Annexes to COM(2022)454 - Horizontal cybersecurity requirements for products with digital elements

Annex to the Legislative Financial Statement (Annex V to the internal rules), which is uploaded to DECIDE for interservice consultation purposes.

EUR million (to three decimal places)

| | Year 2024 | Year 2025 | Year 2026 | Year 2027 | TOTAL |
|---|---|---|---|---|---|
| DG: CNECT | | | | | |
| • Human resources | 1.030 | 1.030 | 1.030 | 1.030 | 4.120 |
| • Other administrative expenditure | 0.222 | 0.222 | 0.222 | 0.222 | 0.888 |
| TOTAL DG CNECT (Appropriations) | 1.252 | 1.252 | 1.252 | 1.252 | 5.008 |
| TOTAL appropriations under HEADING 7 of the multiannual financial framework (Total commitments = Total payments) | 1.252 | 1.252 | 1.252 | 1.252 | 5.008 |

EUR million (to three decimal places)

| TOTAL appropriations under HEADINGS 1 to 7 of the multiannual financial framework | Year 2024 | Year 2025 | Year 2026 | Year 2027 | TOTAL |
|---|---|---|---|---|---|
| Commitments | 1.252 | 1.252 | 1.252 | 1.252 | 5.008 |
| Payments | 1.252 | 1.252 | 1.252 | 1.252 | 5.008 |


3.2.2. Estimated output funded with operational appropriations

Commitment appropriations in EUR million (to three decimal places)

| Indicate objectives and outputs | OUTPUTS: Type (44) | Average cost | Year N (No / Cost) | Year N+1 (No / Cost) | Year N+2 (No / Cost) | Year N+3 (No / Cost) | Enter as many years as necessary to show the duration of the impact (see point 1.6) (No / Cost) | TOTAL (Total No / Total cost) |
|---|---|---|---|---|---|---|---|---|
| SPECIFIC OBJECTIVE No 1 (45) | | | | | | | | |
| - Output | | | | | | | | |
| - Output | | | | | | | | |
| - Output | | | | | | | | |
| Subtotal for specific objective No 1 | | | | | | | | |
| SPECIFIC OBJECTIVE No 2 ... | | | | | | | | |
| - Output | | | | | | | | |
| Subtotal for specific objective No 2 | | | | | | | | |
| TOTALS | | | | | | | | |

3.2.3. Summary of estimated impact on administrative appropriations

–◻    The proposal/initiative does not require the use of appropriations of an administrative nature

–☑    The proposal/initiative requires the use of appropriations of an administrative nature, as explained below:

EUR million (to three decimal places)

| | Year 2024 | Year 2025 | Year 2026 | Year 2027 | TOTAL |
|---|---|---|---|---|---|
| HEADING 7 of the multiannual financial framework | | | | | |
| Human resources | 1.030 | 1.030 | 1.030 | 1.030 | 4.120 |
| Other administrative expenditure | 0.222 | 0.222 | 0.222 | 0.222 | 0.888 |
| Subtotal HEADING 7 of the multiannual financial framework | 1.252 | 1.252 | 1.252 | 1.252 | 5.008 |
| Outside HEADING 7 (46) of the multiannual financial framework | | | | | |
| Human resources | | | | | |
| Other expenditure of an administrative nature | | | | | |
| Subtotal outside HEADING 7 of the multiannual financial framework | | | | | |
| TOTAL | 1.252 | 1.252 | 1.252 | 1.252 | 5.008 |

The appropriations required for human resources and other expenditure of an administrative nature will be met by appropriations from the DG that are already assigned to management of the action and/or have been redeployed within the DG, together if necessary with any additional allocation which may be granted to the managing DG under the annual allocation procedure and in the light of budgetary constraints.


3.2.3.1. Estimated requirements of human resources

–◻    The proposal/initiative does not require the use of human resources.

