
Document Ares(2022)1955357

Proposal for a Regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for connected products and associated services (Cyber Resilience Act)

CALL FOR EVIDENCE

FOR AN IMPACT ASSESSMENT

This document aims to inform the public and stakeholders on the Commission's future legislative work so they can provide feedback on the Commission's understanding of the problem and possible solutions, and give us any relevant information that they may have, including on possible impacts of the different options.

Title of the initiative

Cyber Resilience Act

Lead DG (responsible unit)

Directorate‑General for Communications Networks, Content and Technology / Unit H2 for Cybersecurity and Digital Privacy Policy

Likely type of initiative

Regulation on horizontal cybersecurity requirements for digital products and ancillary services

Indicative timetable

Q3-2022

Additional information

-

This document is for information purposes only. It does not prejudge the final decision of the Commission on whether this initiative will be pursued or on its final content. All elements of the initiative described, including its timing, are subject to change.

A. Political context, problem definition and subsidiarity check

Political context

In her State of the Union 2021 address, President von der Leyen underlined that the EU should strive to become a leader in cybersecurity, announcing in that context a new European Cyber Resilience Act. The act would in particular build on the existing baseline cybersecurity framework of the Directive on the security of Network and Information Systems (1) and the Cybersecurity Act. Against the background of a growing number of high-profile cyberattacks with a global footprint, the annual cost of cybercrime to the global economy in 2020 was estimated to be EUR 5.5 trillion, double that of 2015 (2).

In 2020, the EU’s cybersecurity strategy for the digital decade announced the establishment of “new horizontal rules” for connected products and associated services placed on the internal market. The Cyber Resilience Act would complement the Delegated Regulation of 29 October 2021 under the Radio Equipment Directive by setting up streamlined cybersecurity requirements covering a wide range of digital products (3) and their ancillary services (4). This would include tangible digital products (wireless and wired) (5) and non-embedded software (6), and would cover their whole life cycle.

Problem the initiative aims to tackle

In a connected environment, a cybersecurity incident in one product can affect an entire organisation or a whole supply chain. This can lead to severe disruption of economic and social activities or even become life threatening. The lack of appropriate security in digital products and ancillary services is one of the main avenues for successful attacks.

When placing digital products or services on the market, vendors (e.g. hardware manufacturers, software developers, distributors and importers) often do not put in place adequate cybersecurity safeguards. The reasons for this can include: (i) wanting to benefit from being the first to put a product or service on the market, due to network effects (7) present in ICT markets; (ii) lack of qualified security professionals; and (iii) additional costs combined with lack of economic incentives. Similarly, vendors’ response to vulnerabilities throughout their products’ lifecycle is too often inadequate. Moreover, vendors do not systematically provide information on product security (due to the lack of economic incentives), making it difficult for consumers to inform themselves and assess the security of the products and services they are using.

The current EU framework applicable to digital products comprises several pieces of legislation, including EU legislation on specific products covering safety-related aspects and general legislation on product liability. However, the current legislation covers only certain aspects linked to the cybersecurity of tangible digital products and, where applicable, embedded software (8) concerning these products. The EU regulatory framework on products (e.g. the General Product Safety Directive and the Machinery Directive, both currently under review) does not prescribe specific cybersecurity requirements, e.g. covering the whole life cycle of a product. ‘Whole life cycle’ requirements are crucial in the case of digital products and ancillary services, as software needs to be updated on a regular basis.

In addition, the existing framework does not cover all types of digital products. In particular, the current framework fails to cover a variety of widely used hardware (e.g. hardware not falling under the Radio Equipment Directive or the Medical Devices Regulation). Moreover, non-embedded software products are not addressed in the current framework, even though vulnerabilities (9) in software products are increasingly serving as a channel for cybersecurity attacks, causing significant societal and economic costs (10).

Basis for EU action (legal basis and subsidiarity check)

Legal basis

This intervention will be based on Article 114 of the Treaty on the Functioning of the European Union (TFEU), whose objective is the establishment and functioning of the internal market by enhancing measures for the approximation of national rules.

This intervention would aim to improve the internal market’s functioning by: (i) streamlining and supplementing existing rules; and (ii) preventing further fragmentation of cybersecurity requirements for digital products and ancillary services in the internal market, at both national and EU level. Given the global and cross-border nature of the ICT market and the internet, the intervention also aims to reduce negative cross-border spill-overs and the subsequent costs to society, so as to mitigate the risks associated with non-secure products (e.g. a cybersecurity incident in one Member State can block economic or social activities in other Member States; digital products, such as software libraries, are often reused in several different digital products across sectors and borders).

