May 2026: Major Information Technology Standards for Security and Digital Product Passports

As Information Technology evolves at an unprecedented pace, the regulatory and standards landscape must keep up to ensure trust, interoperability, and efficiency. In May 2026, five influential standards were released, reshaping the approach to cybersecurity, digital product identification, and IT assurance across the sector. From detailed data carrier specifications for digital product passports to the reformed evaluation criteria for IT product security, these standards are poised to impact organizations across the value chain.


Overview / Introduction

The Information Technology and Office Equipment sector underpins almost every aspect of modern business. With an ever-expanding digital footprint, security, transparency, and reliable risk management are now vital requirements for industry professionals, quality managers, compliance officers, engineers, researchers, and procurement leaders.

Standards in this field serve as internationally accepted benchmarks—defining how organizations should design, implement, and evaluate technology to ensure resilience, interoperability, and compliance. This article explores five new or revised standards published in May 2026, providing insights on data carrier requirements, IT security evaluation, and methodologies for certifying security properties. Readers will gain a strategic overview, detailed technical coverage, and actionable guidance for aligning organizational practices with these newly published standards.


Detailed Standards Coverage

EN 18220:2026 - Digital Product Passport Data Carriers

Digital product passport – Data carriers

This European standard establishes the requirements for data carriers used within Digital Product Passport (DPP) systems—an essential mechanism for enabling traceability and transparency throughout the product lifecycle. The scope covers specifications for symbology characteristics, encoding methods, error correction codes, printing and production quality, and carrier durability. Requirements also span graphical indicators for DPP recognition, placement guidance, machine readability, and quality assurance processes for both physical and digital linkage.

While it details robust guidelines for labeling and data embedding (including barcodes, NFC, and RFID), the standard explicitly excludes architecture, use case specifics, and cryptographic security features.

This standard is particularly relevant for product manufacturers, logistics providers, and IT integrators active in the circular economy or those responding to the EU’s Ecodesign for Sustainable Product Regulation (ESPR). Ensuring conformance will help organizations future-proof their products for digital supply chains and regulatory mandates.

Key highlights:

  • Defines technical requirements for 2D barcodes, NFC, HF/UHF RFID, and embedding methods
  • Specifies data carrier quality, error correction, and durability
  • Includes guidance for accessibility, graphical recognition, and machine readability

Access the full standard: View EN 18220:2026 on iTeh Standards


EN ISO/IEC 15408-1:2026 - IT Security Evaluation Criteria: Introduction and General Model

Information security, cybersecurity and privacy protection – Evaluation criteria for IT security – Part 1: Introduction and general model (ISO/IEC 15408-1:2026)

EN ISO/IEC 15408-1:2026 is the foundational document for the globally recognized Common Criteria (CC) framework, providing the core model and concepts for evaluating IT products’ security properties. It defines essential terms, introduces the Target of Evaluation (TOE) concept, and offers an overview of the entire standard series.

This part is intended to guide manufacturers, evaluators, certification bodies, and end-users in understanding how to approach security evaluation—laying the groundwork for consistent IT risk management. The standard details the evaluation context and describes the relationship between threats, organizational security policies, and security assurance objectives.

Organizations developing or deploying products in regulated markets or supplying IT systems to government and critical infrastructure sectors should prioritize aligning with this model.

Key highlights:

  • Establishes the basis for IT product security evaluation
  • Details the overall structure and terminology for the ISO/IEC 15408 series
  • Outlines the evaluation model and audience considerations

Access the full standard: View EN ISO/IEC 15408-1:2026 on iTeh Standards


EN ISO/IEC 15408-2:2026 - IT Security Evaluation Criteria: Security Functional Components

Information security, cybersecurity and privacy protection – Evaluation criteria for IT security – Part 2: Security functional components (ISO/IEC 15408-2:2026)

Building on the general model, Part 2 of the ISO/IEC 15408 series standardizes the catalogue of security functional components required for systematic IT security evaluations. It covers the taxonomy and structure of requirements addressing specific security functions—such as security audit, identification and authentication, access control, communication, user data protection, and more.

For professionals structuring Protection Profiles and Security Targets, this part offers a comprehensive menu of standardized controls and requirements to select and tailor for their IT products. This provides assurance to procurement specialists and compliance officers that evaluated products meet recognizable security benchmarks.

Key highlights:

  • Compiles a catalogue of security function types and evaluation elements
  • Establishes templates for defining and choosing functional requirements
  • Facilitates consistent, repeatable security design and assessment

Access the full standard: View EN ISO/IEC 15408-2:2026 on iTeh Standards


EN ISO/IEC 15408-3:2026 - IT Security Evaluation Criteria: Security Assurance Components

Information security, cybersecurity and privacy protection – Evaluation criteria for IT security – Part 3: Security assurance components (ISO/IEC 15408-3:2026)

This part documents the security assurance components—criteria by which the processes and activities underpinning a product’s claimed security properties are assessed. The standard outlines assurance classes, families, and components, forming the backbone for evaluation assurance levels (EALs), Protection Profiles, Security Targets, and more. It guides evaluators and organizations in assembling packages of assurance activities that align with risk assessment outcomes.

