Upcoming European cybersecurity legislation – Current State of Play
Member states’ representatives have reached a common position on the proposed Cyber Resilience Act.
Before receiving endorsement at the ambassadorial level, the regulation was adjusted in three areas: reporting obligations, the highly critical products category, and product lifetime.
Reporting obligations have been introduced in the cybersecurity regulation, requiring manufacturers to notify the competent authority of any cybersecurity incidents or exploited vulnerabilities. The responsibility for this reporting has been shifted from ENISA to national Computer Security Incident Response Teams (CSIRTs), with encouragement for member states to establish a single national entry point for reporting.
CSIRTs that receive the reports must share them with their peers through a single reporting platform, unless there are valid cybersecurity-related reasons to delay transmission. ENISA will build the pan-European platform to the CSIRTs’ specifications and must promptly give notice of any cybersecurity incident affecting the platform itself.
Previously added flexibility for manufacturers in reporting deadlines has been removed.
Regarding highly critical products, the latest version removes explicit references to the term. Instead, the European Commission’s discretion on this matter is reduced: it must conduct an impact assessment before requiring mandatory certification for specific product categories.
The concept of expected product lifetime has also been included, with manufacturers required to indicate the expected product lifetime for security updates. The elements considered for this calculation have been moved to the preamble, and market surveillance authorities’ entitlement to request justification for the product lifetime calculation has been removed.
Responsibility for compliance with the cybersecurity law shifts to the economic operator that makes a substantial modification to a connected device. This responsibility does not attach to security patches that do not alter the product’s intended purpose. Products with digital elements developed or modified by public administrations for their exclusive use are also exempted.
Enforcement of the regulation will involve EU market surveillance authorities issuing guidance documents to facilitate national-level enforcement. Spare parts manufactured exclusively to replace identical components in connected devices are excluded from the regulation’s scope, provided they are made following the same development and production processes as the original product.
The Spanish Presidency of the Council of the European Union has released a near-final draft of the Cyber Resilience Act that significantly reduces the number of product categories subject to specific compliance requirements. The draft law stipulates that product manufacturers must self-assess their compliance, except for certain categories of products that require external vetting by authorized auditors. The revised list of special product categories comprises Class I and Class II products, which are either essential to the cybersecurity of other products or carry a high risk of adverse effects if manipulated.
Revised list of Class I products
Class I products now include anti-virus software, boot managers, digital certificate issuance software, operating systems, network interfaces, internet routers, microprocessors, and microcontrollers. Class II products encompass Virtual Private Networks (VPNs), runtime systems supporting virtualized execution of operating systems, and firewalls.
Highly critical products
The law also introduces a category for highly critical products, allowing the European Commission to mandate EU cybersecurity certification, but with limitations on its discretion. The Commission must conduct an impact assessment and specify the required level of assurance proportionate to the product’s risk level.
Administrative requirements and reporting
The draft law also mandates product manufacturers to report cybersecurity incidents and vulnerabilities to national Computer Security Incident Response Teams (CSIRTs), removing ENISA’s direct involvement. CSIRTs will guide the platform’s security arrangements and may delay notifications under justified circumstances. Manufacturers are required to determine the expected lifetime of their products based on various factors.
The Council text also includes provisions to ease the administrative burden on small and micro companies, and clarifies that the regulation does not apply to spare parts with digital elements supplied exclusively by the original product manufacturer.
The Cyber Resilience Act is one step closer to becoming a reality
On July 5th, EU lawmakers on the European Parliament’s lead committee for the file, the Industry Committee, will discuss various aspects of the Cyber Resilience Act (CRA), including the treatment of open source, the support period for products, the reporting obligations, and the timeline for implementation.
A largely consolidated version of the text was shared ahead of the meeting. The committee is scheduled to vote on the regulation on July 19th.
A redefined and clarified scope of application
Following clarifications, the regulation’s scope now includes remote data processing solutions integrated into connected devices, such as cloud-enabled functionalities for smart home appliances.
However, websites that are not directly linked to a product with digital elements, or that fall outside the manufacturer’s responsibility for cloud services, are not considered remote data processing solutions under this regulation. The scope also excludes free and open-source software that is not developed in a commercial setting, a commercial setting being one in which developers employed by commercial entities control modifications to the code.
