Activities of Adam BIELAN related to 2022/0272(COD)

Proposal for a regulation
Recital 10

(10) In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. In the context of software, a commercial activity might be characterized not only by charging a price for a product, but also by charging a price for technical support services, by providing a software platform through which the manufacturer monetises other services, or by the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software. Nonetheless, in order to ensure that individual or micro developers of software as defined in Commission Recommendation 2003/361/EC do not face major financial obstacles and are not discouraged from testing the proof of concept as well as the business case on the market, these entities shall be required to make best efforts in order to comply with the requirements in this proposal during the 18 months from placing a software on the market. This special regime will prevent the chilling effect of high compliance and entry costs could have on entrepreneurs or skilled individuals who consider developing software in the Union.

2023/04/28
Committee: IMCO

Proposal for a regulation
Recital 11 a (new)

(11 a) According to the WTO Agreement on Technical Barriers to Trade, when technical regulations are necessary and relevant international standards exist, WTO Members should use those standards as the basis for their own technical regulations. It is important to avoid duplication of work among standardisation organizations, as international standards are intended to facilitate the harmonization of national and regional technical regulations and standards, thereby reducing non-tariff technical barriers to trade. Given that cybersecurity is a global issue, the Union should strive for maximum alignment. To achieve this objective, the standardization request for this Regulation, as set out in Article 10 of Regulation 1025/2012, should seek to reduce barriers to the acceptance of standards by publishing their references in the Official Journal of the EU, in accordance with Article 10 (6) of Regulation 1025/2012.

2023/04/28
Committee: IMCO

Proposal for a regulation
Recital 11 b (new)

(11 b) Considering the broad scope of this Regulation, the timely development of harmonised standards poses a significant challenge. To enhance the security of products with digital components in the Union market as soon as possible, the Commission should be empowered for a limited time to declare existing international standards for cyber security of products as satisfying the requirements of this Regulation. These standards should be published as standards providing presumption of conformity.

2023/04/28
Committee: IMCO

Proposal for a regulation
Recital 19

(19) Certain tasks provided for in this Regulation should be carried out by ~~ENISA, in accordance with Article 3(2) of Regulation (EU) 2019/881~~the relevant Computer Security Incident Response Teams (CSIRTs) or the relevant market surveillance authority. In particular, ~~ENISA~~CSIRTs should receive notifications from manufacturers of actively exploited vulnerabilities ~~contained i~~having a significant impact on products with digital elements, as well as incidents having an significant impact on the security of those products. ENISA should also forward these notifications to the relevant Computer Security Incident Response Teams (CSIRTs) or, respectively, to the relevant single points of contact of the Member States designated in accordance with Article [Article X] of Directive [Directive XXX / XXXX (NIS2)], and inCSIRTs or the relevant market surveillance authority, should submit to ENISA information on notifications provided such information is relevant for the coordinated response to large-scale cybersecurity incidents. For the purpose of this Regulation, an incident shall be considered to be significant if (i) it has caused or is capable of causing severe operational disruption of the production or the development, build and distribution environment form the ~~relevant market surveillance authorities about~~ manufacturer concerned, that would impact the security of a product; or (ii) it has affected or is capable of affecting other n~~otified vulnerability~~atural or legal persons by causing considerable material or non-material damage. On the basis of the information it gathers, ENISA should prepare a biennial technical report on emerging trends regarding cybersecurity risks in products with digital elements and submit it to the Cooperation Group referred to in Directive ~~[Directive XXX / XXXX (NIS2)]~~(EU) 2022/2555. Furthermore, considering its expertise and mandate, ENISA should be able to support the process for implementation of this Regulation. In particular, it should be able to propose joint activities to be conducted by market surveillance authorities based on indications or information regarding potential non-compliance with this Regulation of products with digital elements across several Member States or identify categories of products for which simultaneous coordinated control actions should be organised. In exceptional circumstances, at the request of the Commission, ENISA should be able to conduct evaluations in respect of specific products with digital elements that present a significant cybersecurity risk, where an immediate intervention is required to preserve the good functioning of the internal market.

