EU countries are considering moving vulnerability reporting to the national level as part of a new compromise text on the cyber resilience legislation, which also aligns the definition of a product's lifecycle with the characteristics of each product type.
The Cyber Resilience Act is an EU legislative proposal introducing baseline cybersecurity requirements for Internet of Things products. Discussions on the draft law have recently accelerated in the EU Council of Ministers.
The new compromise text, confirmed by EURACTIV, was circulated by the Swedish Presidency on 27 January and will be discussed on Wednesday (1 February) by the Horizontal Working Group on Cyber Issues, the technical body of the EU Council that does the preparatory work ahead of ministerial approval.
At the same meeting, representatives of EU countries will also discuss conformity assessment and the list of critical products that must undergo third-party assessment before being placed on the European market. The Swedish Presidency has not yet circulated any documents on these aspects.
Product lifecycle
The European Commission's original proposal required manufacturers to ensure the security of Internet of Things products for the entire lifecycle or for up to five years. The text has been changed to better reflect the lifecycles of different products.
“When manufacturers bring products with digital elements to market, and for a period of time after doing so, they must ensure that they are suitable for the product type and expected lifespan,” the compromise text says.
In other words, the text appears to recognise that each product has a different lifecycle, to be self-assessed by the manufacturer based on “how long users should reasonably expect to receive security updates given the product's functionality and intended purpose.”
In any case, where a connected product's lifecycle exceeds five years, the manufacturer must provide security patches for at least five years. The expiry date of technical security support must be printed on the product packaging.
If a manufacturer identifies a security issue, it has a due diligence obligation to deploy security updates for at least 10 years. The same timeline applies if a manufacturer learns, or has reason to believe, that its product no longer complies with the regulation's security requirements.
Reporting
The original proposal required manufacturers to report actively exploited product vulnerabilities to ENISA, the EU cybersecurity agency.
This approach raised concerns about ENISA's ability to process hundreds of thousands of notifications, and about creating a potential “single point of failure”: a concentration of sensitive vulnerability information that would be an attractive target for attackers.
The EU Council therefore appears to be moving away from this approach, aligning the notification obligations with those of the recently revised Network and Information Systems Directive (NIS2) and redirecting reports to the national Computer Security Incident Response Teams (CSIRTs).
The CSIRT would then forward the notification to ENISA and to the market surveillance authorities of all relevant Member States, unless it sees a potential cybersecurity risk in doing so.
The proposal will continue to be discussed at the technical level until a common position is found among Member States.
[Edited by Alice Taylor]