Activities of Evžen TOŠENOVSKÝ related to 2022/0272(COD)
Shadow reports (1)
REPORT on the proposal for a regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020
Amendments (110)
Amendment 124 #
Proposal for a regulation
Title 1
Title 1
Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on horizoessential cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020 (Cyber Resilience Act) (Text with EEA relevance)
Amendment 130 #
Proposal for a regulation
Recital 8 a (new)
Recital 8 a (new)
(8a) Directive (EU) 2022/2555 puts in place cybersecurity and incident reporting requirements for essential and important entities, such as critical infrastructure, with a view to increasing the resilience of the services they provide. It applies to cloud computing services and cloud service models, such as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS) and Network as a Service (NaaS). All entities providing cloud computing services in the Union that meet or exceed the threshold for medium-sized enterprises and the smaller providers of cloud computing services identified in accordance with Article 2(2) fall in the scope of that Directive.
Amendment 132 #
Proposal for a regulation
Recital 9
Recital 9
(9) This Regulation does not regulate the cloud computing services, it ensures a high level of cybersecurity of products with digital elements. It does not regulate services, such as Software-as-a-Service (SaaS), except for remote data processing solutions relating to a product with digital elements understood as any data processing at a distance for which the software is designed and developed by the manufacturer of the product concerned or undThe cloud enabled remote data processing solutions relating to a product with digital elements should be however considered as integral part of the product, only where the responsibility of that manufacturer, and the absence of which would prevent such a product with digital elements from performing one of its functions. [Directive XXX/XXXX (NIS2)] puts in place cybersecurity and incident reporting requirements for essential and important entities, such as critical infrastructure, with a view to increasing the resilience of the services they provide. [Directive XXX/XXXX (NIS2)] applies to cloud computing services and cloud service models, such as SaaS. All entities providing cloud computing services in the Union that meet or exceed the threshold for medium-sized enterprises fall in the scope of that Directivesoftware for remote data processing is designed and developed by or for the manufacturer of the product concerned and is critical for the fundamental functions of the product with digital elements.
Amendment 145 #
Proposal for a regulation
Recital 19
Recital 19
(19) Certain tasks provided for in this Regulation should be carried out by ENISA, in accordance with Article 3(2) of Regulation (EU) 2019/881. In particular, ENISA should receive notifications from manufacturers of actively exploited vulnerabilities contained in products with digital elements, as well asSIRTs should receive notifications from manufacturers of incidents having an impact on the security of those products. ENISACSIRTs should also forward these notifications to the relevant Computer Security Incident Response Teams (CSIRTs) or, respectively, to the relevant single points of contact of the Member States designated in accordance with Article [Article X] of Directive [Directive XXX / XXXX (NIS2)](EU) 2022/2555, and inform the relevant market surveillance authorities about the notified vulnerability. On the basis of the information it gathers, ENISA should prepare a biennial technical report on emerging trends regarding cybersecurity risks in products with digital elements and submit it to the Cooperation Group referred to in Directive [Directive XXX / XXXX (NIS2)](EU) 2022/2555. Furthermore, considering its expertise and mandate, ENISA should be able to support the process for implementation of this Regulation. In particular, it should be able to propose joint activities to be conducted by market surveillance authorities, upon their request, based on indications or information regarding potential non- compliance with this Regulation of products with digital elements across several Member States or identify categories of products for which simultaneous coordinated control actions should be organised. In exceptional circumstances, at the request of the Commission, ENISA should be able to conduct evaluations in respect of specific products with digital elements that present a significant cybersecurity risk, where an immediate intervention is required to preserve the good functioning of the internal market.
Amendment 148 #
Proposal for a regulation
Recital 22
Recital 22
(22) In order to ensure that products with digital elements, when placed on the market, do not pose cybersecurity risks to persons and organisations, essential requirements should be set out for such products. When the products are subsequently modified, by physical or digital means, in a way that is not foreseen by the manufacturer and that may imply that they no longer meet the relevant essential requirements, the modification should be considered as substantial. For example, software updates or repairs could be assimilated to maintenance operations provided that they do not modify a product already placed on the market in such a way that compliance with the applicable requirements may be affected, or that the intended use for which the product has been assessed may be changed. As is the case for physical repairs or modifications, a product with digital elements should be considered as substantially modified by a software change where the software update modifies the original intended functions, type or performance of the product and these changes were not foreseen in the initial risk assesseyond necessary maintenance or security update, by physical or digital means, by the manufacturer and results in modification of the product’s fundamental functions or its intended use and thus significantly affects the relevant essential requirements, or the nature of the hazard has changed or the level of risk has increased because of the software updatemodification should be considered as substantial.
Amendment 151 #
Proposal for a regulation
Recital 23
Recital 23
(23) In line with the commonly established notion of substantial modification for products regulated by Union harmonisation legislation, whenever a substantial modification occurs that may affect the compliance of a product with this Regulation or when the intended purpose of that product changes, it is appropriate that the compliance of the product with digital elements is verified and that, where applicable, it undergoes an updated conformity assessment focusing on the modified elements or new conformity assessment. Where applicable, if the manufacturer undertakes a conformity assessment involving a third party, changes that might lead to substantial modifications should be notified to the third party.
Amendment 157 #
Proposal for a regulation
Recital 26
Recital 26
(26) Critical products with digital elements should be subject to stricter conformity assessment procedures, while keeping a proportionate approach. For this purpose, critical products with digital elements should be divided into two classes, reflecting the level of cybersecurity risk linked to these categories of products. A potential cyber incident involving products in class II might lead to greater negative impacts than an incident involving products in class I, for instance due to the nature of their cybersecurity-related function or intended use in sensitivehighly critical environments, and therefore should undergo a stricter conformity assessment procedure.
Amendment 161 #
Proposal for a regulation
Recital 32
Recital 32
(32) In order to ensure that products with digital elements are secure both at the time of their placing on the market as well as throughout their life-cycle, it is necessary to lay down essential requirements for vulnerability handling and essential cybersecurity requirements relating to the properties of products with digital elements. While manufacturers should comply with all essential requirements related to vulnerability handling and, they should determine which other essential requirements related to the product properties are relevant for the concerned type of product, they should for instance ensure that all their products are delivered without any known exploitablepatched vulnerabilities, they should determine which other essential requirements related to the product properties are relevant for the concerned type of product or that the appropriate impact mitigation such as by security updates before the product is put into service for the first time. For this purpose, manufacturers should undertake an assessment of the cybersecurity risks associated with a product with digital elements to identify relevant risks and relevant essential requirements and in order to appropriately apply suitable harmonised standards or common specificationor international standards.
