Burkhard Zimmermann
Leading IEC SC62 D JWG 36 and support IEC SC62A JWG 9 as an expert
Leading IEC SC62 D JWG 36 and support IEC SC62A JWG 9 as an expert
Co-founder of a circular economy startup developing infrastructure for DPP-enabled resale in the European textile sector, based in Berlin. Leading business development, regulatory strategy, and product design for a platform that enables verified resale through Digital Product Passports. The startup is incubated at ESCP Blue Factory.
French national with experience in business development and technology. Self-taught technical skills in product prototyping and data systems. Previous experience includes roles in consulting and business analysis.
Beyond this project: Active in the European circular economy ecosystem. Relocating to Paris in May 2026 to continue building at the intersection of sustainability regulation and commerce technology.
This fellowship supports my role as a convener of ISO TCC307 WG3. The priority is to organise the appropriate ballots and meetings to allow the experts to discuss and reach a consensus based on the comments received for the projects in ISO TC 307 WG3. Another priority is to complete the norms with the attendance list and verify that all experts in the meeting were duly registered in the portal and authorised to participate in the meetings.
One of the main challenges of this work has been overcoming the cultural barriers and language differences encountered during this period, particularly through various meetings and ad hoc meetings for the three projects, which are ongoing in preparation for the final stage to publication.
The fellowship addressed key limitations found in version 2.0 of the OASIS Collaborative Automated Course of Action Operations (CACAO) standard. While CACAO v2.0 introduced the first machine-readable format for cybersecurity playbooks, real-world use revealed gaps that limited interoperability and automation. The most critical issues included ambiguous schema elements, unclear execution semantics, and limited support for graphical and modular representations needed to visualize and exchange playbooks. From a European standpoint, these shortcomings directly affected operations. SOCs, CSIRTs, and critical infrastructure operators faced difficulties creating executable playbooks, hindering the coordinated responses envisioned by the NIS2 Directive, the Cyber Solidarity Act, and the EU Cyber Crisis Blueprint.
The fellowship, therefore, focused on three main goals:
1. Consolidating feedback from European and international stakeholders who implemented CACAO v2.0.
2. Designing and drafting CACAO v3.0 — a major revision introducing structural schema improvements, more precise execution semantics, and modular extensibility.
3. Aligning the work with EU cybersecurity policy and operational priorities so that standardized, machine-readable playbooks can support coordinated preparedness and response.
The effort resulted in the ongoing working CACAO v3.0 Draft Specification and accompanying validation outputs, now progressing toward formal adoption within OASIS. By resolving the main technical and semantic issues, the fellowship strengthened Europe’s role in cybersecurity standardization. It established a solid, vendor-neutral foundation for automated, collaborative cyber defense across the EU.
My fellowship addresses three critical gaps in the European AI standardization landscape: The first gap concerns the harmonisation of Documentation Development, as there is an urgent need for technical documentation (Annex ZA, HAS checklists) to connect developing standards with AI Act requirements following the M/593 request. Without this work, standards risk delayed OJEU citation, creating regulatory uncertainty. I've worked on developing preliminary harmonization documents for JT021008 (Trustworthiness), JT021039 (QMS), and JT021024 (Risk Management). The second gap is related to cross-Standard Technical Coherence. As multiple AI standards are developed simultaneously, it creates potential inconsistencies in terminology, requirements, and implementation approaches. I've created mapping documents highlighting interconnections between standards, particularly focusing on how QMS requirements interface with other M/593 standards, to ensure a coherent framework. The third gap focuses on the alignment with EU AI Act Articles, as technical specifications in draft standards must precisely align with AI Act articles to support regulatory compliance. I have contributed targeted technical refinements to clauses 6.4 (transparency) and 6.5 (human oversight) in the Trustworthiness Framework to strengthen alignment with Articles 13 and 14 of the AI Act.
Local Digital Twins will be a fundamental building block for CitiVerse. It will also play a crucial role for anyone in the public sector who wants to fully utilize the usage of AI.
Today, cities, regions and countries all over the world are building Local Digital Twins using various tools and approaches. Game engines, CAD tools, GIS, AR/VR/XR tools, Urban Digital Platforms, CIM and other visualisation tools are used. Thus a wide spread of technologies and standards.
Interoperability for Local Digital Twins (LTD) is crucial. They need to fit horizontally and vertically. Horizontally is to put a LDT of one city next to a LDT of another city and make them align. Vertically, by example, a LDT produced by a city must fit LDT from public transportation and LDT by the energy company for the same geographical area, etc.
European CitiVerse will be built upon Local Digital Twins. If separate Local Digital Twins in Europe don't fit together it will be impossible to create a seamless CitiVerse. It will also be difficult with interoperability between LDT:s. The LDT also needs interoperability versus dataspaces and IoT. For a LDT:s to be useful for officials and others, LDT:s need interoperability with the business operating systems used by officials on a daily basis.
In this sense, in the framework of my fellowship, my JWG has sent a survey to many major LDT projects around the world, and we are now gathering the results and statistics. The result will be a gap analysis and a technical report, which will enable advice to all relevant major SDO:s on how to develop or change their standards to fit better together.