Practical need for EU action

In the present case, EU intervention on cybersecurity is justified due to the cross-border nature of the risks and the negative impact that a fragmented or purely Member-State-driven approach would have on the internal market. Joint action at EU level would therefore result in more effective protection against cybersecurity risks and thus add value to existing or future national policies. It would also result in a level playing field for vendors of digital products and ancillary services.

In particular, regulatory action of this kind at EU level would establish a high level of trust among users, increasing the attractiveness of EU digital products and ancillary services. It would also benefit the (digital) single market and internal market in general by providing legal certainty for vendors of digital products and ancillary services.

B. Objectives and policy options

The initiative’s objectives fall into three main categories.

· Firstly, it aims to enhance and ensure a consistently high level of cybersecurity of digital products and ancillary services. More specifically, a broad range of such products and associated services would be secured throughout their whole lifecycle, proportionally to the risks.

· Secondly, it aims to enable users to match the security properties of such products against their needs, including by enhancing the transparency of cybersecurity features. This would protect users from insecure digital products and ancillary services, and incentivise vendors to offer more secure products, thus increasing the trust in the digital single market.

· Thirdly, it seeks to improve the functioning of the internal market by levelling the playing field for vendors of digital products and ancillary services.

Next to essential cybersecurity requirements, the initiative would place obligations on economic operators, and introduce provisions on conformity assessment, on the notification of conformity assessment bodies, and on market surveillance.

In practice, essential cybersecurity requirements – whether they are regulated altogether in one wide-ranging (‘horizontal’) piece of legislation or on an ad hoc basis – would translate into harmonised standards specific to the different categories of products. Globally, developing such cybersecurity standards could contribute to boosting the EU’s leadership on standard setting by shaping standards for digital products and ancillary services that could serve as global benchmarks (11).

At this stage of reflection, the Commission is considering the following policy options:

1. Maintaining the status quo – this would involve existing legislation (e.g. the Delegated Regulation under the Radio Equipment Directive, legislation on medical devices, motor vehicles, machinery or product safety, etc.) partially addressing the cybersecurity of tangible products.

2. Introducing voluntary measures – voluntary certification schemes under the Cybersecurity Act could be further developed and applied. Soft law measures such as guidelines or recommendations could also be considered, in particular on the cybersecurity of non-embedded software.

3. ‘Ad hoc’ regulatory interventions for cybersecurity of digital products and ancillary services – the intervention would be limited to adding and/or amending the cybersecurity requirements in the already existing legislation and regulating new risks as they emerge, including potentially on non-embedded software.

4. A mixed approach including mandatory and soft rules. This would entail:

(I) A horizontal regulatory intervention introducing cybersecurity requirements for a broad scope of tangible digital products and ancillary services.

Different sub-options may be considered with regard to the conformity assessment procedure:

- conformity self-assessment by default, where vendors may opt for a third-party conformity assessment when deemed appropriate; or

- a third-party conformity assessment is prescribed for certain categories of products under a risk-based approach taking account of such factors as intended use, functionality or the nature of potential harm.

(II) In addition, a staggered approach would be considered as regards cybersecurity of non-embedded software, with soft law measures such as guidelines or recommendations as a first step, potentially followed by regulatory intervention, depending on the results of implementing such measures.

5. A horizontal regulatory intervention introducing cybersecurity requirements for a broad scope of tangible and non-tangible digital products and ancillary associated services, including non-embedded software. Alternative sub-options could be considered regarding the categories of software to be covered, either only critical software or all software, and regarding the conformity assessment procedure, as in option 4 (I).

C. Likely impacts

The initiative is expected to have positive economic impacts. Introducing horizontal cybersecurity requirements for digital products and ancillary services would improve cybersecurity for consumers and users throughout the whole EU supply chain and increase the selection of higher-quality and safer goods and services. This would enhance public trust in the digital economy, contributing to economic growth and investments.

Moreover, enhancing the cybersecurity of products and services would help to mitigate loss of revenue due to cyberattacks and reduce the large expenses associated with ad hoc threat mitigation. An initial exploratory study contracted by the Commission in 2021 to assess the need for horizontal cybersecurity requirements for digital products indicated that the benefits of regulatory intervention would outweigh its potential costs.

