Activities of Henna VIRKKUNEN related to 2022/0272(COD)

Shadow reports (1)

REPORT on the proposal for a regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020
2023/07/27
Committee: ITRE
Dossiers: 2022/0272(COD)
Documents: PDF(755 KB) DOC(228 KB)
Authors: Nicola DANTI (MEP ID 124821)

Amendments (42)

Amendment 133 #
Proposal for a regulation
Recital 9
(9) This Regulation ensures a high level of cybersecurity of products with digital elements. It does not regulate services, such as Software-as-a-Service (SaaS), except for remote data processing solutions relating to a product with digital elements understood as any data processing at a distance for which the software is designed and developed by or on behalf of the manufacturer of the product concerned or under the responsibility of that manufacturer, and the absence of which would prevent such a product with digital elements from performing one of its essential functions. Directive (EU) 2022/2555 (NIS2) puts in place cybersecurity and incident reporting requirements for essential and important entities, such as critical infrastructure, with a view to increasing the resilience of the services they provide. Directive (EU) 2022/2555 (NIS2) applies to cloud computing services and cloud service models, such as SaaS. All entities providing cloud computing services in the Union that meet or exceed the threshold for medium-sized enterprises fall in the scope of that Directive.
2023/05/04
Committee: ITRE
Amendment 140 #
Proposal for a regulation
Recital 10
(10) In order not to hamper innovation or research, only free and open-source software developed or supplied in the course of a commercial activity should not be covered by this Regulation. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. In the context of software, a commercial activity might be characterized not only by charging a price for a product, but also by charging a price for technical support services when this pursues a profit or the intention to monetise, by providing a software platform through which the manufacturer monetises other services, or by the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software.
2023/05/04
Committee: ITRE
Amendment 147 #
Proposal for a regulation
Recital 19 a (new)
(19a) ENISA should publish and maintain a known exploited vulnerability catalogue that should be included in the European vulnerability database established under Directive 2022/2555 (NIS2). The catalogue should assist manufacturers in detecting known exploitable vulnerabilities and in notifying vulnerabilities found in their products, in order to ensure that secure products are placed on the market.
2023/05/04
Committee: ITRE
Amendment 162 #
Proposal for a regulation
Recital 32
(32) In order to ensure that products with digital elements are secure both at the time of their placing on the market as well as throughout their life-cycle, it is necessary to lay down essential requirements for vulnerability handling and essential cybersecurity requirements relating to the properties of products with digital elements. While manufacturers should comply with all essential requirements related to vulnerability handling and ensure that all their products are delivered without any exploitable vulnerabilities known to them, they should determine which other essential requirements related to the product properties are relevant for the concerned type of product. For this purpose, manufacturers should undertake an assessment of the cybersecurity risks associated with a product with digital elements to identify relevant risks and relevant essential requirements and in order to appropriately apply suitable harmonised standards or common specifications.
2023/05/04
Committee: ITRE
Amendment 170 #
Proposal for a regulation
Recital 35 a (new)
(35a) Reporting should be as convenient and efficient as possible. For this purpose, ENISA should provide for an online system into which all requested information can be inserted.
2023/05/04
Committee: ITRE
Amendment 184 #
Proposal for a regulation
Recital 53
(53) In the interests of competitiveness, it is crucial that notified bodies apply the conformity assessment procedures without creating unnecessary burden on economic operators. In order to ensure that notified bodies are able to perform their tasks efficiently, and to minimise possible impediments, the Commission and Member States should ensure that there are skilled professionals in the Union. For the same reason, and to ensure equal treatment of economic operators, consistency in the technical application of the conformity assessment procedures needs to be ensured. That should be best achieved through appropriate coordination and cooperation between notified bodies.
2023/05/04
Committee: ITRE
Amendment 185 #
Proposal for a regulation
Recital 53 a (new)
(53a) In order to increase efficiency and transparency, the Commission should, within 24 months from the entry into force of this Regulation, ensure that there is a sufficient number of notified bodies in the Union to carry out a conformity assessment, in order to avoid bottlenecks and hindrances to market entry.
2023/05/04
Committee: ITRE
Amendment 200 #
Proposal for a regulation
Recital 69
(69) Economic operators should be provided with a sufficient time to adapt to the requirements of this Regulation. This Regulation should apply [324 months] from its entry into force, with the exception of the reporting obligations concerning known exploited vulnerabilities and incidents, which should apply [122 months] from the entry into force of this Regulation.
