Activities of Ignazio CORRAO related to 2022/0272(COD)
Shadow reports (1)
REPORT on the proposal for a regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020
Amendments (88)
Amendment 131
Proposal for a regulation
Recital 9
(9) This Regulation ensures a high level of cybersecurity of products with digital elements. It does not regulate services, such as Software-as-a-Service (SaaS), except for processes and ancillary services. The definition and regulatory scope for products with digital elements should also include remote data processing solutions which are necessary for products with digital elements to perform their functions. Remote data processing solutions should be understood as any data processing at a distance, irrespective of whether data is processed or stored locally on the device of the user or remotely. Moreover, manufacturers shall remain responsible for the software which is designed and developed, as well as customised or substantially modified by the manufacturer of the product concerned or under the control or responsibility of that manufacturer, and the absence of which would prevent such a product with digital elements from performing one of its functions. Software-as-a-Service (SaaS) shall constitute remote data processing solutions within the meaning of this Regulation to the extent that it is inextricably linked to performing one of the product functions. For instance, websites or cloud service models supporting the functionality of products with digital elements fall in the scope of this Regulation. [Directive XXX/XXXX (NIS2)] puts in place cybersecurity and incident reporting requirements for essential and important entities, such as critical infrastructure, with a view to increasing the resilience of the services they provide. [Directive XXX/XXXX (NIS2)] applies to cloud computing services and cloud service models, such as SaaS. All entities providing cloud computing services in the Union that meet or exceed the threshold for medium-sized enterprises fall in the scope of that Directive.
Where the manufacturer employs such cloud solutions which are not covered by NIS 2 or uses a custom implementation of a cloud service model, the requirements in this Regulation should be applicable.
Amendment 134
Proposal for a regulation
Recital 9 a (new)
(9a) Software and data that are openly shared and where users can freely access, use, modify and redistribute them or modified versions thereof, can contribute to research and innovation in the market. Research by the European Commission also shows that free and open-source software can contribute between €65 billion and €95 billion to the European Union’s GDP and that it can provide significant growth opportunities for the European economy. Users are allowed to run, copy, distribute, study, change and improve software and data, including models, by way of free and open-source licences. To foster the development and deployment of free and open source software, especially by SMEs, start-ups, non-profits and academic research but also by individuals, this Regulation should not apply to such free and open-source software components, except in very specific cases. We must take into account the fact that different development models of software distributed and developed under public licences exist, having a wide range of different roles in such development models. For example, commercial open-source exists and is generally developed by a single organisation or an asymmetric community, where a single organisation is generating significant revenues from related use in business relationships. In contrast, vendor-neutral free and open source is developed by a symmetric community, sometimes under the governance of a non-profit organisation, ensuring transparency and neutrality in the development model and with no direct revenues from related use in business relationships. This is why this Regulation should differentiate, and the independent developers of free and open-source software components should not be mandated under this Regulation to comply with requirements targeting the product value chain and, in particular, not towards the manufacturer that has used that free and open-source software component in a commercial product.
Developers of free and open-source software components, as well as all manufacturers that are not subject to stricter compliance rules, should however be encouraged to implement the provisions of Annex I, as a way to increase security, allowing the promotion of trustworthy products with digital elements in the EU.
Amendment 137
Proposal for a regulation
Recital 10
(10) In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. Neither the collaborative development of free and open-source software components nor making them available on open repositories should constitute a placing on the market or putting into service. As such, most package managers, code hosting, and collaboration platforms do not make software products available on the market as distributors within this Act. A commercial activity, within the understanding of making available on the market, might however be characterised not only by charging a price for a free and open-source software component, but also by monetisation like charging a price for technical support services, paid software updates, by providing a software platform through which the provider monetises other services (such as an App Store), or by the use of data. Unrelated consulting services, membership fees and not for profit sponsorships do not constitute monetisation within the scope of this regulation. When open-source software is integrated into a final product with digital elements that is placed on the market, the economic operator that has placed the final product with digital elements on the market shall be responsible for the compliance of the product, including of the free and open-source components.
