Members of the European Parliament’s Committee on the Internal Market and Consumer Protection (IMCO) debated, on Tuesday 23 May, the amendments tabled by the political groups on the future Cyber Resilience Act (see EUROPE 13169/7).
During the discussions, emphasis was placed first of all on the burden that the text could place on micro, small and medium-sized enterprises. On this point, the groups seem to agree: “This legislation will result in significant compliance costs. Costs and unnecessary bureaucracy must be cut”, summarised Arba Kokalari (EPP, Swedish). However, a balance will have to be found “without compromising", said Morten Løkkegaard (Renew Europe, Danish), rapporteur of the IMCO Committee.
For its part, the Commission has not closed the door on alternative solutions to increase support for micro-enterprises and SMEs. “We can consider other options, with the use of financial instruments or other guidelines”, it said.
Most of the European Parliament political groups also stressed the need to align the Cyber Resilience Act with other existing legislation, such as the revised ‘NIS 2’ directive, which should ensure a common high level of cyber security across the EU (see EUROPE 13072/30) and the EU General Product Safety Regulation (see EUROPE 13089/11), or the forthcoming Artificial Intelligence Act (see EUROPE 13180/1).
The question of the timeframe for the implementation of the future legislation, on the other hand, has shown divisions among MEPs.
For the EPP, the timeframe for implementation is considered too short. “Companies need time to adapt”, Ms Kokalari added.
For the S&D group, however, implementation should be as quick as possible. “We have reservations about extending the implementation period. We need to protect consumers as quickly as possible”, said Adriana Maldonado López (S&D, Spanish).
The Commission’s original proposal was that the future regulation would apply 24 months after its entry into force, with the exception of the notification requirement for manufacturers, which would apply 12 months earlier.
In addition to questions about the scope and possible exemptions for some open source software developers, some MEPs, such as Adam Bielan (ECR, Polish), questioned the capacities of the European Union Agency for Cybersecurity (ENISA), which could be tasked with centralising the reporting of significant security incidents. “Does it have the capacity? For us, no”, he stated.
A technical meeting will be held on Wednesday 24 May. “There are a number of possible overlaps. We want to manage the dossier as well as possible, but with the aim of completing it before the end of the mandate”, summarised Mr Løkkegaard. (Original version in French by Thomas Mangin)