Member States discussed the EU Council Swedish Presidency’s latest compromise version of cyber resilience legislation (see EUROPE 13103/2) at a meeting of the Horizontal Working Party on Cyber Issues on Wednesday 15 February.
Several changes have been made to the previous version of the compromise text as presented by the Swedish Presidency of the EU Council. The text now provides that products with an essential safety function are deemed ‘critical’.
These products, such as network traffic monitoring systems for flow control or security information and event management systems, would not be the only ones to qualify as ‘critical’.
The compromise document also adds to the list products from the Internet domain, products that play a major role in the management of a system or those that can harm other products, such as remote access software, operating systems or embedded browsers.
Other products, such as remote authentication tools and virtual private networks, would qualify as ‘highly critical’ if they tick both of the boxes that qualify an object as ‘critical’.
Furthermore, the compromise document foresees that suppliers of ‘highly critical’ products could be required by the European Commission to obtain a ‘cybersecurity certificate’.
In order to justify the application for a certificate, the European Commission should use the criteria laid down in the category of ‘highly critical’ objects and analyse the potential impact of these objects on ‘essential’ entities that fall under the revised ‘NIS2’ Directive, which is intended to ensure a common high level of cybersecurity throughout the EU (see EUROPE 13072/30).
See the document: https://aeur.eu/f/5cb (Original version in French by Thomas Mangin)