Next event: Text adopted by Parliament, 1st reading/single reading 2024/03/12
- Decision by Parliament, 1st reading 2024/03/12
- Debate in Parliament 2024/03/11
- Approval in committee of the text agreed at 1st reading interinstitutional negotiations 2024/01/23
- Coreper letter confirming interinstitutional agreement 2023/12/20
- Text agreed during interinstitutional negotiations 2023/12/20
- Committee decision to enter into interinstitutional negotiations confirmed by plenary (Rule 71) 2023/09/13
- Committee decision to enter into interinstitutional negotiations announced in plenary (Rule 71) 2023/09/11
- Committee report tabled for plenary, 1st reading 2023/07/27
- Vote in committee, 1st reading 2023/07/19
- Committee decision to open interinstitutional negotiations with report adopted in committee 2023/07/19
- Committee opinion 2023/06/30
- Contribution 2023/05/23
Progress: Awaiting Council's 1st reading position
Role | Committee | Rapporteur | Shadows |
---|---|---|---|
Lead | ITRE | DANTI Nicola (Renew) | VIRKKUNEN Henna (EPP), COVASSI Beatrice (S&D), CORRAO Ignazio (Verts/ALE), GAZZINI Matteo (ID), TOŠENOVSKÝ Evžen (ECR), BOTENGA Marc (GUE/NGL) |
Committee Opinion | IMCO | LØKKEGAARD Morten (Renew) | Adam BIELAN (ECR), Arba KOKALARI (PPE), Marcel KOLAJA (Verts/ALE), Adriana MALDONADO LÓPEZ (S&D) |
Committee Opinion | LIBE | | |
Lead committee dossier:
Legal Basis:
RoP 57, TFEU 114
Subjects
- 2.10.03 Standardisation, EC/EU standards and trade mark, certification, compliance
- 3.30.06 Information and communication technologies, digital technologies
- 3.30.07 Cybersecurity, cyberspace policy
- 3.30.25 International information networks and society, internet
- 4.60.08 Safety of products and services, product liability
- 6.20.02 Export/import control, trade defence, trade barriers
Events
The Committee on Industry, Research and Energy adopted the report by Nicola DANTI (Renew, IT) on the proposal for a regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020.
The committee responsible recommended that the European Parliament's position adopted at first reading under the ordinary legislative procedure should amend the proposal as follows:
Security updates
The amended text stated that manufacturers should ensure, where technically feasible, that products with digital elements clearly differentiate between security and functionality updates. Security updates, designed to decrease the level of risk or to remedy potential vulnerabilities, should be installed automatically, in particular in the case of consumer products.
Enhancing skills in a cyber resilient digital environment
Members stressed the importance of professional skills in the cybersecurity field, proposing education and training programmes, collaboration initiatives, and strategies for enhancing workforce mobility.
Point of single contact for users
In order to facilitate reporting on the security of products, manufacturers should designate a point of single contact to enable users to communicate directly and rapidly with them, where applicable by electronic means and in a user-friendly manner, including by allowing users of the product to choose the means of communication, which should not solely rely on automated tools.
Manufacturers should make public the information necessary for the end users to easily identify and communicate with their points of single contact.
Guidelines
The amended text included provisions for the Commission to issue guidelines to provide clarity and certainty for, and consistency among, the practices of economic operators. The Commission should focus on how to facilitate compliance by microenterprises, small enterprises and medium-sized enterprises.
Conformity assessment procedures for products with digital elements
Harmonised standards, common specifications or European cybersecurity certification schemes should be in place for six months before the conformity assessment procedure applies.
Mutual recognition agreements (MRAs)
To promote international trade, the Commission should endeavour to conclude Mutual Recognition Agreements (MRAs) with third countries. The Union should establish MRAs only with third countries that are on a comparable level of technical development and have a compatible approach concerning conformity assessment. The MRAs should ensure the same level of protection as that provided for by this Regulation.
Procedure at EU level concerning products with digital elements presenting a significant cybersecurity risk
Where the Commission has sufficient reason to consider that a product with digital elements presents a significant cybersecurity risk in light of non-technical risk factors, Members considered that it should inform the relevant market surveillance authorities and issue targeted recommendations to economic operators aimed at ensuring that appropriate corrective actions are put in place.
Revenues generated from penalties
The revenues generated from the payments of penalties should be used to strengthen the level of cybersecurity within the Union, including by developing capacity and skills related to cybersecurity, improving economic operators' cyber resilience, in particular that of microenterprises and of small and medium-sized enterprises, and more generally fostering public awareness of cybersecurity issues.
Evaluation and review
Every year when presenting the Draft Budget for the following year, the Commission should submit a detailed assessment of ENISA's tasks under this Regulation as set out in Annex VIa and other relevant Union law and shall detail the financial and human resources needed to fulfil those tasks.
PURPOSE: to lay down a horizontal Union regulatory framework establishing comprehensive cybersecurity requirements for all products with digital elements.
PROPOSED ACT: Regulation of the European Parliament and of the Council.
ROLE OF THE EUROPEAN PARLIAMENT: the European Parliament decides in accordance with the ordinary legislative procedure and on an equal footing with the Council.
BACKGROUND: hardware and software products are increasingly subject to successful cyberattacks, leading to an estimated global annual cost of cybercrime of EUR 5.5 trillion by 2021. Such products suffer from two major problems adding costs for users and society: (i) a low level of cybersecurity, reflected by widespread vulnerabilities and the insufficient and inconsistent provision of security updates to address them, and (ii) insufficient understanding of, and access to, information by users, preventing them from choosing products with adequate cybersecurity properties or using them in a secure manner. In a connected environment, a cybersecurity incident in one product can affect an entire organisation or a whole supply chain, often propagating across the borders of the internal market within a matter of minutes. This can lead to severe disruption of economic and social activities or even become life threatening.
While the existing Union legislation applies to certain products with digital elements, there is no horizontal Union regulatory framework establishing comprehensive cybersecurity requirements for all products with digital elements. It is therefore necessary to lay down a uniform legal framework for essential cybersecurity requirements for placing products with digital elements on the Union market.
CONTENT: with this proposal, the Commission seeks to lay down horizontal cybersecurity rules which are not specific to sectors or certain products with digital elements.
Subject matter
Based on the new legislative framework for product legislation in the EU, the proposal establishes:
- rules for the placing on the market of products with digital elements to ensure the cybersecurity of such products;
- essential requirements for the design, development and production of products with digital elements, and obligations for economic operators in relation to these products with respect to cybersecurity;
- essential requirements for the vulnerability handling processes put in place by manufacturers to ensure the cybersecurity of products with digital elements during the whole life cycle, and obligations for economic operators in relation to these processes;
- rules on market surveillance and enforcement of the above-mentioned rules and requirements.
Scope
The draft Regulation applies to products with digital elements whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network. It will not apply to products for which cybersecurity requirements are already set out in existing EU rules, for example on medical devices, aviation or cars.
Objectives
It has two main objectives aiming to ensure the proper functioning of the internal market:
- create conditions for the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and that manufacturers take security seriously throughout a product’s life cycle;
- create conditions allowing users to take cybersecurity into account when selecting and using products with digital elements.
Obligations for manufacturers, importers and distributors
Obligations would be set up for economic operators, starting from manufacturers, up to distributors and importers, in relation to the placement on the market of products with digital elements, as adequate for their role and responsibilities on the supply chain.
The essential cybersecurity requirements and obligations mandate that all products with digital elements shall only be made available on the market if, where duly supplied, properly installed, maintained and used for their intended purpose or under conditions which can be reasonably foreseen, they meet the essential cybersecurity requirements set out in this draft Regulation.
The essential requirements and obligations would mandate manufacturers to factor in cybersecurity in the design, development and production of products with digital elements, exercise due diligence on security aspects when designing and developing their products, be transparent on cybersecurity aspects that need to be made known to customers, ensure security support (updates) in a proportionate way, and comply with vulnerability handling requirements.
Notification of conformity assessment bodies
Proper functioning of notified bodies is crucial for ensuring a high level of cybersecurity and for the confidence of all interested parties. Therefore, the proposal sets out requirements for national authorities responsible for conformity assessment bodies (notified bodies). Member States will designate a notifying authority that will be responsible for setting up and carrying out the necessary procedures for the assessment and notification of conformity assessment bodies and the monitoring of notified bodies.
Conformity assessment process
Manufacturers should undergo a process of conformity assessment to demonstrate whether the specified requirements relating to a product have been fulfilled. Where compliance of the product with the applicable requirements has been demonstrated, manufacturers and developers would draw up an EU declaration of conformity and will be able to affix the CE marking.
Market surveillance
Member States should appoint market surveillance authorities, which would be responsible for enforcing the Cyber Resilience Act obligations.
In case of non-compliance, market surveillance authorities could require operators to bring the non-compliance to an end and eliminate the risk, to prohibit or restrict the making available of a product on the market, or to order that the product is withdrawn or recalled. Each of these authorities will be able to fine companies that don't adhere to the rules.
Application
To allow manufacturers, notified bodies and Member States time to adapt to the new requirements, the proposed Regulation will become applicable 24 months after its entry into force, except for the reporting obligation on manufacturers, which would apply from 12 months after the date of entry into force.
Documents
- Text adopted by Parliament, 1st reading/single reading: T9-0130/2024
- Decision by Parliament, 1st reading: T9-0130/2024
- Debate in Parliament
- Approval in committee of the text agreed at 1st reading interinstitutional negotiations: PE758.004
- Coreper letter confirming interinstitutional agreement: GEDA/A/(2024)000218
- Text agreed during interinstitutional negotiations: PE758.004
- Committee report tabled for plenary, 1st reading: A9-0253/2023
- Committee opinion: PE742.490
- Contribution: COM(2022)0454
- Amendments tabled in committee: PE746.920
- Amendments tabled in committee: PE746.921
- Committee draft report: PE745.538
- Economic and Social Committee: opinion, report: CES4103/2022
- Document attached to the procedure: OJ C 452 29.11.2022, p. 0023
- Document attached to the procedure: N9-0088/2022
- Document attached to the procedure: SEC(2022)0321
- Document attached to the procedure: SWD(2022)0282
- Document attached to the procedure: SWD(2022)0283
- Legislative proposal published: COM(2022)0454
Amendments | Dossier | Date | Committee |
---|---|---|---|
291 | 2022/0272(COD) | 2023/04/28 | IMCO |
Amendment 100 #
Proposal for a regulation Recital 35 (35) Manufacturers should also report to
Amendment 101 #
Proposal for a regulation Recital 38 (38) In order to facilitate assessment of conformity with the requirements laid down by this Regulation, there should be a presumption of conformity for products with digital elements which are in conformity with harmonised standards, which translate the essential requirements
Amendment 102 #
Proposal for a regulation Recital 45 (45) As a general rule the requirements for the conformity assessment of products with digital elements should be risk-based and to that regard in many cases the assessment could be carried out by the manufacturer under its own responsibility following the procedure based on Module A of Decision 768/2008/EC. The manufacturer should retain flexibility to choose a stricter conformity assessment procedure involving a third-party. If the product is classified as a critical product of class I, additional assurance is required to demonstrate conformity with the essential requirements set out in this Regulation. The manufacturer should apply harmonised standards, common specifications or cybersecurity certification schemes under Regulation (EU) 2019/881 which have been identified by the Commission in an implementing act, if it wants to carry out the conformity assessment under its own responsibility (module A). If the manufacturer does not apply such harmonised standards, common specifications or cybersecurity certification schemes, the manufacturer should undergo conformity assessment involving a third party. Taking into account the administrative burden on manufacturers and the fact that cybersecurity plays an important role in the design and development phase of tangible and intangible products with digital elements, conformity assessment procedures respectively based on modules B+C or module H of Decision 768/2008/EC have been chosen as most appropriate for assessing the compliance of critical products with digital elements in a proportionate and effective manner. The manufacturer that carries out the third- party conformity assessment can choose the procedure that suits best its design and production process. Given the even greater cybersecurity risk linked with the use of products classified as critical class II products, the conformity assessment should
Amendment 103 #
Proposal for a regulation Recital 45 (45) As a general rule the conformity assessment of products with digital elements should be carried out by the manufacturer under its own responsibility following the procedure based on Module A of Decision 768/2008/EC. The manufacturer should retain flexibility to choose a stricter conformity assessment procedure involving a third-party. If the product is classified as a critical product of class I, additional assurance is required to demonstrate conformity with the essential requirements set out in this Regulation. The manufacturer should apply harmonised standards
Amendment 104 #
Proposal for a regulation Recital 56 a (new) (56 a) In order for SMEs to be able to cope with the new obligations imposed by this Regulation, the Commission should provide them with relevant guidelines.