2023/04/28
Committee: IMCO

Proposal for a regulation
Recital 22

(22) In order to ensure that products with digital elements, when placed on the market, do not pose cybersecurity risks to persons and organisations, essential requirements should be set out for such products. When the products are subsequently modified, by physical or digital means, in a way that ~~is not foreseen by the manufacturer and that may imply that they no longer meet the relevant essential requirements~~materially alters the core function of a product, the modification should be considered as substantial. For example, software updates or repairs could be assimilated to maintenance operations provided that they do not modify a product already placed on the market in such a way that compliance with the applicable requirements may be affected, or that the intended use for which the product has been assessed may be changed. As is the case for physical repairs or modifications, a product with digital elements should be considered as substantially modified by a software change where the software update modifies the original intended functions, type or performance of the product and these changes were not foreseen in the initial risk assessment, or the nature of the hazard has changed or the level of risk has increased because of the software updateintroduce substantial changes to the functions or cybersecurity architecture of a product already placed on the market, that change the level of hazard or risk for which the product was assessed.

2023/04/28
Committee: IMCO

Proposal for a regulation
Recital 23

(23) In line with the commonly established notion of substantial modification for products regulated by Union harmonisation legislation, whenever a substantial modification occurs that may affect the compliance of a product with this Regulation ~~or when the intended purpose of that product changes~~, it is appropriate that the compliance of the product with digital elements is verified and that, where applicable, ~~it undergoes a new~~the conformity assessment updated. Where applicable, if the manufacturer undertakes a conformity assessment involving a third party, changes that might lead to substantial modifications should be notified to the third party. The subsequent conformity assessment should address the changes that lead to the new assessment, unless these changes have significant impact on the conformity of other parts of the product.

2023/04/28
Committee: IMCO

Proposal for a regulation
Recital 26

(26) Critical products with digital elements should be subject to stricter conformity assessment procedures, while keeping a proportionate approach. For this purpose, critical products with digital elements should be divided into two classes, reflecting the level of cybersecurity risk linked to these categories of products. A potential cyber incident involving products in class II might lead to greater negative impacts than an incident involving products in class I, for instance due to the nature of their cybersecurity-related function or intended use in ~~sensitive~~ environments of high criticality, and therefore should undergo a stricter conformity assessment procedure.

2023/04/28
Committee: IMCO

Proposal for a regulation
Recital 32

(32) In order to ensure that products with digital elements are secure both at the time of their placing on the market as well as throughout their life-cycle, it is necessary to lay down essential requirements for vulnerability handling and essential cybersecurity requirements relating to the properties of products with digital elements. While manufacturers should comply with all essential requirements related to vulnerability handling ~~and ensure that all their products are delivered without any known exploitable vulnerabilities~~, they should determine which ~~other~~ essential requirements related to the product properties are relevant for the concerned type of product. For this purpose, manufacturers should undertake an assessment of the cybersecurity risks associated with a product with digital elements to identify relevant risks and relevant essential requirements and in order to appropriately apply suitable harmonised standards or common specifications. Products with digital elements shall be either placed on the market delivered without any known critical or high severity exploitable vulnerabilities or manufacturers shall provide based on a risk assessment the appropriate impact mitigation such as by security updates before the product is put into service for the first time.

2023/04/28
Committee: IMCO

Proposal for a regulation
Recital 34

(34) To ensure that the national CSIRTs and the single point of contacts designated in accordance with Article [Article X] of Directive [Directive XX/XXXX (NIS2)] are provided with the information necessary to fulfil their tasks and raise the overall level of cybersecurity of essential and important entities, and to ensure the effective functioning of market surveillance authorities, manufacturers of products with digital elements should notify to ENISA vulnerabilities that are being actively exploited. As most products with digital elements are marketed across the entire internal market, any exploited vulnerability in a product with digital elements should be considered a threat to the functioning of the internal market. Manufacturers should also consider disclosing fixed vulnerabilities to the European vulnerability database established under Directive [Directive XX/XXXX (NIS2)] and managed by ENISA or under any other publicly accessible vulnerability database.deleted

