European flag

Proposition de

RÈGLEMENT DU PARLEMENT EUROPÉEN ET DU CONSEIL

sur les exigences horizontales en matière de cybersécurité applicables aux produits comportant des éléments numériques, modifiant le règlement (UE) 2019/1020 et la directive (UE) 2020/1828

(Texte présentant de l'intérêt pour l'EEE)

{SEC(2022) 321 final} - {SWD(2022) 282 final} - {SWD(2022) 283 final}

CHAPITRE I
DISPOSITIONS GÉNÉRALES

Article 1 - Objet

Le présent règlement prévoit :

(a) des règles pour la mise à disposition sur le marché de produits comportant des éléments numériques afin d'assurer la cybersécurité de ces produits ;

(b) des exigences essentielles pour la conception, le développement et la production de produits comportant des éléments numériques, et des obligations pour les opérateurs économiques en rapport avec ces produits en ce qui concerne la cybersécurité ;

(c) les exigences essentielles relatives aux processus de traitement de la vulnérabilité mis en place par les fabricants pour garantir la cybersécurité des produits comportant des éléments numériques pendant la durée d'utilisation prévue du produit, ainsi que les obligations des opérateurs économiques en ce qui concerne ces processus ;

(d) les règles relatives à la surveillance du marché, y compris le contrôle et l'application des règles et exigences visées au présent article.

Article 2 - Champ d'application

Le présent règlement s'applique aux produits contenant des éléments numériques mis à disposition sur le marché, dont la destination ou l'utilisation raisonnablement prévisible comprend une connexion logique ou physique, directe ou indirecte, à un dispositif ou à un réseau.

2. Le présent règlement ne s'applique pas aux produits contenant des éléments numériques auxquels s'appliquent les actes juridiques de l'Union suivants :

(a) Règlement (UE) 2017/745 ;

(b) Règlement (UE) 2017/746 ;

(c) Règlement (UE) 2019/2144.

3. Le présent règlement ne s'applique pas aux produits comportant des éléments numériques qui ont été certifiés conformément au règlement (UE) 2018/1139.

4. Le présent règlement ne s'applique pas aux équipements qui relèvent du champ d'application de la directive 2014/90/UE du Parlement européen et du Conseil.

5. L'application du présent règlement aux produits comportant des éléments numériques couverts par d'autres règles de l'Union établissant des exigences qui traitent tout ou partie des risques couverts par les exigences essentielles énoncées à l'annexe I peut être limitée ou exclue, lorsque :

(a) cette limitation ou exclusion est compatible avec le cadre réglementaire général applicable à ces produits ; et

(b) les règles sectorielles assurent un niveau de protection identique ou supérieur à celui prévu par le présent règlement.

La Commission est habilitée à adopter des actes délégués conformément à l'article 61 pour compléter le présent règlement en précisant si une telle limitation ou exclusion est nécessaire, les produits et les règles concernés, ainsi que la portée de la limitation, le cas échéant.

6. Le présent règlement ne s'applique pas aux pièces détachées qui sont mises à disposition sur le marché pour remplacer des composants identiques dans des produits comportant des éléments numériques et qui sont fabriquées selon les mêmes spécifications que les composants qu'elles sont destinées à remplacer.

7. Le présent règlement ne s'applique pas aux produits comportant des éléments numériques développés ou modifiés exclusivement à des fins de sécurité nationale ou de défense, ni aux produits spécifiquement conçus pour traiter des informations classifiées.

8. Les obligations prévues par le présent règlement n'impliquent pas la fourniture d'informations dont la divulgation serait contraire aux intérêts essentiels de la sécurité nationale, de la sécurité publique ou de la défense des États membres.

