The Council presidency and the European Parliament’s negotiators have reached a provisional agreement on the proposed legislation regarding cybersecurity requirements for products with digital elements, which aims to ensure that products such as connected home cameras, fridges, TVs and toys are safe before they are placed on the market (cyber resilience act). "Today’s agreement is a milestone towards a safe and secure digital single market in Europe. Connected devices need a basic level of cybersecurity when sold in the EU, ensuring that businesses and consumers are properly protected against cyber threats. This is exactly what the cyber resilience act will achieve once it enters into force."
José Luis Escrivá, Spanish minister of digital transformation Main objectives of the new regulationThe new law introduces EU-wide cybersecurity requirements for the design, development, production and making available on the market of hardware and software products, to avoid overlapping requirements stemming from different pieces of legislation in EU member states. The regulation will apply to all products that are connected either directly or indirectly to another device or to a network. There are some exceptions for products for which cybersecurity requirements are already set out in existing EU rules, for example medical devices, aeronautical products and cars. The proposal aims to fill the gaps, clarify the links, and make the existing cybersecurity legislation more coherent, ensuring that products with digital components, for example ‘Internet of Things’ (IoT) products, are made secure throughout the supply chain and throughout their lifecycle. Finally, the regulation will allow consumers to take cybersecurity into account when selecting and using products that contain digital elements, making it easier for them to identify hardware and software products with the proper cybersecurity features. Main thrust of the Commission proposal retainedThe provisionally agreed text maintains the general thrust of the Commission’s proposal, namely as regards: - rules to rebalance responsibility for compliance towards manufacturers, who must meet certain obligations such as providing cybersecurity risk assessments, issuing declarations of conformity, and cooperating with the competent authorities
- vulnerability handling processes for manufacturers to ensure the cybersecurity of digital products, and obligations for economic operators, such as importers or distributors, in relation to those processes
- measures to improve transparency on the security of hardware and software products for consumers and business users
- a market surveillance framework to enforce the rules.
Co-legislators’ main amendmentsHowever, the co-legislators propose various adjustments to parts of the Commission’s proposal, mainly with regard to: - the scope of the proposed legislation, with a simpler methodology for the classification of digital products to be covered by the new regulation
- the determination of the expected product lifetime by manufacturers: while the principle remains that the support period for a digital product corresponds to its expected lifetime, a support period of at least five years is indicated, except for products which are expected to be in use for a shorter period of time
- the reporting obligations regarding actively exploited vulnerabilities and incidents: the competent national authorities will be the initial recipients of such reports but the role of the EU agency for cybersecurity (ENISA) is strengthened
- the new rules will apply three years after the law enters into force, which should give manufacturers sufficient time to adapt to the new requirements
- additional support measures for small and micro enterprises have been agreed, including specific awareness-raising and training activities, as well as support for testing and conformity assessment procedures.
|
