
Brussels, 19 July 2023

With a view to ensuring that products with digital components, such as connected home cameras, smart fridges, TVs, and toys, are safe before entering the market, member states’ representatives (Coreper) reached a common position on the proposed legislation regarding horizontal cybersecurity requirements for products with digital elements (cyber resilience act).

“We are to celebrate the agreement reached today in the Council. An agreement that advances the EU’s commitment towards a safe and secure digital single market. IoT and other connected objects need to come with a baseline level of cybersecurity when they are sold in the EU, ensuring that businesses and consumers are effectively protected against cyber threats. This is an important milestone for the Spanish presidency, and we hope to bring forward negotiations with the Parliament as much as possible.”

Carme Artigas Brugal, State Secretary for Digitalisation and Artificial Intelligence

Objectives of the proposal

The draft regulation introduces mandatory cybersecurity requirements for the design, development, production and making available on the market of hardware and software products to avoid overlapping requirements stemming from different pieces of legislation in EU member states.

The proposed regulation will apply to all products that are connected either directly or indirectly to another device or network. There are some exceptions for products for which cybersecurity requirements are already set out in existing EU rules, for example on medical devices, aviation or cars.

The proposal aims to fill the gaps, clarify the links, and make the existing cybersecurity legislation more coherent by ensuring that products with digital components, for example ‘Internet of Things’ (IoT) products, become secure throughout the whole supply chain and throughout their whole lifecycle.

Finally, the proposed regulation also allows consumers to take cybersecurity into account when selecting and using products that contain digital elements, by giving users the opportunity to make informed choices of hardware and software products with the proper cybersecurity features.

Main elements retained from the Commission’s proposal

The Council’s common position maintains the general thrust of the Commission’s proposal, namely as regards:

  • rules to rebalance responsibility for compliance towards manufacturers, who must ensure conformity with security requirements of products with digital elements that are made available on the EU market, including obligations like cybersecurity risk assessment, declaration of conformity, and cooperation with competent authorities
  • essential requirements for the vulnerability handling processes for manufacturers to ensure the cybersecurity of digital products, and obligations for economic operators, such as importers or distributors, in relation to these processes
  • measures to improve transparency on security of hardware and software products for consumers and business users, and a market surveillance framework to enforce these rules

The Council’s amendments

However, the Council’s text amends various parts of the Commission’s proposal, including on the following aspects:

  • the scope of the proposed legislation, including with regard to the specific categories of products that should comply with the regulation’s requirements
  • reporting obligations of actively exploited vulnerabilities or incidents to the competent national authorities (‘computer security incident response teams’ – CSIRTs) instead of the EU agency for cybersecurity (ENISA) with the latter establishing a single reporting platform
  • elements for the determination of the expected product lifetime by manufacturers
  • support measures for small and micro enterprises
  • a simplified declaration of conformity

Next steps

Today’s agreement on the Council’s common position (‘negotiating mandate’) will allow the Spanish presidency to enter negotiations with the European Parliament (‘trilogues’) on the final version of the proposed legislation.

Background

In its conclusions of 2 December 2020 on the cybersecurity of connected devices, the Council underlined the importance of assessing the need for horizontal legislation in the long-term to address all relevant aspects of cybersecurity of connected devices, such as availability, integrity and confidentiality, including specifying conditions for the placement on the market.

First announced by Commission President von der Leyen in her State of the Union address in September 2021, the idea was reflected in the Council conclusions of 23 May 2022 on the development of the European Union’s cyber posture, which called upon the Commission to propose common cybersecurity requirements for connected devices by the end of 2022.

On 15 September 2022, the Commission adopted the proposal for a regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending regulation (EU) 2019/1020 (‘cyber resilience act’), which will complement the EU cybersecurity framework: the directive on the security of network and information systems (NIS directive), the directive on measures for a high level of cybersecurity across the Union (NIS 2 directive) and the EU cybersecurity act.

Source – EU Council


Cyber Resilience Act: MEPs back plan to boost digital products security 

 

Brussels, 19 July 2023

New cyber resilience rules adopted on Wednesday will establish a uniform set of cybersecurity requirements for all digital products in the European Union.

The draft cyber resilience act approved by the Industry, Research and Energy Committee aims to ensure that products with digital features, e.g. phones or toys, are secure to use, resilient against cyber threats and provide enough information about their security properties.

MEPs propose more precise definitions, feasible timelines, and a fairer distribution of responsibilities. The draft rules put products into different lists based on their criticality and the level of cybersecurity risk they pose. MEPs suggest expanding these lists with products such as identity management system software, password managers, biometric readers, smart home assistants, smart watches and private security cameras. Products should also have security updates installed automatically and separately from functionality updates, MEPs add.