Amendment 164 #
Proposal for a regulation
Recital 34
Recital 34
(34) To ensure that the national CSIRTs and the single point of contacts designated in accordance with Article [Article X] of Directive [Directive XX/XXXX (NIS2)](EU) 2022/2555 are provided with the information necessary to fulfil their tasks and raise the overall level of cybersecurity of essential and important entities, and to ensure the effective functioning of market surveillance authorities, manufacturers of products with digital elements should notify to ENISA vulnerabilities that are being actively exploitedCSIRTs all fixed vulnerabilities, and on a voluntary basis also unpatched vulnerabilities. As most products with digital elements are marketed across the entire internal market, any exploited vulnerability in a product with digital elements should be considered a threat to the functioning of the internal market. Manufacturers should also considertherefore disclosinge fixed vulnerabilities to the European vulnerability database established under Directive [Directive XX/XXXX (NIS2)] and managed by ENISA or under any other publicly accessible vulnerability database(EU) 2022/2555 and managed by ENISA. Manufacturers should also benefit from coordinated vulnerability disclosure mechanism established under Directive (EU) 2022/2555.
Amendment 167 #
Proposal for a regulation
Recital 35
Recital 35
(35) Manufacturers should also report to ENISA anyCSIRTs any significant incident having an impact on the security of the product with digital elements, and on a voluntary basis any other incident, near miss or cyber threat. Notwithstanding the incident reporting obligations in Directive [Directive XXX/XXXX (NIS2)](EU) 2022/2555 for essential and important entities, it is crucial for CSIRT, ENISA, the single points of contact designated by the Member States in accordance with Article [Article X]8 of Directive [Directive XXX/XXXX (NIS2)](EU) 2022/2555 and the market surveillance authorities to receive information from the manufacturers of products with digital elements allowing them to assess the security of these products. In order to ensure that users can react quickly to incidents having an impact on the security of their products with digital elements, manufacturers should also inform their users about any such incident and, where applicable, about any corrective measures that the users can deploy to mitigate the impact of the incident, for example by publishing relevant information on their websites or, where the manufacturer is able to contact the users and where justified by the risks, by reaching out to the users directly.
Amendment 168 #
Proposal for a regulation
Recital 35 a (new)
Recital 35 a (new)
(35a) The manufacturers of products with digital elements are often in a situation where a particular incident, because of its features, needs to be reported to various authorities as a result of notification obligations included in various legal instruments. Such cases create additional burdens and may also lead to uncertainties with regard to the format and procedures of such notifications. In view of this and, for the purposes of simplifying the reporting of security incidents, Member States should establish a single entry point for all notifications required under this Regulation, Directive (EU) 2022/2555, and possibly also under other Union law such as Regulation (EU) 2016/679 and Directive 2002/58/EC. The Commission should develop and adopt common notification templates by means of implementing acts that would simplify and streamline the reporting information requested by Union law and decrease the burdens for companies.
Amendment 172 #
Proposal for a regulation
Recital 36
Recital 36
(36) Manufacturers of products with digital elements should put in place additional own coordinated vulnerability disclosure policies to facilitate the reporting of vulnerabilities by individuals or entities. A coordinated vulnerability disclosure policy should specify a structured process through which vulnerabilities are reported to a manufacturer in a manner allowing the manufacturer to diagnose and remedy such vulnerabilities before detailed vulnerability information is disclosed to third parties or to the public. Given the fact that information about exploitable vulnerabilities in widely used products with digital elements can be sold at high prices on the black market, manufacturers of such products should be able to use programmes, as part of their coordinated vulnerability disclosure policies, to incentivise the reporting of vulnerabilities by ensuring that individuals or entities receive recognition and compensation for their efforts (so-called ‘bug bounty programmes’).
Amendment 173 #
Proposal for a regulation
Recital 37
Recital 37
(37) In order to facilitate vulnerability analysis, manufacturers should identify and document components contained in the products with digital elements, including for relevant software products by drawing up a software bill of materials. A software bill of materials (SBOMs). A SBOM can provide those who manufacture, purchase, and operate software with information that enhances their understanding of the supply chain, which has multiple benefits, most notably it helps manufacturers and users to track known newly emerged vulnerabilities and risks. It is of particular importance for manufacturers to ensure that their products do not contain vulnerable components developed by third parties.
Amendment 175 #
Proposal for a regulation
Recital 38 a (new)
Recital 38 a (new)
(38a) According to the WTO Agreement on Technical Barriers to Trade, when technical regulations are necessary and relevant international standards exist, WTO Members should use those standards as the basis for their own technical regulations. It is important to avoid duplication of work among standardisation organisations, as international standards are intended to facilitate the harmonisation of national and regional technical regulations and standards, thereby reducing non-tariff technical barriers to trade. Given that cybersecurity is a global issue, the EU should strive for maximum alignment. To achieve this objective, the standardisation request for this Regulation, as set out in Article 10 of Regulation (EU) 1025/2012, should seek to reduce barriers to the acceptance of standards by publishing their references in the Official Journal of the EU, in accordance with Article 10(6) of Regulation (EU) 1025/2012.
Amendment 176 #
Proposal for a regulation
Recital 38 b (new)
Recital 38 b (new)
(38b) Considering the broad scope of this Regulation, the timely development of harmonised standards poses a significant challenge. To enhance the security of products with digital components in the Union market, international standards should be published as a standard providing presumption of conformity.
