53 Amendments of Kosma ZŁOTOWSKI related to 2022/0272(COD)

Amendment 61 #
Proposal for a regulation
Recital 9
(9) This Regulation ensures a high level of cybersecurity of products with digital elements. It does not regulate services, such as Software-as-a-Service (SaaS), except for remote data processing solutions relating to a product with digital elements understood as any data processing at a distance for which the software is designed and developed by the manufacturer of the product concthat fall into one or more of the following data processing services models: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), Software-as-a-Service (SaaS). Those service delivery models represent a specific, pre-packaged combination of IT resources offerned or under the responsibility of that manufacturer, and the absence of which would prevent such a product with digital elements from performing by a provider of data processing service. Three base cloud delivery models are further completed by emerging variations, each comprised of a distinct combinatione of its functionIT resources. [Directive XXX/XXXX (NIS2)] puts in place cybersecurity and incident reporting requirements for essential and important entities, such as critical infrastructure, with a view to increasing the resilience of the services they provide. [Directive XXX/XXXX (NIS2)] applies to cloud computing services and cloud service models, such as IaaS, PaaS and SaaS. All entities providing cloud computing services in the Union that meet or exceed the threshold for medium-sized enterprises fall in the scope of that Directive.
2023/04/28
Committee: IMCO
Amendment 64 #
Proposal for a regulation
Recital 10
(10) In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. In the context of software, a commercial activity might be characterized not only by charging a price for a product, but also by charging a price for technical support services, by providing a software platform through which the manufacturer monetises other services, or by the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software. Nonetheless, in order to ensure that individual or micro developers of software as defined in Commission Recommendation 2003/361/EC do not face major financial obstacles and are not discouraged from testing the proof of concept as well as the business case on the market, these entities shall be required to make best efforts in order to comply with the requirements in this proposal during the 18 months from placing a software on the market. This special regime will prevent the chilling effect of high compliance and entry costs could have on entrepreneurs or skilled individuals who consider developing software in the Union.
2023/04/28
Committee: IMCO
Amendment 75 #
Proposal for a regulation
Recital 19
(19) Certain tasks provided for in this Regulation should be carried out by ENISA, in accordance with Article 3(2) of Regulation (EU) 2019/881the relevant Computer Security Incident Response Teams (CSIRTs) or the relevant market surveillance authority. In particular, ENISACSIRTs should receive notifications from manufacturers of actively exploited vulnerabilities contained ihaving a significant impact on products with digital elements, as well as incidents having an significant impact on the security of those products. ENISA should also forward these notifications to the relevant Computer Security Incident Response Teams (CSIRTs) or, respectively, to the relevant single points of contact of the Member States designated in accordance with Article [Article X] of Directive [Directive XXX / XXXX (NIS2)], and inCSIRTs or the relevant market surveillance authority, should submit to ENISA information on notifications provided such information is relevant for the coordinated response to large-scale cybersecurity incidents. For the purpose of this Regulation, an incident shall be considered to be significant if (i) it has caused or is capable of causing severe operational disruption of the production or the development, build and distribution environment form the relevant market surveillance authorities about manufacturer concerned, that would impact the security of a product; or (ii) it has affected or is capable of affecting other notified vulnerabilityatural or legal persons by causing considerable material or non-material damage. On the basis of the information it gathers, ENISA should prepare a biennial technical report on emerging trends regarding cybersecurity risks in products with digital elements and submit it to the Cooperation Group referred to in Directive [Directive XXX / XXXX (NIS2)](EU) 2022/2555. Furthermore, considering its expertise and mandate, ENISA should be able to support the process for implementation of this Regulation. 
In particular, it should be able to propose joint activities to be conducted by market surveillance authorities based on indications or information regarding potential non-compliance with this Regulation of products with digital elements across several Member States or identify categories of products for which simultaneous coordinated control actions should be organised. In exceptional circumstances, at the request of the Commission, ENISA should be able to conduct evaluations in respect of specific products with digital elements that present a significant cybersecurity risk, where an immediate intervention is required to preserve the good functioning of the internal market.
