41 Amendments of Carlos ZORRINHO related to 2022/0272(COD)
Amendment 125 #
Proposal for a regulation
Recital 1
(1) Cybersecurity is a key challenge for the European Union as the diffusion of products with digital elements is constantly rising. In this regard, cyberattacks are a matter of public interest as they can have a critical impact not only on the economy but also on consumers' safety and health. It is therefore necessary to address cyber resilience at Union level and improve the functioning of the internal market by laying down a uniform legal framework for essential cybersecurity requirements for placing products with digital elements on the Union market. Two major problems adding costs for users and society should be addressed: a low level of cybersecurity of products with digital elements, reflected by widespread vulnerabilities and the insufficient and inconsistent provision of security updates to address them, and an insufficient understanding of and access to information by users, preventing them from choosing products with adequate cybersecurity properties or using them in a secure manner.
Amendment 126 #
Proposal for a regulation
Recital 4
(4) While the existing Union legislation applies to certain products with digital elements, there is no horizontal Union regulatory framework establishing comprehensive cybersecurity requirements for all products with digital elements. The various acts and initiatives taken thus far at Union and national levels only partially address the identified cybersecurity-related problems and risks, creating a legislative patchwork within the internal market, increasing legal uncertainty for both manufacturers and users of those products and adding an unnecessary burden on companies to comply with a number of requirements for similar types of products. The cybersecurity of these products has a particularly strong cross-border dimension, as products manufactured in one country are often used by organisations and consumers across the entire internal market. This makes it necessary to regulate the field at Union level. The Union regulatory landscape should be harmonised by introducing cybersecurity requirements for products with digital elements. In addition, certainty for operators and users should be ensured across the Union, as well as a better harmonisation of the single market, proportionality for micro, small and medium sized enterprises, thus creating more viable conditions for operators aiming at entering the Union market.
Amendment 135 #
Proposal for a regulation
Recital 10
(10) As a crucial tool for innovation and research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. In the context of software, a commercial activity might be characterized by: charging a price for a product; charging a price for technical support services, when this does not serve only the recuperation of actual costs; providing a software platform through which the manufacturer monetises other services; the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software. The circumstances under which the product has been developed, or how the development has been financed, should not be taken into account when determining the commercial or non-commercial nature of that activity. When free and open-source software, supplied outside of the course of a commercial activity, is integrated into a final product with digital elements made available on the market, the economic operator that has placed the relevant product on the market shall be responsible for the compliance both of the product and of the integrated open-source software, according to this Regulation.
Amendment 142 #
Proposal for a regulation
Recital 10 a (new)
(10a) The lack of professional skills in the field of cybersecurity is a key issue to be tackled for the successful application of this Regulation. Therefore, in line with the European Commission Communication "Closing the cybersecurity talent gap to boost the EU's competitiveness, growth and resilience ('The Cybersecurity Skills Academy')", specific measures both at EU and Member State level should be put in place to assess the state and the evolution of the cybersecurity labour market and to create a single point of entry and synergies for cybersecurity education and training offers, with the aim of establishing a common EU approach to cybersecurity training.
Amendment 144 #
Proposal for a regulation
Recital 14 a (new)
(14a) This Regulation should not apply to spare parts that are exclusively manufactured in order to repair and update products with digital elements that have been placed on the market before the application date of this Regulation.
Amendment 146 #
Proposal for a regulation
Recital 19
(19) Certain tasks provided for in this Regulation should be carried out by ENISA, in accordance with Article 3(2) of Regulation (EU) 2019/881. In particular, ENISA should receive notifications from manufacturers of actively exploited vulnerabilities contained in products with digital elements, as well as incidents having an impact on the security of those products. ENISA should also forward these notifications to the relevant Computer Security Incident Response Teams (CSIRTs) or, respectively, to the relevant single points of contact of the Member States designated in accordance with Article [Article X] of Directive [Directive XXX / XXXX (NIS2)], and inform the relevant market surveillance authorities about the notified vulnerability. ENISA should ensure the confidentiality of these notifications with particular regard to vulnerabilities for which a security update is not yet available. On the basis of the information it gathers, ENISA should prepare a biennial technical report on emerging trends regarding cybersecurity risks in products with digital elements and submit it to the Cooperation Group referred to in Directive [Directive XXX / XXXX (NIS2)]. Furthermore, considering its expertise and mandate, ENISA should be able to support the process for implementation of this Regulation. In particular, it should be able to propose joint activities to be conducted by market surveillance authorities based on indications or information regarding potential non-compliance with this Regulation of products with digital elements across several Member States or identify categories of products for which simultaneous coordinated control actions should be organised. In exceptional circumstances, at the request of the Commission, ENISA should be able to conduct evaluations in respect of specific products with digital elements that present a significant cybersecurity risk, where an immediate intervention is required to preserve the good functioning of the internal market.
