EU lawmakers set to close deal on cybersecurity law for connected devices

The main political groups of the European Parliament are expected to reach a common position on the new cybersecurity regulation at a political meeting on Wednesday (5 July).

The Cyber Resilience Act is a legislative proposal to introduce cybersecurity requirements such as mandatory security patches and vulnerability handling for Internet of Things products, connected devices able to collect and exchange data.

The EU lawmakers involved in the file for the European Parliament’s leading Industry Committee will meet on Wednesday to discuss where to deal with the issue of open source, whether in the chapeau or in the body of the text, the product’s support period, the reporting obligations and the timeline for the entry into force.

Ahead of the political endorsement, the rapporteur Nicola Danti shared a largely consolidated version of the text, seen by EURACTIV, following a technical meeting on Monday. The committee vote is scheduled on 19 July.


The latest compromise clarifies that the remote data processing solutions integrated into the connected devices, such as cloud-enabled functionalities for smart home appliances, are also covered in the regulation’s scope.

“On the other hand, websites not inextricably linked to a product with digital elements or cloud services outside the responsibility of the manufacturer, should not be considered as remote data processing solutions under this regulation,” the text reads.

By contrast, free and open-source software outside of commercial settings is excluded from the scope. Commercial settings are where developers employed by commercial entities or their employers can exercise control over the modifications that are accepted in the code base.

Supply chain responsibilities

The due diligence obligations to ensure compliance with the cybersecurity requirements would fall on the manufacturers that decide to integrate components from third parties, including free and open-source software, into their products.

If the manufacturers discover a vulnerability in carrying out this due diligence, they should address it and inform the developer of the component of the security patch they applied.

The Parliament’s text obliges the manufacturers of components to provide the final product manufacturer with all the relevant information to comply with the regulation free of charge.

The responsibility to comply with the cybersecurity law shifts on any economic operator that substantially modifies the product. The Commission is tasked with providing guidance on what constitutes substantial modifications.

Support period

The definition of the support period was changed to include the timeframe during which manufacturers are expected to handle vulnerabilities.

Manufacturers should make the support period proportionate to the expected product lifetime and provide market authorities with the relevant information upon request. Authorities should actively ensure that the manufacturers are correctly determining the support period.

Reporting obligations

Manufacturers must report any actively exploited vulnerability throughout the support period.

MEPs explained that these obligations cover “instances where an actor is executing malicious code on a product with digital elements in order to generate a security breach, for example, by exploiting weaknesses in identification and authentication functions.”

At the same time, hacks done in good faith, such as for testing, investigating, correcting or promoting the security of the system and its users, are kept out.

Manufacturers should also enable third parties to report vulnerabilities directly to them or indirectly via the national Computer Security Incident Response Team for those who want to do so anonymously.

Online marketplaces

In a previous iteration of the text, MEPs introduced obligations for online marketplaces, which will have to set up a single point of contact to communicate with market surveillance authorities on cybersecurity matters.

New wording clarifies situations whereby an online marketplace acts as a mere intermediator or produces some of the connected devices it sells, in which case the draft law’s requirements would also cover them.

High-risk vendors

The wording on high-risk vendors was significantly toned down compared to previous amendments. The notion covers suppliers like Huawei that are deemed to pose a risk due to China’s national law that allows the government to request access to data.

Market surveillance authority and the European Commission are tasked with providing guidance and targeted recommendations to implement corrective measures for Internet of Things products that present a significant cybersecurity risk due to these non-technical risk factors.

Support for SMEs

MEPs want that the Commission supports the SMEs’ compliance efforts with the regulation by streamlining financial support via the Digital Europe Programme and other EU programmes. EU countries are also to consider complementary actions.

The article on regulatory sandboxes was deleted in favour of more generic controlled testing environments EU countries might establish with the support of ENISA, the EU cybersecurity agency. Manufacturers of products using an AI system deemed high-risk under the AI Act will be able to join regulatory sandboxes established under that regulation.


The rapporteur pushed the date of application from 24 to 40 years, whilst the reporting obligations were extended from 12 to 20 months since the regulation’s entry into force. This part might still be subject to significant changes at the political level.

[Edited by Nathalie Weatherald]


About the author

Related Post

Leave a comment

Your email address will not be published. Required fields are marked *