Next event: Text adopted by Parliament, 1st reading/single reading 2024/03/12
- Decision by Parliament, 1st reading 2024/03/12
- Debate in Parliament 2024/03/11
- Approval in committee of the text agreed at 1st reading interinstitutional negotiations 2024/01/23
- Coreper letter confirming interinstitutional agreement 2023/12/20
- Text agreed during interinstitutional negotiations 2023/12/20
- Committee decision to enter into interinstitutional negotiations confirmed by plenary (Rule 71) 2023/09/13
- Committee decision to enter into interinstitutional negotiations announced in plenary (Rule 71) 2023/09/11
- Committee report tabled for plenary, 1st reading 2023/07/27
- Vote in committee, 1st reading 2023/07/19
- Committee decision to open interinstitutional negotiations with report adopted in committee 2023/07/19
- Committee opinion 2023/06/30
- Contribution 2023/05/23
- Amendments tabled in committee 2023/05/03
- Amendments tabled in committee 2023/05/03
- Referral to associated committees announced in Parliament 2023/04/20
- Committee draft report 2023/03/31
Progress: Awaiting Council's 1st reading position
Role | Committee | Rapporteur | Shadows |
---|---|---|---|
Lead | ITRE | DANTI Nicola (Renew) | VIRKKUNEN Henna (EPP), COVASSI Beatrice (S&D), CORRAO Ignazio (Verts/ALE), GAZZINI Matteo (ID), TOŠENOVSKÝ Evžen (ECR), BOTENGA Marc (GUE/NGL) |
Committee Opinion | IMCO | LØKKEGAARD Morten (Renew) | Adam BIELAN (ECR), Arba KOKALARI (PPE), Marcel KOLAJA (Verts/ALE), Adriana MALDONADO LÓPEZ (S&D) |
Committee Opinion | LIBE | | |
Lead committee dossier:
Legal Basis:
RoP 57, TFEU 114
Subjects
- 2.10.03 Standardisation, EC/EU standards and trade mark, certification, compliance
- 3.30.06 Information and communication technologies, digital technologies
- 3.30.07 Cybersecurity, cyberspace policy
- 3.30.25 International information networks and society, internet
- 4.60.08 Safety of products and services, product liability
- 6.20.02 Export/import control, trade defence, trade barriers
Events
The Committee on Industry, Research and Energy adopted the report by Nicola DANTI (Renew, IT) on the proposal for a regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020.
The committee responsible recommended that the European Parliament's position adopted at first reading under the ordinary legislative procedure should amend the proposal as follows:
Security updates
The amended text stated that manufacturers should ensure, where technically feasible, that products with digital elements clearly differentiate between security and functionality updates. Security updates, designed to decrease the level of risk or to remedy potential vulnerabilities, should be installed automatically, in particular in the case of consumer products.
Enhancing skills in a cyber resilient digital environment
Members stressed the importance of professional skills in the cybersecurity field, proposing education and training programmes, collaboration initiatives, and strategies for enhancing workforce mobility.
Point of single contact for users
In order to facilitate reporting on the security of products, manufacturers should designate a point of single contact to enable users to communicate directly and rapidly with them, where applicable by electronic means and in a user-friendly manner, including by allowing users of the product to choose the means of communication, which should not solely rely on automated tools.
Manufacturers should make public the information necessary for the end users to easily identify and communicate with their points of single contact.
Guidelines
The amended text included provisions for the Commission to issue guidelines to create clarity, certainty for, and consistency among the practices of economic operators. The Commission should focus on how to facilitate compliance by microenterprises, small enterprises and medium-sized enterprises.
Conformity assessment procedures for products with digital elements
Harmonised standards, common specifications or European cybersecurity certification schemes should be in place for six months before the conformity assessment procedure applies.
Mutual recognition agreements (MRAs)
To promote international trade, the Commission should endeavour to conclude Mutual Recognition Agreements (MRAs) with third countries. The Union should establish MRAs only with third countries that are on a comparable level of technical development and have a compatible approach concerning conformity assessment. The MRAs should ensure the same level of protection as that provided for by this Regulation.
Procedure at EU level concerning products with digital elements presenting a significant cybersecurity risk
Where the Commission has sufficient reason to consider that a product with digital elements presents a significant cybersecurity risk in light of non-technical risk factors, Members considered that it should inform the relevant market surveillance authorities and issue targeted recommendations to economic operators aimed at ensuring that appropriate corrective actions are put in place.
Revenues generated from penalties
The revenues generated from the payments of penalties should be used to strengthen the level of cybersecurity within the Union, including by developing capacity and skills related to cybersecurity, improving economic operators' cyber resilience, in particular that of microenterprises and of small and medium-sized enterprises, and more generally fostering public awareness of cybersecurity issues.
Evaluation and review
Every year when presenting the Draft Budget for the following year, the Commission should submit a detailed assessment of ENISA's tasks under this Regulation as set out in Annex VIa and other relevant Union law and shall detail the financial and human resources needed to fulfil those tasks.
PURPOSE: to lay down a horizontal Union regulatory framework establishing comprehensive cybersecurity requirements for all products with digital elements.
PROPOSED ACT: Regulation of the European Parliament and of the Council.
ROLE OF THE EUROPEAN PARLIAMENT: the European Parliament decides in accordance with the ordinary legislative procedure and on an equal footing with the Council.
