Cyber resilience act

Member states agree common position on security requirements for digital products

Today [19 Jul 2023] Member states’ representatives (Coreper) reached a common position on the proposed legislation regarding the cyber resilience act (not yet available). The “negotiating mandate” will allow the Spanish presidency to enter negotiations with the European Parliament (“trilogues”) on the final version of the proposed legislation.

Read Council’s press release

Analysis

According to media reports, the revised compromise text on the Cyber Resilience Act modifies the provisions on reporting obligations, highly critical products and product lifetime. Ahead of the endorsement, the draft changed the reporting obligations, designated new products as highly critical and extended manufacturers’ responsibility for product lifetime.

On open-source software

The CRA would only apply to open-source software that is linked to a commercial activity. Products that are made for the delivery of a service, or developed by a public administration exclusively for its own use, will not be captured by the regulation.

On reporting obligations

Addressing the obligation on manufacturers to report to the competent authority any cybersecurity incident or vulnerability of which they become aware, the Council decided to transfer this responsibility from ENISA, the EU cybersecurity agency, to national Computer Security Incident Response Teams (CSIRTs), while encouraging the establishment of a central reporting point for these requirements.

Manufacturers will need to file an early warning within 24 hours of any product cybersecurity incident to the national Computer Security Incident Response Teams (CSIRTs) and a detailed notification within 72 hours.

Single reporting platform

A single reporting platform will be established and maintained by ENISA. CSIRTs would be expected to share received reports with other CSIRTs through this platform, unless there are valid cybersecurity reasons to delay the transmission, and to collectively develop specifications on how such circumstances should be determined and handled.

While the provisions giving market surveillance authorities access to the platform and allowing manufacturers flexibility in notification deadlines have been removed, ENISA should establish another pan-European platform based on the CSIRT specifications and notify any cybersecurity incidents linked to the platform.

Highly-critical products

The revised compromise text has removed explicit references to highly critical products; the European Commission's discretionary power in this area has been reduced; an initial list of product categories has been drawn up; and impact assessments would be carried out before mandatory certification is applied, taking into account market conditions and Member States' state of preparedness.

Highly critical products are defined as products that have a cybersecurity-related functionality, or a function which carries a “significant risk” in terms of intensity and ability to disrupt a large number of other products through direct manipulation, such as products supporting virtual private network (VPN) functions, for example VPN servers and clients.

Product lifetime

Some modifications have been made regarding the product lifetime: manufacturers are required to indicate the expected product lifetime for security updates, and market surveillance authorities would no longer need to request justification for product lifetime calculations.

The manufacturers must indicate the expected product lifetime during which users can expect security updates.

The elements to be considered in this calculation were moved from the binding parts of the regulation to the preamble, namely the expected availability of the operating environment, the lifetime of products with similar functionalities, and guidance from market surveillance authorities.

Responsibility for compliance

The responsibility would lie with the economic operator that substantially modifies a connected device, except for security patches that do not change the product's intended purpose. Exemptions were also introduced for security updates aimed at decreasing cybersecurity risk, as well as for products developed or modified by public administration entities solely for their own use.

Products with digital elements developed or modified by a public administration entity exclusively for its own use were also carved out.

Eurosmart
Square de Meeûs 35 - 1000 Brussels - BELGIUM
EU transparency register #21856815315-64