48 Amendments of Bart GROOTHUIS related to 2022/0272(COD)

Amendment 138 #
Proposal for a regulation
Recital 10
(10) In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. In the context of software, a commercial activity solely occurs when a price is charged for the use of a product with the intention of making a profit beyond mere technical support, consulting services, or maintenance based on incurred costs, or by providing a software platform through which the manufacturer monetises other services, or by the monetisation of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software.
2023/05/04
Committee: ITRE
Amendment 165 #
Proposal for a regulation
Recital 34 a (new)
(34a) Dependencies on high-risk suppliers of critical products with digital elements intended for the use by essential entities of the type referred to in [Annex I to the Directive XXX/XXXX (NIS2)] pose a strategic risk that needs to be mitigated at Union level. To mitigate this strategic risk there is a need to move beyond non-binding initiatives, such as the 5G toolbox, and move towards a binding toolbox for reducing critical ICT supply chain risks adopted as a delegated act. It should leverage the lessons learned from those past and national experiences, be based upon a risk assessment and offer strategic risk mitigation measures. Critical products with digital elements used in critical sectors should therefore be subjected to a strategic supply chain risk assessment that includes non-technical factors to assess the risk of the manufacturer being subject to undue interference from a third country. Those factors may include the jurisdiction of the supplier/manufacturer and the characteristics of the supplier’s corporate ownership and the links of control to a third-country government where it is established. A high risk is attributed to a third country’s legislation that obliges arbitrary access to any kind of company data, that would e.g. allow it to conduct economic espionage, without legislative or democratic checks and balances, meaningful oversight mechanisms or the right to appeal to an independent judiciary. A high risk is also attributed where a manufacturer is operating under foreign ownership or control that has the power, direct or indirect, whether or not exercised, to direct or decide matters affecting the management or operations of the manufacturer, or in case of opaque ownership structures, which are state-owned or controlled.
Not all instances of control will create security risks, but what should be considered is the extent to which the use of the critical product by the entities: (a) includes access to sensitive or classified information or assets, (b) relates to the storage or transport of sensitive materials or substances, (c) relates to the provision of security services for physical sites or facilities, (d) is for, or relates to, the storage or protection of sensitive or classified information. Non-technical risk factors should not impede procurement from entities established in likeminded strategic partner countries.
2023/05/04
Committee: ITRE
Amendment 192 #
Proposal for a regulation
Recital 63
(63) In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission to, in open consultation with stakeholders and in consideration of international and industry standards: specify the format and elements of the software bill of materials, specify further the type of information, format and procedure of the notifications on actively exploited vulnerabilities and incidents submitted to ENISA by the manufacturers, specify the European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 that can be used to demonstrate conformity with the essential requirements or parts thereof as set out in Annex I of this Regulation, adopt common specifications in respect of the essential requirements set out in Annex I, lay down technical specifications for pictograms or any other marks related to the security of the products with digital elements, and mechanisms to promote their use, decide on corrective or restrictive measures at Union level in exceptional circumstances which justify an immediate intervention to preserve the good functioning of the internal market. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council [34].
[34] Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the Member States of the Commission's exercise of implementing powers (OJ L 55, 28.2.2011, p. 13).
2023/05/04
Committee: ITRE
Amendment 209 #
Proposal for a regulation
Article 2 – paragraph 1
1. This Regulation applies to products with digital elements whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network.
2023/05/04
Committee: ITRE
Amendment 222 #
Proposal for a regulation
Article 3 – paragraph 1 – point 1
(1) ‘product with digital elements’ means any software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the market separately;
2023/05/04
Committee: ITRE
Amendment 237 #
Proposal for a regulation
Article 3 – paragraph 1 – point 31
(31) ‘substantial modification’ means a change to the product with digital elements following its placing on the market, which affects the compliance of the product with digital elements with the essential requirements set out in Section 1 of Annex I or results in a modification to the intended use for which the product with digital elements has been assessed, excluding security and maintenance updates that aim to mitigate vulnerabilities;
2023/05/04
Committee: ITRE
Amendment 246 #
Proposal for a regulation
Article 3 – paragraph 1 – point 39
(39) ‘actively exploited vulnerability’ means a vulnerability for which there is reliable evidence that execution of malicious code was performed by an actor on a system without permission of the system owner, but does not include a vulnerability for which there is reliable evidence that the exploitation was performed by an actor for purposes of good faith testing, investigation, correction, or disclosure of a security flaw or vulnerability to promote the security or safety of the system owner, computers or software, or those who use such computers or software;
2023/05/04
Committee: ITRE
Amendment 248 #
Proposal for a regulation
Article 3 – paragraph 1 – point 39 – point a (new)
a) ‘expected product lifetime’ means the lifetime a manufacturer documents in the information and instructions to the user defined in Annex II (8). For software it includes the iterated modifications within the version that was placed on the market.
