Page 151 - SAMENA Trends - September-October 2022

REGULATORY & POLICY UPDATES  SAMENA TRENDS

EU Proposes New Law to Make Manufacturers Liable for Device Security, Breach Reporting


The European Commission has released its draft Cyber Resilience Act. The legislation proposes new requirements for connected devices in terms of security, from basic design elements to customer support in the event of a cyber-attack or security breach. The law must still be discussed and approved by the European Parliament and Council, after which manufacturers and sellers would have up to two years to implement the changes. First announced by Commission President Ursula von der Leyen in her State of the Union address in September 2021, the Cyber Resilience Act was already the subject of a public consultation earlier this year.

According to the Commission, the proposal puts more responsibility on the part of manufacturers to ensure that their devices which connect to the internet are designed to be safe and supported if hacked. Consumers and businesses should benefit from greater transparency on security, increasing trust in digital products, while the EU is also hoping to set a new global standard, which other countries will follow to improve cybersecurity.

The legislation includes rules for bringing products with digital elements to market, essential requirements for the design, development and production of such products, obligations for businesses in relation to these products, requirements for putting in place procedures to address eventual vulnerabilities during the life of the product and an obligation to report actively any exploited vulnerabilities or security incidents.

The remit of the new law will be wide, covering any hardware or software that connects to another device or network, via a wired or wireless connection. Certain exemptions will apply in sectors with their own legislation, such as automotives, aviation or medical devices. Software as a service is not covered either, but may fall under other EU legislation such as the NIS 2 directive covering essential services.

The industry group CCIA warned that the legislation could create new 'red tape', slowing the time to bring new technology to market due to extensive conformity processes required for new devices. It could also force service providers to turn to only EU-approved equipment, creating a new barrier to trade.

Under the Commission's proposal, the obligation to report security breaches would come into effect a year after the law enters into force, and the other obligations only within two years. Each EU state will name a regulator to enforce the rules, and this body will be able to order changes in products, ban unsafe products and conduct product recalls. In addition, it could fine companies that do not comply with the rules.



ComReg Consulting on Review of Termination Markets

Ireland’s Commission for Communications Regulation (ComReg) has launched a consultation on its review of the fixed and mobile voice termination markets, and confirmed it proposes removing the significant market power (SMP) designations and obligations it previously imposed via decisions in 2019 and 2020. According to ComReg, it plans to do so as termination markets are no longer identified as being susceptible to ex-ante regulation by the EC, while based on the Irish watchdog’s assessment set out in its consultation, it believes that the markets would fail a ‘Three Criteria Test’ set out in Article 67 of the European Electronic Communication Code (EECC), meaning they cannot be subject to SMP regulation.

As such, with the markets no longer susceptible to ex ante regulation, ComReg has said it proposes to withdraw all existing SMP designations and obligations, although it has confirmed it plans to impose a six-month sunset period on fixed line incumbent eir in respect of the withdrawal of the existing SMP-based interconnection obligations ‘in order to provide certainty to other SPs [service providers] and allow them time to make alternative operational interconnection arrangements should they be required’.

Previously, ComReg’s 2019 Termination Markets Decision, published in May that year, designated 22 fixed service providers (‘FSPs’) and six mobile service providers (‘MSPs’) as having SMP. Meanwhile, a follow-up decision – ‘2020 Further Termination Decision’, dated October 2020 – designated an additional three FSPs with SMP. Comments on ComReg’s consultation are being accepted until 7 December 2022, following which the regulator will consider the feedback and review its proposals, before notifying draft measures to the EC and the Body of European Regulators for Electronic Communications (BEREC).

