European law on cybersecurity, companies warn about risks

Companies have called for greater flexibility, suggesting that the legislation allow for self-assessment and a significant reduction in the number of products covered by the law

A group of companies, including Ericsson and Nokia, has issued a warning about a proposed European cybersecurity law, arguing that it could create obstacles and disruptions in supply chains. In a letter sent to the European Commission, industry group Digital Europe said the broad scope of the draft law would affect millions of connected devices, ranging from household appliances to toys to cybersecurity tools, and would prevent safe products from being marketed to European customers, who would therefore be deprived of some of these companies' important products. The European Commission published the draft law in September 2022, with entry into force scheduled for 2024. In addition to Nokia and Ericsson, Siemens, Robert Bosch, Schneider Electric and ESET also signed the letter from Digital Europe.

The signatory companies have long supported the need for horizontal cybersecurity rules for connected products, rather than a series of different sector regulations. However, they believe that the current proposal is not capable of adequately regulating different types of products. A critical point for manufacturers is the requirement to demonstrate compliance through third-party certifiers for a high-risk product category with cybersecurity features, such as password management or intrusion detection. The group argues that these components are critical to the economy and that third-party pricing could cause obstacles similar to those caused by the Covid-19 pandemic in European supply chains, harming competitiveness.

Concerns have also been raised regarding the requirement to report unresolved vulnerabilities. The companies believe that manufacturers should be allowed to prioritize fixing vulnerabilities over immediate reporting where there are cybersecurity-related reasons to do so. As a result, companies have called for more flexibility, suggesting that the legislation allow for self-assessment opportunities and a significant reduction in the number of products included in the category. They also proposed allowing at least 48 months for the development of a more harmonized standard.