BETA

48 Amendments of Bart GROOTHUIS related to 2022/0272(COD)

Proposal for a regulation
Recital 10

(10) In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. In the context of software, a commercial activity ~~might be characterized not only by charging a price for a product, but also by charging a price for technical support services,~~solely occurs when a price is charged for the use of a product with the intention of making a profit beyond mere technical support, consulting services, or maintenance based on incurred costs, or by providing a software platform through which the manufacturer monetises other services, or by the ~~use~~monetisation of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software.

2023/05/04
Committee: ITRE

Proposal for a regulation
Recital 34 a (new)

(34a) Dependencies on high-risk suppliers of critical products with digital elements intended for the use by essential entities of the type referred to in [Annex I to the Directive XXX/XXXX (NIS2)] pose a strategic risk that needs to be mitigated at Union level. To mitigate this strategic risk there is a need to move beyond non- binding initiatives, such as the 5G toolbox, and move towards a binding toolbox for reducing critical ICT supply chain risks adopted as a delegated act. It should leverage the lessons learned from those past and national experiences, be based upon a risk assessment and offer strategic risk mitigation measures. Critical products with digital elements used in critical sectors should therefore be subjected to a strategic supply chain risk assessment that includes non-technical factors to assess the risk of the manufacturer being subject to undue interference from a third country. Those factors may include the jurisdiction of the supplier/manufacturer and the characteristics of the supplier’s corporate ownership and the links of control to a third-country government where it is established. A high risk is attributed to a third country’s legislation that obliges arbitrary access to any kind of company data, that would e.g. allow it to conduct economic espionage, without legislative or democratic checks and balances, meaningful oversight mechanisms or the right to appeal to an independent judiciary. A high risk is also attributed where a manufacturer is operating under foreign ownership or control that has the power, direct or indirect, whether or not exercised, to direct or decide matters affecting the management or operations of the manufacturer, or in case of opaque ownership structures, which are are state- owned or controlled. Not all instances of control will create security risks, but what should be considered is the extent to which the use of the critical product by the entities: (a) includes access to sensitive or classified information or assets, (b) relates to the storage or transport of sensitive materials or substances, (c) relates to the provision of security services for physical sites or facilities, (d) is for, or relates to, the storage or protection of sensitive or classified information. Non-technical risk factors should not impede procurement from entities established in likeminded strategic partner countries.

2023/05/04
Committee: ITRE

Proposal for a regulation
Recital 63

(63) In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission to, in open consultation with stakeholders and in consideration of international and industry standards: specify the format and elements of the software bill of materials, specify further the type of information, format and procedure of the notifications on actively exploited vulnerabilities and incidents submitted to ENISA by the manufacturers, specify the European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 that can be used to demonstrate conformity with the essential requirements or parts therefore as set out in Annex I of this Regulation, adopt common specifications in respect of the essential requirements set out in Annex I, lay down technical specifications for pictograms or any other marks related to the security of the products with digital elements, and mechanisms to promote their use, decide on corrective or restrictive measures at Union level in exceptional circumstances which justify an immediate intervention to preserve the good functioning of the internal market. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council34. _________________ 34 Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the Member States of the Commission's exercise of implementing powers (OJ L 55, 28.2.2011, p.13).

2023/05/04
Committee: ITRE

Proposal for a regulation
Article 2 – paragraph 1

1. This Regulation applies to products with digital elements whose intended ~~or reasonably foreseeable~~ use includes a direct or indirect logical or physical data connection to a device or network.

2023/05/04
Committee: ITRE

Proposal for a regulation
Article 3 – paragraph 1 – point 1

(1) ‘product with digital elements’ means any software or hardware product ~~and its remote data processing solutions~~, including software or hardware components to be placed on the market separately;

2023/05/04
Committee: ITRE

Proposal for a regulation
Article 3 – paragraph 1 – point 31

(31) ‘substantial modification’ means a change to the product with digital elements following its placing on the market, which affects the compliance of the product with digital elements with the essential requirements set out in Section 1 of Annex I or results in a modification to the intended use for which the product with digital elements has been assessed, excluding security and maintenances updates that aim to mitigate vulnerabilities;

