The EU’s Cyber Resilience Act has moved closer to adoption after a committee of the European Parliament voted to approve it. The Act, which will impact Irish businesses, as well as companies across the EU, is intended to protect consumers and provide them with clearer information about the security of connected products and services they buy or use.
Speaking last year, when the European Commission launched the proposal, Internal Market Commissioner, Thierry Breton, said, “When it comes to cybersecurity, Europe is only as strong as its weakest link: be it a vulnerable Member State, or an unsafe product along the supply chain. Computers, phones, household appliances, virtual assistance devices, cars, toys… each and every one of these hundreds of million connected products is a potential entry point for a cyberattack. And yet, today most of the hardware and software products are not subject to any cyber security obligations. By introducing cybersecurity by design, the Cyber Resilience Act will help protect Europe’s economy and our collective security.”
The proposal was approved in a vote of the European Parliament’s Industry, Research, and Energy Committee on 19 July, with amendments proposed on definitions, timelines, and responsibility.
Lead MEP on the file, Nicola Danti, from Italy, said, “With ever-increasing interconnection, cybersecurity needs to become a priority for industry and consumers alike. Europe’s security in the digital domain is as strong as its weakest link. Thanks to the Cyber Resilience Act, hardware and software products will be more cyber secure, vulnerabilities will get fixed and cyber threats to our citizens will be minimised.”
The Council of the EU, which co-legislates on EU laws, also adopted a position on the Cyber Resilience Act, with amendments on its scope, requirements to report security incidents, and support for SMEs, among others.
Spanish State Secretary for Digitalisation and Artificial Intelligence, Carme Artigas Brugal, said, “We are to celebrate the agreement reached today in the Council. An agreement that advances EU’s commitment towards a safe and secure digital single market. IoT and other connected objects need to come with a baseline level of cybersecurity when they are sold in the EU, ensuring that businesses and consumers are effectively protected against cyber threats. This is an important milestone for the Spanish presidency, and we hope to bring forward negotiations with the Parliament as much as possible.”
Some of the details of the proposed legislation have been criticised by open-source groups, which are concerned about the possibility of unintended consequences that they say may have a detrimental impact on open-source software development.
In an article, the Electronic Frontier Foundation said, “The CRA imposes liabilities for commercial activity which bring vulnerable products to market. Though recital 10 of the proposed law exempts not-for-profit open source contributors from what is considered “commercial activity” and thus liability, the exemption defines commercial activity much too broadly. Any open source developer soliciting donations or charging for support services for their software is not exempted and thus liable for damages if their product inadvertently contains a vulnerability which is then incorporated into a product, even if they themselves did not produce that product.”
The European Parliament will vote on whether to approve the Committee’s decision at a future plenary session. It will then begin negotiations with the Council and the Commission.