Document 52022XX1129(01)
Summary of the Opinion of the European Data Protection Supervisor on the Proposal for a Regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020 2022/C 452/07 (The full text of this Opinion can be found in English, French and German on the EDPS website https://edps.europa.eu)
OJ C 452, 29.11.2022, p. 23–25
(BG, ES, CS, DA, DE, ET, EL, EN, FR, GA, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)
29.11.2022 | EN | Official Journal of the European Union | C 452/23
Summary of the Opinion of the European Data Protection Supervisor on the Proposal for a Regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020
(2022/C 452/07)
(The full text of this Opinion can be found in English, French and German on the EDPS website https://edps.europa.eu)
On 15 September 2022, the European Commission issued a Proposal for a Regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020 (1) (‘the Proposal’).
The EDPS welcomes the Proposal and fully supports its general objective to improve the functioning of the internal market by laying down a uniform legal framework for essential cybersecurity requirements for placing products with digital elements on the Union market.
The EDPS recalls that Article 5(1)(f) GDPR has established security as one of the main principles relating to the processing of personal data. Article 32 GDPR further defines this obligation, applicable to both controllers and processors, to ensure an appropriate level of security. Therefore, the EDPS welcomes that security and data minimisation principles are already embedded in the essential cybersecurity requirements enumerated in Annex I of the Proposal. In addition, the EDPS strongly recommends including the data protection by design and by default principle in the essential cybersecurity requirements of products with digital elements.
Recital 17 provides for very important governance provisions that are not reflected in the operational part of the Proposal. Therefore, the EDPS recommends specifying in the operational part of the Proposal all the aspects related to the creation of synergies on both standardisation and certification on cybersecurity as well as synergies between this Proposal and the Union data protection law in the area of market surveillance and enforcement. Furthermore, the EDPS considers it necessary to clarify that the Proposal does not seek to affect the application of existing EU laws governing the processing of personal data, including the tasks and powers of the independent supervisory authorities competent to monitor compliance with those instruments.
The EDPS welcomes the fact that this provision acknowledges that the processing of personal data is a critical and sensitive function and might as such require the corresponding critical products with digital elements to obtain a European cybersecurity certificate under a European cybersecurity certification scheme. At the same time, the EDPS recommends clarifying in a recital of the Proposal that obtaining a European cybersecurity certification under the Proposal does not guarantee compliance with the GDPR.
Finally, the EDPS welcomes the proposed penalties, which are similar to those of the GDPR for a breach of Article 32 GDPR on the security of processing, with a maximum fine of 2,5 % of global annual turnover. As a result, the Proposal could serve as yet another form of protection for individuals that reside within EU Member States, in conjunction with the provisions of the GDPR.
1. INTRODUCTION
1. On 15 September 2022, the European Commission issued a Proposal for a Regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020.
2. The objective of the Proposal is to improve the functioning of the internal market by laying down a uniform legal framework for essential cybersecurity requirements for placing products with digital elements on the Union market (2). In particular, the Proposal aims to set the boundary conditions for the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and that manufacturers take security seriously throughout a product’s life cycle. It also aims to create conditions allowing users to take cybersecurity into account when selecting and using products with digital elements (3).
3. To this end, the Proposal lays down (4):
4. The EU framework comprises several pieces of horizontal legislation that cover certain aspects linked to cybersecurity from different angles (products, services, crisis management, and crimes). In 2013, the Directive on attacks against information systems (5), harmonising criminalisation and penalties for a number of offences directed against information systems, came into force. In August 2016, Directive (EU) 2016/1148 (6) on security of network and information systems (NIS Directive) entered into force as the first piece of EU-wide legislation on cybersecurity. Its revision, resulting in the NIS2 Directive, raises the EU common level of ambition regarding the cybersecurity of ICT services. In 2019, the EU Cybersecurity Act (7) entered into force, aiming to enhance the security of ICT products, ICT services and ICT processes by introducing a voluntary European cybersecurity certification framework.
5. The present Opinion of the EDPS is issued in response to a consultation by the European Commission of 15 September 2022, pursuant to Article 42(1) of EUDPR. The EDPS welcomes the reference to this consultation in Recital 71 of the Proposal. In this regard, the EDPS also positively notes that he was previously informally consulted pursuant to recital 60 of EUDPR.
3. CONCLUSIONS
31. In light of the above, the EDPS makes the following recommendations:
Brussels, 9 November 2022.
Wojciech Rafał WIEWIÓROWSKI
(1) COM/2022/454 final.
(2) Recital 1 of the Proposal.
(3) Recital 2 of the Proposal.
(4) Article 1 of the Proposal.
(5) Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on attacks against information systems and replacing Council Framework Decision 2005/222/JHA (OJ L 218, 14.8.2013, p. 8).
(6) Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (OJ L 194, 19.7.2016, p. 1).
(7) Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (OJ L 151, 7.6.2019, p. 15).
(8) Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, amending Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009 and repealing Council Directives 90/385/EEC and 93/42/EEC (OJ L 117, 5.5.2017, p. 1).
(9) Directive 2014/53/EU of the European Parliament and of the Council of 16 April 2014 on the harmonisation of the laws of the Member States relating to the making available on the market of radio equipment and repealing Directive 1999/5/EC (OJ L 153, 22.5.2014, p. 62).