EU: Council and Parliament reach provisional agreement on Cyber Resilience Act
The Council of the European Union announced, on November 30, 2023, that it had reached a provisional agreement with the European Parliament on the proposal for a Cyber Resilience Act, released by the European Commission in September 2022. The Cyber Resilience Act seeks to introduce mandatory cybersecurity requirements for products with digital elements, throughout their whole lifecycle, with the aim of ensuring that products such as connected home cameras, fridges, TVs, and toys are safe before they are placed on the market.
The provisional agreement was welcomed by the European Consumer Organisation (BEUC), which issued a press release on December 1, 2023. In this regard, the BEUC Deputy Director General, Ursula Pachl, highlighted that the Cyber Resilience Act would substantially improve the current situation, where the market has failed to adequately protect consumers against cybersecurity risks.
Which elements of the Commission's proposal have been retained?
The provisional agreement maintains the general focus of the Commission's proposal. Specifically, the Council and the Parliament retained the rules to rebalance responsibility for compliance towards manufacturers, who must meet certain obligations such as providing cybersecurity risk assessments, as well as a market surveillance framework to enforce the rules.
Which amendments have the Council and the Parliament introduced?
At the same time, the provisional agreement proposes:
- a simpler methodology for the classification of digital products to be covered by the Cyber Resilience Act;
- a support period from manufacturers of at least five years, except for products that are expected to be in use for a shorter period of time;
- reporting obligations to competent national authorities regarding actively exploited vulnerabilities and incidents, with strengthened functions for the European Union Agency for Cybersecurity (ENISA); and
- additional support measures for small and micro enterprises.
Regarding the application of the new requirements, the provisional agreement sets the timeframe at three years after the entry into force of the Cyber Resilience Act, to give manufacturers sufficient time to adapt.
What are the next steps?
Following the provisional agreement, the Council explained that work will continue at a technical level to finalize the details of the compromise text, which is expected to be submitted to the Committee of Permanent Representatives in the EU (Coreper) for endorsement.
You can read the Council's press release here and the BEUC's press release here.