The representatives of the member states have reached a common position on the Cyber Resilience Act. Among other things, the European Council wants vulnerabilities and incidents to be reported to national authorities. With this agreement, the EU member states will negotiate with the European Parliament next autumn.
The European Council, consisting of line ministers of the member states, reports this in a press statement.
The Cyber Resilience Act in a nutshell
In September 2022, the European Commission presented a bill to improve the security of smart devices and to exclude poorly secured products: the Cyber Resilience Act. The main starting point is that manufacturers become responsible for the safety of the products they place on the market.
The bill states, among other things, that manufacturers must provide support for at least five years, for example, by releasing software and security updates. In addition, consumers have the right to information about the security of devices. In the worst case, the European Commission may decide that a product may not be sold in the EU. Vulnerabilities must also be reported to the European cybersecurity agency ENISA.
If manufacturers of smart devices do not comply with these rules, they risk a fine. This can amount to 15 million euros or 2.5 per cent of global turnover.
This is the position of the European Council
The European Council met on Wednesday to discuss a common position on the Cyber Resilience Act, also known as the Cyber Resilience Regulation. The Council wholeheartedly agrees with the European Commission that there will be a reporting obligation if a product contains vulnerabilities or if a serious incident occurs that could impact all consumers. However, the Council wants this report to be made to competent national authorities, the so-called Computer Security Incident Response Teams (CSIRTs), instead of ENISA.
The bill states that manufacturers must provide support for a product for at least five years. The European Council sees more benefit in linking this period to the expected lifespan of a product. This means you can expect longer support for some products but shorter for others.
Finally, the Council calls for support for small and micro-enterprises and a simplified declaration of conformity.
Negotiations with the European Parliament will start next autumn
The Spanish Secretary of State for Digitization and Artificial Intelligence, Carme Artigas Brugal, is pleased that the member states have reached a common position. “With this agreement, the EU is taking further steps towards a secure digital single market. Internet of Things (IoT) applications and other connected products sold in the EU must provide a basic level of cybersecurity to protect businesses and consumers effectively against cyber threats. This is an important milestone for the Spanish Presidency, and we hope to advance the negotiations with Parliament as much as possible.”
Now that the European Council has a negotiating mandate, the next step can be taken: negotiating with the European Parliament. These negotiations will take place next autumn under the presidency of Spain. The goal is for the Cyber Resilience Act to come into force in 2024.