EU Council’s position on Cyber Resilience Act set for endorsement

The Spanish presidency of the EU Council shared revised compromise of the Cyber Resilience Act, set for endorsement and further negotiations with EU co-legislators.


The Cyber Resilience Act has undergone fine-tuning, addressing aspects related to reporting obligations, highly critical products, and product lifetime. The Spanish presidency of the EU Council of Ministers shared a revised compromise, which was discussed by the Horizontal Working Party on Cyber Issues.

Under the revised Cyber Resilience Act, manufacturers will be obligated to report any cybersecurity incidents or actively exploited vulnerabilities to the competent authority. The responsibility for receiving such reports will now be entrusted to national Computer Security Incident Response Teams (CSIRTs), instead of the EU cybersecurity agency ENISA. The Act encourages member states to establish a single national entry point for reporting requirements, streamlining the process. CSIRTs will share reported incidents with other teams through a centralised reporting platform, with possible delays only in cases where the sensitivity of the information warrants additional security measures.

Another aspect addressed in the revised Act is the product lifetime and the provision of security updates. Manufacturers are required to indicate the expected lifetime of their products, during which users can anticipate receiving security updates. The calculation of the expected product lifetime now considers factors such as the availability of the operating environment, the lifetime of similar products, and guidance from market surveillance authorities. Notably, the reference to relevant EU law and product nature, including licensing terms, has been removed. Market surveillance authorities no longer have the authority to request manufacturers to justify their product lifetime calculations.

Additionally, the Cyber Resilience Act assigns responsibility for compliance with cybersecurity regulations to the economic operator that substantially modifies a connected device. However, exemptions are provided for security patches that do not alter the intended purpose of a product. The Act also specifically excludes products with digital elements developed or modified exclusively by public administration entities for internal use.

The final adjustments were reflected in a new text circulated by the Spanish presidency ahead of the adoption of the EU Council’s position. Concurrently, the European Parliament’s Industry Committee is scheduled to adopt its version of the text. Negotiations between the EU co-legislators are expected to commence in September.