22 Amendments of Lina GÁLVEZ related to 2022/0272(COD)

Amendment 125 #
Proposal for a regulation
Recital 1
(1) Cybersecurity is a key challenge for the European Union as the diffusion of products with digital elements is constantly rising. In this regard, cyberattacks are a matter of public interest as they can have a critical impact not only for the economy but also for consumers' safety and health. It is therefore necessary to address cyber resilience at Union level and improve the functioning of the internal market by laying down a uniform legal framework for essential cybersecurity requirements for placing products with digital elements on the Union market. Two major problems adding costs for users and society should be addressed: a low level of cybersecurity of products with digital elements, reflected by widespread vulnerabilities and the insufficient and inconsistent provision of security updates to address them, and an insufficient understanding and access to information by users, preventing them from choosing products with adequate cybersecurity properties or using them in a secure manner.
2023/05/04
Committee: ITRE
Amendment 126 #
Proposal for a regulation
Recital 4
(4) While the existing Union legislation applies to certain products with digital elements, there is no horizontal Union regulatory framework establishing comprehensive cybersecurity requirements for all products with digital elements. The various acts and initiatives taken thus far at Union and national levels only partially address the identified cybersecurity-related problems and risks, creating a legislative patchwork within the internal market, increasing legal uncertainty for both manufacturers and users of those products and adding an unnecessary burden on companies to comply with a number of requirements for similar types of products. The cybersecurity of these products has a particularly strong cross-border dimension, as products manufactured in one country are often used by organisations and consumers across the entire internal market. This makes it necessary to regulate the field at Union level. The Union regulatory landscape should be harmonised by introducing cybersecurity requirements for products with digital elements. In addition, certainty for operators and users should be ensured across the Union, as well as a better harmonisation of the single market, proportionality for micro, small and medium sized enterprises, thus creating more viable conditions for operators aiming at entering the Union market.
2023/05/04
Committee: ITRE
Amendment 142 #
Proposal for a regulation
Recital 10 a (new)
(10a) The lack of professional skills in the field of cybersecurity is a key issue to be tackled for the successful application of this Regulation. Therefore, in line with the European Commission Communication "Closing the cybersecurity talent gap to boost the EU's competitiveness, growth and resilience ('The Cybersecurity Skills Academy')", specific measures both at EU and Member States level should be put in place to assess the state and the evolution of cybersecurity labour market and create a single point of entry and synergies for cybersecurity education and training offers with the aim of establishing a common EU approach to cybersecurity training.
2023/05/04
Committee: ITRE
Amendment 146 #
Proposal for a regulation
Recital 19
(19) Certain tasks provided for in this Regulation should be carried out by ENISA, in accordance with Article 3(2) of Regulation (EU) 2019/881. In particular, ENISA should receive notifications from manufacturers of actively exploited vulnerabilities contained in products with digital elements, as well as incidents having an impact on the security of those products. ENISA should also forward these notifications to the relevant Computer Security Incident Response Teams (CSIRTs) or, respectively, to the relevant single points of contact of the Member States designated in accordance with Article [Article X] of Directive [Directive XXX / XXXX (NIS2)], and inform the relevant market surveillance authorities about the notified vulnerability. ENISA should ensure the confidentiality of these notifications with particular regard to vulnerabilities for which a security update is not yet available. On the basis of the information it gathers, ENISA should prepare a biennial technical report on emerging trends regarding cybersecurity risks in products with digital elements and submit it to the Cooperation Group referred to in Directive [Directive XXX / XXXX (NIS2)]. Furthermore, considering its expertise and mandate, ENISA should be able to support the process for implementation of this Regulation. In particular, it should be able to propose joint activities to be conducted by market surveillance authorities based on indications or information regarding potential non-compliance with this Regulation of products with digital elements across several Member States or identify categories of products for which simultaneous coordinated control actions should be organised. In exceptional circumstances, at the request of the Commission, ENISA should be able to conduct evaluations in respect of specific products with digital elements that present a significant cybersecurity risk, where an immediate intervention is required to preserve the good functioning of the internal market.
