A new EU Council text puts Software-as-a-Service outside the scope of the Cyber Resilience Act, while the European Commission clarified that the legal basis would not allow for its inclusion.
The Cyber Resilience Act is a legislative proposal introducing essential cybersecurity requirements for connected products. To what extent these obligations would also apply to software programmes has been a matter of political discussion in the EU Council.
Some EU countries have also called for including Software-as-a-Service, a category that covers online services such as Netflix and Google Workspace hosted on the providers’ cloud infrastructure.
A new text from the Czech presidency, dated 2 December and seen by EURACTIV, updated a previous version reported by EURACTIV two weeks ago by placing SaaS firmly outside the regulation’s scope.
In particular, the draft law has been rephrased to only apply to remote data processing solutions based on software or hardware that support the functioning of a connected device.
“Software-as-a-Service (SaaS) solutions constitute remote data processing solutions within the meaning of this Regulation only if they meet that definition. For example, cloud services designed and developed outside the responsibility of a manufacturer of a product with digital elements are not in the scope of this Regulation,” the text continues.
Clarified scope
In other words, only if an app were explicitly created to support a connected product, such as a smart weight scale, would the Cyber Resilience Act apply, as the app is the responsibility of the product manufacturer.
The push for keeping SaaS outside the new cybersecurity rules is consistent with what Internal Market Commissioner Thierry Breton said at the Telecom Council meeting on Tuesday (6 December).
“Software as a service is already covered by the NIS2 Directive,” Breton told EU ministers, adding that incorporating these services under the Cyber Resilience Act would be legally challenging because of the proposal’s legal basis.
The compromise also explains that websites would not constitute the remote data processing solutions of web browsers, as they are not developed under the responsibility of the browser manufacturer, and the absence of any individual website would not prevent the browser from functioning.
Including websites in the scope would have been highly impractical, given the difficulty of assessing their compliance with the EU cybersecurity requirements.
Still up for discussion
“With the current text, it is difficult for companies to see if the regulation covers their products. More work should be done to prevent legal uncertainty. And also, further discussions may be needed on to what extent the services should and could be included,” said Alexandra van Huffelen, the Dutch state secretary for digitalisation, at the ministerial meeting.
The Hague was at the forefront of demanding that SaaS be included in the scope. Even before the proposal was published, the Netherlands, Denmark and Germany penned a non-paper pushing for an extension in this direction.
The exclusion of SaaS would be welcomed with a deep sigh of relief by large parts of the industry. However, while the text seems to be moving in this direction, the matter of scope still seems far from settled, as national representatives are still trying to grasp how the new rules would fit into a complex IT environment.
“It is still a bit unclear at this stage,” an EU diplomat told EURACTIV. “We are all hoping for more discussions on this.”
For instance, where a website is connected to an app through an application programming interface (API), the app would fall within the scope while the website itself would not, because of the responsibility exclusion.
National security
The revision also concerned the part that carved out national security matters, a jealously guarded competence for member states.
A new paragraph has been added mandating that member states should not put in place obstacles that prevent connected products from being launched and circulating in the EU single market. Restrictions might only relate to non-technical factors in compliance with European law.
The capacity of member states to introduce additional security requirements for Internet of Things products used for military, defence or national security purposes, as well as the exemption from sharing information that might be used against the essential security interests of EU countries, were maintained with minor tweaks.
[Edited by Alice Taylor]