–☑    The proposal/initiative requires the use of human resources, as explained below:

Estimate to be expressed in full time equivalent units

| | Year 2024 | Year 2025 | Year 2026 | Year 2027 |
|---|---|---|---|---|
| 20 01 02 01 (Headquarters and Commission’s Representation Offices) | 6 | 6 | 6 | 6 |
| 20 01 02 03 (Delegations) | | | | |
| 01 01 01 01 (Indirect research) | | | | |
| 01 01 01 11 (Direct research) | | | | |
| Other budget lines (specify) | | | | |
| • External staff (in Full Time Equivalent unit: FTE) (47) | | | | |
| 20 02 01 (AC, END, INT from the ‘global envelope’) | 1 | 1 | 1 | 1 |
| 20 02 03 (AC, AL, END, INT and JPD in the delegations) | | | | |
| XX 01 xx yy zz (48) - at Headquarters | | | | |
| XX 01 xx yy zz (48) - in Delegations | | | | |
| 01 01 01 02 (AC, END, INT - Indirect research) | | | | |
| 01 01 01 12 (AC, END, INT - Direct research) | | | | |
| Other budget lines (specify) | | | | |
| TOTAL | 7 | 7 | 7 | 7 |

XX is the policy area or budget title concerned.

The human resources required will be met by staff from the DG who are already assigned to management of the action and/or have been redeployed within the DG, together if necessary with any additional allocation which may be granted to the managing DG under the annual allocation procedure and in the light of budgetary constraints.

Description of tasks to be carried out:

Officials and temporary staff

6 FTEs x 157.000 €/year = € 942.000

As described under 2.2.1:

– Preparation of the standardisation request and/or common specifications via implementing acts absent successful standardisation process;

– Preparing a delegated act [within 12 months since the entry into force of the Regulation] specifying the definitions of the critical products with digital elements;

– Potential preparation of delegated acts for updating the list of critical products of class I and II; specifying whether a limitation or exclusion is necessary for products with digital elements covered by other Union rules laying down requirements achieving the same level of protection as this Regulation; mandating the certification of certain highly critical products with digital elements based on criteria set out in this Regulation; specifying the minimum content of the EU declaration of conformity and supplementing the elements to be included in the technical documentation;

– Potential preparation of implementing acts relating to the format or elements of the reporting obligations, software bill of materials, common specifications or affixing of CE marking;

– Potentially preparing an immediate intervention for imposing corrective or restrictive measures in exceptional circumstances to preserve the good functioning of the internal market, including the preparation of an implementing act;

– Organisation and coordination of the notifications by Member States of notified bodies and coordination of the Notified Bodies;

– Supporting the coordination of Member States’ market surveillance authorities.

External staff

1 END x 88.000 €/year

As described under 2.2.1:

– Preparation of the standardisation request and/or common specifications via implementing acts absent successful standardisation process;

– Preparing a delegated act [within 12 months since the entry into force of the Regulation] specifying the definitions of the critical products with digital elements;

– Potential preparation of delegated acts for updating the list of critical products of class I and II; specifying whether a limitation or exclusion is necessary for products with digital elements covered by other Union rules laying down requirements achieving the same level of protection as this Regulation; mandating the certification of certain highly critical products with digital elements based on criteria set out in this Regulation; specifying the minimum content of the EU declaration of conformity and supplementing the elements to be included in the technical documentation;

– Potential preparation of implementing acts relating to the format or elements of the reporting obligations, software bill of materials, common specifications or affixing of CE marking;

– Potentially preparing an immediate intervention for imposing corrective or restrictive measures in exceptional circumstances to preserve the good functioning of the internal market, including the preparation of an implementing act;

– Organisation and coordination of the notifications by Member States of notified bodies and coordination of the Notified Bodies;

– Supporting the coordination of Member States’ market surveillance authorities.

3.2.4. Compatibility with the current multiannual financial framework

The proposal/initiative:

–x    can be fully financed through redeployment within the relevant heading of the Multiannual Financial Framework (MFF).

No reprogramming is required.

–◻    requires use of the unallocated margin under the relevant heading of the MFF and/or use of the special instruments as defined in the MFF Regulation.

–◻    requires a revision of the MFF.

3.2.5. Third-party contributions

The proposal/initiative:

–x    does not provide for co-financing by third parties

–◻    provides for the co-financing by third parties estimated below:

Appropriations in EUR million (to three decimal places)

| | Year N (49) | Year N+1 | Year N+2 | Year N+3 | Enter as many years as necessary to show the duration of the impact (see point 1.6) | Total |
|---|---|---|---|---|---|---|
| Specify the co-financing body | | | | | | |
| TOTAL appropriations co-financed | | | | | | |


3.3. Estimated impact on revenue

–◻    The proposal/initiative has no financial impact on revenue.

