The second interinstitutional negotiation on the Cyber Resilience Act set the framework for a political agreement expected later this month. However, the controversial issue of who should receive sensitive vulnerability information is still to be fully settled.
The Cyber Resilience Act is a draft law introducing security requirements for connected devices. The file is at the last stage of the legislative process, so-called trilogues between the EU Commission, Parliament and Council.
On Wednesday (8 November), the second political trilogue endorsed the aspect of the support period through which security patches will have to be guaranteed and provided some guidance for the technical level to work on compromises for two sticking points of the bill: the reporting obligations and critical products.
Reporting obligations
The draft cybersecurity law requires manufacturers to report security incidents and actively exploited vulnerabilities.
This aspect has proved the most controversial of the negotiations, as the EU Commission and Parliament wanted this task with ENISA, the EU cybersecurity agency, whilst EU governments want to move it into the hands of their national computer security incident response team (CSIRTs).
While each co-legislator remains firm on its position, a possible middle ground currently being explored is to keep the reporting with the CSIRTs but with a stronger role for ENISA. While the MEPs seem open to a single reporting platform, the sticking point in the negotiations remains which entity should be the first recipient of the reporting.
In particular, the Commission suggested that the reporting might be done to both the EU agency and the national CSIRT. However, this solution would significantly expand the attack surface for extremely sensitive information.
Meanwhile, in a compromise text circulated just ahead of the trilogue, the definition of actively exploited vulnerability was changed to only cover vulnerabilities that have been successfully exploited, excluding failed attempts.
Additionally, the text specifies that only incidents with a severe impact must be reported. The definitions of incidents and near misses were aligned with the NIS2.
MEPs introduced the idea that ENISA should include the vulnerability in the European database established under NIS2 once a security patch is rolled out. Importantly, the text now specifies that this would regard only publicly known vulnerabilities.
Critical categories
The Cyber Resilience Act envisages that most product manufacturers can self-assess whether they meet its security requirements. In contrast, critical product categories must undergo conformity assessment procedures with certified auditors.
Divergence persists on whether the word ‘critical’ should be used for these product categories. The Commission proposed using the word ‘impactful’ instead since it has also appeared in the AI Act, but the discussion is to be continued at the technical level.
A political question that still needs to be solved is which type of secondary legislation is required, namely implementing or delegated acts. One important case relates to the ability of the Commission to update the list of ‘critical’ products.
In the latest compromise, the Council introduced some criteria filtering the products falling into the listed categories to be deemed critical.
At the trilogue, the co-legislators tried to fine-tune these criteria: the product needs to either have a critical function for the cybersecurity of other products or entail a significant risk of disrupting many other products or the health and security of vulnerable individuals.
The compromise also indicates that only connected devices with a ‘core’ functionality falling into one of the specific categories listed in the annexe will be considered a critical product.
Moreover, if a product with a core functionality that falls into the critical categories is integrated into another product, the latter is not automatically considered critical.
The Commission is empowered to change these special product categories but should ensure “an adequate transition period”, especially for new categories. The EU executive must specify these product categories within 16 months of the regulation’s entry into force.
Following an impact assessment, the EU executive could also request that highly critical products obtain an existing cybersecurity certification. The MEPs’ specification that this obligation would take one year to apply was removed.
The list of critical products is still an open part of the negotiations, with the EU countries attempting to shorten it and the European Parliament that has extended it. Euractiv understands a mid-way solution could be found, but the two institutions have yet to reveal their priorities.
Support period
The parliamentarians obtained a minimum support period of five years, during which manufacturers would have to ensure security updates and vulnerability handling unless the product has a shorter lifetime.
In addition, compared to a previous version of the text reported by Euractiv, the new version of the provision following the trilogues specifies that the “elements to determine the support period shall be considered in a manner that ensures proportionality”.
The Commission will be empowered to mandate a minimum support period for certain product categories via secondary legislation where there is evidence of systematically inadequate support periods.
Next steps
According to a source with knowledge of the matters, after Wednesday’s trilogue, it is even more likely that a final agreement will be reached at the next political meeting on 30 November, albeit intense work is expected to take place at the technical level until then.
[Edited by Nathalie Weatherald]