Explanatory Memorandum to COM(2022)454 - Horizontal cybersecurity requirements for products with digital elements

Please note

This page contains a limited version of this dossier in the EU Monitor.

dossier COM(2022)454 - Horizontal cybersecurity requirements for products with digital elements.
source COM(2022)454 EN
date 15-09-2022


1. CONTEXT OF THE PROPOSAL

Reasons for and objectives of the proposal

Hardware and software products are increasingly subject to successful cyberattacks, leading to an estimated global annual cost of cybercrime of EUR 5.5 trillion by 2021. Such products suffer from two major problems adding costs for users and the society: i a low level of cybersecurity, reflected by widespread vulnerabilities and the insufficient and inconsistent provision of security updates to address them, and i an insufficient understanding and access to information by users, preventing them from choosing products with adequate cybersecurity properties or using them in a secure manner. In a connected environment, a cybersecurity incident in one product can affect an entire organisation or a whole supply chain, often propagating across the borders of the internal market within a matter of minutes. This can lead to severe disruption of economic and social activities or even become life threatening.

The cybersecurity of products with digital elements has a strong cross-border dimension, as products manufactured in one country are often used across the internal market. In addition, incidents initially affecting a single entity or a single Member State often spread within minutes across the entire internal market.

While existing internal market legislation applies to certain products with digital elements, most of the hardware and software products are currently not covered by any EU legislation tackling their cybersecurity. In particular, the current EU legal framework does not address the cybersecurity of non-embedded software, even if cybersecurity attacks increasingly target vulnerabilities in these products, causing significant societal and economic costs. There are numerous examples of noteworthy cyberattacks resulting from suboptimal product security, such as the WannaCry ransomware worm, which exploited a Windows vulnerability that affected 200 000 computers across 150 countries in 2017 and caused a damage amounting to billions of USD; the Kaseya VSA supply chain attack, which used Kaseya’s network administration software to attack over 1 000 companies and forcing a supermarket chain to close all its 500 shops across Sweden; or the many incidents in which banking applications are hacked to steal money from unsuspecting consumers.

Two main objectives were identified aiming to ensure the proper functioning of the internal market: i create conditions for the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and ensure that manufacturers take security seriously throughout a product’s life cycle; and i create conditions allowing users to take cybersecurity into account when selecting and using products with digital elements. Four specific objectives were set out: (i) ensure that manufacturers improve the security of products with digital elements since the design and development phase and throughout the whole life cycle; (ii) ensure a coherent cybersecurity framework, facilitating compliance for hardware and software producers; (iii) enhance the transparency of security properties of products with digital elements, and (iv) enable businesses and consumers to use products with digital elements securely.

The strong cross-border nature of cybersecurity and the growing incidents, with spill-over effects across borders, sectors and products, mean that the objectives cannot effectively be achieved by Member States alone. Given the global nature of markets for products with digital elements, Member States face the same risks for the same product with digital elements on their territory. An emerging fragmented framework of potentially diverging national rules risks hampering an open and competitive single market for products with digital elements. Joint action at EU level is thus necessary to increase the level of trust among users and the attractiveness of EU products with digital elements. It would also benefit the internal market by providing legal certainty and achieving a level playing field for vendors of products with digital elements, as highlighted also in the final report of the Conference on the Future of Europe, in which citizens call for a stronger role for the EU in countering cybersecurity threats.

Interplay with existing policy provisions in the policy area

The EU framework comprises several pieces of horizontal legislation that cover certain aspects linked to cybersecurity from different angles (products, services, crisis management, and crimes). In 2013, the Directive on attacks against information systems, 1 harmonising criminalisation and penalties for a number of offences directed against information systems came into force. In August 2016, Directive (EU) 2016/1148 on security of network and information systems (NIS Directive) 2 entered into force as the first piece of EU-wide legislation on cybersecurity. Its revision, resulting in Directive [Directive XXX/XXXX (NIS2)], raises the EU common level of ambition. In 2019, the EU Cybersecurity Act 3 entered into force, aiming to enhance the security of ICT products, ICT services and ICT processes by introducing a voluntary European cybersecurity certification framework. 4

Cybersecurity of the entire supply chain is ensured only if all its components are cyber-secure. The above-mentioned EU legislation has however substantial gaps in this regard, as it does not cover mandatory requirements for the security of products with digital elements.

