EU Council member states reach consensus on cybersecurity requirements for digital products

Member states of the Council of the EU (European Council) announced that they have reached a common position on security requirements for digital products. The draft regulation introduces mandatory cybersecurity requirements for the design, development, production, and making available on the market of hardware and software products to avoid overlapping requirements stemming from different pieces of legislation in European Union (EU) member states. These shared requirements ensure that digital products meet the highest level of security and protect users’ sensitive information.

Representatives of the EU member states reached a common position on the proposed legislation regarding horizontal cybersecurity requirements for products with digital elements (the cyber resilience act). The proposed regulation will apply to all products that are connected either directly or indirectly to another device or network. There are some exceptions for products for which cybersecurity requirements are already set out in existing EU rules, for example on medical devices, aviation, or cars.

“We are to celebrate the agreement reached today in the Council. An agreement that advances EU’s commitment towards a safe and secure digital single market,” Carme Artigas Brugal, State Secretary for digitalisation and artificial intelligence, wrote in a Wednesday statement released by the European Council. “IoT and other connected objects need to come with a baseline level of cybersecurity when they are sold in the EU, ensuring that businesses and consumers are effectively protected against cyber threats. This is an important milestone for the Spanish presidency, and we hope to bring forward negotiations with the Parliament as much as possible.”

The current proposal aims to fill the gaps, clarify the links, and make the existing cybersecurity legislation more coherent by ensuring that products with digital components, for example Internet of Things (IoT) products, become secure throughout the whole supply chain and throughout their whole lifecycle. 

Finally, the proposed regulation also allows consumers to take cybersecurity into account when selecting and using products that contain digital elements by providing users the opportunity to make informed choices of hardware and software products with the proper cybersecurity features. 

The Council’s common position maintains the general thrust of the Commission’s proposal, particularly with regard to rules that shift responsibility for compliance towards manufacturers, who must ensure that products with digital elements made available on the EU market conform to the security requirements. This includes obligations such as cybersecurity risk assessment, a declaration of conformity, and cooperation with competent authorities.

It also retains essential requirements for manufacturers’ vulnerability handling processes to ensure the cybersecurity of digital products; obligations for economic operators, such as importers or distributors, in relation to these processes; measures to improve transparency about the security of hardware and software products for consumers and business users; and a market surveillance framework to enforce these rules.

However, the Council’s text amends various parts of the Commission’s proposal, among them the scope of the proposed legislation, in particular the specific categories of products that must comply with the regulation’s requirements. It also changes the reporting obligations so that actively exploited vulnerabilities and incidents are reported to the competent national authorities (computer security incident response teams, CSIRTs) rather than to the EU Agency for Cybersecurity (ENISA), with ENISA establishing a single reporting platform. It further covers elements for manufacturers to determine the expected product lifetime, support measures for small and micro enterprises, and a simplified declaration of conformity.

Looking ahead, Wednesday’s agreement on the Council’s common position (negotiating mandate) will allow the Spanish presidency to enter negotiations with the European Parliament (trilogues) on the final version of the proposed legislation.

The European Council underlined in its December 2020 conclusions on the cybersecurity of connected devices the importance of assessing the need for horizontal legislation in the long term to address relevant aspects of the cybersecurity of connected devices. First announced by Commission President Von der Leyen in her State of the Union address in September 2021, the idea was reflected in the Council conclusions last May on the development of the European Union’s cyber posture, which called upon the Commission to propose common cybersecurity requirements for connected devices by the end of 2022.

“The cybersecurity requirements imposed on entities providing services or carrying out activities which are economically significant vary considerably among Member States in terms of type of requirement, their level of detail and the method of supervision. Those disparities entail additional costs and create difficulties for entities that offer goods or services across borders,” the agency outlined in its December 2022 document. “Requirements imposed by one Member State that are different from, or even in conflict with, those imposed by another Member State, may substantially affect such cross-border activities.” 

Furthermore, the document noted that inadequate design or implementation of cybersecurity requirements in one member state is likely to have repercussions for the level of cybersecurity in other member states, particularly given the intensity of cross-border exchanges.

Last September, the Commission adopted the proposal for a regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending regulation (EU) 2019/1020 (‘cyber resilience act’), which will complement the EU cybersecurity framework: the directive on the security of network and information systems (NIS directive), the directive on measures for a high level of cybersecurity across the Union (NIS 2 directive) and the EU cybersecurity act.

The EU Council move follows the April action by global cybersecurity agencies that want software manufacturers to take necessary steps to ship products that are secure-by-design and secure-by-default, thereby shifting the balance of cybersecurity risk and revamping their design and development programs. These approaches to product security will help move much of the burden of staying secure to manufacturers and reduce the chances that customers will fall victim to security incidents resulting from misconfigurations, insufficiently fast patching, or many other common issues.