2023/05/04
Committee: ITRE
Amendment 260 #
Proposal for a regulation
Article 6 – paragraph 3
3. The Commission is empowered to adopt a delegated act in accordance with Article 50 to supplement this Regulation by specifying the definitions of the product categories under class I and class II as set out in Annex III. If it expands the scope of the product categories, the procedure in paragraph 2 should be followed. The delegated act shall be adopted [by 12 months since the entry into force of this Regulation]. The Commission shall establish a process under which a product which is a candidate to be a critical product can be reviewed in a collaborative process by all relevant stakeholders, including manufacturers and users, to assess the security risk posed by potential cybersecurity issues with the product, whether and how much designating the product as critical would likely reduce that risk, and the costs associated with designating the product as critical. If such assessment clearly establishes that designating that product as critical would materially reduce the security risk posed to the users of the product and that the value of such reduction would outweigh the costs to the manufacturer and other parties, the product may be designated as critical under this Regulation.
2023/05/04
Committee: ITRE
Amendment 264 #
Proposal for a regulation
Article 6 – paragraph 5
5. The Commission is empowered to adopt delegated acts in accordance with Article 50 to supplement this Regulation by specifying categories of highly critical products with digital elements for which the manufacturers shall be required to obtain a European cybersecurity certificate under a European cybersecurity certification scheme pursuant to Regulation (EU) 2019/881 to demonstrate conformity with the essential requirements set out in Annex I, or parts thereof. When determining such categories of highly critical products with digital elements, the Commission shall take into account the level of cybersecurity risk related to the category of products with digital elements, in light of one or several of the criteria listed in paragraph 2, as well as in view of the assessment of whether that category of products is: (a) used or relied upon by the essential entities of the type referred to in Annex [Annex I] to the Directive [Directive XXX/ XXXX (NIS2)] or will have potential future significance for the activities of these entities; or (b) relevant for the resilience of the overall supply chain of products with digital elements against disruptive events.
2023/05/04
Committee: ITRE
Amendment 269 #
Proposal for a regulation
Article 10 – paragraph 1
1. When placing a product with digital elements on the market, manufacturers shall ensure that it has been designed, developed and produced in accordance with the essential requirements set out in Section 1 of Annex I. Manufacturers may deviate from a requirement in justified cases if it does not apply due to the nature of the product. Manufacturers should document the justification in the cybersecurity risk assessment in accordance with paragraph 2.
2023/05/04
Committee: ITRE
Amendment 278 #
Proposal for a regulation
Article 10 – paragraph 6 – subparagraph 1
Manufacturers shall ensure, when placing a product with digital elements on the market, and for the expected product lifetime, that vulnerabilities of that product or of its iterated versions during its lifetime are handled effectively and in accordance with the essential requirements set out in Section 2 of Annex I. Manufacturers shall determine the expected product lifetime referred to in the first subparagraph of this paragraph taking into account the time users reasonably expect to be able to use the product given its functionality and intended purpose and therefore can expect to receive security updates.
2023/05/04
Committee: ITRE
Amendment 290 #
Proposal for a regulation
Article 10 – paragraph 9
9. Manufacturers shall ensure that procedures are in place for products with digital elements that are part of a series of production to remain in conformity. The manufacturer shall adequately take into account changes in the development and production process or in the design or characteristics of the product with digital elements and changes in the harmonised or industry standards, European cybersecurity certification schemes or the common specifications referred to in Article 19 by reference to which the conformity of the product with digital elements is declared or by application of which its conformity is verified.