2023/04/28
Committee: IMCO
Amendment 77 #
Proposal for a regulation
Recital 22
(22) In order to ensure that products with digital elements, when placed on the market, do not pose cybersecurity risks to persons and organisations, essential requirements should be set out for such products. When the products are subsequently modified, by physical or digital means, in a way that is not foreseen by the manufacturer and that may imply that they no longer meet the relevant essential requirementsmaterially alters the core function of a product, the modification should be considered as substantial. For example, software updates or repairs could be assimilated to maintenance operations provided that they do not modify a product already placed on the market in such a way that compliance with the applicable requirements may be affected, or that the intended use for which the product has been assessed may be changed. As is the case for physical repairs or modifications, a product with digital elements should be considered as substantially modified by a software change where the software update modifies the original intended functions, type or performance of the product and these changes were not foreseen in the initial risk assessment, or the nature of the hazard has changed or the level of risk has increased because of the software updateintroduce substantial changes to the functions or cybersecurity architecture of a product already placed on the market, that change the level of hazard or risk for which the product was assessed.
2023/04/28
Committee: IMCO
Amendment 81 #
Proposal for a regulation
Recital 23
(23) In line with the commonly established notion of substantial modification for products regulated by Union harmonisation legislation, whenever a substantial modification occurs that may affect the compliance of a product with this Regulation or when the intended purpose of that product changes, it is appropriate that the compliance of the product with digital elements is verified and that, where applicable, it undergoes a newthe conformity assessment updated. Where applicable, if the manufacturer undertakes a conformity assessment involving a third party, changes that might lead to substantial modifications should be notified to the third party. The subsequent conformity assessment should address the changes that lead to the new assessment, unless these changes have significant impact on the conformity of other parts of the product.
2023/04/28
Committee: IMCO
Amendment 96 #
Proposal for a regulation
Recital 34
(34) To ensure that the national CSIRTs and the single point of contacts designated in accordance with Article [Article X] of Directive [Directive XX/XXXX (NIS2)] are provided with the information necessary to fulfil their tasks and raise the overall level of cybersecurity of essential and important entities, and to ensure the effective functioning of market surveillance authorities, manufacturers of products with digital elements should notify to ENISA vulnerabilities that are being actively exploited. As most products with digital elements are marketed across the entire internal market, any exploited vulnerability in a product with digital elements should be considered a threat to the functioning of the internal market. Manufacturers should also consider disclosing fixed vulnerabilities to the European vulnerability database established under Directive [Directive XX/XXXX (NIS2)] and managed by ENISA or under any other publicly accessible vulnerability database.
deleted
2023/04/28
Committee: IMCO
Amendment 100 #
Proposal for a regulation
Recital 35
(35) Manufacturers should also report to ENISA any incident having an impact on the security of the product with digital elements. Notwithstanding the incident reporting obligations in Directive [Directive XXX/XXXX (NIS2)] for essential and important entities, it is crucial for ENISA, the single points of contact designated by the Member States relevant CSIRTs or, where applicable the relevant market surveillance authority, any incident having accordance with Article [Article X] of Directive [Directive XXX/XXXX (NIS2)] and the market surveillance authorities to receive information from the manufacturers of significant impact on the security of the products with digital elements allowing them to assess the security of these products. In order to ensure that users can react quickly to incidents having an significant impact on the security of their products with digital elements, manufacturers should also inform their users about any such incident and, where applicable, about any corrective measures that the users can deploy to mitigate the impact of the incident, for example by publishing relevant information on their websites or, where the manufacturer is able to contact the users and where justified by the risks, by reaching out to the users directly.
2023/04/28
Committee: IMCO
Amendment 113 #
Proposal for a regulation
Article 2 – paragraph 1
1. This Regulation applies to products with digital elements placed on the market whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network.
2023/04/28
Committee: IMCO
Amendment 115 #
Proposal for a regulation
Article 2 – paragraph 2 – point c a (new)
(c a) Regulation (EU) 2022/2554;
2023/04/28
Committee: IMCO
Amendment 116 #
Proposal for a regulation
Article 2 – paragraph 2 – point c b (new)
(c b) Directive (EU) 2022/2555.
