EU policymakers prepare to close on cybersecurity law for connected devices

The EU co-legislators are set to reach a political agreement on the Cyber Resilience Act, with the main major hurdle left to solve around the power of national authorities to restrict access to reported vulnerabilities.

The Cyber Resilience Act is a legislative proposal to introduce security requirements for the manufacturers of connected devices. The file is at the final stage of the legislative process with the EU Commission, Parliament and Council hashing out the final dispositions in so-called trilogues.

The main EU institutions are set to formalise an agreement at a political trilogue on Thursday (30 November), but most aspects of the file have already been settled at the technical level, according to an internal document dated 24 November and seen by Euractiv.

At the same time, the thorny aspect of vulnerability and incident reporting remains the main open political question.

Vulnerability reporting

The new cybersecurity law introduces for the first time the obligation not only to report serious incidents, but also actively-exploited vulnerabilities, entry points that are currently being used by malicious actors that have not been patched yet.

While the reporting deadlines have been aligned with those of the revised Networks and Information Systems Directive (NIS2), for actively exploited vulnerabilities the provision of the final report was anticipated to be 14 days.

The initial proposal, supported by the Parliament, envisaged these vulnerabilities being notified to ENISA, the EU cybersecurity agency, member states want to move this task into the hands of their national Computer Security Incident Response Teams (CSIRTs).

The CSIRT of reference is considered that of the country where the manufacturer has its main establishment, namely where it takes cybersecurity-related decisions or has its most employees. Companies with no EU office will have to refer to the country where they have the most users.

In mid-November, Euractiv reported how the Commission proposed as a compromise that the manufacturers would file the notification via a single reporting platform to simultaneously alert the relevant national CSIRT and ENISA.

While a consensus is developing on this approach, the Council insists on the possibility for the CSIRTs to temporarily restrict ENISA’s access to the notifications due to cybersecurity reasons. As MEPs strongly oppose this measure, this will be the contention point in the upcoming trilogue.

At the same time, Euractiv understands member states are not fully happy with the presidency’s compromise, considering it went beyond its mandate. Further controversy might arise from the fact that the EU Parliament wants to include wording calling for increasing ENISA’s resources.

Special product categories

Under the cybersecurity law, manufacturers would be able to self-assess their compliance with the security requirements. However, for certain ‘important’ categories of products, the products would have to be vetted by certified conformity assessment bodies.

Important products are listed in the regulation’s annexe. However, the Council managed to introduce a methodology to classify products under these special categories and some filtering, namely the product must have a critical function for the cybersecurity of other products or presents a function that entails a significant risk of negatively impacting a large number of products or users.

The list of important products, another sticking point in the negotiations, has by now been consolidated.

The first class of important products feature identity management systems, browsers, password managers, malware detection software, Virtual Private Networks (VPNs), network management systems, security information and event management systems, boot managers, digital certificate issuance software, network interfaces, operating systems, routers, microprocessors, microcontrollers with security-related functionalities, and application-specific circuits.

Upon insistence from MEPs, consumer products like smart homes, internet-connected toys, and personal wearables were also included in class I. In class II, the final list includes hypervisors and container runtime systems, firewalls, tamper-resistant microprocessors and controllers.

Finally, the Council also introduced an additional list of critical products, which might be requested to obtain a cybersecurity certificate, including hardware devices, smart meters and smart cards.

Obligations for manufacturers

Manufacturers will have to conduct a risk assessment that will inform which security requirements are applicable to their product. The risk assessment is to be updated as appropriate during the product’s support period.

The support period is the timeframe through which the manufacturers should ensure the handling of the products’ vulnerabilities and should be at least five years uncles the product as a shorter expected lifetime.

In addition, the agreed text mandates that any security update provided during the support period should remain available at least 10 years after it has been issued or the remainder of the support period, whichever is longer.

The text now specifies that manufacturers should provide their products “with a secure by default configuration and provide security updates to users free of charge”.

National security exemption

Still to be confirmed is the wording around the national security exemption requested by the Council. Here, the question is if only products developed exclusively for national security or defence purposes should be excluded, or also those that have been modified for these purposes.

Open source software

How to include open-source software has been largely agreed upon at the technical level. As Euractiv previously reported, EU policymakers introduced the figure of open-source software stewards subject to documentation and vulnerability handling.

Allocation of revenue from penalties

A minor point that must be settled at the trilogue is the MEPs’ proposal to make EU countries reinvest the revenues from penalties under this regulation into cybersecurity capacity-building activities.

[Edited by Nathalie Weatherald]

Read more with EURACTIV