Introducing one set of requirements for the same type of product at EU level instead of various potentially diverging national rules would reduce regulatory costs (administrative burden and compliance costs) and level the playing field for vendors. This would foster competition and innovation, stimulating the digital transition.

A European intervention would likely cover a broad range of products placed on the internal market, irrespective of their origin. Third-country vendors of connected products hold a significant share of products marketed in the EU, hence such an approach would allow the EU to promote its vision for high cybersecurity standards, including at international level, and strengthen the EU’s global competitiveness.

The initiative would also have positive social impacts such as reduced levels of cybercrime. It would enhance protection of fundamental rights (personal data in particular) by helping decrease the number and severity of incidents, including data breaches.

Finally, strengthening the cybersecurity of digital products and ancillary services could have positive environmental impacts by contributing to wider use of latest-generation digital infrastructure and services, which are more sustainable. The initiative could also lead to the replacement of legacy infrastructures, which are not only less secure but also less energy-efficient and environmentally friendly.

D. Better regulation instruments

Impact assessment

An impact assessment, supported by evidence collection and a stakeholder consultation, will help prepare the policy initiative. It will be prepared in line with the Better Regulation guidelines. The impact assessment will also benefit from consultation activities already carried out in 2021 for the exploratory study contracted by the Commission to assess the need for horizontal cybersecurity requirements for digital products. The impact assessment will also benefit from the findings of a new study that the Commission has contracted to collect evidence and conduct analyses in the first half of 2022.

Consultation strategy

In parallel to the publication of this call for evidence, the Commission is launching a public consultation to gather the views of a variety of stakeholders. The questionnaire will be available in all EU languages, and replies may also be provided in all EU official languages.

A factual summary and analysis will be published on the Commission’s Have Your Say portal after the public consultation is closed.

All stakeholders listed under the target audience will be invited to participate in the public consultation.

In the context of the above-mentioned study supporting the impact assessment, consultants will collect evidence through interviews with experts covering different domains. A workshop with experts and a targeted online consultation will also be held.

Why we are consulting

Through this consultation, the Commission would like to gather:

· stakeholders’ views on current and emerging problems related to the cybersecurity of digital products and associated services, including non-embedded software;

· stakeholders’ views on the possible policy approaches to address such problems, the available options and their potential impacts; and

· evidence and data underpinning the identified problems.

Target audience

The consultation aims to gather the views of a variety of stakeholders. These include:

· ICT industry representatives (e.g. hardware manufacturers, software developers, distributors, importers) and professional users;

· national competent authorities, including cybersecurity-relevant authorities;

· consumers and consumer associations;

· conformity assessment bodies;

· academic experts and the general public.

(1) The ‘NIS Directive’ is currently under review (trilogue negotiations are ongoing). See Commission proposal: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM%3A2020%3A823%3AFIN
(2) JRC, Cybersecurity – Our Digital Anchor, 2020: https://publications.jrc.ec.europa.eu/repository/handle/JRC121051
(3) For the purposes of this call for evidence, ‘digital product’ covers both hardware and software products, including software that can be made available without hardware (non-embedded software). A ‘hardware product’ is defined as any device or group of interconnected or related devices, one or more of which, using a program, perform automatic processing of digital data. A ‘software product’ is defined as an intangible good that processes digital data, stored, retrieved or transmitted by a hardware device.
(4) ‘Ancillary service’ means a (digital) service, the absence of which would prevent the tangible product from performing its functions.
(5) Examples of tangible digital products are end devices such as sensors and cameras, smart cards, mobile devices, or network devices such as routers and switches.
(6) Software that comes with applications that are different from the basic functionality of a digital product.
(7) A ‘network effect’ occurs where the value or utility a user derives from a good or service increases when the number of users of compatible products or services increases.
(8) Software directly supportive to the function of the device on which the software is downloaded.
(9) A ‘vulnerability’ is a weakness in the computational logic found in software and hardware components, which, when exploited, has a negative impact on the availability of services, the confidentiality of information, safety, etc.
(10) Noteworthy examples include Kaseya (2021), WannaCry (2017) and Pegasus (since 2016).
(11) See An EU Strategy for Standardisation, 2 February 2022: https://ec.europa.eu/docsroom/documents/48598