EU Commission pitches double reporting of open security loopholes in cybersecurity law

The question of who should receive extremely sensitive cyber threat intelligence has been a sticking point in the negotiations on the Cyber Resilience Act. The Commission proposed a middle ground that would double the receivers.

The Cyber Resilience Act is a legislative proposal introducing security requirements for connected devices. The file is being finalised in ‘trilogues’ between the EU Commission, Council and Parliament.

Among the obligations of product manufacturers, there is one to report not only cybersecurity incidents, as has been the case in previous legislation, but also actively exploited vulnerabilities.

If a vulnerability is being actively exploited, it means there is an entry point for hackers that has not been patched yet. As a result, this type of information is highly dangerous if it falls into the wrong hands, and who should handle this task is a politically sensitive question.

In the original Commission text, ENISA, the EU cybersecurity agency, was assigned this complex work – an approach that found support in the Parliament. By contrast, European governments want to move this task to the national Computer Security Incident Response Teams (CSIRTs).

Following the last trilogue on 8 November, Euractiv reported how a possible landing zone could be envisaged by accepting the role of the CSIRTs but with a stronger involvement of ENISA and that the EU executive proposed that both bodies could receive the reporting simultaneously.

In an undated compromise text circulated after the trilogue, seen by Euractiv, the Commission put its idea in black-and-white.

“The manufacturers shall notify any actively exploited vulnerability contained in the product with digital elements that they become aware of to [the CSIRTs designated as coordinators pursuant to Article 12(1) of Directive (EU) 2022/2555 and ENISA],” reads the text.

National CSIRTs would, therefore, be in the driving seat of the reporting process, for instance, to request the manufacturer provide an intermediate report. The notifications would be submitted via a pan-European platform to the end-point of the CSIRT of the country where the company has its main establishment.

“A manufacturer shall be considered to have its main establishment in the Union in the Member State where the decisions related to the cybersecurity of its products with digital elements are predominantly taken,” continues the document.

If this criterion is not conclusive, the main establishment will be considered the EU country where the company has the highest number of employees.

“Where a notification is submitted using the electronic notification end-point of one of the Member States, the information submitted shall be available to ENISA simultaneously,” the text adds.

Remarkably, the compromise allows manufacturers that do not have a legal office in the EU to pick and choose their national CSIRT of reference, a point Euractiv understands is particularly difficult to digest for the EU Parliament.

Another sensitive question relates to the CSIRTs’ discretion in delaying the transmission of such sensitive threat intelligence “based on justified cybersecurity-related grounds for a period of time that is strictly necessary”.

For MEPs, this point is really important because it could lead to the information being withheld essentially forever without anyone ever knowing, as national authorities might use these vulnerabilities to spy on targets over national security or law enforcement reasons.

“Where a CSIRT decides to withhold a notification, it shall immediately inform ENISA and provide both a justification for withholding the notification as well as an indication of when it will disseminate the notification,” the document states.

In turn, ENISA could advise the CSIRTs on the cybersecurity grounds related to delaying the dissemination of the notification.

Establishing and maintaining the single reporting platform, including the national endpoints, would be the responsibility of ENISA in collaboration with the CSIRT.

Within two years from the entry into application of the relevant provisions, the Commission would have to provide a report to the EU Parliament and Council on the impact of the application of the grounds for delaying notifications and the effectiveness of the reporting platform.

Euractiv understands this compromise is yet to be discussed at the technical level, and that a final decision on this contentious point is only expected at the next, and possibly last, trilogue on 30 November.

[Edited by Nathalie Weatherald]

Read more with EURACTIV