53 Amendments of Kosma ZŁOTOWSKI related to 2022/0272(COD)
Amendment 61 #
Proposal for a regulation
Recital 9
Recital 9
(9) This Regulation ensures a high level of cybersecurity of products with digital elements. It does not regulate services, such as Software-as-a-Service (SaaS), except for remote data processing solutions relating to a product with digital elements understood as any data processing at a distance for which the software is designed and developed by the manufacturer of the product concthat fall into one or more of the following data processing services models: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), Software-as-a-Service (SaaS). Those service delivery models represent a specific, pre-packaged combination of IT resources offerned or under the responsibility of that manufacturer, and the absence of which would prevent such a product with digital elements from performing by a provider of data processing service. Three base cloud delivery models are further completed by emerging variations, each comprised of a distinct combinatione of its functionIT resources. [Directive XXX/XXXX (NIS2)] puts in place cybersecurity and incident reporting requirements for essential and important entities, such as critical infrastructure, with a view to increasing the resilience of the services they provide. [Directive XXX/XXXX (NIS2)] applies to cloud computing services and cloud service models, such as IaaS, PaaS and SaaS. All entities providing cloud computing services in the Union that meet or exceed the threshold for medium-sized enterprises fall in the scope of that Directive.
Amendment 64 #
Proposal for a regulation
Recital 10
Recital 10
(10) In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. In the context of software, a commercial activity might be characterized not only by charging a price for a product, but also by charging a price for technical support services, by providing a software platform through which the manufacturer monetises other services, or by the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software. Nonetheless, in order to ensure that individual or micro developers of software as defined in Commission Recommendation 2003/361/EC do not face major financial obstacles and are not discouraged from testing the proof of concept as well as the business case on the market, these entities shall be required to make best efforts in order to comply with the requirements in this proposal during the 18 months from placing a software on the market. This special regime will prevent the chilling effect of high compliance and entry costs could have on entrepreneurs or skilled individuals who consider developing software in the Union.
Amendment 75 #
Proposal for a regulation
Recital 19
Recital 19
(19) Certain tasks provided for in this Regulation should be carried out by ENISA, in accordance with Article 3(2) of Regulation (EU) 2019/881the relevant Computer Security Incident Response Teams (CSIRTs) or the relevant market surveillance authority. In particular, ENISACSIRTs should receive notifications from manufacturers of actively exploited vulnerabilities contained ihaving a significant impact on products with digital elements, as well as incidents having an significant impact on the security of those products. ENISA should also forward these notifications to the relevant Computer Security Incident Response Teams (CSIRTs) or, respectively, to the relevant single points of contact of the Member States designated in accordance with Article [Article X] of Directive [Directive XXX / XXXX (NIS2)], and inCSIRTs or the relevant market surveillance authority, should submit to ENISA information on notifications provided such information is relevant for the coordinated response to large-scale cybersecurity incidents. For the purpose of this Regulation, an incident shall be considered to be significant if (i) it has caused or is capable of causing severe operational disruption of the production or the development, build and distribution environment form the relevant market surveillance authorities about manufacturer concerned, that would impact the security of a product; or (ii) it has affected or is capable of affecting other notified vulnerabilityatural or legal persons by causing considerable material or non-material damage. On the basis of the information it gathers, ENISA should prepare a biennial technical report on emerging trends regarding cybersecurity risks in products with digital elements and submit it to the Cooperation Group referred to in Directive [Directive XXX / XXXX (NIS2)](EU) 2022/2555. Furthermore, considering its expertise and mandate, ENISA should be able to support the process for implementation of this Regulation. In particular, it should be able to propose joint activities to be conducted by market surveillance authorities based on indications or information regarding potential non-compliance with this Regulation of products with digital elements across several Member States or identify categories of products for which simultaneous coordinated control actions should be organised. In exceptional circumstances, at the request of the Commission, ENISA should be able to conduct evaluations in respect of specific products with digital elements that present a significant cybersecurity risk, where an immediate intervention is required to preserve the good functioning of the internal market.
