13 Amendments of Carlo FIDANZA related to 2022/0272(COD)
Amendment 57 #
Proposal for a regulation
Recital 7
Recital 7
(7) Under certain conditions, all products with digital elements integrated in or connected to a larger electronic information system can serve as an attack vector for malicious actors. As a result, even hardware and software considered as less critical can facilitate the initial compromise of a device or network, enabling malicious actors to gain privileged access to a system or move laterally across systems. Manufacturers should therefore ensure that all connectable products with digital elements connected to an external network or device are designed and developed in accordance with essential requirements laid down in this Regulation. This includes both products that can be connected to external networks or device physically via hardware interfaces and products that are connected logically, such as via network sockets, pipes, files, application programming interfaces or any other types of software interface. As cybersecurity threats can propagate through various products with digital elements before reaching a certain target, for example by chaining together multiple vulnerability exploits, manufacturers should also ensure the cybersecurity of those products that are only indirectly connected to other devices or networks.
Amendment 58 #
Proposal for a regulation
Recital 7 a (new)
Recital 7 a (new)
(7 a) This Regulation should not apply to the internal networks of a product with digital elements if these networks have dedicated endpoints and are secured from external data connection.
Amendment 59 #
Proposal for a regulation
Recital 7 b (new)
Recital 7 b (new)
(7 b) This Regulation should not apply to spare parts intended solely to replace defective parts of products with digital elements, in order to restore their functionality.
Amendment 72 #
Proposal for a regulation
Recital 13 a (new)
Recital 13 a (new)
(13 a) Agricultural and forestry vehicles in scope of Regulation (EU) 167/2013 of the European Parliament and of the Council fall also in the scope of this Regulation. In order to avoid regulatory overlaps, additional cybersecurity requirements in future amendments of Regulation (EU) 167/2013 should not be foreseen.
Amendment 114 #
Proposal for a regulation
Article 2 – paragraph 1
Article 2 – paragraph 1
1. This Regulation applies to products with digital elements whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to an external device or network.
Amendment 119 #
Proposal for a regulation
Article 2 – paragraph 5 – subparagraph 1 (new)
Article 2 – paragraph 5 – subparagraph 1 (new)
6. This Regulation does not apply to the internal networks of a product with digital elements if these networks have dedicated endpoints and are secured from external data connection.
Amendment 122 #
Proposal for a regulation
Article 2 – paragraph 5 a (new)
Article 2 – paragraph 5 a (new)
5 a. This Regulation shall not apply to spare parts intended solely to replace defective parts of products with digital elements, in order to restore their functionality.
Amendment 131 #
Proposal for a regulation
Article 3 – paragraph 1 – point 11
Article 3 – paragraph 1 – point 11
(11) ‘physical connection’ means any connection between electronic information systems or components implemented using physical means, including through electrical or mechanical interfaces, wires or radio wav or wires;
Amendment 173 #
Proposal for a regulation
Article 10 – paragraph 2
Article 10 – paragraph 2
2. For the purposes of complying with the obligation laid down in paragraph 1, manufacturers shall undertake an assessment of the cybersecurity risks associated with a data connection to an external device or network of a product with digital elements and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases of the product with digital elements with a view to minimising cybersecurity risks, preventing security incidents and minimising the impacts of such incidents, including in relation to the health and safety of users.
Amendment 177 #
Proposal for a regulation
Article 10 – paragraph 6 – subparagraph 1
Article 10 – paragraph 6 – subparagraph 1
When placing a product with digital elements on the market, and forthe manufacturer shall define the expected product lifetime or for a period of five years from the placing of the product on the market, whichever is shorter, manufacturers shall ensure that vulnerabilities of that product are handled effectively and in accordance with the essential requirements set out in Section 2 of Annex I. . In doing so, the manufacturer shall ensure that the expected product lifetime is in line with reasonable consumer expectations and that it promotes sustainability and the need to ensure long-lasting products with digital elements. Manufacturers shall ensure that vulnerabilities of that product are handled effectively and in accordance with the essential requirements set out in Section 2 of Annex I during at least the expected product lifetime or 10 years, whichever is shorter. Where applicable, the expected product lifetime shall be clearly stated on the product, its packaging or be included in contractual agreements.
Amendment 297 #
Proposal for a regulation
Article 55 – paragraph 3 a (new)
Article 55 – paragraph 3 a (new)
3 a. By way of derogation, for products with digital elements falling in scope of Regulation [Machinery Regulation proposal] or Regulation (EU) 167/2013 of the European Parliament and of the Council, the application date referred to Article 57 is extended by [36 months].
Amendment 298 #
Proposal for a regulation
Article 55 – paragraph 3 b (new)
Article 55 – paragraph 3 b (new)
3 b. By way of derogation for products with digital elements falling in scope of Regulation [Machinery Regulation proposal] or Regulation 2013/167, where the annual new sales in the EU of each type are fewer than [1000] units, the application date referred to Article 57 is extended by [60 months].
Amendment 305 #
Proposal for a regulation
Annex I – Part 1 – point 3 – introductory part
Annex I – Part 1 – point 3 – introductory part
(3) On the basis of the cybersecurity risk assessment referred to in Article 10(2) and where applicable, products with digital elements shall: (aa) be placed on the market without any known exploitable vulnerabilities towards an external device or network;