Published on November 22nd, 2022
EU Council mulls broad national security carveouts in IoT cybersecurity law – EURACTIV.com
The Czech presidency of the EU Council has circulated the first compromise on the Cyber Resilience Act, dated 18 November and obtained by EURACTIV, making substantial edits to the proposal’s scope and free movement clause.
The Cyber Resilience Act is horizontal legislation intended to introduce essential cybersecurity requirements for connected devices and their related services. Since the proposal was published in September, national representatives in the EU Council have been engaged in preliminary discussions.
The new text will be discussed at the Horizontal Working Party on Cyber Issues, a preparatory body in the EU Council, on Wednesday (23 November). Following this preliminary discussion, member states will be requested to provide written comments.
The presidency added wording saying that the regulation should not prevent member states from imposing national restrictions on products with digital elements based on national security grounds, including by banning them from their markets.
“This regulation is without prejudice to the member states’ responsibilities to safeguard national security or their power to safeguard other essential state functions, including ensuring the territorial integrity of the State and maintaining law and order,” the document continues.
In addition, connected products developed exclusively for defence purposes have also been excluded from the scope of the regulation. This carveout might cause some uncertainty around dual-use technology, which can be employed in both the military and civilian spheres.
The compromise also limits the reporting obligations, excluding information whose disclosure might go against an EU country’s national security, public security or defence interest.
Similarly, the compromise states that the Cyber Resilience Act should not prevent member states from assessing the conformity of products used in the military or defence field, for national security purposes or processing classified information.
According to a draft version of the progress report, dated 18 November and also seen by EURACTIV, an essential part of the discussions in the Council focused on the extent to which Software-as-a-Service is covered in the regulation.
This topic was set to be a sensitive one from the start. Even before the draft was out, Denmark, Germany, and the Netherlands issued a non-paper calling for extending the scope to Software-as-a-Service.
In this regard, the Czechs proposed including the following paragraph to define software: “computer code comprises of a sequence or set of instructions described in a programming language, including machine or binary code, to be executed by another software or by hardware, to process, store or transmit of digital data”.
Products covered in the EU directive harmonising river information systems on inland waterways have been excluded from the scope. More generally, products covered by sectorial legislation mandating the same or higher level of protection might be excluded from the regulation’s requirements.
The original text allowed the circulation of unfinished, non-compliant software on condition that it is only made available for testing purposes. However, member states want to make clear that this does not apply to safety components covered in EU-harmonised legislation.
Further discussion points
“Member states indicated that scoping of critical products will merit thorough discussion. Member states also underlined the need for clarity on the interaction with other relevant legislation, such as the NIS 2 Directive or the Cybersecurity Act,” the progress report reads.
EU countries also called for clarifying some of the terms used in the proposal and for a close assessment of the burden the regulation would place on SMEs and start-ups that develop and manufacture these products.
Some European governments also want to closely examine the proposed limitation for compliance with the regulation’s requirements to the expected lifetime of the product or five years since the placement in the EU market, whichever is shorter.
The role and tasks envisaged for ENISA, the EU’s cybersecurity agency, are also mentioned as requiring further discussions.
[Edited by Zoran Radosavljevic]