Activities of Brando BENIFEI related to 2022/0272(COD)
Plenary speeches (1)
Horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020 (A9-0253/2023 - Nicola Danti) (vote)
Amendments (32)
Amendment 63 #
Proposal for a regulation
Recital 10
Recital 10
(10) In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributableSoftware and data that are openly shared and where users can freely access, use, modify and redistribute them or modified versions thereof, can contribute to research and innovation in the market. Research by the Commission also shows that free and open-source software can contribute between €65 billion to €95 billion to the Union’s GDP and that it can provide significant growth opportunities for the European economy. In order not to hamper innovation or research, only free and open-source software supplied in the course of a commercial activity should be covered by this Regulation. In the context of software, a commercial activity might be characterized not only by charging a price for a product, but also by charging a price for technical support services when this does not serve only the recuperation of actual costs or pursues a profit or the intention to monetise, by providing a software platform through which the manufacturer monetises other services, or by the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software. Neither the collaborative development of free and open-source software components nor making them available on open repositories should constitute a placing on the market or putting into service. The circumstances under which the product has been developed, or how the development has been financed should not be taken into account when determining the commercial or non-commercial nature of that activity.
Amendment 68 #
Proposal for a regulation
Recital 10 a (new)
Recital 10 a (new)
(10 a) Free and open-source software is developed, maintained, and distributed via online platforms. In contrast to app stores that make products available, these entities play an important research and development role. As such, package managers, code hosting, and collaboration platforms do not make software products available on the market as distributors within this Regulation.
Amendment 73 #
Proposal for a regulation
Recital 16 a (new)
Recital 16 a (new)
(16 a) Without prejudice to the rules set out in Directive 85/374/EEC, manufacturers should also be liable for the damages suffered by consumers that are caused by their infringement of the legal obligations and cybersecurity requirements set out in this Regulation. Such compensation should be in accordance with the rules and procedures set out in the applicable national law and without prejudice to other possibilities for redress available under consumer protection rules.
Amendment 83 #
Proposal for a regulation
Recital 24 a (new)
Recital 24 a (new)
(24 a) Manufacturers should clearly differentiate between security and functionality updates, and ensure that they are provided separately in a clear and transparent way. Manufacturers should therefore provide these updates separately, unless technically unfeasible. Manufacturers should provide consumers with adequate information on the motive behind each update and its foreseen impact on the product, as well as a clear and easy-to-use opt-out mechanism.
Amendment 85 #
Proposal for a regulation
Recital 25
Recital 25
(25) Products with digital elements should be considered critical if the negative impact of the exploitation of potential cybersecurity vulnerabilities in the product can be severe due to, amongst others, the cybersecurity-related functionality, or the intended use or the reasonably foreseen misuse caused by a cyberattack. In particular, vulnerabilities in products with digital elements that have a cybersecurity- related functionality, such as secure elements, can lead to a propagation of security issues throughout the supply chain. The severity of the impact of a cybersecurity incident may also increase when taking into account the intended use of the product, such as in an industrial setting or in the context of an essential entity of the type referred to in Annex [Annex I] to Directive [Directive XXX/ XXXX (NIS2)], or for the performance of critical or sensitive functions, such as processing of personal data.
Amendment 88 #
Proposal for a regulation
Recital 28
Recital 28
(28) This Regulation addresses cybersecurity risks in a targeted manner. Products with digital elements might, however, pose other safety risks, that, including other risks related to their intended use or reasonably foreseen misuse of products with digital elements caused by a cyberattack. Therefore, safety risks related to the cybersecurity functions of products with digital elements shall fall within the scope of this Regulation. Other risks which are not related to cybersecurity. Those risks should continue to be regulated by other relevant Union product legislation. If no other Union harmonisation legislation is applicable, they should be subject to Regulation [General Product Safety Regulation]. Therefore, in light of the targeted nature of this Regulation, as a derogation from Article 2(1), third subparagraph, point (b), of Regulation [General Product Safety Regulation], Chapter III, Section 1, Chapters V and VII, and Chapters IX to XI of Regulation [General Product Safety Regulation] should apply to products with digital elements with respect to safety risks not covered by this Regulation, if those products are not subject to specific requirements imposed by other Union harmonisation legislation within the meaning of [Article 3, point (25) of the General Product Safety Regulation].
Amendment 91 #
Proposal for a regulation
Recital 30
Recital 30
(30) The machinery products falling within the scope of Regulation [Machinery Regulation proposal] which are products with digital elements within the meaning of this Regulation and for which a declaration of conformity has been issued on the basis of this Regulation should be deemed to be in conformity with the essential health and safety requirements set out in [Annex III, sections 1.1.9 and 1.2.1] of the Regulation [Machinery Regulation proposal], as regards protection against corruption and safety and reliability of control systems in so far as the compliance with those requirements is demonstrated by the EU declaration of conformity issued under this Regulation without prejudice to products with digital elements, which are also machinery products that fall within the categories listed in Annex I of Regulation [Machinery Regulation proposal], being subject to the specific conformity assessment procedure as required by Article 21(2) and (3) of Regulation [Machinery Regulation proposal].
