Cyber Resilience Act: Leading MEP proposes flexible lifetime, narrower reporting
The EU lawmaker spearheading the Cyber Resilience Act has produced a draft report pitching the removal of time obligations for products’ lifetime and limiting the scope of reporting to significant incidents, among other significant changes.
The Cyber Resilience Act is a draft law introducing cybersecurity requirements for Internet of Things products (IoT), connected devices that can exchange data. The European Parliament’s rapporteur Nicola Danti circulated his draft report, seen by EURACTIV, with the other political groups on Friday (31 March).
While Danti maintained the overall scope of the regulation, he simplified the language, stating that the requirements apply to all connected devices “that can have a direct or indirect data connection to a device or network”.
To maintain the innovation drive of open source software, developers are not bound by the regulation if they do not receive any financial return for their projects. By contrast, open source software supplied in the context of a commercial activity is covered.
Spare parts designed solely for repairs and placed on the market before the regulation enters into force are excluded.
Connected devices developed exclusively for military purposes or to process classified information have been exempted, but the member states should ensure the same or higher level of protection.
For Danti, having a fixed date for the expected product lifetime is inappropriate for horizontal legislation affecting various sectors, from smartphones to industrial machinery.
Therefore, he proposes letting manufacturers determine the lifetime of their respective products, as long as it is in line with consumers’ expectations. The idea is that IoT manufacturers could also compete on the lifetime of their products, which should be clearly displayed on the packaging or in the contractual agreements.
Moreover, the rapporteur wants to include the obligation for manufacturers to inform consumers when the lifetime of their product is about to end.
The deadlines for the reporting obligations for manufacturers that become aware of any actively exploited vulnerability and security incidents in one of their products have been aligned with those of the recently revised Network and Information Security Directive (NIS2).
The draft report proposes limiting the scope of this reporting obligation only to actively exploited vulnerabilities and significant incidents instead of all incidents.
In addition, the rapporteur wants to put in place clear protocols for handling such notifications, as information about an unpatched vulnerability could cause significant damage if it falls into the hands of malicious actors.
Therefore, a delicate question that needs an answer is who should handle such sensitive information. Whilst EU countries have moved the gathering of vulnerabilities into the hands of national Cyber Security Incident Response Teams (CSIRTs), Danti wants to maintain the centralising role of ENISA.
To cope with this task, the Italian lawmaker wants to increase the EU cybersecurity agency’s human and financial resources.
Another proposed idea is establishing a voluntary reporting mechanism for incidents like near misses and cyber threats.
To ensure legal clarity and predictability, the Commission can amend the list of critical products in Annex III only once every two years.
The deadline for the EU executive to adopt a delegated act specifying the product categories under class I and class II has been shortened from 12 to six months from the regulation’s entry into force to give product manufacturers more time to adjust.
Consumer security devices like home automation systems, cameras, and smart locks have been added to the critical products under class I. Routers and modems have been moved to the higher class of security.
Timeline & implementation
Danti considers that compliance with the requirements of the Cyber Resilience Act will be particularly challenging for SMEs. Thus, he proposes extending the period before the entry into application from two years to 40 months from the regulation’s entry into force.
The idea is that during this transitional period, manufacturers could already start complying with the new cybersecurity law voluntarily, obtaining a presumption of conformity with the existing Radio Equipment Directive.
The rapporteur also wants the Commission to provide guidelines to guide stakeholders in the implementation phase.
Another significant modification to the original proposal is that the draft report wants to mandate manufacturers to roll out automatic updates for the security features of their products whenever possible throughout the product’s lifetime.
If a manufacturer has defined its product lifetime as under five years, it should allow other companies to provide security patches extending that lifetime. In these cases, the manufacturers would be obliged to disclose the product’s source code.
The draft report urges the EU executive to consider mutual recognition agreements with like-minded third countries with comparable protection levels. At the same time, ENISA would be tasked with coordinating checks together with market surveillance authorities on high-risk vendors that might, for instance, include backdoors into their products.
The rapporteur proposes establishing the Expert Group on Cyber Resilience, a body gathering stakeholders from public institutions, companies, civil society, academia and experts to advise the Commission on preparing delegated acts under the new cybersecurity law.
Danti suggests that the penalties issued under the Cyber Resilience Act should be earmarked for cybersecurity projects under the Digital Europe Programme.