SMART: a Technology Readiness Methodology in the Frame of the NIS Directive

TL;DR

This paper proposes a standardized methodology called SMART for assessing the market readiness and quality of software technologies, addressing limitations of traditional TRL assessments especially in cybersecurity contexts.

Contribution

It introduces a new methodology that extends TRL to evaluate software maturity and compliance, bridging the gap between legal requirements and technological reality.

Findings

Developed the SMART assessment framework

Demonstrated the methodology's applicability to cybersecurity software

Enhanced risk mitigation through comprehensive readiness evaluation

Abstract

An ever shorter technology lifecycle engendered the need for assessing new technologies w.r.t. their market readiness. Knowing the Technology readiness level (TRL) of a given target technology proved to be useful to mitigate risks such as cost overrun, product roll out delays, or early launch failures. Originally developed for space programmes by NASA, TRL became a de facto standard among technology and manufacturing companies and even among research funding agencies. However, while TRL assessments provide a systematic evaluation process resulting in meaningful metric, they are one dimensional: they only answer the question if a technology can go into production. Hence they leave an inherent gap, i.e., if a technology fulfils requirements with a certain quality. This gap becomes intolerable when this metric is applied software such as technological cybersecurity measures. With legislation such as the General Data Protection Regulation4 (GDPR) and the Network and Information Systems Directive5 (NIS-D) making reference to state of the art when requiring appropriate protection measures, software designers are faced with the question how to measure if a technology is suitable to use. We argue that there is a potential mismatch of legal aim and technological reality which not only leads to a risk of non-compliance, but also might lead to weaker protected systems than possible. In that regard, we aim to address the gaps identified with existing Technology Readiness Assessment (TRA)s and aim to overcome these by developing standardised method which is suitable for assessing software w.r.t. its market readiness and quality (in sum maturity).