Members of the European Parliament (MEPs) are fine-tuning the obligations a new cybersecurity legislation will impose on product manufacturers and how it will apply to open-source software.

The Cyber Resilience Act is a legislative proposal introducing security obligations for connected devices. The office of the European Parliament’s rapporteur, centrist MEP Nicola Danti, circulated a third complete revision of the text on Thursday (22 June), seen by EURACTIV.

EU lawmakers are closing in on the file, with two technical meetings scheduled for Tuesday and Friday this week. A final political agreement is expected to be reached among the main political groups of the house next Wednesday (5 July).

Scope

Regarding the regulation’s scope, a much-debated topic has been to what extent open-source software should be covered, with the text clarifying that this would only occur in specific cases.

In particular, only open-source software made available on the market during a commercial activity is covered, to be assessed on a product-by-product basis that considers both the open-source product’s development model and supply phase.

The example given for a non-commercial setting is that of a fully decentralised model where no single commercial entity exercises control over what is accepted in the project’s code base.

Reporting obligations

The Cyber Resilience Act mandates that manufacturers notify ENISA, the EU cybersecurity agency, if they become aware of any actively exploited vulnerability.

New wording indicates that such a reporting obligation only applies if an unlawful or malicious actor conducts the hacking. In other words, if the hacking comes from a public authority such as a law enforcement agency, there would be no requirement to report it.

The notification process would take several steps, from an early warning within one day of the event to a more detailed vulnerability notification three days after. However, SMEs have been exempted from the early warning if they do not have enough capacity.

Support period

MEPs are moving away from the concept of ‘expected product lifetime’ in favour of a narrower ‘support period’ during which manufacturers should ensure the handling of vulnerabilities.

“The manufacturer shall ensure that the support period is proportionate to the expected product lifetime as well as taking duly into account the nature of the product, users’ expectations, the availability of the operating environment and, where applicable, the support period of the main components integrated into the product with digital elements,” the text reads.

The market surveillance authorities are tasked to ensure that manufacturers adequately apply these criteria when determining the support period.

For support periods shorter than five years, the manufacturers might provide access to the source code to companies that might provide a vulnerability handling service. However, the requirement that this access should be given for free was removed.

High-risk vendors

Previous iterations of the text introduced the concept of high-risk vendors, companies that are not considered reliable due to non-technical factors, as is the case for Chinese suppliers like Huawei and ZTE.

Obligations for importers of connected devices were modified to state that, where they have reason to believe that a product might present such a non-technical risk, they will consider withdrawing it and would have to inform the national authorities and the Commission.

A similar obligation for distributors was deleted “taking account of shadow rapporteurs meeting”, a note in the margin of the text reads. A reference that coordinated control actions should prioritise high-risk vendors was also struck out.

Moreover, if national authorities or the Commission have sufficient reasons to think a product presents a significant cybersecurity threat or a national security threat due to non-technical reasons, they should issue targeted recommendations to economic operators on the corrective measures to put in place.

Conformity assessment

Manufacturers will have to show that they comply with the cybersecurity requirements by applying technical standards recognised under EU law, common specifications issued by the Commission or cybersecurity certification schemes which have been in place for a minimum period.

Alternatively, the manufacturers would require a third-party assessment via certified auditors, the notified bodies. EU countries have until one year after the entry into application of the regulation to ensure that there is a sufficient number of notified bodies to avoid bottlenecks.

Guidance

Since the regulation touches upon various domains, the Commission has been tasked with providing guidelines on matters such as the scope, in particular regarding remote data processing, the classification of critical products, and the interplay with other EU legislation.

Guidance is also due on how to perform the risk assessment, determine the support period appropriately and for the member states on the non-prosecution of information security researchers, known as ethical hackers. However, this latter part is marked as “to be completed”.

Highly critical product

For categories of products deemed ‘highly critical’, the Commission will be empowered to require via delegated acts that a cybersecurity certificate be obtained under the Cybersecurity Act with the level of assurance ‘high’.

The obligation to obtain the certificate would apply within one year from the adoption of the secondary legislation.

Expert group

The rapporteur introduced the idea of establishing an expert group on cyber resilience to advise the implementation of the cybersecurity legislation. The group’s composition was further reworked to include the European Cybersecurity Competence Centre.

[Edited by Nathalie Weatherald]