While the proposed Cyber Resilience Act covers products with digital elements placed on the market, the Directive [Directive XXX/XXX (NIS2)] aims at ensuring a high level of cybersecurity of services provided by essential and important entities. Directive [Directive XXX/XXXX (NIS2)] requires Member States to ensure that essential and important entities within the scope, such as health care or cloud providers and public administration entities, take appropriate and proportionate technical, operational and organisational cybersecurity measures. This includes, among others, a requirement to ensure security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure. Directive [Directive XXX/XXXX (NIS2)] requires the Commission to adopt implementing acts laying down the technical and the methodological requirements of those measures within 21 months after the date of entry into force of this Directive for certain types of entities, such as cloud computing service providers. For all other entities, the Commission may adopt an implementing act, laying down the technical and the methodological requirements, as well as sectoral requirements. This framework will ensure that technical specifications and measures similar to the essential cybersecurity requirements of the Cyber Resilience Act are also implemented for the design, development and vulnerability handling of software provided as a service (Software-as-a-Service). For example, this could be a means to ensure a high level of cybersecurity in cases such as electronic health records (EHR) systems, including when delivered as Software-as-a-Service (SaaS) or developed within health institutions (in-house), in accordance with the proposed [European Health Data Space Regulation].

Interplay with other Union policies

As set out in the Communication ‘Shaping Europe’s digital future’ 5 , it is crucial for the EU to reap all the benefits of the digital age and to strengthen its industry and innovation capacity, within safe and ethical boundaries. The European strategy for data sets out four pillars – data protection, fundamental rights, safety and cybersecurity – as essential pre-requisites for a society empowered by the use of data.

The current EU framework 6 applicable to products that may also have digital elements comprises several pieces of legislation, including EU legislation on specific products covering safety-related aspects and general legislation on product liability. The proposal is coherent with the current product-related EU regulatory framework, as well as with recent legislative proposals such as the Commission’s proposal for Regulation [the Artificial Intelligence (AI) Regulation] 7 .

The proposed Regulation would apply to all radio equipment within the scope of Commission Delegated Regulation (EU) 2022/30. Moreover, the requirements laid down by this Regulation include all the elements of the essential requirements referred to in Article 3(3), points (d), (e) and (f) of Directive 2014/53/EU, including the main elements set out in the [Commission implementation decision XXX/2022 on a standardisation request to the European Standardisation Organisations] issued on the basis of that Delegated Regulation. In order to avoid a regulatory overlap, it is envisaged that the Commission would repeal or amend the Delegated Regulation with respect to the radio equipment covered by the proposed Regulation, so that the latter one would apply to it, once applicable.

Moreover, in order to avoid a duplication of work, it is envisaged that the Commission and the European Standardisation Organisations take into account the standardisation work carried out in the context of Commission Implementing Decision C(2022)5637 on a standardisation request for the RED Delegated Regulation 2022/30 in the preparation and development of harmonised standards to facilitate the implementation of the Regulation.

2. LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY

Legal basis

The legal basis for this proposal is Article 114 of the Treaty on the Functioning of the European Union (TFEU), which provides for the adoption of measures to ensure the establishing and functioning of the internal market. The purpose of the proposal is to harmonise cybersecurity requirements for products with digital elements in all Member States and to remove obstacles to the free movement of goods.

Article 114 TFEU may be used as a legal basis to prevent the occurrence of these obstacles resulting from diverging national laws and approaches on how to address the legal uncertainties and gaps in the existing legal frameworks. 8 Furthermore, the Court of Justice has recognised that applying heterogeneous technical requirements could be valid grounds to trigger Article 114 TFEU. 9

The current EU legislative framework applicable to products with digital elements is based on Article 114 TFEU, and comprises several pieces of legislation, including on specific products and safety-related aspects or general legislation on product liability. However, it covers only certain aspects linked to the cybersecurity of tangible digital products and, as applicable, software embedded in these products. At national level, Member States are starting to take national measures requiring vendors of digital products to enhance their cybersecurity. 10 At the same time, the cybersecurity of digital products has a particularly strong cross-border dimension, as products manufactured in one country are often used by organisations and consumers across the entire internal market. Incidents that initially concern a single entity or Member State often spread within minutes across organisations, sectors and several Member States.