2023/04/28
Committee: IMCO

Proposal for a regulation
Recital 35

(35) Manufacturers should also report to ENISA any incident having an impact on the security of the product with digital elements. Notwithstanding the incident reporting obligations in Directive [Directive XXX/XXXX (NIS2)] for essential and important entities, it is crucial for ENISA, the single points of contact designated by the Member States relevant CSIRTs or, where applicable the relevant market surveillance authority, any incident having a~~ccordance with Article [Article X] of Directive [Directive XXX/XXXX (NIS2)] and the market surveillance authorities to receive information from the manufacturers of~~ significant impact on the security of the products with digital elements ~~allowing them to assess the security of these products~~. In order to ensure that users can react quickly to incidents having an significant impact on the security of their products with digital elements, manufacturers should also inform their users about any such incident and, where applicable, about any corrective measures that the users can deploy to mitigate the impact of the incident, for example by publishing relevant information on their websites or, where the manufacturer is able to contact the users and where justified by the risks, by reaching out to the users directly.

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 2 – paragraph 1

1. This Regulation applies to products with digital elements placed on the market whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a ~~device or~~ network.

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 2 – paragraph 2 – point c a (new)

(c a) Regulation (EU) 2022/2554;

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 2 – paragraph 2 – point c b (new)

(c b) Directive (EU) 2022/2555.

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 2 – paragraph 5 a (new)

5 a. This Regulation does not apply to any supply of a product with digital elements for distribution and use on the Union market where such supply, distribution, and use exclusively occurs within the same group of companies within the meaning of Article 2(13) of Regulation (EU) 2015/848.

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 3 – paragraph 1 – point 1

(1) ‘product with digital elements’ means any software or hardware product ~~and its remote data processing solutions~~, including software or hardware components to be placed on the market separately;

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 3 – paragraph 1 – point 2

(2) ‘remote data processing’ means any data processing at a distance for which the software is designed and developed by the manufacturer or under the responsibility of the manufacturer, and the absence of which would prevent the product with digital elements from performing one of its functions;deleted

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 3 – paragraph 1 – point 6

(6) ‘software’ means the part of an electronic information system which consists of computer code, with exception of software relating to the Internet websites;

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 3 – paragraph 1 – point 26

(26) ‘reasonably foreseeable misuse’ means the use of a product with digital elements in a way that is not in accordance with its intended purpose, but which may result from reasonably foreseeable human behaviour or interaction with other systems;deleted (This amendment applies throughout the text.)

2023/04/28
Committee: IMCO

Zdzisław KRASNODĘBSKI, Adam BIELAN, Kosma ZŁOTOWSKI

Proposal for a regulation
Article 3 – paragraph 1 – point 31

(31) ‘substantial modification’ means a change to the product with digital elements following its placing on the market, which ~~affects the compliance of the product with digital elements with the essential requirements set out in Section 1 of Annex I or results in a modification to the intended use for which~~has material impact on the core function of the product with digital elements ~~has been assessed~~;

2023/04/28
Committee: IMCO

Proposal for a regulation
Recital 10

(10) In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. In the context of software, a commercial activity might be characterized not only by charging a price for a product, but also by charging a price for technical support services, by providing a software platform through which the manufacturer monetises other services, or by the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software. Nonetheless, in order to ensure that individual or micro developers of software as defined in Commission Recommendation 2003/361/EC do not face major financial obstacles and are not discouraged from testing the proof of concept as well as the business case on the market, these entities shall be required to make best efforts in order to comply with the requirements in this proposal during the 12 months from placing a software on the market. This special regime will prevent the chilling effect of high compliance and entry costs could have on entrepreneurs or skilled individuals who consider developing software in the European Union.

2023/05/04
Committee: ITRE

Proposal for a regulation
Article 4 – paragraph 3

3. Member States shall not prevent the making available of unfinished software which does not comply with this Regulation provided that the software is only made available ~~for a limited period required for testing purposes~~in a non-production version for testing purposes, including software labelled as ‘beta,’ ‘pre-release’, or ‘candidate’, and that a visible sign clearly indicates that it does not comply with this Regulation and will not be available on the market for purposes other than testing.

