Analysis
MEPs of the lead ITRE Committee put forward 423 amendments to the draft Report prepared by Rapporteur Nicola Danti (Renew Europe, Italy).
As the draft Report itself contains 123 amendments to the Commission’s proposal, a total of 546 amendments have been tabled on the file by the ITRE Committee alone.
The main changes proposed by the amendments to each Chapter of the proposal can be summarised as follows:
Chapter I - General Provisions
Article 2 - Scope
MEPs tabled amendments to narrow the scope:
- AMD 201, 208 and 211: not applicable to products with digital elements that are isolated from external devices and networks; AMD 218 extends this to products running only on internal networks.
- AMD 212, 216 and 217: not applicable to free and open source software and source code, except where they are monetised; compliance should instead be ensured by the manufacturer of the final product that integrates these open source components.
- AMD 219: not applicable to spare parts intended to replace defective parts.
Article 3 - Definitions
Definitions for the terms ‘consumer product with digital elements’, ‘business-to-business product with digital elements’, ‘cybersecurity’, ‘software’, ‘consumer’, ‘provider of an online marketplace’, ‘substantial modification’, ‘near miss’, ‘incident’, and ‘significant cyber threat’ were modified or introduced by Shadow Rapporteurs.
AMD 221-222: To avoid overlap with NIS2, remote data processing is not considered an element of a “product with digital elements”.
AMD 247 replaces “actively exploited vulnerability” with “known vulnerability”. The justification, citing ISO/IEC 29147, is that disclosure of a vulnerability should take place only after it has been patched or remedied, to avoid security risks.
AMD 248 introduces a definition of “expected product lifetime”: the lifetime a manufacturer documents in the information and instructions to the user defined in Annex II (8). For software, it includes the iterated modifications within the version that was placed on the market.
Article 4 – Free movement
AMD 254 would allow Member States to apply additional requirements for very specific use cases and for products with higher cybersecurity risks, in particular where national security is involved.
Moreover, MEP Corrao underscored that Member States should not prevent the presentation and use of a non-compliant prototype product with digital elements or software, provided that its availability is limited in time and geographical area and it is supplied exclusively for testing.
Article 6 – Critical products with digital elements
MEPs proposed changes to the Commission’s ability to adopt delegated acts identifying new critical products:
- AMD 257: the Commission should act on the basis of reports issued by the Cyber Resilience Act expert group and other stakeholders.
- AMD 258: the Commission should carry out periodic checks to assess whether the list of critical products with digital elements needs to be supplemented or updated.
- AMD 260: introduces a collaborative revision process involving all relevant stakeholders.
AMDs 261 and 262 respectively propose that the Commission adopt specifications defining Class I and Class II within 9 or 6 months of entry into force.
AMD 264 - MEP Bart Groothuis deleted the highly critical product category. From his perspective, if a product is in future considered ‘highly critical’, it should simply be added as a new item under Class II of Annex III to ensure a heightened level of conformity assessment. Mandatory certification overlaps with considerations regarding the use of critical products by essential entities covered by NIS2, and could also risk sidestepping the traditional approach to standardisation, which is based on coordinated efforts by the technical and industry community. AMD 265 is identical.
AMD 266, by contrast, provides for certification of highly critical products at assurance level “high”.
Chapter II - Obligations of Economic Operators
Article 10 – Obligations of manufacturers
AMD 277 - The manufacturer should define the expected product lifetime in line with reasonable consumer expectations, while promoting sustainability and the need for long-lasting products. Vulnerability handling should be ensured at least for the expected product lifetime or 10 years, whichever is shorter.
AMD 278 (MEP Groothuis) proposed that vulnerability handling for the product and its iterated versions should be ensured throughout its expected lifetime.
AMDs 280, 281, 282, 283 and 285 keep the expected product lifetime as the period for effective vulnerability handling, with no minimum period. The support period should be based on the time users reasonably expect to be able to use the product given its functionality and intended purpose.