Amendment 105 #
Proposal for a regulation Recital 62 (62) In order to ensure that the regulatory framework can be adapted where necessary, the power to adopt acts in accordance with Article 290 of the Treaty
Amendment 106 #
Proposal for a regulation Recital 63 (63) In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission to: specify the format and elements of the software bill of materials, specify further the type of information, format and procedure of the notifications on actively exploited vulnerabilities and incidents submitted to ENISA by the manufacturers, based on industry best practices, specify the European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 that can be used to demonstrate conformity with the essential requirements or parts therefore as set out in Annex I of this Regulation, adopt common specifications in respect of the essential requirements set out in Annex I, lay down technical specifications for pictograms or any other marks related to the security of the products with digital elements, and mechanisms to promote their use, decide on corrective or restrictive measures at Union level in exceptional circumstances which justify an immediate intervention to preserve the good functioning of the internal market. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council [34].
[34] Regulation (EU) No 182/2011 of the
Amendment 107 #
Proposal for a regulation Recital 69 (69) Economic operators should be provided with a sufficient time to adapt to the requirements of this Regulation. This Regulation should apply [12
Amendment 108 #
Proposal for a regulation Recital 69 (69) Economic operators should be provided with a sufficient time to adapt to the requirements of this Regulation. This Regulation should apply [
Amendment 109 #
Proposal for a regulation Recital 71 a (new) (71 a) The Commission shall present easy-to-understand guidelines for businesses with the requirements of this Regulation. When developing such guidelines, the Commission should take into consideration needs of SMEs so as to keep administrative and financial burdens to a minimum while facilitating their compliance with this Regulation. The Commission should consult relevant stakeholders, with expertise in the field of cybersecurity.
Amendment 110 #
Proposal for a regulation Recital 71 b (new) (71 b) Where third party assessment is mandated, such assessment should take into account: the similarity of products with digital elements by accepting one product as representative of a family or category of products for assessment purposes due to them having equitable hardware and/or software; reciprocity to eliminate duplication by accepting of other entities’ assessments or certification (e.g. recognition of assessments from qualified bodies outside the Union; reuse of certifications); deltas in order to only focus on additional requirements not covered by other entities’ assessments and not reassessing the whole set; attestation in order to accept assessments from the manufacturer for certain aspects of the wider third-party assessment; and maintenance to allow certain changes or software updates to the product without requiring reassessment. In particular, software updates that do not weaken the security posture of the product should not be considered as justifiable to require reassessment.
Amendment 111 #
Proposal for a regulation Article 1 – paragraph 1 – introductory part The objective of this Regulation is to provide for a high level of consumer protection by protecting the confidentiality, integrity and availability of information in products with digital elements. This Regulation lays down:
Amendment 112 #
Proposal for a regulation Article 1 – paragraph 1 – point d (d) rules on market monitoring, market surveillance and
Amendment 113 #
Proposal for a regulation Article 2 – paragraph 1 1. This Regulation applies to products with digital elements placed on the market whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a
Amendment 114 #
Proposal for a regulation Article 2 – paragraph 1 1. This Regulation applies to products with digital elements whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to an external device or network.
Amendment 115 #
Proposal for a regulation Article 2 – paragraph 2 – point c a (new) (c a) Regulation (EU) 2022/2554;
Amendment 116 #
Proposal for a regulation Article 2 – paragraph 2 – point c b (new) (c b) Directive (EU) 2022/2555.
Amendment 117 #
Proposal for a regulation Article 2 – paragraph 3 a (new) 3 a. This Regulation shall not apply to software provided under free and open- source licences, including its source code and modified versions, except when such software is provided as a paid or monetised product. The compliance of free and open-source components of products shall be ensured by the manufacturer of the product.
Amendment 118 #
Proposal for a regulation Article 2 – paragraph 4 – subparagraph 2
Amendment 119 #
Proposal for a regulation Article 2 – paragraph 5 – subparagraph 1 (new) 6. This Regulation does not apply to the internal networks of a product with digital elements if these networks have dedicated endpoints and are secured from external data connection.
Amendment 120 #
Proposal for a regulation Article 2 – paragraph 5 a (new) 5 a. This Regulation does not apply to freeware and open-source software unless: (a) the developer or a third-party has agreed to the provision of technical support services, either with a user, or with a manufacturer who wishes to use the software as a component in their own products. (b) the software is provided in the course of commercial activity, either by: (i) charging a price for a product; (ii) providing a software platform reliant on other services which the manufacturer monetises; (iii) using personal data generated by the software for reasons other than exclusively for improving the security, compatibility or interoperability of the software.
Amendment 121 #
Proposal for a regulation Article 2 – paragraph 5 a (new) 5 a. This Regulation does not apply to any supply of a product with digital elements for distribution and use on the Union market where such supply, distribution, and use exclusively occurs within the same group of companies within the meaning of Article 2(13) of Regulation (EU) 2015/848.
Amendment 122 #
Proposal for a regulation Article 2 – paragraph 5 a (new) 5 a. This Regulation shall not apply to spare parts intended solely to replace defective parts of products with digital elements, in order to restore their functionality.
Amendment 123 #
Proposal for a regulation Article 3 – paragraph 1 – point 1 (1) ‘product with digital elements’ means any software or hardware product
Amendment 124 #
Proposal for a regulation Article 3 – paragraph 1 – point 1 (1) ‘product with digital elements’ means any software or hardware product
Amendment 125 #
Proposal for a regulation Article 3 – paragraph 1 – point 1 a (new) (1 a) 'partly completed products with digital elements’ means an assembly which cannot in itself function so as to perform a specific application and which is only intended to be incorporated into or assembled with a product with digital elements or other partly completed product with digital elements, thereby forming a product with digital elements;
Amendment 126 #
Proposal for a regulation Article 3 – paragraph 1 – point 2
Amendment 127 #
Proposal for a regulation Article 3 – paragraph 1 – point 4 a (new) (4 a) ‘consumer’ means any natural person who, under the circumstances regulated by this Regulation, is acting for purposes which are outside their trade, business, craft or profession;
Amendment 128 #
Proposal for a regulation Article 3 – paragraph 1 – point 6 (6) ‘software’ means the part of an electronic information system which consists of computer code, with exception of software relating to the Internet websites;
Amendment 129 #
Proposal for a regulation Article 3 – paragraph 1 – point 6 a (new) (6 a) 'freeware' means proprietary software that is provided at no cost to the user, but cannot be distributed, studied, changed, improved, integrated into other products or provided as a service without the consent of the author;
Amendment 130 #
Proposal for a regulation Article 3 – paragraph 1 – point 6 b (new) (6 b) ‘open-source software’ means software distributed under a licence which allows users to run, copy, distribute, study, change and improve it freely, as well as to integrate it as a component in other products, provide it as a service, or provide commercial support for it;
Amendment 131 #
Proposal for a regulation Article 3 – paragraph 1 – point 11 (11) ‘physical connection’ means any connection between electronic information systems or components implemented using physical means, including through electrical or mechanical interfaces
Amendment 132 #
Proposal for a regulation Article 3 – paragraph 1 – point 18 (18) ‘manufacturer’ means any natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under his or her name or trademark, whether for payment or
Amendment 133 #
Proposal for a regulation Article 3 – paragraph 1 – point 23 (23) ‘making available on the market’ means any supply of a product with digital elements for distribution or use on the Union market in the course of a commercial activity,
Amendment 134 #
Proposal for a regulation Article 3 – paragraph 1 – point 23 a (new) (23 a) ‘recall’ means recall as defined in Article 3, point (22) of Regulation (EU) 2019/1020;
Amendment 135 #
Proposal for a regulation Article 3 – paragraph 1 – point 26
Amendment 136 #
Proposal for a regulation Article 3 – paragraph 1 – point 31 (31) ‘substantial modification’ means a change to the product with digital elements following its placing on the market, which
Amendment 137 #
Proposal for a regulation Article 3 – paragraph 1 – point 31 (31) ‘substantial modification’ means a change to the product with digital elements, excluding security and maintenance updates, following its placing on the market, which affects the compliance of the product with digital elements with the essential requirements set out in Section 1 of Annex I or results in a modification to the intended use for which the product with digital elements has been assessed;
Amendment 138 #
Proposal for a regulation Article 3 – paragraph 1 – point 39 (39) ‘actively exploited vulnerability’ means a patched vulnerability for which there is reliable evidence that execution of malicious code was performed by an actor on a system without permission of the system owner;
Amendment 139 #
Proposal for a regulation Article 3 – paragraph 1 – point 40 a (new) (40 a) 'partly completed products with digital elements' means a tangible item which is unable to function independently and which is only produced with the aim of being incorporated into or assembled with a product with digital elements or other partly completed product with digital elements, and which can only be effectively assessed for its conformity taking into account how it is incorporated into an intended final product with digital elements;
Amendment 140 #
Proposal for a regulation Article 3 – paragraph 1 – point 40 a (new) (40 a) ‘life-cycle’ means the period from the moment that product covered by this Regulation is placed on the market or put into service until the moment that it is discarded, including the effective time when it is capable of being used and the phases of transport, assembly, dismantling, disabling, scrapping or other physical or digital modifications foreseen by the manufacturer;
Amendment 141 #
Proposal for a regulation Article 4 – paragraph 1 1. Member States shall not impede, for the matters covered by this Regulation, the making available on the market of products with digital elements or partly completed products with digital elements which comply with this Regulation.