Amendment 77 #
Proposal for a regulation
Recital 22
Recital 22
(22) In order to ensure that products with digital elements, when placed on the market, do not pose cybersecurity risks to persons and organisations, essential requirements should be set out for such products. When the products are subsequently modified, by physical or digital means, in a way that is not foreseen by the manufacturer and that may imply that they no longer meet the relevant essential requirementsmaterially alters the core function of a product, the modification should be considered as substantial. For example, software updates or repairs could be assimilated to maintenance operations provided that they do not modify a product already placed on the market in such a way that compliance with the applicable requirements may be affected, or that the intended use for which the product has been assessed may be changed. As is the case for physical repairs or modifications, a product with digital elements should be considered as substantially modified by a software change where the software update modifies the original intended functions, type or performance of the product and these changes were not foreseen in the initial risk assessment, or the nature of the hazard has changed or the level of risk has increased because of the software updateintroduce substantial changes to the functions or cybersecurity architecture of a product already placed on the market, that change the level of hazard or risk for which the product was assessed.
Amendment 81 #
Proposal for a regulation
Recital 23
Recital 23
(23) In line with the commonly established notion of substantial modification for products regulated by Union harmonisation legislation, whenever a substantial modification occurs that may affect the compliance of a product with this Regulation or when the intended purpose of that product changes, it is appropriate that the compliance of the product with digital elements is verified and that, where applicable, it undergoes a newthe conformity assessment updated. Where applicable, if the manufacturer undertakes a conformity assessment involving a third party, changes that might lead to substantial modifications should be notified to the third party. The subsequent conformity assessment should address the changes that lead to the new assessment, unless these changes have significant impact on the conformity of other parts of the product.
Amendment 96 #
Proposal for a regulation
Recital 34
Recital 34
Amendment 100 #
Proposal for a regulation
Recital 35
Recital 35
(35) Manufacturers should also report to ENISA any incident having an impact on the security of the product with digital elements. Notwithstanding the incident reporting obligations in Directive [Directive XXX/XXXX (NIS2)] for essential and important entities, it is crucial for ENISA, the single points of contact designated by the Member States relevant CSIRTs or, where applicable the relevant market surveillance authority, any incident having accordance with Article [Article X] of Directive [Directive XXX/XXXX (NIS2)] and the market surveillance authorities to receive information from the manufacturers of significant impact on the security of the products with digital elements allowing them to assess the security of these products. In order to ensure that users can react quickly to incidents having an significant impact on the security of their products with digital elements, manufacturers should also inform their users about any such incident and, where applicable, about any corrective measures that the users can deploy to mitigate the impact of the incident, for example by publishing relevant information on their websites or, where the manufacturer is able to contact the users and where justified by the risks, by reaching out to the users directly.
Amendment 113 #
Proposal for a regulation
Article 2 – paragraph 1
Article 2 – paragraph 1
1. This Regulation applies to products with digital elements placed on the market whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network.
Amendment 115 #
Proposal for a regulation
Article 2 – paragraph 2 – point c a (new)
Article 2 – paragraph 2 – point c a (new)
(c a) Regulation (EU) 2022/2554;
Amendment 116 #
Proposal for a regulation
Article 2 – paragraph 2 – point c b (new)
Article 2 – paragraph 2 – point c b (new)
(c b) Directive (EU) 2022/2555.
Amendment 121 #
Proposal for a regulation
Article 2 – paragraph 5 a (new)
Article 2 – paragraph 5 a (new)
5 a. This Regulation does not apply to any supply of a product with digital elements for distribution and use on the Union market where such supply, distribution, and use exclusively occurs within the same group of companies within the meaning of Article 2(13) of Regulation (EU) 2015/848.
