EU countries are considering moving vulnerability reporting to the national level, aligning product lifecycle definitions to product idiosyncrasies and a new compromise to cyber resilience legislation.
The Cyber Resilience Act is an EU legislative proposal to introduce baseline cybersecurity requirements for Internet of Things products. Discussions on the draft law have recently accelerated at the EU Ministerial Conference.
The Swedish Presidency circulated the new compromise document, seen by EURACTIV, on 27 January. It will be discussed on Wednesday (1 February) in the Council's technical body on cyber issues, the working group that prepares the ground for ministerial approval.
At the same meeting, representatives of the EU countries will also discuss conformity assessment and the list of critical products that must undergo third-party assessment before being placed on the European market. The Swedish Presidency has not yet circulated any documents on these aspects.
Product lifecycle
The original Commission proposal required manufacturers to secure Internet of Things products for their entire lifecycle or for up to five years. The text has been changed to better reflect the lifecycles of different products.
“When manufacturers bring products with digital elements to market, and for a period of time after doing so, they must ensure that they are suitable for the product type and expected lifespan,” the compromise reads.
In other words, the compromise appears to recognise that each product has a different lifecycle, self-assessed by the manufacturer based on “how long users should reasonably expect to receive security updates given the product’s functionality and intended purpose.”
In any case, if a connected product’s expected lifetime is longer than five years, the manufacturer must provide security patches for at least five years. The end date of technical security support must be printed on the product packaging.
If a manufacturer identifies a security issue, it has a due diligence obligation to deploy security updates for at least 10 years. The same timeline applies if a manufacturer learns, or has reason to believe, that its product no longer complies with the regulation’s security requirements.
The original proposal required manufacturers to report actively exploited product vulnerabilities to ENISA, the EU cybersecurity agency.
This approach raised concerns about ENISA’s ability to process hundreds of thousands of notifications, and about creating a potential “single point of failure” holding sensitive information that is attractive to hackers.
As such, the EU Council appears to be moving away from this approach, aligning the notification obligations with those of the recently revised Network and Information Systems Directive (NIS2) and moving reporting to the national Computer Security Incident Response Teams (CSIRTs).
The CSIRT would then forward the notification to ENISA and to the market surveillance authorities of all relevant Member States, unless a potential cybersecurity risk is identified.
The proposal will be discussed at the technical level until a common position is found among Member States.
[Edited by Alice Taylor]