Activities of Matteo GAZZINI related to 2022/0272(COD)
Shadow reports (1)
REPORT on the proposal for a regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020
Amendments (30)
Amendment 127
Proposal for a regulation
Recital 7
(7) Under certain conditions, all products with digital elements integrated in or connected to a larger electronic information system can serve as an attack vector for malicious actors. As a result, even hardware and software considered as less critical can facilitate the initial compromise of a device or network, enabling malicious actors to gain privileged access to a system or move laterally across systems. Manufacturers should therefore ensure that all connectable products with digital elements connected to an external network or device are designed and developed in accordance with essential requirements laid down in this Regulation. This includes both products that can be connected to external networks or devices physically via hardware interfaces and products that are connected logically, such as via network sockets, pipes, files, application programming interfaces or any other types of software interface. As cybersecurity threats can propagate through various products with digital elements before reaching a certain target, for example by chaining together multiple vulnerability exploits, manufacturers should also ensure the cybersecurity of those products that are only indirectly connected to other devices or networks.
Amendment 128
Proposal for a regulation
Recital 7 a (new)
(7a) This regulation should not apply to the internal networks of a product with digital elements if these networks have dedicated endpoints and are secured from external data connection.
Amendment 129
Proposal for a regulation
Recital 7 b (new)
(7b) This regulation should not apply to spare parts intended solely to replace defective parts of products with digital elements, in order to restore their functionality.
Amendment 141
Proposal for a regulation
Recital 10
(10) In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. In the context of software, a commercial activity solely occurs when a price is charged for the use of a product with the intention of making a profit or by providing a software platform through which the manufacturer monetises other services, or by the monetization of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software.
Amendment 143
Proposal for a regulation
Recital 13 a (new)
(13a) Agricultural and forestry vehicles in scope of Regulation (EU) 167/2013 of the European Parliament and of the Council also fall within the scope of this Regulation. In order to avoid regulatory overlaps, additional cybersecurity requirements in future amendments of Regulation (EU) 167/2013 should not be foreseen.
Amendment 155
Proposal for a regulation
Recital 26
(26) Critical products with digital elements should be subject to stricter conformity assessment procedures, while keeping a proportionate approach. For this purpose, critical products with digital elements should be divided into two classes, reflecting the level of cybersecurity risk linked to these categories of products. A potential cyber incident involving products in class II might lead to greater negative impacts than an incident involving products in class I, for instance due to the nature of their cybersecurity-related function or intended use in sensitive environments, and therefore should undergo a stricter conformity assessment procedure. Periodical checks should be carried out to ensure that the list of critical products with digital elements is updated.
Amendment 171
Proposal for a regulation
Recital 36
(36) Manufacturers of products with digital elements should put in place coordinated vulnerability disclosure policies that are coordinated in terms of frequency and timing to facilitate the reporting of vulnerabilities by individuals or entities. A coordinated vulnerability disclosure policy should specify a structured process through which vulnerabilities are reported to a manufacturer in a manner allowing the manufacturer to diagnose and remedy such vulnerabilities before detailed vulnerability information is disclosed to third parties or to the public. Given the fact that information about exploitable vulnerabilities in widely used products with digital elements can be sold at high prices on the black market, manufacturers of such products should be able to use programmes, as part of their coordinated vulnerability disclosure policies, to incentivise the reporting of vulnerabilities by ensuring that individuals or entities receive recognition and compensation for their efforts (so-called ‘bug bounty programmes’).
Amendment 190
Proposal for a regulation
Recital 62
(62) In order to ensure that the regulatory framework can be adapted where necessary, the power to adopt acts in accordance with Article 290 of the Treaty should be delegated to the Commission in respect of updates to the list of critical products in Annex III and specifying the definitions of these product categories. Such updates shall be carried out periodically by the Commission, ensuring timely changes to the list of critical products in Annex III. Power to adopt acts in accordance with that Article should be delegated to the Commission to identify products with digital elements covered by other Union rules which achieve the same level of protection as this Regulation, specifying whether a limitation or exclusion from the scope of this Regulation would be necessary as well as the scope of that limitation, if applicable. Power to adopt acts in accordance with that Article should also be delegated to the Commission in respect of the potential mandating of certification of certain highly critical products with digital elements based on criticality criteria set out in this Regulation, as well as for specifying the minimum content of the EU declaration of conformity and supplementing the elements to be included in the technical documentation. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Inter-institutional Agreement of 13 April 2016 on Better Law-Making33. In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States’ experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts.
33 OJ L 123, 12.5.2016, p. 1.
Amendment 206
Proposal for a regulation
Article 2 – paragraph 1
1. This Regulation applies to products with digital elements whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to an external device or network. This Regulation does not apply to the electronic communications networks as defined in Article 2, point (1), of Directive (EU) 2018/1972 in which products with digital elements are integrated.
Amendment 216
Proposal for a regulation
Article 2 – paragraph 5 a (new)
5a. This Regulation does not apply to free and open-source software, including its source code and modified versions, except when such software is provided in exchange for a price or as a monetised product with the intention of making a profit rather than performing maintenance.
Amendment 218
Proposal for a regulation
Article 2 – paragraph 5 b (new)
5b. 6 (new) This Regulation does not apply to the internal networks of a product with digital elements if these networks have dedicated endpoints and are secured from external data connection.