The various acts and initiatives taken so far at EU and national levels only partially address the problems identified and risk creating a legislative patchwork within the internal market, increasing legal uncertainty for both vendors and users of these products and adding unnecessary burden on companies to comply with a number of requirements for similar types of products.

The proposed Regulation would harmonise and streamline the EU regulatory landscape by introducing cybersecurity requirements for products with digital elements and avoid overlapping requirements stemming from different pieces of legislation. This would create greater legal certainty for operators and users across the Union, as well as a better harmonisation of the European single market, creating more viable conditions for operators aiming at entering the EU market.

Subsidiarity (for non-exclusive competence)

The strong cross-border nature of cybersecurity in general and the growing number of risks and incidents, which have spill-over effects across borders, sectors and products, mean that the objectives of the present intervention cannot effectively be achieved by Member States alone. National approaches in addressing the problems, and in particular approaches introducing mandatory requirements, will create additional legal uncertainty and legal barriers. Companies could be prevented from seamlessly expanding into other Member States, depriving users of the benefits of their products.

Joint action at EU level is therefore necessary to establish a high level of trust among users, increasing the attractiveness of EU products with digital elements. It would also benefit the digital single market and internal market in general by providing legal certainty and achieving a level playing field for manufacturers of products with digital elements.

Ultimately, the Council Conclusions of 23 May 2022 on the development of the European Union’s cyber posture call upon the Commission to propose, by the end of 2022, common cybersecurity requirements for connected devices.

Proportionality

As regards the proportionality of the proposed Regulation, the measures in the policy options considered would not go beyond what is needed to achieve the general and specific objectives and would not impose disproportionate costs. More specifically, the intervention considered would ensure that products with digital elements would be secured throughout their whole life cycle and proportionally to the risks faced through objective-oriented and technology neutral requirements that remain reasonable and generally corresponding to the interest of the entities involved.

The essential cybersecurity requirements in the proposal are building on widely used standards, and the standardisation process that will follow would take into account the technical specificities of the products. This means that where needed for a given risk level, security controls would be adapted. Furthermore, the envisaged horizontal rules would only foresee third-party assessment for critical products. This would only include a narrow share of the market for products with digital elements. The impact on SMEs would depend on their presence in the market of these specific product categories.

Regarding the proportionality of the costs for conformity assessment, notified bodies conducting the third party assessments would take the size of the undertaking into account when setting their fees. A reasonable transition period of 24 months to prepare the implementation would also be provided , giving time to the relevant markets to prepare, while providing a clear direction for R&D investments. Any compliance costs for businesses would be outweighed by the benefits brought by a higher level of security of products with digital elements and ultimately an increase of trust of users in these products.

Choice of the instrument

A regulatory intervention would entail the adoption of a regulation and not a directive. This is because, for this particular type of product legislation, a regulation would more effectively address the problems identified and meet the objectives formulated, since it is an intervention that is conditioning the placing on the internal market of a very wide category of products. The transposition process in the case of a directive for such intervention could leave too much room for discretion at national level, potentially leading to lack of uniformity of certain essential cybersecurity requirements, legal uncertainty, further fragmentation or even discriminatory situations cross-border, even more taking account of the fact that the products covered could be of multiple purpose or use and that manufacturers can produce multiple categories of such products.

