Chapter I - General Provisions
Scope and definitions
AMD 39 - The rapporteur simplified the definition of the scope and deleted the notions of intended and reasonably foreseeable uses. The regulation applies to products that can have a direct or indirect data connection to a device or network.
AMD 40 - Introduces a temporary 40-month exemption for components designed as spare parts for other products with digital elements.
AMD 41 - Remote data processing: the rapporteur reduced the scope. Remote data processing solutions should be covered when they are pivotal to the functioning of the product with digital elements.
AMD 42-46 - The Rapporteur inserted a definition for the term ‘cybersecurity’ to be in line with the Cybersecurity Act, as well as additional definitions for the terms ‘incident’, ‘near miss’, and ‘cyber threat’.
Critical products with digital elements
AMD 47 - The Rapporteur proposed that the list of critical products in Annex III should be amended only once every two years by the Commission via delegated acts.
AMD 48-49 - The Rapporteur intends to speed up adoption: the Commission is expected to adopt delegated acts specifying the definitions of the products under class I and II within 6 months of entry into force (instead of one year). Moreover, new categories of products identified under class I and II should be subject to the relevant conformity assessment within 12 months of the adoption of the delegated act.
Highly critical products
AMD 50-51 - With regard to highly critical products with digital elements for which manufacturers must obtain a European cybersecurity certificate, MEP Danti underscored that this obligation should begin to apply 12 months after the adoption of the relevant delegated act. Moreover, a minimum period of operation for new EU cybersecurity schemes is envisaged: the Commission will be able to require mandatory certification no earlier than 12 months after the adoption of the scheme.
CRA Expert group
AMD 51-53 - Furthermore, the Rapporteur introduced a new Article 6a to establish an expert group on cyber resilience, which would be responsible for advising the Commission on certain elements of the proposed Regulation. Amongst other advisory activities, the Expert Group shall also map trends at Union and Member State level regarding existing and patched vulnerabilities.
Public procurement
AMD 54 - A new Article 9a regarding public procurement of products with digital elements was also introduced in order to oblige Member States to ensure that manufacturers remedy vulnerabilities in such products as a matter of urgency.
Chapter II - Obligations of Economic Operators
Open-source software component
AMD 55 - When integrating components of open-source software that have not been placed on the market in the course of a commercial activity, the Rapporteur added that manufacturers [of the final product] must ensure that such components comply with the proposed Regulation.
Product lifetime
AMD 56-58, 62 - The rapporteur introduced an obligation for manufacturers to determine the expected lifetime of products with digital elements when they are placed on the market and to ensure that this lifetime is clearly stated on the products, either through their packaging or in the contractual agreements. Manufacturers would also be required to actively inform users when their product with digital elements has reached the end of its expected product lifetime.
The conformity obligation with the essential requirements is therefore aligned with the new definition of expected product lifetime (instead of a minimum of 5 years after placing on the market).
This approach may enter into conflict with IMCO amendments.
Automatic security updates by default
AMD 57 - For business-to-consumer products with digital elements, MEP Danti suggested that the security update procedures should include automatic security updates by default. Additional amendments regarding manufacturer obligations stressed that information and instructions should be as user-friendly as possible.
Vulnerability handling
AMD 59 - A new article is introduced: when a product's lifetime is shorter than 5 years and its vulnerability handling obligation has ended, manufacturers shall provide free access to the source code to undertakings under a contractual arrangement. Those undertakings commit to extending vulnerability handling and security updates for up to 5 years. This obligation ceases when the lifetime of the product has reached five years.
Reporting obligation of manufacturers
AMD 64 - Certain provisions were altered in order to ensure alignment with NIS 2. The rapporteur introduced a need-to-know basis for vulnerability disclosure where a notified vulnerability has no corrective or mitigating measure available.
AMD 69 - Moreover, the Rapporteur introduced a new Article 11a to specify the vulnerability notification process in line with NIS 2.
AMD 67-68 - The notification is restricted to “significant incidents” having an impact on product security, i.e. when:
- it has caused or is capable of causing severe operational disruption of the production or the services for the manufacturer concerned, which would impact the security of a product; or
- it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.
