EU Commission pitches double reporting of open security loopholes in cybersecurity law – EURACTIV.com


The question of who should receive extremely sensitive cyber threat intelligence has been a sticking point in the negotiations on the Cyber Resilience Act. The Commission has proposed a middle ground that would double the number of recipients.

The Cyber Resilience Act is a legislative proposal introducing security requirements for connected devices. The file is being finalised in ‘trilogues’ between the EU Commission, Council and Parliament.

Among the obligations placed on product manufacturers is a duty to report not only cybersecurity incidents, as previous legislation already required, but also actively exploited vulnerabilities.

A vulnerability is actively exploited when attackers are already using it against deployed products, typically before a fix is available to users. Knowledge of such a flaw is therefore highly dangerous if it falls into the wrong hands, and which body should receive it is a politically sensitive question.

In the original Commission text, this task was assigned to ENISA, the EU cybersecurity agency, an approach that found support in the Parliament. By contrast, European governments want to move it to the national Computer Security Incident Response Teams (CSIRTs).

Following the last trilogue on 8 November, Euractiv reported that a possible landing zone could be to accept the role of the CSIRTs while strengthening the involvement of ENISA, and that the EU executive had proposed that both bodies receive the reports simultaneously.

In an undated compromise text circulated after the trilogue, seen by Euractiv, the Commission put its idea in black and white.

“The manufacturers shall notify any actively exploited vulnerability contained in the product with digital elements that they become aware of to [the CSIRTs designated as coordinators pursuant to Article 12(1) of Directive (EU) 2022/2555 and ENISA],” reads the text.

National CSIRTs would therefore be in the driving seat of the reporting process, for instance by requesting that the manufacturer provide an intermediate report. Notifications would be submitted via a pan-European platform to the endpoint of the CSIRT of the country where the company has its main establishment.

“A manufacturer shall…
