EU ambassadors set to endorse new cybersecurity law for connected devices

A fine-tuned version of the Cyber Resilience Act, seen by EURACTIV, tweaked the parts on reporting obligations, highly critical products and product lifetime ahead of endorsement at the ambassador level.

Earlier this month, the Spanish presidency of the EU Council of Ministers shared a revised compromise discussed at the Horizontal Working Party on Cyber Issues, a technical body of the Council, last Monday to point out any outstanding issue to be addressed.

This discussion informed the final fine-tuning reflected in a new text the Spanish presidency circulated on Thursday (13 July) ahead of the Committee of Permanent Representatives meeting that is set to adopt the EU Council’s position on Wednesday.

On the same day, the European Parliament’s Industry Committee, leading on the file, is also scheduled to adopt its version of the text, with no plenary vote expected. The negotiations between the EU co-legislators are due to start in September.

Reporting obligations

The cybersecurity regulation introduces the obligation for manufacturers that become aware of any cybersecurity incident or actively exploited vulnerability to inform the competent authority.

The Council moved this sensitive task from the hands of ENISA, the EU cybersecurity agency, to those of the national Computer Security Incident Response Teams (CSIRTs). The new text encourages member states to put in place a single national entry point for reporting requirements.

The CSIRT that receives the report will have to share it with its peers via a single reporting platform, unless there are justified cybersecurity-related grounds, in light of the sensitivity of the notified information, to delay the transmission.

Collectively, the CSIRTs will develop specifications on how these exceptional circumstances apply and on the organisation, security and type of information to be shared via the reporting platform.

ENISA will establish the pan-European platform under the specifications of the CSIRTs, analysing potential complementarities with the European vulnerability database established under the revised Networks and Information Security Directive (NIS2).

ENISA will notify any cybersecurity incident related to the platform without undue delay. References to providing market surveillance authorities access to the platform were removed.

A previously added wording that would have given manufacturers flexibility over the reporting deadlines, for instance, if they are developing a mitigation measure, was deleted.

The manufacturer must also inform the user of any incident or actively exploited vulnerability. If it fails to do so in a timely manner, the notified CSIRT can step in.

Highly critical products

The Cyber Resilience Act introduces the concept of highly critical products for which the European Commission could mandate EU cybersecurity certification schemes. However, the latest version removed any explicit reference to ‘highly critical products’.

EU countries reduced the discretion the EU executive will have on this task, most notably introducing a first list of highly critical product categories that the Commission could amend later on.

The Council text also requires that before requesting mandatory certification, the EU executive should conduct an impact assessment to assess the supply and demand side of the internal market and the capability and readiness of the member states for the schemes’ implementation.

Previous iterations of the text indicated that highly critical products should be asked to comply with the level of assurance ‘substantial’ or ‘high’ under the Cybersecurity Act. This reference to specific assurance levels was removed from the text.

Furthermore, the Commission will have to conduct an impact assessment before requesting a cybersecurity certificate, but the deadline to conduct it was removed. The EU executive will have to consult with the relevant stakeholders, including the European Cybersecurity Certification Group.

Product lifetime

The manufacturers must indicate the expected product lifetime during which users can expect security updates.

The elements to be considered in this calculation were moved from the binding parts of the regulation to the preamble, namely the expected availability of the operating environment, the lifetime of products with similar functionalities, and guidance from market surveillance authorities.

Other points previously listed as relevant for determining the expected product lifetime were removed, namely the reference to relevant EU law and the nature of the product, including the licensing terms.

Market surveillance authorities are no longer entitled to request from manufacturers a justification of how the product lifetime was calculated.

Assignment of responsibility

The responsibility to comply with the cybersecurity law shifts to the economic operator that substantially modifies a connected device. However, this responsibility is waived for security patches that do not modify the intended purpose of a product.

New wording was added to specify that these excluded security updates include those “modifying functions or the performance of a product with digital elements for the sole purpose of decreasing the level of cybersecurity risk.”

Products with digital elements developed or modified by a public administration entity exclusively for its own use were also carved out.

Enforcement

EU market surveillance authorities gathered in the administrative cooperation group will issue guidance documents to streamline the regulation’s enforcement at the national level, notably in the form of best practices and indicators to check compliance effectively.

Spare parts

The components of connected devices manufactured exclusively as spare parts to replace identical components were excluded from the regulation’s scope. The new version specifies that these spare parts must follow “the same development and production processes as the original product”.

[Edited by Nathalie Weatherald]

Source: Euractiv.com