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 6 – paragraph 5

~~5. The Commission is empowered to adopt~~ delegated acts in accordance with Article 50 to supplement this Regulation by specifying categories of highly critical products with digital elements for which the manufacturers shall be required to obtain a European cybersecurity certificate under a European cybersecurity certification scheme pursuant to Regulation (EU) 2019/881 to demonstrate conformity with the essential requirements set out in Annex I, or parts thereof. When determining such categories of highly critical products with digital elements, the Commission shall take into account the level of cybersecurity risk related to the category of products with digital elements, in light of one or several of the criteria listed in paragraph 2, as well as in view of the assessment of whether that category of products is: (a) essential entities of the type referred to in Annex [Annex I] to the Directive [Directive XXX/ XXXX (NIS2)] or will have potential future significance for the activities of these entities; or (b) overall supply chain of products with digital elements against disruptive events.used or relied upon by the relevant for the resilience of the

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 7 – paragraph 1

By way of derogation from Article 2(1), third subparagraph, point (b), of Regulation [General Product Safety Regulation] where products with digital elements are not subject to specific requirements laid down in other Union harmonisation legislation within the meaning of [Article 3, point (25) of the General Product Safety Regulation], Chapter III, Section 1, Chapters V and VII, and Chapters IX to XI of Regulation [General Product Safety Regulation] shall apply to those products with respect to safety risks not covered byProducts with digital elements as defined and falling within the scope of [General Product Safety Regulation] shall be deemed as complying with the cybersecurity requirements for the purpose of [Article 5 of General Product Safety Regulation] if they comply with the requirements of this Regulation.

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 10 – paragraph -1 (new)

-1. Software manufacturers which qualify as a microenterprise as defined in Commission Recommendation 2003/361/EC shall make best efforts to comply with the requirements in this Regulation during the 18 months from placing a software on the market.

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 10 – paragraph 1

1. When placing a product with digital elements on the market, manufacturers shall take reasonable measures to ensure that it has been designed, developed and produced in accordance with the essential requirements set out in Section 1 of Annex I.

2023/04/28
Committee: IMCO

Proposal for a regulation
Recital 38 a (new)

(38a) According to the WTO Agreement on Technical Barriers to Trade, when technical regulations are necessary and relevant international standards exist, WTO Members should use those standards as the basis for their own technical regulations. It is important to avoid duplication of work among standardisation organisations, as international standards are intended to facilitate the harmonisation of national and regional technical regulations and standards, thereby reducing non-tariff technical barriers to trade. Given that cybersecurity is a global issue, the EU should strive for maximum alignment. To achieve this objective, the standardisation request for this Regulation, as set out in Article 10 of Regulation (EU) 1025/2012, should seek to reduce barriers to the acceptance of standards by publishing their references in the Official Journal of the EU, in accordance with Article 10(6) of Regulation (EU) 1025/2012.

2023/05/04
Committee: ITRE

Proposal for a regulation
Article 10 – paragraph 4

4. For the purposes of complying with the obligation laid down in paragraph 1, manufacturers shall exercise due diligence when integrating components sourced from third parties in products with digital elements. They shall take reasonable measures to ensure that such components do not compromise the security of the product with digital elements.

2023/04/28
Committee: IMCO

Proposal for a regulation
Recital 38 b (new)

(38b) Considering the broad scope of this Regulation, the timely development of harmonised standards poses a significant challenge. To enhance the security of products with digital components in the Union market, international standards should be published as a standard providing presumption of conformity.

2023/05/04
Committee: ITRE

Proposal for a regulation
Recital 41

(41) Where no harmonised standards are adopted or where the harmonised standards do not sufficiently address the essential requirements of this Regulation, the Commission should be able to adopt common specifications by means of implementing acts. Reasons for developing such common specifications, instead of relying on harmonised standards, might include a refusal of the standardisation request by any of the European standardisation organisations, undue delays in the establishment of appropriate harmonised standards, or a lack of compliance of developed standards with the requirements of this Regulation or with a request of the Commission. In order to facilitate assessment of conformity with the essential requirements laid down by this Regulation, there should be a presumption of conformity for products with digital elements that are in conformity with the common specifications adopted by the Commission according to this Regulation for the purpose of expressing detailed technical specifications of those requirements.deleted

2023/05/04
Committee: ITRE

Proposal for a regulation
Article 10 – paragraph 6 – subparagraph 1

When placing a product with digital elements on the market, and for ~~the expected product lifetime or for~~ a period of five years from the placing of the product on the market~~, whichever is shorter~~ or a shorter period, appropriate to the type and specificity of product, manufacturers shall ensure that vulnerabilities of that product are handled effectively and in accordance with the essential requirements set out in Section 2 of Annex I.