Amendment 101 #
Proposal for a regulation
Recital 38
Recital 38
(38) In order to facilitate assessment of conformity with the requirements laid down by this Regulation, there should be a presumption of conformity for products with digital elements which are in conformity with harmonised standards, which translate the essential requirements of this Regulation into detailed technical specifications, and which are adopted in accordance with Regulation (EU) No 1025/2012 of the European Parliament and of the Council29 . Regulation (EU) No 1025/2012 provides for a procedure for objections to harmonised standards where those standards do not entirely satisfy the requirements of this Regulation. The standardisation process should ensure a balanced representation of interests and effective participation of civil society stakeholders, including consumer organisations. __________________ 29 Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council Decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12).
Amendment 104 #
Proposal for a regulation
Recital 56 a (new)
Recital 56 a (new)
(56 a) In order for SMEs to be able to cope with the new obligations imposed by this Regulation, the Commission should provide them with relevant guidelines.
Amendment 111 #
Proposal for a regulation
Article 1 – paragraph 1 – introductory part
Article 1 – paragraph 1 – introductory part
The objective of this Regulation is to provide for a high level of consumer protection by protecting the confidentiality, integrity and availability of information in products with digital elements. This Regulation lays down:
Amendment 127 #
Proposal for a regulation
Article 3 – paragraph 1 – point 4 a (new)
Article 3 – paragraph 1 – point 4 a (new)
(4 a) ‘consumer’ means any natural person who, under the circumstances regulated by this Regulation, is acting for purposes which are outside their trade, business, craft or profession;
Amendment 134 #
Proposal for a regulation
Article 3 – paragraph 1 – point 23 a (new)
Article 3 – paragraph 1 – point 23 a (new)
(23 a) ‘recall’ means recall as defined in Article 3, point (22) of Regulation (EU) 2019/1020;
Amendment 143 #
Proposal for a regulation
Article 4 – paragraph 2
Article 4 – paragraph 2
2. At trade fairs, exhibitions and demonstrations or similar events, Member States shall not prevent the presentation and use of a product with digital elements which does not comply with this Regulation provided that the product is used exclusively for exhibition purposes within the course of such event and that a visible sign clearly indicates that it does not comply with this Regulation.
Amendment 150 #
Proposal for a regulation
Article 5 – paragraph 1 – point 1
Article 5 – paragraph 1 – point 1
(1) they meet the essential requirements set out in Section 1 of Annex I, under the condition that they are properly installed, maintained, used for their intended purpose or under conditions which can reasonably be foreseen, and, where applicable,provided with the necessary security and functionality updateds, and
Amendment 156 #
Proposal for a regulation
Article 6 – paragraph 3
Article 6 – paragraph 3
3. The Commission is empowered to adopt a delegated act in accordance with Article 50 to supplement this Regulation by specifying the definitions of the product categories under class I and class II as set out in Annex III. The delegated act shall be adopted [by 126 months since the entry into force of this Regulation].
Amendment 170 #
Proposal for a regulation
Article 9 – paragraph 1 a (new)
Article 9 – paragraph 1 a (new)
By derogation from paragraph 1, products with digital elements which are also machinery products that fall within the categories listed in Annex I of Regulation [Machinery Regulation proposal], shall be subject to the specific conformity assessment procedures as required by Article 21(2) and (3) of Regulation [Machinery Regulation proposal].
Amendment 174 #
Proposal for a regulation
Article 10 – paragraph 3
Article 10 – paragraph 3
3. When placing a product with digital elements on the market, the manufacturer shall include a cybersecurity risk assessment in the technical documentation as set out in Article 23 and Annex V in a manner suitable for distribution of that component and which does not limit the options for further making available of the component. For products with digital elements referred to in Articles 8 and 24(4) that are also subject to other Union acts, the cybersecurity risk assessment may be part of the risk assessment required by those respective Union acts. Where certain essential requirements are not applicable to the marketed product with digital elements, the manufacturer shall include a clear justification in that documentation.
Amendment 187 #
Proposal for a regulation
Article 10 – paragraph 12
Article 10 – paragraph 12
12. From the placing on the market and for the expected product lifetime or for a period of five years after the placing on the market of a product with digital elements, whichever is shorter, manufacturers who know or have reason to believe that the product with digital elements or the processes put in place by the manufacturer are not in conformity with the essential requirements set out in Annex I shall immediately take the corrective measures necessary to bring that product with digital elements or the manufacturer’s processes into conformity, to withdraw or to recall the product, as appropriate.
Amendment 191 #
Proposal for a regulation
Article 10 – paragraph 15 a (new)
Article 10 – paragraph 15 a (new)
15 a. Manufacturers shall make publicly available communication channels such as a telephone number, electronic address or dedicated section of their website, taking into account accessibility needs for persons with disabilities, enabling users of products with digital elements to submit complaints electronically and free of charge.