2023/05/04
Committee: ITRE
Amendment 202 #
Proposal for a regulation
Recital 69 a (new)
(69a) This Regulation may generate additional costs to micro, small and medium-sized enterprises. In order to support these enterprises that may face additional costs, the Commission should establish financial and technical support that allows for these companies to contribute to the European cybersecurity landscape.
2023/05/04
Committee: ITRE
Amendment 228 #
Proposal for a regulation
Article 3 – paragraph 1 – point 4 a (new)
(4a) ‘cybersecurity’ means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881;
2023/05/04
Committee: ITRE
Amendment 234 #
Proposal for a regulation
Article 3 – paragraph 1 – point 21 a (new)
(21a) ‘micro, small and medium sized enterprises’ means micro, small and medium sized enterprises as defined in Commission Recommendation 2003/361/EC [1a];
[1a] Commission Recommendation of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (notified under document number C(2003) 1422) (OJ L 124, 20.5.2003, p. 36).
2023/05/04
Committee: ITRE
Amendment 235 #
Proposal for a regulation
Article 3 – paragraph 1 – point 21 b (new)
(21b) ‘provider of an online marketplace’ means a provider of an intermediary service using an online interface, which allows consumers to conclude distance contracts with traders for the sale of products;
2023/05/04
Committee: ITRE
Amendment 247 #
Proposal for a regulation
Article 3 – paragraph 1 – point 39
(39) ‘known exploited vulnerability’ means a patched vulnerability for which reliable evidence exists that execution of malicious code was performed by an actor on a system without permission of the system owner;
2023/05/04
Committee: ITRE
Amendment 249 #
Proposal for a regulation
Article 3 – paragraph 1 – point 39 a (new)
(39a) ‘incident’ means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;
2023/05/04
Committee: ITRE
Amendment 280 #
Proposal for a regulation
Article 10 – paragraph 6 – subparagraph 1
Manufacturers shall ensure, when placing a product with digital elements on the market, and for the expected product lifetime or for a period of five years from the placing of the product on the market, whichever is shorter, that vulnerabilities of that product are handled effectively and in accordance with the essential requirements set out in Section 2 of Annex I.
2023/05/04
Committee: ITRE
Amendment 283 #
Proposal for a regulation
Article 10 – paragraph 6 – subparagraph 2 a (new)
Manufacturers shall determine the expected product lifetime referred to in the first subparagraph of this paragraph, taking into account the time users reasonably expect to be able to use the product given its functionality and intended purpose, and therefore can expect to receive security updates.
2023/05/04
Committee: ITRE
Amendment 294 #
Proposal for a regulation
Article 10 – paragraph 10 a (new)
10a. Manufacturers shall clearly specify in an easily accessible manner, and where applicable, on the packaging of the product with digital elements, the end date for the expected product lifetime as referred to in paragraph 6, including at least the month and year, until which the manufacturer will at least ensure the effective handling of vulnerabilities in accordance with the essential requirements set out in Section 2 of Annex I.
2023/05/04
Committee: ITRE
Amendment 307 #
Proposal for a regulation
Article 11 – paragraph 1
1. The manufacturer shall, without undue delay and in any event within 24 hours of becoming aware of it, notify to ENISA any known exploited vulnerability contained in the product with digital elements in accordance with paragraph 1a of this Article. The notification shall include details concerning that vulnerability and, where applicable, any corrective or mitigating measures taken. ENISA shall, without undue delay, unless for justified cybersecurity risk-related grounds, forward the notification to the CSIRT designated for the purposes of coordinated vulnerability disclosure in accordance with Article [Article X] of Directive (EU) 2022/2555 (NIS2) of Member States concerned upon receipt and inform the market surveillance authority about the notified vulnerability. Where a notified vulnerability has no corrective or mitigating measures available, ENISA shall ensure that the sharing of information regarding the notified vulnerability is based on applicable security protocols and on a need-to-know basis.
2023/05/04
Committee: ITRE
Amendment 310 #
Proposal for a regulation
Article 11 – paragraph 1 a (new)
1a. Notifications as referred to in paragraph 1 shall be subject to the following procedure:
(a) an early warning, without undue delay and in any event within 24 hours of the manufacturer becoming aware of the known exploited vulnerability, detailing whether any known corrective or mitigating measure is available;
(b) a vulnerability notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the known exploited vulnerability, which, where applicable, updates the information referred to in point (a), details any corrective or mitigating measures taken and indicates an assessment of the extent of the vulnerability, including its severity and impact;
(c) an intermediate report on relevant status updates, upon the request of ENISA;
(d) a final report, within one month after the submission of the vulnerability notification under point (b), including at least the following:
(i) a detailed description of the vulnerability, including its severity and impact;
(ii) where available, information concerning any actor that has exploited or that is exploiting the vulnerability;
(iii) details about the security update or other corrective measures that have been made available to remedy the vulnerability.
