
Document 52022XX1129(01)

Summary of the Opinion of the European Data Protection Supervisor on the Proposal for a Regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020 2022/C 452/07 (The full text of this Opinion can be found in English, French and German on the EDPS website https://edps.europa.eu)

OJ C 452, 29.11.2022, p. 23–25 (BG, ES, CS, DA, DE, ET, EL, EN, FR, GA, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)


On 15 September 2022, the European Commission issued a Proposal for a Regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020 (1) (‘the Proposal’).

The EDPS welcomes the Proposal and fully supports its general objective to improve the functioning of the internal market by laying down a uniform legal framework for essential cybersecurity requirements for placing products with digital elements on the Union market.

The EDPS recalls that Article 5(1)(f) GDPR has established security as one of the main principles relating to the processing of personal data. Article 32 GDPR further defines this obligation, applicable to both controllers and processors, to ensure an appropriate level of security. Therefore, the EDPS welcomes that the security and data minimisation principles are already embedded in the essential cybersecurity requirements enumerated in Annex I of the Proposal. In addition, the EDPS strongly recommends including the data protection by design and by default principle in the essential cybersecurity requirements of products with digital elements.

Recital 17 provides for very important governance provisions that are not reflected in the operational part of the Proposal. Therefore, the EDPS recommends specifying in the operational part of the Proposal all the aspects related to the creation of synergies on both standardisation and certification on cybersecurity as well as synergies between this Proposal and the Union data protection law in the area of market surveillance and enforcement. Furthermore, the EDPS considers it necessary to clarify that the Proposal does not seek to affect the application of existing EU laws governing the processing of personal data, including the tasks and powers of the independent supervisory authorities competent to monitor compliance with those instruments.

The EDPS welcomes the fact that this provision acknowledges that the processing of personal data is a critical and sensitive function and might as such require the corresponding critical products with digital elements to obtain a European cybersecurity certificate under a European cybersecurity certification scheme. At the same time, the EDPS recommends clarifying in a recital of the Proposal that obtaining a European cybersecurity certification under the Proposal does not guarantee compliance with the GDPR.

Finally, the EDPS welcomes the proposed penalties, which are similar to those of the GDPR for a breach of Article 32 GDPR on the security of processing, with a maximum fine of 2,5 % of global annual turnover. As a result, the Proposal could serve as yet another form of protection for individuals who reside within EU Member States, in conjunction with the provisions of the GDPR.

1.   INTRODUCTION

1. On 15 September 2022, the European Commission issued a Proposal for a Regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020.

2. The objective of the Proposal is to improve the functioning of the internal market by laying down a uniform legal framework for essential cybersecurity requirements for placing products with digital elements on the Union market (2). In particular, the Proposal aims to set the boundary conditions for the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and that manufacturers take security seriously throughout a product’s life cycle. It also aims to create conditions allowing users to take cybersecurity into account when selecting and using products with digital elements (3).

3. To this end, the Proposal lays down (4):

rules for the placing on the market of products with digital elements to ensure the cybersecurity of such products;

essential requirements for the design, development and production of products with digital elements, and obligations for economic operators in relation to these products with respect to cybersecurity;

essential requirements for the vulnerability handling processes put in place by manufacturers to ensure the cybersecurity of products with digital elements during the whole life cycle, and obligations for economic operators in relation to these processes;

rules on market surveillance and enforcement of the above-mentioned rules and requirements.

4. The EU framework comprises several pieces of horizontal legislation that cover certain aspects linked to cybersecurity from different angles (products, services, crisis management, and crimes). In 2013, the Directive on attacks against information systems (5), harmonising criminalisation and penalties for a number of offences directed against information systems, came into force. In August 2016, Directive (EU) 2016/1148 (6) on security of network and information systems (NIS Directive) entered into force as the first piece of EU-wide legislation on cybersecurity. Its revision, resulting in the NIS2 Directive, raises the EU common level of ambition regarding the cybersecurity of ICT services. In 2019, the EU Cybersecurity Act (7) entered into force, aiming to enhance the security of ICT products, ICT services and ICT processes by introducing a voluntary European cybersecurity certification framework.

5. The present Opinion of the EDPS is issued in response to a consultation by the European Commission of 15 September 2022, pursuant to Article 42(1) of the EUDPR. The EDPS welcomes the reference to this consultation in Recital 71 of the Proposal. In this regard, the EDPS also positively notes that he was previously informally consulted pursuant to Recital 60 of the EUDPR.

3.   CONCLUSIONS

31. In light of the above, the EDPS makes the following recommendations:

(1) to include the data protection by design and by default principle in the essential cybersecurity requirements of products with digital elements;

(2) to explain in the preamble the importance of products with digital elements that perform cryptographic operations, including encryption at rest and in transit and pseudonymisation, which are necessary for effective information security, cybersecurity, data protection and privacy;

(3) to add in Annex II tangible and intangible products with digital elements that perform cryptographic operations;

(4) to delete Regulation (EU) 2017/745 (8) from the list of the legislation excluded from the application of the Proposal;

(5) to clarify expressly in the Proposal which elements of the essential requirements referred to in Article 3(3)(e) of Directive 2014/53/EU (9) concern personal data and privacy;

(6) to specify in the operational part of the Proposal the practical aspects related to the creation of synergies on both standardisation and certification on cybersecurity as well as synergies between this Proposal and the Union data protection law in the area of market surveillance and enforcement;

(7) to clarify that the Proposal does not seek to affect the application of existing EU laws governing the processing of personal data, including the tasks and powers of the independent supervisory authorities competent to monitor compliance with those instruments;

(8) to add relevant definitions of ‘free software’, ‘open source software’ and ‘free and open source software’;

(9) to clarify in a recital of the Proposal that obtaining a European cybersecurity certification under the Proposal does not guarantee compliance with the GDPR.

Brussels, 9 November 2022.

Wojciech Rafał WIEWIÓROWSKI


(1)  COM/2022/454 final.

(2)  Recital 1 of the Proposal.

(3)  Recital 2 of the Proposal.

(4)  Article 1 of the Proposal.

(5)  Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on attacks against information systems and replacing Council Framework Decision 2005/222/JHA (OJ L 218, 14.8.2013, p. 8).

(6)  Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (OJ L 194, 19.7.2016, p. 1).

(7)  Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (OJ L 151, 7.6.2019, p. 15).

(8)  Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, amending Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009 and repealing Council Directives 90/385/EEC and 93/42/EEC (OJ L 117, 5.5.2017, p. 1).

(9)  Directive 2014/53/EU of the European Parliament and of the Council of 16 April 2014 on the harmonisation of the laws of the Member States relating to the making available on the market of radio equipment and repealing Directive 1999/5/EC (OJ L 153, 22.5.2014, p. 62).