Amendment 142 #
Proposal for a regulation Article 4 – paragraph 1 1. Member States shall not impede, for the matters covered by this Regulation, the making available on the market of products with digital elements or partly completed products with digital elements which comply with this Regulation.
Amendment 143 #
Proposal for a regulation Article 4 – paragraph 2 2. At trade fairs, exhibitions and demonstrations or similar events, Member States shall not prevent the presentation and use of a product with digital elements which does not comply with this Regulation provided that the product is used exclusively for exhibition purposes within the course of such event and that a visible sign clearly indicates that it does not comply with this Regulation.
Amendment 144 #
Proposal for a regulation Article 4 – paragraph 2 2.
Amendment 145 #
Proposal for a regulation Article 4 – paragraph 2 2. At trade fairs, exhibitions and demonstrations or similar events, Member States shall not prevent the presentation and use of a product with digital elements or a partly completed product with digital elements which does not comply with this Regulation.
Amendment 146 #
Proposal for a regulation Article 4 – paragraph 2 2. At trade fairs, exhibitions and demonstrations or similar events, Member States shall not prevent the presentation and use of a product with digital elements or partly completed products with digital elements which do
Amendment 147 #
Proposal for a regulation Article 4 – paragraph 3
Amendment 148 #
Proposal for a regulation Article 4 – paragraph 3 3. Member States shall not prevent the making available of unfinished software which does not comply with this Regulation provided that the software is only made available
Amendment 149 #
Proposal for a regulation Article 5 – paragraph 1 – point 1 (1) they meet the essential requirements set out in Section 1 of Annex I, under the condition that they are properly installed, maintained, used for their intended purpose or under conditions which can reasonably be foreseen, and
Amendment 150 #
Proposal for a regulation Article 5 – paragraph 1 – point 1 (1) they meet the essential requirements set out in Section 1 of Annex I, under the condition that they are properly installed, maintained, used for their intended purpose or under conditions which can reasonably be foreseen,
Amendment 151 #
Proposal for a regulation Article 6 – paragraph 2 – introductory part 2. The Commission is empowered to adopt delegated acts in accordance with Article 50 to amend Annex III by including in the list of categories of critical products with digital elements a new category or withdrawing an existing one from that list 48 months after the start of application of this Regulation and every 5 years thereafter. When assessing the need to amend the list in Annex III, the Commission shall take into account the level of cybersecurity risk related to the category of products with digital elements. In determining the level of cybersecurity risk, one or several of the following criteria shall be taken into account:
Amendment 152 #
Proposal for a regulation Article 6 – paragraph 2 – point b (b) the intended use in
Amendment 153 #
Proposal for a regulation Article 6 – paragraph 2 – point c (c) the intended use and scale of performing critical or sensitive functions, such as the volume of processing of personal data
Amendment 154 #
Proposal for a regulation Article 6 – paragraph 3
Amendment 155 #
Proposal for a regulation Article 6 – paragraph 3 3. The Commission is empowered to adopt a delegated act in accordance with Article 50 to supplement this Regulation by specifying the definitions of the product categories under class I and class II as set out in Annex III. The delegated act shall be adopted [by
Amendment 156 #
Proposal for a regulation Article 6 – paragraph 3 3. The Commission is empowered to adopt a delegated act in accordance with Article 50 to supplement this Regulation by specifying the definitions of the product categories under class I and class II as set out in Annex III. The delegated act shall be adopted [by
Amendment 157 #
Proposal for a regulation Article 6 – paragraph 4 4. Critical products with digital elements shall be subject to the conformity assessment procedures referred to in Article 24(2) and (3). By exception, small and micro enterprises can use the procedure referred to in Article 24(2).
Amendment 158 #
Proposal for a regulation Article 6 – paragraph 4 4. Critical products with digital elements shall be subject to the conformity assessment procedures referred to in Article 24
Amendment 159 #
Proposal for a regulation Article 6 – paragraph 5
Amendment 160 #
Proposal for a regulation Article 6 – paragraph 5 – introductory part 5. The Commission is empowered to
Amendment 161 #
Proposal for a regulation Article 7 – paragraph 1
Amendment 162 #
Proposal for a regulation Article 7 – paragraph 1
Amendment 163 #
Proposal for a regulation Article 8 – paragraph 1 1. Products with digital elements or partly completed products with digital elements classified as high-risk AI systems in accordance with Article [Article 6] of Regulation [the AI Regulation] which fall within the scope of this Regulation, and fulfil the essential requirements set out in Section 1 of Annex I of this Regulation, and where the processes put in place by the manufacturer are compliant with the essential requirements set out in Section 2
Amendment 164 #
Proposal for a regulation Article 8 – paragraph 2
Amendment 165 #
Proposal for a regulation Article 8 – paragraph 2 2. For the products and cybersecurity requirements referred to in paragraph 1, the relevant conformity assessment procedure as required by
Amendment 166 #
Proposal for a regulation Article 8 – paragraph 3
Amendment 167 #
Proposal for a regulation Article 8 – paragraph 3
Amendment 168 #
Proposal for a regulation Article 9 – paragraph 1
Amendment 169 #
Proposal for a regulation Article 9 – paragraph 1 Machinery products under the scope of Regulation [Machinery Regulation proposal] which are products with digital elements or partly completed products with digital elements within the meaning of this Regulation and for which an EU declaration of conformity has been issued on the basis of this Regulation shall be deemed to be in conformity with the essential health and safety requirements set out in Annex [Annex III, Sections 1.1.9 and 1.2.1] to Regulation [Machinery Regulation proposal], as regards protection against corruption and safety and reliability of control systems, and in so far as the achievement of the level of protection required by those requirements is demonstrated in the EU declaration of conformity issued under this Regulation.
Amendment 170 #
Proposal for a regulation Article 9 – paragraph 1 a (new) By derogation from paragraph 1, products with digital elements which are also machinery products that fall within the categories listed in Annex I of Regulation [Machinery Regulation proposal], shall be subject to the specific conformity assessment procedures as required by Article 21(2) and (3) of Regulation [Machinery Regulation proposal].
Amendment 171 #
Proposal for a regulation Article 10 – paragraph -1 (new) -1. Software manufacturers which qualify as a microenterprise as defined in Commission Recommendation 2003/361/EC shall make best efforts to comply with the requirements in this Regulation during the 18 months from placing software on the market.
Amendment 172 #
Proposal for a regulation Article 10 – paragraph 1 1. When placing a product with digital elements on the market, manufacturers shall take reasonable measures to ensure that it has been designed, developed and produced in accordance with the essential requirements set out in Section 1 of Annex I.
Amendment 173 #
Proposal for a regulation Article 10 – paragraph 2 2. For the purposes of complying with the obligation laid down in paragraph 1, manufacturers shall undertake an assessment of the cybersecurity risks associated with a data connection to an external device or network of a product with digital elements and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases of the product with digital elements with a view to minimising cybersecurity risks, preventing security incidents and minimising the impacts of such incidents, including in relation to the health and safety of users.
Amendment 174 #
Proposal for a regulation Article 10 – paragraph 3 3. When placing a product with digital elements on the market, the manufacturer shall include a cybersecurity risk assessment in the technical documentation as set out in Article 23 and Annex V in a manner suitable for distribution of that component and which does not limit the options for further making available of the component. For products with digital elements referred to in Articles 8 and 24(4) that are also subject
Amendment 175 #
Proposal for a regulation Article 10 – paragraph 4 4. For the purposes of complying with the obligation laid down in paragraph 1, manufacturers shall exercise due diligence when integrating components sourced from third parties in products with digital elements.
Amendment 176 #
Proposal for a regulation Article 10 – paragraph 4 4. For the purposes of complying with the obligation laid down in paragraph 1, manufacturers shall exercise due diligence when integrating components sourced from third parties in products with digital elements. They shall take reasonable measures to ensure that such components do not compromise the security of the product with digital elements.
Amendment 177 #
Proposal for a regulation Article 10 – paragraph 6 – subparagraph 1 When placing a product with digital elements on the market,
Amendment 178 #
Proposal for a regulation Article 10 – paragraph 6 – subparagraph 1 When placing a product with digital elements on the market, and for the expected product lifetime or for a period of five years from the placing of the product on the market, whichever is shorter, manufacturers shall ensure that vulnerabilities of that product are handled effectively and in accordance with the essential requirements set out in Section 2 of Annex I. When the expected product lifetime is shorter than 5 years, and the manufacturer is unable to continue to ensure that vulnerabilities of the product are handled effectively and in accordance with the essential requirements set out in Section 2 of Annex I, it shall publish the source code under a free and open source licence.
Amendment 179 #
Proposal for a regulation Article 10 – paragraph 6 – subparagraph 1 When placing a product with digital elements on the market, and for the expected product lifetime
Amendment 180 #
Proposal for a regulation Article 10 – paragraph 6 – subparagraph 1 When placing a product with digital elements on the market, and for the expected product lifetime at the time of placing that product on the market or for a period of five years from the placing of the product on the market, whichever is shorter, manufacturers shall ensure that vulnerabilities of that product are handled effectively and in accordance with the essential requirements set out in Section 2
Amendment 181 #
Proposal for a regulation Article 10 – paragraph 6 – subparagraph 1 When placing a product with digital elements on the market
Amendment 182 #
Proposal for a regulation Article 10 – paragraph 6 – subparagraph 1 a (new) Manufacturers shall set out the expected product lifetime considering the reasonable expectations of consumers regarding the functionality and intended purpose of the product, and the provision of security and functionality updates.
Amendment 183 #
Proposal for a regulation Article 10 – paragraph 8 8. Manufacturers shall keep the technical documentation and the EU declaration of conformity,
Amendment 184 #
Proposal for a regulation Article 10 – paragraph 9 9. Manufacturers shall ensure that procedures are in place for products with digital elements that are part of a series of production to remain in conformity. The manufacturer shall adequately take into account changes in the development and production process or in the design or characteristics of the product with digital elements and changes in the harmonised standards, European cybersecurity certification schemes or the common specifications referred to in Article 19 by reference to which the conformity of the product with digital elements is declared or by application of which its conformity is verified. Where new knowledge, techniques, or standards become available, which were not available at the time of design of a serial product, the manufacturer may consider implementing such improvements periodically for future product generations. The manufacturer shall take into account the associated costs and efforts, including the efforts required for development, testing, validation, and approval process time.
Amendment 185 #
Proposal for a regulation Article 10 – paragraph 9 a (new) 9 a. Manufacturers shall publicly communicate and advertise the expected product lifetime of their products, in a clear and understandable manner, and in particular the minimal duration of the provision of security updates.
Amendment 186 #
Proposal for a regulation Article 10 – paragraph 10 a (new) 10 a. Manufacturers shall indicate the expected product lifetime in a clear and understandable manner. Where applicable, manufacturers shall also specify the expected product lifetime on the packaging of the product with digital elements.
