Cyber Resilience Act (CRA)

Cyber Resilience Act:

MEPs' IMCO Committee Table Amendments to the Draft Opinion

The amendments tabled to the IMCO Committee’s draft Opinion on the proposed Cyber Resilience Act have been published.

The European Parliament's Committee on the Internal Market and Consumer Protection (IMCO), which is an Associated Committee on the file, tabled 291 amendments to the draft Opinion. In parallel, the ITRE Committee is preparing its draft report (see our previous analysis of the ITRE amendments).

IMCO Committee amendments to the draft opinion

Analysis

MEPs of the Associated IMCO Committee put forward 291 amendments to the draft Opinion prepared by Rapporteur Morten Løkkegaard (Renew Europe, Denmark).

The main modifications of interest to Eurosmart's members can be summarised as follows:

 

Chapter I - General Provisions

Article 1 – Subject matter

AMD 111 - Shadow Rapporteur Adriana Maldonado López (S&D, Spain) clarified that the objective of the proposed Regulation is “to provide for a high level of consumer protection by protecting the confidentiality, integrity, and availability of information in products with digital elements”.

 

Article 2 – Scope

AMD 114 – 119 – MEP Carlo Fidanza (EPP, Italy) specified that the terms “connected” or “connectable” should refer only to the external network of connected products. The proposal would not apply to the internal network of a machine or vehicle.

AMD 117 – Shadow Rapporteur Marcel Kolaja (Greens/EFA, Czechia) underscored that the proposed Regulation should not apply to software provided under free and open source licences, except when such software is provided as a paid or monetised product.

AMD 125 – Shadow Rapporteur Arba Kokalari (EPP, Sweden) introduced a definition for the term ‘partly completed products with digital elements’ falling under the scope of the CRA. Additionally, in AMD 125 the same MEP provided an extensive definition of “life-cycle”: “‘life-cycle’ means the period from the moment that a product covered by this Regulation is placed on the market or put into service until the moment that it is discarded (…) foreseen by the manufacturer”.

 

Article 3 – Definitions

In parallel, Shadow Rapporteurs modified or introduced definitions for the terms ‘consumer’, ‘software’, ‘manufacturer’, ‘recall’, ‘reasonably foreseeable misuse’, ‘substantial modification’ and ‘life cycle’.

 

Article 5 – Requirements for products with digital elements

AMD 150 – MEPs López, Leitão-Marques, Angel, Maria Grapini and Benifei also proposed to oblige manufacturers to differentiate between security updates (providing devices with enhanced security, including security patches) and corrective or functionality updates (providing corrected or new functionalities, including corrective patches), establishing that these updates should be provided separately unless it is clearly demonstrated that this is not technically possible.

 

Article 6 – Critical products with digital elements

AMD 154 – MEP Kokalari also proposed changes to the Commission’s ability to adopt delegated acts specifying the definition of product categories. In AMD 156, MEPs López, Leitão-Marques, Angel, Maria Grapini and Benifei proposed that the Commission clarify the definitions swiftly, within 6 months of the entry into force.

AMD 158 – Moreover, the same MEPs specified that critical products should always undergo an independent third-party assessment and deleted the possibility of relying on self-assessment.

AMD 159 – MEPs Bielan (ECR, Poland) and Złotowski (ECR, Poland) deleted the mandatory EU CSA certification for highly critical products. In AMD 160, MEP Kokalari proposed the same approach.

 

Article 8 – High-risk AI systems

AMD 164 – MEP Kokalari deleted the possibility for notified bodies designated under the AI Act to control the conformity of high-risk AI systems falling under the CRA.

AMD 166 – MEP Schwab (EPP, Germany), by contrast, specified that high-risk AI systems should not have to undergo more than one conformity assessment and should not be subject to the conformity assessment procedures under the CRA.

 

Chapter II - Obligations of Economic Operators

Article 10 – Obligations of manufacturers

AMD 175 – Concerning the obligations of manufacturers, MEP Kolaja highlighted that manufacturers should ensure that components sourced from third parties do not compromise the security of the product with digital elements.

AMD 176 – MEP Fidanza proposed that the manufacturer define the expected product lifetime and ensure that vulnerabilities are effectively handled for at least the product lifetime or 10 years, whichever is shorter. He justified this by noting that many complex industrial machines have a very long life cycle (20 years or more). MEP Kolaja (AMD 178), in turn, proposed that, when the product lifetime is shorter than 5 years and the manufacturer is unable to continue to ensure vulnerability handling, it shall publish the source code under a free and open-source licence.

AMD 179 – MEPs López, Leitão-Marques, Angel, Grapini and Benifei proposed taking into account the specific usage of all types of connected products. Products should therefore be secure for a minimum period of time corresponding to the expected lifetime of the product.

AMD 178 – In addition, MEP Maldonado López suggested that manufacturers be obliged to set out the expected product lifetime, considering the reasonable expectations of consumers regarding the functionality and intended purpose of the product and the provision of security and functionality updates. MEP Kolaja tabled a similar amendment.

