The Pulse: 27 January - 07 February, 2025

Your Source for Global Regulatory Insights

This week's trending sources in C2P

• UK: Using Harmonized Standards for Placing CE Marked Products in Great Britain, Guidance Document, February 2025
• Malaysia: Performance, Testing and Labelling of Energy-Using Products, Guidance Document, December 2024
• EU: Competitiveness Compass for the EU, Communication, January 2025

What is our Content Team talking about?

Illinois Senate proposes an amendment to the Environmental Protection Act on prior consultation of affected communities

by Cristian Barroso

On 28 January 2025, Senate Bill 1307 was introduced, proposing to amend the Illinois Environmental Protection Act on prior consultation of environmental justice communities.

Scope

The Bill requires companies that intend to construct, modify, or expand a facility or “source” subject to the Clean Air Act Permit Program or a State operating permit in an environmental justice community to conduct a public consultation and to develop an environmental justice assessment identifying potential risks to human health and the environment, before applying for a construction permit.

Public consultation

The public consultation must be held within the environmental justice community where the proposed source is located (or to be located), providing proper notice shall be given to elected officials, members of the general assembly, directors of child centers (30 days in advance), and the general public.

Notice to the general public shall be published in a newspaper of general circulation and posted on the applicants and Agency website.

During the meeting, the applicant must present a summary of the environmental justice assessment, collect public comments, and provide 30 days for further comments.

Environmental Justice Assessment

The Environmental Justice Assessment must be conducted by a third party and shall consist of the following:

• Air dispersion model examining the air quality-related impacts of the proposed project;
• A modelling protocol analysis of short-term impacts on air quality;
• An environmental impact review evaluating the direct, indirect, and cumulative environmental and health impacts within the environmental justice community.

Finally, the draft includes provisions to contest permit issuance and environmental justice grievances.

What are our Knowledge Partners talking about?

2024 IoT Security Foundation publishes Vulnerability Disclosure audit summary

by RINA

The IoT security foundation have published their annual ‘State of Vulnerability Disclosure Policy (VDP) Usage in Global Consumer IoT’ report, which offers a unique barometer of the progress that is being made with regards to security in the global consumer IoT market.

Vulnerability Disclosure Policies

One of the key security requirements for complying with legislation such as the recently implemented UK Product Security and Telecommunications Infrastructure Act (PSTI) or the recently adopted EU Cyber Resilience Act is to ensure that manufacturers make a ‘vulnerability disclosure policy’ publicly available. The report highlights how the concept of vulnerability disclosure is often misunderstood to mean that companies are required in some jurisdictions to alert the authorities of some kind of data breach or compromise. In reality, a vulnerability disclosure is a specific place where security researchers can disclose vulnerabilities to a company so that they can be rectified. The European Union Agency for Cybersecurity (ENISA) defines vulnerability disclosure as “the process of identifying, reporting and patching weaknesses of software, hardware or services that can be exploited.”

Report findings

The headline statistic for this year’s report is that nearly 36% of global IoT manufacturers have a vulnerability disclosure policy, meaning that over 64% still have no way for security researchers to contact them. Whilst this is an increase in the adoption of vulnerability disclosure best practices compared to previous years, it demonstrates that theoretically, the majority of IoT devices being placed on the market do not comply with essential requirements of relevant legislations. A positive note, however, is that the trend appears to suggest that IoT manufacturers are starting to adopt better security practices. The report also found that certain jurisdictions were more likely to have higher levels of compliance, with the UK and EU noticeably showing a higher percentage of manufacturers adopting vulnerability disclosure policies than within other markets, identifying the impact of developing legislation.

Conclusion

The report identifies some positive signs in the global transition towards cybersecurity measures for IoT devices, implementation can seem fragmented and inconsistent. Whilst there has clearly been positive effect from legislation such as the UK’s PSTI Act, hundreds of companies in the report dataset have still done nothing, showing real barriers to adoption.

Enforcement bodies in different jurisdictions will have to decide what they do about this, particularly in the UK where it is now a legal requirement. Companies in Europe will have until 2027 to achieve compliance to the CRA. Should manufacturers seek assistance with vulnerability disclosure policies or their wider cybersecurity regulatory requirements, RINA can assist accordingly.

What are our clients asking about?

"Under the EU CBAM Regulation, who is responsible for filling in the CBAM statement?"

Answered by Alex Li

The CBAM regulation designates reporting declarant to be one of the following:

(a) the importer who lodges a customs declaration for release for free circulation of goods in its own name and on its own behalf;

(b) the person, holding an authorization to lodge a customs declaration referred to in Article 182(1) of Regulation (EU) No 952/2013 of the European Parliament and of the Council , who declares the importation of goods;

(c) the indirect customs representative, where the customs declaration is lodged by the indirect customs representative appointed in accordance with Article 18 of Regulation (EU) No 952/2013, when the importer is established outside the Union or where the indirect customs representative has agreed to the reporting obligations in accordance with Article 32 of Regulation (EU) 2023/956;

Therefore, if your company imports the end products into the EU, then your company would be liable to report as you are the reporting declarant. In this case, whether your company actually manufactures the products is of no relevance.

You may also consult this FAQ document for the CBAM regulation, in which the 22 Q&A deals specifically with this matter.

Don't miss out on our next webinar on 26 February 2025

Bird’s Eye View of Global AI Regulations: US, EU, UK, Singapore and China

Gain insights into how different jurisdictions are addressing AI-related challenges and what these developments mean for businesses, policymakers, and compliance professionals.

Register Now