2023/05/04
Committee: ITRE
Amendment 312 #
Proposal for a regulation
Article 11 – paragraph 1 b (new)
1b. Once a security update has been made available, or an appropriate corrective or mitigation measure has been implemented, ENISA shall add the notified vulnerability to the European vulnerability database referred to in Article 12 of Directive [Directive 2022/2555 (NIS2)].
2023/05/04
Committee: ITRE
Amendment 315 #
Proposal for a regulation
Article 11 – paragraph 2
2. The manufacturer shall, without undue delay and in any event within 24 hours of becoming aware of it, notify to ENISA any significant incident having impact on the security of the product with digital elements in accordance with paragraph 2b of this Article. ENISA shall, without undue delay, unless for justified cybersecurity risk-related grounds, forward the notifications to the single point of contact designated in accordance with Article [Article X] of Directive (EU) 2022/2555 (NIS2) of the Member States concerned and inform the market surveillance authority about the notified significant incidents. The significant incident notification shall include information on the severity and impact of the incident and, where applicable, the necessary information to make the competent authority aware of the incident and allow for the entity to seek assistance.
2023/05/04
Committee: ITRE
Amendment 316 #
Proposal for a regulation
Article 11 – paragraph 2 a (new)
2a. An incident shall be considered to be significant, where:
(a) it has caused or is capable of causing severe operational disruption of the production or the services for the manufacturer concerned, which would impact the security of a product; or
(b) it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.
2023/05/04
Committee: ITRE
Amendment 319 #
Proposal for a regulation
Article 11 – paragraph 2 b (new)
2b. Notifications as referred to in paragraph 2 shall be subject to the following procedure:
(a) an early warning, without undue delay and in any event within 24 hours of the manufacturer becoming aware of the significant incident, which, where applicable, indicates whether the significant incident is suspected of being caused by unlawful or malicious acts or could have a cross-border impact;
(b) an incident notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the significant incident, which, where applicable, updates the information referred to in point (a) and indicates an initial assessment of the significant incident, including its severity and impact, as well as, where available, the indicators of compromise;
(c) an intermediate report on relevant status updates upon the request of ENISA;
(d) a final report, within one month after the submission of the incident notification under point (b), including at least the following:
(i) a detailed description of the incident, including its severity and impact;
(ii) the type of threat or root cause that is likely to have triggered the incident;
(iii) applied and ongoing mitigation measures;
(iv) where applicable, the cross-border impact of the incident.
In the event of an ongoing incident at the time of the submission of the final report referred to in point (d) of the first subparagraph, Member States shall ensure that entities concerned provide a progress report at that time and a final report within one month of their handling of the incident.
2023/05/04
Committee: ITRE
Amendment 323 #
Proposal for a regulation
Article 11 – paragraph 3 a (new)
3a. ENISA shall publish and maintain a known exploited vulnerability catalogue that shall be included in the European vulnerability database established under Directive 2022/2555 (NIS2). The catalogue shall assist manufacturers in detecting known exploitable vulnerabilities and in notifying vulnerabilities found in their products.
2023/05/04
Committee: ITRE
Amendment 326 #
Proposal for a regulation
Article 11 – paragraph 4
4. The manufacturer shall inform, without undue delay and after becoming aware, the users of the product with digital elements about the significant incident and, where necessary, about corrective measures that the user can deploy to mitigate the impact of the significant incident.
2023/05/04
Committee: ITRE
Amendment 337 #
Proposal for a regulation
Article 11 – paragraph 7 a (new)
7a. ENISA shall establish a digital reporting mechanism, after having consulted relevant stakeholder groups, so that manufacturers are able to fulfil their reporting obligations via an Online Application.
2023/05/04
Committee: ITRE
Amendment 343 #
Proposal for a regulation
Article 13 – paragraph 3
3. Where an importer considers or has reason to believe that a product with digital elements or the processes put in place by the manufacturer are not in conformity with the essential requirements set out in Annex I, the importer shall not place the product on the market until that product or the processes put in place by the manufacturer have been brought into conformity with the essential requirements set out in Annex I. Furthermore, where the product with digital elements presents a significant cybersecurity risk, the importer shall inform the manufacturer and the market surveillance authorities to that effect.