3. RESULTS OF EX-POST EVALUATIONS, STAKEHOLDER CONSULTATIONS AND IMPACT ASSESSMENTS

Stakeholder consultations

The Commission has consulted a broad range of stakeholders. Member States and stakeholders were invited to participate in the open public consultation and in the surveys and workshops organised in the context of a study conducted by a consortium supporting the Commission’s preparatory work for the impact assessment: Wavestone, the Centre for European Policy Studies (CEPS) and ICF. The consulted stakeholders included national market surveillance authorities, Union bodies dealing with cybersecurity, hardware and software manufacturers, importers and distributors of hardware and software, trade associations, consumer organisations and users of products with digital elements and citizens, researchers and academia, notified bodies and accreditation bodies, and cybersecurity industry professionals.

Consultation activities included:

·A first study conducted by a consortium consisting of ICF, Wavestone, Carsa and CEPS, which was published in December 2021 11 . The study identified several market failures and assessed possible regulatory interventions.

·An Open Public Consultation that targeted citizens, stakeholders and cybersecurity experts. 176 replies were submitted. These contributed to the collection of diverse opinions and experiences from all stakeholder groups.

·Workshops organised by the study supporting the Commission’s preparatory work for a Cyber Resilience Act gathered around 100 representatives from all 27 Member States representing a variety of stakeholders.

·Expert interviews were conducted to gain a deeper understanding of current cybersecurity challenges related to products with digital elements, and to discuss policy options for a potential regulatory intervention.

·Bilateral discussions were held with national cybersecurity authorities, the private sector, and consumer organisations.

·Targeted outreach was done to key SME stakeholders.

Collection and use of expertise

The consultation activities aimed to obtain input on the five main evaluation criteria based on the EU Better Regulation Guidelines (effectiveness, efficiency, relevance, coherence, EU-added value) as well as the potential impacts of possible options for the future. The contractor has not only reached out to the stakeholders that would be directly affected by the proposed Regulation, but has also consulted with a wide range of experts in the field of cybersecurity.

•Impact assessment

The Commission conducted an impact assessment for this proposal examined by the Commission's Regulatory Scrutiny Board (RSB). A meeting with the RSB was held on July 6th 2022 and was followed by a positive opinion. The Impact Assessment was adjusted to address the recommendations and comments of the RSB.

The Commission examined different policy options to achieve the general objective of the proposal:

·Soft law approach and voluntary measures (option 1): In this option, there would be no mandatory regulatory intervention. Instead, the Commission would issue communications, guidance, recommendations and potentially codes of conduct to encourage voluntary measures. National schemes, voluntary or mandatory, would continue to be developed to compensate for the lack of EU horizontal rules.

·Ad-hoc regulatory intervention for cybersecurity of tangible products with digital elements and respective embedded software (option 2): This option would entail an ad-hoc product-specific regulatory intervention that would be limited to adding and/or amending the cybersecurity requirements in the already existing legislation or introducing new legislation as new risks emerge, including potentially on non-embedded software.

The options 3 and 4 entail a horizontal regulatory intervention varying in scope, largely following the New Legislative Framework (NLF). This framework sets out essential requirements as a condition for the placement of certain products on the internal market. The NLF also typically provides for conformity assessment, the process conducted by the manufacturer to demonstrate whether specified requirements relating to a product have been fulfilled.

·Mixed approach, including horizontal mandatory rules for cybersecurity of tangible products with digital elements and respective embedded software and a staggered approach for non-embedded software (option 3): This option would entail a regulation introducing horizontal cybersecurity requirements for all tangible products with digital elements and the software embedded within these, as a condition for placement on the market, and would include two sub-options with and without mandatory third-party assessment (3i and 3ii). Non-embedded software would not be regulated.

·A horizontal regulatory intervention introducing cybersecurity requirements for a broad scope of tangible and non-tangible products with digital elements, including non-embedded software (option 4): This option resembles option 3, apart from the scope. Option 4 would include non-embedded software (with two sub-options respectively including only critical (4a) or all software (4b)) in the scope of a potential regulation. For each sub-option, the same sub-options related to conformity assessment as for option 3 would be considered.

Option 4 (with sub-options covering all software and involving mandatory third-party assessment for critical products) emerged as the preferred option based on the assessment of effectiveness against the specific objectives and efficiency of costs versus benefits. This option would ensure the setting out of specific horizontal cybersecurity requirements for all products with digital elements being placed or made available on the internal market, and would be the only option covering the entire digital supply chain. Non-embedded software, often exposed to vulnerabilities, would also be covered by such regulatory intervention, thus ensuring a coherent approach towards all products with digital elements, with a clear share of responsibilities of various economic operators.

