Activities of Marc BOTENGA related to 2022/0272(COD)

Shadow reports (1)

REPORT on the proposal for a regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020
2023/07/27
Committee: ITRE
Dossiers: 2022/0272(COD)
Documents: PDF(755 KB) DOC(228 KB)
Authors: Nicola DANTI

Amendments (15)

Amendment 139 #
Proposal for a regulation
Recital 10
(10) In order to enhance the collaborative development of free and open source software and not to hamper innovation or research, only free and open-source software developed or supplied outside the course ofused as a monetised product in a commercial activity should not be covered by this Regulation. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. In the context of software, a commercial activity might be characterized not only by charging a price for a product, but also by charging a price for technical support services, by providing a software platform through which the manufacturer monetises other services, or by the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software. Under this Regulation, as manufacturer is considered the party commercially supplying the product to the market.
2023/05/04
Committee: ITRE
Amendment 153 #
Proposal for a regulation
Recital 24 a (new)
(24a) Manufacturers of products with digital elements shall provide software updates in a clear and transparent way in order to enhance the security protection and the functionality of the products, during the entire duration of the product's expected lifetime. Functionality and security updates shall be differentiated and users shall be clearly informed by the manufacturers regarding the nature and features of the updates. Software updates shall not intentionally affect the functionalities and the intended use of the products nor lessen its expected period of lifetime.
2023/05/04
Committee: ITRE
Amendment 156 #
Proposal for a regulation
Recital 26
(26) Critical products with digital elements should be subject to stricter third-party conformity assessment procedures, while keeping a proportionate approachcertified by the relevant EU and Member States' authorities. For this purpose, critical products with digital elements should be divided into two classes, reflecting the level of cybersecurity risk linked to these categories of products. A potential cyber incident involving products in class II might lead to greater negative impacts than an incident involving products in class I, for instance due to the nature of their cybersecurity-related function or intended use in sensitive environments, and therefore should undergo a stricter conformity assessment procedure.
2023/05/04
Committee: ITRE
Amendment 217 #
Proposal for a regulation
Article 2 – paragraph 5 a (new)
5a. This regulation does not apply to free and open source software supplied outside the course of a commercial activity.
2023/05/04
Committee: ITRE
Amendment 287 #
8. Manufacturers shall keep the technical documentation and the EU declaration of conformity, where relevant, at the disposal of the market surveillance authorities for ten years after the product with digital elements has been placed on the market.
2023/05/04
Committee: ITRE
Amendment 292 #
Proposal for a regulation
Article 10 – paragraph 10
10. Manufacturers shall ensure that products with digital elements are accompanied by the information and instructions set out in Annex II, in an electronic or physical form. Such information and instructions shall be in a language which can be easily understood by users. They shall be clear, understandable, intelligible and legible. They shall allow for a secure installation, operation and use of the products with digital elements. The expected product lifetime shall be communicated and advertised in a clear manner by the manufacturers, and where feasible the expected lifetime shall be clearly demonstrated on the packaging of the product.
2023/05/04
Committee: ITRE
Amendment 297 #
Proposal for a regulation
Article 10 – paragraph 12
12. From the placing on the market and for the entire expected product lifetime or for a period of five years after the placing on the marketlifespan of a product with digital elements, whichever is shorter, manufacturers who know or have reason to believe that the product with digital elements or the processes put in place by the manufacturer are not in conformity with the essential requirements set out in Annex I shall immediately take the corrective measures necessary to bring that product with digital elements or the manufacturer’s processes into conformity, to withdraw or to recall the product, as appropriate.
2023/05/04
Committee: ITRE
Amendment 336 #
Proposal for a regulation
Article 11 – paragraph 7
7. Manufacturers shall, upon identifying a vulnerability in a component, including in an open source component, which is integrated in the product with digital elements, report the vulnerability to the person or entity maintaining the component. Software modifications in a component developed by manufacturers in order to address reported vulnerabilities shall be shared, including the relevant code, to the person or entity maintaining the component.
2023/05/04
Committee: ITRE
Amendment 357 #
Proposal for a regulation
Article 16 – paragraph 1
A natural or legal person, other than the manufacturer, the importer or the distributor, that carries out a substantial modification of the product with digital elements and commercially supplies it in the market, shall be considered a manufacturer for the purposes of this Regulation.
2023/05/04
Committee: ITRE
Amendment 378 #
Proposal for a regulation
Article 24 – paragraph 3 – introductory part
3. Where the product is a critical product with digital elements of class II as set out in Annex III, the manufacturer or the manufacturer’s authorised representative shall demonstrate conformity with the essential requirements set out in Annex I by acquiring a cybersecurity certificate issued by a European authority, under the European cybersecurity certification scheme and at assurance level "high" as listed in the Regulation (EU) 2019/881. For products with digital elements for which a European cybersecurity certification scheme does not exist or covers them only partially, the manufacturer or the manufacturer’s authorised representative shall demonstrate conformity with the essential requirements set out in Annex I by using one of the following procedures:
2023/05/04
Committee: ITRE
Amendment 380 #
Proposal for a regulation
Article 24 – paragraph 3 – point b a (new)
(ba) ENISA shall prepare the missing candidate schemes in order to cover all products listed in Annex III, in accordance with Article 48 of the (EU) 2019/881 Regulation.
2023/05/04
Committee: ITRE
Amendment 406 #
Proposal for a regulation
Article 41 a (new)
Article 41a
Civil society participation in market surveillance activities
The active participation of the relevant actors of the civil society (consumers’ organizations, the scientific community, trade unions, etc.) in market surveillance activities, shall be ensured by market surveillance authorities in the Member States and at EU level, in order to create mechanisms to facilitate the voluntary reporting of vulnerabilities, incidents, and cyber threats.
2023/05/04
Committee: ITRE
Amendment 409 #
Proposal for a regulation
Article 43 – paragraph 1 – subparagraph 1
Where the market surveillance authority of a Member State has sufficient reasons to consider that a product with digital elements, including its vulnerability handling, presents a significant cybersecurity risk, it shall carry out without undue delay an evaluation of the product with digital elements concerned in respect of its compliance with all the requirements laid down in this Regulation. The relevant economic operators shall cooperate as necessary with the market surveillance authority.
2023/05/04
Committee: ITRE
Amendment 410 #
Proposal for a regulation
Article 43 – paragraph 1 – subparagraph 2
Where, in the course of that evaluation, the market surveillance authority finds that the product with digital elements does not comply with the requirements laid down in this Regulation, it shall without delay, and within a maximum of five working days, require the relevant economic operator to take all appropriate corrective actions to bring the product into compliance with those requirements, to withdraw it from the market, or to recall it within a reasonable period, commensurate with the nature of the risk, as it may prescribe.
2023/05/04
Committee: ITRE
Amendment 436 #
Proposal for a regulation
Article 49 a (new)
Article 49a
Right to compensation for damage or loss
Consumers suffering damage or loss caused by infringements of the obligations under this Regulation by the relevant economic operators, have the right to seek compensation, in accordance with Union and national law.
2023/05/04
Committee: ITRE