AMD 74 - New Article 11(a) provides for additional voluntary reporting.
Obligations of Distributors
AMD 75-77 - The rapporteur limited the CRA obligations of distributors on the basis of the information in their possession.
Chapter III - Conformity of the Product with Digital Elements
Common specifications vs Harmonised standards
AMD 79 - With regard to common specifications, MEP Danti emphasised that common specifications should only be a last-resort option for the Commission and defined a list of conditions which include the advice of the CRA Expert Group.
Conformity Assessment of class I
AMD 83 - To avoid excessive recourse to third-party assessment for class I, the rapporteur specified that if harmonised standards, common specifications or European cybersecurity certification schemes are not available, or in the six months following their adoption, manufacturers may demonstrate compliance with this Regulation via the self-assessment procedure.
Mutual Recognition Agreements (MRAs)
AMD 85 - Introduces a new Article 24(a), which paves the way for MRAs that shall ensure the “same level of protection”. Moreover, the Commission shall assess international standards to simplify the development of EU harmonised standards.
Chapter IV - Notification of Conformity Assessment Bodies
AMD 86-87 - Concerning the requirements relating to notified bodies, the Member States and the Commission were called upon to put in place appropriate measures to ensure sufficient availability of skilled professionals, in order to minimise bottlenecks in the activities of conformity assessment bodies.
Chapter V - Market Surveillance and Enforcement
AMD 88 – 97 - As for market surveillance, the Rapporteur suggested that such authorities should provide the Commission with data about the average expected product lifetime set by the manufacturers, disaggregated per category of product with digital elements. The Commission would then be required to publish that information in a publicly accessible and user-friendly database.
AMD 94 - Moreover, MEP Danti underscored the need for market surveillance authorities to regularly conduct sweeps of products in order to check compliance with the proposed Regulation, which should prioritise products placed on the market that may present security risks for the EU.
Chapter VII - Confidentiality and Penalties
AMD 103 - The Rapporteur inserted a new Article 53a regarding the allocation of the revenue from the penalties to support cybersecurity in the EU.
Chapter VIII - Transitional and Final Provisions
Radio Equipment directive and CRA compliance
AMD 104 – Until 40 months after the date of entry into force of the CRA, manufacturers may comply with the requirements of this Regulation on a voluntary basis.
In order to encourage early compliance with the proposed Regulation, MEP Danti included a provision granting a presumption of conformity with the RED Delegated Act (Commission Delegated Regulation (EU) 2022/30). This delegated act shall be repealed at the end of this transitional period.
Annexes
Annex I Essential cybersecurity requirements
AMD 108 - The Rapporteur considered that the obligation to deliver products without known exploitable vulnerabilities should be risk-based, as some vulnerabilities may present very low or no cybersecurity risk.
Annex II: Information and instructions to users
This is aligned with previous amendments requiring information to be provided regarding the expected lifetime of products placed on the market.
Annex III: Classes for critical products with digital elements
The Rapporteur proposed adding home automation systems and private security devices, while removing robot sensing and actuator components and robot controllers.
Legislative calendar
Committee on Industry, Research, and Energy (ITRE) - Lead
The ITRE Committee is tentatively expected to discuss its draft opinion on 25 April 2023. MEPs would then have until 27 April 2023 to table amendments to the text.
A vote in Committee on the draft Report, as well as the amendments tabled to it, is then tentatively foreseen for 19 July 2023.
Once approved, the Committee would then submit its text to plenary for adoption. However, a date for the vote in plenary has yet to be determined.
The approved text would constitute the European Parliament’s negotiating position.
Committee on the Internal Market and Consumer Protection (IMCO) - Associated
The Associated IMCO Committee is scheduled to meet and discuss its Draft opinion on 25 April 2023.
Following this, IMCO MEPs would then have until 26 April 2023 to table amendments to the text. The Committee is then tentatively scheduled to meet and discuss the amendments on either 22 or 23 May 2023.
A vote on the draft Opinion, as well as the amendments tabled to it, is then tentatively scheduled to take place on either 28 or 29 June 2023.