This policy option also brings added value by covering duty of care and whole life cycle aspects after the placement of the products with digital elements on the market, to ensure, among others, appropriate information on security support and provision of security updates. This policy option would also come to most effectively complement the recent review of the NIS framework, by ensuring the prerequisites for a strengthened supply chain security.

The preferred option would bring significant benefits to the various stakeholders. For businesses, it would prevent divergent security rules for products with digital elements and decrease compliance costs for related cybersecurity legislation. It would reduce the number of cyber incidents, incident handling costs and reputational damage. For the whole EU, it is estimated that the initiative could lead to a costs reduction from incidents affecting companies by roughly EUR 180 to 290 billion annually. It would lead to an increased turnover due to uptake of products with digital elements demand. It would improve the companies’ global reputation leading to a demand uptake also outside the EU. For users, the preferred option would enhance the transparency of the security properties and facilitate the use of products with digital elements. Consumers and citizens would also benefit from better protection of their fundamental rights, such as privacy and data protection.

When asked to rate the effectiveness of the policy interventions, the public consultation respondents agreed that option 4 would be the most effective measure (4.08 on a scale from 1 to 5). This includes consumer organisations (5.00), respondents identifying themselves as users (4.22), notified bodies (4.17), market surveillance authorities (5.00) and producers of products with digital elements (3.85), including those of small and medium size (4.05).

Regulatory fitness and simplification

This proposal lays down requirements that will apply to manufactures of software and hardware. There is a need to ensure legal certainty and avoid further market fragmentation of product-related requirements on cybersecurity on the internal market, which has been demonstrated by the broad support of various stakeholders for a horizontal intervention. The proposal will minimise the regulatory burden put on manufacturers by several product safety acts. The alignment to the NLF means a better functioning of the intervention and its enforcement. The proposal streamlines the process of safeguard procedures, by involving manufacturers and Member States before the Commission is notified. A large part of manufacturers in the scope of the proposal is already familiar with the workings of the NLF, which will contribute to its understanding and implementation. For consumers and companies the Proposal will promote trust in products with digital elements.

Fundamental rights

All policy options are expected to enhance to a certain extent the protection of fundamental rights and freedoms such as privacy, protection of personal data, freedom to conduct business and protection of property or personal dignity and integrity. In particular the preferred policy option 4 consisting of horizontal regulatory interventions and a broad policy scope, would be the most effective in this regard, as it is more likely to help decrease the number and severity of incidents, including personal data breaches. It would also increase the legal certainty and achieve a level playing field for economic operators, raise trust among users and the attractiveness of EU products with digital elements as a whole, thus protecting the property and improving the conditions for economic operators to conduct business.

The horizontal cybersecurity requirements would contribute to the security of personal data by protecting the confidentiality, integrity and availability of information in products with digital elements. Compliance with those requirements will facilitate compliance with the requirement of security of processing of personal data under Regulation (EU) 2016/679 on the General Data Protection Regulation (GDPR) 12 . The proposal would enhance the transparency and information to users, including those that might be less equipped with cybersecurity skills. Users would also be better informed about the risks, capabilities and limitations of the products with digital elements, which would place them in a better position to take the necessary preventive and mitigating measures to reduce the residual risks.

4. BUDGETARY IMPLICATIONS

In order to meet the tasks allocated to the European Union Agency for Cybersecurity (ENISA) under this Regulation, ENISA will have to re-allocate resources of approximately 4.5 FTEs. The Commission would need to allocate 7 FTEs to meet its responsibilities related to enforcement under this Regulation.

A detailed overview of the costs involved is provided in the ‘financial statement’ linked to this proposal.

5. OTHER ELEMENTS

Implementation plans and monitoring, evaluation and reporting arrangements

The Commission will monitor the implementation, the application and the compliance to these new provisions with a view to assessing their effectiveness. The regulation will request a Commission’s evaluation and review and the submission of a public report in this respect to the European Parliament and to the Council by 36 months after the date of application and every four years thereafter.