2023/05/04
Committee: ITRE

Proposal for a regulation
Article 3 – paragraph 1 – point 39

(39) ‘actively exploited vulnerability’ means a vulnerability for which there is reliable evidence that execution of malicious code was performed by an actor on a system without permission of the system owner; but does not include a vulnerability for which there is reliable evidence that the exploitation was performed by an actor for purposes of good faith testing, investigation, correction, or disclosure of a security flaw or vulnerability to promote the security or safety of the system owner, computers or software, or those who use such computers or software;

2023/05/04
Committee: ITRE

Proposal for a regulation
Article 3 – paragraph 1 – point 39 – point a (new)

a) ‘expected product lifetime’ means the lifetime a manufacturer documents in the information and instructions to the user defined in Annex II (8). For software it includes the iterated modifications within the version that was placed in the market.

2023/05/04
Committee: ITRE

Proposal for a regulation
Article 6 – paragraph 3

3. The Commission is empowered to adopt a delegated act in accordance with Article 50 to supplement this Regulation by specifying the definitions of the product categories under class I and class II as set out in Annex III. ~~The delegated act shall be adopted [by 12 months since the entry into force of this Regulation].~~ If it expands the scope of the product categories, the procedure in paragraph 2 should be followed. The delegated act shall be adopted [by 12 months since the entry into force of this Regulation]. The Commission shall establish a process under which a product which is a candidate to be a critical product can be reviewed in a collaborative process by all relevant stakeholders, including manufacturers and users, to assess the security risk posed by potential cybersecurity issues with the product, whether and how much designating the product as critical would likely reduce that risk, and the costs associated with designating the product as critical. If such assessment clearly establishes that designating that product as critical would materially reduce the security risk posed to the users of the product and that the value of such reduction would outweigh the costs to the manufacturer and other parties, the product may be designated as critical under this Regulation.

2023/05/04
Committee: ITRE

Proposal for a regulation
Article 6 – paragraph 5

~~5. The Commission is empowered to adopt~~ delegated acts in accordance with Article 50 to supplement this Regulation by specifying categories of highly critical products with digital elements for which the manufacturers shall be required to obtain a European cybersecurity certificate under a European cybersecurity certification scheme pursuant to Regulation (EU) 2019/881 to demonstrate conformity with the essential requirements set out in Annex I, or parts thereof. When determining such categories of highly critical products with digital elements, the Commission shall take into account the level of cybersecurity risk related to the category of products with digital elements, in light of one or several of the criteria listed in paragraph 2, as well as in view of the assessment of whether that category of products is: (a) used or relied upon by the essential entities of the type referred to in Annex [Annex I] to the Directive [Directive XXX/ XXXX (NIS2)] or will have potential future significance for the activities of these entities; or (b) relevant for the resilience of the overall supply chain of products with digital elements against disruptive events.

2023/05/04
Committee: ITRE

Proposal for a regulation
Article 10 – paragraph 1

1. When placing a product with digital elements on the market, manufacturers shall ensure that it has been designed, developed and produced in accordance with the essential requirements set out in Section 1 of Annex I. Manufacturers may deviate from a requirement in justified cases if it does not apply due to the nature of the product. Manufacturers should document the justification in the cybersecurity risks assessment in accordance to paragraph 2.

2023/05/04
Committee: ITRE

Proposal for a regulation
Article 10 – paragraph 6 – subparagraph 1

WManufacturers shall ensure, when placing a product with digital elements on the market, and for the expected product lifetime ~~or for a period of five years from the placing of the product on the market, whichever is shorter, manufacturers shall ensure that vulnerabilities of that product are handled effectively and~~, that vulnerabilities of that product or of its iterated versions during its lifetime are handled effectively and in accordance with the essential requirements set out in Section 2 of Annex I. Manufacturers shall determine the expected product lifetime referred to in the first subparagraph of this paragraph taking into acco~~rdance wi~~unt the t~~he essential requirements set out in Section 2 of Annex I.~~ime users reasonably expect to be able to use the product given its functionality and intended purpose and therefore can expect to receive security updates

2023/05/04
Committee: ITRE

Proposal for a regulation
Article 10 – paragraph 9

9. Manufacturers shall ensure that procedures are in place for products with digital elements that are part of a series of production to remain in conformity. The manufacturer shall adequately take into account changes in the development and production process or in the design or characteristics of the product with digital elements and changes in the harmonised or industry standards, European cybersecurity certification schemes ~~or the common specifications referred to in Article 19~~ by reference to which the conformity of the product with digital elements is declared or by application of which its conformity is verified.