2023/05/04
Committee: ITRE
Amendment 174 #
Proposal for a regulation
Recital 38
(38) In order to facilitate assessment of conformity with the requirements laid down by this Regulation, there should be a presumption of conformity for products with digital elements which are in conformity with harmonised horizontal or domain specific standards, which translate the essential requirements of this Regulation into detailed technical specifications, and which are adopted in accordance with Regulation (EU) No 1025/2012 of the European Parliament and of the Council [29]. Regulation (EU) No 1025/2012 provides for a procedure for objections to harmonised standards where those standards do not entirely satisfy the requirements of this Regulation.

[29] Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council Decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12).
2023/05/04
Committee: ITRE
Amendment 180 #
Proposal for a regulation
Recital 41
(41) Where no harmonised standards are adopted, and after taking in due consideration widely accepted international standards, or where the harmonised standards do not sufficiently address the essential requirements of this Regulation, the Commission should be able to adopt common specifications by means of delegated acts. Reasons for developing such common specifications, instead of relying on harmonised standards, might include a refusal of the standardisation request by any of the European standardisation organisations, undue delays in the establishment of appropriate harmonised standards, or a lack of compliance of developed standards with the requirements of this Regulation or with a request of the Commission. In order to facilitate assessment of conformity with the essential requirements laid down by this Regulation, there should be a presumption of conformity for products with digital elements that are in conformity with the common specifications adopted by the Commission according to this Regulation for the purpose of expressing detailed technical specifications of those requirements.
2023/05/04
Committee: ITRE
Amendment 183 #
Proposal for a regulation
Recital 53
(53) In the interests of competitiveness, it is crucial that notified bodies apply the conformity assessment procedures without creating unnecessary burden for economic operators, in particular for micro, small, medium sized enterprises. In this regard, Member States, with the support of the Commission, should ensure that there is an adequate availability of cybersecurity skilled professionals in order to ensure that notified bodies can carry out their activities efficiently thus facilitating economic operators' compliance to this Regulation. For the same reason, and to ensure equal treatment of economic operators, consistency in the technical application of the conformity assessment procedures needs to be ensured. That should be best achieved through appropriate coordination and cooperation between notified bodies.
2023/05/04
Committee: ITRE
Amendment 195 #
Proposal for a regulation
Recital 65
(65) In order to ensure effective enforcement of the obligations laid down in this Regulation, each market surveillance authority should have the power to impose or request the imposition of administrative fines. Maximum levels for administrative fines to be provided for in national laws for non-compliance with the obligations laid down in this Regulation should therefore be established. When deciding on the amount of the administrative fine in each individual case, all relevant circumstances of the specific situation should be taken into account, notably the economic operator's size, whether it is a micro, small or medium sized enterprise, and as a minimum those circumstances explicitly established in this Regulation, including whether administrative fines have been already applied by other market surveillance authorities to the same operator for similar infringements. Such circumstances can be either aggravating, in situations where the infringement by the same operator persists on the territory of other Member States than the one where an administrative fine has already been applied, or mitigating, in ensuring that any other administrative fine considered by another market surveillance authority for the same economic operator or the same type of breach should already take account, along with other relevant specific circumstances, of a penalty and the quantum thereof imposed in other Member States. In all such cases, the cumulative administrative fine that could be applied by market surveillance authorities of several Member States to the same economic operator for the same type of infringement should ensure the respect of the principle of proportionality.
2023/05/04
Committee: ITRE
Amendment 196 #
Proposal for a regulation
Recital 66 a (new)
(66a) The revenues generated from the payments of penalties should be used to strengthen the level of cybersecurity within the Union, including by developing capacity and skills related to cybersecurity, improving economic operators' cyber resilience, in particular of micro, small and medium sized enterprises and more in general fostering public awareness of cyber security issues.
2023/05/04
Committee: ITRE
Amendment 289 #
Proposal for a regulation
Article 10 – paragraph 9
9. Manufacturers shall ensure that procedures are in place for products with digital elements that are part of a series of production to remain in conformity. The manufacturer shall adequately take into account changes in the development and production process or in the design or characteristics of the product with digital elements and changes in the harmonised horizontal or domain specific standards, European cybersecurity certification schemes or the common specifications referred to in Article 19 by reference to which the conformity of the product with digital elements is declared or by application of which its conformity is verified.
2023/05/04
Committee: ITRE
Amendment 303 #
Proposal for a regulation
Article 10 – paragraph 15
15. The Commission may, by means of delegated acts, specify the format and elements of the software bill of materials set out in Section 2, point (1), of Annex I. Those delegated acts shall be adopted in accordance with the examination procedure referred to in Article 50.