Detailed explanation of the specific provisions of the proposal

Contents

1.

General provisions (Chapter I)


This proposed Regulation lays down (a) rules for the placing on the market of products with digital elements to ensure the cybersecurity of such products; (b) essential requirements for the design, development and production of products with digital elements, and obligations for economic operators in relation to these products with respect to cybersecurity; (c) essential requirements for the vulnerability handling processes put in place by manufacturers to ensure the cybersecurity of products with digital elements during the whole life cycle, and obligations for economic operators in relation to these processes; (d) rules on market surveillance and enforcement of the above-mentioned rules and requirements.

The proposed Regulation will apply to all products with digital elements whose intended and reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network.

The proposed Regulation will not apply to products with digital elements within the scope of Regulation (EU) 2017/745 [medical devices for human use and accessories for such devices] and Regulation (EU) 2017/746 [in vitro diagnostic medical devices for human use and accessories for such devices], as both Regulations contain requirements regarding devices, including on software and general obligations on manufacturers, covering the whole life cycle of products, as well as conformity assessment procedures. This Regulation will not apply to products with digital elements that have been certified in accordance with Regulation 2018/1139 [high uniform level of civil aviation safety], nor to products to which Regulation (EU) 2019/2144 applies [on type-approval requirements for motor vehicles and their trailers, and systems, components and separate technical units intended for such vehicles].

Critical products with digital elements shall be subject to specific conformity assessment procedures and shall be divided into class I and class II as set out in Annex III, reflecting their cybersecurity risk level, with class II representing a greater risk. A product with digital elements is considered critical and therefore included in Annex III taking into account the impact of potential cybersecurity vulnerabilities included in the product with digital elements. The cybersecurity-related functionality of the product with digital elements and the intended use in sensitive environments such as an industrial setting, amongst others, is taken into account in the determination of cybersecurity risk.

The Commission is also empowered to adopt delegated acts to supplement this Regulation by specifying categories of highly critical products with digital elements for which the manufacturers shall be required to obtain a European cybersecurity certificate under a European cybersecurity certification scheme to demonstrate conformity with the essential requirements set out in Annex I, or parts thereof. When determining such categories of highly critical products with digital elements, the Commission shall take into account the level of cybersecurity risk related to the category of products with digital elements, in light of one or several of the criteria considered for the listing of critical products with digital elements in Annex III as well as in view of the assessment of whether that category of products is used or relied upon by the essential entities of the type referred to in Annex [Annex I] to the Directive [Directive XXX/ XXXX (NIS2)] or will have potential future significance for the activities of these entities; or relevant for the resilience of the overall supply chain of products with digital elements against disruptive events.

2.

Obligations of economic operators (Chapter II)


The proposal incorporates obligations for manufacturers, importers and distributors based on the reference provisions foreseen in Decision 768/2008/EC. The essential cybersecurity requirements and obligations mandate that all products with digital elements shall only be made available on the market if, where dully supplied, properly installed, maintained and used for their intended purpose or under conditions, which can be reasonably foreseen, they meet the essential cybersecurity requirements set out in this Regulation.

The essential requirements and obligations would mandate manufacturers to factor in cybersecurity in the design and development and production of the products with digital elements, exercise due diligence on security aspects when designing and developing their products, be transparent on cybersecurity aspects that need to be made known to customers, ensure security support (updates) in a proportionate way, and comply with vulnerability handling requirements.

Obligations would be set up for economic operators, starting from manufacturers, up to distributors and importers, in relation to the placement on the market of products with digital elements, as adequate for their role and responsibilities on the supply chain.

3.

Conformity of the product with digital elements (Chapter III)


The product with digital elements, which is in conformity with harmonised standards or parts thereof, the references of which have been published in the Official Journal of the European Union, shall be presumed to be in conformity with the essential requirements of this proposed Regulation. Where harmonised standards do not exist or are insufficient or where there undue delays in the standardisation procedure or where the request by the Commission has not been accepted by the European standardisation organisations, the Commission may, by the means of implementing acts, adopt common specifications.