Amendment 150
Proposal for a regulation
Recital 22
(22) In order to ensure that products with digital elements, when placed on the market, do not pose cybersecurity risks to persons and organisations, essential requirements should be set out for such products. When the products are subsequently modified, by physical or digital means, in a way that is not foreseen by the manufacturer and that may imply that they no longer meet the relevant essential requirements, the modification should be considered as substantial. For example, software updates or repairs such as minor adjustment of the source code that can improve the security and functioning, could be assimilated to maintenance operations provided that they do not modify a product already placed on the market in such a way that compliance with the applicable requirements may be affected, or that the intended use for which the product has been assessed may be changed. As is the case for physical repairs or modifications, a product with digital elements should be considered as substantially modified by a software change where the software update modifies the original intended functions, type or performance of the product and these changes were not foreseen in the initial risk assessment, or the nature of the hazard has changed or the level of risk has increased because of the software update.
Amendment 152
Proposal for a regulation
Recital 24 a (new)
(24a) Manufacturers of products with digital elements should ensure that software updates are provided in a clear and transparent way and clearly differentiate between security and functionality updates. Whilst security updates are designed to decrease the level of risk of a product with digital elements, the uptake of functionality updates provided by the manufacturer should always remain a user choice. Manufacturers should therefore provide these updates separately, unless technically unfeasible. Manufacturers should provide consumers with adequate information on the reasons behind each update and its foreseen impact on the product, as well as a clear and easy-to-use opt-out mechanism.
Amendment 154
Proposal for a regulation
Recital 25
(25) Products with digital elements should be considered critical if the negative impact of the exploitation of potential cybersecurity vulnerabilities in the product can be severe due to, amongst others, the cybersecurity-related functionality, or the intended use or the size of market penetration of a particular product. In particular, vulnerabilities in products with digital elements that have a cybersecurity-related functionality, such as secure elements, can lead to a propagation of security issues throughout the supply chain or society. The severity of the impact of a cybersecurity incident may also increase when taking into account the intended use of the product, such as in an industrial setting or in the context of an essential entity of the type referred to in Annex [Annex I] to Directive [Directive XXX/ XXXX (NIS2)], or for the performance of critical or sensitive functions impacting health, safety or fundamental rights.
Amendment 158
Proposal for a regulation
Recital 28
(28) This Regulation addresses cybersecurity risks in a targeted manner. Products with digital elements might, however, pose other safety risks, that are not always related to cybersecurity but can be a consequence of a security breach. Those risks should continue to be regulated by other relevant Union product legislation as a rule if a higher level of protection is conferred. If not, safety risks in connection with the cybersecurity functions of products with digital elements should fall within the scope of this Regulation. If no other Union harmonisation legislation is applicable, they should be subject to Regulation [General Product Safety Regulation]. Therefore, in light of the targeted nature of this Regulation, as a derogation from Article 2(1), third subparagraph, point (b), of Regulation [General Product Safety Regulation], Chapter III, Section 1, Chapters V and VII, and Chapters IX to XI of Regulation [General Product Safety Regulation] should apply to products with digital elements with respect to safety risks not covered by this Regulation, if those products are not subject to specific requirements imposed by other Union harmonisation legislation within the meaning of [Article 3, point (25) of the General Product Safety Regulation].
Amendment 159
Proposal for a regulation
Recital 30
Amendment 160
Proposal for a regulation
Recital 31
(31) Regulation [European Health Data Space Regulation proposal] complements the essential requirements laid down in this Regulation. The electronic health record systems (‘EHR systems’) falling under the scope of Regulation [European Health Data Space Regulation proposal] which are products with digital elements within the meaning of this Regulation should therefore also comply with the essential requirements set out in this Regulation, and their manufacturers should demonstrate conformity as required by this Regulation. To facilitate compliance, manufacturers may draw up a single technical documentation containing the elements required by both legal acts. As this Regulation does not cover SaaS as such, EHR systems offered through the SaaS licensing and delivery model are not within the scope of this Regulation. Similarly, EHR systems that are developed and used in-house are not within the scope of this Regulation, as they are not placed on the market.
Amendment 163
Proposal for a regulation
Recital 32 a (new)
(32a) In order to ensure the products are designed, developed and produced in line with the essential requirements foreseen in Section 1 of Annex I, manufacturers should exercise due diligence when integrating components sourced from third parties in products with digital elements. Given that such components are tailored to and integrated taking into account the specificities of the product, in particular in the case of free and open source software that has not been placed on the market in exchange for financial or other types of monetisation, the manufacturer of the product shall be responsible for ensuring its compliance.