Article 3 - Définitions

Aux fins du présent règlement, les définitions suivantes s'appliquent :

(1) "produit comportant des éléments numériques" : tout produit logiciel ou matériel et ses solutions de traitement des données à distance, y compris les composants logiciels ou matériels devant être mis sur le marché séparément ;

(2) "traitement de données à distance" : tout traitement de données à distance dont le logiciel est conçu et développé par le fabricant ou sous la responsabilité du fabricant, et dont l'absence empêcherait le produit contenant des éléments numériques d'accomplir l'une de ses fonctions ;

(3) "cybersécurité", la cybersécurité telle que définie à l'article 2, point (1), du règlement (UE) 2019/881 ;

(4) "logiciel" : la partie d'un système d'information électronique qui consiste en un code informatique ;

(5) "matériel" : un système d'information électronique physique, ou des parties de celui-ci, capable de traiter, de stocker ou de transmettre des données numériques ;

(6) "composant" : un logiciel ou un matériel destiné à être intégré dans un système d'information électronique ;

(7) "système d'information électronique" : tout système, y compris les équipements électriques ou électroniques, capable de traiter, de stocker ou de transmettre des données numériques ;

(8) "connexion logique" : une représentation virtuelle d'une connexion de données mise en œuvre par le biais d'une interface logicielle ;

(9) "connexion physique" : toute connexion entre des systèmes d'information électroniques ou des composants mis en œuvre par des moyens physiques, notamment par le biais d'interfaces électriques, optiques ou mécaniques, de fils ou d'ondes radio ;

(10) "connexion indirecte" : une connexion à un dispositif ou à un réseau qui n'a pas lieu directement, mais plutôt dans le cadre d'un système plus large qui peut être directement connecté à ce dispositif ou à ce réseau ;

(11) "point final" : tout dispositif connecté à un réseau et servant de point d'entrée à ce réseau ;

(12) "opérateur économique" : le fabricant, le mandataire, l'importateur, le distributeur ou toute autre personne physique ou morale soumise à des obligations en rapport avec la fabrication de produits ou leur mise à disposition sur le marché conformément au présent règlement ;

(13) "fabricant" : toute personne physique ou morale qui développe ou fabrique des produits comportant des éléments numériques ou qui fait concevoir, développer ou fabriquer des produits comportant des éléments numériques et les commercialise sous son nom ou sa marque, que ce soit à titre onéreux, payant ou gratuit ;

(14) "gestionnaire de logiciels libres" : une personne morale, autre qu'un fabricant, dont le but ou l'objectif est de fournir systématiquement et durablement un soutien au développement de produits spécifiques comportant des éléments numériques, qualifiés de logiciels libres et destinés à des activités commerciales, et qui assure la viabilité de ces produits ;

(15) "mandataire" : toute personne physique ou morale établie dans l'Union qui a reçu un mandat écrit d'un fabricant pour agir en son nom dans le cadre de tâches déterminées ;

(16) "importateur" : toute personne physique ou morale établie dans l'Union qui met sur le marché un produit comportant des éléments numériques qui porte le nom ou la marque d'une personne physique ou morale établie en dehors de l'Union ;

(17) "distributeur" : toute personne physique ou morale de la chaîne d'approvisionnement, autre que le fabricant ou l'importateur, qui met un produit contenant des éléments numériques à disposition sur le marché de l'Union sans en modifier les propriétés ;

(18) "consommateur" : toute personne physique qui agit à des fins qui n'entrent pas dans le cadre de son activité commerciale, industrielle, artisanale ou libérale ;

(19) "microentreprises", "petites entreprises" et "entreprises moyennes" : les microentreprises, les petites entreprises et les entreprises moyennes telles que définies dans la recommandation 2003/361/CE de la Commission ;

(20) "période d'assistance" : la période pendant laquelle le fabricant est tenu de veiller à ce que les vulnérabilités du produit comportant des éléments numériques soient traitées efficacement et conformément aux exigences essentielles énoncées à l'annexe I, partie II ;

(21) "mise sur le marché" : la première mise à disposition d'un produit contenant des éléments numériques sur le marché de l'Union ;

(22) "mise à disposition sur le marché", la fourniture d'un produit contenant des éléments numériques en vue de sa distribution ou de son utilisation sur le marché de l'Union dans le cadre d'une activité commerciale, à titre onéreux ou gratuit ;