Manufacturers must show due diligence
Manufacturers that incorporate components from third parties, including free and open-source software, into their products are required to exercise due diligence to ensure compliance with the cybersecurity requirements. If a vulnerability is discovered during this process, the manufacturers should address it and inform the component developer about the security patch they applied. Manufacturers of components must provide all relevant information to the final product manufacturer to comply with the regulation.
The regulation introduces a support period, which now includes the timeframe for handling vulnerabilities. Manufacturers are expected to determine the support period proportionate to the product’s expected lifetime and provide relevant information to market authorities upon request. Authorities are responsible for ensuring that manufacturers accurately determine the support period.
The proposal requires manufacturers to establish a single point of contact for communicating with market surveillance authorities on cybersecurity matters. The new wording clarifies that this requirement also applies to online marketplaces that act as intermediaries or produce connected devices.
The regulation addresses high-risk vendors, but the language has been toned down compared to previous versions.
Small and medium-sized enterprises
MEPs emphasize the need for the Commission to support small and medium-sized enterprises (SMEs) in complying with the regulation by streamlining financial support through programs like the Digital Europe Programme. Member states are also encouraged to consider complementary actions.
Under the revised text, EU countries may establish controlled testing environments with the support of ENISA, the EU cybersecurity agency. Manufacturers of products using high-risk AI systems under the AI Act can participate in the regulatory sandboxes established under that regulation.
The rapporteur proposed extending the date of application from 24 to 40 months and extending reporting obligations from 12 to 20 months after the regulation’s entry into force. However, these aspects may still undergo significant changes at the political level.
EU Council Proposes Amendments to the Cyber Resilience Act
The European Union Council, representing its 27 member states, is actively engaged in shaping a revised cybersecurity law that aims to strengthen digital security within the EU. A new fully reviewed text indicates that the Council is making significant adjustments.
Several noteworthy developments have emerged from this review.
The Swedish EU Council presidency introduced two supplementary requirements to promote user privacy and data protection.
Firstly, every IoT device should have a unique product identifier to enable easy identification during the rollout of security patches.
Secondly, manufacturers must empower users to remove all data and settings securely, including Wi-Fi network access, when disposing of the product.
Moreover, manufacturers are required to include a justification in the cybersecurity risk assessment if an essential requirement does not apply to a particular product.
The Council aims to implement more rigorous assessments for critical products. These are categorized according to specific criteria and are therefore subject to external audits to ensure their cybersecurity resilience. The categories have been revised to reflect the changing threat landscape.
The first criterion for critical products is whether they have cybersecurity-related functionality that performs critical security functions such as authentication, access control, intrusion prevention, endpoint security or network protection.
The second criterion covers products that perform core system functions such as network management, configuration control, virtualization or personal data processing, or functions whose failure could disrupt many connected devices.
The updated compromise made changes to the categories for both criteria, removing some products and adding new ones.
Standardization and Certification
The Cyber Resilience Act includes provisions for issuing technical standards to ensure compliance. The industry will drive standardization, but if the resulting standard deviates significantly or isn’t provided on time, the European Commission can issue common specifications.
The Council is wary of this route because of its complexity and limits the Commission’s discretion accordingly; member states can contest specifications they consider non-compliant. The act also narrows the Commission’s discretion over cybersecurity certification schemes.
Product Lifecycle and Reporting Requirements
The Council has extended the product lifecycle by removing the previous five-year limit.
Additionally, automatic security updates are proposed as the default option for connected devices, but exceptions are made for certain products integrated into other components or where automatic updates may interfere with operations.
Reporting of incidents and vulnerabilities will be directed to national Computer Security Incident Response Teams (CSIRTs), although the role of the EU cybersecurity agency, ENISA, is still under discussion.
Manufacturers will be required to inform users about corrective measures in a standardized, structured, and machine-readable format in case of incidents.
Additional National Measures
While harmonization is a goal of the Cyber Resilience Act, national governments have the option to impose additional security requirements for ICT products used by entities classified as essential or important under the revised Networks and Information Security Directive (NIS2).
IoT device manufacturers are first in line when it comes to compliance.
Read our practical guides on what you have to do, how much time you have to comply and what the legal ramifications of non-compliance are.
While free and open-source software does not, for now, fall under the purview of the Cyber Resilience Act, commercial software that includes remote data processing solutions will need to comply with the Act.
Read our practical guides to understand what you need to do.
IoT device importers, distributors and resellers have many requirements under the CRA and in some circumstances can even be considered as manufacturers themselves.
Our guides detail these stakeholders’ responsibilities and liabilities.