7 Amendments of Angelika NIEBLER related to 2022/0272(COD)

Amendment 162
Proposal for a regulation
Recital 32
(32) In order to ensure that products with digital elements are secure both at the time of their placing on the market as well as throughout their life-cycle, it is necessary to lay down essential requirements for vulnerability handling and essential cybersecurity requirements relating to the properties of products with digital elements. While manufacturers should comply with all essential requirements related to vulnerability handling and ensure that all their products are delivered without any known exploitable vulnerabilities known to them, they should determine which other essential requirements related to the product properties are relevant for the concerned type of product. For this purpose, manufacturers should undertake an assessment of the cybersecurity risks associated with a product with digital elements to identify relevant risks and relevant essential requirements and in order to appropriately apply suitable harmonised standards or common specifications.
2023/05/04
Committee: ITRE
Amendment 169
Proposal for a regulation
Recital 35 a (new)
(35a) To minimise bureaucratic burden, especially on SMEs, there should be only two reporting stages after discovering an actively exploited vulnerability and the reportings should include only necessary information to make the competent authority aware of the incident and the measures taken and allow for the entity to seek assistance. The early warning after 24 hours should be seen as first notification with only the most essential information to raise ENISA’s awareness of the incident. After 72 hours, a manufacturer should state more precisely which measures were taken after the incident.
2023/05/04
Committee: ITRE
Amendment 170
Proposal for a regulation
Recital 35 a (new)
(35a) Reporting should be as convenient and efficient as possible. For this purpose, ENISA should provide for an online system into which all requested information can be inserted.
2023/05/04
Committee: ITRE
Amendment 311
Proposal for a regulation
Article 11 – paragraph 1 a (new)
1a. Manufacturers shall submit to ENISA a vulnerability notification within 72 hours of becoming aware of the actively exploited vulnerability, which, where applicable, shall update the information that was given in the early warning, especially on the corrective or mitigating measures taken.
2023/05/04
Committee: ITRE
Amendment 315
Proposal for a regulation
Article 11 – paragraph 2
2. The manufacturer shall, without undue delay and in any event within 24 hours of becoming aware of it, notify to ENISA any significant incident having impact on the security of the product with digital elements in accordance with paragraph 2b of this Article. ENISA shall, without undue delay, unless for justified cybersecurity risk-related grounds, forward the notifications to the single point of contact designated in accordance with Article [Article X] of Directive [Directive (EU) 2022/2555 (NIS2)] of the Member States concerned and inform the market surveillance authority about the notified significant incidents. The significant incident notification shall include information on the severity and impact of the incident and, where applicable, indicate whether the manufacturer suspects the incident to be caused by unlawful or malicious acts or considers the necessary information to make the competent authority aware of the incident and allow for the entity to seek assistance.
2023/05/04
Committee: ITRE
Amendment 337
Proposal for a regulation
Article 11 – paragraph 7 a (new)
7a. ENISA shall establish a digital reporting mechanism, after having consulted relevant stakeholder groups, so that manufacturers are able to fulfil their reporting obligations via an Online Application.
2023/05/04
Committee: ITRE
Amendment 463
Proposal for a regulation
Annex I – Part 1 – point 2
(2) Products with digital elements shall be delivered without any known exploitable vulnerabilities which the manufacturer knows of, unless a manufacturer ensures that there are updates available which remedy this vulnerability and these are run automatically at the first time of use of the product;
2023/05/04
Committee: ITRE