Amendment 178 #
Proposal for a regulation
Recital 41
Recital 41
Amendment 182 #
Proposal for a regulation
Recital 45
Recital 45
(45) As a general rule the conformity assessment of products with digital elements should be carried out by the manufacturer under its own responsibility following the procedure based on Module A of Decision 768/2008/EC. The manufacturer should retain flexibility to choose a stricter conformity assessment procedure involving a third- party. If the product is classified as a critical product of class I, additional assurance is required to demonstrate conformity with the essential requirements set out in this Regulation. The manufacturer should apply harmonised standards, common specificationsinternational standards, or cybersecurity certification schemes under Regulation (EU) 2019/881 which have been identified by the Commission in an implementing act, if it wants to carry out the conformity assessment under its own responsibility (module A). If the manufacturer does not apply such harmonised standards, common specificationsinternational standards, or cybersecurity certification schemes, the manufacturer should undergo conformity assessment involving a third party. Taking into account the administrative burden on manufacturers and the fact that cybersecurity plays an important role in the design and development phase of tangible and intangible products with digital elements, conformity assessment procedures respectively based on modules B+C or module H of Decision 768/2008/EC have been chosen as most appropriate for assessing the compliance of critical products with digital elements in a proportionate and effective manner. The manufacturer that carries out the third- party conformity assessment can choose the procedure that suits best its design and production process. Given the even greater cybersecurity risk linked with the use of products classified as critical class II products, the conformity assessment should always involve a third party.
Amendment 186 #
Proposal for a regulation
Recital 56
Recital 56
(56) A dedicated administrative cooperation group (ADCO) for cyber resilience of products with digital elements should be established for the uniform application of this Regulation, pursuant to Article 30(2) of Regulation (EU) 2019/1020. This ADCO should be composed of representatives of the designated market surveillance authorities and, if appropriate, representatives of the single liaison offices. The Commission should support and encourage cooperation between market surveillance authorities through the Union Product Compliance Network, established on the basis of Article 29 of Regulation (EU) 2019/1020 and comprising representatives from each Member State, including a representative of each single liaison office referred to in Article 10 of Regulation (EU) 2019/1020 and an optional national expert, the chairs of ADCOs, and representatives from the Commission. The Commission should participate in the meetings of the Network, its sub-groups and this respective ADCO. It should also assist this ADCO by means of an executive secretariat that provides technical and logistic support.
Amendment 193 #
Proposal for a regulation
Recital 63
Recital 63
(63) In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission to: specify the recommended format and elements of the software bill of materials, specify further the type of information, format and procedure of the notifications on actively exploitpatched vulnerabilities and incidents submitted to ENISACSIRTs by the manufacturers, specify the European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 that can be used to demonstrate conformity with the essential requirements or parts therefore as set out in Annex I of this Regulation, adopt common specifications in respect of the essential requirements set out in Annex I, lay down technical specifications for pictograms or any other marks related to the security of the products with digital elements, and mechanisms to promote their use, decide on corrective or restrictive measures at Union level in exceptional circumstances which justify an immediate intervention to preserve the good functioning of the internal market. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council34. _________________ 34 Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the Member States of the Commission's exercise of implementing powers (OJ L 55, 28.2.2011, p.13).
Amendment 194 #
Proposal for a regulation
Recital 65
Recital 65
(65) In order to ensure effective enforcement of the obligations laid down in this Regulation, each market surveillance authority should have the power to impose or request the imposition of administrative fines. Maximum levels for administrative fines to be provided for in national laws for non-compliance with the obligations laid down in this Regulation should therefore be established. When deciding on the amount of the administrative fine in each individual case, all relevant circumstances of the specific situation should be taken into account and as a minimum those explicitly established in this Regulation, including whether the manufacturer is SME, with particular attention payed to micro manufacturers and start-ups, or whether administrative fines have been already applied by other market surveillance authorities to the same operator for similar infringements. Such circumstances can be either aggravating, in situations where the infringement by the same operator persists on the territory of other Member States than the one where an administrative fine has already been applied, or mitigating, in ensuring that any other administrative fine considered by another market surveillance authority for the same economic operator or the same type of breach should already take account, along with other relevant specific circumstances, of a penalty and the quantum thereof imposed in other Member States. In all such cases, the cumulative administrative fine that could be applied by market surveillance authorities of several Member States to the same economic operator for the same type of infringement should ensure the respect of the principle of proportionality.
Amendment 199 #
Proposal for a regulation
Recital 69
Recital 69
(69) Economic operators should be provided with a sufficient time to adapt to the requirements of this Regulation. This Regulation should apply [2460 months] from its entry into force, with the exception of the reporting obligations concerning actively exploited vulnerabilities and incidents, which should apply [124 months] from the entry into force of this Regulation.
Amendment 201 #
Proposal for a regulation
Recital 69 a (new)
Recital 69 a (new)
Amendment 207 #
Proposal for a regulation
Article 2 – paragraph 1
Article 2 – paragraph 1
1. This Regulation applies to products with digital elements placed on the market whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network.
Amendment 210 #
Proposal for a regulation
Article 2 – paragraph 2 – point c a (new)
Article 2 – paragraph 2 – point c a (new)
(ca) Regulation (EU) 2022/2554.
Amendment 215 #
Proposal for a regulation
Article 2 – paragraph 5 a (new)
Article 2 – paragraph 5 a (new)
5a. This Regulation does not apply to any supply of a product with digital elements for distribution and use on the Union market where such supply, distribution, and use exclusively occurs within the same group of companies within the meaning of Article 2(13) of Regulation (EU) 2015/848.
