EU Council reconsiders critical products in new cybersecurity law
The Swedish presidency of the EU Council of ministers shared a new compromise text with hefty changes on the categorisation of critical and highly critical products under the Cyber Resilience Act.
The draft law is designed to establish baseline cybersecurity requirements for connected devices, such as the fact that Internet of Things (IoT) products that connect and exchange data with other devices cannot be launched on the market with any known exploitable vulnerability.
Whilst for most connected devices, manufacturers will be able to self-assess the compliance to such requirements, for some specific products deemed ‘critical’ or ‘highly critical’ an external audit will be needed. The way and which products would qualify for these two crucial categories were at the centre of the latest compromise text, seen by EURACTIV.
The compromise was shared on Friday (10 February) and will be discussed on Wednesday at the Cybersecurity Working Party, a technical body that lays the preparatory work for approval at the ministerial level.
According to the compromise text, certain products will be deemed ‘critical’ if they perform a key security function, for instance, authentication, intrusion prevention or network protection.
That is the case for malware detection software, network traffic monitoring systems for throughput and flow control, security information and event management systems, systems rolling out updates and security patches, firewalls, digital certificates, and smart home devices with security functionalities like alarm systems.
Another subgroup of Internet of Things products is considered ‘critical’ if they play a central role in the management of a broader system or if they have the potential to damage several other products, such as network management and configuration control.
This second criterion relates to standalone and embedded browsers, network resource management including software-designed networking technology, application configuration management systems for centralised systems configuration, remote access software, physical and virtual network interfaces, routers, microprocessors, microcontrollers, operating systems and industrial products and control systems not covered in the ‘highly critical’ category.
Highly critical products
Another group of products would be considered ‘highly critical’ if they meet both aforementioned criteria, namely, they have an important security function and are central in a broader IoT environment.
This class of products includes identity management systems, authentication tools, Virtual Private Networks (VPNs), network management systems for the configuration, monitoring and updating of network devices, hypervisors, microprocessors for secure elements, devices based on tamper-secure chips, hardware security models, secure crypto-processors, and smartcard readers.
Firewalls for industrial use will be categorised ‘highly critical’ if they have both a cybersecurity-related function and are used in sensitive environments, including industrial control setting for entities designated as ‘essential’ under the recently revised Networks and Information Directive (NIS2).
A final group of products would be classified as ‘highly critical’ if they meet the double condition of being used in a sensitive environment and central to managing a broader system. Application-specific integrated circuits, field-programmable gate arrays, industrial automation and control systems, industrial IoT devices and smart meters are part of this group of products.
The list of critical and highly critical products was included in the annexe to the draft law, as annexes can be more easily updated than the body of the text. The European Commission would have to consider these criteria when amending the products listed in the annexe.
To demonstrate compliance with some of the regulation’s essential requirements, the Commission might mandate specific categories of highly critical products to obtain an EU cybersecurity certificate with a level ‘substantial’ or ‘high’ as defined under the Cybersecurity Act.
To determine which categories of highly critical products should be requested for these certificates, the EU executive will need to consider the above-mentioned criteria and whether the product could disrupt the essential entities identified under NIS2 or supply chains critical for the EU market.
The Swedish presidency included a template for a simplified EU declaration of conformity, displaying the URL where the full declaration will be accessible online.