Stakeholders obliged to demonstrate product or system trustworthiness (such as in critical national infrastructure, defense, or regulated financial markets) will benefit from this standard’s rigorous assurance criteria and its compatibility with international certification.

Key highlights:

  • Defines the structure and content of assurance components and packages
  • Supports consistent demonstration and validation of security claims
  • Vital for constructing Protection Profiles and Security Targets per CC

Access the full standard: View EN ISO/IEC 15408-3:2026 on iTeh Standards


EN ISO/IEC 15408-4:2026 - Framework for Specification of Evaluation Methods and Activities

Information security, cybersecurity and privacy protection – Evaluation criteria for IT security – Part 4: Framework for the specification of evaluation methods and activities (ISO/IEC 15408-4:2026)

EN ISO/IEC 15408-4:2026 introduces a standardized methodology for defining objective, repeatable, and reproducible evaluation methods and activities within IT security assessments. Its framework guides how to specify the structure, scope, required inputs, competencies, and reporting obligations for evaluation tasks—but does not prescribe how to undertake or maintain these methods.

This document is integral for certification bodies, evaluators, and organizations seeking uniformity across security evaluations—increasing confidence in audit results, harmonizing certification programs, and supporting cross-border acceptance.

Key highlights:

  • Sets a consistent framework for specification of evaluation activities
  • Facilitates reproducible, standardized certification processes
  • Supports developers and evaluators in building and selecting assessment methods

Access the full standard: View EN ISO/IEC 15408-4:2026 on iTeh Standards


Industry Impact & Compliance

These new and revised standards are set to influence a broad spectrum of organizations—from SMEs to multinational enterprises, and from IT product vendors to critical infrastructure operators. Key impacts and considerations include:

  • Regulatory Alignment: Adopting these standards supports conformance with emerging EU regulations, such as the ESPR and cybersecurity legislation, as well as global acceptance of security certification and digital product traceability.
  • Risk Management: Enhanced definitions for security evaluation and product identification help manage supply chain, operational, and reputational risks.
  • Competitive Advantage: Demonstrable compliance and certification signal trustworthiness to partners and end-users, making products more competitive in international markets.
  • Implementation Timeline: Organizations should assess transition deadlines, update procedures, and plan for internal/external audits to ensure timely conformance.
  • Risks of Non-Compliance: Failure to adopt these standards could result in loss of market access, regulatory scrutiny, or potential security breaches due to unassessed risks or inadequate product data carriers.

Technical Insights

The standards profiled here share several technical requirements and best practices relevant for implementation and certification:

  • Clarity and Structure in Security Evaluation: The Common Criteria series (ISO/IEC 15408) codifies how to express, structure, and verify both functional and assurance requirements. This aids systematic threat analysis, objective setting, and evidence-based assessment.
  • Data Carrier Interoperability: EN 18220:2026 emphasizes interoperability, machine readability, and durability for digital product identifiers, encouraging the use of widely deployed technologies (2D barcodes, RFID, NFC) and standardized symbologies (such as Data Matrix, QR code, GS1 Digital Link URI).
  • Repeatable Assessment Frameworks: EN ISO/IEC 15408-4:2026 underpins evaluation credibility by providing a repeatable framework for specifying evaluation methods, supporting global comparability.
  • Testing and Certification: The standards demand rigorous quality and performance testing, including error correction, symbol dimensioning, and environmental durability for data carriers, as well as technical competence and documented reporting in security evaluations.
  • Best Practices: Effective implementation should include:
    • Regular review of product-specific Protection Profiles (PPs)
    • Mapping product features to recognized security function components
    • Establishing documented procedures for selection and verification of digital product identifiers
    • Training staff on security assurance concepts and evaluation methodology

Conclusion / Next Steps

The May 2026 publication of these five standards marks a pivotal advance in the Information Technology and Office Equipment field. Whether you are responsible for product architecture, procurement, compliance, or quality assurance, integrating these standards into your business processes will strengthen digital trust, regulatory readiness, and competitive positioning.

Recommendations:

  • Review the full text of each standard to determine applicability to your products, services, or operations
  • Assess current procedures and plan transitions for compliance with updated requirements
  • Engage with certified evaluators or auditors to support your certification journey
  • Subscribe to updates from iTeh Standards to stay informed of further developments across Parts 3–7 of this standards series

Learn More: Explore these and other critical standards in Information Technology and Office Equipment at iTeh Standards, your authoritative source for compliance and industry leadership.