Amendment 187 #
Proposal for a regulation Article 10 – paragraph 12 12. From the placing on the market and for the expected product lifetime
Amendment 188 #
Proposal for a regulation Article 10 – paragraph 12 12. From the placing on the market and for the expected product lifetime or for a period of five years after the placing on the market of a product with digital elements, whichever is shorter, manufacturers who know or have reason to believe that the product with digital elements or the processes put in place by the manufacturer
Amendment 189 #
Proposal for a regulation Article 10 – paragraph 12 12. From the placing on the market and for
Amendment 190 #
Proposal for a regulation Article 10 – paragraph 15 15. The Commission may, by means of
Amendment 191 #
Proposal for a regulation Article 10 – paragraph 15 a (new) 15 a. Manufacturers shall make publicly available communication channels such as a telephone number, electronic address or dedicated section of their website, taking into account accessibility needs for persons with disabilities, enabling users of products with digital elements to submit complaints electronically and free of charge.
Amendment 192 #
Proposal for a regulation Article 11 – paragraph 1 1. The manufacturer shall, without undue delay and in any event within 24 hours of becoming aware of it, notify to ENISA any actively exploited vulnerability contained in the product with digital elements. The notification shall include details concerning that vulnerability and, where applicable, any corrective or mitigating measures taken. ENISA shall, without undue delay, unless for justified cybersecurity risk-related grounds, forward the notification to the CSIRT designated for the purposes of coordinated vulnerability disclosure in accordance with Article [Article X] of Directive [Directive XXX/XXXX (NIS2)] of Member States concerned upon receipt and immediately inform the market surveillance authority about the notified vulnerability. Where a notified vulnerability has no corrective or mitigating measures available, ENISA shall ensure that information about the notified vulnerability is shared in line with strict security protocols and on a need-to-know-basis.
Amendment 193 #
Proposal for a regulation Article 11 – paragraph 1 1. The manufacturer shall, without undue delay and
Amendment 194 #
Proposal for a regulation Article 11 – paragraph 1 1. The manufacturer shall,
Amendment 195 #
Proposal for a regulation Article 11 – paragraph 1 1. The manufacturer shall, without undue delay and in any event within 24 hours of becoming aware of it, notify to ENISA any actively exploited vulnerability contained in the product with digital elements. The notification shall include details concerning that vulnerability and, where applicable, any corrective or mitigating measures taken and the recommended risk mitigation measures. ENISA shall, without undue delay, unless for justified cybersecurity risk-related grounds, forward the notification to the CSIRT designated for the purposes of coordinated vulnerability disclosure in accordance with Article [Article X] of Directive [Directive XXX/XXXX (NIS2)] of Member States concerned upon receipt and inform the market surveillance authority about the
Amendment 196 #
Proposal for a regulation Article 11 – paragraph 2 2. The manufacturer shall, without undue delay and in any event within 24 hours of becoming aware of it, by means of an early warning, notify
Amendment 197 #
Proposal for a regulation Article 11 – paragraph 2 2. The manufacturer shall, without undue delay and
Amendment 198 #
Proposal for a regulation Article 11 – paragraph 2 2. The manufacturer shall, without undue delay
Amendment 199 #
Proposal for a regulation Article 11 – paragraph 3 3.
Amendment 200 #
Proposal for a regulation Article 11 – paragraph 3 3. ENISA shall submit to the European cyber crisis liaison organisation network (EU-CyCLONe) established by Article [Article X] of Directive [Directive XXX/XXXX (NIS2)] information notified pursuant to paragraph
Amendment 201 #
Proposal for a regulation Article 11 – paragraph 4 4. The manufacturer shall inform, without undue delay and after becoming aware, the users of the product with digital elements about the incident and
Amendment 202 #
Proposal for a regulation Article 11 – paragraph 4 4. The manufacturer shall inform, without undue delay and after becoming aware, the users of the product with digital elements about
Amendment 203 #
Proposal for a regulation Article 11 – paragraph 4 4. The manufacturer shall inform, without undue delay and after becoming aware, the users of the product with digital elements
Amendment 204 #
Proposal for a regulation Article 11 – paragraph 4 4. The manufacturer shall inform, without undue delay and after becoming aware, the users of the product with digital elements about the incident and, where necessary, about risk mitigation and any corrective measures that the user can deploy to mitigate the impact of the incident.
Amendment 205 #
Proposal for a regulation Article 11 – paragraph 5 5. The Commission, after consulting stakeholders and CSIRTs may, by means of implementing acts, specify further the type of information, format and procedure of the notifications submitted pursuant to paragraphs 1 and 2. Those implementing acts shall be based on European and international standards, such as ISO/IEC 29147 and adopted in accordance with the examination procedure referred to in Article 51(2).
Amendment 206 #
Proposal for a regulation Article 11 – paragraph 6 6. ENISA, on the basis of the notifications received pursuant to paragraphs 1 and 2, shall prepare a biennial technical report on emerging trends regarding cybersecurity risks in products with digital elements and submit it to the Cooperation Group referred to in Article [Article X] of Directive [Directive XXX/XXXX (NIS2)]. The first such report shall be submitted within 24 months after the obligations laid down in paragraph
Amendment 207 #
Proposal for a regulation Article 11 – paragraph 6 6. ENISA, on the basis of the notifications received pursuant to paragraphs 1, 2 and
Amendment 208 #
Proposal for a regulation Article 11 – paragraph 7 7. Manufacturers shall, upon identifying a vulnerability in a component, including in an open source component, which is integrated in the product with digital elements, report the vulnerability and the corrective or mitigating measure taken, to the person or entity maintaining the component. Such corrective or mitigating measures shall be accompanied by the relevant code and appropriate licenses that allow the deployment. This does not release the manufacturer from the obligation to maintain the compliance of the product with the requirements of this Regulation, nor does it create obligations for the developers of free and open source components that have no contractual relation to the said manufacturer.
Amendment 209 #
Proposal for a regulation Article 11 a (new) Article 11 a Single point of contact for users 1. Manufacturers shall designate a single point of contact to enable users to communicate directly and rapidly with them, where applicable by electronic means and in a user-friendly manner, including by allowing recipients of the service to choose the means of communication, which shall not solely rely on automated tools. 2. In addition to the obligations provided under Directive 2000/31/EC, manufacturers shall make public the information necessary for the end users in order to easily identify and communicate with their single points of contact. That information shall be easily accessible and shall be kept up to date.
Amendment 210 #
Proposal for a regulation Article 13 – paragraph 2 – point c a (new) (c a) all the documents proving the fulfilment of the requirements set in this article have been received from the manufacturer and are available for inspection.
Amendment 211 #
Proposal for a regulation Article 13 – paragraph 6 – subparagraph 1 Importers who know or have reason to believe that a product with digital
Amendment 212 #
Proposal for a regulation Article 14 – paragraph 2 – point b a (new) (b a) they have received from the importer all the information and documentation required by this Regulation.
Amendment 213 #
Proposal for a regulation Article 16 – paragraph 1 A natural or legal person, other than the manufacturer, the importer or the
Amendment 214 #
Proposal for a regulation Article 16 – paragraph 1 A natural or legal person, other than the manufacturer, the importer or the distributor, that carries out a substantial modification of the product with digital elements and makes it available on the market shall be considered a manufacturer for the purposes of this Regulation.
Amendment 215 #
Proposal for a regulation Article 17 – paragraph 1 – introductory part 1. Economic operators shall, on request
Amendment 216 #
Proposal for a regulation Article 18 – paragraph 1 a (new) 1 a. The Commission shall, as provided in Article 10(1) of Regulation (EU) 1025/2012, request one or more European standardisation organisations to draft harmonised standards for the requirements set out in Annex I.
Amendment 217 #
Proposal for a regulation Article 18 – paragraph 2
Amendment 218 #
Proposal for a regulation Article 18 – paragraph 4
Amendment 219 #
Proposal for a regulation Article 18 – paragraph 4 a (new) 4 a. In accordance with Article 10(1) of Regulation 1025/2012, when preparing the Standardisation Request for this Regulation, the Commission shall aim for maximum harmonisation with existing or imminent international standards for cybersecurity. In the first three years following the date of application of this Regulation, the Commission is empowered to declare an existing international standard as meeting the requirements of this Regulation, without any European modifications, provided that adherence to such standards sufficiently enhances the security of products with digital elements, and provided that the standard is published as a separate version by one of the European Standardisation Organisations.
Amendment 220 #
Proposal for a regulation Article 19
Amendment 221 #
Proposal for a regulation Article 19 – paragraph 1
Amendment 222 #
Proposal for a regulation Article 20 – paragraph 2 2. The EU declaration of conformity shall have the model structure set out in Annex IV and shall contain the elements specified in the relevant conformity assessment procedures set out in Annex VI. Such a declaration shall be
Amendment 223 #
Proposal for a regulation Article 20 a (new) Article 20 a EU Declaration of Incorporation for partly completed products with digital elements 1. The EU declaration of incorporation shall be drawn up by manufacturers in accordance with Article 10(7) and state that the fulfilment of the relevant essential requirements set out in Annex I has been demonstrated. 2. The EU declaration of incorporation shall have the model structure set out in Annex IVa (new). Such a declaration shall be updated as appropriate. It shall be made available in the language or languages required by the Member State in which the partly completed product with digital elements is placed on the market or made available. 3. Where a partly completed product with digital elements is subject to more than one Union act requiring an EU declaration of incorporation, a single EU declaration of incorporation shall be drawn up in respect of all such Union acts. That declaration shall contain the identification of the Union acts concerned, including their publication references. 4. The Commission is empowered to adopt delegated acts in accordance with Article 50 to supplement this Regulation by adding elements to the minimum content of the EU declaration of incorporation as set out in Annex IVa (new) to take account of technological developments.
Amendment 224 #
Proposal for a regulation Article 22 – paragraph 1 1. The CE marking shall be affixed visibly, legibly and indelibly to the product with digital elements. Where that is not possible or not warranted on account of the
Amendment 225 #
Proposal for a regulation Article 22 – paragraph 3 3. The CE marking shall be affixed before the product with digital elements is placed on the market. It may be followed by a pictogram or any other mark indicating to consumers a special risk or use set out in implementing acts referred to in paragraph 6.
Amendment 226 #
Proposal for a regulation Article 22 – paragraph 5 5. Member States shall build upon
Amendment 227 #
Proposal for a regulation Article 22 – paragraph 6 6. The Commission may, by means of
Amendment 228 #
Proposal for a regulation Article 22 – paragraph 6 a (new) 6 a. The Commission shall present easy-to-understand guidelines for businesses on the requirements of this Regulation. When developing such guidelines, the Commission should take into consideration the needs of SMEs so as to keep administrative and financial burdens to a minimum while facilitating their compliance with this Regulation. The Commission should consult relevant stakeholders with expertise in the field of cybersecurity.
Amendment 229 #
Proposal for a regulation Article 22 – paragraph 6 a (new) 6 a. A partly completed product with digital elements shall not be marked with the CE marking under this Regulation, without prejudice to marking provisions resulting from other applicable Union legislation.