2023/05/04
Committee: ITRE
Amendment 293 #
Proposal for a regulation
Article 10 – paragraph 10 a (new)
10a. Manufacturers shall clearly and understandably specify in an easily accessible manner and where applicable on the packaging of the product with digital elements, the end date for the expected product lifetime as referred to in paragraph 6, including at least the month and year, until which the manufacturer will at least ensure the effective handling of vulnerabilities in accordance with the essential requirements set out in Section 2 of Annex I.
2023/05/04
Committee: ITRE
Amendment 300 #
Proposal for a regulation
Article 10 – paragraph 15
15. The Commission may, by means of implementing acts, and following an open consultation with stakeholders and in line with international standards, specify the format and elements of the software bill of materials set out in Section 2, point (1), of Annex I. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 51(2).
2023/05/04
Committee: ITRE
Amendment 309 #
Proposal for a regulation
Article 11 – paragraph 1
1. The manufacturer shall, without undue delay and in any event within 72 hours after the patch is publicly available, notify to the CSIRT Network any new patched vulnerabilities contained in the product with digital elements that may be actively exploited and pose a significant cybersecurity risk. The notification shall include basic details concerning that vulnerability and, where applicable, any corrective or mitigating measures taken. ENISA shall, without undue delay, unless for justified cybersecurity risk-related grounds, forward the notification to the CSIRT designated for the purposes of coordinated vulnerability disclosure in accordance with Article [Article X] of Directive [Directive XXX/XXXX (NIS2)] of Member States concerned upon receipt and inform the market surveillance authority about the notified vulnerability, based on the manufacturer's coordinated vulnerability disclosure policy required by Section 2, point (5), of Annex I (e.g., ISO/IEC 29147).
2023/05/04
Committee: ITRE
Amendment 314 #
Proposal for a regulation
Article 11 – paragraph 2
2. The manufacturer shall, without undue delay and in any event within 24 hours of becoming aware of it, notify the designated CSIRT or single point of contact, in accordance with the procedure of Directive [Directive XXX.XXXX NIS2], any significant incident having impact on the security of the product with digital elements. The single point of contact shall, without undue delay, unless for justified cybersecurity risk-related grounds, forward the notifications to the single point of contact designated in accordance with Article [Article X] of Directive [Directive XXX/XXXX (NIS2)] of the Member States concerned and inform the market surveillance authority about the notified incidents. The incident notification shall include information on the severity and impact of the incident and, where applicable, indicate whether the manufacturer suspects the incident to be caused by unlawful or malicious acts or considers it to have a cross-border impact.
2023/05/04
Committee: ITRE
Amendment 318 #
Proposal for a regulation
Article 11 – paragraph 2 a (new)
2a. Economic operators that are also identified as essential entities or important entities under the Directive [Directive XXX.XXXX NIS2] and who submit their incident notification pursuant to the Directive [Directive XXX.XXXX NIS2] should be deemed compliant with the requirements in point 2 of this Article. Moreover, an entity may only be fined once for non-compliance with overlapping reporting requirements.
2023/05/04
Committee: ITRE
Amendment 325 #
Proposal for a regulation
Article 11 – paragraph 4
4. The manufacturer shall inform, without undue delay and after becoming aware, the impacted users of the product with digital elements about the incident having significant impact and, where necessary, may inform all users of the product with digital elements about corrective measures that the user can deploy to mitigate the impact of the incident.
2023/05/04
Committee: ITRE
Amendment 341 #
Proposal for a regulation
Article 13 – paragraph 2 – point c a (new)
(ca) Non-technical risk factors of the manufacturer are taken into consideration for critical products described in Class II of Annex III intended for the use by essential entities of the type referred to in [Annex I to the Directive XXX/XXXX (NIS2)];
2023/05/04
Committee: ITRE
Amendment 345 #
Proposal for a regulation
Article 13 – paragraph 6 – subparagraph 1
Importers who know or have reason to believe that a product with digital elements, which they have placed on the market, or the processes put in place by its manufacturer, are not in conformity with the essential requirements set out in Annex I or non-technical risk factors shall immediately take the corrective measures necessary to bring that product with digital elements or the processes put in place by its manufacturer into conformity with the essential requirements set out in Annex I, or to withdraw or recall the product, if appropriate.
