Europe Daily Bulletin No. 13305
SECTORAL POLICIES / Digital

European Parliament and EU Council reach provisional agreement on Cyber Resilience Act

Negotiators from the Council of the European Union and the European Parliament reached a political agreement on the Cyber Resilience Act shortly before midnight on Thursday 30 November and Friday 1 December.

“The Cyber Resilience Act will strengthen the cybersecurity of connected products by addressing hardware and software vulnerabilities, making the EU a safer and more resilient continent”, commented the European Parliament’s rapporteur for the dossier, Nicola Danti (Renew Europe, Italian).

“Connected devices must benefit from a basic level of cyber security when they are sold in the EU, so that businesses and consumers are properly protected against cyber threats. This is exactly what the Cyber Resilience Act will achieve once it comes into force”, added Spain’s Minister for Digital Transformation, José Luis Escrivá.

According to the compromise document obtained by EUROPE, the European co-legislators have agreed on the length of the support period during which manufacturers must ensure effective handling of vulnerabilities. This is set at 5 years, unless the expected life of a product is shorter.

On the other hand, for products with a useful life of more than 5 years, such as motherboards, microprocessors, network devices such as routers or modems, or software such as operating systems or video editing tools, manufacturers will have to “guarantee longer support periods that reflect the reasonably expected useful life of the product”.

A stronger role for ENISA, although Member States retain control

Parliament and the Council of the EU have also clarified the role of the European Union Agency for Cybersecurity (ENISA), which had been a stumbling block during the negotiations (see EUROPE 13291/8).

The compromise reached by the two institutions provides for vulnerability alerts to be sent by manufacturers to the national competent authority - the Cyber Security Incident Response Team (CSIRT) - which will then submit them to ENISA. ENISA will then decide to inform the other Member States if it considers the threat to be significant.

However, while Parliament has been heeded in relation to strengthening ENISA’s role, the Member States have obtained, during this final trilogue, that they will be able to decide to limit the information contained in the notifications if they consider that this could have an impact in terms of security.

There are also exemptions if the product with the vulnerabilities is mainly present in a single Member State and this does not pose a risk to the other 26 EU Member States, or if the manufacturer in question considers that disclosure of the vulnerability represents a risk, particularly in terms of cyber security.

However, whatever the notification, ENISA should always be informed of the name of the manufacturer, the product concerned and other general information.

Extending the list of products covered

Parliament and the Council of the EU also decided in favour of extending the list of devices covered, with the inclusion of products such as identity management system software, password managers, biometric readers, intelligent home assistants and private security cameras.

Open source software will also be covered, provided it is intended for commercial use. Open source software sold by not-for-profit organisations that reinvest their income in not-for-profit activities does not fall within the scope, nor do ‘cloud’ services.

For all objects covered by the Cyber Resilience Act, the text of the agreement specifies that security updates must be installed automatically and separately from functional updates.

“At present, many products from third countries enter the EU single market without any guarantee that they are cyber-secure or regularly updated with the latest software. In future, products will have to comply with the law on cyber resilience. They will carry the ‘CE’ mark”, explained Henna Virkkunen (EPP, Finnish).

Nor will the regulation apply to products whose cybersecurity requirements are already defined under other European legislation, such as medical devices, aeronautical products, cars or software as a service - commercial operating models of software installed on remote servers rather than on the user’s machine - covered by the revised ‘NIS 2’ directive (see EUROPE 13297/25).

Coming into force in 3 years’ time

In addition, the text includes certain provisions for micro and small businesses, which will be able to benefit from information campaigns, training and support for testing and compliance assessment procedures.

“We have taken care to support micro and small businesses and to better involve stakeholders, and we have addressed the concerns of the open source community, while maintaining an ambitious European dimension”, said Mr Danti.

Finally, the European co-legislators have agreed that the new rules must be applied within 3 years of the text coming into force. (Original version in French by Thomas Mangin)