Amendment 124 #
Proposal for a regulation
Article 3 – paragraph 1 – point 1
Article 3 – paragraph 1 – point 1
(1) ‘product with digital elements’ means any software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the market separately;
Amendment 126 #
Proposal for a regulation
Article 3 – paragraph 1 – point 2
Article 3 – paragraph 1 – point 2
Amendment 128 #
Proposal for a regulation
Article 3 – paragraph 1 – point 6
Article 3 – paragraph 1 – point 6
(6) ‘software’ means the part of an electronic information system which consists of computer code, with exception of software relating to the Internet websites;
Amendment 135 #
Proposal for a regulation
Article 3 – paragraph 1 – point 26
Article 3 – paragraph 1 – point 26
Amendment 136 #
Proposal for a regulation
Article 3 – paragraph 1 – point 31
Article 3 – paragraph 1 – point 31
(31) ‘substantial modification’ means a change to the product with digital elements following its placing on the market, which affects the compliance of the product with digital elements with the essential requirements set out in Section 1 of Annex I or results in a modification to the intended use for whichhas material impact on the core function of the product with digital elements has been assessed;
Amendment 136 #
Proposal for a regulation
Recital 10
Recital 10
(10) In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. In the context of software, a commercial activity might be characterized not only by charging a price for a product, but also by charging a price for technical support services, by providing a software platform through which the manufacturer monetises other services, or by the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software. Nonetheless, in order to ensure that individual or micro developers of software as defined in Commission Recommendation 2003/361/EC do not face major financial obstacles and are not discouraged from testing the proof of concept as well as the business case on the market, these entities shall be required to make best efforts in order to comply with the requirements in this proposal during the 12 months from placing a software on the market. This special regime will prevent the chilling effect of high compliance and entry costs could have on entrepreneurs or skilled individuals who consider developing software in the European Union.
Amendment 148 #
Proposal for a regulation
Article 4 – paragraph 3
Article 4 – paragraph 3
3. Member States shall not prevent the making available of unfinished software which does not comply with this Regulation provided that the software is only made available for a limited period required for testing purposesin a non-production version for testing purposes, including software labelled as ‘beta,’ ‘pre-release’, or ‘candidate’, and that a visible sign clearly indicates that it does not comply with this Regulation and will not be available on the market for purposes other than testing.
Amendment 159 #
Proposal for a regulation
Article 6 – paragraph 5
Article 6 – paragraph 5
Amendment 161 #
Proposal for a regulation
Article 7 – paragraph 1
Article 7 – paragraph 1
Amendment 171 #
Proposal for a regulation
Article 10 – paragraph -1 (new)
Article 10 – paragraph -1 (new)
-1. Software manufacturers which qualify as a microenterprise as defined in Commission Recommendation 2003/361/EC shall make best efforts to comply with the requirements in this Regulation during the 18 months from placing a software on the market.
Amendment 172 #
Proposal for a regulation
Article 10 – paragraph 1
Article 10 – paragraph 1
1. When placing a product with digital elements on the market, manufacturers shall take reasonable measures to ensure that it has been designed, developed and produced in accordance with the essential requirements set out in Section 1 of Annex I.
Amendment 176 #
Proposal for a regulation
Article 10 – paragraph 4
Article 10 – paragraph 4
4. For the purposes of complying with the obligation laid down in paragraph 1, manufacturers shall exercise due diligence when integrating components sourced from third parties in products with digital elements. They shall take reasonable measures to ensure that such components do not compromise the security of the product with digital elements.
Amendment 181 #
Proposal for a regulation
Article 10 – paragraph 6 – subparagraph 1
Article 10 – paragraph 6 – subparagraph 1
When placing a product with digital elements on the market, and for the expected product lifetime or for a period of five years from the placing of the product on the market, whichever is shorter or a shorter period, appropriate to the type and specificity of product, manufacturers shall ensure that vulnerabilities of that product are handled effectively and in accordance with the essential requirements set out in Section 2 of Annex I.