2023/04/28
Committee: IMCO

Proposal for a regulation
Recital 45

(45) As a general rule the conformity assessment of products with digital elements should be carried out by the manufacturer under its own responsibility following the procedure based on Module A of Decision 768/2008/EC. The manufacturer should retain flexibility to choose a stricter conformity assessment procedure involving a third- party. If the product is classified as a critical product of class I, additional assurance is required to demonstrate conformity with the essential requirements set out in this Regulation. The manufacturer should apply harmonised standards, ~~common specifications~~international standards, or cybersecurity certification schemes under Regulation (EU) 2019/881 which have been identified by the Commission in an implementing act, if it wants to carry out the conformity assessment under its own responsibility (module A). If the manufacturer does not apply such harmonised standards, ~~common specifications~~international standards, or cybersecurity certification schemes, the manufacturer should undergo conformity assessment involving a third party. Taking into account the administrative burden on manufacturers and the fact that cybersecurity plays an important role in the design and development phase of tangible and intangible products with digital elements, conformity assessment procedures respectively based on modules B+C or module H of Decision 768/2008/EC have been chosen as most appropriate for assessing the compliance of critical products with digital elements in a proportionate and effective manner. The manufacturer that carries out the third- party conformity assessment can choose the procedure that suits best its design and production process. Given the even greater cybersecurity risk linked with the use of products classified as critical class II products, the conformity assessment should always involve a third party.

2023/05/04
Committee: ITRE

Proposal for a regulation
Article 10 – paragraph 9

9. Manufacturers shall ensure that procedures are in place for products with digital elements that are part of a series of production to remain in conformity. The manufacturer shall adequately take into account changes in the development and production process or in the design or characteristics of the product with digital elements and changes in the harmonised standards, European cybersecurity certification schemes or the common specifications referred to in Article 19 by reference to which the conformity of the product with digital elements is declared or by application of which its conformity is verified. Where new knowledge, techniques, or standards become available, which were not available at the time of design of a serial product, the manufacturer may consider implementing such improvements periodically for future product generations. The manufacturer shall take into account the associated costs and efforts, including the efforts required for development, testing, validation, and approval process time.

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 10 – paragraph 12

12. From the placing on the market and for ~~the expected product lifetime or for~~ a period of five years after the placing on the market ofr a shorter period, appropriate to the type and specificity of product with digital elements, ~~whichever is shorter,~~ manufacturers who know or have reason to believe that the product with digital elements or the processes put in place by the manufacturer are not in conformity with the essential requirements set out in Annex I shall ~~immediately~~without undue delay take reasonable measures proportionate to the risk, take the corrective measures necessary to bring that product with digital elements or the manufacturer’s processes into conformity, to withdraw or to recall the product, as appropriate.

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 11 – paragraph 1

1. The manufacturer shall, ~~without undue delay and in any event within 24 hours of becoming aware of it, notify to ENISA~~notify relevant Computer Security Incident Response Teams (CSIRTs) or, where applicable, competent authority of the Member State established under Directive (EU) 2022/2555, any actively exploited vulnerability ~~contained i~~with significant impact on the product with digital elements. The notification shall ~~include details concerning~~be submitted without undue delay after thate vulnerability and, where applicable, any corrective or mitigating measures taken. ENISA shall, without undue delay, unless for justified cybersecurity risk-related grounds, forward the notification to the CSIRT designated for the purposes of coordinated vulnerability disclosure in accordance with Article [Article X] of Directive [Directive XXX/XXXX (NIS2)] of Member States concerned upon receipt and inform the market surveillance authority about the notified vulnerabilityhas been addressed and shall include details concerning that vulnerability and, where applicable, any corrective or mitigating measures taken.