Amendment 174 #
Proposal for a regulation
Recital 38
(38) In order to facilitate assessment of conformity with the requirements laid down by this Regulation, there should be a presumption of conformity for products with digital elements which are in conformity with harmonised horizontal or domain specific standards, which translate the essential requirements of this Regulation into detailed technical specifications, and which are adopted in accordance with Regulation (EU) No 1025/2012 of the European Parliament and of the Council (29). Regulation (EU) No 1025/2012 provides for a procedure for objections to harmonised standards where those standards do not entirely satisfy the requirements of this Regulation.
_________________
(29) Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council Decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12).
Amendment 180 #
Proposal for a regulation
Recital 41
(41) Where no harmonised standards are adopted, and after taking into due consideration widely accepted international standards, or where the harmonised standards do not sufficiently address the essential requirements of this Regulation, the Commission should be able to adopt common specifications by means of delegated acts. Reasons for developing such common specifications, instead of relying on harmonised standards, might include a refusal of the standardisation request by any of the European standardisation organisations, undue delays in the establishment of appropriate harmonised standards, or a lack of compliance of developed standards with the requirements of this Regulation or with a request of the Commission. In order to facilitate assessment of conformity with the essential requirements laid down by this Regulation, there should be a presumption of conformity for products with digital elements that are in conformity with the common specifications adopted by the Commission according to this Regulation for the purpose of expressing detailed technical specifications of those requirements.
Amendment 183 #
Proposal for a regulation
Recital 53
(53) In the interests of competitiveness, it is crucial that notified bodies apply the conformity assessment procedures without creating unnecessary burden for economic operators, in particular for micro, small and medium sized enterprises. In this regard, Member States, with the support of the Commission, should ensure that there is an adequate availability of cybersecurity-skilled professionals in order to ensure that notified bodies can carry out their activities efficiently, thus facilitating economic operators' compliance with this Regulation. For the same reason, and to ensure equal treatment of economic operators, consistency in the technical application of the conformity assessment procedures needs to be ensured. That should be best achieved through appropriate coordination and cooperation between notified bodies.
Amendment 187 #
Proposal for a regulation
Recital 57 a (new)
(57a) In this framework, in order to provide updated information on the cyber security of critical products with digital elements, as defined in Annex III, the Commission should consider the adoption of measures aimed at informing the market on products that, according to Article 10 (6) of this Regulation, will not receive any further cyber security management.
Amendment 188 #
Proposal for a regulation
Recital 61
(61) Simultaneous coordinated control actions (‘sweeps’) are specific enforcement actions by market surveillance authorities that can further enhance product security. Sweeps should, in particular, be conducted where market trends, consumer complaints or other indications suggest that certain product categories are often found to present cybersecurity risks. ENISA should submit proposals for categories of products for which sweeps could be organised to the market surveillance authorities, based, among others, on the notifications of product vulnerabilities and incidents it receives. ENISA should also coordinate national market surveillance authorities for regular checks of products with digital elements placed on the market by manufacturers that might present a security risk for the EU, with particular regard to identifying exploitable vulnerabilities.
Amendment 195 #
Proposal for a regulation
Recital 65
(65) In order to ensure effective enforcement of the obligations laid down in this Regulation, each market surveillance authority should have the power to impose or request the imposition of administrative fines. Maximum levels for administrative fines to be provided for in national laws for non-compliance with the obligations laid down in this Regulation should therefore be established. When deciding on the amount of the administrative fine in each individual case, all relevant circumstances of the specific situation should be taken into account, notably the economic operator's size, whether it is a micro, small or medium sized enterprise, and as a minimum those circumstances explicitly established in this Regulation, including whether administrative fines have already been applied by other market surveillance authorities to the same operator for similar infringements. Such circumstances can be either aggravating, in situations where the infringement by the same operator persists on the territory of Member States other than the one where an administrative fine has already been applied, or mitigating, in ensuring that any other administrative fine considered by another market surveillance authority for the same economic operator or the same type of breach should already take account, along with other relevant specific circumstances, of a penalty and the quantum thereof imposed in other Member States. In all such cases, the cumulative administrative fine that could be applied by market surveillance authorities of several Member States to the same economic operator for the same type of infringement should ensure respect of the principle of proportionality.
Amendment 196 #
Proposal for a regulation
Recital 66 a (new)
(66a) The revenues generated from the payments of penalties should be used to strengthen the level of cybersecurity within the Union, including by developing capacity and skills related to cybersecurity, improving economic operators' cyber resilience, in particular of micro, small and medium sized enterprises and more in general fostering public awareness of cyber security issues.
Amendment 198 #
Proposal for a regulation
Recital 69
(69) Economic operators should be provided with sufficient time to adapt to the requirements of this Regulation. This Regulation should apply [30 months] from its entry into force, with the exception of the reporting obligations concerning actively exploited vulnerabilities and incidents, which should apply [12 months] from the entry into force of this Regulation.