Article 11 – Reporting obligation of manufacturers
AMD 309 - MEP Groothuis modified the reporting obligations, considering mandatory reporting of unpatched, actively exploited vulnerabilities to ENISA to be dangerous, since the reported vulnerabilities could themselves be exploited; it would effectively make ENISA the world’s largest honeypot. If the obligation is not deleted, it could be revised to require reporting only of patched vulnerabilities (to avoid exploitation), within 72 hours after the patch is publicly available, following industry best practices and standards as a baseline for wider EU coordinated vulnerability disclosure.
Several Shadow Rapporteurs proposed amendments to Chapter II with a view to aligning it further with the NIS2 Directive by covering only significant incidents (AMD 319).
AMD 316 proposed a definition based on the NIS2 definition, stating that only significant incidents affecting the security of the product should be reported on a mandatory basis, to avoid overburdening manufacturers or ENISA.
In parallel, AMD 338 - MEP Corrao inserted a new Article 11a to oblige manufacturers to designate a single point of contact to enable users to communicate directly and rapidly with them. MEP Tošenovský proposed a similar amendment.
Several provisions within Chapter II were modified by MEP Virkkunen in order to simplify them for SMEs. She also introduced a new Article 17a (AMD 362) outlining specific obligations for providers of online marketplaces.
Chapter III - Conformity of the Product with Digital Elements
Articles 18-24
AMD 363 - MEP Tošenovský specified the areas in which the Commission should request the drafting of harmonised standards and suggested removing Article 19 on common specifications from the text in its entirety.
AMD 364 introduces a presumption of conformity based on international standards.
AMD 366 - A presumption of conformity may be granted through a European cybersecurity certificate (under the CSA) at assurance level “substantial” or “high”. As the CSA lays down a more rigorous cybersecurity assessment framework, it should address products presenting a particular cybersecurity risk; as the conformity assessment framework specific to the CRA is less demanding, it should be used for the mass-market products subject to the CRA.
AMDs 367 and 368 delete the possibility of issuing common specifications where harmonised standards are insufficient or a standardisation request fails. The objective is to prevent the Commission from unilaterally imposing a standard on industry, bypassing existing best practices and standardisation bodies.
Chapter IV - Notification of Conformity Assessment Bodies
Articles 25-40
AMDs 382 and 386 - With regard to conformity assessment bodies, MEPs Corrao and Covassi called on the Member States and the Commission to put in place appropriate measures to ensure sufficient availability of skilled professionals.
AMDs 383, 384 and 385 - Moreover, MEP Virkkunen underscored that the Commission should ensure that appropriate financial support under existing EU programmes is allocated to SMEs in order to mitigate the possible financial burden.
Chapter V - Market Surveillance and Enforcement
AMD 397 - With respect to the supervision of the implementation of the reporting obligations under the proposed Regulation, MEP Corrao stressed that designated market surveillance authorities should cooperate with ENISA. He also highlighted that such authorities should facilitate the active participation of stakeholders in market surveillance activities.
AMD 405 - Additionally, MEP Corrao introduced a new Article 41a establishing an expert group on technical matters, while MEP Botenga inserted a new Article 41a to ensure civil society participation in market surveillance activities.
AMD 435 - In parallel, MEP Tošenovský proposed a new Article 49a to allow the Commission, ENISA, and Member States to establish European cyber resilience regulatory sandboxes with voluntary participation of manufacturers of products with digital elements.
Annex III – critical products with digital elements
Proposals to move items from Class II to Class I:
- AMD 516: Authentication, Authorisation and Accounting (AAA) platforms
- AMD 519: Public key infrastructure and digital certificate issuers
- AMD 520: Secure elements
- AMD 521: Hardware Security Modules (HSMs)
- AMD 522: Secure crypto processors
- AMD 523: Smartcards, smartcard readers and tokens
Other items are simply deleted from the Annex, on the understanding that these categories could be added again later:
- AMD 535: General purpose microprocessors
- AMD 536: Microprocessors intended for integration in programmable logic controllers and secure elements
Next Steps
A vote in the ITRE Committee on the draft Report, and on the amendments tabled to it, is tentatively scheduled for 19 July 2023.