INFORMATION TECHNOLOGY
Cyber resilience act: member states agree common position on security requirements for digital products.
With a view to ensuring that products with digital components, such as connected home cameras, smart fridges, TVs, and toys, are safe before entering the market, member states’ representatives (Coreper) reached a common position on the proposed legislation regarding horizontal cybersecurity requirements for products with digital elements (cyber resilience act).
Objectives of the proposal
The draft regulation introduces mandatory cybersecurity requirements for the design, development, production and making available on the market of hardware and software products to avoid overlapping requirements stemming from different pieces of legislation in EU member states.
The proposed regulation will apply to all products that are connected either directly or indirectly to another device or network. There are some exceptions for products for which cybersecurity requirements are already set out in existing EU rules, for example on medical devices, aviation, or cars.
The proposal aims to fill the gaps, clarify the links, and make the existing cybersecurity legislation more coherent by ensuring that products with digital components, for example ‘Internet of Things’ (IoT) products, become secure throughout the whole supply chain and throughout their whole lifecycle.
Finally, the proposed regulation also allows consumers to take cybersecurity into account when selecting and using products that contain digital elements by providing users the opportunity to make informed choices of hardware and software products with the proper cybersecurity features.
Main elements retained from the Commission’s proposal
The Council’s common position maintains the general thrust of the Commission’s proposal, namely as regards:
- rules to rebalance responsibility for compliance towards manufacturers, who must ensure conformity with security requirements of products with digital elements that are made available on the EU market, including obligations like cybersecurity risk assessment, declaration of conformity, and cooperation with competent authorities
- essential requirements for the vulnerability handling processes for manufacturers to ensure the cybersecurity of digital products, and obligations for economic operators, such as importers or distributors, in relation to these processes
- measures to improve transparency on security of hardware and software products for consumers and business users, and a market surveillance framework to enforce these rules.
The Council’s amendments
However, the Council’s text amends various parts of the Commission’s proposal, including on the following aspects:
- the scope of the proposed legislation, including with regard to the specific categories of products that should comply with the regulation’s requirements
- reporting obligations of actively exploited vulnerabilities or incidents to the competent national authorities (‘computer security incident response teams’ – CSIRTs) instead of the EU agency for cybersecurity (ENISA) with the latter establishing a single reporting platform
- elements for the determination of the expected product lifetime by manufacturers
- support measures for small and micro enterprises
- a simplified declaration of conformity.
Today’s agreement on the Council’s common position ('negotiating mandate') will allow the Spanish presidency to enter negotiations with the European Parliament ('trilogues') on the final version of the proposed legislation.