–◻    The proposal/initiative has the following financial impact:

–◻    on own resources

–◻    on other revenue

–please indicate, if the revenue is assigned to expenditure lines ◻    

EUR million (to three decimal places)

Impact of the proposal/initiative (50), by year:

| Budget revenue line: | Appropriations available for the current financial year | Year N | Year N+1 | Year N+2 | Year N+3 | Enter as many years as necessary to show the duration of the impact (see point 1.6) |
|---|---|---|---|---|---|---|
| Article …………. | | | | | | |

For assigned revenue, specify the budget expenditure line(s) affected.


Other remarks (e.g. method/formula used for calculating the impact on revenue or any other information).


(1) Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on attacks against information systems and replacing Council Framework Decision 2005/222/JHA (OJ L 218, 14.8.2013, p. 8–14).
(2) Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (OJ L 194/1, 19.7.2016 p. 1).
(3) Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (OJ L 151, 7.6.2019, p. 15).
(4) The Cybersecurity Act allows the development of dedicated certification schemes. Each scheme includes references to relevant standards, technical specifications or other cybersecurity requirements defined in the scheme. The decision to develop a cybersecurity certification is a risk-based one.
(5) Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions “Shaping Europe’s digital future” of 19 February 2020, COM(2020) 67 final.
(6) Mainly New Legislative Framework (NLF) legislation. 
(7) Proposal for a Regulation of the European Parliament and of the Council laying down harmonized rules on artificial intelligence (Artificial Intelligence Act) and amending certain Union legislative Acts of 21 April 2021, COM (2021) 206 final.
(8) CJEU Judgment of the Court (Grand Chamber) of 3 December 2019, Czech Republic v European Parliament and Council of the European Union, Case C-482/17, paragraph 35. 
(9) CJEU Judgment of the Court (Grand Chamber) of 2 May 2006, United Kingdom of Great Britain and Northern Ireland v European Parliament and Council of the European Union, Case C-217/04, paragraphs 62-63. 
(10) For example, in 2019, Finland has created a labelling scheme for IoT devices, such as smart TVs, smartphones and toys based on the ETSI standards. Germany has recently introduced a consumer security label for broadband routers, smart TVs, cameras, speakers, toys, as well as cleaning and gardening robots.
(11) Study on the need of Cybersecurity requirements for ICT products – No. 2020-0715, Final Study Report, available under https://digital-strategy.ec.europa.eu/en/library/study-need-cybersecurity-requirements-ict-products
(12) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).
(13) OJ C , , p. .
(14) OJ C , , p. .
(15) Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (OJ L 151, 7.6.2019, p. 15).
(16) JOIN(2020) 18 final, https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=JOIN:2020:18:FIN
(17) 2021/2568(RSP), https://www.europarl.europa.eu/doceo/document/TA-9-2021-0286_EN.html
(18) Conference on the Future of Europe – Report on the Final Outcome, May 2022, Proposal 28(2). The Conference was held between April 2021 and May 2022. It was a unique, citizen-led exercise of deliberative democracy at the pan-European level, involving thousands of European citizens as well as political actors, social partners, civil society representatives and key stakeholders.
(19) Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, amending Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009 and repealing Council Directives 90/385/EEC and 93/42/EEC (OJ L 117, 5.5.2017, p. 1).
(20) Regulation (EU) 2017/746 of the European Parliament and of the Council of 5 April 2017 on in vitro diagnostic medical devices and repealing Directive 98/79/EC and Commission Decision 2010/227/EU (OJ L 117, 5.5.2017, p. 176).
(21) MDCG 2019-16, endorsed by the Medical Device Coordination Group (MDCG) established by Article 103 of Regulation (EU) 2017/745.
(22) Regulation (EU) 2019/2144 of the European Parliament and of the Council of 27 November 2019 on type-approval requirements for motor vehicles and their trailers, and systems, components and separate technical units intended for such vehicles, as regards their general safety and the protection of vehicle occupants and vulnerable road users, amending Regulation (EU) 2018/858 of the European Parliament and of the Council and repealing Regulations (EC) No 78/2009, (EC) No 79/2009 and (EC) No 661/2009 of the European Parliament and of the Council and Commission Regulations (EC) No 631/2009, (EU) No 406/2010, (EU) No 672/2010, (EU) No 1003/2010, (EU) No 1005/2010, (EU) No 1008/2010, (EU) No 1009/2010, (EU) No 19/2011, (EU) No 109/2011, (EU) No 458/2011, (EU) No 65/2012, (EU) No 130/2012, (EU) No 347/2012, (EU) No 351/2012, (EU) No 1230/2012 and (EU) 2015/166 (OJ L 325, 16.12.2019, p. 1).
