The Charter of Trust is a private-sector cybersecurity initiative unveiled at the Munich Security Conference in February 2018. It was spearheaded by Siemens CEO Joe Kaeser, who argued that digitalization required binding rules to protect critical infrastructure, the economy, and democratic institutions. Founding signatories included Siemens, Airbus, Allianz, Daimler, IBM, NXP, SGS, Deutsche Telekom, and the Munich Security Conference itself, with additional companies and partners joining in subsequent years.
The Charter sets out ten core principles that signatories commit to implement and promote. These include:
- Ownership of cyber and IT security at the highest levels of management
- Responsibility throughout the digital supply chain, requiring baseline security in products and services
- Security by default in IoT and connected devices
- User-centricity so that end users are not left to bear unrealistic security burdens
- Innovation and co-creation with partners and governments
- Education in cybersecurity skills and digital literacy
- Certification for critical infrastructure and solutions
- Transparency and response during incidents
- Regulatory framework advocacy for binding rules at the multilateral level
- Joint initiatives to drive adoption
Unlike a treaty, the Charter is non-binding and operates as a voluntary commitment, but signatories report on implementation through working groups covering topics such as supply chain security, security by default, and education. The initiative is often cited alongside the Paris Call for Trust and Security in Cyberspace (also 2018) and the Tech Accord as part of a wave of non-state-led cyber norms-building. Critics note that as a corporate-driven framework it lacks enforcement and verification mechanisms, while supporters argue it fills a gap left by slow intergovernmental progress at the UN Group of Governmental Experts and Open-Ended Working Group.
Example
In February 2018, Siemens, Airbus, Allianz, IBM, and other firms signed the Charter of Trust at the Munich Security Conference to commit to shared cybersecurity standards.
Frequently asked questions
No. It is a voluntary commitment by participating companies and partners; there is no treaty obligation or enforcement mechanism.
Keep learning