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 11 – paragraph 2

2. The manufacturer shall, without undue delay ~~and in any~~ from the moment it becomes aware, notify to releveant ~~within 24 hours of becoming aware of it, notify to ENISA any~~CSIRTs or, where applicable, competent authority of the Member State established under Directive (EU) 2022/2555, any major incident having a significant impact on the security of the product with digital elements. ENISA shall, without undue delay, unless for justified cybersecurity risk-related grounds, forward the notifications to the single point of contact designated in accordance with Article [Article X] of Directive [Directive XXX/XXXX (NIS2)] of the Member States concerned and inform the market surveillance authority about the notified incidents. The incident notification shall include informationThe incident notification shall be submitted without undue delay and include information strictly necessary to make the competent authority aware of the incident, and where relevant and proportionate to the risk, on the severity and impact of the incident and, where applicable, indicate whether the manufacturer suspects the incident to be caused by unlawful or malicious acts or considers it to have a cross-border impact.

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 11 – paragraph 3

3. ~~ENISA shall submit to the European cyber crisis liaison organisation network (EU-CyCLONe) established by Article [Article X] of Directive [Directive XXX/XXXX (NIS2)]~~CSIRTs or, where applicable, competent authority of the Member State established under Directive (EU) 2022/2555, shall submit to ENISA information notified pursuant to paragraphs 1 and 2 if such information is relevant for the coordinated management of large-scale cybersecurity incidents and crises at an operational level. ENISA shall submit the information received by the CSIRTs or, where applicable, competent authority of the Member State established under Directive (EU) 2022/2555, to the European cyber crisis liaison organisation network (EUCyCLONe) established by Article 16 of Directive (EU) 2022/2555.

2023/04/28
Committee: IMCO

Proposal for a regulation
Recital 69 a (new)

(69a) Economic operators that are SMEs, with particular attention paid to micro enterprises and start-ups, should be provided with dedicated guidance and where possible with financial support to adapt to the requirements of this Regulation when placing new product on the market. In particular, the Commission, ENISA and the Member States, should establish a European cyber resilience regulatory sandboxes, the Commission should establish a special webpage and provide direct tailored advice, and streamline the financial support from Digital Europe Programme and other relevant EU programmes. Member States should consider all possible complementary actions aiming at advice and financial support for SMEs, including via digital/cybersecurity hubs and start-up accelerators. Where the market surveillance authorities exercise their supervisory enforcement tasks, they should take into consideration whether the manufacturer is a SME, with particular attention payed to micro companies and start-ups.

2023/05/04
Committee: ITRE

Proposal for a regulation
Article 11 – paragraph 4

4. The manufacturer shall inform, without undue delay and after becoming aware, the users of the product with digital elements about ~~the incid~~a significant incident having major impact on the security of the product with digital elements and, where necessary, about corrective measures that the user can deploy to mitigate the impact of the incident.

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 11 – paragraph 5

5. The Commission, after consulting stakeholders and CSIRTs may, by means of implementing acts, specify further the type of information, format and procedure of the notifications submitted pursuant to paragraphs 1 and 2. Those implementing acts shall be based on European and international standards, such as ISO/IEC 29147 and adopted in accordance with the examination procedure referred to in Article 51(2).

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 11 – paragraph 6

6. ENISA, on the basis of the notifications received pursuant to paragraphs 1, 2 and 23, shall prepare a biennial technical report on emerging trends regarding cybersecurity risks in products with digital elements and submit it to the Cooperation Group referred to in Article ~~[Article X]~~14 of Directive ~~[Directive XXX/XXXX (NIS2)]~~(EU) 2022/2555. The first such report shall be submitted within 24 months after the obligations laid down in paragraphs 1 and 2 start applying.

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 2 – paragraph 2 – point c a (new)

(ca) Regulation (EU) 2022/2554.

2023/05/04
Committee: ITRE

Proposal for a regulation
Article 18 – paragraph 2

2. Products with digital elements and processes put in place by the manufacturer, which are in conformity with the common specifications referred to in Article 19 shall be presumed to be in conformity with the essential requirements set out in Annex I, to the extent those common specifications cover those requirements.deleted

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 18 – paragraph 4

4. The Commission is empowered, by means of implementing acts, to specify the European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 that can be used to demonstrate conformity with the essential requirements or parts thereof as set out in Annex I. Furthermore, where applicable, the Commission shall specify if a cybersecurity certificate issued under such schemes eliminates the obligation of a manufacturer to carry out a third-party conformity assessment for the corresponding requirements, as set out in Article 24(2)(a), (b), (3)(a) and (b). Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 51(2).deleted