2023/05/04
Committee: ITRE

Proposal for a regulation
Article 10 – paragraph 10 a (new)

10a. Manufacturers shall clearly and understandably specify in an easily accessible manner and where applicable on the packaging of the product with digital elements, the end date for the expected product lifetime as referred to in paragraph 6, including at least the month and year, until which the manufacturer will at least ensure the effective handling of vulnerabilities in accordance with the essential requirements set out in Section 2 of Annex I.

2023/05/04
Committee: ITRE

Proposal for a regulation
Article 10 – paragraph 15

15. The Commission may, by means of implementing acts, and following an open consultation with stakeholders and in line with international standards, specify the format and elements of the software bill of materials set out in Section 2, point (1), of Annex I. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 51(2).

2023/05/04
Committee: ITRE

Proposal for a regulation
Article 11 – paragraph 1

1. The manufacturer shall, without undue delay and in any event within 724 hours ~~of becoming aware of it, notify to ENISA any actively exploit~~after the patch is publicly available, notify to CSIRT Network any new patched vulnerabilityies contained in the product with digital elements that may be actively exploited and pose a significant cybersecurity risk. The notification shall include basic details concerning that vulnerability and, where applicable, any corrective or mitigating measures taken. ENISA shall, without undue delay, unless for justified cybersecurity risk-related grounds, forward the notification to the CSIRT designated for the purposes of coordinated vulnerability disclosure in accordance with Article [Article X] of Directive [Directive XXX/XXXX (NIS2)] of Member States concerned upon receipt and inform the market surveillance authority about the notified vulnerability based on the manufacturers coordinated vulnerability disclosure policy required by section 2 of Annex I item (5) (e.g., the ISO/IEC 29147).

2023/05/04
Committee: ITRE

Proposal for a regulation
Article 11 – paragraph 2

2. The manufacturer shall, ~~without undue delay and in any event within 24 hours of becoming aware of it, notify to ENISA any~~notify the designated CSIRT or single point of contact, in accordance to the procedure of Directive [Directive XXX.XXXX NIS2], any significant incident having impact on the security of the product with digital elements. ~~ENISA~~The single point of contact shall, without undue delay, unless for justified cybersecurity risk-related grounds, forward the notifications to the single point of contact designated in accordance with Article [Article X] of Directive [Directive XXX/XXXX (NIS2)] of the Member States concerned and inform the market surveillance authority about the notified incidents. The incident notification shall include information on the severity and impact of the incident and, where applicable, indicate whether the manufacturer suspects the incident to be caused by unlawful or malicious acts or considers it to have a cross-border impact.

2023/05/04
Committee: ITRE

Proposal for a regulation
Article 11 – paragraph 2 a (new)

2a. Economic operators that are also identified as essential entities or important entities under the Directive [ Directive XXX.XXXX NIS2 ] and who submit their incident notification pursuant to the Directive [ Directive XXX.XXXX NIS2 ] should be deemed compliant with the requirements in point 2 of this Article. Moreover, an entity may only be fined once for non-compliance to overlapping reporting requirements.

2023/05/04
Committee: ITRE

Proposal for a regulation
Article 11 – paragraph 4

4. The manufacturer shall inform, without undue delay and after becoming aware, the impacted users of the product with digital elements about the incident ~~and, where necessary~~having significant impact and, where necessary may inform all users of the product with digital elements, about corrective measures that the user can deploy to mitigate the impact of the incident.

2023/05/04
Committee: ITRE

Proposal for a regulation
Article 13 – paragraph 2 – point c a (new)

(ca) Non-technical risk factors of the manufacturer are taken into consideration for critical products described in Class II of Annex III intended for the use by essential entities of the type referred to in [Annex I to the Directive XXX/XXXX (NIS2)];

2023/05/04
Committee: ITRE

Proposal for a regulation
Article 13 – paragraph 6 – subparagraph 1

Importers who know or have reason to believe that a product with digital elements, which they have placed on the market, or the processes put in place by its manufacturer, are not in conformity with the essential requirements set out in Annex I or non-technical risk factors shall immediately take the corrective measures necessary to bring that product with digital elements or the processes put in place by its manufacturer into conformity with the essential requirements set out in Annex I, or to withdraw or recall the product, if appropriate.