Amendment 166
Proposal for a regulation
Recital 35
(35) Manufacturers should also report to ENISA any incident having an impact on the security of the product with digital elements. Notwithstanding the incident reporting obligations in Directive [Directive XXX/XXXX (NIS2)] for essential and important entities, it is crucial for ENISA, the single points of contact designated by the Member States in accordance with Article [Article X] of Directive [Directive XXX/XXXX (NIS2)] and the market surveillance authorities to receive information from the manufacturers of products with digital elements allowing them to assess the security of these products. In order to ensure that users can react quickly to incidents having an impact on the security of their products with digital elements, manufacturers should also inform their users about any such incident and, where applicable, about any corrective measures that the users can deploy to mitigate the impact of the incident, for example by publishing relevant information on their websites or, where the manufacturer is able to contact the users and where justified by the risks, by reaching out to the users directly. Manufacturers that identify a vulnerability in a component integrated in a product with digital elements, including in a free and open source component, should report the vulnerability to the person or entity maintaining the component together with the corrective measure taken, and provide the corresponding code under a free and open source licence.
Amendment 181
Proposal for a regulation
Recital 45
(45) As a general rule, the requirements for the conformity assessment of products with digital elements should be risk-based and, in that regard, in many cases the assessment could be carried out by the manufacturer under its own responsibility following the procedure based on Module A of Decision 768/2008/EC. The manufacturer should retain flexibility to choose a stricter conformity assessment procedure involving a third party. If the product is classified as a critical product of class I, additional assurance is required to demonstrate conformity with the essential requirements set out in this Regulation. The manufacturer should apply harmonised standards, common specifications or cybersecurity certification schemes under Regulation (EU) 2019/881 which have been identified by the Commission in an implementing act, if it wants to carry out the conformity assessment under its own responsibility (module A). If the manufacturer does not apply such harmonised standards, common specifications or cybersecurity certification schemes, the manufacturer should undergo conformity assessment involving a third party. Taking into account the administrative burden on manufacturers and the fact that cybersecurity plays an important role in the design and development phase of tangible and intangible products with digital elements, conformity assessment procedures respectively based on modules B+C or module H of Decision 768/2008/EC have been chosen as most appropriate for assessing the compliance of critical products with digital elements in a proportionate and effective manner. The manufacturer that carries out the third-party conformity assessment can choose the procedure that best suits its design and production process. Given the even greater cybersecurity risk linked with the use of products classified as critical class II products, the conformity assessment should always involve a third party.
Amendment 197
Proposal for a regulation
Recital 69
(69) Economic operators should be provided with a sufficient time to adapt to the requirements of this Regulation. This Regulation should apply [124 months] from its entry into force, with the exception of the reporting obligations concerning actively exploited vulnerabilities and incidents, which should apply [12 months] from the entry into force of this Regulation.
Amendment 204
Proposal for a regulation
Article 1 – paragraph 1 – point d
(d) rules on market monitoring, market surveillance and enforcement of the above-mentioned rules and requirements.
Amendment 212
Proposal for a regulation
Article 2 – paragraph 3 a (new)
3a. This Regulation shall not apply to software provided under free and open-source licences, including its source code and modified versions, except when such software is provided as a paid or monetised product. The compliance of free and open-source components of products shall be ensured by the manufacturer of the product.
Amendment 220
Proposal for a regulation
Article 3 – paragraph 1 – point 1
(1) ‘product with digital elements’ means any software or hardware product and its ancillary services, including remote data processing solutions, and software or hardware components to be placed on the market separately;
Amendment 232
Proposal for a regulation
Article 3 – paragraph 1 – point 18
(18) ‘manufacturer’ means any natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under his or her name or trademark, whether for payment or free of monetisation;
Amendment 250
Proposal for a regulation
Article 4 – paragraph 2
2. At trade fairs, exhibitions and demonstrations or similar events, Member States shall not prevent the presentation and use of a prototype product with digital elements or a software, which does not comply with this Regulation, provided that the availability is limited in time and geographical area and is supplied exclusively for testing.
Amendment 251
Proposal for a regulation
Article 4 – paragraph 3
Amendment 255
Proposal for a regulation
Article 5 – paragraph 1 – point 1
(1) they meet the essential requirements set out in Section 1 of Annex I, under the condition that they are properly installed, maintained, used for their intended purpose or under conditions which can reasonably be foreseen, and, where applicable, provided with the necessary security and functionality updates, and
Amendment 262
Proposal for a regulation
Article 6 – paragraph 3
3. The Commission is empowered to adopt a delegated act in accordance with Article 50 to supplement this Regulation by specifying the definitions of the product categories under class I and class II as set out in Annex III. The delegated act shall be adopted [by 126 months since the entry into force of this Regulation].
