BETA

Activities of Arba KOKALARI related to 2022/0272(COD)

Shadow opinions (1)

2023/06/30
Committee: IMCO
Dossiers: 2022/0272(COD)
Documents: PDF(382 KB) DOC(245 KB)
Authors: [{'name': 'Morten LØKKEGAARD', 'mepid': 96709}]

Amendments (65)

Proposal for a regulation
Recital 19

(19) Certain tasks provided for in this Regulation should be carried out by ENISA, in accordance with Article 3(2) of Regulation (EU) 2019/881. In particular, ENISA should receive notifications from manufacturers of actively exploited vulnerabilities contained in products with digital elements, as well as incidents having an impact on the security of those products. ENISA should also forward these notifications to the relevant Computer Security Incident Response Teams (CSIRTs) or, respectively, to the relevant single points of contact of the Member States designated in accordance with Article [Article X] of Directive [Directive XXX / XXXX (NIS2)], and inform the relevant market surveillance authorities about the notified vulnerability. On the basis of the information it gathers, ENISA should prepare a biennial technical report on emerging trends regarding cybersecurity risks in products with digital elements and submit it to the Cooperation Group referred to in Directive [Directive XXX / XXXX (NIS2)]. Furthermore, considering its expertise and mandate, ENISA should be able to support the process for implementation of this Regulation. In particular, it should be able to propose joint activities to be conducted by market surveillance authorities based on indications or information regarding potential non-compliance with this Regulation of products with digital elements across several Member States or identify categories of products for which simultaneous coordinated control actions should be organised. In exceptional circumstances, at the request of the Commission, ENISA should be able to conduct evaluations in respect of specific products with digital elements that present a significant cybersecurity risk, where an immediate intervention is required to preserve the good functioning of the internal market. ENISA should publish and maintain a known exploited vulnerability catalogue, as an authoritative source of vulnerabilities exploited. Manufacturers should monitor the catalogue and notify any listed vulnerability found in their product. Active exploitation in this context does not include scanning, security research exploits or Proofs of Concept.

2023/04/28
Committee: IMCO

Proposal for a regulation
Recital 22

(22) In order to ensure that products with digital elements, when placed on the market, do not pose cybersecurity risks to persons and organisations, essential requirements should be set out for such products. When the products are subsequently modified, by physical or digital means, in a way that is not foreseen by the manufacturer and that may imply that they no longer meet the relevant essential requirements, the modification should be considered as substantial. For example, software updates or repairs could be assimilated to maintenance operations provided that they do not modify a product already placed on the market in such a way that compliance with the applicable requirements may be affected~~, or that the intended use for which the product has been assessed may be changed~~. As is the case for physical repairs or modifications, a product with digital elements should be considered as substantially modified by a software change where the software update modifies the original intended functions, type or performance of the product and these changes were not foreseen in the initial risk assessment, or the nature of the hazard has changed or the level of risk has significantly increased because of the software update.

2023/04/28
Committee: IMCO

Proposal for a regulation
Recital 23

(23) In line with the commonly established notion of substantial modification for products regulated by Union harmonisation legislation, whenever a substantial modification occurs that may affect the compliance of a product with this Regulation or when the intended purpose of that product changes, , it is appropriate that the compliance of the product with digital elements is verified and that, where applicable, ~~it undergoes a new~~the conformity assessment is updated. Where applicable, if the manufacturer undertakes a conformity assessment involving a third party, changes that might lead to substantial modifications should be notified to the third party. Should a substantial modification be deemed to occur, the update to the conformity assessment should focus solely on the aspects of the assessment affected by the modification.

2023/04/28
Committee: IMCO

Proposal for a regulation
Recital 32

(32) In order to ensure that products with digital elements are secure both at the time of their placing on the market as well as throughout their life-cycle, it is necessary to lay down essential requirements for vulnerability handling and essential cybersecurity requirements relating to the properties of products with digital elements. While manufacturers should comply with all essential requirements related to vulnerability handling and ensure that all their products are delivered without any known exploitable vulnerabilities, they should determine which other essential requirements related to the product properties are relevant for the concerned type of product. For this purpose, manufacturers should undertake an assessment of the cybersecurity risks associated with a product with digital elements to identify relevant risks and relevant essential requirements and in order to appropriately apply suitable harmonised standards ~~or common specifications~~.