They also emphasise the importance of professional skills in the cybersecurity field, proposing education and training programmes, collaboration initiatives, and strategies for enhancing workforce mobility.

Quote

Lead MEP Nicola Danti (Renew, IT) said:

“With ever-increasing interconnection, cybersecurity needs to become a priority for industry and consumers alike. Europe’s security in the digital domain is as strong as its weakest link. Thanks to the Cyber Resilience Act, hardware and software products will be more cyber secure, vulnerabilities will get fixed and cyber threats to our citizens will be minimised.”

Next steps

MEPs on the Industry Committee backed the draft cyber resilience act with 61 votes to 1, with 10 abstentions. They also voted to open negotiations with Council with 65 votes to 2, and 5 abstentions – a decision which will have to be greenlighted by the full House in a forthcoming plenary session.

Background

New technologies come with new risks, and the impact of cyber-attacks through digital products has increased dramatically in recent years. Consumers have fallen victim to security flaws linked to digital products such as baby monitors, robot-vacuum cleaners, Wi-Fi routers and alarm systems. For businesses, the importance of ensuring that digital products in the supply chain are secure has become pivotal, considering three in five vendors have already lost money due to product security gaps.

Source – EU Parliament


Member states agree common position on security requirements for digital products

 

Brussels, 19 July 2023

Member states have agreed on a common position on the security features that digital products should have under the Cyber Resilience Act.

Member state representatives (Coreper) have reached this agreement to ensure that products with digital components, such as connected home cameras, smart fridges, televisions and toys, are safe before they reach the market.

According to the Spanish Secretary of State for Digitization and Artificial Intelligence, Carme Artigas Brugal, the agreement reached today in the Council of the EU “promotes the EU’s commitment to a secure digital single market”.

Objectives of the proposal

The draft regulation introduces mandatory cybersecurity requirements for designing, developing, producing and placing hardware and software products on the market.

The aim is to avoid the overlapping of criteria that can be caused by different laws in EU member states.

“Internet of Things (IoT) and other connected objects must have a cybersecurity reference level when sold in the EU, ensuring that businesses and consumers are effectively protected against cyber threats. This is an important milestone for the Spanish presidency, and we look forward to taking the negotiations with the Parliament as far as we can.”

Carme Artigas Brugal, Spanish Secretary of State for Digitization and Artificial Intelligence

Medical devices, aviation and automobiles are outside the scope of the regulation, since cybersecurity requirements for them are already established by existing EU rules.

The proposal aims to close loopholes, clarify links and make cybersecurity law more consistent, ensuring that products with digital components, such as Internet of Things (IoT) products, are secure throughout the entire supply chain and life cycle.

It also helps consumers to consider cybersecurity when selecting and using products containing digital elements, and to make informed decisions about hardware and software products.

The main elements of the Commission’s proposal are retained

The Council’s common position maintained the general approach of the Commission’s proposal on:

  • Rules to rebalance responsibility towards manufacturers, who must ensure that products with digital elements made available on the EU market comply with the security requirements, including cybersecurity risk assessment, a declaration of conformity and cooperation with the competent authorities.
  • Essential requirements for vulnerability management processes for manufacturers to ensure the cybersecurity of digital products, and obligations for economic operators such as importers and distributors concerning these processes.
  • Measures to improve transparency in terms of the security of hardware and software products for consumers and businesses, and a market surveillance framework to enforce these standards.

Council amendments

In the text agreed in Coreper, the Council amends several parts of the Commission proposal, including the following areas:

  • The scope of the proposed legislation, including factors concerning the specific categories of products that must comply with regulatory requirements.
  • Obligations to report actively exploited vulnerabilities or incidents to the national competent authorities (computer security incident response teams, CSIRTs) rather than to the European Union Agency for Cybersecurity (ENISA), with ENISA establishing a single reporting platform.
  • Elements for determining the expected product life.
  • Measures to support small and micro-enterprises.
  • A simplified declaration of conformity.

Next steps

The agreement reached today on the Council’s common position (“negotiating mandate”) will allow the Spanish presidency to enter into negotiations with the European Parliament (“trilogues”) on the final version of the proposed legislation.

Background

In its conclusions of December 2, 2020 on the cybersecurity of connected devices, the Council underlined the importance of assessing the need for long-term horizontal legislation that addresses all relevant aspects of the cybersecurity of connected devices.

In the Council Conclusions of May 23, 2022, on the development of the European Union’s cyber posture, the Commission was urged to propose common cybersecurity requirements for connected devices by the end of 2022.

On September 15, 2022, the Commission adopted the proposal for a Regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020 (the “cyber resilience act”).

Source – EU Council Presidency