Amendment 263
Proposal for a regulation
Article 6 – paragraph 4
4. Critical products with digital elements shall be subject to the conformity assessment procedures referred to in Article 24(2) and (3). By exception, small and micro enterprises can use the procedure referred to in Article 24(2).
Amendment 272
Proposal for a regulation
Article 10 – paragraph 4
4. For the purposes of complying with the obligation laid down in paragraph 1, manufacturers shall exercise due diligence when integrating components sourced from third parties in products with digital elements. It falls upon the manufacturer to ensure that such components do not compromise the security of the product with digital elements, in particular in the case of open source software that has not been placed on the market in exchange for financial or other types of monetisation, including data returns. The due diligence obligation can be considered fulfilled if all components have already been deemed compliant and the CE mark has been affixed to them as appropriate.
Amendment 275
Proposal for a regulation
Article 10 – paragraph 6 – subparagraph 1
When placing a product with digital elements on the market, and for a period of at least five years or the expected product lifetime, whichever is longer, manufacturers shall ensure that vulnerabilities of that product are handled effectively and in accordance with the essential requirements set out in Section 2 of Annex I. In the case of small and micro enterprises this obligation and the obligation foreseen in Article 10(12) are limited to the expected product lifetime as determined by the manufacturer, taking into account the reasonable expectations of consumers regarding the functionality and intended purpose of the product, and the provision of security and functionality updates. In any case, the end users must be informed, before purchase, of the minimal duration for which a product will benefit from security updates. Manufacturers shall have appropriate policies and procedures, including coordinated vulnerability disclosure policies, referred to in Section 2, point (5), of Annex I, to process and remediate potential vulnerabilities in the product with digital elements reported from internal or external sources. Those procedures shall differentiate between security updates that provide devices with enhanced security, including security patches, and corrective or functionality updates that provide corrective or new functionalities, including corrective patches, establishing that these updates should be provided separately, unless it is clearly demonstrated that this is not technically possible. The end user shall always retain the possibility to revert to a previous version of functionality updates.
Amendment 286
Proposal for a regulation
Article 10 – paragraph 8
8. Manufacturers shall keep the technical documentation and the EU declaration of conformity, where relevant, at the disposal of the market surveillance authorities for at least ten years after the product with digital elements has been placed on the market.
Amendment 291
Proposal for a regulation
Article 10 – paragraph 9 a (new)
9a. Manufacturers shall publicly communicate and advertise the expected product lifetime of their products, in a clear and understandable manner, and in particular, the minimal duration of the provision of security updates.
Amendment 298
Proposal for a regulation
Article 10 – paragraph 12
12. From the placing on the market and for a period of at least five years or for the expected product lifetime, whichever is longer, manufacturers who know or have reason to believe that the product with digital elements or the processes put in place by the manufacturer are not in conformity with the essential requirements set out in Annex I shall immediately take the corrective measures necessary to bring that product with digital elements or the manufacturer’s processes into conformity, to withdraw or to recall the product, as appropriate.
Amendment 301
Proposal for a regulation
Article 10 – paragraph 15
15. The Commission may, by means of delegated acts, specify the format and elements of the software bill of materials set out in Section 2, point (1), of Annex I. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 51(2).
Amendment 308
Proposal for a regulation
Article 11 – paragraph 1
1. The manufacturer shall, without undue delay and in any event within 24 hours of becoming aware of it, notify to ENISA any actively exploited vulnerability contained in the product with digital elements. The notification shall include details concerning that vulnerability and, where applicable, any corrective or mitigating measures taken and the recommended risk mitigation measures. ENISA shall, without undue delay, unless for justified cybersecurity risk-related grounds, forward the notification to the CSIRT designated for the purposes of coordinated vulnerability disclosure in accordance with Article [Article X] of Directive [Directive XXX/XXXX (NIS2)] of the Member States concerned upon receipt and inform the market surveillance authority about the existence of a vulnerability and, where applicable, the potential risk mitigation measures.
