EU: Council and Parliament reach provisional agreement of Cyber Resilience Act

The Council of the European Union announced, on November 30, 2023, that it had reached a provisional agreement with the European Parliament on the proposal for a Cyber Resilience Act, released by the European Commission in September 2022. The Cyber Resilience Act seeks to introduce mandatory cybersecurity requirements for products with digital elements, throughout their whole lifecycle, with the aim of ensuring that products such as connected home cameras, fridges, TVs, and toys are safe before they are placed on the market.

The provisional agreement was welcomed by the European Consumer Organisation (BEUC), which issued a press release on December 1, 2023. In this regard, the BEUC Deputy Director General, Ursula Pachl, highlighted that the Cyber Resilience Act would substantially improve the current situation, where the market has failed to adequately protect consumers against cybersecurity risks. 

Which elements of the Commission's proposal have been retained?

The provisional agreement maintains the general focus of the Commission's proposal. Specifically, the Council and the Parliament retained the rules to rebalance responsibility for compliance towards manufacturers, who must meet certain obligations such as providing cybersecurity risk assessments, as well as a market surveillance framework to enforce the rules.

Which amendments have the Council and the Parliament introduced?

At the same time, the provisional agreement proposes:

  • a simpler methodology for the classification of digital products to be covered by the Cyber Resilience Act;
  • a support period from manufacturers of at least five years, except for products that are expected to be in use for a shorter period of time;
  • reporting obligations to competent national authorities regarding actively exploited vulnerabilities and incidents, with strengthened functions for the European Union Agency for Cybersecurity (ENISA); and
  • additional support measures for small and micro enterprises.

Regarding the application of the new requirements, the provisional agreement sets the timeframe to three years after the entry into force of the Cyber Resilience Act, to give manufacturers sufficient time to adapt.

What are the next steps?

Following the provisional agreement, the Council explained that work will continue at a technical level to finalize the details of the compromise text, which is expected to be submitted to the Committee of Permanent Representatives in the EU (Coreper) for endorsement.

You can read the Council's press release here and the BEUC's press release here.