2023/04/28
Committee: IMCO
Amendment 121 #
Proposal for a regulation
Article 2 – paragraph 5 a (new)
5 a. This Regulation does not apply to any supply of a product with digital elements for distribution and use on the Union market where such supply, distribution, and use exclusively occurs within the same group of companies within the meaning of Article 2(13) of Regulation (EU) 2015/848.
2023/04/28
Committee: IMCO
Amendment 124 #
Proposal for a regulation
Article 3 – paragraph 1 – point 1
(1) ‘product with digital elements’ means any software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the market separately;
2023/04/28
Committee: IMCO
Amendment 126 #
Proposal for a regulation
Article 3 – paragraph 1 – point 2
(2) ‘remote data processing’ means any data processing at a distance for which the software is designed and developed by the manufacturer or under the responsibility of the manufacturer, and the absence of which would prevent the product with digital elements from performing one of its functions;
deleted
2023/04/28
Committee: IMCO
Amendment 128 #
Proposal for a regulation
Article 3 – paragraph 1 – point 6
(6) ‘software’ means the part of an electronic information system which consists of computer code, with exception of software relating to the Internet websites;
2023/04/28
Committee: IMCO
Amendment 135 #
Proposal for a regulation
Article 3 – paragraph 1 – point 26
(26) ‘reasonably foreseeable misuse’ means the use of a product with digital elements in a way that is not in accordance with its intended purpose, but which may result from reasonably foreseeable human behaviour or interaction with other systems;
deleted (This amendment applies throughout the text.)
2023/04/28
Committee: IMCO
Amendment 136 #
Proposal for a regulation
Article 3 – paragraph 1 – point 31
(31) ‘substantial modification’ means a change to the product with digital elements following its placing on the market, which affects the compliance of the product with digital elements with the essential requirements set out in Section 1 of Annex I or results in a modification to the intended use for whichhas material impact on the core function of the product with digital elements has been assessed;
2023/04/28
Committee: IMCO
Amendment 136 #
Proposal for a regulation
Recital 10
(10) In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. In the context of software, a commercial activity might be characterized not only by charging a price for a product, but also by charging a price for technical support services, by providing a software platform through which the manufacturer monetises other services, or by the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software. Nonetheless, in order to ensure that individual or micro developers of software as defined in Commission Recommendation 2003/361/EC do not face major financial obstacles and are not discouraged from testing the proof of concept as well as the business case on the market, these entities shall be required to make best efforts in order to comply with the requirements in this proposal during the 12 months from placing a software on the market. This special regime will prevent the chilling effect of high compliance and entry costs could have on entrepreneurs or skilled individuals who consider developing software in the European Union.
2023/05/04
Committee: ITRE
Amendment 148 #
Proposal for a regulation
Article 4 – paragraph 3
3. Member States shall not prevent the making available of unfinished software which does not comply with this Regulation provided that the software is only made available for a limited period required for testing purposesin a non-production version for testing purposes, including software labelled as ‘beta,’ ‘pre-release’, or ‘candidate’, and that a visible sign clearly indicates that it does not comply with this Regulation and will not be available on the market for purposes other than testing.
2023/04/28
Committee: IMCO
Amendment 159 #
Proposal for a regulation
Article 6 – paragraph 5
5. The Commission is empowered to adopt delegated acts in accordance with Article 50 to supplement this Regulation by specifying categories of highly critical products with digital elements for which the manufacturers shall be required to obtain a European cybersecurity certificate under a European cybersecurity certification scheme pursuant to Regulation (EU) 2019/881 to demonstrate conformity with the essential requirements set out in Annex I, or parts thereof. When determining such categories of highly critical products with digital elements, the Commission shall take into account the level of cybersecurity risk related to the category of products with digital elements, in light of one or several of the criteria listed in paragraph 2, as well as in view of the assessment of whether that category of products is:
(a) used or relied upon by the essential entities of the type referred to in Annex [Annex I] to the Directive [Directive XXX/ XXXX (NIS2)] or will have potential future significance for the activities of these entities; or
(b) relevant for the resilience of the overall supply chain of products with digital elements against disruptive events.