Amendment 327
Proposal for a regulation
Article 11 – paragraph 4
4. The manufacturer shall inform, without undue delay and after becoming aware, the users of the product with digital elements about the incident and, where necessary, about risk mitigation and any corrective measures that the user can deploy to mitigate the impact of the incident.
Amendment 335
Proposal for a regulation
Article 11 – paragraph 7
7. Manufacturers shall, upon identifying a vulnerability in a component, including in an open source component, which is integrated in the product with digital elements, report the vulnerability and the corrective or mitigating measure taken, to the person or entity maintaining the component. Such corrective or mitigating measures shall be accompanied by the relevant code and appropriate licenses that allow the deployment. This does not release the manufacturer from the obligation to maintain the compliance of the product with the requirements of this regulation, nor does it create obligations for the developers of free and open source components that have no contractual relation to the said manufacturer.
Amendment 338
Proposal for a regulation
Article 11 a (new)
Article 11a
Single point of contact for users
1. Manufacturers shall designate a single point of contact to enable users to communicate directly and rapidly with them, where applicable by electronic means and in a user-friendly manner, including by allowing recipients of the service to choose the means of communication, which shall not solely rely on automated tools.
2. In addition to the obligations provided under Directive 2000/31/EC, manufacturers shall make public the information necessary for the end users in order to easily identify and communicate with their single points of contact. That information shall be easily accessible and shall be kept up to date.
Amendment 342
Proposal for a regulation
Article 13 – paragraph 2 – point c a (new)
(ca) all the documents proving the fulfilment of the requirements set in this article have been received from the manufacturer and are available for inspection.
Amendment 344
Proposal for a regulation
Article 13 – paragraph 6 – subparagraph 1
Importers who know or have reason to believe that a product with digital elements, which they have placed on the market, or the processes put in place by its manufacturer, are not in conformity with the essential requirements set out in Annex I shall immediately take the corrective measures necessary to bring that product with digital elements or the processes put in place by its manufacturer into conformity with the essential requirements set out in Annex I, or to withdraw or recall the product, if appropriate. Based on a risk assessment, distributors and end users shall be timely informed of the lack of compliance and the risk mitigation measures they can take.
Amendment 350
Proposal for a regulation
Article 14 – paragraph 2 – point b a (new)
(ba) they have received from the importer all the information and documentation required by this regulation.
Amendment 356
Proposal for a regulation
Article 16 – paragraph 1
A natural or legal person, other than the manufacturer, the importer or the distributor, that carries out a substantial modification of the product with digital elements and makes the product available on the market, shall be considered a manufacturer for the purposes of this Regulation.
Amendment 361
Proposal for a regulation
Article 17 – paragraph 1 – introductory part
1. Economic operators shall, on request and where the information is available, provide to the market surveillance authorities the following information:
Amendment 372
Proposal for a regulation
Article 23 – paragraph 2
2. The technical documentation shall be drawn up before the product with digital elements is placed on the market and shall be continuously updated, where appropriate, during the expected product lifetime or during a period of five years after the placing on the market of a product with digital elements, whichever is longer.
Amendment 375
Proposal for a regulation
Article 24 – paragraph 1 – point c a (new)
(ca) a European cybersecurity certification scheme adopted as per Regulation (EU) 2019/881 in accordance with paragraph 4 of Article 18.
Amendment 377
Proposal for a regulation
Article 24 – paragraph 2 – point b a (new)
(ba) where applicable, a European cybersecurity certification scheme at assurance level ‘substantial’ or ‘high’ pursuant to Regulation (EU) 2019/881.
Amendment 379
Proposal for a regulation
Article 24 – paragraph 3 – introductory part
3. Where the product is a critical product with digital elements of class II as set out in Annex III, the manufacturer or the manufacturer’s authorised representative shall demonstrate conformity with the essential requirements set out in Annex I by obtaining a European cybersecurity certificate under a European cybersecurity certification scheme at assurance level ‘high’ pursuant to Regulation (EU) 2019/881. Where such European cybersecurity certification schemes do not exist or only cover parts of the critical product with digital elements, the concerned critical product and the processes put in place by the manufacturer shall demonstrate those essential requirements by using one of the following procedures:
Amendment 381
Proposal for a regulation
Article 24 – paragraph 3 a (new)
3a. In accordance with Article 48 of Regulation (EU) 2019/881, the Commission shall request ENISA to prepare the missing candidate schemes with the view of fully covering all the products listed in Annex III.
