Manufacturers’ obligations, reporting, compliance and enforcement are the main areas covered by the first compromise text on the new cybersecurity law that EU lawmakers will discuss next week.
The Cyber Resilience Act is a legislative proposal introducing basic cybersecurity requirements for connected products. The European Parliament’s rapporteur Nicola Danti circulated the first compromise amendment last week.
The other political groups have until Monday (22 May) to submit their written comments before the first technical meeting next Wednesday. The text, seen by EURACTIV, builds on Danti’s draft report introducing amendments to crucial parts of the file.
The scope of the regulation was enlarged to cover any product with digital elements that can have a direct or indirect data connection to a device or network.
At the same time, connected devices developed exclusively for the defence sector were excluded alongside those with national security and military purposes.
The preamble’s text, which covers essential aspects of the proposal, such as how to deal with open-source software, was not included in the first batch of compromises, as EURACTIV understands the rapporteur has still not decided on the issue.
Obligations for manufacturers
When a manufacturer places a product on the EU market, it must determine, based on a risk assessment, which essential requirements it considers relevant for the product, and justify that choice in the technical documentation.
Manufacturers would have to provide the necessary security and functionality updates, rolled out automatically by default unless users opt out, at least throughout the product’s expected lifetime.
The definition of substantial modification was amended to exclude security updates intended to mitigate vulnerabilities, so that shipping a security patch does not by itself trigger a fresh conformity assessment.
The manufacturers are to keep the technical documentation that shows compliance with the cybersecurity law for the product’s expected lifetime or ten years, whichever is longer.
The draft law requires manufacturers to inform ENISA, the EU cybersecurity agency, about cybersecurity incidents and actively exploited vulnerabilities. The latter are more sensitive information, so their handling has been limited to a need-to-know basis.
An amendment from Bart Groothuis, rapporteur for the revised Network and Information Security Directive (NIS2), aligned the reporting requirements between the two laws and ensured that “an entity may only be fined once for non-compliance with overlapping requirements.”
In addition, a paragraph has been added that would give ENISA or the national Computer Security Incident Response Teams (CSIRTs) the power to disclose a significant incident in the public interest.
For significant incidents, manufacturers would have to inform the affected users and, only where relevant, all users, and tell them about the risk-mitigation and corrective measures they can take.
Moreover, the manufacturers would have to establish a single point of contact to enable users to communicate with them rapidly and directly.
A new obligation has been introduced for importers and distributors of critical products intended for entities deemed essential to the functioning of society under NIS2: they must also consider non-technical risk factors.
The reference here is to high-risk vendors, a category used to restrict the use of a supplier that is considered under the influence of hostile powers, as it was for the Chinese telecom giant Huawei.
Obtaining a European cybersecurity certification has been added to the ways in which manufacturers can demonstrate compliance with the regulation. Compliance will be presumed when manufacturers follow harmonised technical standards.
The compromise mandates that harmonised standards, common specifications and cybersecurity certification schemes should be in place for six months before the conformity assessment procedure starts to apply.
The European Commission will be able to issue mandatory common specifications when a standardisation request has not been accepted, and no harmonised standard is expected to be in place within a reasonable time.
Manufacturers of critical products must undergo third-party conformity assessment by authorised auditors, the notified bodies. The Commission is to ensure that a sufficient number of notified bodies is available in the EU within two years of the regulation’s entry into force, to avoid bottlenecks.
Market surveillance authorities may ask ENISA for technical advice on enforcing the regulation. In particular, ENISA may be asked to provide a non-binding evaluation of products presenting a significant cybersecurity risk.
Market surveillance authorities are also asked to provide granular data on categories of connected products. The Commission is to analyse the data to identify specific categories of products where non-compliance is exceptionally high.
The consideration of non-technical risk factors was also introduced for national authorities, and a reference to identifying potential embedded backdoors or other exploited vulnerabilities was added to the provisions on coordinated control actions, the so-called sweeps.
One of the main changes introduced by Danti was to let manufacturers compete in setting the expected product lifetime, as long as it is in line with reasonable consumer expectations. While this measure was maintained, the compromise requires manufacturers to take into account the product’s intended purpose and sustainability aspects.
The compromise states that “the integration of a component of higher class of criticality does not change the level of criticality for the product the component is integrated into”.
The list of critical products was amended to add platforms used for authentication, authorisation and accounting to the first class of critical products, and biometric readers to the second class.
A new article mandates establishing regulatory sandboxes to provide a controlled environment for manufacturers that want to test their products.
[Edited by Nathalie Weatherald]