2023/04/28
Committee: IMCO
Amendment 161 #
Proposal for a regulation
Article 7 – paragraph 1
By way of derogation from Article 2(1), third subparagraph, point (b), of Regulation [General Product Safety Regulation] where products with digital elements are not subject to specific requirements laid down in other Union harmonisation legislation within the meaning of [Article 3, point (25) of the General Product Safety Regulation], Chapter III, Section 1, Chapters V and VII, and Chapters IX to XI of Regulation [General Product Safety Regulation] shall apply to those products with respect to safety risks not covered byProducts with digital elements as defined and falling within the scope of [General Product Safety Regulation] shall be deemed as complying with the cybersecurity requirements for the purpose of [Article 5 of General Product Safety Regulation] if they comply with the requirements of this Regulation.
2023/04/28
Committee: IMCO
Amendment 171 #
Proposal for a regulation
Article 10 – paragraph -1 (new)
-1. Software manufacturers which qualify as a microenterprise as defined in Commission Recommendation 2003/361/EC shall make best efforts to comply with the requirements in this Regulation during the 18 months from placing a software on the market.
2023/04/28
Committee: IMCO
Amendment 172 #
Proposal for a regulation
Article 10 – paragraph 1
1. When placing a product with digital elements on the market, manufacturers shall take reasonable measures to ensure that it has been designed, developed and produced in accordance with the essential requirements set out in Section 1 of Annex I.
2023/04/28
Committee: IMCO
Amendment 176 #
Proposal for a regulation
Article 10 – paragraph 4
4. For the purposes of complying with the obligation laid down in paragraph 1, manufacturers shall exercise due diligence when integrating components sourced from third parties in products with digital elements. They shall take reasonable measures to ensure that such components do not compromise the security of the product with digital elements.
2023/04/28
Committee: IMCO
Amendment 181 #
Proposal for a regulation
Article 10 – paragraph 6 – subparagraph 1
When placing a product with digital elements on the market, and for the expected product lifetime or for a period of five years from the placing of the product on the market, whichever is shorter or a shorter period, appropriate to the type and specificity of product, manufacturers shall ensure that vulnerabilities of that product are handled effectively and in accordance with the essential requirements set out in Section 2 of Annex I.
2023/04/28
Committee: IMCO
Amendment 189 #
Proposal for a regulation
Article 10 – paragraph 12
12. From the placing on the market and for the expected product lifetime or for a period of five years after the placing on the market ofr a shorter period, appropriate to the type and specificity of product with digital elements, whichever is shorter, manufacturers who know or have reason to believe that the product with digital elements or the processes put in place by the manufacturer are not in conformity with the essential requirements set out in Annex I shall immediatelywithout undue delay take reasonable measures proportionate to the risk, take the corrective measures necessary to bring that product with digital elements or the manufacturer’s processes into conformity, to withdraw or to recall the product, as appropriate.
2023/04/28
Committee: IMCO
Amendment 194 #
Proposal for a regulation
Article 11 – paragraph 1
1. The manufacturer shall, without undue delay and in any event within 24 hours of becoming aware of it, notify to ENISAnotify relevant Computer Security Incident Response Teams (CSIRTs) or, where applicable, competent authority of the Member State established under Directive (EU) 2022/2555, any actively exploited vulnerability contained iwith significant impact on the product with digital elements. The notification shall include details concerningbe submitted without undue delay after thate vulnerability and, where applicable, any corrective or mitigating measures taken. ENISA shall, without undue delay, unless for justified cybersecurity risk-related grounds, forward the notification to the CSIRT designated for the purposes of coordinated vulnerability disclosure in accordance with Article [Article X] of Directive [Directive XXX/XXXX (NIS2)] of Member States concerned upon receipt and inform the market surveillance authority about the notified vulnerabilityhas been addressed and shall include details concerning that vulnerability and, where applicable, any corrective or mitigating measures taken.