Amendment 382
Proposal for a regulation
Article 24 – paragraph 5
5. Notified bodies shall take into account the specific interests and needs of micro, small and medium sized enterprises (SMEs) when setting the fees for conformity assessment procedures and reduce those fees proportionately to their specific interests and needs. The Commission shall take appropriate measures to ensure more accessible and affordable procedures, such as establishing a framework for providing appropriate financial support and guidance for the notified bodies.
Amendment 386 #
Proposal for a regulation
Article 25 – paragraph 1
Member States shall notify the Commission and the other Member States of conformity assessment bodies authorised to carry out conformity assessments in accordance with this Regulation. Member States and the Commission shall put in place appropriate measures to ensure sufficient availability of skilled professionals, in order to minimise bottlenecks in the activities pursuant to Articles 26 to 31.
Amendment 391 #
Proposal for a regulation
Article 29 – paragraph 12
12. Conformity assessment bodies shall operate in accordance with a set of consistent, fair and reasonable terms and conditions, in particular taking into account the interests of micro, small and medium enterprises in relation to fees.
Amendment 395 #
3. Where relevant, the market surveillance authorities shall cooperate with the national cybersecurity certification authorities designated under Article 58 of Regulation (EU) 2019/881 and exchange information on a regular basis. With respect to the supervision of the implementation of the reporting obligations pursuant to Article 11 of this Regulation, the designated market surveillance authorities shall cooperate with ENISA.
Amendment 397 #
Proposal for a regulation
Article 41 – paragraph 3 a (new)
3a. With respect to the supervision of the implementation of the reporting obligations pursuant to Article 11 of this Regulation, the designated market surveillance authorities shall cooperate with ENISA. The market surveillance authorities may request ENISA to provide technical advice on matters related to the implementation and enforcement of this Regulation. When conducting an investigation under Article 43, market surveillance authorities may request ENISA to provide non-binding evaluations of compliance of products with digital elements.
Amendment 404 #
Proposal for a regulation
Article 41 – paragraph 11 a (new)
11a. Market surveillance authorities shall facilitate the active participation of stakeholders in market surveillance activities, including scientific, research and consumer organisations, by establishing a clear and accessible mechanism to facilitate the voluntary reporting of vulnerabilities, incidents, and cyber threats.
Amendment 405 #
Proposal for a regulation
Article 41 a (new)
Amendment 412 #
Proposal for a regulation
Article 43 – paragraph 1 – subparagraph 2
Where, in the course of that evaluation, the market surveillance authority finds that the product with digital elements does not comply with the requirements laid down in this Regulation, it shall without delay require the relevant economic operator to take all appropriate corrective actions to bring the product into compliance with those requirements, to withdraw it from the market, or to recall it within an adequate period, commensurate with the nature of the risk, as it may prescribe.
Amendment 419 #
Proposal for a regulation
Article 45 – paragraph 1
1. Where the Commission has sufficient reasons to consider, including based on information provided by ENISA, that a product with digital elements that presents a significant cybersecurity risk is non-compliant with the requirements laid down in this Regulation, it shall request the relevant market surveillance authorities to carry out an evaluation of compliance and follow the procedures referred to in Article 43.
Amendment 422 #
Proposal for a regulation
Article 45 – paragraph 2
2. In exceptional circumstances which justify an immediate intervention to preserve the good functioning of the internal market and where the Commission has sufficient reasons to consider that the product referred to in paragraph 1 remains non-compliant with the requirements laid down in this Regulation and no effective measures have been taken by the relevant market surveillance authorities, the Commission shall request ENISA to carry out an evaluation of compliance. The Commission shall inform the relevant market surveillance authorities accordingly. The relevant economic operators shall cooperate as necessary with ENISA.
Amendment 424 #
Proposal for a regulation
Article 46 – paragraph 1
1. Where, having performed an evaluation under Article 43, the market surveillance authority of a Member State finds that although a product with digital elements and the processes put in place by the manufacturer are in compliance with this Regulation, they present a significant cybersecurity risk and, in addition, they pose a risk to the health or safety of persons, to the compliance with obligations under Union or national law intended to protect fundamental rights, the availability, authenticity, integrity or confidentiality of services offered using an electronic information system by essential entities of the type referred to in [Annex I to Directive XXX / XXXX (NIS2)] or to other aspects of public interest protection, it shall require the relevant economic operator to take all appropriate measures to ensure that the product with digital elements and the processes put in place by the manufacturer concerned, when placed on the market, no longer present that risk, to withdraw the product with digital elements from the market or to recall it within an adequate period, commensurate with the nature of the risk.