Amendment 221 #
Proposal for a regulation
Article 3 – paragraph 1 – point 1
Article 3 – paragraph 1 – point 1
(1) ‘product with digital elements’ means any software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the market separately;
Amendment 223 #
Proposal for a regulation
Article 3 – paragraph 1 – point 1 a (new)
Article 3 – paragraph 1 – point 1 a (new)
(1a) ‘consumer product with digital elements’ means any product with digital elements’ to be placed on the market with default generic security configuration;
Amendment 224 #
Proposal for a regulation
Article 3 – paragraph 1 – point 1 b (new)
Article 3 – paragraph 1 – point 1 b (new)
(1b) ‘business-to-business product with digital elements’ means any product with digital elements’ to be placed on the market with individual security configuration in accordance with contractual arrangements;
Amendment 225 #
Proposal for a regulation
Article 3 – paragraph 1 – point 2
Article 3 – paragraph 1 – point 2
(2) ‘remote data processing’ means any remote data processing at a distance for which the software is designed and developed by or for the manufacturer or under the responsibility of the manufacturer, and the absence of which would prevent the product with digital elements from performing one of its function, and is critical for the fundamental functions of the product with digital elements;
Amendment 226 #
Proposal for a regulation
Article 3 – paragraph 1 – point 3
Article 3 – paragraph 1 – point 3
Amendment 227 #
Proposal for a regulation
Article 3 – paragraph 1 – point 4
Article 3 – paragraph 1 – point 4
Amendment 229 #
Proposal for a regulation
Article 3 – paragraph 1 – point 6
Article 3 – paragraph 1 – point 6
(6) ‘software’ means the part of an electronic information system which consists of computer code, with exception of software relating to internet websites;
Amendment 231 #
Proposal for a regulation
Article 3 – paragraph 1 – point 16 a (new)
Article 3 – paragraph 1 – point 16 a (new)
(16a) ‘micro, small and medium-sized enterprises’ or ‘SMEs’ means micro, small and medium-sized enterprises as defined in the Annex to Commission Recommendation 2003/361/EC;
Amendment 236 #
Proposal for a regulation
Article 3 – paragraph 1 – point 26
Article 3 – paragraph 1 – point 26
Amendment 238 #
Proposal for a regulation
Article 3 – paragraph 1 – point 31
Article 3 – paragraph 1 – point 31
(31) ‘substantial modification’ means a change by the manufacturer to the product with digital elements following its placing on the market, whichbeyond necessary security and maintenance updates, which results in modification of the product’s fundamental functions or its intended use and thus significantly affects the compliance of the product with digital elements with the essential requirements set out in Section 1 of Annex I or results in a modification to the intended use for which the product with digital elements has been assessed;
Amendment 240 #
Proposal for a regulation
Article 3 – paragraph 1 – point 34 a (new)
Article 3 – paragraph 1 – point 34 a (new)
(34a) ‘international standard’ means an international standard as defined in Article 2, point (1)(a), of Regulation (EU) No 1025/2012;
Amendment 241 #
Proposal for a regulation
Article 3 – paragraph 1 – point 34 b (new)
Article 3 – paragraph 1 – point 34 b (new)
(34b) ‘near miss’ means a near miss as defined in Article 6, point (5), of Directive (EU) 2022/2555;
Amendment 242 #
Proposal for a regulation
Article 3 – paragraph 1 – point 34 c (new)
Article 3 – paragraph 1 – point 34 c (new)
(34c) ‘incident’ means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;
Amendment 243 #
Proposal for a regulation
Article 3 – paragraph 1 – point 36 a (new)
Article 3 – paragraph 1 – point 36 a (new)
(36a) ‘cyber threat’ means a cyber threat as defined in Article 2, point (10), of Regulation (EU) 2019/881;
Amendment 244 #
Proposal for a regulation
Article 3 – paragraph 1 – point 36 b (new)
Article 3 – paragraph 1 – point 36 b (new)
(36b) ‘significant cyber threat’ means a significant cyber threat as defined in Article 2, point (11), of Regulation (EU) 2019/881;
Amendment 245 #
Proposal for a regulation
Article 3 – paragraph 1 – point 37
Article 3 – paragraph 1 – point 37
(37) ‘software bill of materials’ or ‘SBOM’ means a formal record containing details and supply chain relationships of components included in the software elements of a product with digital elements;
Amendment 253 #
Proposal for a regulation
Article 4 – paragraph 3
Article 4 – paragraph 3
3. Member States shall not prevent the making available of unfinished software which does not comply with this Regulation provided that the software is only made available in a non-production version for a limited period required for testing purposes, including software labelled as “beta,” “pre-release,” or “candidate", and that a visible sign clearly indicates that it does not comply with this Regulation and will not be available on the market for purposes other than testing.
Amendment 257 #
Proposal for a regulation
Article 6 – paragraph 2 – introductory part
Article 6 – paragraph 2 – introductory part
2. TOn the basis of the reports referred to in Article 56 and after consulting the Cyber Resilience Expert Group, ADCO, ENISA, and, where necessary, other relevant stakeholders, the Commission is empowered to adopt delegated acts, in accordance with Article 50 to amend Annex III by including in the list of categories of critical products with digital elements a new category or withdrawing an existing one from that list. When assessing the need to amend the list in Annex III, the Commission shall take into account the level of cybersecurity risk related to the category of products with digital elements. In determining the level of cybersecurity risk, one or several of the following criteria shall be taken into account:
Amendment 259 #
Amendment 265 #
Proposal for a regulation
Article 6 – paragraph 5
Article 6 – paragraph 5
Amendment 270 #
Proposal for a regulation
Article 10 – paragraph 1
Article 10 – paragraph 1
1. When placing a product with digital elements on the market, manufacturers shall ensure take reasonable measures that it has been designed, developed and produced in accordance with the essential requirements set out in Section 1 of Annex I.
Amendment 274 #
Proposal for a regulation
Article 10 – paragraph 4
Article 10 – paragraph 4
4. For the purposes of complying with the obligation laid down in paragraph 1, manufacturers shall exercise due diligence when integrating components sourced from third parties in products with digital elements. They shall take reasonable measures ensure that such components do not compromise the security of the product with digital elements.
Amendment 276 #
Proposal for a regulation
Article 10 – paragraph 6 – subparagraph 1
Article 10 – paragraph 6 – subparagraph 1
When placing a product with digital elements on the market, and for the expected product lifetime indicated by the manufacturer, or for a period of five years from the placing of the product on the market, whichever is shorter, manufacturers shall ensure that vulnerabilities of that product are handled effectively and in accordance with the essential requirements set out in Section 2 of Annex I. The Commission may, after consulting the Cyber Resilience Expert Group, ADCO, ENISA, and, where necessary, other relevant stakeholders, by means of implementing acts, specify the format and information of the label for consumer products with digital elements, which might easily indicate the expected lifetime of the product. On top of that, this label might contain additional information enabling consumers to quickly understand the level of security and privacy associated with the product. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 51(2).
Amendment 284 #
Proposal for a regulation
Article 10 – paragraph 7 – subparagraph 1
Article 10 – paragraph 7 – subparagraph 1
Before placing a product with digital elements on the market, manufacturers shall draw up the technical documentation referred to in Article 23. The technical documentation shall be made available by the manufacturers, to the market surveillance authorities or CSIRTs, upon justified request, for the purpose of specific supervisory tasks and incident handling set in this Regulation. Those authorities shall ensure the confidentiality and appropriate protection of the information provided in the technical documentation.