2023/05/04
Committee: ITRE
Amendment 346 #
Proposal for a regulation
Article 13 – paragraph 6 – subparagraph 1
Importers who know or have reason to believe that a product with digital elements, which they have placed on the market, or the processes put in place by its manufacturer, are not in conformity with the essential requirements set out in Annex I shall immediately require the manufacturer to take the corrective measures necessary to bring that product with digital elements or the processes put in place by its manufacturer into conformity with the essential requirements set out in Annex I, or to withdraw or recall the product, if appropriate.
2023/05/04
Committee: ITRE
Amendment 347 #
Proposal for a regulation
Article 13 – paragraph 6 – subparagraph 2
Upon identifying a vulnerability in the product with digital elements, importers shall inform the manufacturer without undue delay about that vulnerability. Furthermore, where the product with digital elements presents a significant cybersecurity risk, importers shall immediately inform the market surveillance authorities of the Member States in which they made the product with digital elements available on the market to that effect, giving details, in particular, of the non-conformity and of any corrective measures taken.
2023/05/04
Committee: ITRE
Amendment 348 #
Proposal for a regulation
Article 13 – paragraph 6 – subparagraph 2 a (new)
Upon receiving information from the manufacturer that the product with digital elements presents a significant cybersecurity risk, giving details, in particular, of the non-conformity and of any corrective measures taken, importers shall immediately forward this information to the market surveillance authorities of the Member States in which they made the product with digital elements available on the market to that effect.
2023/05/04
Committee: ITRE
Amendment 351 #
Proposal for a regulation
Article 14 – paragraph 3
3. Where a distributor considers or has reason to believe that a product with digital elements or the processes put in place by the manufacturer are not in conformity with the essential requirements set out in Annex I, the distributor shall not make the product with digital elements available on the market until that product or the processes put in place by the manufacturer have been brought into conformity. Furthermore, where the product with digital elements poses a significant cybersecurity risk, the distributor shall inform the manufacturer and the market surveillance authorities to that effect.
2023/05/04
Committee: ITRE
Amendment 352 #
Proposal for a regulation
Article 14 – paragraph 4 – subparagraph 1
Distributors who know or have reason to believe that a product with digital elements, which they have made available on the market, or the processes put in place by its manufacturer are not in conformity with the essential requirements set out in Annex I shall require the manufacturer to take corrective measures necessary to bring that product with digital elements or the processes put in place by its manufacturer into conformity, or to withdraw or recall the product, if appropriate.
2023/05/04
Committee: ITRE
Amendment 353 #
Proposal for a regulation
Article 14 – paragraph 4 – subparagraph 2
Upon identifying a vulnerability in the product with digital elements, distributors shall inform the manufacturer without undue delay about that vulnerability. Furthermore, where the product with digital elements presents a significant cybersecurity risk, distributors shall immediately inform the market surveillance authorities of the Member States in which they have made the product with digital elements available on the market to that effect, giving details, in particular, of the non-conformity and of any corrective measures taken.
2023/05/04
Committee: ITRE
Amendment 355 #
Proposal for a regulation
Article 14 – paragraph 4 – subparagraph 2 a (new)
Upon receiving information from the manufacturer that the product with digital elements presents a significant cybersecurity risk, giving details, in particular, of the non-conformity and of any corrective measures taken, distributors shall immediately forward this information to the market surveillance authorities of the Member States in which they made the product with digital elements available on the market to that effect.
2023/05/04
Committee: ITRE
Amendment 362 #
Proposal for a regulation
Article 17 a (new)
Article 17a
Specific obligations of providers of online marketplaces
1. Without prejudice to the general obligations provided for in Article 11 of Regulation (EU) 2022/2065, providers of online marketplaces shall designate a single point of contact allowing for direct communication, by electronic means, with Member States’ market surveillance authorities in relation to cybersecurity issues.
2. Without prejudice to the general obligations provided for in Article 12 of Regulation (EU) 2022/2065, providers of online marketplaces shall designate a single point of contact to enable consumers to communicate directly and rapidly with them in relation to cybersecurity issues.
3. As regards powers conferred by Member States in accordance with Article 14 of Regulation (EU) 2019/1020, Member States shall confer on their market surveillance authorities the necessary power, as regards specific content referring to an offer of a product with digital elements, which presents a significant cybersecurity risk or a vulnerability, to issue an order requiring the providers of online marketplaces to remove such content from their online interface, to disable access to it or to display an explicit warning. Such orders shall be issued in accordance with the minimum conditions set out in Article 9(2) of Regulation (EU) 2022/2065. Providers of online marketplaces shall take the necessary measures to receive and process orders issued pursuant to this paragraph and they shall act without undue delay.
