Europe Daily Bulletin No. 13291
SECTORAL POLICIES / Digital

Cyber Resilience Act, co-legislators seek balance between roles of ENISA and CSIRTs ahead of next round of inter-institutional negotiations

Negotiators from the Council of the European Union and the European Parliament will meet on 30 November to attempt to reach a political agreement on legislation for cyber-resilience (Cyber Resilience Act). In the meantime, work will focus in particular on the role of the European Union Agency for Cybersecurity (ENISA) and the computer attack warning and response centres (CSIRTs) when incidents are reported by manufacturers of connected objects.

Although they are close to a political agreement, the co-legislators will have to strike a balance between the competences of ENISA and the CSIRTs. The European Parliament wants ENISA to be responsible for receiving reports of security incidents from manufacturers. The Council of the EU wants Member States to retain control over this issue and for incidents and other vulnerabilities to be reported to the CSIRTs.

The Commission proposes that incident and vulnerability reports be submitted to ENISA and the CSIRTs, but the co-legislators will have to agree on which entity is alerted first in the event of an incident.

In its position, Parliament also wanted the European Commission to amend ENISA’s financial statement to give it nine full-time equivalent posts and additional funding so that it could fulfil its role (see EUROPE 13226/3).

In addition, the negotiators from the Council of the EU and Parliament will be working on the issue of vulnerabilities. The last compromise text proposed that only exploited vulnerabilities should be covered by the text and that unsuccessful attempts should be excluded.

While the co-legislators have validated the five-year period during which manufacturers will be required to provide patches and security updates, work still needs to be carried out on critical product categories.

Discussions should focus on the criteria used to define whether or not a product is considered critical, on impact assessment and on whether or not systems or objects qualified as critical are considered as such when integrated with other non-critical products. (Original version in French by Thomas Mangin)