Amendment 425 #
Proposal for a regulation
Article 46 – paragraph 2
2. The manufacturer or other relevant economic operators shall ensure that corrective action is taken in respect of the products with digital elements concerned that they have made available on the market throughout the Union within the timeline established by the market surveillance authority of the Member State referred to in paragraph 1.
Amendment 426 #
Proposal for a regulation
Article 46 – paragraph 6
6. Where the Commission has sufficient reasons to consider, including based on information provided by ENISA, that a product with digital elements, although compliant with this Regulation, presents the risks referred to in paragraph 1, it shall request the relevant market surveillance authority or authorities to carry out an evaluation of compliance and follow the procedures referred to in Article 43 and paragraphs 1, 2 and 3 of this Article.
Amendment 427 #
Proposal for a regulation
Article 46 – paragraph 7
7. In exceptional circumstances which justify an immediate intervention to preserve the good functioning of the internal market and where the Commission has sufficient reasons to consider that the product referred to in paragraph 6 continues to present the risks referred to in paragraph 1 and no effective measures have been taken by the relevant national market surveillance authorities, the Commission shall request ENISA to carry out an evaluation of the risks presented by that product and shall inform the relevant market surveillance authorities accordingly. The relevant economic operators shall cooperate as necessary with ENISA.
Amendment 428 #
Proposal for a regulation
Article 46 – paragraph 8
8. Based on ENISA’s evaluation referred to in paragraph 7, the Commission shall establish that a corrective or restrictive measure is necessary at Union level. To this end, it shall without delay consult the Member States concerned and the relevant operator or operators.
Amendment 429 #
Proposal for a regulation
Article 48 – paragraph 2
2. The Commission or ENISA shall propose joint activities for checking compliance with this Regulation to be conducted by market surveillance authorities based on indications or information of potential non-compliance across several Member States of products falling in the scope of this Regulation with the requirements laid down by the latter.
Amendment 430 #
Proposal for a regulation
Article 49 – paragraph 1
1. Market surveillance authorities shall regularly decide to conduct simultaneous coordinated control actions (“sweeps”) of particular products with digital elements or categories thereof to check compliance with or to detect infringements to this Regulation.
Amendment 431 #
Proposal for a regulation
Article 49 – paragraph 2
2. Unless otherwise agreed upon by the market surveillance authorities involved, sweeps shall be coordinated by the Commission. The coordinator of the sweep shall, where appropriate, make the aggregated results publicly available.
Amendment 432 #
Proposal for a regulation
Article 49 – paragraph 3
3. ENISA shall identify, in the performance of its tasks, including based on the notifications received according to Article 11(1) and (2), categories of products for which sweeps shall be organised. The proposal for sweeps shall be submitted to the potential coordinator referred to in paragraph 2 for the consideration of the market surveillance authorities.
Amendment 433 #
Proposal for a regulation
Article 49 – paragraph 4
4. When conducting sweeps, the market surveillance authorities involved shall use the investigation powers set out in Articles 41 to 47 and any other powers conferred upon them by national law.
Amendment 434 #
Proposal for a regulation
Article 49 – paragraph 5
5. Market surveillance authorities shall invite Commission officials, and other accompanying persons authorised by the Commission, to participate in sweeps.
Amendment 443 #
Proposal for a regulation
Article 52 – paragraph 1 – point a
(a) intellectual property rights, and confidential business information or trade secrets of a natural or legal person, including source code, except the cases referred to in Article 5 of or trade secrets in line with Directive 2016/943 of the European Parliament and of the Council [36];
[36] Directive (EU) 2016/943 of the European Parliament and of the Council of 8 June 2016 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure (OJ L 157, 15.6.2016, p. 1).
Amendment 447 #
Proposal for a regulation
Article 53 – paragraph 6 – point c
(c) the size and market share of the operator committing the infringement, taking into account the scale of risks, consequences and financial specificities of micro, small and medium-sized enterprises.
Amendment 453 #
Proposal for a regulation
Article 57 – paragraph 2
It shall apply from [24 months after the date of entry into force of this Regulation]. However, Article 11 shall apply from [12 months after the date of entry into force of this Regulation].