Amendment 288 #
Proposal for a regulation
Article 10 – paragraph 9
Article 10 – paragraph 9
9. Manufacturers shall ensure that procedures are in place for products with digital elements that are part of a series of production to remain in conformity. The manufacturer shall adequately take into account changes in the development and production process or in the design or characteristics of the product with digital elements and changes in the harmonised or international standards, European cybersecurity certification schemes or the common specifications referred to in Article 19 by reference to which the conformity of the product with digital elements is declared or by application of which its conformity is verified. Where new knowledge, techniques, or standards become available, which were not available at the time of design of a serial product, the manufacturer may consider implementing such improvements for future product generations. The manufacturer shall take into account the associated costs and efforts, including the efforts required for development, testing, validation and approval process time.
Amendment 296 #
Proposal for a regulation
Article 10 – paragraph 12
Article 10 – paragraph 12
12. From the placing on the market and for the expected product lifetime indicated by the manufacturer in accordance with paragraph 6 of this Article, or for a period of five years after the placing on the market of a product with digital elements, whichever is shorter, manufacturers who know or have reason to believe that the product with digital elements or the processes put in place by the manufacturer are not in conformity with the essential requirements set out in Annex I shall immediately take the corrective measures necessary to bring that product with digital elements or the manufacturer’s processes into conformity, to withdraw or to recall the product, as appropriate.
Amendment 299 #
Proposal for a regulation
Article 10 – paragraph 13 a (new)
Article 10 – paragraph 13 a (new)
13a. For the purposes of complying with the obligations laid down in this Regulation, manufacturers shall ensure that they use adequate skilled professionals in the field of cybersecurity.
Amendment 302 #
Proposal for a regulation
Article 10 – paragraph 15
Article 10 – paragraph 15
15. The Commission may, by means of implementing actafter consulting the Cyber Resilience Expert Group, ADCO, ENISA, and, where necessary, other relevant stakeholders, by means of guidelines, specify the recommended format and elements of the software bill of materialSBOMs set out in Section 2, point (1), of Annex I. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 51(2), based on international standards and established best practices.
Amendment 304 #
Proposal for a regulation
Article 10 a (new)
Article 10 a (new)
Article10a Reporting of vulnerabilities 1. The manufacturer shall, without undue delay, notify to CSIRT in the Member State of main establishment designated as a coordinator for the purposes of coordinated vulnerability disclosure in accordance with Article 12(1) of Directive 2022/2555 of Member States concerned any patched vulnerability contained in the product with digital elements and may voluntarily notify, where appropriate, also the unpatched vulnerability. The notification shall include details concerning that vulnerability and, where applicable, any corrective or mitigating measures taken, in particular regarding available patches. The mere act of notification of vulnerability shall not subject the notifying manufacturer to increased liability. CSIRT designated as a coordinator shall, without undue delay, unless for justified cybersecurity risk- related grounds, forward the notification to the upon receipt to ENISA and inform the market surveillance authorities concerned about the notified vulnerability. 2. The information about vulnerability shall be stored in a European vulnerability database referred to in Article 12(2) of Directive 2022/2555, maintained by ENISA. That database shall include: (a) information describing the vulnerability; (b) the affected product with digital elements and the severity of the vulnerability in terms of the circumstances under which it may be exploited; (c) the availability of related patches and, in the absence of available patches, guidance provided by the competent authorities or the CSIRTs addressed to users of vulnerable product with digital elements as to how the risks resulting from disclosed vulnerabilities can be mitigated. 3. Natural or legal persons shall be able to report, anonymously where they so request, a vulnerability of product with digital elements to the CSIRT designated as coordinator. The CSIRT designated as coordinator shall without undue delay notify the manufacturer, ensure that diligent follow-up action is carried out with regard to the reported vulnerability and shall ensure the anonymity of the natural or legal person reporting the vulnerability. Where the reporting concerns the manufacturer with main establishment in other Member State, the CSIRT designated as coordinator shall forward it to relevant CSIRT designated as coordinator in that Member State. Where a reported vulnerability could have a significant impact on entities in more than one Member State, the CSIRT designated as coordinator of each Member State concerned shall, where appropriate, cooperate with other CSIRTs designated as coordinators within the CSIRTs network.
Amendment 305 #
Proposal for a regulation
Article 11 – title
Article 11 – title
Reporting obligations of manufacturerf incidents
Amendment 306 #
Proposal for a regulation
Article 11 – paragraph 1
Article 11 – paragraph 1
Amendment 313 #
Proposal for a regulation
Article 11 – paragraph 2
Article 11 – paragraph 2
2. The manufacturer shall notify, without undue delay and in any event within 24 hours of becoming aware of it, notify to ENISA its CSIRT in the Member State of main establishment of any incident thavingt has a significant impact on the security of the product with digital elements as referred to in paragraph 2a (significant incident). ENISA shall, without undue delay, unless for justified cybersecurity risk-related grounds, forward the notifications to the single point of contact designated in accordance with Article [Article X] of Directive [Directive XXX/XXXX (NIS2)] of the Member States concerned and inform the market surveillance authority about the notified incidents. The incident notification shall include information on the severity and impact of the incident and, where applicable, indicate whether the manufacturer suspects the incident to be caused by unlawful or malicious acts or considers it to have a cross-border impact. The mere act of notification shall not subject the notifying manufacturer to increased liability. On a voluntary basis, the manufacturer may notify also other than significant incidents, cyber threats and near misses.
Amendment 317 #
Proposal for a regulation
Article 11 – paragraph 2 a (new)
Article 11 – paragraph 2 a (new)
2a. An incident shall be considered to be significant if: (a) it has caused or is capable of causing severe operational disruption of the design, development, production or functioning of the product with digital elements or financial loss for the manufacturer concerned; (b) it has affected or is capable of affecting other natural or legal persons by causing considerable material or non- material damage.
Amendment 320 #
Proposal for a regulation
Article 11 – paragraph 2 b (new)
Article 11 – paragraph 2 b (new)
Amendment 321 #
Proposal for a regulation
Article 11 – paragraph 2 c (new)
Article 11 – paragraph 2 c (new)
2c. CSIRT shall, without undue delay, unless for justified cybersecurity risk- related grounds, inform the market surveillance authority about the notified incidents and in the case of a cross-border significant incident forward the notifications to the single point of contact designated in accordance with Article 8(3) of Directive (EU) 2022/2555.
