The ever-increasing phenomenon of cyber attacks poses a severe issue in today's almost entirely digital society, as it threatens the security of both citizens and organisations alike. If not prevented, cyber attacks could cost immense sums of money, but could also grant cyber criminals access to personal and confidential information. With this in mind, the European Commission issued a Proposal for a Regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements, amending Regulation (EU) 2019/1020 ('the Proposal').
In the following article, we provide an overview of the Proposal and touches upon its correlation with the existing data protection law under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').
Overview of the Proposal
The main objective of the Proposal is to establish a uniform regulatory framework containing essential cybersecurity requirements that must be met for a product with digital elements to be placed on the EU market (Recital 1 of the Proposal). The Proposal aims to ensure that manufacturers place greater importance on cybersecurity throughout a product's lifecycle, which will inevitably lead to hardware and software products with digital elements being placed on the EU market with fewer flaws and vulnerabilities. Last but not least, the greater control of products with digital elements aims to develop a better-informed user base, which will take cybersecurity into consideration before selecting and using products with digital elements (Recital 2 of the Proposal).
The material scope of the Proposal encompasses a wide array of products with digital elements due to its intentionally broad interpretation. The Proposal defines 'products with digital elements' as 'any software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the market separately' (Article 3(1) of the Proposal). Thereby, it covers all products with digital elements 'whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network' (Article 2(1) of the Proposal).
Excluded are products that are sufficiently covered by existing sectoral EU legislation, as explicitly stipulated in Articles 2(2) and 2(3) of the Proposal and products developed exclusively for national security or military purposes or designated specifically to process classified information (such as medical devices and products used exclusively for national security or military purposes). Moreover, the application of the Proposal to products covered by existing EU regulations that address some or all of the risks that are laid down in Annex I of the Proposal may be limited, or even excluded, if 'such limitation or exclusion is consistent with the overall regulatory framework applying to those products and the sectoral rules achieve the same level of protection as the one provided by this Regulation' (Article 4 of the Proposal).
The Proposal splits products with digital elements into two categories (Class I and Class II), depending on the level of their anticipated cybersecurity risk. Subject to a product's risk classification, different procedures, methods, and requirements apply, that all need to be met for a product to successfully pass the so-called 'conformity assessment' and be placed on the EU market. The Proposal introduces CE marking for products with digital elements that indicates that the product passed the 'conformity assessment'.
In Article 1, the Proposal sets forth:
- rules for the placing on the market of products with digital elements to ensure the cybersecurity of such products;
- essential requirements for the design, development, and production of products with digital elements, and obligations for economic operators (such as manufacturers, authorised representatives, importers, and distributors) in relation to these products with respect to cybersecurity;
- essential requirements for the vulnerability handling process put in place by manufacturers to ensure the cybersecurity of products with digital elements during the whole lifecycle, and obligations for economic operators in relation to these processes; and
- rules on market surveillance and enforcement of the abovementioned rules and requirements.
The Proposal provides for the designation of a market surveillance authority from each Member State which will be granted comprehensive investigative, monitoring, and regulatory powers. These national authorities should cooperate closely with the European Union Agency for Cybersecurity ('ENISA') for the implementation of the reporting obligations pursuant to Article 11 of the Proposal (Article 41(3) of the Proposal), but also with other market surveillance authorities pursuant to the harmonisation efforts of other EU legislation (Article 41(3) of the Proposal). The market surveillance authorities will also be granted the power to perform so-called 'sweeps' which are essentially 'simultaneous coordinated control actions of particular products with digital elements or categories thereof to check compliance with or to detect infringements' to the Proposal (Article 49(1) of the Proposal). Sweeps will be coordinated by the Commission (Article 49(2) of the Proposal).
Further, it is required that Member States establish penalties (administrative fines) applicable to infringements by economic operators and take the necessary measures to ensure that they are enforced. The limits of the penalties, together with the relevant infringements, are stipulated in the Proposal under Article 53. Overall, they are similar to those found under the GDPR.
Correlation with data protection
The Proposal explicitly stipulates in Recital 17 that the Proposal should be 'without prejudice' to the GDPR. The Proposal recognises that Data Protection by Design and by Default principles, as well as cybersecurity in general are fundamental elements of the GDPR. Nevertheless, the essential cybersecurity requirements and conditions set forth in the Proposal aim to enhance the protection of personal data and security offered to EU citizens.
The Proposal also provides for various synergies that would need to be established on standardisation and certification on cybersecurity aspects between the Commission, the European Standardisation Organisations, ENISA, the European Data Protection Board ('EDPB'), and the national data protection supervisory authorities (Recital 17 of the Proposal). Synergies between the Proposal and EU data protection law should also be established in the area of market surveillance and enforcement, which could be achieved by a close cooperation of the national market surveillance authorities and the relevant supervising authorities of EU data protection legislation. As the European Data Protection Supervisor ('EDPS') stated in its Opinion 23/2022, the Proposal 'could serve as yet another form of protection for individuals that reside within EU Member States, in conjunction with the provisions of the GDPR' (Paragraph 30).
An example of enhancement of the data subject's protection introduced by the Proposal is the new reporting obligation requiring the manufacturers to inform, without undue delay and after becoming aware of it, the users about any incident having impact on the security of a product and notify, within 24 hours of becoming aware of it, ENISA of such incident.
Cyber attacks are a reoccurring phenomenon in today's digitalised society, and they pose a significant threat to both citizens' and organisations' data security, integrity, and confidentiality. The horizontal cybersecurity requirements offered by the Proposal are an important step towards tackling data breaches by protecting the confidentiality, integrity, and availability of information in products with digital elements, by facilitating compliance with the requirement of security of personal data processing provided by the GDPR, and lastly by enhancing the transparency and information to users regarding the risks, capabilities, and limitations of the products with digital elements they choose to make use of, so that they can take preventative and mitigating measures to reduce the residual risks.
This article was originally published by OneTrust Data Guidance, and may be accessed by clicking here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.