Amendment 230 #
Proposal for a regulation Article 23 – paragraph 2 2. The technical documentation shall be drawn up before the product with digital elements is placed on the market and shall be continuously updated, where appropriate, during the expected product lifetime or during a period of five years after the placing on the market of a product with digital elements, whichever is
Amendment 231 #
Proposal for a regulation Article 23 – paragraph 3 3. For products with digital elements
Amendment 232 #
Proposal for a regulation Article 23 – paragraph 5
Amendment 233 #
Proposal for a regulation Article 23 – paragraph 5 5. The Commission is empowered to adopt delegated acts in accordance with Article 50 to supplement this Regulation by the elements to be included in the technical documentation set out in Annex V to take account of technological developments, as well as developments encountered in the implementation process of this Regulation. The Commission shall strive to minimise the administrative burden for small and medium sized enterprises.
Amendment 234 #
Proposal for a regulation Article 24 – paragraph 1 – point c a (new) (c a) a European cybersecurity certification scheme adopted in accordance with Article 18(4) of Regulation (EU) 2019/881.
Amendment 235 #
Proposal for a regulation Article 24 – paragraph 2 – introductory part 2. Where, in assessing the compliance of the
Amendment 236 #
Proposal for a regulation Article 24 – paragraph 2 – point b a (new) (b a) where applicable, a European cybersecurity certification scheme at assurance level ‘substantial’ or ‘high’ pursuant to Regulation (EU) 2019/881.
Amendment 237 #
Proposal for a regulation Article 24 – paragraph 3 – introductory part 3. Where the product is a critical product with digital elements
Amendment 238 #
Proposal for a regulation Article 24 – paragraph 4 a (new) 4 a. For products to which Union harmonisation legislation based on the New Legislative Framework apply, the manufacturer shall follow the relevant conformity assessment as required under those legal acts. The requirements set out in Chapter 3 shall apply to those products.
Amendment 239 #
Proposal for a regulation Article 24 – paragraph 5 5. Notified bodies shall take into account the specific interests and needs of micro, small and medium sized enterprises (SMEs) when setting the fees for conformity assessment procedures and reduce those fees proportionately to their specific interests and needs. The Commission shall take appropriate measures to ensure more accessible and affordable procedures, such as establishing a framework for providing appropriate financial support and guidance for the notified bodies.
Amendment 240 #
Proposal for a regulation Article 24 – paragraph 5 5. Notified bodies shall take into account the specific interests and needs of small and medium sized enterprises
Amendment 241 #
Proposal for a regulation Article 24 – paragraph 5 a (new) 5 a. For products with digital elements falling within the scope of this Regulation and which are placed on the market or put into service by credit institutions regulated by Directive 2013/36/EU, the conformity assessment shall be carried out as part of the procedure referred to in Articles 97 to 101 of that Directive.
Amendment 242 #
Proposal for a regulation Article 24 a (new)
Amendment 243 #
Proposal for a regulation Article 25 – paragraph 1 Member States shall notify the Commission and the other Member States of conformity assessment bodies authorised to carry out conformity assessments in accordance with this Regulation. Member States and the Commission shall put in place appropriate measures to ensure sufficient availability of skilled professionals, in order to minimise bottlenecks in the activities pursuant to Articles 26 to 31.
Amendment 244 #
Proposal for a regulation Article 27 – paragraph 5 5. A notifying authority shall
Amendment 245 #
Proposal for a regulation Article 27 – paragraph 6 a (new) 6 a. A notifying authority shall be organised in such a way that bureaucracy and fees are kept to an absolute minimum, especially for SMEs.
Amendment 246 #
Proposal for a regulation Article 29 – paragraph 10 10. The personnel of a conformity assessment body shall observe professional secrecy with regard to all information obtained in carrying out their tasks under Annex VI or any provision of national law giving effect to it, except in relation to the market surveillance authorities of the Member State in which its activities are carried out. Proprietary rights, trade secrets and other sensitive information shall be protected. The conformity assessment body shall have documented procedures ensuring compliance with this paragraph.
Amendment 247 #
Proposal for a regulation Article 29 – paragraph 12 12. Conformity assessment bodies shall operate in accordance with a set of consistent, fair and reasonable terms and conditions, in particular taking into account the interests of SMEs in relation to fees and also respecting the confidentiality of trade secrets and proprietary information.
Amendment 248 #
Proposal for a regulation Article 29 – paragraph 12 12. Conformity assessment bodies shall operate in accordance with a set of consistent, fair and reasonable terms and conditions, in particular taking into account the interests of
Amendment 249 #
Proposal for a regulation Article 29 – paragraph 12 12. Conformity assessment bodies shall operate in accordance with a set of consistent, fair and reasonable terms and conditions in line with Article 37(2), in particular taking into account the interests of SMEs in relation to fees.
Amendment 250 #
Proposal for a regulation Article 36 – paragraph 3 3. The Commission shall ensure that all trade secrets and sensitive information obtained in the course of its investigations are treated confidentially.
Amendment 251 #
Proposal for a regulation Article 37 – paragraph 2 2. Conformity assessments shall be carried out in a proportionate manner, avoiding unnecessary burdens for economic operators, with special considerations for SMEs. Conformity assessment bodies shall perform their
Amendment 252 #
Proposal for a regulation Article 37 – paragraph 2 2. Conformity assessments shall be carried out in a proportionate manner, avoiding unnecessary burdens for economic operators. Conformity assessment bodies shall perform their activities taking due account of the size of an undertaking, the sector in which it operates, its structure, the degree of complexity and the risk exposure of the product type and technology in question and the mass or serial nature of the production process.
Amendment 253 #
Proposal for a regulation Article 39 – paragraph 1 The Commission shall provide for the organisation of exchange of experience between the Member States' national authorities responsible for notification
Amendment 254 #
Proposal for a regulation Article 40 – paragraph 1 1. The Commission shall ensure that appropriate coordination and cooperation between notified bodies are put in place in a way that reduces bureaucracy and fees, and properly operated in the form of a cross-sectoral group of notified bodies.
Amendment 255 #
Proposal for a regulation Article 40 – paragraph 2 2. Member States shall ensure that the bodies notified by them participate in the work of that group, directly or by means of designated representatives, in a way that reduces bureaucracy and fees.
Amendment 256 #
Proposal for a regulation Article 41 – paragraph 3 3. Where relevant, the market surveillance authorities shall cooperate with the national cybersecurity certification authorities designated under Article 58 of Regulation (EU) 2019/881 and exchange information on a regular basis. With respect to the supervision of the implementation of the reporting obligations pursuant to Article 11 of this Regulation, the designated market surveillance authorities shall effectively cooperate with ENISA. The market surveillance authorities may request ENISA to provide technical advice on matters related to the implementation and enforcement of this Regulation, including during investigations in accordance with Article 43.
Amendment 257 #
Proposal for a regulation Article 41 – paragraph 3 3. Where relevant, the market surveillance authorities shall cooperate with the national cybersecurity certification authorities designated under Article 58 of Regulation (EU) 2019/881 and exchange information on a regular basis.
Amendment 258 #
Proposal for a regulation Article 41 – paragraph 3 a (new) 3 a. With respect to the supervision of the implementation of the reporting obligations pursuant to Article 11 of this Regulation, the designated market surveillance authorities shall cooperate with ENISA. The market surveillance authorities may request ENISA to provide technical advice on matters related to the implementation and enforcement of this Regulation. When conducting an investigation under Article 43, market surveillance authorities may request ENISA to provide non-binding evaluations of compliance of products with digital elements.
Amendment 259 #
Proposal for a regulation Article 41 – paragraph 7 7. The Commission shall facilitate the regular and structured exchange of experience between designated market surveillance authorities, including via a dedicated administrative cooperation group (ADCO) established under paragraph 11 of this Article.
Amendment 260 #
Proposal for a regulation Article 41 – paragraph 8 8. Market surveillance authorities may provide guidance and advice to economic operators on the implementation of this Regulation, with the support of the Commission. Market surveillance authorities shall be equipped to receive complaints by consumers affected by products with digital elements if they consider that the relevant products or the practices engaged infringe this Regulation, and shall facilitate the active participation of civil society in market surveillance activities, including scientific, research and consumer organisations, by establishing a clear and accessible mechanism to facilitate reporting of vulnerabilities, incidents, and cyber threats.
Amendment 261 #
Proposal for a regulation Article 41 – paragraph 11 11. A dedicated administrative cooperation group (ADCO) shall be established for the uniform application of this Regulation,
Amendment 262 #
Proposal for a regulation Article 41 – paragraph 11 a (new) 11 a. For products with digital elements falling within the scope of this Regulation, distributed, put into service or used by financial institutions regulated by relevant Union legislation on financial services, the market surveillance authority for the purposes of this Regulation shall be the relevant authority responsible for the financial supervision of those institutions under that legislation.
Amendment 263 #
Proposal for a regulation Article 41 – paragraph 11 a (new) 11 a. Market surveillance authorities shall facilitate the active participation of stakeholders in market surveillance activities, including scientific, research and consumer organisations, by establishing a clear and accessible mechanism to facilitate the voluntary reporting of vulnerabilities, incidents, and cyber threats.
Amendment 264 #
Proposal for a regulation Article 41 a (new) Article 41 a Expert group on technical matters 1. The Commission shall establish an expert group in order to provide technical advice to the Commission and competent authorities on matters related to the implementation and enforcement of this Regulation. In particular, the expert group shall provide non-binding evaluations of products with digital elements upon request by a market surveillance authority that is conducting an investigation under Article 43 and guidance on the application of relevant concepts to software and the exclusion of free and open source software. 2. The expert group shall consist of independent experts appointed for a renewable three-year term by the Commission on the basis of their scientific or technical expertise in the field. The Commission shall appoint a number of experts which is deemed sufficient to fulfil the foreseen needs, ensuring that their professional background and affiliations result in a balanced representation of stakeholder interests, in particular open source organisations, national accreditation bodies, conformity assessment bodies pursuant to Regulation (EC) 765/2008 of the European Parliament and of the Council, data protection authorities, as well as academia and consumer organisations. 3. The Commission shall take the necessary measures to manage and prevent any conflicts of interest. The declarations of interests of the members of the expert group shall be made publicly available. 4. The appointed experts shall perform their tasks with the highest level of professionalism, independence, impartiality and objectivity. 5. When adopting positions, views and reports, the expert group shall attempt to reach consensus. If consensus cannot be reached, decisions shall be taken by a qualified majority of the group members.
Amendment 265 #
Proposal for a regulation Article 42 – paragraph 1 Where necessary to assess the conformity of products with digital elements and the processes put in place by their manufacturers with the essential requirements set out in Annex I and upon a reasoned request, the market surveillance authorities shall be granted access to the data required to assess the design, development, production and vulnerability handling of such products, including related internal documentation of the respective economic operator. Where appropriate, and in accordance with Article 52(1) point (a), this shall be in a secure, controlled environment determined by the manufacturer.
