Cyber resilience act: member states agree common position on security requirements for digital produ

With a view to ensuring that products with digital components, such as connected home cameras, smart fridges, TVs, and toys, are safe before entering the market, member states’ representatives (Coreper) reached a common position on the proposed legislation regarding horizontal cybersecurity requirem

We are to celebrate the agreement reached today in the Council. An agreement that advances the EU's commitment towards a safe and secure digital single market. IoT and other connected objects need to come with a baseline level of cybersecurity when they are sold in the EU, ensuring that businesses and consumers are effectively protected against cyber threats. This is an important milestone for the Spanish presidency, and we hope to bring forward negotiations with the Parliament as much as possible.

Carme Artigas Brugal, State Secretary for digitalisation and artificial intelligence

Objectives of the proposal

The draft regulation introduces mandatory cybersecurity requirements for the design, development, production and making available on the market of hardware and software products to avoid overlapping requirements stemming from different pieces of legislation in EU member states.

The proposed regulation will apply to all products that are connected either directly or indirectly to another device or network. There are some exceptions for products for which cybersecurity requirements are already set out in existing EU rules, for example on medical devices, aviation, or cars.

The proposal aims to fill the gaps, clarify the links, and make the existing cybersecurity legislation more coherent by ensuring that products with digital components, for example ‘Internet of Things’ (IoT) products, become secure throughout the whole supply chain and throughout their whole lifecycle.

Finally, the proposed regulation also allows consumers to take cybersecurity into account when selecting and using products that contain digital elements by providing users the opportunity to make informed choices of hardware and software products with the proper cybersecurity features.

Main elements retained from the Commission’s proposal

The Council’s common position maintains the general thrust of the Commission’s proposal, namely as regards:

  • rules to rebalance responsibility for compliance towards manufacturers, who must ensure conformity with security requirements of products with digital elements that are made available on the EU market, including obligations like cybersecurity risk assessment, declaration of conformity, and cooperation with competent authorities
  • essential requirements for the vulnerability handling processes for manufacturers to ensure the cybersecurity of digital products, and obligations for economic operators, such as importers or distributors, in relation to these processes
  • measures to improve transparency on security of hardware and software products for consumers and business users, and a market surveillance framework to enforce these rules

The Council’s amendments

However, the Council’s text amends various parts of the Commission’s proposal, including on the following aspects:

  • the scope of the proposed legislation, including with regard to the specific categories of products that should comply with the regulation’s requirements
  • reporting obligations for actively exploited vulnerabilities or incidents, with reports going to the competent national authorities (‘computer security incident response teams’ – CSIRTs) instead of the EU agency for cybersecurity (ENISA), and with the latter establishing a single reporting platform
  • elements for the determination of the expected product lifetime by manufacturers
  • support measures for small and micro enterprises
  • a simplified declaration of conformity

Next steps

Today’s agreement on the Council’s common position ('negotiating mandate') will allow the Spanish presidency to enter negotiations with the European Parliament ('trilogues') on the final version of the proposed legislation.

Background

In its conclusions of 2 December 2020 on the cybersecurity of connected devices, the Council underlined the importance of assessing the need for horizontal legislation in the long term to address all relevant aspects of cybersecurity of connected devices, such as availability, integrity and confidentiality, including specifying conditions for the placement on the market.

First announced by Commission President Von der Leyen in her State of the Union address in September 2021, the idea was reflected in the Council conclusions of 23 May 2022 on the development of the European Union’s cyber posture, which called upon the Commission to propose common cybersecurity requirements for connected devices by the end of 2022.

On 15 September 2022, the Commission adopted the proposal for a regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending regulation (EU) 2019/1020 (‘cyber resilience act’), which will complement the EU cybersecurity framework: the directive on the security of network and information systems (NIS directive), the directive on measures for a high level of cybersecurity across the Union (NIS 2 directive) and the EU cybersecurity act.