2023/05/04
Committee: ITRE
Amendment 349 #
Proposal for a regulation
Article 14 – paragraph 2 – point b a (new)
(ba) Non-technical risk factors of the manufacturer are taken into consideration for critical products described in Class II of Annex III intended for the use by essential entities of the type referred to in [Annex I to the Directive XXX/XXXX (NIS2)];
2023/05/04
Committee: ITRE
Amendment 354 #
Proposal for a regulation
Article 14 – paragraph 4 – subparagraph 2
Upon identifying a vulnerability in the product with digital elements, distributors shall inform the manufacturer without undue delay about that vulnerability. Furthermore, where the product with digital elements presents a significant cybersecurity risk including on the basis of non-technical risk factors, distributors shall immediately inform the market surveillance authorities of the Member States in which they have made the product with digital elements available on the market to that effect, giving details, in particular, of the non-conformity and of any corrective measures taken.
2023/05/04
Committee: ITRE
Amendment 368 #
Proposal for a regulation
Article 19 – paragraph 1
Where harmonised standards referred to in Article 18 do not exist or where the Commission considers that the relevant harmonised standards are insufficient to satisfy the requirements of this Regulation or to comply with the standardisation request of the Commission, or where there are undue delays in the standardisation procedure or where the request for harmonised standards by the Commission has not been accepted by the European standardisation organisations, the Commission is empowered, by means of implementing acts, to adopt common specifications in respect of the essential requirements set out in Annex I. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 51(2).
Amendment: deleted
2023/05/04
Committee: ITRE
Amendment 399 #
Proposal for a regulation
Article 41 – paragraph 8
8. Market surveillance authorities may provide guidance and advice to economic operators on the implementation of this Regulation, including on non-technical risk factors, with the support of the Commission.
2023/05/04
Committee: ITRE
Amendment 401 #
Proposal for a regulation
Article 41 – paragraph 8 a (new)
8a. Market surveillance authorities may publish statistics about the average expected product lifetime, as specified by the manufacturer pursuant to article 10 (10a), per category of products with digital elements.
2023/05/04
Committee: ITRE
Amendment 407 #
Where the market surveillance authority of a Member State has sufficient reasons to consider that a product with digital elements, including its vulnerability handling, presents a significant cybersecurity or strategic risk, it shall carry out an evaluation of the product with digital elements concerned in respect of its compliance with all the requirements laid down in this Regulation, including non- technical risk factors. The relevant economic operators shall cooperate as necessary with the market surveillance authority.
2023/05/04
Committee: ITRE
Amendment 418 #
Proposal for a regulation
Article 45 – paragraph 1
1. Where the Commission has sufficient reasons to consider, including based on information provided by ENISA or non-technical risk factors, that a product with digital elements that presents a significant cybersecurity risk is non- compliant with the requirements laid down in this Regulation, it may request the relevant market surveillance authorities to carry out an evaluation of compliance and follow the procedures referred to in Article 43.
2023/05/04
Committee: ITRE
Amendment 420 #
Proposal for a regulation
Article 45 – paragraph 2
2. In exceptional circumstances which justify an immediate intervention to preserve the good functioning of the internal market and where the Commission has sufficient reasons to consider that the product referred to in paragraph 1 remains non-compliant with the requirements laid down in this Regulation, including on the basis of non-technical risk factors, and no effective measures have been taken by the relevant market surveillance authorities, the Commission may request ENISA to carry out an evaluation of compliance. The Commission shall inform the relevant market surveillance authorities accordingly. The relevant economic operators shall cooperate as necessary with ENISA.
2023/05/04
Committee: ITRE
Amendment 441 #
Proposal for a regulation
Article 50 – paragraph 6 a (new)
6a. The Commission shall conduct thorough public consultations and engage in regular and structured dialogue with economic operators to gather evidence and evaluate market implications of including or withdrawing categories of products in scope.
2023/05/04
Committee: ITRE
Amendment 442 #
Proposal for a regulation
Article 51 – paragraph 3 a (new)
3a. The Committee shall conduct thorough public consultations and engage in regular and structured dialogue with economic operators to gather evidence and evaluate market implications of including or withdrawing categories of products in scope.
2023/05/04
Committee: ITRE
Amendment 449 #
Proposal for a regulation
Article 55 – paragraph 2 a (new)
2a. Products with digital elements included in Annex III when placed on the market may meet the conformity assessment requirements under Chapter III by applying the procedure of Article 24 paragraph 1 for a period of 24 months after the date of application of this Regulation as defined in Article 57.