Amendment 201 #
Proposal for a regulation
Article 11 – paragraph 4
Article 11 – paragraph 4
4. The manufacturer shall inform, without undue delay and after becoming aware, the users of the product with digital elements about the incident and, where necessary, about corrective measures that the user can deploy to mitigate the impact of the incident, and provide them with technical information on the exploited vulnerability, concerned data and potential damage.
Amendment 214 #
Proposal for a regulation
Article 16 – paragraph 1
Article 16 – paragraph 1
A natural or legal person, other than the manufacturer, the importer or the distributor, that carries out a substantial modification of the product with digital elements and makes it available on the market shall be considered a manufacturer for the purposes of this Regulation.
Amendment 235 #
Proposal for a regulation
Article 24 – paragraph 2 – introductory part
Article 24 – paragraph 2 – introductory part
2. Where, in assessing the compliance of the critical product with digital elements of class I as set out in Annex III and the processes put in place by its manufacturer with the essential requirements set out in Annex I, the manufacturer or the manufacturer’s authorised representative has not applied or has applied only in part harmonised standards, common specifications or European cybersecurity certification schemes as referred to in Article 18, or where such harmonised standards, common specifications or European cybersecurity certification schemes do not exist, the product with digital elements concerned and the processes put in place by the manufacturer shall be submitted with regard to those essential requirements to either of the following procedures:
Amendment 237 #
Proposal for a regulation
Article 24 – paragraph 3 – introductory part
Article 24 – paragraph 3 – introductory part
3. Where the product is a critical product with digital elements of class II as set out in Annex III, the manufacturer or the manufacturer’s authorised representative shall demonstrate conformity with the essential requirements set out in Annex I by using one of the following procedures:
Amendment 240 #
Proposal for a regulation
Article 24 – paragraph 5
Article 24 – paragraph 5
5. Notified bodies shall take into account the specific interests and needs of small and medium sized enterprises (SMEs) when setting the fees for conformity assessment procedures and reduce those fees proportionately to their specific interests and needs. The Commission shall take appropriate measures to ensure more accessible and affordable procedures, including by establishing a framework for providing appropriate financial support.
Amendment 260 #
Proposal for a regulation
Article 41 – paragraph 8
Article 41 – paragraph 8
8. Market surveillance authorities may provide guidance and advice to economic operators on the implementation of this Regulation, with the support of the Commission. Market surveillance authorities shall be equipped to receive complaints by consumers affected by products with digital elements if they consider that the relevant products or the practices engaged infringe this Regulation, and shall facilitate the active participation of civil society in market surveillance activities, including scientific, research and consumer organisations, by establishing a clear and accessible mechanism to facilitate reporting of vulnerabilities, incidents, and cyber threats.
Amendment 274 #
Proposal for a regulation
Article 45 – paragraph 2
Article 45 – paragraph 2
2. In exceptional circumstances which justify an immediate intervention to preserve the good functioning of the internal market and where the Commission has sufficient reasons to consider that the product referred to in paragraph 1 remains non-compliant with the requirements laid down in this Regulation and no effective measures have been taken by the relevant market surveillance authorities, the Commission mayshall request ENISA to carry out an evaluation of compliance. The Commission shall inform the relevant market surveillance authorities accordingly. The relevant economic operators shall cooperate as necessary with ENISA.
Amendment 281 #
Proposal for a regulation
Article 48 – paragraph 2
Article 48 – paragraph 2
2. The Commission or ENISA mayshall propose joint activities for checking compliance with this Regulation to be conducted by market surveillance authorities based on indications or information of potential non-compliance across several Member States of products falling in the scope of this Regulation with the requirements laid down by the latter.
Amendment 290 #
Proposal for a regulation
Article 53 – paragraph 3
Article 53 – paragraph 3
3. The non-compliance with the essential cybersecurity requirements laid down in Annex I and the obligations set out in Articles 10 and 11 shall be subject to administrative fines of up to 1530 000 000 EUR or, if the offender is an undertaking, up to 2.56 % of the its total worldwide annual turnover for the preceding financial year, whichever is higher.
Amendment 291 #
Proposal for a regulation
Article 53 – paragraph 4
Article 53 – paragraph 4
4. The non-compliance with any other obligations under this Regulation shall be subject to administrative fines of up to 10 5 000 000 EUR or, if the offender is an undertaking, up to 2.5 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.
Amendment 295 #
Proposal for a regulation
Article 54 a (new)
Article 54 a (new)
Article 54 a Amendment to Directive 2020/1828/EC In Annex I to Directive 2020/1828/EC the following point is added: ‘67. [Regulation XXX][Cyber Resilience Act]’.
Amendment 301 #
Proposal for a regulation
Article 57 – paragraph 2
Article 57 – paragraph 2
It shall apply from [24 months after the date of entry into force of this Regulation]. However Article 11 shall apply from [12 months after the date of entry into force of this Regulation].
Amendment 326 #
Proposal for a regulation
Annex II – paragraph 1 – point 6
Annex II – paragraph 1 – point 6
6. if and, where applicable, where the software bill of materials can be accessed;