A revised Swedish Council Presidency compromise text (not publicly available), was discussed by the Horizontal Working Party on Cyber Issues on 21 June 2023.
Analysis
Council experts of the Horizontal Working Party on Cyber Issues met on 21 June to continue their exchange of views on the proposal, particularly discussing a revised Swedish Presidency compromise text (not publicly available).
According to media reports, the main elements of this revised compromise text would include:
(i) the definition for the term ‘actively exploited vulnerabilities’ was broadened in line with the NIS2 Directive in order to cover attempted as well as successful security breaches;
(ii) vulnerability handling obligations would apply to products with digital elements in their entirety, including all integrated components, requiring manufacturers to indicate when they will provide vulnerability handling as well as to publicly disclose information on fixed vulnerabilities in most cases;
(iii) a new Annex was introduced listing the highly critical products that would require a European cybersecurity certification;
(iv) essential requirements for connected products would apply to each product placed on the market and the responsibility to comply with such requirements would shift to “any economic operator that introduces substantial modifications to such products”;
The Swedish EU Council presidency added two additional essential requirements.
- Every connected device should have a unique product identifier. This identifier should be mentioned during the rollout of security patches so that the applicability of the update can be easily determined.
- Manufacturers would be obliged to enable users to securely and easily remove all data and settings, including those enabling access to Wi-Fi networks, from the product so that it can be disposed of securely.
(v) on common specifications, requirements have been added to reduce the Commission’s discretion to rely on common specifications, notably by mandating the EU executive to consult with national representatives, experts and relevant stakeholders. The EU Council also introduced the possibility for a member state to contest a common specification if it does not entirely satisfy the regulation’s requirements.
(vi) on EU certification schemes, the text mandates the levels of assurance ‘substantial’ or ‘high’.
(vii) the measure’s entry into application would be pushed to three years after its entry into force.
(viii) reporting obligations on actively exploited vulnerabilities remain the main point of contention regarding this revised compromise text:
- Member State delegations made changes so that the handling of such information would be the responsibility of national Computer Security Incident Response Teams (CSIRTs), rather than the EU agency for cybersecurity (ENISA).
- Manufacturers would be obliged to submit a warning within 24 hours of becoming aware of such a vulnerability and to provide a more detailed update within 3 days;
- Notifications to be sent through the electronic notification endpoint in the Member State in which they are established, which would then feed into a single reporting platform managed by ENISA;
- Removal of the provision stipulating that the measure’s obligations “should not entail disclosing information contrary to the essential interests of EU countries’ security”.
Next Steps:
The Associated IMCO Committee is tentatively scheduled to consider compromise amendments (not yet publicly available) on the draft Opinion on 28 June, as well as vote on the draft Opinion on 29 June 2023.
A vote in the ITRE Committee (lead) on the draft Report, as well as the amendments tabled to it, is tentatively foreseen for 19 July 2023.
Once approved, the Committee would then submit its text to plenary for adoption. However, a date for the vote in plenary has yet to be determined.
The approved text would constitute the European Parliament’s negotiating position for the trilogue discussions.