2023/04/28
Committee: IMCO

Proposal for a regulation
Recital 35

(35) Manufacturers should also report to ENISA any incident having an impact on the security of the product with digital elements. Notwithstanding the incident reporting obligations in Directive [Directive XXX/XXXX (NIS2)] for essential and important entities, it is crucial for ENISA, the single points of contact designated by the Member States in accordance with Article [Article X] of Directive [Directive XXX/XXXX (NIS2)] and the market surveillance authorities to receive information from the manufacturers of products with digital elements allowing them to assess the security of these products. In order to ensure that users can react quickly to incidents having an impact on the security of their products with digital elements, manufacturers should also inform their users about any such incident and, where applicable, about any corrective measures that the users can deploy to mitigate the impact of the incident, for example by publishing relevant information on their websites or, where the manufacturer is able to contact the users and where justified by the risks, by reaching out to the users directly.deleted

2023/04/28
Committee: IMCO

Proposal for a regulation
Recital 45

(45) As a general rule the conformity assessment of products with digital elements should be carried out by the manufacturer under its own responsibility following the procedure based on Module A of Decision 768/2008/EC. The manufacturer should retain flexibility to choose a stricter conformity assessment procedure involving a third-party. If the product is classified as a critical product of class I, additional assurance is required to demonstrate conformity with the essential requirements set out in this Regulation. The manufacturer should apply harmonised standards~~, common specifications~~ or cybersecurity certification schemes under Regulation (EU) 2019/881 which have been identified by the Commission in an implementing act, if it wants to carry out the conformity assessment under its own responsibility (module A). If the manufacturer does not apply such harmonised standards~~, common specifications~~ or cybersecurity certification schemes, the manufacturer should undergo conformity assessment involving a third party. Taking into account the administrative burden on manufacturers and the fact that cybersecurity plays an important role in the design and development phase of tangible and intangible products with digital elements, conformity assessment procedures respectively based on modules B+C or module H of Decision 768/2008/EC have been chosen as most appropriate for assessing the compliance of critical products with digital elements in a proportionate and effective manner. The manufacturer that carries out the third- party conformity assessment can choose the procedure that suits best its design and production process. Given the even greater cybersecurity risk linked with the use of products classified as critical class II products, the conformity assessment should always involve a third party.

2023/04/28
Committee: IMCO

Proposal for a regulation
Recital 62

(62) In order to ensure that the regulatory framework can be adapted where necessary, the power to adopt acts in accordance with Article 290 of the Treaty should be delegated to the Commission in respect of updates to the list of critical products in Annex III and specifying the definitions of the these product categories. Power to adopt acts in accordance with that Article should be delegated to the Commission to identify products with digital elements covered by other Union rules which achieve the same level of protection as this Regulation, specifying whether a limitation or exclusion from the scope of this Regulation would be necessary as well as the scope of that limitation, if applicable. Power to adopt acts in accordance with that Article should also be delegated to the Commission in respect of the potential ~~mandating of~~voluntary certification of certain highly critical products with digital elements based on criticality crieria set out in this Regulation, as well as for specifying the minimum content of the EU declaration of conformity and supplementing the elements to be included in the technical documentation. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Inter-institutional Agreement of 13 April 2016 on Better Law-Making 33 . In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States’ experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts. __________________ 33 OJ L 123, 12.5.2016, p. 1.

2023/04/28
Committee: IMCO

Proposal for a regulation
Recital 63

(63) In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission to: specify the format and elements of the software bill of materials, specify further the type of information, format and procedure of the notifications on actively exploited vulnerabilities and incidents submitted to ENISA by the manufacturers, based on industry best practices, specify the European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 that can be used to demonstrate conformity with the essential requirements or parts therefore as set out in Annex I of this Regulation, adopt common specifications in respect of the essential requirements set out in Annex I, lay down technical specifications for pictograms or any other marks related to the security of the products with digital elements, and mechanisms to promote their use, decide on corrective or restrictive measures at Union level in exceptional circumstances which justify an immediate intervention to preserve the good functioning of the internal market. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council34 . __________________ 34 Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the Member States of the Commission's exercise of implementing powers (OJ L 55, 28.2.2011, p.13).

2023/04/28
Committee: IMCO

Proposal for a regulation
Recital 69

(69) Economic operators should be provided with a sufficient time to adapt to the requirements of this Regulation. This Regulation should apply [248 months] from its entry into force, with the exception of the reporting obligations concerning ~~actively~~known exploited vulnerabilities and significant incidents, which should apply [124 months] from the entry into force of this Regulation.

