Activities of Morten LØKKEGAARD related to 2022/0272(COD)
Opinions (1)
OPINION on the proposal for a regulation of the European Parliament and of the Council on Horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020
Amendments (24)
Amendment 76 #
Proposal for a regulation
Recital 20
Recital 20
(20) Products with digital elements should bear the CE marking to visibly, legibly and indelibly indicate their conformity with this Regulation so that they can move freely within the internal market. Member States should not create unjustified obstacles to the placing on the market of products with digital elements that comply with the requirements laid down in this Regulation and bear the CE marking.
Amendment 97 #
Proposal for a regulation
Recital 34 a (new)
Recital 34 a (new)
(34 a) ENISA should be responsible for publishing and maintaining a database of known exploited vulnerabilities. Manufacturers should monitor the database and notify vulnerabilities found in their products.
Amendment 139 #
Proposal for a regulation
Article 3 – paragraph 1 – point 40 a (new)
Article 3 – paragraph 1 – point 40 a (new)
(40 a) 'partly completed products with digital elements' means a tangible item which is unable to function independently and which is only produced with the aim of be incorporated into or assembled with a product with digital elements or other partly completed product with digital elements, and which can only be effectively assessed for its conformity taking into account how it is incorporated into an intended final product with digital elements;
Amendment 141 #
Proposal for a regulation
Article 4 – paragraph 1
Article 4 – paragraph 1
1. Member States shall not impede, for the matters covered by this Regulation, the making available on the market of products with digital elements or partly completed products with digital elements which comply with this Regulation.
Amendment 145 #
Proposal for a regulation
Article 4 – paragraph 2
Article 4 – paragraph 2
2. At trade fairs, exhibitions and demonstrations or similar events, Member States shall not prevent the presentation and use of a product with digital elements or a partly completed product with digital elements which does not comply with this Regulation.
Amendment 152 #
Proposal for a regulation
Article 6 – paragraph 2 – point b
Article 6 – paragraph 2 – point b
(b) the intended use in sensitive environments, including in industrial settingcritical applications in sensitive environments or by essential entities of the type referred to in the Annex [Annex I] to the Directive [Directive XXX/XXXX (NIS2)];
Amendment 163 #
Proposal for a regulation
Article 8 – paragraph 1
Article 8 – paragraph 1
1. Products with digital elements or partly completed products with digital elements classified as high-risk AI systems in accordance with Article [Article 6] of Regulation [the AI Regulation] which fall within the scope of this Regulation, and fulfil the essential requirements set out in Section 1 of Annex I of this Regulation, and where the processes put in place by the manufacturer are compliant with the essential requirements set out in Section 2 of Annex I, shall be deemed in compliance with the requirements related to cybersecurity set out in Article [Article 15] of Regulation [the AI Regulation], without prejudice to the other requirements related to accuracy and robustness included in the aforementioned Article, and in so far as the achievement of the level of protection required by those requirements is demonstrated by the EU declaration of conformity issued under this Regulation.
Amendment 169 #
Proposal for a regulation
Article 9 – paragraph 1
Article 9 – paragraph 1
Machinery products under the scope of Regulation [Machinery Regulation proposal] which are products with digital elements or partly completed products with digital elements within the meaning of this Regulation and for which an EU declaration of conformity has been issued on the basis of this Regulation shall be deemed to be in conformity with the essential health and safety requirements set out in Annex [Annex III, Sections 1.1.9 and 1.2.1] to Regulation [Machinery Regulation proposal], as regards protection against corruption and safety and reliability of control systems, and in so far as the achievement of the level of protection required by those requirements is demonstrated in the EU declaration of conformity issued under this Regulation.
Amendment 192 #
Proposal for a regulation
Article 11 – paragraph 1
Article 11 – paragraph 1
1. The manufacturer shall, without undue delay and in any event within 24 hours of becoming aware of it, notify to ENISA any actively exploited vulnerability contained in the product with digital elements. The notification shall include details concerning that vulnerability and, where applicable, any corrective or mitigating measures taken. ENISA shall, without undue delay, unless for justified cybersecurity risk-related grounds, forward the notification to the CSIRT designated for the purposes of coordinated vulnerability disclosure in accordance with Article [Article X] of Directive [Directive XXX/XXXX (NIS2)] of Member States concerned upon receipt and immediately inform the market surveillance authority about the notified vulnerability. Where a notified vulnerability has no corrective or mitigating measures available, ENISA shall ensure that information about the notified vulnerability is shared in line with strict security protocols and on a need-to-know-basis.
