EU Council mulls pan-European platform to handle cyber vulnerabilities

Managing cyber vulnerabilities exploited by hackers remains the pain point of a new cybersecurity law, with the idea of a pan-European reporting platform entering the scene.

The Cyber Resilience Act is a legislative proposal introducing security requirements manufacturers must comply with before launching connected devices in the EU market.

The critical point of contention remains the reporting obligations on actively exploited vulnerability, with significant changes being discussed as shown in an updated Council text dated 15 June and seen by EURACTIV.

The document was the centre of the discussion in a meeting of the Cyber Working Party, a technical body of the EU Council of Ministers, on Wednesday (21 June), when it became clear no common position could be reached on the file before the end of the Swedish presidency.

Thus, the baton is due to be passed on to Spain next month, with a tentative date for an endorsement at the ambassador level set for 17 July.

Vulnerability handling

For the first time, the draft EU law would require manufacturers to report not only cybersecurity incidents but also actively exploited vulnerabilities, meaning security loopholes that have yet to be patched.

The concept of actively exploited vulnerabilities was aligned with the definition of the revised Networks and Information Security Directive (NIS2) and expanded to cover both attempted and successful security breaches.

Moreover, the compromise notes that the vulnerability handling obligations “apply to products with digital elements in their entirety, including all integrated components”.

Manufacturers should indicate when they will provide vulnerability handling, for instance, in the product’s package. Manufacturers should publicly disclose information on fixed vulnerabilities unless the security risks outweigh the benefits, notably to allow users to apply the relevant patch.

Reporting obligations

The reporting obligations of manufacturers are the real bone of contention in the Council, as EU countries moved the handling of such sensitive intelligence from the hands of ENISA, the EU cybersecurity agency, to those of the national Computer emergency response teams (CSIRTs).

Manufacturers would have to send an early warning within 24 hours since they become aware of an actively exploited vulnerability and an update within three days with more detailed information, remediation status and any corrective or mitigating measures.

All notifications are to be submitted via the electronic notification endpoint of the EU country where they have their main establishment, defined as “where the decisions related to cybersecurity of its products with digital elements are predominantly taken”.

All the national endpoints should feed into a single reporting platform established and managed by ENISA, with the CSIRTs involved in setting up the platform’s security and operational arrangements.

The first CSIRT that receives the notification will have to inform all the relevant peers, but in exceptional circumstances, this might be delayed as strictly necessary for justified cybersecurity reasons.

A provision stating that the regulation’s obligations should not entail disclosing information contrary to the essential interests of EU countries’ security was removed.

Special product categories

As previously reported by EURACTIV, the EU Council introduced a new annexe listing highly critical products, reducing the discretion of the European Commission, which will still be able to add or remove product categories.

The idea is that the EU executive could oblige via delegated acts these product categories to qualify with a European cybersecurity certification to demonstrate compliance with the EU rules.

Member states have included the conditions that for the certificate to become mandatory, it must already be in place, and the Commission needs to carry out an impact assessment to analyse its effect in terms of product availability in the internal market.

“The assessment of the potential market impact of the envisaged mandatory certification should consider both the supply and demand side, including whether there is sufficient demand,” the text reads.

Special product categories are also listed under classes I and II, which, together with highly critical products, the Commission is tasked to specify common specifications and conformity assessment procedures.

Application-specific integrated circuits and field-programmable gate arrays were moved from class II to class I. Authentication software like password managers was added to class II.

Essential requirements

The Cyber Resilience Act is meant to introduce essential requirements for all connected products. The new text specifies that these essential requirements, including vulnerability handling, apply to each product placed on the market regardless if they are part of a series.

The responsibility to comply with these essential requirements shifts on any economic operator that introduces substantial modifications to the product, which might also result from software updates, whether separate or in combination with a security update.

Before placing a product into the market, manufacturers should conduct an impact assessment to consider whether a vulnerability might have a systemic impact on consumers and organisations.

Delegate powers

The Commission’s power to adopt delegated acts will expire five years after the regulation’s entry into force. Still, it will be automatically extended unless the EU Council or Parliament oppose it. The EU executive is also to provide a report nine months before the end of the five-year period.


The regulation’s entry into application was postponed from two to three years since it entered into force.

[Edited by Nathalie Weatherald]


About the author

Related Post

Leave a comment

Your email address will not be published. Required fields are marked *