2023/05/04
Committee: ITRE
Amendment 450 #
Proposal for a regulation
Article 55 – paragraph 3
3. By way of derogation from paragraph 2, the obligations laid down in Article 11 shall apply to all products with digital elements within the scope of this Regulation that have been placed on the market 24 months after the [date of entry into force of this Regulation referred to in Article 57].
2023/05/04
Committee: ITRE
Amendment 454 #
Proposal for a regulation
Article 57 – paragraph 2
It shall apply from [24 months after the date of entry into force of this Regulation]. However, Article 11 shall apply from [36 months after the date of entry into force of this Regulation].
2023/05/04
Committee: ITRE
Amendment 461 #
Proposal for a regulation
Annex I – Part 1 – point 2
(2) Products with digital elements shall be delivered without any known exploitable vulnerabilities;
Amendment: deleted
2023/05/04
Committee: ITRE
Amendment 470 #
Proposal for a regulation
Annex I – Part 1 – point 3 – point b
(b) ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems, but also by taking into consideration non-technical risk factors, such as third-country legislation that is applicable in the headquarters of the manufacturer obliging arbitrary government access to any kind of company data without legislative or democratic checks and balances or meaningful oversight mechanisms;
2023/05/04
Committee: ITRE
Amendment 473 #
Proposal for a regulation
Annex I – Part 1 – point 3 – point f
(f) protect the availability of essential functions, also after an incident, including with backup management, and the measures against denial of service attacks;
2023/05/04
Committee: ITRE
Amendment 483 #
Proposal for a regulation
Annex I – Part 2 – paragraph 1 – point 2
(2) in relation to the risks posed to the products with digital elements, address and remediate vulnerabilities in an agreed timeline, including by providing security updates;
2023/05/04
Committee: ITRE
Amendment 484 #
Proposal for a regulation
Annex I – Part 2 – paragraph 1 – point 4
(4) once a security update has been made available, share and publicly disclose information about fixed vulnerabilities, including a description of the vulnerabilities, in accordance with a coordinated vulnerability disclosure process, including information allowing users to identify the product with digital elements affected, the impacts of the vulnerabilities, their severity and information helping users to remediate the vulnerabilities. Detailed information about the vulnerabilities should only be shared and disclosed in a controlled way through coordinated disclosure procedures;
2023/05/04
Committee: ITRE
Amendment 493 #
Proposal for a regulation
Annex II – paragraph 1 – point 6
6. if and, where applicable, where the software bill of materials can be accessed; it is not to be made publicly accessible. If the software bill of materials is made available to notified bodies and market surveillance authorities for the exercise of their tasks, this must happen under the strict non-disclosure conditions set out in Article 52.
2023/05/04
Committee: ITRE
Amendment 499 #
Proposal for a regulation
Annex III – Part I – point 13
13. Remote access/sharing software;
2023/05/04
Committee: ITRE
Amendment 502 #
Proposal for a regulation
Annex III – Part I – point 16
16. Operating systems for servers, desktops and mobile devices;
2023/05/04
Committee: ITRE
Amendment 507 #
Proposal for a regulation
Annex III – Part I – point 18
18. Routers, modems intended for the connection to the internet, and switches, not covered by class II;
Amendment: deleted
2023/05/04
Committee: ITRE
Amendment 510 #
Proposal for a regulation
Annex III – Part I – point 19
19. Microprocessors not covered by class II;
Amendment: deleted
2023/05/04
Committee: ITRE
Amendment 512 #
Proposal for a regulation
Annex III – Part I – point 20
20. Microcontrollers;
Amendment: deleted
2023/05/04
Committee: ITRE
Amendment 532 #
Proposal for a regulation
Annex III – Part II – point 1
1. Operating systems for servers, desktops, and mobile devices;
Amendment: deleted
2023/05/04
Committee: ITRE
Amendment 535 #
Proposal for a regulation
Annex III – Part II – point 5
5. General purpose microprocessors;
Amendment: deleted
2023/05/04
Committee: ITRE
Amendment 536 #
Proposal for a regulation
Annex III – Part II – point 6
6. Microprocessors intended for integration in programmable logic controllers and secure elements;
Amendment: deleted
2023/05/04
Committee: ITRE