In addition, products with digital elements that have been certified or for which an EU statement of conformity or certificate has been issued under a European cybersecurity certification scheme pursuant to Regulation (EU) 2019/881, and for which the Commission specified via implementing act that it can provide presumption of conformity for this Regulation, shall be presumed to be in conformity with the essential requirements of this Regulation, or parts thereof, in so far as the EU statement of conformity or cybersecurity certificate, or parts thereof, cover those requirements.

Furthermore, in order to avoid undue administrative burden for manufacturers, where applicable, the Commission should specify if a cybersecurity certificate issued under such a European cybersecurity certification scheme eliminates the obligation for manufacturers to carry out a third-party conformity assessment as provided by this Regulation for corresponding requirements.

The manufacturer shall perform a conformity assessment of the product with digital elements and the vulnerability handling processes it has put in place to demonstrate conformity with the essential requirements set out in Annex I by following one of the procedures set out in Annex VI. Manufactures of critical products of class I and II shall use the respective modules necessary for the compliance. Manufacturers of critical product of class II have to involve a third-party in their conformity assessment.

4.

Notification of conformity assessment bodies (Chapter IV)


Proper functioning of notified bodies is crucial for ensuring a high level of cybersecurity and for the confidence of all interested parties in the New Approach system. Therefore, in line with the Decision 768/2008/EC, the proposal sets out requirements for national authorities responsible for conformity assessment bodies (notified bodies). It leaves the ultimate responsibility for designating and monitoring notified bodies with the Member States. Member States shall designate a notifying authority that shall be responsible for setting up and carrying out the necessary procedures for the assessment and notification of conformity assessment bodies and the monitoring of notified bodies.

5.

Market surveillance and enforcement (Chapter V)


In accordance with Regulation (EU) 2019/1020, national market surveillance authorities carry out market surveillance in the territory of that Member State. Member States may choose to designate any existing or new authority to act as market surveillance authority, including national competent authorities established referred to in Article [Article X] of Directive [Directive XXX/XXXX (NIS2)] or designated national cybersecurity certification authorities referred to in Article 58 of Regulation (EU) 2019/881. Economic operators are asked to fully cooperate with market surveillance authorities and other competent authorities.

6.

Delegated powers and committee procedures (Chapter VI)


In order to ensure that the regulatory framework can be adapted where necessary, the power to adopt acts in accordance with Article 290 TFEU is delegated to the Commission for updating the list of critical products of class I and II and specifying the definitions of these products; specifying whether a limitation or exclusion is necessary for products with digital elements covered by other Union rules laying down requirements achieving the same level of protection as this Regulation; mandating the certification of certain highly critical products with digital elements based on criteria set out in this Regulation; specifying the minimum content of the EU declaration of conformity and supplementing the elements to be included in the technical documentation.

The Commission is also empowered to adopt implementing acts to: specify the format or elements of the reporting obligations and of the software bill of materials; specify the European cybersecurity certification schemes that can be used to demonstrate conformity with the essential requirements or parts thereof as set out in this Regulation; adopt common specifications; lay down technical specifications for the affixing of CE marking; adopt corrective or restrictive measures at Union level in exceptional circumstances which justify an immediate intervention to preserve the good functioning of the internal market.

7.

Confidentiality and penalties (Chapter VII)


All parties that apply this Regulation shall respect the confidentiality of information and data obtained in carrying out their tasks and activities.

In order to ensure effective enforcement of the obligations laid down in this Regulation, each market surveillance authority should have the power to impose or request the imposition of administrative fines. In the same vein, this Regulation establishes maximum levels for administrative fines that should be provided in national laws for non-compliance with the obligations laid down in this Regulation.

8.

Transitional and final provisions (Chapter VIII)


To allow manufacturers, notified bodies and Member States time to adapt to the new requirements, the proposed Regulation will become applicable [24 months] after its entry into force, except for the reporting obligation on manufacturers, which would apply from [12 months] after the date of entry into force.