Amendment 189 #
Proposal for a regulation
Article 10 – paragraph 12
Article 10 – paragraph 12
12. From the placing on the market and for the expected product lifetime or for a period of five years after the placing on the market ofr a shorter period, appropriate to the type and specificity of product with digital elements, whichever is shorter, manufacturers who know or have reason to believe that the product with digital elements or the processes put in place by the manufacturer are not in conformity with the essential requirements set out in Annex I shall immediatelywithout undue delay take reasonable measures proportionate to the risk, take the corrective measures necessary to bring that product with digital elements or the manufacturer’s processes into conformity, to withdraw or to recall the product, as appropriate.
Amendment 194 #
Proposal for a regulation
Article 11 – paragraph 1
Article 11 – paragraph 1
1. The manufacturer shall, without undue delay and in any event within 24 hours of becoming aware of it, notify to ENISAnotify relevant Computer Security Incident Response Teams (CSIRTs) or, where applicable, competent authority of the Member State established under Directive (EU) 2022/2555, any actively exploited vulnerability contained iwith significant impact on the product with digital elements. The notification shall include details concerningbe submitted without undue delay after thate vulnerability and, where applicable, any corrective or mitigating measures taken. ENISA shall, without undue delay, unless for justified cybersecurity risk-related grounds, forward the notification to the CSIRT designated for the purposes of coordinated vulnerability disclosure in accordance with Article [Article X] of Directive [Directive XXX/XXXX (NIS2)] of Member States concerned upon receipt and inform the market surveillance authority about the notified vulnerabilityhas been addressed and shall include details concerning that vulnerability and, where applicable, any corrective or mitigating measures taken.
Amendment 198 #
Proposal for a regulation
Article 11 – paragraph 2
Article 11 – paragraph 2
2. The manufacturer shall, without undue delay and in any from the moment it becomes aware, notify to releveant within 24 hours of becoming aware of it, notify to ENISA anyCSIRTs or, where applicable, competent authority of the Member State established under Directive (EU) 2022/2555, any major incident having a significant impact on the security of the product with digital elements. ENISA shall, without undue delay, unless for justified cybersecurity risk-related grounds, forward the notifications to the single point of contact designated in accordance with Article [Article X] of Directive [Directive XXX/XXXX (NIS2)] of the Member States concerned and inform the market surveillance authority about the notified incidents. The incident notification shall include informationThe incident notification shall be submitted without undue delay and include information strictly necessary to make the competent authority aware of the incident, and where relevant and proportionate to the risk, on the severity and impact of the incident and, where applicable, indicate whether the manufacturer suspects the incident to be caused by unlawful or malicious acts or considers it to have a cross-border impact.
Amendment 199 #
Proposal for a regulation
Article 11 – paragraph 3
Article 11 – paragraph 3
3. ENISA shall submit to the European cyber crisis liaison organisation network (EU-CyCLONe) established by Article [Article X] of Directive [Directive XXX/XXXX (NIS2)]CSIRTs or, where applicable, competent authority of the Member State established under Directive (EU) 2022/2555, shall submit to ENISA information notified pursuant to paragraphs 1 and 2 if such information is relevant for the coordinated management of large-scale cybersecurity incidents and crises at an operational level. ENISA shall submit the information received by the CSIRTs or, where applicable, competent authority of the Member State established under Directive (EU) 2022/2555, to the European cyber crisis liaison organisation network (EUCyCLONe) established by Article 16 of Directive (EU) 2022/2555.
Amendment 202 #
Proposal for a regulation
Article 11 – paragraph 4
Article 11 – paragraph 4
4. The manufacturer shall inform, without undue delay and after becoming aware, the users of the product with digital elements about the incida significant incident having major impact on the security of the product with digital elements and, where necessary, about corrective measures that the user can deploy to mitigate the impact of the incident.
