Opinion on the Proposal for a Regulation on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020

The European Data Protection Supervisor (EDPS) published its Opinion on a proposed Regulation laying down cybersecurity requirements for products with digital elements

Concretely, the proposed Regulation aims to set out EU-wide cybersecurity requirements for a broad range of hardware and software products and their remote data processing solutions. These include, for example, browsers, operating systems, firewalls, network management systems, smart meters or routers.

Wojciech Wiewiórowski, EDPS, said: “The cybersecurity of products with digital elements is of utmost importance to protect effectively individuals’ fundamental rights in the digital age, including their rights to privacy and data protection. Harmonised cybersecurity requirements across the EU should reduce the risks for Europeans of being victims of cyber-attacks and of the vast consequences that these may entail, such as the theft and misuse of their personal data.”

In its Opinion, the EDPS reiterates that under the General Data Protection Regulation (GDPR), an appropriate level of security of the processing of personal data must be ensured by controllers and processors. In addition, data protection principles must be embedded throughout the development of technologies that process personal data, including many products with digital elements. As such, the EDPS welcomes the proposed Regulation’s measures that would make security and data minimisation principles an essential part of the EU-wide cybersecurity requirements. Nevertheless, the EDPS strongly recommends to also include the data protection by design and by default principles as an essential part of these requirements.

Concerning the standardisation and certification on cybersecurity mentioned in the proposed Regulation, the EDPS suggests clarifying the type of synergies envisaged between the relevant bodies and organisations. This includes the European Data Protection Board, which brings together the national data protection authorities of the EU and the EDPS.

The EDPS highlights that the proposed European cybersecurity certificate under the cybersecurity standardisation and certification for certain products with digital elements should not serve as a replacement for the GDPR certification, which already guarantees compliance with the GDPR.  It should be made clear in the proposed Regulation that the cybersecurity certificate does not mean that a particular product with digital elements is compliant with the GDPR.

The EDPS suggests clarifying the relationship between the proposed Regulation and EU data protection laws, specifically how these will interact in the area of market surveillance and enforcement. To this end, it is the EDPS’ opinion that the proposed Regulation should not affect, or seek to affect, existing EU laws that are already governing the processing of individuals’ personal data and the tasks and powers of independent data protection authorities. (source: edps.europa.eu/ photo: freepik.com)

The Opinion 23/2022 is available here


Top Stories

Accidents on board an aircraft: The strict liability of airlines under the Montreal convention extends to inadequate first aid administered on board an aircraft

The length of court proceedings for 7 years and 8 months violated the right to a fair hearing within a reasonable time (ECtHR)

TikTok processing of children’s data: Dispute's settlement by European Data Protection Board

Promotion of judges after evaluation by other judges: Substantive conditions and procedural rules must be such as to dispel any reasonable doubt as to the independence and the impartiality

Timeshare contracts: Applicable law in the absence of a choice made by the parties (ECJ)