
Obligations of manufacturers (Article 10 and Annex I)

Class II

12. Industrial Automation & Control Systems (IACS) intended for the use in critical areas of by essential entities of the type referred to in [Annex I to the Directive XXX/XXXX (NIS2)], such as programmable logic controllers (PLC), distributed control systems (DCS), computerised numeric controllers for machine tools (CNC) and supervisory control and data acquisition systems (SCADA);

Industrial Internet of Things devices intended for the use in critical areas of by essential entities of the type referred to in [Annex I to the Directive XXX/XXXX (NIS2)];

Obligations of manufacturers (Article 10 and Annex I)

German industry welcomes the European Commission’s core idea that manufacturers shall only place those products with digital elements on the market that fulfil essential cybersecurity requirements, such as security-by-design and protection from unauthorised access by appropriate control mechanisms. Moreover, we appreciate that all manufacturers are required to implement, in a structured manner, a vulnerability handling process. To ensure that manufacturers of products with digital elements are made aware of all known vulnerabilities, German industry urges the European co-legislators to require government bodies – at supranational, national and regional level – to share their knowledge of vulnerabilities, i.e. backdoors, with the respective manufacturer and to refrain from legislation that allows exploitation of vulnerabilities in order to break or circumvent encryption. Vulnerabilities are a security risk for all and weaken Europe’s cyber-resilience. Hence, the Cyber Resilience Act can only achieve its intended goal if both manufacturers and government bodies contribute their fair share. Such an obligation should be introduced in a separate piece of legislation by Member States and should come into effect no later than the end of the implementation period of the Cyber Resilience Act.

German industry welcomes the Commission’s proposal made in Article 10 (6) that obliges manufacturers of products with digital elements to handle and mitigate vulnerabilities for the lifetime of the product or for 5 years, whichever of the two is shorter. German industry perceives this as a well-balanced approach that takes into account the requirements of very different product categories. However, as recent cyber incidents and acts of sabotage on critical infrastructures have shown, Europe’s critical infrastructure is increasingly the target of malicious actors. Taking this into account, manufacturers of products with digital elements that are highly critical for the functioning of essential entities could be obliged to offer their customers remunerated service agreements that ensure that these products with digital elements receive updates and patches for longer than the currently foreseen five-year period, if technologically feasible.

The obligation to provide “clear, understandable, intelligible and legible” information (Article 10 (10)) should consider the relevant addressee (e.g., IT administrator in business-to-business transactions).

Moreover, the co-legislators should clarify the intention and meaning of Annex I point 9 b “how changes to the product can affect the security of data”. The current wording leaves room for interpretation regarding whose changes have an effect on the security of data.

Manufacturers should provide remedies for identified vulnerabilities within a timeframe appropriate to the significance of the vulnerability and the criticality of the product, taking the use of the product into account. For example, major security updates of products used in critical infrastructure should be provided without culpable delay. In addition, security updates may be provided as part of regular routine updates.