Amendment 322 #
Proposal for a regulation
Article 11 – paragraph 3
Article 11 – paragraph 3
3. ENISACSIRT shall submit to the European cyber crisis liaison organisation network (EU-CyCLONe) established by Article 16[Article X] of Directive (EU) 2022/2555 [Directive XXX/XXXX (NIS2)] information notified pursuant to paragraphs 1 and 2 if such information is relevant for the coordinated management of large-scale cybersecurity incidents and crises at an operational level.
Amendment 324 #
Proposal for a regulation
Article 11 – paragraph 4
Article 11 – paragraph 4
4. TWhere appropriate, the manufacturer shall inform, without undue delay and after becoming aware, the users of the product with digital elements about the incidentsignificant incident having major impact on the security of the product concerned, and, where necessary, about corrective measures that the user can deploy to mitigate the impact of the significant incident.
Amendment 328 #
Proposal for a regulation
Article 11 – paragraph 4 a (new)
Article 11 – paragraph 4 a (new)
4a. The CSIRT shall provide, without undue delay and where possible within 24 of receiving the early warning referred to in paragraph 4, point (a), a response to the notifying entity, including initial feedback on the significant incident and, upon request of the entity may provide guidance or operational advice on the implementation of possible mitigation measures. The CSIRT may provide additional technical support if the manufacturer concerned so requests. Where the significant incident is suspected to be of criminal nature, the CSIRT shall provide guidance on reporting the significant incident to law enforcement authorities. CSIRTs may prioritise the processing of mandatory notifications over voluntary notifications, as well as processing of notifications related to critical products with digital elements over other products with digital elements.
Amendment 329 #
Proposal for a regulation
Article 11 – paragraph 4 b (new)
Article 11 – paragraph 4 b (new)
Amendment 330 #
Proposal for a regulation
Article 11 – paragraph 4 c (new)
Article 11 – paragraph 4 c (new)
4c. Where appropriate, and in particular where the significant incident concerns two or more Member States, the CSIRT, the competent authority or the single point of contact shall inform, without undue delay, the other affected Member States and ENISA of the significant incident. Such information shall include the type of information received in accordance with paragraph 2b. In so doing, the CSIRT or the single point of contact shall, in accordance with Union or national law, preserve the entity’s security and commercial interests as well as the confidentiality of the information provided.
Amendment 331 #
Proposal for a regulation
Article 11 – paragraph 4 d (new)
Article 11 – paragraph 4 d (new)
4d. Where public awareness is necessary to prevent a significant incident or to deal with an ongoing significant incident, or where disclosure of the significant incident is otherwise in the public interest, a Member State’s CSIRT or, where applicable, its competent authority, and, where appropriate, the CSIRTs or the competent authorities of other Member States concerned, may, after consulting the entity concerned, inform the public about the significant incident or require the entity to do so
Amendment 332 #
Proposal for a regulation
Article 11 – paragraph 4 e (new)
Article 11 – paragraph 4 e (new)
4e. At the request of the CSIRT or the competent authority, the single point of contact shall forward notifications received pursuant to paragraph 1 to the single points of contact of other affected Member States.
Amendment 334 #
Proposal for a regulation
Article 11 – paragraph 5 a (new)
Article 11 – paragraph 5 a (new)
5a. The Commission may adopt, after consulting stakeholders and CSIRTs Network, by means of implementing acts, further specifying further the type of information, format and the procedure of the a notifications and submitted pursuant to paragraphs 1 and 2 of this Article and of a information submitted pursuant to paragraph 4 of this Article and common notification templates for the single reporting under relevant EU law in accordance with Article 11a. Those implementing acts shall be based, where relevant, on European and international standards and shall be adopted in accordance with the examination procedure referred to in Article 51(2).
Amendment 339 #
Proposal for a regulation
Article 11 a (new)
Article 11 a (new)
Article11a Single Entry Point For the purpose of simplifying reporting and of implementing the automatic and direct reporting and forwarding mechanism under Articles 10a and 11 this Regulation, Directive (EU) 2022/2555, and possibly under other relevant EU legislation, such as Regulation (EU) 2016/679, Member States shall establish and use a single entry point.
Amendment 340 #
Proposal for a regulation
Article 12 – paragraph 1
Article 12 – paragraph 1
1. A manufacturer may appoint an authorised representative(s) for all Member States markets or for specific Member States by a written mandate.
Amendment 363 #
Proposal for a regulation
Article 18 – paragraph 1
Article 18 – paragraph 1
1. Products with digital elements and processes put in place by the manufacturer which are in conformity with harmonised standards or parts thereof the references of which have been published in the Official Journal of the European Union shall be presumed to be in conformity with the essential requirements covered by those standards or parts thereof, set out in Annex I. The Commission shall in accordance with Article 10(1) of Regulation (EU) 1025/2012 request one or more European standardisation organisations to draft harmonised standards for the essential requirements set out in Annex I. When preparing the Standardisation Request for this Regulation, the Commission shall aim for maximum harmonisation with existing or imminent international standards for cybersecurity.
Amendment 364 #
Proposal for a regulation
Article 18 – paragraph 1 a (new)
Article 18 – paragraph 1 a (new)
1a. Products with digital elements and processes put in place by the manufacturer which are in conformity with international standards or parts thereof shall be presumed to be in conformity with the essential requirements covered by those standards or parts thereof, set out in Annex I, where harmonised standards referred to in paragraph 1 of this Article do not exist or where there are undue delays in the standardisation procedure or where the request for harmonised standards by the Commission has not been accepted by the European standardisation organisations.
Amendment 365 #
Proposal for a regulation
Article 18 – paragraph 2
Article 18 – paragraph 2
Amendment 367 #
Proposal for a regulation
Article 19
Article 19
Amendment 376 #
Proposal for a regulation
Article 24 – paragraph 2 – introductory part
Article 24 – paragraph 2 – introductory part
2. Where, in assessing the compliance of the critical product with digital elements of class I as set out in Annex III and the processes put in place by its manufacturer with the essential requirements set out in Annex I, the manufacturer or the manufacturer’s authorised representative has not applied or has applied only in part harmonised standards, common specifications or European cybersecurity certification schemes as referred to in Article 18, or where such harmonised standards, common specifications or European cybersecurity certification schemes or international standards do not exist, the product with digital elements concerned and the processes put in place by the manufacturer shall be submitted with regard to those essential requirements to either of the following procedures:
Amendment 384 #
Proposal for a regulation
Article 24 – paragraph 5
Article 24 – paragraph 5
5. Notified bodies shall take into account the specific interests and needs of small and medium sized enterprises (SMEs) when setting the fees for conformity assessment procedures and reduce those fees proportionately to their specific interests and needs.