Amendment 205 #
Proposal for a regulation
Article 11 – paragraph 5
Article 11 – paragraph 5
5. The Commission, after consulting stakeholders and CSIRTs may, by means of implementing acts, specify further the type of information, format and procedure of the notifications submitted pursuant to paragraphs 1 and 2. Those implementing acts shall be based on European and international standards, such as ISO/IEC 29147 and adopted in accordance with the examination procedure referred to in Article 51(2).
Amendment 207 #
Proposal for a regulation
Article 11 – paragraph 6
Article 11 – paragraph 6
6. ENISA, on the basis of the notifications received pursuant to paragraphs 1, 2 and 23, shall prepare a biennial technical report on emerging trends regarding cybersecurity risks in products with digital elements and submit it to the Cooperation Group referred to in Article [Article X]14 of Directive [Directive XXX/XXXX (NIS2)](EU) 2022/2555. The first such report shall be submitted within 24 months after the obligations laid down in paragraphs 1 and 2 start applying.
Amendment 217 #
Proposal for a regulation
Article 18 – paragraph 2
Article 18 – paragraph 2
Amendment 218 #
Proposal for a regulation
Article 18 – paragraph 4
Article 18 – paragraph 4
Amendment 220 #
Proposal for a regulation
Article 19
Article 19
Amendment 241 #
Proposal for a regulation
Article 24 – paragraph 5 a (new)
Article 24 – paragraph 5 a (new)
5 a. For products with digital elements falling within the scope of this Regulation and which are placed on the market or put into service by credit institutions regulated by Directive 2013/36/EU, the conformity assessment shall be carried out as part of the procedure referred to in Articles 97 to 101 of that Directive.
Amendment 249 #
Proposal for a regulation
Article 29 – paragraph 12
Article 29 – paragraph 12
12. Conformity assessment bodies shall operate in accordance with a set of consistent, fair and reasonable terms and conditions in line with Article 37(2), in particular taking into account the interests of SMEs in relation to fees.
Amendment 252 #
Proposal for a regulation
Article 37 – paragraph 2
Article 37 – paragraph 2
2. Conformity assessments shall be carried out in a proportionate manner, avoiding unnecessary burdens for economic operators. Conformity assessment bodies shall perform their activities taking due account of the size of an undertaking, the sector in which it operates, its structure, the degree of complexity and the risk exposure of the product type and technology in question and the mass or serial nature of the production process.
Amendment 262 #
Proposal for a regulation
Article 41 – paragraph 11 a (new)
Article 41 – paragraph 11 a (new)
11 a. For products with digital elements falling within the scope of this Regulation, distributed, put into service or used by financial institutions regulated by relevant Union legislation on financial services, the market surveillance authority for the purposes of this Regulation shall be the relevant authority responsible for the financial supervision of those institutions under that legislation.
Amendment 266 #
Proposal for a regulation
Article 43 – paragraph 1 – subparagraph 2
Article 43 – paragraph 1 – subparagraph 2
Where, in the course of that evaluation, the market surveillance authority finds that the product with digital elements does not comply with the requirements laid down in this Regulation or otherwise present threat to national security, it shall without delay require the relevant operator to take all appropriate corrective actions to bring the product into compliance with those requirements, to withdraw it from the market, or to recall it within a reasonable period, commensurate with the nature of the risk, as it may prescribe.
Amendment 268 #
Proposal for a regulation
Article 43 – paragraph 4 – subparagraph 1
Article 43 – paragraph 4 – subparagraph 1
Where the manufacturer of a product with digital elements does not take adequate corrective action within the period referred to in paragraph 1, second subparagraph, or the relevant Member States authority consider product to present threat to the national security, the market surveillance authority shall take all appropriate provisional measures to prohibit or restrict that product being made available on its national market, to withdraw it from that market or to recall it.
Amendment 268 #
Proposal for a regulation
Article 10 – paragraph -1 (new)
Article 10 – paragraph -1 (new)
-1. Software manufacturers which qualify as a microenterprise as defined in Commission Recommendation 2003/361/EC shall make best efforts to comply with the requirements in this Regulation during the 12 months from placing a software on the market.
