The interinstitutional negotiations (‘trilogues’) on the Cyber Resilience Act are set to get underway after the European Parliament and the EU Council adopted their respective positions on Wednesday 19 July. The text tabled by Nicola Danti (Renew Europe, Italian) was supported by 61 MEPs from the Committee on Industry, Research and Energy (one vote against, 10 abstentions) (see EUROPE 13217/10).
The text adopted by the European Parliament Committee thus confirms the mandatory cybersecurity requirements for the design, development, production and placing on the market of hardware and software products. Under it, “all digital elements available on the market that can have a direct or indirect data connection with a device or network” should be made available by manufacturers “without any known exploitable vulnerability”.
These products should have a secure configuration by default, “unless agreed otherwise between the parties in a business-to-business context”. Security updates would have to be made available separately from functional updates, and users should be notified of them.
In addition, manufacturers would be required to carry out an assessment of the cybersecurity risk associated with their products. This assessment should be taken into account during the product design, development, delivery and maintenance phases.
This maintenance period should be “proportionate to the expected lifetime of the product” and take into account “the nature of the product, user expectations and the availability of the operating environment”. Manufacturers should also make available to the supervisory authorities the information on product lifetime used to define the maintenance period.
More stringent provisions for ‘critical’ products
Obligations would also be strengthened for ‘critical’ products, likely to have an impact on health, fundamental rights or safety. Manufacturers of network management systems, biometric readers, password managers or network configuration tools, for example, should obtain a European cybersecurity certificate, in accordance with the Regulation on certification in this field (2019/881). The European Commission could, by means of delegated acts, add to the list of products qualified as ‘critical’. The first delegated act could be adopted at the earliest 2 years after the entry into force of the Regulation.
The European Parliament position also allows companies to use ‘regulatory sandboxes’ for product prototypes or unfinished software. Member States could be supported by the European Union Agency for Cybersecurity (ENISA) in setting up these ‘regulatory sandboxes’.
Parliament also calls on the Commission to amend ENISA’s financial statement to give it nine full-time equivalent posts and additional funding so that it can fulfil its role under the Cyber Resilience Act.
ENISA would also be responsible for receiving notifications from manufacturers about identified vulnerabilities. These notifications should be issued within 72 hours of detection, and corrective or mitigating measures should be taken.
The text also provides for the establishment, “no later than 6 months after the entry into force of the text” of a group of experts on cyber resilience, appointed by the Commission for a renewable three-year term.
This group of experts would be made up of representatives from various EU bodies and agencies, including ENISA, the European Data Protection Board and the European standardisation bodies. This group of experts is expected to, among other things, advise the Commission on the list of critical products or the implementation of European cybersecurity certification systems.
Parliament also wants to revise the date of application of the text, proposing 36 months instead of 24 from the date of entry into force. Article 11, on manufacturers’ reporting obligations, would apply after 18 months.
The EU Council reviews the role of ENISA
For its part, the EU Council maintained the Commission’s approach on several points. In line with the Commission’s proposal, the EU Council intends to “rebalance the responsibility for compliance towards manufacturers”, who would have to ensure that products with digital elements comply with the security requirements.
They would be required to assess cybersecurity risks, draw up a declaration of conformity and cooperate with the competent authorities. On the other hand, the Commission’s approach has been revised on a number of aspects, in particular the essential requirements relating to vulnerability handling processes. The EU Council, for example, wants actively exploited vulnerabilities or potential incidents to be notified to the national competent authority, and not to ENISA.
Other changes have also been made to the scope of application, the determination of product lifetimes, support measures for small and medium-sized enterprises and simplified declarations of conformity.
To see the text adopted by the European Parliament Committee: https://aeur.eu/f/866 (Original version in French by Thomas Mangin)