(23) UN Regulation No 155 – Uniform provisions concerning the approval of vehicles with regard to cybersecurity and cybersecurity management system [2021/387].
(24) Regulation (EU) 2018/1139 of the European Parliament and of the Council of 4 July 2018 on common rules in the field of civil aviation and establishing a European Union Aviation Safety Agency, and amending Regulations (EC) No 2111/2005, (EC) No 1008/2008, (EU) No 996/2010, (EU) No 376/2014 and Directives 2014/30/EU and 2014/53/EU of the European Parliament and of the Council, and repealing Regulations (EC) No 552/2004 and (EC) No 216/2008 of the European Parliament and of the Council and Council Regulation (EEC) No 3922/91 (OJ L 212, 22.8.2018, p. 1).
(25) Council Directive 85/374/EEC of 25 July 1985 on the approximation of the laws, regulations and administrative provisions of the Member States concerning liability for defective products (OJ L 210, 7.8.85).
(26) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).
(27) Regulation [the AI Regulation].
(28) Directive XXX of the European Parliament and of the Council of [date] [on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148 (OJ L xx, date, p.x)].
(29) Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council Decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12).
(30) Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and repealing Regulation (EEC) No 339/93 (OJ L 218, 13.8.2008, p. 30).
(31) Decision No 768/2008/EC of the European Parliament and of the Council of 9 July 2008 on a common framework for the marketing of products, and repealing Council Decision 93/465/EEC (OJ L 218, 13.8.2008, p. 82).
(32) Regulation (EU) 2019/1020 of the European Parliament and of the Council of 20 June 2019 on market surveillance and compliance of products and amending Directive 2004/42/EC and Regulations (EC) No 765/2008 and (EU) No 305/2011 (OJ L 169, 25.6.2019, p. 1).
(33) OJ L 123, 12.5.2016, p. 1.
(34) Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the Member States of the Commission's exercise of implementing powers (OJ L 55, 28.2.2011, p.13).
(35) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).
(36) Directive (EU) 2016/943 of the European Parliament and of the Council of 8 June 2016 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure (OJ L 157, 15.6.2016, p. 1).
(37) As referred to in Article 58(2)(a) or (b) of the Financial Regulation.
(38) See [Commission Staff Working Document on Impact Assessment Report accompanying the Regulation on horizontal cybersecurity requirements for products with digital elements]
(39) See [Commission Staff Working Document on Impact Assessment Report accompanying the Regulation on horizontal cybersecurity requirements for products with digital elements]
(40) Details of management modes and references to the Financial Regulation may be found on the BudgWeb site: https://myintracomm.ec.europa.eu/budgweb/EN/man/budgmanag/Pages/budgmanag.aspx  
(41) Year N is the year in which implementation of the proposal/initiative starts. Please replace "N" by the expected first year of implementation (for instance: 2021). The same for the following years.
(42) According to the official budget nomenclature.
(43) Technical and/or administrative assistance and expenditure in support of the implementation of EU programmes and/or actions (former ‘BA’ lines), indirect research, direct research.
(44) Outputs are products and services to be supplied (e.g.: number of student exchanges financed, number of km of roads built, etc.).
(45) As described in point 1.4.2. ‘Specific objective(s)…’
(46) Technical and/or administrative assistance and expenditure in support of the implementation of EU programmes and/or actions (former ‘BA’ lines), indirect research, direct research.
(47) AC= Contract Staff; AL = Local Staff; END= Seconded National Expert; INT = agency staff; JPD= Junior Professionals in Delegations.
(48) Sub-ceiling for external staff covered by operational appropriations (former ‘BA’ lines).
(49) Year N is the year in which implementation of the proposal/initiative starts. Please replace "N" by the expected first year of implementation (for instance: 2021). The same for the following years.
(50) As regards traditional own resources (customs duties, sugar levies), the amounts indicated must be net amounts, i.e. gross amounts after deduction of 20 % for collection costs.