Amendment 205 #
Proposal for a regulation
Article 1 – paragraph 1 – point d
(d) rules on market monitoring, surveillance and enforcement of the above-mentioned rules and requirements.
Amendment 213 #
4a. This regulation does not apply to spare parts that are exclusively manufactured in order to repair products with digital elements that have been placed on the market before the application date of this regulation referred to in Article 57.
Amendment 233 #
Proposal for a regulation
Article 3 – paragraph 1 – point 21 a (new)
(21a) 'consumer' means any natural person who, under the circumstances of this Regulation, is acting for purposes which are outside their trade, business, craft or profession.
Amendment 239 #
Proposal for a regulation
Article 3 – paragraph 1 – point 31
(31) ‘substantial modification’ means a change or a series of changes to the product with digital elements following its placing on the market, which affects the compliance of the product with digital elements with the essential requirements set out in Section 1 of Annex I or results in a modification to the intended use for which the product with digital elements has been assessed;
Amendment 256 #
Proposal for a regulation
Article 6 – paragraph 1
1. Products with digital elements that belong to a category which is listed in Annex III shall be considered critical products with digital elements. Only products which have the core functionality of a category that is listed in Annex III to this Regulation shall be considered as falling into that category. Categories of critical products with digital elements shall be divided into class I and class II as set out in Annex III, reflecting the level of cybersecurity risk related to these products. The integration of a component of a higher class of criticality does not change the level of criticality of the product into which the component is integrated.
Amendment 261 #
Proposal for a regulation
Article 6 – paragraph 3
3. The Commission is empowered to adopt a delegated act in accordance with Article 50 to supplement this Regulation by specifying the definitions of the product categories under class I and class II as set out in Annex III. The delegated act shall be adopted [by 9 months since the entry into force of this Regulation].
Amendment 266 #
Proposal for a regulation
Article 6 – paragraph 5 – introductory part
5. The Commission is empowered to adopt delegated acts in accordance with Article 50 to supplement this Regulation by specifying categories of highly critical products with digital elements for which the manufacturers shall be required to obtain a European cybersecurity certificate under a European cybersecurity certification scheme at assurance level "high" pursuant to Regulation (EU) 2019/881 to demonstrate conformity with the essential requirements set out in Annex I, or parts thereof. When determining such categories of highly critical products with digital elements, the Commission shall take into account the level of cybersecurity risk related to the category of products with digital elements, in light of one or several of the criteria listed in paragraph 2, as well as in view of the assessment of whether that category of products is:
Amendment 267 #
Proposal for a regulation
Article 9 – paragraph 1 – subparagraph 1 (new)
Internal networks of a machinery product with digital elements are not subject to this Regulation when they are secured via dedicated endpoints and isolated from external networks, and where the manufacturer assesses and indicates that the intended final use of the component is for internal operations and communication only.
Amendment 273 #
Proposal for a regulation
Article 10 – paragraph 4
4. For the purposes of complying with the obligation laid down in paragraph 1, manufacturers shall exercise due diligence when integrating components sourced from third parties in products with digital elements, including when they integrate components of open-source software that have not been supplied in the course of a commercial activity. They shall ensure that such components do not compromise the security of the product with digital elements.
Amendment 281 #
Proposal for a regulation
Article 10 – paragraph 6 – subparagraph 1
When placing a product with digital elements on the market, and for the expected product lifetime or for a period of five years from the placing of the product on the market, whichever is shorter, manufacturers shall ensure that vulnerabilities of that product are handled effectively and in accordance with the essential requirements set out in Section 2 of Annex I. Where applicable, the expected product lifetime shall be stated on the product or be included in contractual agreements.
Amendment 285 #
Proposal for a regulation
Article 10 – paragraph 8
8. Manufacturers shall keep the technical documentation and the EU declaration of conformity, where relevant, at the disposal of the market surveillance authorities for ten years, or for the expected product lifetime, whichever is longer, after the product with digital elements has been placed on the market.
Amendment 289 #
Proposal for a regulation
Article 10 – paragraph 9
9. Manufacturers shall ensure that procedures are in place for products with digital elements that are part of a series of production to remain in conformity. The manufacturer shall adequately take into account changes in the development and production process or in the design or characteristics of the product with digital elements and changes in the harmonised horizontal or domain specific standards, European cybersecurity certification schemes or the common specifications referred to in Article 19 by reference to which the conformity of the product with digital elements is declared or by application of which its conformity is verified.
Amendment 295 #
Proposal for a regulation
Article 10 – paragraph 12
12. From the placing on the market and for the expected product lifetime or for a period of five years after the placing on the market of a product with digital elements, whichever is shorter, manufacturers who know or have reason to believe that the product with digital elements or the processes put in place by the manufacturer are not in conformity with the essential requirements set out in Annex I shall immediately take the corrective measures necessary to bring that product with digital elements or the manufacturer’s processes into conformity, to withdraw or to recall the product, as appropriate.