Amendment 196 #
Proposal for a regulation
Article 11 – paragraph 2
Article 11 – paragraph 2
2. The manufacturer shall, without undue delay and in any event within 24 hours of becoming aware of it, by means of an early warning, notify to ENISA of any incident having a significant impact on the security of the product with digital elements. The manufacturer shall without undue delay and in any event within 72 hours of becoming aware of the significant incident related to the product with digital elements further notify ENISA more details on the significant incident. ENISA shall, without undue delay, unless for justified cybersecurity risk-related grounds, forward the notifications to the single point of contact designated in accordance with Article [Article X] of Directive [Directive XXX/XXXX (NIS2)] of the Member States concerned and immediately inform the market surveillance authority about the notified incidents. The incident notification shall include information on the severity and impact of the incident and, where applicable, indicate whether the manufacturer suspects the incident to be caused by unlawful or malicious acts or considers it to have a cross-border impact.
Amendment 222 #
Proposal for a regulation
Article 20 – paragraph 2
Article 20 – paragraph 2
2. The EU declaration of conformity shall have the model structure set out in Annex IV and shall contain the elements specified in the relevant conformity assessment procedures set out in Annex VI. Such a declaration shall be continuously updatedupdated as appropriate. It shall be made available in the language or languages required by the Member State in which the product with digital elements is placed on the market or made available.
Amendment 223 #
Proposal for a regulation
Article 20 a (new)
Article 20 a (new)
Article 20 a EU Declaration of Incorporation for partly completed products with digital elements 1. The EU declaration of incorporation shall be drawn up by manufacturers in accordance with Article 10(7) and state that the fulfilment of the relevant essential requirements set out in Annex I has been demonstrated. 2. The EU declaration of incorporation shall have the model structure set out in Annex IVa (new). Such a declaration shall be updated as appropriate. It shall be made available in the language or languages required by the Member State in which the partly completed product with digital elements is placed on the market or made available. 3. Where a partly completed product with digital elements is subject to more than one Union act requiring an EU declaration of incorporation, a single EU declaration of incorporation shall be drawn up in respect of all such Union acts. That declaration shall contain the identification of the Union acts concerned, including their publication references. 4. The Commission is empowered to adopt delegated acts in accordance with Article 50 to supplement this Regulation by adding elements to the minimum content of the EU declaration of incorporation as set out in Annex IVa (new) to take account of technological developments.
Amendment 224 #
Proposal for a regulation
Article 22 – paragraph 1
Article 22 – paragraph 1
1. The CE marking shall be affixed visibly, legibly and indelibly to the product with digital elements. Where that is not possible or not warranted on account of the nature of the product with digital elements, it shall be affixed to the packaging and to the EU declaration of conformity referred to in Article 20 accompanying the product with digital elements. For products with digital elements which are in the form of software, the CE marking shall be affixed either to the EU declaration of conformity referred to in Article 20 or on the website accompanying the software product. In the latter case, the relevant section of the website shall be easily and directly accessible to consumers.
Amendment 225 #
Proposal for a regulation
Article 22 – paragraph 3
Article 22 – paragraph 3
3. The CE marking shall be affixed before the product with digital elements is placed on the market. It may be followed by a pictogram or any other mark indicating to consumers a special risk or use set out in implementing acts referred to in paragraph 6.
Amendment 226 #
Proposal for a regulation
Article 22 – paragraph 5
Article 22 – paragraph 5
5. Member States shall build upon existing mechanisms to ensure correct and harmonised application of the regime governing the CE marking and shall take appropriate and coordinated action in the event of improper use of that marking. Where the product with digital elements is subject to other Union legislation which also provides for the affixing of the CE marking, the CE marking shall indicate that the product also fulfils the requirements of that other legislation.