Amendment 388 #
Proposal for a regulation
Article 29 – paragraph 7 – point c
Article 29 – paragraph 7 – point c
(c) appropriate knowledge and understanding of the essential requirements set out in Annex I, of the applicable harmonised standards and of the relevant provisions of Union harmonisation legislation and of its implementing acts;
Amendment 392 #
Proposal for a regulation
Article 29 – paragraph 12
Article 29 – paragraph 12
12. Conformity assessment bodies shall operate in accordance with a set of consistent, fair and reasonable terms and conditions in line with Article 37(2), in particular taking into account the interests of SMEs in relation to fees.
Amendment 393 #
Proposal for a regulation
Article 37 – paragraph 2
Article 37 – paragraph 2
2. Conformity assessments shall be carried out in a proportionate manner, avoiding unnecessary burdens for economic operators. Conformity assessment bodies shall perform their activities taking due account of the size of an undertaking, the sector in which it operates, its structure, the degree of complexity and the risk exposure of the product type and technology in question and the mass or serial nature of the production process.
Amendment 394 #
Proposal for a regulation
Article 37 – paragraph 4
Article 37 – paragraph 4
4. Where a notified body finds that requirements laid down in Annex I or in corresponding harmonised standards or in international standards or in common specifications as referred to in Article 19 have not been met by a manufacturer, it shall require that manufacturer to take appropriate corrective measures and shall not issue a conformity certificate.
Amendment 396 #
Proposal for a regulation
Article 41 – paragraph 3
Article 41 – paragraph 3
3. Where relevant, the market surveillance authorities shall cooperate with the national cybersecurity certification authorities designated under Article 58 of Regulation (EU) 2019/881, competent authorities and CSIRTs designated under Articles 8 and 10 of Directive (EU) 2022/2555 and exchange information on a regular basis. With respect to the supervision of the implementation of the reporting obligations pursuant to Articles 10a and 11 of this Regulation, the designated market surveillance authorities shall cooperate with CSIRTs and ENISA.
Amendment 400 #
Proposal for a regulation
Article 41 – paragraph 8
Article 41 – paragraph 8
8. Market surveillance authorities may provide guidance and advice to economic operators on the implementation of this Regulation, with the support of CSIRTS, ENISA and the Commission.
Amendment 402 #
Proposal for a regulation
Article 41 – paragraph 9 a (new)
Article 41 – paragraph 9 a (new)
9a. The Commission shall evaluate the reported data, including the for the purpose of report referred to in Article 41(9). Where the reported data suggest an increased level of non-compliance in specific categories of products, the Commission, after consulting the Expert Group and ADCO, may recommend that all surveillance authorities focus closely on the product categories concerned.
Amendment 403 #
Proposal for a regulation
Article 41 – paragraph 11
Article 41 – paragraph 11
11. A dedicated administrative cooperation group (ADCO) for cyber resilience of products with digital elements shall be established for the uniform application of this Regulation, pursuant to Article 30(2) of Regulation (EU) 2019/1020. This ADCO shall be composed of representatives of the designated market surveillance authorities and, if appropriate, representatives of single liaison offices. In particular, this ADCO shall exchange best practices and, where relevant, cooperate with Cyber Resilience Expert Group, ENISA, Cooperation Group and CSITs Network.
Amendment 408 #
Proposal for a regulation
Article 43 – paragraph 1 – subparagraph 1
Article 43 – paragraph 1 – subparagraph 1
Where the market surveillance authority of a Member State has sufficient reasons to consider that a product with digital elements, including its vulnerability handling, presents a significant cybersecurity risk, it shall carry out, where appropriate in cooperation with CSIRT, an evaluation of the product with digital elements concerned in respect of its compliance with all the requirements laid down in this Regulation. The relevant economic operators shall cooperate as necessary with the market surveillance authority.
Amendment 411 #
Proposal for a regulation
Article 43 – paragraph 1 – subparagraph 2
Article 43 – paragraph 1 – subparagraph 2
Where, in the course of that evaluation, the market surveillance authority finds that the product with digital elements does not comply with the requirements laid down in this Regulation or present threat to national security, it shall without delay require the relevant operator to take all appropriate corrective actions to bring the product into compliance with those requirements, to withdraw it from the market, or to recall it within a reasonable period, commensurate with the nature of the risk, as it may prescribe.
Amendment 413 #
Proposal for a regulation
Article 43 – paragraph 4 – subparagraph 1
Article 43 – paragraph 4 – subparagraph 1
Where the manufacturer of a product with digital elements does not take adequate corrective action within the period referred to in paragraph 1, second subparagraph, or where the relevant Member State authority consider product to present threat to national security, the market surveillance authority shall take all appropriate provisional measures to prohibit or restrict that product being made available on its national market, to withdraw it from that market or to recall it.
Amendment 414 #
Proposal for a regulation
Article 43 – paragraph 5 – point b
Article 43 – paragraph 5 – point b
(b) shortcomings in the harmonised standards, cybersecurity certification schemes, or international standards common specifications, referred to in Article 18.
Amendment 415 #
Proposal for a regulation
Article 43 – paragraph 7
Article 43 – paragraph 7
7. Where, within three months of receipt of the information referred to in paragraph 4, no objection has been raised by either a Member State or the Commission in respect of a provisional measure taken by a Member State, that measure shall be deemed justified. The decision referred to in paragraph 1 of this Article, concerning threat to national security, shall always be deemed justified. This is without prejudice to the procedural rights of the operator concerned in accordance with Article 18 of Regulation (EU) 2019/1020.