MEP Maldonado López also stressed that manufacturers should make communication channels publicly available, taking into account accessibility needs for persons with disabilities, in order to enable users to submit complaints electronically and free of charge.

 

Article 11 – Reporting obligations of manufacturers

AMD 192 – With regard to the reporting obligations of manufacturers, Rapporteur Morten Løkkegaard (Renew Europe, Denmark) stressed that, in cases where a notified vulnerability has no corrective or mitigating measures available, ENISA should ensure that information about the notified vulnerability is shared in line with strict security protocols and on a need-to-know basis.

The Rapporteur also underscored that manufacturers should, without undue delay and in any event within 72 hours of becoming aware of a significant incident related to a product with digital elements, further notify ENISA with details on the significant incident.

AMD 193 – Moreover, MEP Kolaja introduced a new Article 11a requiring manufacturers to designate a single point of contact so that users can communicate directly and rapidly with them.

 

Chapter III - Conformity of the Product with Digital Elements

Article 18 – Presumption of conformity

AMD 217 – MEPs Bielan and Kokalari proposed changes to the Commission’s ability to adopt implementing acts. MEP Bielan also suggested that Article 19 on common specifications be deleted in its entirety. Instead of harmonised standards, common specifications or a CSA scheme, harmonisation should be based on “existing or imminent international (sectorial) standards for cybersecurity”.

AMD 223 – Furthermore, Rapporteur Morten Løkkegaard (Renew Europe, Denmark) introduced a new Article 20a obliging manufacturers to draw up an EU declaration of incorporation for partly completed products with digital elements, stating that the fulfilment of the relevant essential requirements set out in Annex I has been demonstrated.

The Rapporteur also stressed that a partly completed product with digital elements shall not bear the CE marking under the proposed Regulation, without prejudice to marking provisions resulting from other applicable Union legislation.

 

Article 24 – Conformity assessment procedures for products with digital elements

AMD 234 – MEPs Løkkegaard, Ansip, Charanzová and Hahn clarified the possibility of relying on an EU CSA scheme as proof of conformity for class 0 products.

AMD 235 – 237 – Moreover, MEPs López, Leitão-Marques, Angel, Grapini and Benifei proposed that the text require all ‘critical products with digital elements’ to undergo mandatory European cybersecurity certification at assurance level ‘high’. They justified this on the grounds that certification at level ‘high’ ensures that the product has been evaluated at a level intended to minimise the risk of state-of-the-art cyberattacks carried out by actors with significant skills and resources. This level also guarantees that evaluators will use penetration testing, meaning that they will try to hack the device.

 

Chapter IV - Notification of Conformity Assessment Bodies

AMD 243 – MEP Kolaja emphasised that Member States and the Commission should put in place appropriate measures to ensure sufficient availability of skilled professionals in order to minimise bottlenecks.

 

Chapter V - Market Surveillance and Enforcement

AMD 258 – With respect to the supervision of the implementation of the reporting obligations under the proposed Regulation, MEP Kolaja stressed that designated market surveillance authorities must cooperate with ENISA for enforcement and investigations.

AMD 260 – Additionally, MEP Maldonado López specified that market surveillance authorities should be equipped to receive complaints from consumers affected by products with digital elements who consider that the relevant products or practices infringe the proposed Regulation.

AMD 164 – Furthermore, MEP Kolaja introduced a new Article 41a establishing an expert group on technical matters. In particular, the expert group shall provide non-binding evaluations of products with digital elements upon request by a market surveillance authority that is conducting an investigation.

AMD 288 – In parallel, Rapporteur Morten Løkkegaard (Renew Europe, Denmark) inserted a new Article 49a enabling the Commission to appoint, by way of an implementing act, an expert group to provide technical advice to market surveillance authorities on matters related to the implementation and enforcement of the proposed Regulation.

 

Chapter VI - Delegated Powers and Committee Procedure

No amendments were proposed for Chapter VI.

 

Chapter VII - Confidentiality and Penalties

AMD 290 – With regard to penalties, MEP Maldonado López suggested that non-compliance with the cybersecurity requirements should be subject to administrative fines of up to 30 000 000 euro rather than 15 000 000 euro, or up to 6% of the offender's total worldwide annual turnover for the preceding financial year rather than 2.5%.

AMD 294 – Rapporteur Morten Løkkegaard (Renew Europe, Denmark) introduced a new Article 53a obliging the Commission and ENISA to establish a European regulatory sandbox with voluntary participation of manufacturers of products with digital elements.

 

Next Steps

The Committee is tentatively scheduled to meet and discuss the amendments tabled to the draft Opinion on either 22 or 23 May 2023.

A vote on the draft Opinion, as well as the amendments tabled to it, is then tentatively scheduled to take place on either 28 or 29 June 2023.

 

 

Eurosmart
Square de Meeûs 35 - 1000 Brussels - BELGIUM
EU transparency register #21856815315-64