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 18 – paragraph 4 a (new)

4 a. In accordance with Article 10(1) of Regulation 1025/2012, when preparing the Standardisation Request for this Regulation, the Commission shall aim for maximum harmonisation with existing or imminent international standards for cybersecurity. In the first three years following the date of application of this Regulation, the Commission is empowered to declare an existing international standard as meeting the requirements of this Regulation, without any European modifications, provided that adherence to such standards sufficiently enhances the security of products with digital elements, and provided that the standard is published as a separate version by one of the European Standardisation Organisations.

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 19

~~Where harmonised standards referred to in~~ Article 189 do not exist or where the Commission considers that the relevant harmonised standards are insufficient to satisfy the requirements of this Regulation or to comply with the standardisation request of the Commission, or where there are undue delays in the standardisation procedure or where the request for harmonised standards by the Commission has not been accepted by the European standardisation organisations, the Commission is empowered, by means of implementing acts, to adopt common specifications in respect of the essential requirements set out in Annex I. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 51(2). eleted Common specifications (This amendment applies throughout the text to all references of Common specifications.)

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 24 – paragraph 5 a (new)

5 a. For products with digital elements falling within the scope of this Regulation and which are placed on the market or put into service by credit institutions regulated by Directive 2013/36/EU, the conformity assessment shall be carried out as part of the procedure referred to in Articles 97 to 101 of that Directive.

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 29 – paragraph 12

12. Conformity assessment bodies shall operate in accordance with a set of consistent, fair and reasonable terms and conditions in line with Article 37(2), in particular taking into account the interests of SMEs in relation to fees.

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 37 – paragraph 2

2. Conformity assessments shall be carried out in a proportionate manner, avoiding unnecessary burdens for economic operators. Conformity assessment bodies shall perform their activities taking due account of the size of an undertaking, the sector in which it operates, its structure, the degree of complexity and the risk exposure of the product type and technology in question and the mass or serial nature of the production process.

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 41 – paragraph 11 a (new)

11 a. For products with digital elements falling within the scope of this Regulation, distributed, put into service or used by financial institutions regulated by relevant Union legislation on financial services, the market surveillance authority for the purposes of this Regulation shall be the relevant authority responsible for the financial supervision of those institutions under that legislation.

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 43 – paragraph 1 – subparagraph 2

Where, in the course of that evaluation, the market surveillance authority finds that the product with digital elements does not comply with the requirements laid down in this Regulation or otherwise present threat to national security, it shall without delay require the relevant operator to take all appropriate corrective actions to bring the product into compliance with those requirements, to withdraw it from the market, or to recall it within a reasonable period, commensurate with the nature of the risk, as it may prescribe.

2023/04/28
Committee: IMCO

Zdzisław KRASNODĘBSKI, Adam BIELAN, Kosma ZŁOTOWSKI

Proposal for a regulation
Article 43 – paragraph 4 – subparagraph 1

Where the manufacturer of a product with digital elements does not take adequate corrective action within the period referred to in paragraph 1, second subparagraph, or the relevant Member States authority consider product to present threat to the national security, the market surveillance authority shall take all appropriate provisional measures to prohibit or restrict that product being made available on its national market, to withdraw it from that market or to recall it.

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 10 – paragraph -1 (new)

-1. Software manufacturers which qualify as a microenterprise as defined in Commission Recommendation 2003/361/EC shall make best efforts to comply with the requirements in this Regulation during the 12 months from placing a software on the market.

2023/05/04
Committee: ITRE

Proposal for a regulation
Article 43 – paragraph 7

7. Where, within three months of receipt of the information referred to in paragraph 4, no objection has been raised by either a Member State or the Commission in respect of a provisional measure taken by a Member State, that measure shall be deemed justified. The decision referred to in paragraph 1, concerning threat to national security shall always be deemed justified. This is without prejudice to the procedural rights of the operator concerned in accordance with Article 18 of Regulation (EU) 2019/1020.