2023/05/04
Committee: ITRE
Amendment 333 #
Proposal for a regulation
Article 11 – paragraph 5
5. The Commission is empowered to adopt delegated acts, in accordance with Article 50, to further specify the type of information, format and procedure of the notifications submitted pursuant to paragraphs 1 and 2. Those delegated acts shall be adopted within 9 months of entry into force of this Regulation.
2023/05/04
Committee: ITRE
Amendment 370 #
Proposal for a regulation
Article 19 – paragraph 1
Where harmonised standards referred to in Article 18 do not exist or where the Commission considers that the relevant harmonised standards are insufficient to satisfy the requirements of this Regulation or to comply with the standardisation request of the Commission, or where there are undue delays in the standardisation procedure or where the request for harmonised standards by the Commission has not been accepted by the European standardisation organisations, the Commission is empowered, by means of delegated acts, in accordance with Article 50, to adopt common specifications in respect of the essential requirements set out in Annex I. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 51(2) for products within the scope of this Regulation.
2023/05/04
Committee: ITRE
Amendment 374 #
Proposal for a regulation
Article 23 – paragraph 5
5. The Commission is empowered to adopt delegated acts in accordance with Article 50 to supplement this Regulation by the elements to be included in the technical documentation set out in Annex V to take account of technological developments, of the dimension of economic operators with particular regard to micro, small and medium sized enterprises, as well as developments encountered in the implementation process of this Regulation.
2023/05/04
Committee: ITRE
Amendment 385 #
Proposal for a regulation
Article 24 – paragraph 5
5. Notified bodies shall take into account the specific interests and needs of micro, small and medium sized enterprises (SMEs) when setting the fees for conformity assessment procedures and reduce those fees proportionately to their specific interests and needs.
2023/05/04
Committee: ITRE
Amendment 389 #
Proposal for a regulation
Article 29 – paragraph 7 a (new)
7a. Member States shall put in place appropriate measures to ensure sufficient availability of skilled professionals, in order to minimise bottlenecks in the assessment activities and facilitate the compliance of economic operators to this Regulation.
2023/05/04
Committee: ITRE
Amendment 390 #
Proposal for a regulation
Article 29 – paragraph 12
12. Conformity assessment bodies shall operate in accordance with a set of consistent, fair and reasonable terms and conditions, in particular taking into account the interests of micro, small and medium sized enterprises in relation to fees.
2023/05/04
Committee: ITRE
Amendment 398 #
Proposal for a regulation
Article 41 – paragraph 6
6. Member States shall ensure that the designated market surveillance authorities are provided with adequate financial and human resources, with appropriate cybersecurity skills, in order to fulfil their tasks under this Regulation.
2023/05/04
Committee: ITRE
Amendment 437 #
Proposal for a regulation
Article 50 – paragraph 2
2. The power to adopt delegated acts referred to in Article 2(4), Article 6(2), Article 6(3), Article 6(5), Article 10(15), Article 11(5), Article 19(1), Article 20(5), and Article 23(5) shall be conferred on the Commission.
2023/05/04
Committee: ITRE
Amendment 438 #
Proposal for a regulation
Article 50 – paragraph 3
3. The delegation of power referred to in Article 2(4), Article 6(2), Article 6(3), Article 6(5), Article 10(15), Article 11(5), Article 19(1), Article 20(5), and Article 23(5) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.
2023/05/04
Committee: ITRE
Amendment 448 #
Proposal for a regulation
Article 53 a (new)
Article 53a
Allocation of penalties
Member States shall determine the use of revenues generated from the payments of penalties. At least 50% of the revenues generated from the payments of penalties referred to in Article 53(1) should be earmarked for one or more of the following:
(i) increasing the number of skilled professionals in the field of cybersecurity, notably of women;
(ii) capacity-building for micro, small and medium sized enterprises in order to facilitate their compliance with this Regulation;
(iii) improving public awareness of cyber threats, with particular regard to their prevention and management;
2023/05/04
Committee: ITRE
Amendment 466 #
Proposal for a regulation
Annex I – Part 1 – point 3 – point a
(a) be delivered with a secure by default configuration, including the possibility to reset the product to its original state, while safeguarding its security;
2023/05/04
Committee: ITRE