Amendment 467 #
Proposal for a regulation
Annex I – Part 1 – point 3 – point a a (new)
(aa) be placed on the market with functional separation of security updates from functionality updates, to allow automatic installation of security updates, with a clear and easy-to-use opt-out mechanism, and preserve user choice on functionalities unless technically unfeasible.
Amendment 471 #
Proposal for a regulation
Annex I – Part 1 – point 3 – point c
(c) protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state-of-the-art mechanisms, and by using other technical means;
Amendment 472 #
Proposal for a regulation
Annex I – Part 1 – point 3 – point d
(d) protect the integrity of stored, transmitted or otherwise processed data, personal or other, commands, programs and configuration against any manipulation or modification not authorised by the user, as well as report on corruptions or possible unauthorised access;
Amendment 474 #
Proposal for a regulation
Annex I – Part 1 – point 3 – point f
(f) protect the availability of essential and basic functions, including the resilience against and mitigation of denial of service attacks;
Amendment 475 #
Proposal for a regulation
Annex I – Part 1 – point 3 – point j
(j) provide security-related information by providing at user request recording and/or monitoring capabilities, locally and at device level for relevant internal activity, including the access to or modification of data, services or functions;
Amendment 477 #
Proposal for a regulation
Annex I – Part 1 – point 3 – point k
(k) ensure that vulnerabilities can be addressed through security updates, including, where applicable, through dedicated security updates and the notification of available updates to users.
Amendment 478 #
Proposal for a regulation
Annex I – Part 1 – point 3 – point k a (new)
(ka) be designed, developed and produced in order to allow for its secure discontinuation and potential recycling when reaching the end of the life cycle, including by allowing users to securely withdraw and remove all data on a permanent basis.
Amendment 485 #
Proposal for a regulation
Annex I – Part 2 – paragraph 1 – point 4
(4) once a security update has been made available, publicly disclose information about fixed vulnerabilities, including a description of the vulnerabilities, information allowing users to identify the product with digital elements affected, the impacts of the vulnerabilities, their severity and clear and accessible information helping users to remediate the vulnerabilities;
Amendment 486 #
Proposal for a regulation
Annex I – Part 2 – paragraph 1 – point 7
(7) provide for mechanisms to securely distribute security updates for products with digital elements to ensure that exploitable vulnerabilities are fixed or mitigated in a timely manner;
Amendment 490 #
Proposal for a regulation
Annex II – paragraph 1 – point 2
2. the single point of contact where information about cybersecurity vulnerabilities of the product can be reported and received;
Amendment 494 #
Proposal for a regulation
Annex II – paragraph 1 – point 6
6. if and, where applicable, where the software bill of materials can be accessed by the competent authorities;
Amendment 496 #
Proposal for a regulation
Annex II – paragraph 1 – point 9 – point c a (new)
(ca) the expected product lifetime and until when the manufacturer ensures the effective handling of vulnerabilities and provision of security updates.
Amendment 498 #
Proposal for a regulation
Annex III – Part I – point 3 a (new)
3a. Authentication, Authorization and Accounting (AAA) platforms.
Amendment 501 #
Proposal for a regulation
Annex III – Part I – point 15
15. Physical and virtual network interfaces;
Amendment 506 #
Proposal for a regulation
Annex III – Part I – point 18
Amendment 514 #
Proposal for a regulation
Annex III – Part I – point 23
23. Industrial products with digital elements that can be referred to as part of the Internet of Things not covered by class II.
Amendment 534 #
Proposal for a regulation
Annex III – Part II – point 4
4. Firewalls, security gateways, intrusion detection and/or prevention systems intended for industrial use;
Amendment 538 #
Proposal for a regulation
Annex III – Part II – point 7
7. Routers, modems intended for the connection to the internet, and switches, and other network nodes that are necessary for the provision of the connectivity service;
Amendment 540 #
15a. Smart home products, including smart home servers and virtual assistants;
Amendment 541 #
Proposal for a regulation
Annex III – Part II – point 15 b (new)
15b. Smart security devices, including smart door locks, cameras and alarm systems;
Amendment 542 #
Proposal for a regulation
Annex III – Part II – point 15 c (new)
15c. Smart toys and similar devices likely to interact with children;
Amendment 543 #
Proposal for a regulation
Annex III – Part II – point 15 d (new)
15d. Personal health appliances and wearables.