2023/05/04
Committee: ITRE

Proposal for a regulation
Article 14 – paragraph 2 – point b a (new)

(ba) Non-technical risk factors of the manufacturer are taken into consideration for critical products described in Class II of Annex III intended for the use by essential entities of the type referred to in [Annex I to the Directive XXX/XXXX (NIS2)];

2023/05/04
Committee: ITRE

Proposal for a regulation
Article 14 – paragraph 4 – subparagraph 2

Upon identifying a vulnerability in the product with digital elements, distributors shall inform the manufacturer without undue delay about that vulnerability. Furthermore, where the product with digital elements presents a significant cybersecurity risk including on the basis of non-technical risk factors, distributors shall immediately inform the market surveillance authorities of the Member States in which they have made the product with digital elements available on the market to that effect, giving details, in particular, of the non-conformity and of any corrective measures taken.

2023/05/04
Committee: ITRE

Proposal for a regulation
Article 19 – paragraph 1

Where harmonised standards referred to in Article 18 do not exist or where the Commission considers that the relevant harmonised standards are insufficient to satisfy the requirements of this Regulation or to comply with the standardisation request of the Commission, or where there are undue delays in the standardisation procedure or where the request for harmonised standards by the Commission has not been accepted by the European standardisation organisations, the Commission is empowered, by means of implementing acts, to adopt common specifications in respect of the essential requirements set out in Annex I. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 51(2).deleted

2023/05/04
Committee: ITRE

Proposal for a regulation
Article 41 – paragraph 8

8. Market surveillance authorities may provide guidance and advice to economic operators on the implementation of this Regulation, including on non-technical risk factors, with the support of the Commission.

2023/05/04
Committee: ITRE

Proposal for a regulation
Article 41 – paragraph 8 a (new)

8a. Market surveillance authorities may publish statistics about the average expected product lifetime, as specified by the manufacturer pursuant to article 10 (10a), per category of products with digital elements.

2023/05/04
Committee: ITRE

Where the market surveillance authority of a Member State has sufficient reasons to consider that a product with digital elements, including its vulnerability handling, presents a significant cybersecurity or strategic risk, it shall carry out an evaluation of the product with digital elements concerned in respect of its compliance with all the requirements laid down in this Regulation, including non- technical risk factors. The relevant economic operators shall cooperate as necessary with the market surveillance authority.

2023/05/04
Committee: ITRE

Proposal for a regulation
Article 45 – paragraph 1

1. Where the Commission has sufficient reasons to consider, including based on information provided by ENISA or non-technical risk factors, that a product with digital elements that presents a significant cybersecurity risk is non- compliant with the requirements laid down in this Regulation, it may request the relevant market surveillance authorities to carry out an evaluation of compliance and follow the procedures referred to in Article 43.

2023/05/04
Committee: ITRE

Proposal for a regulation
Article 45 – paragraph 2

2. In exceptional circumstances which justify an immediate intervention to preserve the good functioning of the internal market and where the Commission has sufficient reasons to consider that the product referred to in paragraph 1 remains non-compliant with the requirements laid down in this Regulation, including on the basis of non-technical risk factors, and no effective measures have been taken by the relevant market surveillance authorities, the Commission may request ENISA to carry out an evaluation of compliance. The Commission shall inform the relevant market surveillance authorities accordingly. The relevant economic operators shall cooperate as necessary with ENISA.

2023/05/04
Committee: ITRE

Proposal for a regulation
Article 50 – paragraph 6 a (new)

6a. The Commission shall conduct thorough public consultations and engage in regular and structured dialogue with economic operators to gather evidence and evaluate market implications of including or withdrawing categories of products in scope.

2023/05/04
Committee: ITRE

Proposal for a regulation
Article 51 – paragraph 3 a (new)

3a. The Committee shall conduct thorough public consultations and engage in regular and structured dialogue with economic operators to gather evidence and evaluate market implications of including or withdrawing categories of products in scope.

