Cyber Resilience Act: Council adopts common position

21 July 2023

Earlier this week, member countries’ representatives (Coreper) met in Brussels. On the agenda was the Cyber Resilience Act vote in the Council, which occurred on 19 July. Member states have now agreed on a common position regarding the Cyber Resilience Act, which aims to establish cybersecurity requirements for products with digital components before they enter the market. The proposed legislation seeks to ensure that connected devices like home cameras, smart fridges, TVs, and toys are safe and protected against cyber threats in the EU.

The idea for the Cyber Resilience Act was first proposed by European Commission President von der Leyen in her September 2021 State of the Union speech. It was later reflected in Council conclusions in May 2022, which called for common cybersecurity requirements for connected devices by the end of 2022. The Commission adopted the proposal in September 2022 to bridge gaps, clarify connections, and create a more coherent cybersecurity framework, making products with digital elements, including Internet of Things (IoT) products, secure throughout their supply chain and lifecycle.

Moreover, the regulation will prove to be important as it aims to safeguard the cybersecurity of consumers and businesses whilst allowing for more trust in digital products. The ongoing rise of technological advancements induces a lack of transparency from the perspective of customers. In other words, the regulation seeks to empower consumers to consider cybersecurity when choosing and using digital products. It aims to provide users with information to make informed decisions about hardware and software products with adequate cybersecurity features. This will also introduce a new degree of competitiveness in the EU market for digital products.

The common position of the European Council maintains the principal elements of the Commission’s proposal. They are as follows:

  • Rebalancing responsibility for compliance towards manufacturers: this will include ensuring that products with digital elements conform to the requirements, carrying out risk assessments, and cooperating with competent authorities.
  • Measures to increase and improve transparency with regard to the security of hardware and software products, with an additional market surveillance framework that will better put these rules into practice.

However, the Council’s text introduces some amendments, in areas such as the scope of the legislation, reporting obligations for vulnerabilities or incidents to national authorities, support measures for small enterprises, and a simplified declaration of conformity.

The general outcome of the vote was positive, and the member states celebrated the agreement reached in the Council. Carme Artigas Brugal, State Secretary for Digitalisation and Artificial Intelligence, said: “IoT and other connected objects need to come with a baseline level of cybersecurity when they are sold in the EU, ensuring that businesses and consumers are effectively protected against cyber threats.”

Going forward, the Spanish Presidency will engage in negotiations with the European Parliament (‘trilogues’) to finalise the legislation.