2023/04/28
Committee: IMCO

Proposal for a regulation
Recital 71 a (new)

(71 a) The Commission shall present easy-to-understand guidelines for businesses with the requirements of this Regulation. When developing such guidelines, the Commission should take into consideration needs of SMEs so as to keep administrative and financial burdens to a minimum while facilitating their compliance with this Regulation. The Commission should consult relevant stakeholders, with expertise in the field of cybersecurity.

2023/04/28
Committee: IMCO

Proposal for a regulation
Recital 71 b (new)

(71 b) Where third party assessment is mandated, such assessment should take into account: the similarity of products with digital elements by accepting one product as representative of a family or category of products for assessment purposes due to them having equitable hardware and/or software; reciprocity to eliminate duplication by accepting of other entities’ assessments or certification (e.g. recognition of assessments from qualified bodies outside the Union; reuse of certifications); deltas in order to only focus on additional requirements not covered by other entities’ assessments and not reassessing the whole set; attestation in order to accept assessments from the manufacturer for certain aspects of the wider third-party assessment; and maintenance to allow certain changes or software updates to the product without requiring reassessment. In particular, software updates that do not weaken the security posture of the product should not be considered as justifiable to require reassessment.

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 2 – paragraph 4 – subparagraph 2

~~The Commission is empowered to adopt~~ delegated acts in accordance with Article 50 to amend this Regulation specifying whether such limitation or exclusion is necessary, the concerned products and rules, as well as the scope of the limitation, if relevant.

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 3 – paragraph 1 – point 1 a (new)

(1 a) 'partly completed products with digital elements’ means an assembly which cannot in itself function so as to perform a specific application and which is only intended to be incorporated into or assembled with a product with digital elements or other partly completed product with digital elements, thereby forming a product with digital elements;

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 3 – paragraph 1 – point 31

(31) ‘substantial modification’ means a change to the product with digital elements, excluding security and maintenance updates, following its placing on the market, which affects the compliance of the product with digital elements with the essential requirements set out in Section 1 of Annex I or results in a modification to the intended use for which the product with digital elements has been assessed;

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 3 – paragraph 1 – point 39

(39) ‘actively exploited vulnerability’ means a patched vulnerability for which there is reliable evidence that execution of malicious code was performed by an actor on a system without permission of the system owner;

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 3 – paragraph 1 – point 40 a (new)

(40 a) ‘life-cycle’ means the period from the moment that product covered by this Regulation is placed on the market or put into service until the moment that it is discarded, including the effective time when it is capable of being used and the phases of transport, assembly, dismantling, disabling, scrapping or other physical or digital modifications foreseen by the manufacturer;

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 4 – paragraph 1

1. Member States shall not impede, for the matters covered by this Regulation, the making available on the market of products with digital elements or partly completed products with digital elements which comply with this Regulation.

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 4 – paragraph 2

2. At trade fairs, exhibitions and demonstrations or similar events, Member States shall not prevent the presentation and use of a product with digital elements or partly completed products with digital elements which does not comply with this Regulation.

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 6 – paragraph 2 – introductory part

2. The Commission is empowered to adopt delegated acts in accordance with Article 50 to amend Annex III by including in the list of categories of critical products with digital elements a new category or withdrawing an existing one from that list 48 months after the start of application of this Regulation and every 5 years thereafter. When assessing the need to amend the list in Annex III, the Commission shall take into account the level of cybersecurity risk related to the category of products with digital elements. In determining the level of cybersecurity risk, one or several of the following criteria shall be taken into account:

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 6 – paragraph 2 – point c

(c) the intended use and scale of performing critical or sensitive functions, such as the volume of processing of personal data;

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 6 – paragraph 3

~~3. The Commission is empowered to adopt a~~ delegated act in accordance with Article 50 to supplement this Regulation by specifying the definitions of the product categories under class I and class II as set out in Annex III. The delegated act shall be adopted [by 12 months since the entry into force of this Regulation].

