The European Commission unveiled, on Thursday 15 September, its proposal for legislation on cyber resilience (see EUROPE 13017/6). This text, which comes in addition to the arsenal provided by other legislation in the digital sector, such as the DSA-DMA digital package (see EUROPE 12986/3), should make it possible to introduce common cybersecurity rules for manufacturers and developers of all products with digital and connected elements.
“Data is a major issue for everyone and the interconnections between information space and physical space are growing. The architecture is based on the texts we have already worked on, such as the DSA and the DMA, but the information space is not protected, so we need barriers”, said the Commissioner for Internal Market, Thierry Breton.
In detail, the Commission’s proposal is based on three pillars. Firstly, it will have to set specific requirements for all digital products and will shift the responsibility back to the manufacturers to ensure that the products are safe. The latter will thus have to take cybersecurity into consideration from the design and development of the products concerned.
Additional assessment for 10% of products
In practical terms, manufacturers would have to obtain a ‘CE’ marking of conformity in order for software or any other object falling under this legislation to be admitted into the European single market.
For “90% of objects”, Mr Breton said, this conformity assessment could be carried out by the manufacturers themselves. On the other hand, “for about thirty more specific objects”, the assessment will have to be carried out by a third party.
“This is done so as not to increase the burden; the control will have to be done by all those who have the responsibility: customs for products coming from outside the EU, market surveillance authorities for everything that circulates in the Single Market. We will just ask them to check, as they already do for other products, that the cyber products are compliant”, he added.
In detail, hard drives, smart speakers, games, and word processing or photo editing software would be exempt from third-party assessment. Other products would be judged on the basis of functionality, intended use and other criteria such as the magnitude of the potential impact.
Products qualified as critical, such as password managers, network interfaces, firewalls or microcontrollers, would be subject to standards enforcement or third-party assessment. Those most likely to cause risks, such as operating systems, CPUs or industrial firewalls, would not be able to escape a third-party assessment.
In particular, manufacturers and developers should ensure that they provide end-of-life information, updates and support throughout a product’s life cycle.
Penalties of up to 5% of turnover
Secondly, and these are the other two pillars on which the proposal is based, the text aims to ensure that users have more information at their disposal when choosing a digital product, with national borders not limiting the scope of the text. “This text must be a point of reference on the international scene”, explained Mr Breton.
In the event of non-compliance, the text provides for several types of sanctions. Thus, non-compliance of a product could lead to a recall of the product in question, or even to its prohibition in the Single Market. If the offending entity fails to respond, fines of up to 5% of worldwide turnover could be imposed.
In addition to cooperation with national authorities and customs services, the European Union Agency for Cybersecurity (ENISA) will also be involved.
The agency, based in Athens, would be responsible for assessing the conformity of a product in case of doubt on the part of the Commission or in the event that a national authority has not done its job properly. A report would then be produced and submitted to the Commission.
A proposal that “should go further”
The Commission’s proposal quickly caused a reaction. According to the European Consumer Organisation (BEUC), this proposal “meets a long-standing need” and “would significantly improve the current situation”.
However, the BEUC added, the text “should go further”, including “recognising the need for independent third-party assessment of certain higher-risk products” and “requiring manufacturers to continuously address security vulnerabilities by providing software updates during the intended lifetime of the product”. The organisation also advocates for a more effective redress and compensation mechanism for consumers harmed by a product.
On the European Parliament side, some, such as Patrick Breyer (Greens/EFA, German), also said that an obligation to correct loopholes immediately would be welcome. The MEP also stated that special attention should be paid to open source software so as not to jeopardise its development.
See the proposal: https://aeur.eu/f/339 (Original version in French by Thomas Mangin)