Dear IoT committee members,

Following the leak of the 4-column document regarding the CSA. For your information, you’ll find attached the provisional agenda for today’s 2nd trilogue meeting. This discussion will start addressing some of the core topics for Eurosmart:

1.1. Lifetime/support period - Article 10(6) (lines 184, 185)
1.2. Criticality of products - Article 6 and Article 6a/bis and Annexes III and IIIa (lines 152-168b and 556-597f)
1.3. Reporting obligations / ENISA vs. CSIRTs - Article 11 and related provisions (lines 197-204x)

Best regards,
Pierre-Jean

From: Eurosmart Policy Insights <[email protected]>
Date: Tuesday, 7 November 2023 at 08:35
To: "[email protected]" <[email protected]>
Subject: [Eu-policy-tracker] CRA - New four column-document available

Cyber Resilience Act

Leaked 4 column-document

A leaked version of the four-column document has been transmitted by Politico. This document reflects some substantial challenges, illustrated by the tentative compromises between the European Commission, the European Parliament, and the Council of the EU’s proposals. Even if the trilogue discussions have found a compromise on the list of applicable essential requirements (Annex I), the certification obligation (Annex IIIa of the Council proposal) and the category of highly critical products have not been addressed.

Download on the Eurosmart portal<https://tracker.eurosmart.com/?nltr=MTg7MjgxO2h0dHBzOi8vZmlsZXMuZXVyb3NtYXJ0LmNvbS9mLzE2OTkwODs7OGUzZGVhYTUxYmE5MzQwOGIwZmJiNWU4ODQ5YTMwMzY%3D>

Overview

Vulnerabilities

The definition of vulnerability is now aligned with NIS 2. The notion of “actively exploitable vulnerability” is still under discussion. Moreover, the Parliament has proposed that if a reported vulnerability “has no available corrective or mitigating measures,” ENISA should ensure that information is shared following strict security protocols and on a need-to-know basis. This proposal will be integrated into a Commission compromise on the article.

Unpatched vulnerabilities

Article 11 remains the most contentious, concerning to whom manufacturers of digital products should report unpatched vulnerabilities. In the compromise text, the negotiators have not reached an agreement on who should manage a database containing vulnerabilities: the EU’s cybersecurity agency ENISA or National Computer Security Incident Response Teams (CSIRTs).

Open-source

The Commission has drafted a compromise: “only free and open-source software made available on the market, supplied for distribution or use in the course of a commercial activity, should be covered by this Regulation. Whether a free and open-source software product has been made available as part of a commercial activity should be assessed on a case-by-case basis,”

Exclusion of national security or military products

A new recital proposed by the Parliament also suggests that products with digital components developed “exclusively for national security or military purposes or for handling classified information” will not fall under the regulation. Nonetheless, countries are encouraged to ensure an equivalent or higher level of protection for such products.

Mandatory EU cybersecurity certification to be discussed

The proposal made by the Council to include an Annex (Annex IIIa) that lists products with mandatory EU CSA certification for placing on the market is still to be discussed. Eurosmart addressed last week a white paper<https://tracker.eurosmart.com/?nltr=MTg7MjgxO2h0dHBzOi8vd3d3LmV1cm9zbWFydC5jb20vZXVyb3NtYXJ0cy1jb21tZW50cy1vbi10aGUtY3liZXItcmVzaWxpZW5jZS1hY3QtY3JhLXByb3Bvc2FsLzs7ZTAwYmNiMzI0YjczYmJlMGViNjA3MTgwZjk5MTJlMzA%3D> on this aspect to the policy makers.

Next steps

Political negotiations will continue on 9 November, with another round on 30 November. An agreement before the end of the year is still expected.

Eurosmart AISBL
Square de Meeûs 35 - 1000 Brussels (BELGIUM)
Draft Agenda - 2nd trilogue.docx
