Requirements for online marketplaces, the scope of the cybersecurity regulation and provisions on critical and highly critical products, among others, are set to be discussed in the European Parliament on Tuesday (13 June).

The Cyber Resilience Act is a legislative proposal to introduce cybersecurity requirements for the manufacturers of Internet of Things products, connected devices that generate and exchange data.

The office of the MEP spearheading the file, Nicola Danti, circulated a second batch of compromise amendments on Thursday, seen by EURACTIV.

Online marketplaces

At Tuesday’s political meeting, lawmakers will discuss introducing obligations for online marketplaces in line with the General Product Safety Regulation, requiring them to set up a single point of contact for communicating with market surveillance authorities on cybersecurity issues.

In turn, market surveillance authorities could order online marketplaces to take down, disable access, or present explicit warnings about offers of connected devices that present a significant cybersecurity risk.

These orders must follow conditions listed under the Digital Services Act. Upon receiving such orders, the online marketplace must take action without undue delay and no later than within two days. Such take-down orders might also target all identical offers.

Online marketplaces are required to temporarily suspend suppliers that repeatedly breach the regulation.

Scope

The question of to what extent the regulation should cover open-source software is marked as requiring further discussions at the political level.

In his draft report, Danti proposed excluding from the scope spare parts solely meant for the repair process. The text now specifies that the manufacturer of the original product should supply these spare parts to benefit from this exception.

The compromise removes a carveout for products developed for the defence sector.

Critical & highly critical products

The Cyber Resilience Act includes a list of critical products for which the manufacturers must undergo external audits to demonstrate compliance.

The previous batch of amendments mandated that the Commission could not amend this list until two years after the regulation’s entry into force, to ensure legal clarity and responsibility. The new compromise goes further and requires a two-year interval for each subsequent modification.

Similarly, the draft cybersecurity law also states that the European Commission could designate categories of products as highly critical and require certificates issued under the Cybersecurity Act. But the text mandates that the certification requirement would only apply after one year.

The Parliament’s latest text mandates that this category of products would have to meet the highest level of assurance under the certification schemes. In contrast, a level of assurance of ‘substantial’ would suffice for critical products.

Expected product lifetime

Danti removed the principle that the manufacturers should ensure security updates for at least five years, leaving it up to the manufacturers, in line with reasonable consumer expectations. However, the adjective ‘reasonable’ has been deleted.

“The manufacturer may provide vulnerability handling, including security updates, for a period longer than the expected product lifetime,” the text clarifies, adding that, where relevant, consumers should be informed of the vulnerability handling period before the purchase.

Reporting

The Cyber Resilience Act requires manufacturers to report any incident and vulnerabilities that are being actively exploited to ENISA, the EU cybersecurity agency. The text specifies that ENISA or the relevant computer emergency response team can request an intermediate report.

In addition, ENISA is asked to establish a single entry point for reporting obligations under the new cybersecurity law and other EU legislation where possible.

New wording mandates that manufacturers, where necessary and based on a risk analysis, inform distributors and end users in a timely manner of any lack of compliance with the cybersecurity requirements and, where available, of the risk mitigation measures they can take.

High-risk vendors

The previous batch of compromise amendments introduced the principle that market surveillance authorities should consider non-technical risk factors. These additions are now marked as requiring further political discussion.

At the same time, the rapporteur proposes to move to the text’s preamble a reference that market surveillance authorities should consider the detection of backdoors or other exploitable vulnerabilities when carrying out coordinated actions, so-called sweeps.

Expert group

The composition of the expert group on cyber resilience has been amended to include representatives of European standardisation bodies, whilst “where needed, representatives of other EU Agencies may be invited.”

Moreover, the Commission must consult the group when preparing secondary legislation. During investigations, the group might issue non-binding opinions.

Allocation of revenues

In his draft report, Danti proposed to earmark the fines resulting from the CRA to finance cybersecurity projects under the Digital Europe Programme.

The reference to the EU programme was removed, and the member states were given more flexibility to finance projects to increase cyber skills, build SMEs’ capacity, improve cyber threat awareness, or prevent cyber theft of Intellectual Property.

Essential requirements

The possibility for users to securely withdraw and remove their data permanently has been included in the list of essential requirements.

[Edited by Alice Taylor]