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 6 – paragraph 5 – introductory part

5. The Commission is empowered to adopt delegated acts in accordance with Article 50 to supplement this Regulation by specifying categories of highly critical products with digital elements for which the manufacturers ~~shall be required to~~may obtain a European cybersecurity certificate under a European cybersecurity certification scheme pursuant to Regulation (EU) 2019/881 to demonstrate conformity with the essential requirements set out in Annex I, or parts thereof. When determining such categories of highly critical products with digital elements, the Commission shall take into account the level of cybersecurity risk related to the category of products with digital elements, in light of one or several of the criteria listed in paragraph 2, as well as in view of the assessment of whether that category of products is:

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 7 – paragraph 1

~~By way of derogation from Article 2(1), third subparagraph, point (b), of~~Products falling under the Regulation [General Product Safety Regulation] wheich are products with digital elements ~~are not subject to specific requirements laid down~~ within the meaning other Union harmonisation legislation within the meaning of [Article 3, point (25) of the General Product Safety Regulation], Chapter III, Section 1, Chapters V and VII, and Chapters IX to XI of Regulation [General Product Safety Regulation] shall apply to those products with respect to safety risks not covered byf this Regulation shall be deemed to be in conformity with Article 5a-1(h) of the General Product Safety Regulation], when they comply with the requirements of this Regulation.

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 8 – paragraph 2

2. For the products and cybersecurity requirements referred to in paragraph 1, the relevant conformity assessment procedure as required by Article [Article 43] of Regulation [AI Regulation] shall apply. For the purpose of that assessment, notified bodies which are entitled to control the conformity of the high-risk AI systems under the Regulation [AI Regulation] shall be also entitled to control the conformity of the high-risk AI systems within the scope of this Regulation with the requirements set out in Annex I to this Regulation, provided that the compliance of those notified bodies with the requirements laid down in Article 29 of this Regulation have been assessed in the context of the notification procedure under Regulation [AI Regulation].deleted

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 8 – paragraph 3

3. By derogation from paragraph 2, critical products with digital elements listed in Annex III of this Regulation, which have to apply the conformity assessment procedures referred to in Articles 24(2)(a), 24(2)(b), 24(3)(a) and 24(3)(b) under this Regulation and which are also classified as high-risk AI systems according to Article [Article 6] of the Regulation [AI Regulation] and to which the conformity assessment procedure based on internal control referred to in Annex [Annex VI] to Regulation [the AI Regulation] applies, shall be subject to the conformity assessment procedures as required by this Regulation in so far as the essential requirements of this Regulation are concerned.deleted

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 9 – paragraph 1

Machinery products under the scope of Regulation [Machinery Regulation proposal] which are products with digital elements within the meaning of this Regulation and for which an EU declaration of conformity has been issued on the basis of this Regulation shall be deemed to be in conformity with the essential health and safety requirements set out in Annex [Annex III, Sections 1.1.9 and 1.2.1] to Regulation [Machinery Regulation proposal], as regards protection against corruption and safety and reliability of control systems, and in so far as the achievement of the level of protection required by those requirements is demonstrated in the EU declaration of conformity issued under this Regulation.deleted

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 10 – paragraph 6 – subparagraph 1

When placing a product with digital elements on the market, and for the expected product lifetime at the time of placing that product on the market or for a period of five years from the placing of the product on the market, whichever is shorter, manufacturers shall ensure that vulnerabilities of that product are handled effectively and in accordance with the essential requirements set out in Section 2 of Annex I.

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 11 – paragraph 1

1. The manufacturer shall, without undue delay and ~~in any event within 24 hours of becoming aware of it, notify to ENISA any actively exploited~~when it has a reasonable belief that a critical or high vulnerability listed in the known exploited vulnerability catalogue referred to in paragraph 5a is present and exploitable in the product with digital elements, and after clear remediation guidance is made available, notify to ENISA such listed known vulnerability contained in the product with digital elements. The notification shall include details concerning that vulnerability and, where applicable, any corrective or mitigating measures taken. ENISA shall, without undue delay, unless for justified cybersecurity risk-related grounds, forward the notification to the CSIRT designated for the purposes of coordinated vulnerability disclosure in accordance with Article [Article X] of Directive [Directive XXX/XXXX (NIS2)] of Member States concerned upon receipt and inform the market surveillance authority about the notified vulnerability.

