The European Union has announced that it has reached agreement amongst member states for a comprehensive set of cyber security requirements, designed to strengthen cyber safety standards.
It was revealed the European Council presidency and the European Parliament’s negotiators have reached a provisional agreement on the proposed legislation regarding cybersecurity requirements for products with digital elements, which aims to ensure that products such as connected home cameras, fridges, TVs and toys are safe before they are placed on the market.
The new law introduces EU-wide cybersecurity requirements for the design, development, production and making available on the market of hardware and software products, to avoid overlapping requirements stemming from different pieces of legislation in EU member states.
The regulation will apply to all products that are connected either directly or indirectly to another device or to a network. There are some exceptions for products for which cybersecurity requirements are already set out in existing EU rules, for example medical devices, aeronautical products and cars.
The EU said the proposal aims to fill the gaps, clarify the links, and make the existing cybersecurity legislation more coherent, ensuring that products with digital components, for example ‘Internet of Things’ (IoT) products, are made secure throughout the supply chain and throughout their lifecycle.
The regulation will allow consumers to take cybersecurity into account when selecting and using products that contain digital elements, making it easier for them to identify hardware and software products with the proper cybersecurity features.
José Luis Escrivá, (pic) Spanish minister of digital transformation explained: “This agreement is a milestone towards a safe and secure digital single market in Europe. Connected devices need a basic level of cybersecurity when sold in the EU, ensuring that businesses and consumers are properly protected against cyber threats. This is exactly what the cyber resilience act will achieve once it enters into force.”
The EU said the provisionally agreed text maintains the general thrust of the Commission’s proposal, namely as regards:
- rules to rebalance responsibility for compliance towards manufacturers, who must meet certain obligations such as providing cybersecurity risk assessments, issuing declarations of conformity, and cooperating with the competent authorities.
- vulnerability handling processes for manufacturers to ensure the cybersecurity of digital products, and obligations for economic operators, such as importers or distributors, in relation to those processes.
- measures to improve transparency on the security of hardware and software products for consumers and business users.
- a market surveillance framework to enforce the rules.
“Following today’s provisional agreement, work will continue at technical level in the coming weeks to finalise the details of the new regulation,” an EU spokesperson said. “The Spanish presidency will submit the compromise text to the member states’ representatives (Coreper) for endorsement once this work has been concluded.
“The entire text will need to be confirmed by both institutions and undergo legal-linguistic revision before formal adoption by the co-legislators.”