2023/05/04
Committee: ITRE

Proposal for a regulation
Article 55 – paragraph 2 a (new)

2a. Products with digital elements included in Annex III when placed on the market may meet the conformity assessment requirements under Chapter III by applying the procedure of Article 24 paragraph 1 for a period of 24 months after the date of application of this Regulation as defined in Article 57.

2023/05/04
Committee: ITRE

Proposal for a regulation
Article 55 – paragraph 3

3. By way of derogation from paragraph 2, the obligations laid down in Article 11 shall apply to all products with digital elements within the scope of this Regulation that have been placed on the market ~~befor~~24 months after the [date of ~~application~~entry into force of this Regulation ~~referred to in Article 57]~~.

2023/05/04
Committee: ITRE

Proposal for a regulation
Article 57 – paragraph 2

It shall apply from [~~24 months after the date of entry into force of this Regulation]. However Article 11 shall apply from [12~~36 months after the date of entry into force of this Regulation].

2023/05/04
Committee: ITRE

Proposal for a regulation
Annex I – Part 1 – point 2

~~(2) Products with digital elements shall be delivered without any known exploitable vulnerabilities;~~deleted

2023/05/04
Committee: ITRE

Proposal for a regulation
Annex I – Part 1 – point 3 – point b

(b) ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems; , but also by taking into consideration non-technical risk factors, such as third-country legislation that is applicable in the headquarter of the manufacturer obliging arbitrary government access to any kind of company data without legislative or democratic checks and balances or meaningful oversight mechanisms;

2023/05/04
Committee: ITRE

Proposal for a regulation
Annex I – Part 1 – point 3 – point f

(f) protect the availability of essential functions, ~~including~~also after an incident, including with backup management, and the resilience ~~against~~ and mitigation ofmeasures against denial of service attacks;

2023/05/04
Committee: ITRE

Proposal for a regulation
Annex I – Part 2 – paragraph 1 – point 2

(2) in relation to the risks posed to the products with digital elements, address and remediate vulnerabilities with~~out delay~~in an agreed timeline, including by providing security updates;

2023/05/04
Committee: ITRE

Proposal for a regulation
Annex I – Part 2 – paragraph 1 – point 4

(4) once a security update has been made available, share and publically disclose information about fixed vulnerabilities, in~~cluding a description of the vulnerabilities,~~ accordance with a coordinated vulnerability disclosure process, including information allowing users to identify the product with digital elements affected, the impacts of the vulnerabilities, their severity and information helping users to remediate the vulnerabilities. Detailed information about the vulnerabilities should only be shared and disclosed in a controlled way through coordinated disclosure procedures;

2023/05/04
Committee: ITRE

Proposal for a regulation
Annex II – paragraph 1 – point 6

6. if and, where applicable, where the software bill of materials can be accessed; but are not to be made publicly accessible. If the software bill of materials are made available to notified bodies and market surveillance authorities for the exercise of their tasks, it must happen under the strict non-disclosure conditions set out in Article 52.

2023/05/04
Committee: ITRE

Proposal for a regulation
Annex III – Part I – point 13

13. Remote access~~/sharing~~ software;

2023/05/04
Committee: ITRE

Proposal for a regulation
Annex III – Part I – point 16

16. Operating systems ~~not covered by class II~~for servers, desktops and mobile devices;

2023/05/04
Committee: ITRE

Proposal for a regulation
Annex III – Part I – point 18

~~18. Routers, modems intended for the connection to the internet, and switches, not covered by class II;~~deleted

2023/05/04
Committee: ITRE

Proposal for a regulation
Annex III – Part I – point 19

~~19. Microprocessors not covered by class II;~~deleted

2023/05/04
Committee: ITRE

Proposal for a regulation
Annex III – Part I – point 20

~~20. Microcontrollers;~~deleted

2023/05/04
Committee: ITRE

Proposal for a regulation
Annex III – Part II – point 1

~~1. Operating systems for servers, desktops, and mobile devices;~~deleted

2023/05/04
Committee: ITRE

Proposal for a regulation
Annex III – Part II – point 5

~~5. General purpose microprocessors;~~deleted

2023/05/04
Committee: ITRE

Proposal for a regulation
Annex III – Part II – point 6

~~6. Microprocessors intended for integration in programmable logic controllers and secure elements;~~deleted

2023/05/04
Committee: ITRE