EU Member States discussed the Swedish Presidency’s new compromise text on future legislation on cyber resilience (see EUROPE 13065/9) at a meeting of the Council of the EU’s Horizontal Working Party on Cyber Issues on Wednesday 18 January.
Presented by the European Commission on 15 September 2022 (see EUROPE 13022/9), the future regulation is intended to introduce common cybersecurity rules for manufacturers and developers of all products with digital and connected elements.
Firstly, the new version of the text extends the scope in certain cases to ‘software as a service’ (or ‘SaaS’), meaning software application solutions hosted in the cloud and operated outside an organisation or company by a service provider.
Such ‘SaaS’ solutions would now fall within the scope of the legislation where they meet the criteria for “remote data processing solutions relating to a product with digital elements, defined as any data processing at a distance for which the software or hardware is designed and developed by the manufacturer of the product concerned or under the responsibility of that manufacturer, and the absence of which would prevent such a product with digital elements from performing one of its functions”, the document states.
Cloud services designed and developed outside the responsibility of a manufacturer of a product with digital elements would, for example, fall outside the scope, as would websites, since they are not developed under the responsibility of a manufacturer of internet browsers and the absence of any individual website would not prevent a browser from performing its functions.
In addition, the text clarifies the room for manoeuvre of Member States on certain issues. They could not, in the aspects covered by the text, hinder the making available on the market of products with digital elements that comply with this Regulation. However, Member States could establish national measures - including restrictions - on products containing digital elements or their suppliers and on non-technical issues not covered by the future Regulation.
The compromise proposal also provides that Member States may take measures to safeguard national security by imposing additional measures on products with digital components used for military, defence or national security purposes.
Finally, a new recital has been added, stating that the obligations under the future regulation should not involve the provision of information the disclosure of which would be contrary to the essential security interests of the Member States.
See the document: https://aeur.eu/f/4z2 (Original version in French by Thomas Mangin)