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 11 – paragraph 2

2. The manufacturer shall, without undue delay and ~~in any event within 24 hours of becoming aware of it, notify to ENISA~~when it has a reasonable belief that a significant incident has occurred, notify any incident having a significant impact on the security of the product ~~with digital elements. ENISA shall, without undue delay, unless for justified cybersecurity risk-related grounds, forward the notification~~development, build and distribution environment of the product with digital elements to the single point of contact designated in accordance with Article [Article X] of Directive [Directive XXX/XXXX (NIS2)] of the Member States concerned and inform the market surveillance authority about the notified significant incidents. The significant incident notification shall include ~~information on the severity and impact of the incident~~strictly necessary information to make the competent authority aware of the incident and allow the entity to seek assistance if requires and, where applicable, indicate whether the manufacturer suspects the incident to be caused by unlawful or malicious acts or considers it to have a cross-border impact. The mere act of notification shall not subject the notifying entity to increased liability.

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 11 – paragraph 3

3. ENISA shall submit to the European cyber crisis liaison organisation network (EU-CyCLONe) established by Article [Article X] of Directive [Directive XXX/XXXX (NIS2)] information notified pursuant to paragraphs 1 ~~and 2~~ if such information is relevant for the coordinated management of large-scale cybersecurity significant incidents and crises at an operational level.

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 11 – paragraph 4

4. The manufacturer shall inform, without undue delay and after becoming aware, the users of the product with digital elements ~~about the~~, where appropriate and if likely to be adversely affected by the significant incident and, where necessary, about corrective measures that the user can deploy to mitigate the impact of the incident.

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 11 – paragraph 6

6. ENISA, on the basis of the notifications received pursuant to paragraphs 1 and 2, shall prepare a biennial technical report on emerging trends regarding cybersecurity risks in products with digital elements and submit it to the Cooperation Group referred to in Article [Article X] of Directive [Directive XXX/XXXX (NIS2)]. The first such report shall be submitted within 24 months after the obligations laid down in paragraphs 1 ~~and 2~~ start applying.

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 18 – paragraph 1 a (new)

1 a. The Commission shall, as provided in Article 10(1) of Regulation (EU) 1025/2012, request one or more European standardisation organisations to draft harmonised standards for the requirements set out in Annex I.

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 19 – paragraph 1

Where harmonised standards referred to in Article 18 do not exist or where the Commission considers that the relevant harmonised standards are insufficient to satisfy the requirements of this Regulation or to comply with the standardisation request of the Commission, or where there are undue delays in the standardisation procedure or where the request for harmonised standards by1. The Commission may adopt implementing acts establishing common specifications covering technical requirements that provide a means to comply with the essential health and safety requirements set out in Annex I for products within the scope of this Regulation. Those implementing acts shall only be adopted where the following conditions are fulfilled: (a) the Commission has requested, pursuant to Article 10(1) of Regulation (EU) No 1025/2012, one or more European standardisation organisations to draft a harmonised standard for the essential requirements set out in Annex I and: (i) the request has not been accepted; or (ii) the harmonised standards addressing that request are not delivered within the deadline set in accordance with Article 10(1) of Regulation (EU) 1025/2012; or (iii) the harmonised standards do not comply with the request; and (b) no reference to harmonised standards covering the requirements set out in Annex I has been published in the Official Journal of the European Union in accordance with Regulation (EU) 1025/2012 and no such reference is expected to be published within a reasonable period. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(3). 2. Before preparing the draft implementing act referred to in paragraph 3, the Commission shall inform the committee referred to in Article 22 of Regulation (EU) 1025/2012 that it considers that the conditions in paragraph 3 have been fulfilled. 3. When preparing the draft implementing act referred to in paragraph 1, the Commission sha~~s not been acce~~ll take into account the views of relevant bodies or the expert group and shall duly consult all relevant stakeholders. 4. Where a harmonised standard is adopted by ~~the~~a European standardisation organisations, the Commission is empowered, by means of implementing acts, to adopt common specifications in respect of the essential requirements set out in Annex I. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 51(2). and proposed to the Commission for the purpose of publishing its reference in the Official Journal of the European Union, the Commission shall assess the harmonised standard in accordance with Regulation (EU) 1025/2012. When reference of a harmonised standard is published in the Official Journal of the European Union, the Commission shall repeal the implementing acts referred to in paragraph 1, or parts thereof which cover the same requirements as those covered by that harmonised standard. 5. When a Member State considers that a common specification does not entirely satisfy the requirements set out in Annex I, it shall inform the Commission thereof by submitting a detailed explanation. The Commission shall assess that detailed explanation and may, if appropriate, amend the implementing act establishing the common specification in question.

