On Tuesday 25 April, MEPs on the European Parliament’s Committee on Industry, Research and Energy (ITRE) debated the report by Nicola Danti (Renew Europe, Italian) on the future legislation on cyber resilience (see EUROPE 13103/2). Presented by the European Commission in September 2022 (see EUROPE 13022/9), the future regulation is intended to introduce common cybersecurity rules for manufacturers and developers of all products with digital and connected elements.
Mr Danti’s report focuses on several aspects, including the responsibility for free software and other open source products. The report suggests that liability for these types of products should be placed on the entities that incorporate the software in question into products that are then sold on the market. An amendment to this effect will be put forward, Mr Danti announced.
“This is a very sensitive issue for all of us. Our proposal is that it is not the open source that counts, but its placing on the market. We have to see which actor is bringing the products to market and how they monetise this”, he commented.
“We must guarantee the role of the open source community with a clear text which would not restrict the application and development of software”, added Ignazio Corrao (Greens/EFA, Italian).
Part of the discussion also focused on the role of the European Union Agency for Cybersecurity (ENISA). The report proposes that it should act as a ‘one-stop shop’ for reporting problems and vulnerabilities in order to ease the burden on businesses. In this respect, Mr Danti said, a request should be made to the Commission for a guarantee that ENISA will be properly resourced.
For others, like Henna Virkkunen (EPP, Finnish), particular attention should be paid to the content of reporting by companies to ENISA. “The obligations are currently very broad for the actors; this will also increase the burden on ENISA. The burden should not be put on SMEs”. Like other MEPs, Ms Virkkunen advocates that only “significant incidents” should be reported.
In addition to discussions on the necessary support for SMEs, the timeframe for the implementation of the future regulation was discussed. The report extends this period to 40 months. “There are very high expectations for this regulation. There should be no further postponements”, Ms Virkkunen said.
Finally, other MEPs emphasised the need to focus on skills development to carry out strategies linked to cybersecurity. “There is a shortage of professionals, some figures suggest 500,000 skilled people are needed. And only 2% of the people in this field are women”, stressed Beatrice Covassi (S&D, Italian). (Original version in French by Thomas Mangin)