Amendment 227 #
Proposal for a regulation
Article 22 – paragraph 6
Article 22 – paragraph 6
6. The Commission may, by means of implementingdelegated acts, lay down technical specifications for labelling schemes, including harmonised labels, pictograms or any other marks related to the security of the products with digital elements, and mechanisms to promote their use. Those implementing among businesses and consumers and to increase public awareness about security of products with digital elements. Those delegated acts shall be adopted in accordance with the examination procedure referred to in Article 51(2)0.
Amendment 229 #
Proposal for a regulation
Article 22 – paragraph 6 a (new)
Article 22 – paragraph 6 a (new)
6 a. A partly completed product with digital elements shall not be marked with the CE marking under this Regulation without prejudice of marking provisions resulting from other applicable Union legislation.
Amendment 234 #
Proposal for a regulation
Article 24 – paragraph 1 – point c a (new)
Article 24 – paragraph 1 – point c a (new)
(c a) a European cybersecurity certification scheme adopted in accordance with Article 18(4) of Regulation (EU) 2019/881.
Amendment 236 #
Proposal for a regulation
Article 24 – paragraph 2 – point b a (new)
Article 24 – paragraph 2 – point b a (new)
(b a) where applicable, a European cybersecurity certification scheme at assurance level ‘substantial’ or ‘high’ pursuant to Regulation (EU) 2019/881.
Amendment 256 #
Proposal for a regulation
Article 41 – paragraph 3
Article 41 – paragraph 3
3. Where relevant, the market surveillance authorities shall cooperate with the national cybersecurity certification authorities designated under Article 58 of Regulation (EU) 2019/881 and exchange information on a regular basis. With respect to the supervision of the implementation of the reporting obligations pursuant to Article 11 of this Regulation, the designated market surveillance authorities shall effectively cooperate with ENISA. The market surveillance authorities may request ENISA to provide technical advice on matters related to the implementation and enforcement of this Regulation, including during investigations in accordance with Article 43.
Amendment 259 #
Proposal for a regulation
Article 41 – paragraph 7
Article 41 – paragraph 7
7. The Commission shall facilitate the regular and structured exchange of experience between designated market surveillance authorities, including via a dedicated administrative cooperation group (ADCO) established under paragraph 11 of this Article.
Amendment 261 #
Proposal for a regulation
Article 41 – paragraph 11
Article 41 – paragraph 11
11. A dedicated administrative cooperation group (ADCO) shall be established for the uniform application of this Regulation, pursuant to Article 30(2) of Regulation (EU) 2019/1020. This ADCOto facilitate structured cooperation in relation to the implementation of this Regulation and to streamline the practices of market surveillance authorities within the Union, pursuant to Article 30(2) of Regulation (EU) 2019/1020. This ADCO shall have, in particular, the tasks referred to in Article 32(2) of Regulation (EU) 2019/1020 and shall be composed of representatives of the designated market surveillance authorities, ENISA and, if appropriate, representatives of single liaison offices. The ADCO shall meet at regular intervals and, where necessary, at the duly justified request of the Commission or ENISA or a Member State and shall coordinate its action with other existing Union activities related to market surveillance and consumer safety and, where relevant, shall cooperate and exchange information with other Union networks, groups and bodies. The ADCO may invite experts and other third parties, including consumer organisations, to attend its meetings.
Amendment 288 #
Proposal for a regulation
Article 49 a (new)
Article 49 a (new)
Amendment 294 #
Proposal for a regulation
Chapter VII a (new)
Chapter VII a (new)
CHAPTER VIIa MEASURES IN SUPPORT OF INNOVATION: Article 53a Regulatory sandboxes 1. The Commission and ENISA, shall establish a European regulatory sandbox with voluntary participation of manufacturers of products with digital elements to: (a) provide for a controlled environment that facilitates the development, testing and validation of the design, development and production of products with digital elements, before their placement on the market or putting into service pursuant to a specific plan; (b) provide practical support to economic operators, including via guidelines and best practices to comply with the essential requirements set out in Annex I. (c) contribute to evidence-based regulatory learning.