[To Eurosmart members only]
Cyber Resilience Act: Commission calls for feedback
Today [16 March], the European Commission published news on the upcoming Cyber Resilience Act. This future legislation would lay down horizontal cybersecurity requirements for a wide range of digital products and their ancillary services*. It would cover tangible digital products (wireless and wired) and non-embedded software, and the requirements would apply to the whole life cycle of a product.
In addition, besides the essential cybersecurity requirements, the legislation would place obligations on economic operators and introduce provisions on conformity assessment, on the notification of conformity assessment bodies and on market surveillance. In practice, the requirements would translate into harmonised standards specific to each product category.
However, the exact content of the legislation is not yet known, and the Commission proposes a few policy options.
The policy options are the following:
"1. Maintaining the status quo – this would involve existing legislation (e.g. the Delegated Regulation under the Radio Equipment Directive, legislation on medical devices, motor vehicles, machinery or product safety, etc.) partially addressing the cybersecurity of tangible products.
2. Introducing voluntary measures – voluntary certification schemes under the Cybersecurity Act could be further developed and applied. Soft law measures such as guidelines or recommendations could also be considered, in particular on the cybersecurity of non-embedded software.
3. ‘Ad hoc’ regulatory interventions for cybersecurity of digital products and ancillary services – the intervention would be limited to adding and/or amending the cybersecurity requirements in the already existing legislation and regulating new risks as they emerge, including potentially on non-embedded software.
4. A mixed approach including mandatory and soft rules. This would entail:
(i). A horizontal regulatory intervention introducing cybersecurity requirements for a broad scope of tangible digital products and ancillary services.
Different sub-options may be considered with regard to the conformity assessment procedure:
- conformity self-assessment by default, where vendors may opt for a third-party conformity assessment when deemed appropriate; or
- a third-party conformity assessment is prescribed for certain categories of products under a risk-based approach taking account of such factors as intended use, functionality or the nature of potential harm.
(ii). In addition, a staggered approach would be considered as regards cybersecurity of non-embedded software, with soft law measures such as guidelines or recommendations as a first step, potentially followed by regulatory intervention, depending on the results of implementing such measures.
5. A horizontal regulatory intervention introducing cybersecurity requirements for a broad scope of tangible and non-tangible digital products and ancillary associated services, including non-embedded software. Alternative sub-options could be considered regarding the categories of software to be covered, either only critical software or all software, and regarding the conformity assessment procedure, as in option 4 (i)."
*‘Ancillary service’ means a (digital) service, the absence of which would prevent the tangible product from performing its functions.
The Commission wants to receive feedback (free text) on these options. It has also opened a consultation with a questionnaire. Eurosmart will take part in this consultation process.
Please find the corresponding link below. The policy options are further described in the "call for evidence".