Amendment 416 #
Proposal for a regulation
Article 44 – paragraph 5
Article 44 – paragraph 5
Amendment 417 #
Proposal for a regulation
Article 45 – paragraph 1
Article 45 – paragraph 1
1. Where the Commission has sufficient reasons to consider, including based on information provided by the competent authorities of Member States, CSIRTs designated in accordance with Directive (EU) 2022/2555 or ENISA, that a product with digital elements that presents a significant cybersecurity risk is non-compliant with the requirements laid down in this Regulation, it may request the relevant market surveillance authorities to carry out an evaluation of compliance and follow the procedures referred to in Article 43.
Amendment 421 #
Proposal for a regulation
Article 45 – paragraph 2
Article 45 – paragraph 2
2. In exceptional circumstances which justify an immediate intervention to preserve the good functioning of the internal market and where the Commission has sufficient reasons, substantiated by relevant data, to consider that the product referred to in paragraph 1 remains non- compliant with the requirements laid down in this Regulation and no effective measures have been taken by the relevant market surveillance authorities, the Commission may request the relevant Member State authority ENISA to carry out an evaluation of compliance. The Commission shall inform the relevant market surveillance authorities and ENISA accordingly. The relevant economic operators shall cooperate as necessary with ENISA.
Amendment 423 #
Proposal for a regulation
Article 45 – paragraph 3
Article 45 – paragraph 3
3. Based on ENISA’s evaluMember State’s authority evaluation and recommendation, the Commission may decide that a corrective or restrictive measure is necessary at Union level. To this end, it shall without delay consult the Member States concerned and the relevant economic operator or operators.
Amendment 435 #
Proposal for a regulation
Article 49 a (new)
Article 49 a (new)
Amendment 439 #
Proposal for a regulation
Article 50 – paragraph 4
Article 50 – paragraph 4
4. Before adopting a delegated act, the Commission shall launch a public consultation and consult experts designated by each Member State in accordance with principles laid down in the Inter-institutional Agreement of 13 April 2016 on Better Law-Making.
Amendment 446 #
Proposal for a regulation
Article 53 – paragraph 6 – point b a (new)
Article 53 – paragraph 6 – point b a (new)
(ba) whether the manufacturer is SME, with particular attention payed to micro enterprises and start-ups, and whether adequate advice and/or financial support has been provided to them to ensure their compliance with this Regulation;
Amendment 455 #
Proposal for a regulation
Article 57 – paragraph 2
Article 57 – paragraph 2
It shall apply from [2460 months after the date of entry into force of this Regulation]. However, Articles 10a and 11 shall apply from [124 months after the date of entry into force of this Regulation].
Amendment 462 #
Proposal for a regulation
Annex I – Part 1 – point 2
Annex I – Part 1 – point 2
Amendment 465 #
Proposal for a regulation
Annex I – Part 1 – point 3 – point a
Annex I – Part 1 – point 3 – point a
(a) be deliveredconsumer products with digital elements shall be placed on the market with a secure by default configuration, including the possibility to reset the product to its original state; default security configuration; where the above described configuration is not possible in case of business-to-business products with digital elements, they may be configured on the basis of individual contractual arrangements;
Amendment 468 #
(aa) (-a) be placed on the market without any known exploitable vulnerabilities described in the European vulnerability database referred to in Article 12(2) of Directive 2022/2555;
Amendment 476 #
Proposal for a regulation
Annex I – Part 1 – point 3 – point k
Annex I – Part 1 – point 3 – point k
(k) ensure that vulnerabilities in consumer products with digital elements can be addressed through security updates, including, where applicable, through automatic updates and the notification of available updates to userby default, with optional opt-out, and, where applicable, through the notification of available updates to users with optional postponement; where the above described is not possible in case of business-to- business products with digital elements, the mechanism of handling of vulnerabilities may be set in the individual contractual arrangements.
Amendment 481 #
Proposal for a regulation
Annex I – Part 2 – paragraph 1 – point 1
Annex I – Part 2 – paragraph 1 – point 1
(1) identify and document vulnerabilities and components contained in the product, including by drawing up a software bill of materials in a commonly used and machine-readable format covering at the very least the top- level dependencies of the product;
Amendment 482 #
Proposal for a regulation
Annex I – Part 2 – paragraph 1 – point 2
Annex I – Part 2 – paragraph 1 – point 2
(2) in relation to the risks posed to the products with digital elements, address and remediate vulnerabilities without delay, including by providing security updates; where the above described is not possible in case of business-to-business products with digital elements, the procedure for handling of vulnerabilities may be set in the individual contractual arrangements;
Amendment 487 #
Proposal for a regulation
Annex I – Part 2 – paragraph 1 – point 8
Annex I – Part 2 – paragraph 1 – point 8
(8) ensure that, where security patches or updates are available to address identified security issues, they are disseminated without delay and for consumer products with digital elements free of charge, accompanied by advisory messages providing users with the relevant information, including on potential action to be taken; in case of business-to- business products with digital elements the procedures for patching and updating may be set in the individual contractual arrangements.
Amendment 489 #
Proposal for a regulation
Annex II – paragraph 1 – point 1
Annex II – paragraph 1 – point 1
1. the name, registered trade name or registered trade mark of the manufacturer, and the postal address and, the email address and website at which the manufacturer can be contacted, on the product or, where that is not possible, on its packaging or in a document accompanying the product;
Amendment 491 #
Proposal for a regulation
Annex II – paragraph 1 – point 5
Annex II – paragraph 1 – point 5
Amendment 492 #
Proposal for a regulation
Annex II – paragraph 1 – point 6
Annex II – paragraph 1 – point 6
Amendment 544 #
Proposal for a regulation
Annex V – paragraph 1 – point 2 – point a
Annex V – paragraph 1 – point 2 – point a
Amendment 545 #
Proposal for a regulation
Annex V – paragraph 1 – point 2 – point b
Annex V – paragraph 1 – point 2 – point b
(b) complete information and specifications of the vulnerability handling processes put in place by the manufacturer, including the software bill of materials, the the manufacturer’s coordinated vulnerability disclosure policy, evidence of the provision of a contact address for the reporting of the vulnerabilities and a description of the technical solutions chosen for the secure distribution of updates;
Amendment 546 #
Proposal for a regulation
Annex V – paragraph 1 – point 3
Annex V – paragraph 1 – point 3
3. an assess statement of the cybersecurity risks against which the product with digital elements is designed, developed, produced, delivered and maintained as laid down in Article 10 of this Regulation;