Amendment 266 #
Proposal for a regulation Article 43 – paragraph 1 – subparagraph 2 Where, in the course of that evaluation, the market surveillance authority finds that the product with digital elements does not comply with the requirements laid down in this Regulation or otherwise presents a threat to national security, it shall without delay require the relevant operator to take all appropriate corrective actions to bring the product into compliance with those requirements, to withdraw it from the market, or to recall it within a reasonable
Amendment 267 #
Proposal for a regulation Article 43 – paragraph 1 – subparagraph 2 Where, in the course of that evaluation, the market surveillance authority finds that the product with digital elements does not comply with the requirements laid down in this Regulation, it shall without delay require the relevant economic operator to take all appropriate corrective actions to bring the product into compliance with those requirements, to withdraw it from the market, or to recall it within a
Amendment 268 #
Proposal for a regulation Article 43 – paragraph 4 – subparagraph 1 Where the manufacturer of a product with digital elements does not take adequate corrective action within the period referred to in paragraph 1, second subparagraph, or the relevant Member State's authority considers the product to present a threat to national security, the market surveillance authority shall take all appropriate provisional measures to prohibit or restrict that product being made
Amendment 269 #
Proposal for a regulation Article 43 – paragraph 7 7. Where, within three months of receipt of the information referred to in paragraph 4, no objection has been raised by either a Member State or the Commission in respect of a provisional measure taken by a Member State, that measure shall be deemed justified. The decision referred to in paragraph 1, concerning a threat to national security, shall always be deemed justified. This is without prejudice to the procedural rights of the operator concerned in accordance with Article 18 of Regulation (EU) 2019/1020.
Amendment 270 #
Proposal for a regulation Article 45 – paragraph 1 1. Where the Commission has sufficient reasons to consider, including based on information provided by the competent authorities of Member States, the computer security incident response teams (CSIRTs) designated or established in accordance with Directive (EU) 2022/2555 or ENISA, that a product with digital elements that
Amendment 271 #
Proposal for a regulation Article 45 – paragraph 1 1. Where the Commission has sufficient reasons to consider, including based on information provided by ENISA, that a product with digital elements that presents a significant cybersecurity risk is non-compliant with the requirements laid down in this Regulation, it
Amendment 272 #
Proposal for a regulation Article 45 – paragraph 2 2. In exceptional circumstances which justify an immediate intervention to preserve the good functioning of the internal market and where the Commission
Amendment 273 #
Proposal for a regulation Article 45 – paragraph 2 2. In
Amendment 274 #
Proposal for a regulation Article 45 – paragraph 2 2. In
Amendment 275 #
Proposal for a regulation Article 45 – paragraph 3
Amendment 276 #
Proposal for a regulation Article 46 – paragraph 1 1. Where, having performed an evaluation under Article 43, the market surveillance authority of a Member State finds that although a product with digital elements and the processes put in place by the manufacturer are in compliance with this Regulation, they present a significant cybersecurity risk and, in addition, they pose a risk to the health or safety of persons, to the compliance with obligations under Union or national law intended to protect fundamental rights, the availability authenticity, integrity or confidentiality of services offered using an electronic information system by essential entities of the type referred to in [Annex I to Directive XXX / XXXX (NIS2)] or to other aspects of public interest protection, it shall require the relevant economic operator to take all appropriate measures to ensure that the product with digital elements and the processes put in place by the manufacturer concerned, when placed on the market, no longer present that risk, to withdraw the product with digital elements from the market or to recall it within a
Amendment 277 #
Proposal for a regulation Article 46 – paragraph 2 2. The manufacturer or other relevant economic operators shall ensure that corrective action is taken in respect of the products with digital elements concerned that they have made available on the market throughout the Union within the timeline established by the market surveillance authority of the Member State referred to in paragraph 1.
Amendment 278 #
Proposal for a regulation Article 46 – paragraph 6 6. Where the Commission has sufficient reasons to consider, including based on information provided by ENISA, that a product with digital elements, although compliant with this Regulation, presents the risks referred to in paragraph 1, it
Amendment 279 #
Proposal for a regulation Article 46 – paragraph 7 7. In
Amendment 280 #
Proposal for a regulation Article 46 – paragraph 8 8. Based on ENISA’s evaluation referred to in paragraph 7, the Commission
Amendment 281 #
Proposal for a regulation Article 48 – paragraph 2 2. The Commission or ENISA
Amendment 282 #
Proposal for a regulation Article 48 – paragraph 2 2. The Commission or ENISA
Amendment 283 #
Proposal for a regulation Article 49 – paragraph 1 1. Market surveillance authorities
Amendment 284 #
Proposal for a regulation Article 49 – paragraph 2 2. Unless otherwise agreed upon by the market surveillance authorities involved, sweeps shall be coordinated by the Commission. The coordinator of the sweep
Amendment 285 #
Proposal for a regulation Article 49 – paragraph 3 3. ENISA
Amendment 286 #
Proposal for a regulation Article 49 – paragraph 4 4. When conducting sweeps, the market surveillance authorities involved
Amendment 287 #
Proposal for a regulation Article 49 – paragraph 5 5. Market surveillance authorities
Amendment 288 #
Proposal for a regulation Article 49 a (new)
Amendment 289 #
Proposal for a regulation Article 52 – paragraph 1 – point a (a) intellectual property rights
Amendment 290 #
Proposal for a regulation Article 53 – paragraph 3 3. The non-compliance with the essential cybersecurity requirements laid down in Annex I and the obligations set out in Articles 10 and 11 shall be subject to administrative fines of up to
Amendment 291 #
Proposal for a regulation Article 53 – paragraph 4 4. The non-compliance with any other obligations under this Regulation shall be subject to administrative fines of up to 1
Amendment 292 #
Proposal for a regulation Article 53 – paragraph 6 – point a a (new) (a a) the type of manufactured product and whether the entity qualifies as a microenterprise for the specific compliance regime outlined in Article 10(-1) of this Regulation.
Amendment 293 #
Proposal for a regulation Article 53 – paragraph 6 – point c (c) the size and market share of the operator committing the infringement
Amendment 294 #
Proposal for a regulation Chapter VII a (new) CHAPTER VIIa MEASURES IN SUPPORT OF INNOVATION: Article 53a Regulatory sandboxes 1. The Commission and ENISA shall establish a European regulatory sandbox with voluntary participation of manufacturers of products with digital elements to: (a) provide for a controlled environment that facilitates the development, testing and validation of the design, development and production of products with digital elements, before their placement on the market or putting into service pursuant to a specific plan; (b) provide practical support to economic operators, including via guidelines and best practices to comply with the essential requirements set out in Annex I; (c) contribute to evidence-based regulatory learning.
Amendment 295 #
Proposal for a regulation Article 54 a (new) Article 54 a Amendment to Directive 2020/1828/EC In Annex I to Directive 2020/1828/EC the following point is added: ‘67. [Regulation XXX][Cyber Resilience Act]’.
Amendment 296 #
Proposal for a regulation Article 55 – paragraph 1 1. EU type-examination certificates and approval decisions issued regarding cybersecurity requirements for products with digital elements that are subject to other Union harmonisation legislation shall remain valid until [42 months after the date of entry into force of this Regulation], unless they expire
Amendment 297 #
Proposal for a regulation Article 55 – paragraph 3 a (new) 3 a. By way of derogation, for products with digital elements falling in scope of Regulation [Machinery Regulation proposal] or Regulation (EU) 167/2013 of the European Parliament and of the Council, the application date referred to in Article 57 is extended by [36 months].
Amendment 298 #
Proposal for a regulation Article 55 – paragraph 3 b (new) 3 b. By way of derogation, for products with digital elements falling in scope of Regulation [Machinery Regulation proposal] or Regulation 2013/167, where the annual new sales in the EU of each type are fewer than [1000] units, the application date referred to in Article 57 is extended by [60 months].
Amendment 299 #
Proposal for a regulation Article 57 – paragraph 2 It shall apply from [
Amendment 300 #
Proposal for a regulation Article 57 – paragraph 2 It shall apply from
Amendment 301 #
Proposal for a regulation Article 57 – paragraph 2 It shall apply from
Amendment 302 #
Proposal for a regulation Article 57 – paragraph 2 It shall apply from [
Amendment 303 #
Proposal for a regulation Annex I – Part 1 – point 2 (2) Products with digital elements shall be delivered without any known critical or high severity exploitable vulnerabilities;
Amendment 304 #
Proposal for a regulation Annex I – Part 1 – point 2 (2) Products with digital elements shall be delivered
Amendment 305 #
Proposal for a regulation Annex I – Part 1 – point 3 – introductory part (3) On the basis of the cybersecurity risk assessment referred to in Article 10(2) and where applicable, products with digital elements
Amendment 306 #
Proposal for a regulation Annex I – Part 1 – point 3 – point a (a) be delivered with a secure by default configuration
Amendment 307 #
Proposal for a regulation Annex I – Part 1 – point 3 – point a (a) be delivered with a secure by default configuration, including the possibility to reset the product to its
Amendment 308 #
Proposal for a regulation Annex I – Part 1 – point 3 – point a a (new) (a a) be placed on the market with functional separation of security updates from functionality updates, to allow automatic installation of security updates, with a clear and easy-to-use opt-out mechanism, and preserve user choice on functionalities unless technically unfeasible;
Amendment 309 #
Proposal for a regulation Annex I – Part 1 – point 3 – point c (c) protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypti
Amendment 310 #
Proposal for a regulation Annex I – Part 1 – point 3 – point c (c) protect the confidentiality of stored, transmitted or otherwise processed data, personal or other,
Amendment 311 #
Proposal for a regulation Annex I – Part 1 – point 3 – point d (d) protect the integrity of stored, transmitted or otherwise processed data, personal or other, commands, programs and configuration against any manipulation or modification not authorised by the user, as well as report on corruptions or possible unauthorised access;
Amendment 312 #
Proposal for a regulation Annex I – Part 1 – point 3 – point f (f) protect the availability of essential and basic functions, including the resilience against and mitigation of denial of service attacks;
Amendment 313 #
Proposal for a regulation Annex I – Part 1 – point 3 – point i (i) be designed, developed and produced to reduce the impact of a
Amendment 314 #
Proposal for a regulation Annex I – Part 1 – point 3 – point j (j) provide security related information by providing at user request recording and/or monitoring capabilities, locally and at device level for relevant internal activity, including the access to or modification of data, services or functions;
Amendment 315 #
Proposal for a regulation Annex I – Part 1 – point 3 – point k (k) ensure that vulnerabilities can be addressed through security updates, including, where applicable, separate from functionality updates and through automatic updates and the notification of available updates to users.
