The EU Parliament's rapporteur on the Cyber Resilience Act, Nicola Danti, has sent a first draft report to the shadow rapporteurs.
Danti wants to achieve changes compared to the Commission's draft, especially with regard to the schedule, the mandatory update period, the responsible bodies and open source software.
This analysis is available to IPPEN.MEDIA as part of a cooperation with the Europe.Table Professional Briefing; Europe.Table first published it on April 3, 2023.
With the Cyber Resilience Act (CRA), the EU wants to create a catch-all regulation for networked products that are not already covered by more specific legislation.
The Commission presented the CRA in September 2022, and now things are moving forward in Parliament: rapporteur Nicola Danti has sent his draft report to the shadow rapporteurs.
According to the Commission's draft, a minimum guarantee for software updates is to be introduced, among other things.
Here, the Italian Renew politician wants to oblige manufacturers to state a “reasonable, expected lifespan” for a product.
They should also take sustainability aspects into account.
Both the Commission and Danti propose five years as the minimum support period.
During this period, manufacturers must provide security-critical updates.
Once the end of support has been set, the products themselves or their manufacturers should actively inform users that the support period is ending.
However, Danti's draft report also provides for an exception.
If a product's expected lifetime is shorter than five years and support is discontinued before then, the manufacturer would have to make the source code available to third parties.
At the same time, Danti's draft provides for strict rules on who these third parties may be and under what conditions access should be possible.
This obligation would also expire after five years.
Open source should no longer be directly affected
There had been a lot of criticism of the CRA from open source developers.
They would frequently be unable to meet the CRA requirements: software that is made freely available cannot go through the planned, costly security assessment mechanisms.
Here, Danti now wants to take a middle path: the obligation to assess and update would be transferred to those who use open source software in their commercial products.
According to the EP rapporteur, home automation systems should also be included in the category of products to be externally certified.
Self-certification by the manufacturers of these systems would then be ruled out.
Instead, a third-party verification under Article 6 of the Commission proposal would have to take place.
Such systems are found in more and more households: from smart thermostats to electricity storage controllers to household appliance controls.
Germany already has a related option in the voluntary IT security label.
However, since 2021 only 37 services and products have been awarded the label by the Federal Office for Information Security (BSI).
So far, these have been limited to e-mail services and broadband routers.
According to the BSI, however, smart home end devices such as televisions, smart garden tools and home automation solutions will follow soon.
Danti wants to further extend transition periods
In Article 57, the Commission proposal provides for a two-year transition period after the entry into force of the CRA.
ITRE rapporteur Danti now wants a 40-month transition period.
Danti also wants to extend the deadlines for the reporting obligations: they would only take effect 20 instead of 12 months after the entry into force.
And the Commission's proposal already stipulated that products already on the market should not fall under the new regime.
If the Industry Committee were to prevail here, an improvement in the IT security level through the CRA would probably not be expected before 2028 at the earliest, and then only for new products.
Danti has a particular focus on the enforcement regime: he wants clear accountability for all vulnerability and incident reporting duties.
For the CRA to be effective, he wants a one-stop solution: "The rapporteur believes that the best institution to perform this role is ENISA," says the draft report.
For this purpose, the EU cybersecurity agency is to be equipped with additional staff positions and competences.
With this, the rapporteur touches on an old dispute.
In many Member States, cybersecurity is seen primarily as a matter of national security.
Accordingly, competence is still distributed mainly at national level, and ENISA has primarily a coordinating function.
In any case, experts currently do not see ENISA as able to shoulder the considerable effort that enforcing the CRA would require.
Danti says China - without saying China
What is extremely important to the rapporteur: with his Amendment 83, Danti wants to create a basis for harmonizing cybersecurity requirements with third countries.
Danti wants to call on the Commission to conclude mutual recognition agreements with like-minded third countries.
In addition, international standards should be examined to see whether they "provide the same level of protection as those proposed in this regulation".
The rapporteur hopes that such standards could then be referenced for the planned harmonized European standards.
However, it is repeatedly criticized that Chinese actors from the state, the state-controlled private sector and academia that is insufficiently independent of the state are becoming increasingly influential in the relevant standardization bodies.
Deliberations on the Cyber Resilience Act are currently underway in the Council; within the German Federal Government, the Federal Ministry of the Interior is responsible, to which the BSI also reports.
The Federal Ministry for Economic Affairs and Climate Action (BMWK) and the Federal Ministry for the Environment, Nature Conservation, Nuclear Safety and Consumer Protection (BMUV) are also involved.
When an agreement on the CRA might be possible is still open in both the Council and Parliament.
By Falk Steiner