EU member states have agreed on their position on the Cyber Resilience Act, a bill intended to impose cybersecurity requirements on digital products sold on the European market. The member states will now enter into negotiations with the European Parliament.
The Council of the European Union, consisting of ministers of EU member states, agreed on Wednesday on a negotiating mandate for the Cyber Resilience Act. The Council will therefore negotiate with the European Parliament this autumn about the final content of the law, which may then be adopted later.
The Council has made some adjustments to the bill. For example, it wants manufacturers to release security updates for the lifespan that consumers and companies can ‘reasonably expect’ from the product, whereas the European Commission proposed a maximum term of five years in its original bill. The Council's proposal also includes measures to support ‘small and micro businesses’ in complying with the proposed law.
Work on the Cyber Resilience Act has been underway for some time. The European Commission made an initial proposal for it last year. Under the law, manufacturers would be obliged, among other things, to release free security updates. It would also be mandatory to report actively exploited vulnerabilities and incidents to the European cybersecurity agency ENISA within 24 hours.
Several open source foundations, including the Linux Foundation Europe, signed an open letter earlier this year expressing their concerns about the bill. The Electronic Frontier Foundation also expressed concerns about the bill earlier this year. The EFF wrote that open source developers who receive any amount of money for their work, for example through donations, could be held responsible for vulnerabilities in their software. This could also apply if their software is incorporated into another product, even if they did not design that product themselves, the EFF said. According to the EFF, this could cause open source developers to stop releasing their projects. The foundation also considers mandatory vulnerability disclosure dangerous, because it could mean that vulnerabilities are made public before a patch is available.