Amendment 316 #
Proposal for a regulation Annex I – Part 1 – point 3 – point k (k) ensure that vulnerabilities can be addressed through
Amendment 317 #
Proposal for a regulation Annex I – Part 1 – point 3 – point k a (new) (k a) be designed, developed and produced in order to allow for its secure discontinuation and potential recycling when reaching the end of the life cycle, including by allowing users to securely withdraw and remove all data on a permanent basis;
Amendment 318 #
Proposal for a regulation Annex I – Part 2 – paragraph 1 – point 2 (2) in relation to the risks posed to the products with digital elements, address and remediate critical and high vulnerabilities without delay, including by providing security updates or document the reasons for not remediating the vulnerability;
Amendment 319 #
Proposal for a regulation Annex I – Part 2 – paragraph 1 – point 4 (4) once a security update has been made available, publicly or according to industry best practice disclose information about fixed known vulnerabilities, including a description of the vulnerabilities, information allowing users to identify the product with digital elements affected, the impacts of the vulnerabilities, their severity and information helping users to remediate the vulnerabilities;
Amendment 320 #
Proposal for a regulation Annex I – Part 2 – paragraph 1 – point 4 (4) once a security update has been made available, publicly disclose information about fixed vulnerabilities, including a description of the vulnerabilities, information allowing users to identify the product with digital elements affected, the impacts of the vulnerabilities, their severity and clear and accessible information helping users to remediate the vulnerabilities;
Amendment 321 #
Proposal for a regulation Annex I – Part 2 – paragraph 1 – point 4 a (new) (4 a) Information regarding fixes and vulnerabilities is shared and disclosed in a controlled way, respecting principles of ‘harm reduction’ and trade secrets through responsible disclosure of vulnerabilities to the actors who can act to mitigate the vulnerability, and that it is not made publicly available to avoid the risk of inadvertently informing potential attackers;
Amendment 322 #
Proposal for a regulation Annex I – Part 2 – paragraph 1 – point 7 (7) provide for mechanisms to securely distribute security updates for products with digital elements to ensure that exploitable vulnerabilities are fixed or mitigated in a timely manner;
Amendment 323 #
Proposal for a regulation Annex I – Part 2 – paragraph 1 – point 8 (8) ensure that, where security patches or updates
Amendment 324 #
Proposal for a regulation Annex II – paragraph 1 – point 2 2. the single point of contact where
Amendment 325 #
Proposal for a regulation Annex II – paragraph 1 – point 6 6. if and, where applicable, where the software bill of materials can be accessed by the competent authorities;
Amendment 326 #
Proposal for a regulation Annex II – paragraph 1 – point 6 6.
Amendment 327 #
Proposal for a regulation Annex II – paragraph 1 – point 8 8. the type of technical security support offered by the manufacturer and until when it will be provided
Amendment 328 #
Proposal for a regulation Annex II – paragraph 1 – point 8 a (new) 8 a. the expected product lifetime end-date, clearly displaying, where applicable, on the packaging of the product, until when the manufacturer shall ensure the effective handling of vulnerabilities and provision of security updates;
Amendment 329 #
Proposal for a regulation Annex II – paragraph 1 – point 9 – point a
Amendment 330 #
Proposal for a regulation Annex II – paragraph 1 – point 9 – point b
Amendment 331 #
Proposal for a regulation Annex II – paragraph 1 – point 9 – point c a (new) (c a) the expected product lifetime and until when the manufacturer ensures the effective handling of vulnerabilities and provision of security updates;
Amendment 332 #
Proposal for a regulation Annex II – paragraph 1 – point 9 – point d
Amendment 333 #
Proposal for a regulation Annex III – Part I – point 3 a (new) 3 a. Authentication, Authorization and Accounting (AAA) platforms;
Amendment 334 #
Proposal for a regulation Annex III – Part I – point 15 15. Physical and virtual network interfaces;
Amendment 335 #
Proposal for a regulation Annex III – Part I – point 18
Amendment 336 #
Proposal for a regulation Annex III – Part I – point 23 23. Industrial products with digital elements that can be referred to as part of the Internet of Things not covered by class II.
Amendment 337 #
Proposal for a regulation Annex III – Part II – point 4 4. Firewalls, security gateways, intrusion detection and/or prevention systems intended for industrial use
Amendment 338 #
Proposal for a regulation Annex III – Part II – point 7 7. Routers, modems intended for the connection to the internet,
Amendment 339 #
Proposal for a regulation Annex III – Part II – point 15 a (new) 15 a. Smart home products, including smart home servers and virtual assistants;
Amendment 340 #
Proposal for a regulation Annex III – Part II – point 15 b (new) 15 b. Smart security devices, including smart door locks, cameras and alarm systems;
Amendment 341 #
Proposal for a regulation Annex III – Part II – point 15 c (new) 15 c. Smart toys and similar devices likely to interact with children;
Amendment 342 #
Proposal for a regulation Annex III – Part II – point 15 d (new) 15 d. Personal health appliances and wearables.
Amendment 343 #
Proposal for a regulation Annex V – paragraph 1 – point 1 – point a
Amendment 344 #
Proposal for a regulation Annex V – paragraph 1 – point 2
Amendment 345 #
Proposal for a regulation Annex V – paragraph 1 – point 2 – point a
Amendment 346 #
Proposal for a regulation Annex V – paragraph 1 – point 3 3. a
Amendment 347 #
Proposal for a regulation Annex V – paragraph 1 – point 3 3. a
Amendment 57 #
Proposal for a regulation Recital 7 (7) Under certain conditions, all products with digital elements integrated in or connected to a larger electronic information system can serve as an attack vector for malicious actors. As a result, even hardware and software considered as less critical can facilitate the initial compromise of a device or network, enabling malicious actors to gain privileged access to a system or move laterally across systems. Manufacturers should therefore ensure that all
Amendment 58 #
Proposal for a regulation Recital 7 a (new) (7 a) This Regulation should not apply to the internal networks of a product with digital elements if these networks have dedicated endpoints and are secured from external data connection.
Amendment 59 #
Proposal for a regulation Recital 7 b (new) (7 b) This Regulation should not apply to spare parts intended solely to replace defective parts of products with digital elements, in order to restore their functionality.
Amendment 60 #
Proposal for a regulation Recital 9 (9) This Regulation ensures a high level of cybersecurity of products with digital elements
Amendment 61 #
Proposal for a regulation Recital 9 (9) This Regulation ensures a high level of cybersecurity of products with digital elements. It does not regulate services,
Amendment 62 #
Proposal for a regulation Recital 9 a (new) (9 a) Software and data that are openly shared and where users can freely access, use, modify and redistribute them or modified versions thereof, can contribute to research and innovation in the market. Research by the Commission also shows that free and open-source software can contribute between €65 billion and €95 billion to the Union's GDP and that it can provide significant growth opportunities for the European economy. Users are allowed to run, copy, distribute, study, change and improve software and data, including models, by way of free and open-source licences. To foster the development and deployment of free and open source software, especially by SMEs, start-ups, non-profits, academic research but also by individuals, this Regulation should not apply to such free and open-source software components, except in very specific cases. We must take into account the fact that different development models of software distributed and developed under public licences exist, having a wide range of different roles in such development models. Developers of free and open-source software components should not be mandated under this Regulation to comply with requirements targeting the product value chain and, in particular, not towards the manufacturer that has used that free and open-source software component in a commercial product. Developers of free and open-source software components, as well as all manufacturers that are not subject to stricter compliance rules, should however be encouraged to implement the provisions of Annex I, as a way to increase security, allowing the promotion of trustworthy products with digital elements in the Union.
Amendment 63 #
Proposal for a regulation Recital 10 (10)
Amendment 64 #
Proposal for a regulation Recital 10 (10) In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. In the context of software, a commercial activity might be characterised not only by charging a price for a product, but also by charging a price for technical support services, by providing a software platform through which the manufacturer monetises other services, or by the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software. Nonetheless, in order to ensure that individual or micro developers of software as defined in Commission Recommendation 2003/361/EC do not face major financial obstacles and are not discouraged from testing the proof of concept as well as the business case on the market, these entities shall be required to make best efforts in order to comply with the requirements in this proposal during the 18 months from placing a software on the market. This special regime will prevent the chilling effect that high compliance and entry costs could have on entrepreneurs or skilled individuals who consider developing software in the Union.
Amendment 65 #
Proposal for a regulation Recital 10 (10)
Amendment 66 #
Proposal for a regulation Recital 10 (10)
Amendment 67 #
Proposal for a regulation Recital 10 a (new) (10 a) Due to the permissive nature of open-source licences, open-source software can be used as a component in products without need for the consent or knowledge of the original author, allowing manufacturers to build new products and services quickly; however, open-source software developers are not compensated for this use and often work on the software in their free time. Therefore, when a manufacturer uses open-source software as a component in a product, they should be subject to the obligations of manufacturers for that component, unless otherwise agreed through the provision of commercial technical support either by the developer or a third party.
Amendment 68 #
Proposal for a regulation Recital 10 a (new) (10 a) Free and open-source software is developed, maintained, and distributed via online platforms. In contrast to app stores that make products available, these entities play an important research and development role. As such, package managers, code hosting, and collaboration platforms do not make software products available on the market as distributors within this Regulation.
Amendment 69 #
Proposal for a regulation Recital 10 b (new) (10 b) Public open-source code and software repositories allow developers to access a wide range of resources for software development, and allow for developers to share their code with the wider open-source community. These repositories operate as a public good, and therefore should not be considered as providers, manufacturers, importers or distributors, nor should their activity be considered as commercial within the meaning of this Regulation.
Amendment 70 #
Proposal for a regulation Recital 11 a (new) (11 a) According to the WTO Agreement on Technical Barriers to Trade, when technical regulations are necessary and relevant international standards exist, WTO Members should use those standards as the basis for their own technical regulations. It is important to avoid duplication of work among standardisation organisations, as international standards are intended to facilitate the harmonisation of national and regional technical regulations and standards, thereby reducing non-tariff technical barriers to trade. Given that cybersecurity is a global issue, the Union should strive for maximum alignment. To achieve this objective, the standardisation request for this Regulation, as set out in Article 10 of Regulation 1025/2012, should seek to reduce barriers to the acceptance of standards by publishing their references in the Official Journal of the EU, in accordance with Article 10(6) of Regulation 1025/2012.
Amendment 71 #
Proposal for a regulation Recital 11 b (new) (11 b) Considering the broad scope of this Regulation, the timely development of harmonised standards poses a significant challenge. To enhance the security of products with digital components in the Union market as soon as possible, the Commission should be empowered for a limited time to declare existing international standards for cybersecurity of products as satisfying the requirements of this Regulation. These standards should be published as standards providing presumption of conformity.
Amendment 72 #
Proposal for a regulation Recital 13 a (new) (13 a) Agricultural and forestry vehicles in scope of Regulation (EU) 167/2013 of the European Parliament and of the Council also fall within the scope of this Regulation. In order to avoid regulatory overlaps, additional cybersecurity requirements in future amendments of Regulation (EU) 167/2013 should not be foreseen.
Amendment 73 #
Proposal for a regulation Recital 16 a (new) (16 a) Without prejudice to the rules set out in Directive 85/374/EEC, manufacturers should also be liable for the damages suffered by consumers that are caused by their infringement of the legal obligations and cybersecurity requirements set out in this Regulation. Such compensation should be in accordance with the rules and procedures set out in the applicable national law and without prejudice to other possibilities for redress available under consumer protection rules.