BACKGROUND: hardware and software products are increasingly subject to successful cyberattacks, leading to an estimated global annual cost of cybercrime of EUR 5.5 trillion by 2021. Such products suffer from two major problems adding costs for users and the society: (i) a low level of cybersecurity, reflected by widespread vulnerabilities and the insufficient and inconsistent provision of security updates to address them, and (ii) an insufficient understanding and access to information by users, preventing them from choosing products with adequate cybersecurity properties or using them in a secure manner. In a connected environment, a cybersecurity incident in one product can affect an entire organisation or a whole supply chain, often propagating across the borders of the internal market within a matter of minutes. This can lead to severe disruption of economic and social activities or even become life threatening.
While the existing Union legislation applies to certain products with digital elements, there is no horizontal Union regulatory framework establishing comprehensive cybersecurity requirements for all products with digital elements. It is therefore necessary to lay down a uniform legal framework for essential cybersecurity requirements for placing products with digital elements on the Union market.
CONTENT: with this proposal, the Commission seeks to lay down horizontal cybersecurity rules which are not specific to sectors or certain products with digital elements.
Subject matter
Based on the new legislative framework for product legislation in the EU, the proposal establishes:
- rules for the placing on the market of products with digital elements to ensure the cybersecurity of such products;
- essential requirements for the design, development and production of products with digital elements, and obligations for economic operators in relation to these products with respect to cybersecurity;
- essential requirements for the vulnerability handling processes put in place by manufacturers to ensure the cybersecurity of products with digital elements during the whole life cycle, and obligations for economic operators in relation to these processes;
- rules on market surveillance and enforcement of the above-mentioned rules and requirements.
Scope
The draft Regulation applies to products with digital elements whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network. It will not apply to products for which cybersecurity requirements are already set out in existing EU rules, for example on medical devices, aviation or cars.
Objectives
It has two main objectives aiming to ensure the proper functioning of the internal market:
- create conditions for the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and that manufacturers take security seriously throughout a product’s life cycle;
- create conditions allowing users to take cybersecurity into account when selecting and using products with digital elements.
Obligations for manufacturers, importers and distributors
Obligations would be set up for economic operators, starting from manufacturers, up to distributors and importers, in relation to the placement on the market of products with digital elements, as adequate for their role and responsibilities on the supply chain.
The essential cybersecurity requirements and obligations mandate that all products with digital elements shall only be made available on the market if, where duly supplied, properly installed, maintained and used for their intended purpose or under conditions which can be reasonably foreseen, they meet the essential cybersecurity requirements set out in this draft Regulation.
The essential requirements and obligations would mandate manufacturers to factor in cybersecurity in the design and development and production of the products with digital elements, exercise due diligence on security aspects when designing and developing their products, be transparent on cybersecurity aspects that need to be made known to customers, ensure security support (updates) in a proportionate way, and comply with vulnerability handling requirements.
Notification of conformity assessment bodies
Proper functioning of notified bodies is crucial for ensuring a high level of cybersecurity and for the confidence of all interested parties. Therefore, the proposal sets out requirements for national authorities responsible for conformity assessment bodies (notified bodies). Member States will designate a notifying authority that will be responsible for setting up and carrying out the necessary procedures for the assessment and notification of conformity assessment bodies and the monitoring of notified bodies.
Conformity assessment process
Manufacturers should undergo a process of conformity assessment to demonstrate whether the specified requirements relating to a product have been fulfilled. Where compliance of the product with the applicable requirements has been demonstrated, manufacturers and developers would draw up an EU declaration of conformity and will be able to affix the CE marking.
Market surveillance
Member States should appoint market surveillance authorities, which would be responsible for enforcing the Cyber Resilience Act obligations.
In case of non-compliance, market surveillance authorities could require operators to bring the non-compliance to an end and eliminate the risk, to prohibit or restrict the making available of a product on the market, or to order that the product is withdrawn or recalled. Each of these authorities will be able to fine companies that don't adhere to the rules.
Application
To allow manufacturers, notified bodies and Member States time to adapt to the new requirements, the proposed Regulation will become applicable 24 months after its entry into force, except for the reporting obligation on manufacturers, which would apply from 12 months after the date of entry into force.
Documents
- Text adopted by Parliament, 1st reading/single reading: T9-0130/2024
- Decision by Parliament, 1st reading: T9-0130/2024
- Debate in Parliament: Debate in Parliament
- Approval in committee of the text agreed at 1st reading interinstitutional negotiations: PE758.004
- Coreper letter confirming interinstitutional agreement: GEDA/A/(2024)000218
- Text agreed during interinstitutional negotiations: PE758.004
- Committee report tabled for plenary, 1st reading: A9-0253/2023
- Committee opinion: PE742.490
- Contribution: COM(2022)0454
- Amendments tabled in committee: PE746.920
- Amendments tabled in committee: PE746.921
- Committee draft report: PE745.538
- Contribution: COM(2022)0454
- Contribution: COM(2022)0454
- Economic and Social Committee: opinion, report: CES4103/2022
- Contribution: COM(2022)0454
- Document attached to the procedure: OJ C 452 29.11.2022, p. 0023
- Document attached to the procedure: N9-0088/2022
- Document attached to the procedure: EUR-Lex
- Document attached to the procedure: SEC(2022)0321
- Document attached to the procedure: SWD(2022)0282
- Document attached to the procedure: EUR-Lex
- Document attached to the procedure: SWD(2022)0283
- Legislative proposal published: COM(2022)0454
- Legislative proposal published: EUR-Lex
Activities
- Brando BENIFEI
Plenary Speeches (0)
- Heidi HAUTALA
Plenary Speeches (0)
- Seán KELLY
Plenary Speeches (0)
- Stanislav POLČÁK
Plenary Speeches (0)
- Mounir SATOURI
Plenary Speeches (0)