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 22 – paragraph 6 a (new)

6 a. The Commission shall present easy-to-understand guidelines for businesses with the requirements of this Regulation. When developing such guidelines, the Commission should take into consideration needs of SMEs so as to keep administrative and financial burdens to a minimum while facilitating their compliance with this Regulation. The Commission should consult relevant stakeholders, with expertise in the field of cybersecurity.

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 23 – paragraph 3

3. For products with digital elements ~~referred to in Articles 8 and 24(4)~~ that are also subject to other Union acts, one single technical documentation shall be drawn up containing the information referred to in Annex V of this Regulation and the information required by those respective Union acts.

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 23 – paragraph 5

~~5. The Commission is empowered to adopt~~ delegated acts in accordance with Article 50 to supplement this Regulation by the elements to be included in the technical documentation set out in Annex V to take account of technological developments, as well as developments encountered in the implementation process of this Regulation.

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 24 – paragraph 4 a (new)

4 a. For products to which Union harmonisation legislation based on the New Legislative Framework apply, the manufacturer shall follow the relevant conformity assessment as required under those legal acts. The requirements set out in Chapter 3 shall apply to those products.

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 24 a (new)

Article 24 a Where products with digital elements have equitable hardware or software, one product model can be representative of a family of products for the purposes of the following conformity assessment procedures: (a) the internal control procedure (based on module A) set out in Annex VI; or (b) the EU-type examination procedure (based on module B) set out in Annex VI followed by conformity to EU-type based on internal production control (based on module C) set out in Annex VI.

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 27 – paragraph 5

5. A notifying authority shall safeguard the confidentiality of the information it obtains, especially trade secrets and proprietary information.

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 27 – paragraph 6 a (new)

6 a. A notifying authority shall be organised in such a way so that bureaucracy and fees are at an absolute minimum, especially for SMEs.

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 29 – paragraph 10

10. The personnel of a conformity assessment body shall observe professional secrecy with regard to all information obtained in carrying out their tasks under Annex VI or any provision of national law giving effect to it, except in relation to the market surveillance authorities of the Member State in which its activities are carried out. Proprietary rights, trade secrets and other sensitive information shall be protected. The conformity assessment body shall have documented procedures ensuring compliance with this paragraph.

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 29 – paragraph 12

12. Conformity assessment bodies shall operate in accordance with a set of consistent, fair and reasonable terms and conditions, in particular taking into account the interests of SMEs in relation to fees and also respecting the confidentiality of trade secrets and proprietary information.

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 36 – paragraph 3

3. The Commission shall ensure that all trade secrets and sensitive information obtained in the course of its investigations is treated confidentially.

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 37 – paragraph 2

2. Conformity assessments shall be carried out in a proportionate manner, avoiding unnecessary burdens for economic operators, with special considerations for SMEs. Conformity assessment bodies shall perform their activities taking due account of the size of an undertaking, the sector in which it operates, its structure, the degree of complexity of the product technology in question and the mass or serial nature of the production process.

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 39 – paragraph 1

The Commission shall provide for the organisation of exchange of experience between the Member States' national authorities responsible for notification policy. Experience and knowledge which also can facilitate corporate compliance must also be made publicly available by the Commission.

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 40 – paragraph 1

1. The Commission shall ensure that appropriate coordination and cooperation between notified bodies are put in place in a way that reduces bureaucracy and fees, and properly operated in the form of a cross-sectoral group of notified bodies.

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 40 – paragraph 2

2. Member States shall ensure that the bodies notified by them participate in the work of that group, directly or by means of designated representatives, in a way that reduces bureaucracy and fees.

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 42 – paragraph 1

Where necessary to assess the conformity of products with digital elements and the processes put in place by their manufacturers with the essential requirements set out in Annex I and upon a reasoned request, the market surveillance authorities shall be granted access to the data required to assess the design, development, production and vulnerability handling of such products, including related internal documentation of the respective economic operator. Where appropriate, and in accordance with Article 52(1) point (a), this shall be in a secure, controlled environment determined by the manufacturer.

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 55 – paragraph 1

1. EU type-examination certificates and approval decisions issued regarding cybersecurity requirements for products with digital elements that are subject to other Union harmonisation legislation shall remain valid until [42 months after the date of entry into force of this Regulation], unless they expire ~~before~~after that date, or unless otherwise specified in other Union legislation, in which case they shall remain valid as referred to in that Union legislation.

