Stakeholders consulted on new horizontal rules for cybersecurity products and services

Written By

Dr. Natallia Karniyevich

Associate
Germany

I am a seasoned attorney situated at the Bird & Bird Düsseldorf office, with a specialisation in cybersecurity and data protection law, and a co-head of the Bird & Bird International Cybersecurity Steering Group.

The European Commission recently started work on the establishment of new horizontal rules for digital products and associated services placed on the internal market, in the context of a new European Cyber Resilience Act (CRA). Such rules had been announced in 2020 as part of the EU’s cybersecurity strategy for the digital decade. To this end, the Commission has launched an open public consultation and published a call for evidence for this Act. The consultation and call for evidence will be open for stakeholders’ feedback for 10 weeks, until 25 May 2022.

As indicated in the call for evidence for an impact assessment, the CRA would:

  • Aim to set up streamlined horizontal European cybersecurity requirements for manufacturers and vendors of a wide range of digital products and ancillary services (i.e., a (digital) service, the absence of which would prevent the tangible product from performing its functions) that are placed on the internal market to enhance and ensure a consistently high level of cybersecurity. This would include tangible digital products (wireless and wired) as well as embedded and non-embedded software, and would cover their whole life cycle;
  • Place obligations on economic operators; and
  • Introduce provisions on conformity assessment, on the notification of conformity assessment bodies, and on market surveillance.

The problem the initiative aims to tackle is a fragmented approach regulating the cybersecurity of digital products. As outlined in the call for evidence for an impact assessment, the current EU regulatory framework applicable to digital products:

  • Does not cover all types of digital products (e.g., hardware not falling under the Radio Equipment Directive or the Medical Devices Regulation);
  • Considers only certain aspects linked to the cybersecurity of tangible digital products and, where applicable, embedded software concerning these products;
  • Does not prescribe specific cybersecurity requirements, e.g., covering the whole life cycle of a product.

The CRA would add to, inter alia, the existing baseline cybersecurity framework of the NIS Directive (which is currently being revised; please see our previous newsletter) and the Cybersecurity Act, and would complement the Delegated Regulation of 29 October 2021 (please see our previous newsletter) under the Radio Equipment Directive. The cybersecurity regulatory landscape is thus becoming more and more complex and requires regular monitoring.

The consultation aims to gather:

  1. stakeholders’ views on current and emerging problems related to the cyber security of digital products and associated services, including non-embedded software;
  2. stakeholders’ views on the possible policy approaches to address such problems, the available options as well as their potential impacts;
  3. evidence and data underpinning the identified problems.

The consultation questionnaire can be accessed here, and the website to give feedback on the CRA can be accessed here. For the time being, the consultation is only available in English. According to the European Commission, translations in the other EU languages will follow soon, and replies may also be provided in all EU official languages.

Next steps

To be able to have an impact on the further development of a regulatory cybersecurity landscape, which is becoming more and more complex and elaborate, it is of vital importance for stakeholders to participate in both the public consultation and the call for evidence (which would be possible until 25 May 2022) and to closely follow the legislator’s work in this regard.

Feedback received will be published on this website and must therefore adhere to the feedback rules. In the context of the public consultation, a factual summary and analysis will be published on the Commission’s Have Your Say portal after the public consultation is closed. Your input will be taken into account as the European Commission further develops and fine-tunes this initiative. The Commission’s draft is expected to be published in the third quarter of 2022.

For further information contact Dr. Natallia Karniyevich