Amendment 269 #
Proposal for a regulation
Article 43 – paragraph 7
Article 43 – paragraph 7
7. Where, within three months of receipt of the information referred to in paragraph 4, no objection has been raised by either a Member State or the Commission in respect of a provisional measure taken by a Member State, that measure shall be deemed justified. The decision referred to in paragraph 1, concerning threat to national security shall always be deemed justified. This is without prejudice to the procedural rights of the operator concerned in accordance with Article 18 of Regulation (EU) 2019/1020.
Amendment 270 #
Proposal for a regulation
Article 45 – paragraph 1
Article 45 – paragraph 1
1. Where the Commission has sufficient reasons to consider, including based on information provided by the competent authorities of Member States, the computer security incident response teams (CSIRTs) designated or established in accordance with Directive (EU) 2022/2555 or ENISA, that a product with digital elements that presents a significant cybersecurity risk is non-compliant with the requirements laid down in this Regulation, it may request the relevant market surveillance authorities to carry out an evaluation of compliance and follow the procedures referred to in Article 43.
Amendment 272 #
Proposal for a regulation
Article 45 – paragraph 2
Article 45 – paragraph 2
2. In exceptional circumstances which justify an immediate intervention to preserve the good functioning of the internal market and where the Commission has sufficient reasons, substantiated by relevant data, to consider that the product referred to in paragraph 1 remains non- compliant with the requirements laid down in this Regulation and no effective measures have been taken by the relevant market surveillance authorities, the Commission may request ENISAthe relevant Member State authority to carry out an evaluation of compliance. The Commission shall inform the relevant market surveillance authorities and ENISA accordingly. The relevant economic operators shall cooperate as necessary with ENISA.
Amendment 275 #
Proposal for a regulation
Article 45 – paragraph 3
Article 45 – paragraph 3
Amendment 292 #
Proposal for a regulation
Article 53 – paragraph 6 – point a a (new)
Article 53 – paragraph 6 – point a a (new)
(a a) the type of manufactured product and whether entity qualifies as microenterprise for the specific compliance regime outlined in the Article 10(-1) of this Regulation.
Amendment 299 #
Proposal for a regulation
Article 57 – paragraph 2
Article 57 – paragraph 2
It shall apply from [2436 months after the date of entry into force of this Regulation]. However Article 11 shall apply from [124 months after the date of entry into force of this Regulation] and Articles 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38 shall apply from [30 months after the entry into force of this Regulation].
Amendment 304 #
Proposal for a regulation
Annex I – Part 1 – point 2
Annex I – Part 1 – point 2
(2) Products with digital elements shall be delivered without any known exploitable vulnerabilitiein a way that does not wilfully create cybersecurity risks;
Amendment 307 #
Proposal for a regulation
Annex I – Part 1 – point 3 – point a
Annex I – Part 1 – point 3 – point a
(a) be delivered with a secure by default configuration, including the possibility to reset the product to its original statedefault security configuration;
Amendment 343 #
Proposal for a regulation
Annex V – paragraph 1 – point 1 – point a
Annex V – paragraph 1 – point 1 – point a
Amendment 344 #
Proposal for a regulation
Annex V – paragraph 1 – point 2
Annex V – paragraph 1 – point 2
Amendment 347 #
Proposal for a regulation
Annex V – paragraph 1 – point 3
Annex V – paragraph 1 – point 3
3. an assess statement of the cybersecurity risks against which the product with digital elements is designed, developed, produced, delivered and maintained as laid down in Article 10 of this Regulation;
Amendment 445 #
Proposal for a regulation
Article 53 – paragraph 6 – point a a (new)
Article 53 – paragraph 6 – point a a (new)
(aa) the type of manufactured product and whether entity qualifies as microenterprise for the specific compliance regime outlined in the Article 10(-1) of this Regulation.