2023/04/28
Committee: IMCO
Amendment 198 #
Proposal for a regulation
Article 11 – paragraph 2
2. The manufacturer shall, without undue delay and in any from the moment it becomes aware, notify to releveant within 24 hours of becoming aware of it, notify to ENISA anyCSIRTs or, where applicable, competent authority of the Member State established under Directive (EU) 2022/2555, any major incident having a significant impact on the security of the product with digital elements. ENISA shall, without undue delay, unless for justified cybersecurity risk-related grounds, forward the notifications to the single point of contact designated in accordance with Article [Article X] of Directive [Directive XXX/XXXX (NIS2)] of the Member States concerned and inform the market surveillance authority about the notified incidents. The incident notification shall include informationThe incident notification shall be submitted without undue delay and include information strictly necessary to make the competent authority aware of the incident, and where relevant and proportionate to the risk, on the severity and impact of the incident and, where applicable, indicate whether the manufacturer suspects the incident to be caused by unlawful or malicious acts or considers it to have a cross-border impact.
2023/04/28
Committee: IMCO
Amendment 199 #
Proposal for a regulation
Article 11 – paragraph 3
3. CSIRTs or, where applicable, competent authority of the Member State established under Directive (EU) 2022/2555, shall submit to ENISA information notified pursuant to paragraphs 1 and 2 if such information is relevant for the coordinated management of large-scale cybersecurity incidents and crises at an operational level. ENISA shall submit the information received by the CSIRTs or, where applicable, competent authority of the Member State established under Directive (EU) 2022/2555, to the European cyber crisis liaison organisation network (EU-CyCLONe) established by Article 16 of Directive (EU) 2022/2555.
2023/04/28
Committee: IMCO
Amendment 202 #
Proposal for a regulation
Article 11 – paragraph 4
4. The manufacturer shall inform, without undue delay and after becoming aware, the users of the product with digital elements about a significant incident having major impact on the security of the product with digital elements and, where necessary, about corrective measures that the user can deploy to mitigate the impact of the incident.
2023/04/28
Committee: IMCO
Amendment 205 #
Proposal for a regulation
Article 11 – paragraph 5
5. The Commission, after consulting stakeholders and CSIRTs may, by means of implementing acts, specify further the type of information, format and procedure of the notifications submitted pursuant to paragraphs 1 and 2. Those implementing acts shall be based on European and international standards, such as ISO/IEC 29147 and adopted in accordance with the examination procedure referred to in Article 51(2).
2023/04/28
Committee: IMCO
Amendment 207 #
Proposal for a regulation
Article 11 – paragraph 6
6. ENISA, on the basis of the notifications received pursuant to paragraphs 1, 2 and 3, shall prepare a biennial technical report on emerging trends regarding cybersecurity risks in products with digital elements and submit it to the Cooperation Group referred to in Article 14 of Directive (EU) 2022/2555. The first such report shall be submitted within 24 months after the obligations laid down in paragraphs 1 and 2 start applying.
2023/04/28
Committee: IMCO
Amendment 217 #
Proposal for a regulation
Article 18 – paragraph 2
2. Products with digital elements and processes put in place by the manufacturer, which are in conformity with the common specifications referred to in Article 19 shall be presumed to be in conformity with the essential requirements set out in Annex I, to the extent those common specifications cover those requirements.
deleted
2023/04/28
Committee: IMCO
Amendment 218 #
Proposal for a regulation
Article 18 – paragraph 4
4. The Commission is empowered, by means of implementing acts, to specify the European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 that can be used to demonstrate conformity with the essential requirements or parts thereof as set out in Annex I. Furthermore, where applicable, the Commission shall specify if a cybersecurity certificate issued under such schemes eliminates the obligation of a manufacturer to carry out a third-party conformity assessment for the corresponding requirements, as set out in Article 24(2)(a), (b), (3)(a) and (b). Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 51(2).