Amendment 303 #
Proposal for a regulation
Article 10 – paragraph 15
15. The Commission may, by means of delegated acts, specify the format and elements of the software bill of materials set out in Section 2, point (1), of Annex I. Those delegated acts shall be adopted in accordance with the examination procedure referred to in Article 50.
Amendment 333 #
Proposal for a regulation
Article 11 – paragraph 5
5. The Commission is empowered to adopt delegated acts, in accordance with Article 50, to further specify the type of information, format and procedure of the notifications submitted pursuant to paragraphs 1 and 2. Those delegated acts shall be adopted within 9 months of entry into force of this Regulation.
Amendment 360 #
Proposal for a regulation
Article 16 – paragraph 1
A natural or legal person, other than the manufacturer, the importer or the distributor, that carries out a substantial modification of the product with digital elements, making it available on the market, shall be considered a manufacturer for the purposes of this Regulation.
Amendment 370 #
Proposal for a regulation
Article 19 – paragraph 1
Where harmonised standards referred to in Article 18 do not exist or where the Commission considers that the relevant harmonised standards are insufficient to satisfy the requirements of this Regulation or to comply with the standardisation request of the Commission, or where there are undue delays in the standardisation procedure or where the request for harmonised standards by the Commission has not been accepted by the European standardisation organisations, the Commission is empowered, by means of delegated acts, in accordance with Article 50, to adopt common specifications in respect of the essential requirements set out in Annex I for products within the scope of this Regulation.
Amendment 371 #
Proposal for a regulation
Article 23 – paragraph 2
2. The technical documentation shall be drawn up before the product with digital elements is placed on the market and shall be continuously updated, where appropriate, during the expected product lifetime or during a period of five years after the placing on the market of a product with digital elements, whichever is shorter.
Amendment 374 #
Proposal for a regulation
Article 23 – paragraph 5
5. The Commission is empowered to adopt delegated acts in accordance with Article 50 to supplement this Regulation by the elements to be included in the technical documentation set out in Annex V to take account of technological developments, of the dimension of economic operators with particular regard to micro, small and medium sized enterprises, as well as developments encountered in the implementation process of this Regulation.
Amendment 385 #
Proposal for a regulation
Article 24 – paragraph 5
5. Notified bodies shall take into account the specific interests and needs of micro, small and medium sized enterprises (SMEs) when setting the fees for conformity assessment procedures and reduce those fees proportionately to their specific interests and needs.
Amendment 389 #
Proposal for a regulation
Article 29 – paragraph 7 a (new)
7a. Member States shall put in place appropriate measures to ensure sufficient availability of skilled professionals, in order to minimise bottlenecks in the assessment activities and facilitate the compliance of economic operators with this Regulation.
Amendment 390 #
Proposal for a regulation
Article 29 – paragraph 12
12. Conformity assessment bodies shall operate in accordance with a set of consistent, fair and reasonable terms and conditions, in particular taking into account the interests of micro, small and medium sized enterprises in relation to fees.
Amendment 398 #
Proposal for a regulation
Article 41 – paragraph 6
6. Member States shall ensure that the designated market surveillance authorities are provided with adequate financial and human resources, with appropriate cybersecurity skills, in order to fulfil their tasks under this Regulation.
Amendment 437 #
Proposal for a regulation
Article 50 – paragraph 2
2. The power to adopt delegated acts referred to in Article 2(4), Article 6(2), Article 6(3), Article 6(5), Article 10 (15), Article 11(5), Article 19 (1), Article 20(5), and Article 23(5) shall be conferred on the Commission.
Amendment 438 #
Proposal for a regulation
Article 50 – paragraph 3
3. The delegation of power referred to in Article 2(4), Article 6(2), Article 6(3), Article 6(5), Article 10(15), Article 11 (5), Article 19(1), Article 20(5), and Article 23(5) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.
Amendment 448 #
Proposal for a regulation
Article 53 a (new)
Article 53a
Allocation of penalties
Member States shall determine the use of revenues generated from the payments of penalties. At least 50% of the revenues generated from the payments of penalties referred to in Article 53(1) should be earmarked for one or more of the following:
(i) increasing the number of skilled professionals in the field of cybersecurity, notably of women;
(ii) capacity-building for micro, small and medium sized enterprises in order to facilitate their compliance with this Regulation;
(iii) improving public awareness of cyber threats, with particular regard to their prevention and management;
Amendment 466 #
Proposal for a regulation
Annex I – Part 1 – point 3 – point a
(a) be delivered with a secure by default configuration, including the possibility to reset the product to its original state, while safeguarding its security;