On Tuesday, 15 November, the European Data Protection Supervisor (EDPS) published an opinion on the European Commission’s proposed legislation on cyber resilience. The European Commission had presented this text, which is expected to set specific requirements for all digital products and shift responsibility to manufacturers, on 15 September (see EUROPE 13022/9).
Although in favour of this proposal, the EDPS notably insists that the European cybersecurity certificate proposed in the text should not replace certification that ensures compliance with the General Data Protection Regulation (GDPR). Moreover, the EDPS adds that the cybersecurity certificate does not indicate that a product with digital elements is compliant with the GDPR either.
The EDPS also recommends including the ‘data protection by design’ and ‘data protection by default’ principles as an essential part of these requirements.
Furthermore, it suggests clarifying the type of synergies envisaged between the bodies and organisations concerned by the proposal on cyber resilience, including the role of the European Data Protection Board.
Finally, the European Data Protection Supervisor believes that clarifications would also need to be made regarding the relationship between the proposed regulation and existing EU data protection laws. (Original version in French by Thomas Mangin)