Cyber resilience act: Council and Parliament strike a deal on security requirements for digital products

The Council presidency and the European Parliament’s negotiators have reached a provisional agreement on the proposed legislation regarding cybersecurity requirements for products with digital elements, which aims to ensure that products such as connected home cameras, fridges, TVs and toys are safe before they are placed on the market (cyber resilience act). 
 

Main objectives of the new regulation

The new law introduces EU-wide cybersecurity requirements for the design, development, production and making available on the market of hardware and software products, to avoid overlapping requirements stemming from different pieces of legislation in EU member states.

The regulation will apply to all products that are connected either directly or indirectly to another device or to a network. There are some exceptions for products for which cybersecurity requirements are already set out in existing EU rules, for example medical devices, aeronautical products and cars.

The proposal aims to fill the gaps, clarify the links, and make the existing cybersecurity legislation more coherent, ensuring that products with digital components, for example ‘Internet of Things’ (IoT) products, are made secure throughout the supply chain and throughout their lifecycle.

Finally, the regulation will allow consumers to take cybersecurity into account when selecting and using products that contain digital elements, making it easier for them to identify hardware and software products with the proper cybersecurity features.

Main thrust of the Commission proposal retained

The provisionally agreed text maintains the general thrust of the Commission’s proposal, namely as regards:

• rules to rebalance responsibility for compliance towards manufacturers, who must meet certain obligations such as providing cybersecurity risk assessments, issuing declarations of conformity, and cooperating with the competent authorities
   
• vulnerability handling processes for manufacturers to ensure the cybersecurity of digital products, and obligations for economic operators, such as importers or distributors, in relation to those processes
   
• measures to improve transparency on the security of hardware and software products for consumers and business users
   
• a market surveillance framework to enforce the rules.
   

Co-legislators’ main amendments

However, the co-legislators propose various adjustments to parts of the Commission’s proposal, mainly with regard to:

• the scope of the proposed legislation, with a simpler methodology for the classification of digital products to be covered by the new Regulation
   
• the determination of the expected product lifetime by manufacturers: while the principle remains that the support period for a digital product corresponds to its expected lifetime, a support period of at least five years is indicated, except for products which are expected to be in use for a shorter period of time
   
• the reporting obligations regarding actively exploited vulnerabilities and incidents: the competent national authorities will be the initial recipients of such reports but the role of the EU agency for cybersecurity (ENISA) is strengthened
   
• the new rules will apply three years after the law enters into force, which should give manufacturers sufficient time to adapt to the new requirements
   
• additional support measures for small and micro enterprises have been agreed, including specific awareness-raising and training activities, as well as support for testing and conformity assessment procedures.

Quote

José Luis Escrivá, Spanish minister of digital transformation: “Today’s agreement is a milestone towards a safe and secure digital single market in Europe. Connected devices need a basic level of cybersecurity when sold in the EU, ensuring that businesses and consumers are properly protected against cyber threats. This is exactly what the cyber resilience act will achieve once it enters into force.”

Next steps

Following today’s provisional agreement, work will continue at technical level in the coming weeks to finalise the details of the new regulation. The Spanish presidency will submit the compromise text to the member states’ representatives (Coreper) for endorsement once this work has been concluded.

The entire text will need to be confirmed by both institutions and undergo legal-linguistic revision before formal adoption by the co-legislators.

Background

In its conclusions of 2 December 2020 on the cybersecurity of connected devices, the Council underlined the importance of assessing the need for horizontal legislation in the long term to address all relevant aspects of cybersecurity of connected devices, such as availability, integrity and confidentiality, including specifying conditions for placement on the market.

First announced by Commission President von der Leyen in her State of the Union address in September 2021, the cyber resilience act was mentioned in the Council conclusions of 23 May 2022 on the development of the European Union’s cyber posture, which called upon the Commission to submit its proposal by the end of 2022.

On 15 September 2022, the Commission submitted the proposal for a cyber resilience act, which will complement the existing EU cybersecurity framework: the directive on the security of network and information systems (NIS directive), the directive on measures for a high level of cybersecurity across the Union (NIS 2 directive) and the EU cybersecurity act.