Amendment 219
Proposal for a regulation
Article 2 – paragraph 5 c (new)
5c. 7 (new) This Regulation shall not apply to spare parts intended solely to replace defective parts of products with digital elements, in order to restore their functionality.
Amendment 230
Proposal for a regulation
Article 3 – paragraph 1 – point 11
(11) ‘physical connection’ means any connection between electronic information systems or components implemented using physical means, including through electrical or mechanical interfaces or wires;
Amendment 252
Proposal for a regulation
Article 4 – paragraph 3
3. Member States shall not prevent the making available of unfinished software which does not comply with this Regulation provided that the software is only made available for a limited period required for testing purposes and that a visible sign clearly indicates that it does not comply with this Regulation and will not be available on the market for purposes other than testing.
Amendment 258
Proposal for a regulation
Article 6 – paragraph 2 – introductory part
2. The Commission is empowered to adopt delegated acts in accordance with Article 50 to amend Annex III by including in the list of categories of critical products with digital elements a new category or withdrawing an existing one from that list. The Commission should carry out periodical checks to assess whether the list of critical products with digital elements needs to be integrated or updated. When assessing the need to amend the list in Annex III, the Commission shall take into account the level of cybersecurity risk related to the category of products with digital elements. In determining the level of cybersecurity risk, one or several of the following criteria shall be taken into account:
Amendment 271
Proposal for a regulation
Article 10 – paragraph 2
2. For the purposes of complying with the obligation laid down in paragraph 1, manufacturers shall undertake an assessment of the cybersecurity risks associated with a data connection to an external device or network of a product with digital elements and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases of the product with digital elements with a view to minimising cybersecurity risks, preventing security incidents and minimising the impacts of such incidents, including in relation to the health and safety of users.
Amendment 277
Proposal for a regulation
Article 10 – paragraph 6 – subparagraph 1
When placing a product with digital elements on the market, the manufacturer shall define the expected product lifetime. In doing so, the manufacturer shall ensure that the expected product lifetime is in line with reasonable consumer expectations and that it promotes sustainability and the need to ensure long-lasting products with digital elements. Manufacturers shall ensure that vulnerabilities of that product are handled effectively and in accordance with the essential requirements set out in Section 2 of Annex I during at least the expected product lifetime or 10 years, whichever is shorter. Where applicable, the expected product lifetime shall be clearly stated on the product, its packaging or be included in contractual agreements.
Amendment 358
Proposal for a regulation
Article 16 – paragraph 1
A natural or legal person, other than the manufacturer, the importer or the distributor, that carries out a substantial modification of the product with digital elements, with the intention of making a profit, shall be considered a manufacturer for the purposes of this Regulation.
Amendment 369
Proposal for a regulation
Article 19 – paragraph 1
Where harmonised standards referred to in Article 18 do not exist or where the Commission considers that the relevant harmonised standards are insufficient to satisfy the requirements of this Regulation or to comply with the standardisation request of the Commission, or where there are undue delays in the standardisation procedure or where the request for harmonised standards by the Commission has not been accepted by the European standardisation organisations, as a last resort the Commission is empowered, by means of implementing acts, to adopt common specifications in respect of the essential requirements set out in Annex I. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 51(2).
Amendment 451
Proposal for a regulation
Article 55 – paragraph 3 a (new)
3a. 4 (new) By way of derogation, for products with digital elements falling in scope of Regulation (Machinery Regulation proposal) or Regulation (EU) 167/2013 of the European Parliament and of the Council, the application date referred to in art. 57 is extended by (36 months).
Amendment 452
Proposal for a regulation
Article 55 – paragraph 3 b (new)
3b. By way of derogation, for products with digital elements falling in scope of Regulation (Machinery Regulation proposal) or Regulation 2013/167, where the annual new sales in the EU of each type are fewer than (1000) units, the application date referred to in art. 57 is extended by (60 months).
Amendment 456
Proposal for a regulation
Article 57 – paragraph 2
It shall apply from [248 months after the date of entry into force of this Regulation]. However, Article 11 shall apply from [124 months after the date of entry into force of this Regulation].
Amendment 464
Proposal for a regulation
Annex I – Part 1 – point 3 – introductory part
(3) On the basis of the cybersecurity risk assessment referred to in Article 10(2) and where applicable, products with digital elements shall:
Amendment 469
Proposal for a regulation
Annex I – Part 1 – point 3 – point a a (new)
(aa) be placed on the market without any known exploitable vulnerabilities towards an external device or network.
Amendment 504
Proposal for a regulation
Annex III – Part I – point 17
17. Firewalls, Security Gateways, intrusion detection and/or prevention systems not covered by class II;
Amendment 508
Proposal for a regulation
Annex III – Part I – point 18
18. Routers, modems intended for the connection to the internet, and switches, and other network nodes that are necessary for the provision of the connectivity service, not covered by class II;
Amendment 516
Proposal for a regulation
Annex III – Part I – point 23 a (new)
Amendment 533
Proposal for a regulation
Annex III – Part II – point 4
4. Firewalls, Security Gateways, intrusion detection and/or prevention systems intended for industrial use;
Amendment 537
Proposal for a regulation
Annex III – Part II – point 7
7. Routers, modems intended for the connection to the internet, and switches, and other network nodes that are necessary for the provision of the connectivity service, intended for industrial use;
Amendment 539
Proposal for a regulation
Annex III – Part II – point 11
11. Smartcards, smartcard readers, biometric readers, and tokens;