deleted
2023/04/28
Committee: IMCO
Amendment 220 #
Proposal for a regulation
Article 19
Where harmonised standards referred to in Article 189 do not exist or where the Commission considers that the relevant harmonised standards are insufficient to satisfy the requirements of this Regulation or to comply with the standardisation request of the Commission, or where there are undue delays in the standardisation procedure or where the request for harmonised standards by the Commission has not been accepted by the European standardisation organisations, the Commission is empowered, by means of implementing acts, to adopt common specifications in respect of the essential requirements set out in Annex I. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 51(2).
deleted Common specifications (This amendment applies throughout the text to all references of Common specifications.)
2023/04/28
Committee: IMCO
Amendment 241 #
Proposal for a regulation
Article 24 – paragraph 5 a (new)
5 a. For products with digital elements falling within the scope of this Regulation and which are placed on the market or put into service by credit institutions regulated by Directive 2013/36/EU, the conformity assessment shall be carried out as part of the procedure referred to in Articles 97 to 101 of that Directive.
2023/04/28
Committee: IMCO
Amendment 249 #
Proposal for a regulation
Article 29 – paragraph 12
12. Conformity assessment bodies shall operate in accordance with a set of consistent, fair and reasonable terms and conditions in line with Article 37(2), in particular taking into account the interests of SMEs in relation to fees.
2023/04/28
Committee: IMCO
Amendment 252 #
Proposal for a regulation
Article 37 – paragraph 2
2. Conformity assessments shall be carried out in a proportionate manner, avoiding unnecessary burdens for economic operators. Conformity assessment bodies shall perform their activities taking due account of the size of an undertaking, the sector in which it operates, its structure, the degree of complexity and the risk exposure of the product type and technology in question and the mass or serial nature of the production process.
2023/04/28
Committee: IMCO
Amendment 262 #
Proposal for a regulation
Article 41 – paragraph 11 a (new)
11 a. For products with digital elements falling within the scope of this Regulation, distributed, put into service or used by financial institutions regulated by relevant Union legislation on financial services, the market surveillance authority for the purposes of this Regulation shall be the relevant authority responsible for the financial supervision of those institutions under that legislation.
2023/04/28
Committee: IMCO
Amendment 266 #
Proposal for a regulation
Article 43 – paragraph 1 – subparagraph 2
Where, in the course of that evaluation, the market surveillance authority finds that the product with digital elements does not comply with the requirements laid down in this Regulation or otherwise present threat to national security, it shall without delay require the relevant operator to take all appropriate corrective actions to bring the product into compliance with those requirements, to withdraw it from the market, or to recall it within a reasonable period, commensurate with the nature of the risk, as it may prescribe.
2023/04/28
Committee: IMCO
Amendment 268 #
Proposal for a regulation
Article 43 – paragraph 4 – subparagraph 1
Where the manufacturer of a product with digital elements does not take adequate corrective action within the period referred to in paragraph 1, second subparagraph, or the relevant Member States authority consider product to present threat to the national security, the market surveillance authority shall take all appropriate provisional measures to prohibit or restrict that product being made available on its national market, to withdraw it from that market or to recall it.
2023/04/28
Committee: IMCO
Amendment 268 #
Proposal for a regulation
Article 10 – paragraph -1 (new)
-1. Software manufacturers which qualify as a microenterprise as defined in Commission Recommendation 2003/361/EC shall make best efforts to comply with the requirements in this Regulation during the 12 months from placing a software on the market.
2023/05/04
Committee: ITRE
Amendment 269 #
Proposal for a regulation
Article 43 – paragraph 7
7. Where, within three months of receipt of the information referred to in paragraph 4, no objection has been raised by either a Member State or the Commission in respect of a provisional measure taken by a Member State, that measure shall be deemed justified. The decision referred to in paragraph 1, concerning threat to national security shall always be deemed justified. This is without prejudice to the procedural rights of the operator concerned in accordance with Article 18 of Regulation (EU) 2019/1020.
