Aiming to ensure that products with digital components, such as connected home cameras, smart fridges, TVs and toys, are secure before entering the market, representatives of the Member States (Coreper) reached a common position on proposed legislation on horizontal cybersecurity requirements.
The agreement advances the EU’s commitment to a secure digital single market. The various network-connected objects must provide a basic level of cybersecurity when sold within the Union’s borders. It is also necessary to ensure that businesses and consumers are effectively protected against cyber threats.
The draft regulation aims to enforce compulsory cybersecurity measures for the design, development, production and market availability of hardware and software products in the EU Member States. This is intended to prevent duplicate requirements arising from different pieces of EU legislation.
The proposed regulation will be applicable to all products that have direct or indirect connections to other devices or networks. Some products, such as medical devices, aviation equipment, or cars, which already have cybersecurity requirements defined in existing EU regulations, are exempted from the proposed rules.
The objective of the proposal is to address the deficiencies, establish clear connections, and enhance the overall consistency of current cybersecurity laws. This will be achieved by ensuring that products containing digital elements, such as Internet of Things products, are secure across the entire supply chain and throughout their lifecycle.
Finally, the proposed regulation enables consumers to consider cybersecurity while choosing and using products that incorporate digital elements. It empowers users to make informed decisions by selecting hardware and software products that possess appropriate cybersecurity features.
- Rules shifting the responsibility for compliance to manufacturers, requiring them to ensure that products containing digital elements offered on the EU market meet the security requirements. This includes obligations such as conducting cybersecurity risk assessments, issuing declarations of conformity, and collaborating with competent authorities.
- Essential requirements for vulnerability management processes for manufacturers to ensure the cybersecurity of digital products, and obligations for economic operators, such as importers or distributors, in relation to these processes.
- Measures to improve transparency in the security of hardware and software products for consumers and business users and a market surveillance framework to enforce these standards.
However, the European Council’s text modifies several parts of the Commission’s proposal, including the following aspects:
- The scope of the proposed legislation, including the specific categories of products that should meet the regulation’s requirements.
- Obligations to report actively exploited vulnerabilities or incidents to the competent national authorities (Computer Security Incident Response Teams – CSIRTs) instead of the EU agency for cybersecurity (ENISA), with the latter establishing a single reporting platform.
- Elements for determining the product's expected functional lifespan, as foreseen by the manufacturer.
- Support measures for small and micro enterprises.
- A simplified declaration of conformity.