Amendment 74 #
Proposal for a regulation Recital 19 (19) Certain tasks provided for in this Regulation should be carried out by ENISA, in accordance with Article 3(2) of Regulation (EU) 2019/881. In particular, ENISA should receive notifications from manufacturers of actively exploited vulnerabilities contained in products with digital elements, as well as incidents having an impact on the security of those products. ENISA should also forward these notifications to the relevant Computer Security Incident Response Teams (CSIRTs) or, respectively, to the relevant single points of contact of the Member States designated in accordance with Article [Article X] of Directive [Directive XXX / XXXX (NIS2)], and inform the relevant market surveillance authorities about the notified vulnerability. On the basis of the information it gathers, ENISA should prepare a biennial technical report on emerging trends regarding cybersecurity risks in products with digital elements and submit it to the Cooperation Group referred to in Directive [Directive XXX / XXXX (NIS2)]. Furthermore, considering its expertise and mandate, ENISA should be able to support the process for implementation of this Regulation. In particular, it should be able to propose joint activities to be conducted by market surveillance authorities based on indications or information regarding potential non-compliance with this Regulation of products with digital elements across several Member States or identify categories of products for which simultaneous coordinated control actions should be organised. In exceptional
Amendment 75 #
Proposal for a regulation Recital 19 (19) Certain tasks provided for in this Regulation should be carried out by
Amendment 76 #
Proposal for a regulation Recital 20 (20) Products with digital elements should bear the CE marking to visibly, legibly and indelibly indicate their conformity with this Regulation so that they can move freely within the internal market. Member States should not create unjustified obstacles to the placing
Amendment 77 #
Proposal for a regulation Recital 22 (22) In order to ensure that products with digital elements, when placed on the market, do not pose cybersecurity risks to persons and organisations, essential requirements should be set out for such products. When the products are subsequently modified, by physical or digital means, in a way that
Amendment 78 #
Proposal for a regulation Recital 22 (22) In order to ensure that products with digital elements, when placed on the market, do not pose cybersecurity risks to persons and organisations, essential requirements should be set out for such products. When the products are subsequently modified, by physical or digital means, in a way that is not foreseen by the manufacturer and that may imply that they no longer meet the relevant essential requirements, the modification should be considered as substantial. For example, software updates or repairs could be assimilated to maintenance operations provided that they do not modify a product already placed on the market in such a way that compliance with the applicable requirements may be affected
Amendment 79 #
Proposal for a regulation Recital 22 (22) In order to ensure that products with digital elements, when placed on the market, do not pose cybersecurity risks to persons and organisations, essential requirements should be set out for such products. When the products are subsequently modified, by physical or digital means, in a way that is not foreseen by the manufacturer and that may imply that they no longer meet the relevant essential requirements, the modification should be considered as substantial. For example, software updates or repairs such as minor adjustment of the source code that can improve the security and functioning, could be assimilated to maintenance operations provided that they do not modify a product already placed on the market in such a way that compliance with the applicable requirements may be affected, or that the intended use for which the product has been assessed may be changed. As is the case for physical repairs or modifications, a product with digital elements should be considered as substantially modified by a software change where the software update modifies the original intended functions, type or performance of the product and these changes were not foreseen in the initial risk assessment, or the nature of the hazard has changed or the level of risk has increased because of the software update.
Amendment 80 #
Proposal for a regulation Recital 23 (23) In line with the commonly established notion of substantial modification for products regulated by Union harmonisation legislation, whenever a substantial modification occurs that may affect the compliance of a product with this Regulation or when the intended purpose of that product changes, it is appropriate that the compliance of the product with digital elements is verified and that, where applicable,
Amendment 81 #
Proposal for a regulation Recital 23 (23) In line with the commonly established notion of substantial modification for products regulated by Union harmonisation legislation, whenever a substantial modification occurs that may affect the compliance of a product with this Regulation
Amendment 82 #
Proposal for a regulation Recital 24 a (new) (24 a) Manufacturers of products with digital elements should ensure that software updates are provided in a clear and transparent way and clearly differentiate between security and functionality updates. Whilst security updates are designed to decrease the level of risk of a product with digital elements, the uptake of functionality updates provided by the manufacturer should always remain a user choice. Manufacturers should therefore provide these updates separately, unless technically unfeasible. Manufacturers should provide consumers with adequate information on the reasons behind each update and its foreseen impact on the product, as well as a clear and easy-to-use opt-out mechanism.
Amendment 83 #
Proposal for a regulation Recital 24 a (new) (24 a) Manufacturers should clearly differentiate between security and functionality updates, and ensure that they are provided separately in a clear and transparent way. Manufacturers should therefore provide these updates separately, unless technically unfeasible. Manufacturers should provide consumers with adequate information on the motive behind each update and its foreseen impact on the product, as well as a clear and easy-to-use opt-out mechanism.
Amendment 84 #
Proposal for a regulation Recital 25 (25) Products with digital elements should be considered critical if the negative impact of the exploitation of potential cybersecurity vulnerabilities in the product can be severe due to, amongst others, the cybersecurity-related functionality,
Amendment 85 #
Proposal for a regulation Recital 25 (25) Products with digital elements should be considered critical if the negative impact of the exploitation of potential cybersecurity vulnerabilities in the product can be severe due to, amongst others, the cybersecurity-related functionality,
Amendment 86 #
Proposal for a regulation Recital 26 (26) Critical products with digital elements should be subject to stricter conformity assessment procedures, while keeping a proportionate approach. For this purpose, critical products with digital elements should be divided into two classes, reflecting the level of cybersecurity risk linked to these categories of products. A potential cyber incident involving products in class II might lead to greater negative impacts than an incident involving products in class I, for instance due to the nature of their cybersecurity-related function or intended use in
Amendment 87 #
Proposal for a regulation Recital 28 (28) This Regulation addresses cybersecurity risks in a targeted manner. Products with digital elements might, however, pose other safety risks, that are not always related to cybersecurity but can be a consequence of a security breach. Those risks should continue to be regulated by other relevant Union product legislation as a rule if a higher level of protection is conferred. If not, safety risks in connection with the cybersecurity functions of products with digital elements should fall within the scope of this Regulation. If no other Union harmonisation legislation is applicable, they should be subject to Regulation [General Product Safety Regulation]. Therefore, in light of the targeted nature of this Regulation, as a derogation from Article 2(1), third subparagraph, point (b), of Regulation [General Product Safety Regulation], Chapter III, Section 1, Chapters V and VII, and Chapters IX to XI of Regulation [General Product Safety Regulation] should apply to products with digital elements with respect to safety risks not covered by this Regulation, if those products are not subject to specific requirements imposed by other Union harmonisation legislation within the meaning of [Article 3, point (25) of the General Product Safety Regulation].
Amendment 88 #
Proposal for a regulation Recital 28 (28) This Regulation addresses cybersecurity risks in a targeted manner
Amendment 89 #
Proposal for a regulation Recital 29 (29) Products with digital elements classified as high-risk AI systems according to Article 6 of Regulation [the AI Regulation] which fall within the scope of this Regulation should comply with the essential requirements set out in this Regulation. When those high-risk AI systems fulfil the essential requirements of this Regulation, they should be deemed compliant with the cybersecurity requirements set out in Article [Article 15] of Regulation [the AI Regulation] in so far as those requirements are covered by the EU declaration of conformity or parts thereof issued under this Regulation. As regards the conformity assessment procedures relating to the essential cybersecurity requirements of a product with digital elements covered by this Regulation and classified as a high-risk AI system, the relevant provisions of Article 43 of Regulation [the AI Regulation] should apply as a rule instead of the respective provisions of this Regulation.
Amendment 90 #
Proposal for a regulation Recital 30
Amendment 91 #
Proposal for a regulation Recital 30 (30) The machinery products falling within the scope of Regulation [Machinery Regulation proposal] which are products with digital elements within the meaning of this Regulation and for which a declaration of conformity has been issued on the basis of this Regulation should be deemed to be in conformity with the essential health and safety requirements set out in [Annex III, sections 1.1.9 and 1.2.1] of the Regulation [Machinery Regulation proposal], as regards protection against corruption and safety and reliability of control systems in so far as the compliance with those requirements is demonstrated by the EU declaration of conformity issued under this Regulation without prejudice to products with digital elements, which are also machinery products that fall within the categories listed in Annex I of Regulation [Machinery Regulation proposal], being subject to the specific conformity assessment procedure as required by Article 21(2) and (3) of Regulation [Machinery Regulation proposal].
Amendment 92 #
Proposal for a regulation Recital 31 (31) Regulation [European Health Data Space Regulation proposal] complements the essential requirements laid down in this Regulation. The electronic health record systems (‘EHR systems’) falling under the scope of Regulation [European Health Data Space Regulation proposal] which are products with digital elements within the meaning of this Regulation should therefore also comply with the essential requirements set out in this Regulation
Amendment 93 #
Proposal for a regulation Recital 32 (32) In order to ensure that products with digital elements are secure both at the time of their placing on the market as well as throughout their life-cycle, it is necessary to lay down essential requirements for vulnerability handling and essential cybersecurity requirements relating to the properties of products with digital elements. While manufacturers should comply with all essential requirements related to vulnerability handling
Amendment 94 #
Proposal for a regulation Recital 32 (32) In order to ensure that products with digital elements are secure both at the time of their placing on the market as well as throughout their life-cycle, it is necessary to lay down essential requirements for vulnerability handling and essential cybersecurity requirements relating to the properties of products with digital elements. While manufacturers should comply with all essential requirements related to vulnerability handling and ensure that all their products are delivered without any known exploitable vulnerabilities, they should determine which other essential requirements related to the product properties are relevant for the concerned type of product. For this purpose, manufacturers should undertake an assessment of the cybersecurity risks associated with a product with digital elements to identify relevant risks and relevant essential requirements and in order to appropriately apply suitable harmonised standards
Amendment 95 #
Proposal for a regulation Recital 32 a (new) (32 a) In order to ensure the products are designed, developed and produced in line with essential requirements foreseen in Section 1 of Annex I, manufacturers should exercise due diligence when integrating components sourced from third parties in products with digital elements. Given that such components are tailored to and integrated taking into account the specificities of the product, in particular in the case of free and open source software that has not been placed on the market in exchange for financial or other types of monetisation, the manufacturer of the product shall be responsible for ensuring its compliance.
Amendment 96 #
Proposal for a regulation Recital 34
Amendment 97 #
Proposal for a regulation Recital 34 a (new) (34 a) ENISA should be responsible for publishing and maintaining a database of known exploited vulnerabilities. Manufacturers should monitor the database and notify vulnerabilities found in their products.
Amendment 98 #
Proposal for a regulation Recital 35
Amendment 99 #
Proposal for a regulation Recital 35 (35) Manufacturers should also report to ENISA any incident having an impact on the security of the product with digital
source: 746.662