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 45 – paragraph 1

1. Where the Commission has sufficient reasons to consider, including based on information provided by the competent authorities of Member States, the computer security incident response teams (CSIRTs) designated or established in accordance with Directive (EU) 2022/2555 or ENISA, that a product with digital elements that presents a significant cybersecurity risk is non-compliant with the requirements laid down in this Regulation, it may request the relevant market surveillance authorities to carry out an evaluation of compliance and follow the procedures referred to in Article 43.

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 45 – paragraph 2

2. In exceptional circumstances which justify an immediate intervention to preserve the good functioning of the internal market and where the Commission ~~has~~ sufficient reasons, substantiated by relevant data, to consider that the product referred to in paragraph 1 remains non- compliant with the requirements laid down in this Regulation and no effective measures have been taken by the relevant market surveillance authorities, the Commission may request ~~ENISA~~the relevant Member State authority to carry out an evaluation of compliance. The Commission shall inform the relevant market surveillance authorities and ENISA accordingly. ~~The relevant economic operators shall cooperate as necessary with ENISA.~~

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 45 – paragraph 3

3. Based on ~~ENISA’s evalu~~the Member State authority's evaluation and recommendation, the 3. Commission may decide that a corrective or restrictive measure is necessary at Union level. To this end, it shall without delay consult the Member States concerned and the relevant economic operator or operators.

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 53 – paragraph 6 – point a a (new)

(a a) the type of manufactured product and whether entity qualifies as microenterprise for the specific compliance regime outlined in the Article 10(-1) of this Regulation.

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 57 – paragraph 2

It shall apply from [2436 months after the date of entry into force of this Regulation]. However Article 11 shall apply from [124 months after the date of entry into force of this Regulation] and Articles 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38 shall apply from [30 months after the entry into force of this Regulation].

2023/04/28
Committee: IMCO

Proposal for a regulation
Annex I – Part 1 – point 2

(2) Products with digital elements shall be delivered ~~without any known exploitable vulnerabilitie~~in a way that does not wilfully create cybersecurity risks;

2023/04/28
Committee: IMCO

Proposal for a regulation
Annex I – Part 1 – point 3 – point a

(a) be delivered with a secure by default configuration, including the possibility to reset the product to its ~~original state~~default security configuration;

2023/04/28
Committee: IMCO

Proposal for a regulation
Annex V – paragraph 1 – point 1 – point a

~~(a) its intended purpose;~~deleted

2023/04/28
Committee: IMCO

Proposal for a regulation
Annex V – paragraph 1 – point 2

2. a description of the design, development and production of the product and vulnerability handling processes, including: (a) complete information on the design and development of the product with digital elements, including, where applicable, drawings and schemes and/or a description of the system architecture explaining how software components build on or feed into each other and integrate into the overall processing; (b) specifications of the vulnerability handling processes put in place by the manufacturer, including the software bill of materials, the coordinated vulnerability disclosure policy, evidence of the provision of a contact address for the reporting of the vulnerabilities and a description of the technical solutions chosen for the secure distribution of updates; (c) specifications of the production and monitoring processes of the product with digital elements and the validation of these processes.deleted complete information and complete information and

2023/04/28
Committee: IMCO

Proposal for a regulation
Annex V – paragraph 1 – point 3

3. a~~n assess~~ statement of the cybersecurity risks against which the product with digital elements is designed, developed, produced, delivered and maintained as laid down in Article 10 of this Regulation;

2023/04/28
Committee: IMCO

Proposal for a regulation
Article 18 – paragraph 2

2. Products with digital elements and processes put in place by the manufacturer, which are in conformity with the common specifications referred to in Article 19 shall be presumed to be in conformity with the essential requirements set out in Annex I, to the extent those common specifications cover those requirements.deleted

2023/05/04
Committee: ITRE

Proposal for a regulation
Article 19

~~Where harmonised standards referred to in~~ Article 189 do not exist or where the Commission considers that the relevant harmonised standards are insufficient to satisfy the requirements of this Regulation or to comply with the standardisation request of the Commission, or where there are undue delays in the standardisation procedure or where the request for harmonised standards by the Commission has not been accepted by the European standardisation organisations, the Commission is empowered, by means of implementing acts, to adopt common specifications in respect of the essential requirements set out in Annex I. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 51(2).eleted Common specifications

2023/05/04
Committee: ITRE