EU Council moves to adjust product lifecycle, reporting in new cybersecurity law – EURACTIV.com

Published on January 31st, 2023

EU countries are considering adjusting the definition of product lifecycle to the specificity of each product and moving the reporting of vulnerabilities to the national level in a new compromise on the Cyber Resilience Act.

The Cyber Resilience Act is an EU legislative proposal to introduce baseline cybersecurity requirements for Internet of Things products. The discussions on the draft law have recently picked up pace in the Council of EU ministers.

The Swedish presidency circulated a new compromise text, dated 27 January and seen by EURACTIV, to be discussed on Wednesday (1 February) at the Horizontal Working Party on Cyber Issues, the technical body of the EU Council that carries out the preparatory work for ministerial approval.

At the same meeting, EU countries’ representatives are also due to discuss conformity assessment and the list of critical products that will have to go through a third-party assessment before being placed on the European market. On these aspects, the Swedish presidency has not yet circulated a text.

Product lifecycle

The Commission’s original proposal mandated that manufacturers ensure the security of their Internet of Things products throughout their lifecycle or for a maximum of five years. The text has been changed to better account for the different lifecycles of different products.

“Manufacturers shall ensure when placing a product with digital elements on the market and for a period of time after the placing on the market, appropriate to the type of product and its expected lifetime,” the compromise reads.

In other words, the intention seems to recognise that each product has a different lifecycle that the manufacturer would have to self-assess based on the “time users reasonably expect to receive security updates given the product’s functionality and intended purpose.”

At any rate, if the expected lifetime of a connected product is more than five years, the manufacturer should provide security patches for at least five years. The expiration date of the technical security support should be displayed on the product’s packaging.

If the manufacturer identifies a security problem, they have the due diligence obligation of rolling out security updates for at least 10 years. The same timeline applies if the manufacturer learns or has reason to believe that its product no longer complies with the regulation’s security requirements.

Reporting

The original proposal mandated manufacturers to report any actively exploited product vulnerability to ENISA, the EU’s cybersecurity agency.

This approach raised concerns about ENISA’s capacity to handle hundreds of thousands of these notifications and about creating a potential ‘single point of failure’ holding sensitive information that would be attractive to hackers.

Therefore, the EU Council seems to be departing from this approach and aligning the notification obligation with that of the recently revised Networks and Information System Directive (NIS2), moving the reporting to the national Computer Security Incident Response Team (CSIRT).

The CSIRTs would then forward the notification to ENISA and the market surveillance authorities of all the concerned member states unless they see potential cybersecurity risks in doing so.

The proposal will now be discussed at the technical level until a common position is found among the member states.

[Edited by Alice Taylor]