4. Orders issued pursuant to paragraph 4 may require the provider of an online marketplace, for the prescribed period, to remove from its online interface all identical content referring to an offer of the product in question, to disable access to it or to display an explicit warning, provided that the search for the content concerned is limited to the information identified in the order and does not require the provider of an online marketplace to carry out an independent assessment of that content, and that the search and the removal can be carried out in a proportionate manner by reliable automated tools.
5. Providers of online marketplaces shall, without undue delay, process the notices related to cybersecurity issues with regard to the product offered for sale online through their services, received in accordance with Article 16 of Regulation (EU) 2022/2065.
6. For the purpose of compliance with the requirements of Article 31(1) and (2) of Regulation (EU) 2022/2065 as regards product safety information, providers of online marketplaces shall design and organise their online interface in a way that enables traders offering the product to provide at least the following information for each product offered and that ensures that the information is displayed or otherwise made easily accessible by consumers on the product listing:
(a) name, registered trade name or registered trade mark of the manufacturer, as well as the postal and electronic address at which the manufacturer can be contacted;
(b) information allowing the identification of the product, including a picture of it, its type and any other product identifier; and
(c) any warning or safety information to be affixed on the product or to accompany it in accordance with this Regulation or the applicable Union harmonisation legislation in a language which can be easily understood by consumers as determined by the Member State in which the product is made available on the market.
7. For the purpose of compliance with Article 23 of Regulation (EU) 2022/2065 regarding cybersecurity issues, providers of online marketplaces shall suspend, for a reasonable period of time and after having issued a prior warning, the provision of their services to traders that frequently offer products which are non-compliant with this Regulation.
8. Providers of online marketplaces shall cooperate with the market surveillance authorities, with traders and with relevant economic operators to facilitate any action taken to eliminate or, if that is not possible, to mitigate the risks presented by a product that is or was offered online through their services.
2023/05/04
Committee: ITRE
Amendment 373 #
Proposal for a regulation
Article 23 – paragraph 5
5. The Commission is empowered to adopt delegated acts in accordance with Article 50 to supplement this Regulation by the elements to be included in the technical documentation set out in Annex V to take account of technological developments, as well as developments encountered in the implementation process of this Regulation. When adopting delegated acts, the Commission shall take into account and make sure the administrative burden on micro, small and medium sized enterprises is kept to a minimum.
2023/05/04
Committee: ITRE
Amendment 383 #
Proposal for a regulation
Article 24 – paragraph 5
5. Notified bodies shall take into account the specific interests and needs of micro, small and medium sized enterprises (SMEs) when setting the fees for conformity assessment procedures and reduce those fees proportionately to their specific interests and needs. The Commission shall ensure that appropriate financial support in the regulatory framework of existing Union programmes is allocated to micro, small and medium- sized enterprises, in order to mitigate possible financial burden.
2023/05/04
Committee: ITRE
Amendment 387 #
Proposal for a regulation
Article 28 – paragraph 1 a (new)
1a. The Commission shall, within 24 months from the entry into force of this Regulation, ensure that there is a sufficient number of notified bodies in the Union to carry out a conformity assessment, in order to avoid bottlenecks and hindrances to market entry.
2023/05/04
Committee: ITRE
Amendment 440 #
Proposal for a regulation
Article 50 – paragraph 6 a (new)
6a. When exercising the power of delegation, the Commission shall conduct public consultations and engage in regular dialogue with economic operators, in order to collect evidence and evaluate market implications of including or withdrawing categories of products in the scope of this Regulation.
2023/05/04
Committee: ITRE
Amendment 444 #
Proposal for a regulation
Article 53 – paragraph 1
1. Member States shall lay down the rules on penalties applicable to infringements by economic operators of this Regulation and shall take all measures necessary to ensure that they are enforced. The penalties provided for shall be effective, proportionate and dissuasive. These rules shall take into account the financial capabilities of micro, small and medium-sized enterprises.
2023/05/04
Committee: ITRE
Amendment 458 #
Proposal for a regulation
Article 57 – paragraph 2
It shall apply from [324 months after the date of entry into force of this Regulation]. However Article 11 shall apply from [122 months after the date of entry into force of this Regulation].
2023/05/04
Committee: ITRE
Amendment 463 #
Proposal for a regulation
Annex I – Part 1 – point 2
(2) Products with digital elements shall be delivered without any exploitable vulnerabilities which the manufacturer knows of, unless a manufacturer ensures that there are updates available which remedy this vulnerability and these are run automatically at the first time of use of the product;
2023/05/04
Committee: ITRE