2023/04/28
Committee: IMCO
Amendment 270 #
Proposal for a regulation
Article 45 – paragraph 1
1. Where the Commission has sufficient reasons to consider, including based on information provided by the competent authorities of Member States, the computer security incident response teams (CSIRTs) designated or established in accordance with Directive (EU) 2022/2555 or ENISA, that a product with digital elements that presents a significant cybersecurity risk is non-compliant with the requirements laid down in this Regulation, it may request the relevant market surveillance authorities to carry out an evaluation of compliance and follow the procedures referred to in Article 43.
2023/04/28
Committee: IMCO
Amendment 272 #
Proposal for a regulation
Article 45 – paragraph 2
2. In exceptional circumstances which justify an immediate intervention to preserve the good functioning of the internal market and where the Commission has sufficient reasons, substantiated by relevant data, to consider that the product referred to in paragraph 1 remains non-compliant with the requirements laid down in this Regulation and no effective measures have been taken by the relevant market surveillance authorities, the Commission may request the relevant Member State authority to carry out an evaluation of compliance. The Commission shall inform the relevant market surveillance authorities and ENISA accordingly. The relevant economic operators shall cooperate as necessary with ENISA.
2023/04/28
Committee: IMCO
Amendment 275 #
Proposal for a regulation
Article 45 – paragraph 3
3. Based on the Member State authority's evaluation and recommendation, the Commission may decide that a corrective or restrictive measure is necessary at Union level. To this end, it shall without delay consult the Member States concerned and the relevant economic operator or operators.
2023/04/28
Committee: IMCO
Amendment 292 #
Proposal for a regulation
Article 53 – paragraph 6 – point a a (new)
(a a) the type of manufactured product and whether entity qualifies as microenterprise for the specific compliance regime outlined in the Article 10(-1) of this Regulation.
2023/04/28
Committee: IMCO
Amendment 299 #
Proposal for a regulation
Article 57 – paragraph 2
It shall apply from [2436 months after the date of entry into force of this Regulation]. However Article 11 shall apply from [124 months after the date of entry into force of this Regulation] and Articles 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38 shall apply from [30 months after the entry into force of this Regulation].
2023/04/28
Committee: IMCO
Amendment 304 #
Proposal for a regulation
Annex I – Part 1 – point 2
(2) Products with digital elements shall be delivered in a way that does not wilfully create cybersecurity risks;
2023/04/28
Committee: IMCO
Amendment 307 #
Proposal for a regulation
Annex I – Part 1 – point 3 – point a
(a) be delivered with a secure by default configuration, including the possibility to reset the product to its default security configuration;
2023/04/28
Committee: IMCO
Amendment 343 #
Proposal for a regulation
Annex V – paragraph 1 – point 1 – point a
(a) its intended purpose; deleted
2023/04/28
Committee: IMCO
Amendment 344 #
Proposal for a regulation
Annex V – paragraph 1 – point 2
2. a description of the design, development and production of the product and vulnerability handling processes, including: (a) complete information on the design and development of the product with digital elements, including, where applicable, drawings and schemes and/or a description of the system architecture explaining how software components build on or feed into each other and integrate into the overall processing; (b) specifications of the vulnerability handling processes put in place by the manufacturer, including the software bill of materials, the coordinated vulnerability disclosure policy, evidence of the provision of a contact address for the reporting of the vulnerabilities and a description of the technical solutions chosen for the secure distribution of updates; (c) specifications of the production and monitoring processes of the product with digital elements and the validation of these processes. deleted
2023/04/28
Committee: IMCO
Amendment 347 #
Proposal for a regulation
Annex V – paragraph 1 – point 3
3. an assess statement of the cybersecurity risks against which the product with digital elements is designed, developed, produced, delivered and maintained as laid down in Article 10 of this Regulation;
2023/04/28
Committee: IMCO
Amendment 445 #
Proposal for a regulation
Article 53 – paragraph 6 – point a a (new)
(aa) the type of manufactured product and whether entity qualifies as microenterprise for the specific compliance regime outlined in the Article 10(-1) of this Regulation.
2023/05/04
Committee: ITRE