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 57 – paragraph 2

It shall apply from [248 months after the date of entry into force of this Regulation]. However Article 11 shall apply from [12 months after the date of entry into force of this Regulation].

2023/04/28
Committee: IMCO

Proposal for a regulation
Annex I – Part 1 – point 2

(2) Products with digital elements shall be delivered without any known critical or high severity exploitable vulnerabilities;

2023/04/28
Committee: IMCO

Proposal for a regulation
Annex I – Part 1 – point 3 – point a

(a) be delivered with a secure by default configuration~~, including the possibility to reset the product to its original state~~;

2023/04/28
Committee: IMCO

Proposal for a regulation
Annex I – Part 1 – point 3 – point c

(c) protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encryptingon, tokenization, compensating controls or other adequate protection of relevant data at rest or in transit by state of the art mechanisms;

2023/04/28
Committee: IMCO

Proposal for a regulation
Annex I – Part 1 – point 3 – point i

(i) be designed, developed and produced to reduce the impact of an significant incident using appropriate exploitation mitigation mechanisms and techniques;

2023/04/28
Committee: IMCO

Proposal for a regulation
Annex I – Part 1 – point 3 – point k

(k) ensure that vulnerabilities can be addressed through security updates, including, where applicable, separate from functionality updates and through automatic updates and the notification of available updates to users.

2023/04/28
Committee: IMCO

Proposal for a regulation
Annex I – Part 2 – paragraph 1 – point 2

(2) in relation to the risks posed to the products with digital elements, address and remediate critical and high vulnerabilities without delay, including by providing security updates or document the reasons for not remediating the vulnerability;

2023/04/28
Committee: IMCO

Proposal for a regulation
Annex I – Part 2 – paragraph 1 – point 4

(4) once a security update has been made available, publically or according to industry best practice disclose information about fixed known vulnerabilities, including a description of the vulnerabilities, information allowing users to identify the product with digital elements affected, the impacts of the vulnerabilities, their severity and information helping users to remediate the vulnerabilities;

2023/04/28
Committee: IMCO

Proposal for a regulation
Annex I – Part 2 – paragraph 1 – point 4 a (new)

(4 a) Information regarding fixes and vulnerabilities is shared and disclosed in a controlled way, respecting principles of ‘harm reduction’ and trade secrets through responsible disclosure of vulnerabilities to the actors who can act to mitigate the vulnerability, and that it is not made publicly available to avoid the risk of inadvertently informing potential attackers;

2023/04/28
Committee: IMCO

Proposal for a regulation
Annex I – Part 2 – paragraph 1 – point 8

(8) ensure that, where security patches or updates arcan reasonably be made available to address identified security issues, theyre is a means by which users can obtain them are disseminated without delay and free of charge or at a transparent and non-discriminatory cost, accompanied by advisory messages providing users with the relevant information, including on potential action to be taken.

2023/04/28
Committee: IMCO

Proposal for a regulation
Annex II – paragraph 1 – point 9 – point a

~~(a) the necessary measures during initial commissioning and throughout the lifetime of the product to ensure its secure use;~~deleted

2023/04/28
Committee: IMCO

Proposal for a regulation
Annex II – paragraph 1 – point 9 – point b

~~(b) how changes to the product can affect the security of data;~~deleted

2023/04/28
Committee: IMCO

Proposal for a regulation
Annex II – paragraph 1 – point 9 – point d

~~(d) the secure decommissioning of the product, including information on how user data can be securely remov~~deleted.

2023/04/28
Committee: IMCO

Proposal for a regulation
Annex V – paragraph 1 – point 2 – point a

(a) complete information on the design and development of the product with digital elements, including, where applicable, drawings and schemes and/or a description of the system architecture explaining how software components build on or feed into each other and integrate into the overall processing;deleted

2023/04/28
Committee: IMCO

Proposal for a regulation
Annex V – paragraph 1 – point 3

3. an statement or a summary of the cybersecurity risks against which the product with digital elements is designed, developed, produced, delivered and maintained as laid down in Article 10 of this Regulation and, further to a reasoned request from a market surveillance authority, provided that it is necessary in order for this authority to be able to check compliance with the essential requirements set out in Annex I, a detailed assessment of the cybersecurity risks against which the product with digital elements is designed, developed, produced, delivered and maintained as laid down in Article 10 of this Regulation;

2023/04/28
Committee: IMCO