Navigating cybersecurity standards for media companies: NIST, EBU and MPA requirements explained
Multiple frameworks now define cybersecurity requirements for broadcast and media companies. The landscape has expanded in recent years, from industry-specific recommendations developed by the European Broadcasting Union to general frameworks from the National Institute of Standards and Technology, plus content security standards from the Motion Picture Association. Each provides detailed guidance for organizational structures, processes and maturity levels that media companies should establish to manage cyber risks.
The frameworks reflect a common understanding: cybersecurity requires governance, not just technology. Media companies that rely on networks and IT systems for content production, management and distribution need formal structures with defined roles, documented processes and executive commitment backed by resources.
The EBU published recommendation R 144, “Cybersecurity Governance for Media Companies,” in 2016, establishing specific requirements for broadcast organizations, alongside related recommendations such as R 141 on DDoS mitigation and R 145 on ransomware and malware.
Since that time, multiple instances of DDoS, ransomware and general cyberattacks have hit the industry. Security breaches can range from impairing service delivery to causing reputational damage.
While these governance recommendations have not been updated since 2016, the EBU has remained active in cybersecurity guidance. The organization released R 143 version 3.0 in March 2025, updating its recommendations for media vendors’ systems, software and services. The EBU has also published additional recommendations covering ransomware mitigation, security maturity benchmarks, secure file ingest and secure software development lifecycles.
The frameworks define what adequate cybersecurity governance looks like, what roles organizations should establish, and how to assess organizational maturity.
Understanding maturity levels
The EBU framework defines five maturity levels, adapted from the Capability Maturity Model used across industries to assess organizational capability. The levels provide a roadmap for organizations to assess current state and plan improvements.
Level 1, labeled “Chaotic,” describes organizations with no documented responsibility for cybersecurity. Security work is ad hoc, typically uncontrolled and reactive. The EBU document notes that if no CISO role is defined, the cybersecurity maturity level would typically be 1.
Level 2, “Repeatable,” indicates that responsibility for cybersecurity has been assigned and documented. Parts of cybersecurity processes are managed in a reproducible manner as standard procedures, though overall performance remains reactive.
Level 3, “Defined,” represents a significant step. Organizations at this level maintain a formal cybersecurity policy approved by executive management and a documented acceptable use policy. Many processes are documented and characterized as standard processes that are improved over time.
Level 4, “Managed,” describes organizations with proactive cybersecurity operations. Formal cybersecurity risk assessments following frameworks such as ISO/IEC 27001 are conducted regularly. Metrics are in place to measure, control and optimize cybersecurity processes. The maturity of cybersecurity processes can be demonstrated by regularly conducting self-assessments.
Level 5, “Optimizing,” represents the highest maturity. The information security management system is validated by an external authority through official ISO/IEC 27001 certification. The main focus for all cybersecurity processes is optimization and improvement.
The EBU recommendation suggests that media companies should aim for at least Level 3 maturity, where formal policies and documented processes exist.
NIST Cybersecurity Framework 2.0
The National Institute of Standards and Technology released its Cybersecurity Framework 2.0 in February 2024, updating guidance first published in 2014. The framework organizes cybersecurity around six functions: Govern, Identify, Protect, Detect, Respond and Recover. Together, these functions provide a comprehensive view for managing cybersecurity risk.
The Govern function explicitly addresses organizational cybersecurity risk management strategy, expectations and policy, which should be established, communicated and monitored. NIST guidance emphasizes that organizations should understand and assess specific cybersecurity needs, develop tailored risk strategies and establish defined risk management policies approved by management. These policies should be organization-wide, repeatable and recurring. Roles and responsibilities should be clear.
The NIST framework can be used by organizations to understand, assess, prioritize and communicate cybersecurity risks. It is designed to foster internal and external communication across teams and integrate with broader risk management strategies.
NAB guidance for U.S. broadcasters
The National Association of Broadcasters has taken an educational approach to cybersecurity, translating NIST framework guidance specifically for broadcast operations rather than creating separate standards.
For example, NAB published “An Essential Guide to Broadcasting Cybersecurity,” which examined the NIST Cybersecurity Framework and identified the most relevant recommendations for broadcast facilities. The organization also produced “35 Critical Cybersecurity Activities All Broadcasters Should Know,” which condensed key activities into a more accessible format.
NAB subsequently developed a Broadcast Cybersecurity Certificate Program, a four-course online sequence targeting technology and engineering staff with information specific to the broadcast industry. The program aligns with the NIST Framework for Improving Critical Infrastructure Cybersecurity.
MPA Content Security Best Practices and Trusted Partner Network
The Motion Picture Association maintains the MPA Content Security Best Practices, currently at version 5.3.1, which provides an Information Security Management System control framework derived from and mapped to ISO/IEC 27001:2022, ISO/IEC 27002:2022, NIST CSF and other standards. The framework addresses content security throughout the media and entertainment supply chain.
The Trusted Partner Network, owned and operated by the MPA, implements these best practices through assessments that measure vendors’ security posture. TPN assessments have become requirements for companies working on content for major studios including Disney, Netflix, Warner Bros, Amazon and other MPA members. The program includes both self-attestation and third-party assessment options.
The MPA framework emphasizes supply chain security, recognizing that content production involves numerous companies handling valuable assets from pre-production through distribution. More than 1,000 production, editorial, post-production and distribution companies participate in the TPN program. The framework addresses both on-site facilities and cloud-based services.
The CISO role and responsibilities
The CISO role carries specific responsibilities in the EBU model. The person in this position has overall responsibility for all information security concerns of the broadcast company, and should have decision authority and a budget to commission audits and evaluate cybersecurity risks. The CISO should be part of middle management, reporting to a member of the executive board or board of directors such as the COO or CEO.
The EBU recommendation states that depending on organizational size, the CISO role should be fulfilled with one full-time equivalent who has sufficient knowledge and industry standard certifications. The CISO also acts as liaison to government authorities responsible for cyber defense.
Beyond the CISO, the EBU framework identifies several essential roles that should exist within a cybersecurity organization: a Computer Security Incident Response Team, a Security Operations Center, and first and second level support that includes security functions. Optional roles include regional or business unit IT security officers, an information security board and internal audit with cybersecurity in scope.
Implementing these structures requires resources, executive commitment and recognition that cybersecurity represents a business risk rather than solely a technical problem.
Among large U.S. television networks, NBCUniversal, for example, has well-documented security standards and a CISO in place.
Broadcast systems as priority
The EBU recommendation emphasizes: “Cybersecurity is not limited to IT systems (office, management) but must encompass broadcast systems in general. Cybersecurity of these systems is the highest priority for the CISO of a broadcast company.”
The document notes that in cases where a company’s IT department is separated from the broadcast department, the CISO should not be attached solely to the IT department. This organizational structure reflects the reality that broadcast operations carry unique risks requiring specialized attention.
Traffic and automation systems, production control systems, transmission equipment and increasingly IP-based production infrastructure connect to networks. The frameworks recognize that these broadcast-specific systems require protection and that disruption affects a media company’s ability to deliver content.
Vendor security requirements
EBU recommendation R 143 addresses cybersecurity for media vendors’ systems, software and services. The recommendation provides detailed security requirements that media companies should apply when planning and designing systems, and that vendors should meet when responding to tenders.
The framework covers three categories: vendor Information Security Management Systems, media appliance security requirements, and Software as a Service security requirements. The SaaS section, added in version 2.4 published in March 2024, reflects the industry’s increasing reliance on cloud-based services.
R 143 includes a Security Controls Assertion spreadsheet that vendors complete to declare their ability to comply with specific requirements. Requirements are prioritized as P1 (must/must not be implementable), P2 (should/should not be implementable) or P3 (should be used as best practice). Media companies can define their minimal vendor acceptance levels based on these priorities, for example treating every P1 control as mandatory, while remaining aware of the residual risk of any control they choose to waive.
The vendor ISMS requirements address cybersecurity policy, organizational structure, audit procedures, security certification, security awareness training, technical security analysis, vulnerability management, product lifecycle, secure delivery, customer maintenance, secure development practices, incident management, physical security, cloud security, business continuity, supply chain management and change management.
Media appliance requirements cover documentation, authentication and authorization, encryption, base configuration, network configuration and application security. SaaS requirements address these areas plus monitoring and remediation, network and infrastructure security, data protection and intellectual property rights.
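One way to turn the P1/P2/P3 priorities into a repeatable vendor gate is to evaluate the returned assertion mechanically and let a human look only at the exceptions. The script below is an added example, not EBU material and not the R 143 spreadsheet itself: the CSV layout, the control identifiers (ISMS-01, APPL-01, SAAS-01 and so on), the answer vocabulary (yes/partial/no/n/a) and the acceptance policy (every P1 must be met or justified in writing, at least 80% of applicable P2 controls met, P3 never gating) are all assumptions made for illustration. The sample assertion is constructed inline so the script runs offline.

```python
"""Gate a vendor's security-controls assertion on P1/P2/P3 priorities.

Added example in the spirit of EBU R 143; the CSV schema, control IDs,
answer vocabulary and acceptance thresholds are assumptions, not the
layout of the real Security Controls Assertion spreadsheet.
"""
import csv
import io
from dataclasses import dataclass, field

# Constructed sample assertion (one row per control). "answer" is what the
# vendor asserts: yes = implementable, partial = implementable with limits
# explained in "note", no = not implementable, n/a = vendor says not applicable.
SAMPLE_ASSERTION = """\
control_id,category,priority,requirement,answer,note
ISMS-01,Vendor ISMS,P1,Documented cybersecurity policy approved by management,yes,
ISMS-02,Vendor ISMS,P1,Vulnerability management process with defined response times,yes,
ISMS-03,Vendor ISMS,P2,Independent security certification of the ISMS,no,certification planned
APPL-01,Media appliance,P1,No default or hard-coded credentials,partial,factory password must be changed at first boot
APPL-02,Media appliance,P1,Management interface supports TLS 1.2 or later,yes,
APPL-03,Media appliance,P2,Role-based authorisation for administrative functions,yes,
APPL-04,Media appliance,P3,Central logging via syslog,n/a,appliance has no network management plane
SAAS-01,SaaS,P1,List of all subcontractors involved in service provision,no,
SAAS-02,SaaS,P2,Customer notified before subcontractor changes,yes,
"""

VALID_ANSWERS = {"yes", "partial", "no", "n/a"}
VALID_PRIORITIES = {"P1", "P2", "P3"}


@dataclass
class Finding:
    control_id: str
    priority: str
    answer: str
    reason: str


@dataclass
class Verdict:
    status: str                      # "accepted", "review" or "rejected"
    blocking: list = field(default_factory=list)   # hard failures of the policy
    review: list = field(default_factory=list)     # needs a human decision
    p2_coverage: float = 0.0         # share of applicable P2 controls answered "yes"


def load_assertion(text):
    """Parse the CSV and reject anything outside the fixed vocabulary, so a
    free-text answer like 'mostly' cannot slip through the gate unscored."""
    rows = []
    for lineno, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        answer = row["answer"].strip().lower()
        priority = row["priority"].strip().upper()
        if priority not in VALID_PRIORITIES or answer not in VALID_ANSWERS:
            raise ValueError(f"line {lineno}: invalid priority/answer {priority!r}/{answer!r}")
        rows.append({**row, "priority": priority, "answer": answer, "note": row["note"].strip()})
    return rows


def evaluate(rows, min_p2_coverage=0.8):
    """Apply the (assumed) acceptance policy and return a Verdict."""
    blocking, review = [], []
    p2_applicable = p2_met = 0
    for r in rows:
        cid, pri, ans, note = r["control_id"], r["priority"], r["answer"], r["note"]
        if pri == "P1":
            # P1 is must/must not: a plain "no" fails outright. "partial" and
            # "n/a" pass only with a written justification, and then still
            # go to a reviewer rather than being accepted automatically.
            if ans == "no":
                blocking.append(Finding(cid, pri, ans, "P1 requirement not implementable"))
            elif ans in ("partial", "n/a"):
                if note:
                    review.append(Finding(cid, pri, ans, f"justification to review: {note}"))
                else:
                    blocking.append(Finding(cid, pri, ans, f"P1 answered {ans} without justification"))
        elif pri == "P2":
            # P2 is should/should not: scored as coverage, not per control.
            if ans == "n/a":
                review.append(Finding(cid, pri, ans, "P2 marked not applicable; confirm scope"))
                continue
            p2_applicable += 1
            if ans == "yes":
                p2_met += 1
        # P3 is best practice only: recorded in the assertion, never gating.
    p2_coverage = p2_met / p2_applicable if p2_applicable else 1.0
    if p2_coverage < min_p2_coverage:
        blocking.append(Finding("POLICY", "P2", "-",
                                f"P2 coverage {p2_coverage:.0%} below required {min_p2_coverage:.0%}"))
    status = "rejected" if blocking else ("review" if review else "accepted")
    return Verdict(status, blocking, review, p2_coverage)


if __name__ == "__main__":
    verdict = evaluate(load_assertion(SAMPLE_ASSERTION))
    print("status:", verdict.status, f"(P2 coverage {verdict.p2_coverage:.0%})")
    for f in verdict.blocking:
        print("  BLOCKING", f.control_id, f.priority, f.answer, "-", f.reason)
    for f in verdict.review:
        print("  REVIEW  ", f.control_id, f.priority, f.answer, "-", f.reason)
```

Run against the constructed sample, the vendor is rejected for two reasons: the P1 subcontractor-list control is answered "no", and only two of three applicable P2 controls are met (67%, below the 80% policy). The justified "partial" on default credentials is routed to a reviewer rather than silently accepted; whether a forced password change at first boot satisfies the intent of the control is exactly the kind of judgment the spreadsheet alone cannot make. Lowering the P2 threshold does not rescue the vendor, because the P1 failure remains.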
What implementation requires
Moving from Level 1 or 2 maturity to Level 3 requires documented processes across multiple areas. The EBU framework lists specific domains that cybersecurity processes should cover: asset management; cybersecurity for human resources; infrastructure security (network, storage and operating systems); platform security (middleware and databases); software security, including secure software development; audit management; business continuity management; change and configuration management; cybersecurity risk management; identity and access management; security incident management; and threat and vulnerability management.
At Level 3 the organization maintains a formal cybersecurity policy approved by executive management and a documented acceptable use policy, documents most processes as standard procedures that are improved over time, and begins to operate proactively rather than reactively.
Level 4 adds regular formal risk assessments against a framework such as ISO/IEC 27001:2022, metrics to measure, control and optimize cybersecurity processes, and regular self-assessments of maturity.
Level 5 adds external validation: official certification of the information security management system, for which ISO/IEC 27001:2022 is the current standard, with the focus shifting to optimization and continual improvement.
Supply chain security
The Communications Security, Reliability and Interoperability Council, a federal advisory committee, published recommendations in September 2022 specifically addressing communications supply chain security. The CSRIC VIII report identified best practices for improving security across supply chains, recognizing that organizations increasingly depend on external vendors and service providers for critical functions.
Media companies now rely on cloud services for storage, processing and distribution. Remote production depends on internet connectivity and third-party platforms. Content delivery networks handle distribution to audiences. Each external dependency introduces supply chain risk that must be managed.
Multiple frameworks address supply chain security. The NIST framework includes specific guidance for cybersecurity supply chain risk management, recommending that organizations establish strategy, policy and roles and responsibilities for overseeing suppliers, customers and partners. Requirements should be incorporated into contracts. Partners and suppliers should be involved in planning, response and recovery.
EBU R 143 requires that vendors apply the same level of security control assessment to their own suppliers and subcontractors. Vendors should require potential subcontractors and suppliers to declare their ability to comply with security controls with the same level of detail required by customers. For SaaS products, vendors must provide lists of all subcontractors, clearly describe their involvement in service provision, ensure subcontractors meet customer security requirements, and communicate any changes to subcontractor relationships before implementation.
The MPA Content Security Best Practices framework emphasizes supply chain security throughout content production, recognizing that pre-release content passes through numerous companies from script to screen. TPN assessments provide content owners with visibility into service providers’ security preparedness before engagement.
Detection and response capabilities
The CSIRT role identified in the EBU framework handles cybersecurity incident detection and organization of adequate response. This team analyzes vulnerabilities in information systems and technically monitors compliance with internal cybersecurity policies. It maintains an overview of cybersecurity threats and vulnerabilities in the software and systems the company uses.
The CSIRT analyzes information not only from security devices such as firewalls and antivirus systems but also from other infrastructure elements and, in organizations with higher maturity, from business applications such as traffic and automation systems and support systems for financial management and human resources.
The EBU recommendation specifies that the CSIRT should not directly operate security devices or technical equipment related to IT production. That responsibility remains with the Security Operations Center. The CSIRT drives the SOC for handling security incidents but maintains functional separation.
The CSIRT requires extensive resources and expertise in cybersecurity. The EBU recommendation suggests that internal CSIRT capabilities should be complemented or extended by trusted external CSIRT companies that hold relevant international and national certification.
Self-assessment as starting point
Both the NIST and EBU frameworks provide tools for organizations to assess current cybersecurity posture. The NIST CSF 2.0 includes organizational profiles as a mechanism for describing current and target cybersecurity posture in terms of the framework’s outcomes. Tiers can be applied to organizational profiles to characterize the rigor of cybersecurity risk governance and management practices.
The EBU recommendation includes questions for guided cybersecurity self-assessment, organized by maturity level. Level 1 asks simply whether a CISO role has been appointed. Level 2 asks whether the CISO role is documented and whether cybersecurity processes or requirements have been documented. Level 3 examines whether formal cybersecurity policy exists, whether the cybersecurity organization is in place and functional, and whether cybersecurity processes are documented and operational across required domains.
Organizations can use these assessments to identify gaps and prioritize improvements. The process requires honest evaluation rather than aspirational description.
Cybersecurity requires sustained investment. Personnel with appropriate skills command competitive salaries. Security tools and services represent ongoing expenses. Training programs cost money and time. External audits and assessments add to budgets. Implementing recommendations from audits requires additional resources.
Media companies face pressure to control costs while investing in content production, technology upgrades and audience development. Cybersecurity spending competes with visible priorities that directly support business operations. The calculation changes after a successful attack. Incident response, system recovery, forensic investigation, legal fees, regulatory penalties, remediation costs and business disruption can far exceed the investment required for adequate preventive measures.
The EBU recommendation emphasizes that executive management must commit to cybersecurity policy and that the CISO should have budget to perform audits and evaluate risks. Without executive commitment reflected in resource allocation, cybersecurity remains aspirational.
Why it matters
The frameworks examined here represent convergent thinking about what cybersecurity governance requires in modern media organizations. Whether developed by the European Broadcasting Union specifically for broadcasters, by NIST for broader application, or by the Motion Picture Association for content supply chains, the recommendations share fundamental principles: cybersecurity requires formal structures, defined roles, executive commitment and ongoing investment.
The maturity model provides broadcast and media companies with a roadmap to assess current capabilities and plan improvements. Organizations at Level 1 or 2 face different challenges than those at Level 4 or 5. Understanding current maturity helps prioritize investments and set realistic implementation timelines.
The choice facing media companies is not whether adequate cybersecurity governance requires these structures and capabilities. The frameworks make that determination clear. The choice is whether to implement them proactively or reactively, comprehensively or incrementally, with adequate resources or insufficient budgets. The frameworks describe the destination. Organizations determine the path and timeline.