A new Council text on the Cyber Resilience Act, seen by EURACTIV, removes the five-year limit to the product lifecycle, clarifies the regulation’s scope and makes automatic security updates the default option for connected devices.

The Cyber Resilience Act is a legislative proposal to introduce essential security requirements for devices interconnected via the internet to send and receive data, also known as the Internet of Things (IoT).

The Swedish presidency circulated another compromise on the new cybersecurity law discussed on Wednesday (15 March) at the Cyber Working Party, a technical body of the EU Council of Ministers.

EU Council reconsiders critical products in new cybersecurity law

The Swedish presidency of the EU Council of ministers shared a new compromise text with hefty changes on the categorisation of critical and highly critical products under the Cyber Resilience Act.

Product lifetime

The original proposal mandated that the product manufacturers systematically assess cybersecurity risks and roll out security patches for the product’s expected lifetime or five years, whichever was shorter.

The five-year cap has been removed, meaning the manufacturers are likely to be responsible for a longer period. The manufacturers are not required to indicate their products’ expected lifetime, meaning consumers will know when to expect security updates.

Scope

The new Council text clarifies that websites that do not support the functionality of the connected devices and cloud services developed outside the responsibility of the product manufacturer are outside of the regulation’s scope.

Remote data storage and processing services are only concerned insofar as they are necessary for the function of the Internet of Things product. For example, if a device needs to access a database developed by the manufacturer to work.

In other words, if the manufacturers use a third-party app for data process that is not in scope, but if the same company develops the software, then the website would have to comply with the regulation’s cybersecurity requirements.

Open source

According to the new text, the Cyber Resilience Act would only apply to connected products launched on the EU market to earn money beyond the maintenance costs, thereby limiting the scope for open-source software.

Remarkably, the conditions under which the product was developed do not matter, a caveat that seems intended to ensure that open-source software like Android remains in the scope. By contrast, products provided by public authorities under a fee that merely covers the operational costs are left out.

Security requirements

The text has been amended to make security updates automatically installed as the default option “with a clear and easy-to-use opt-out mechanism” and with the option to postpone them temporarily.

EU Council clarifies Cyber Resilience Act’s interplay with AI Act, product safety

The Swedish presidency of the EU Council has circulated a new compromise text, obtained by EURACTIV, touching upon the relation with other EU laws, the notifying authorities, enforcement and penalties.

The Cyber Resilience Act is a legislative proposal to introduce baseline …

Vulnerabilities and reporting

The document underlines that the role of the EU cybersecurity agency, ENISA, is still under discussion. In the initial proposal, the EU body was tasked with collecting all actively exploited vulnerabilities, creating a massive workload that many feared would be a ‘single point of failure’.

The industry concerns regarding possible leaks of this sensitive information seem to have been acknowledged. Already in a previous compromise, EURACTIV reported that the notification of vulnerabilities was moved to the national Cyber Security Incident Response Team (CSIRTs).

To promote collaboration in addressing vulnerabilities, if a third party informs a CSIRT about an actively exploited vulnerability for an IoT product, the CSIRT should immediately inform the relevant manufacturer.

Moreover, if manufacturers develop a security patch to address the vulnerability of a component of their product, they should share the relevant code with the entity responsible for the component.

A note to the text states that the Council plans to introduce specific requirements for actively exploited vulnerabilities in future versions of the text.

Substantial modifications

The compromise indicates that, even if the connected device was available on the market before the regulation entered into force, it must comply with new cybersecurity requirements in cases where it has been substantially modified.

Security patches intended to reduce the level of risk of an IoT product, for instance, addressing a known vulnerability, are not to be considered substantial modifications.

The same is not valid for updates that modify the intended functions of the product, for instance, adding a new application, as the new feature broadens the attack surface for potential hackers.

Third-party components

A new paragraph introduced due diligence obligations for manufacturers integrating third-party components into their products. In other words, the manufacturers would have to verify that the component is in conformity with cybersecurity requirements and those not have any vulnerability known in publicly accessible databases.