A group of companies including Ericsson and Nokia warned a European cybersecurity bill could create bottlenecks and disrupt supply chains, as they pressed for amendments ahead of planned negotiations about the proposal between countries and politicians tomorrow (8 November). 

In a letter to European Commission (EC), industry group Digital Europe said the broad scope of the draft bill would impact millions of connected devices spanning household appliances, toys and cybersecurity tools, preventing secure products from entering the market and reaching European customers. 

The EC published the draft legislation in September 2022, with the law scheduled to take effect in 2024.

As well as Nokia and Ericsson, the letter from Digital Europe was also signed by Siemens, Robert Bosch, Schneider Electric and ESET.

The signatories claim they always back “horizontal cybersecurity rules for connected products rather than a patchwork of different rules per sector”. They further argued the proposal lacks capacity to govern different products. 

Of particular concern to the manufacturers is a requirement to prove compliance through third-party certifiers for a category listing high-risk products with cybersecurity features, such as password management or intrusion detection. 

The group claims these components are crucial to the economy and assessment through third parties “risks creating a Covid-19 (coronavirus)-style blockage in European supply chains”, which may hurt competitiveness.  

Concerns were also raised on the harm of reporting unpatched vulnerabilities. “Manufacturers should be allowed to make a judgement call to prioritise patching over immediate reporting based on justified cybersecurity-related grounds.”

To that end, the companies called for more flexibility by suggesting the legislation “maximise the possibility of self-assessment” and “significantly reduce” products in the category, along with allowing at least 48 months for the development of a more harmonised standard.