Opinion on the Proposal for a Regulation on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020

The European Data Protection Supervisor (EDPS) published its Opinion on a proposed Regulation laying down cybersecurity requirements for products with digital elements

Concretely, the proposed Regulation aims to set out EU-wide cybersecurity requirements for a broad range of hardware and software products and their remote data processing solutions. These include, for example, browsers, operating systems, firewalls, network management systems, smart meters or routers.

Wojciech Wiewiórowski, EDPS, said: “The cybersecurity of products with digital elements is of utmost importance to protect effectively individuals’ fundamental rights in the digital age, including their rights to privacy and data protection. Harmonised cybersecurity requirements across the EU should reduce the risks for Europeans of being victims of cyber-attacks and of the vast consequences that these may entail, such as the theft and misuse of their personal data.”

In its Opinion, the EDPS reiterates that under the General Data Protection Regulation (GDPR), an appropriate level of security of the processing of personal data must be ensured by controllers and processors. In addition, data protection principles must be embedded throughout the development of technologies that process personal data, including many products with digital elements. As such, the EDPS welcomes the proposed Regulation’s measures that would make security and data minimisation principles an essential part of the EU-wide cybersecurity requirements. Nevertheless, the EDPS strongly recommends to also include the data protection by design and by default principles as an essential part of these requirements.

Concerning the standardisation and certification on cybersecurity mentioned in the proposed Regulation, the EDPS suggests clarifying the type of synergies envisaged between the relevant bodies and organisations. This includes the European Data Protection Board, which brings together the national data protection authorities of the EU and the EDPS.

The EDPS highlights that the proposed European cybersecurity certificate under the cybersecurity standardisation and certification for certain products with digital elements should not serve as a replacement for the GDPR certification, which already guarantees compliance with the GDPR.  It should be made clear in the proposed Regulation that the cybersecurity certificate does not mean that a particular product with digital elements is compliant with the GDPR.

The EDPS suggests clarifying the relationship between the proposed Regulation and EU data protection laws, specifically how these will interact in the area of market surveillance and enforcement. To this end, it is the EDPS’ opinion that the proposed Regulation should not affect, or seek to affect, existing EU laws that are already governing the processing of individuals’ personal data and the tasks and powers of independent data protection authorities. (source: edps.europa.eu/ photo: freepik.com)

The Opinion 23/2022 is available here

Comments

Editorial

Editorial
George Kazoleas, Lawyer

Top Stories

Ombudsman inquiry on Commission President’s text messages is a wake-up call for EU

Daily Mail publisher wins case against ‘success fees’ paid to lawyers (ECtHR)

ECtHR elects a new Vice-President of the Court and two new Section Presidents

Intellectual property: the figurative sign consisting of the phrase ‘RUSSIAN WARSHIP, GO F* *K yourself’ in Russian and English cannot be registered as an EU trade mark

The banks Crédit agricole and Credit Suisse participated in a cartel in the sector for suprasovereign bonds, sovereign bonds and public agency bonds denominated in US dollars

European Ombudsman asks Commission to publish details of its handling of senior staff move to law firm

A national court is not required to apply a decision of its constitutional court that infringes EU law (ECJ)