(23) "destination" : l'utilisation à laquelle un produit contenant des éléments numériques est destiné par le fabricant, y compris le contexte et les conditions d'utilisation spécifiques, tels que spécifiés dans les informations fournies par le fabricant dans le mode d'emploi, le matériel promotionnel ou de vente et les déclarations, ainsi que dans la documentation technique ;

(24) "utilisation raisonnablement prévisible" : une utilisation qui n'est pas nécessairement celle prévue par le fabricant dans les instructions d'utilisation, le matériel et les déclarations promotionnels ou de vente, ainsi que dans la documentation technique, mais qui est susceptible de résulter d'un comportement humain ou d'opérations ou d'interactions techniques raisonnablement prévisibles ;

(25) "usage abusif raisonnablement prévisible" : l'utilisation d'un produit comportant des éléments numériques d'une manière qui n'est pas conforme à sa destination, mais qui peut résulter d'un comportement humain raisonnablement prévisible ou d'une interaction avec d'autres systèmes ;

(26) "autorité notifiante" : l'autorité nationale responsable de la mise en place et de l'exécution des procédures nécessaires à l'évaluation, à la désignation et à la notification des organismes d'évaluation de la conformité, ainsi qu'à leur contrôle ;

(27) "évaluation de la conformité" : le processus consistant à vérifier si les exigences essentielles énoncées à l'annexe I ont été respectées ;

(28) "organisme d'évaluation de la conformité" : un organisme d'évaluation de la conformité tel que défini à l'article 2, point 13), du règlement (UE) n° 765/2008 ;

(29) "organisme notifié" : un organisme d'évaluation de la conformité désigné conformément à l'article 33 du présent règlement et à d'autres dispositions législatives d'harmonisation pertinentes de l'Union ;

(30) "modification substantielle" : un changement apporté au produit contenant des éléments numériques après sa mise sur le marché, qui affecte la conformité du produit contenant des éléments numériques aux exigences essentielles énoncées à l'annexe I, partie I, ou qui entraîne une modification de l'usage prévu pour lequel le produit contenant des éléments numériques a été évalué ;

(31) "marquage CE" : un marquage par lequel un fabricant indique qu'un produit comportant des éléments numériques et les processus mis en place par le fabricant sont conformes aux exigences essentielles énoncées à l'annexe I et à d'autres dispositions législatives de l'Union ▌harmonisation ▌ applicables prévoyant son apposition ;

(32) "législation d'harmonisation de l'Union", la législation de l'Union énumérée à l'annexe I du règlement (UE) 2019/1020 et toute autre législation de l'Union harmonisant les conditions de commercialisation des produits auxquels ce règlement s'applique ;

(33) "autorité de surveillance du marché" : une autorité de surveillance du marché telle que définie à l'article 3, point 4), du règlement (UE) 2019/1020 ;

(34) "norme internationale", une norme internationale telle que définie à l'article 2, point 1) a), du règlement (UE) n° 1025/2012 ;

(35) "norme européenne", une norme européenne telle que définie à l'article 2, point 1) b), du règlement (UE) n° 1025/2012 ;

(36) "norme harmonisée", une norme européenne telle que définie à l'article 2, point 1) b), du règlement (UE) n° 1025/2012 ;

(37) "risque de cybersécurité" : le potentiel de perte ou de perturbation causé par un incident, exprimé comme une combinaison de l'ampleur de cette perte ou perturbation et de la probabilité d'occurrence de l'incident ;

(38) "risque important de cybersécurité" : un risque de cybersécurité dont on peut supposer, sur la base de ses caractéristiques techniques, qu'il présente une probabilité élevée d'incident susceptible d'avoir une incidence négative grave, notamment en provoquant des pertes ou des perturbations considérables, matérielles ou immatérielles ;

(39) "nomenclature logicielle" ou "SBOM" : un enregistrement formel contenant les détails et les relations de la chaîne d'approvisionnement des composants inclus dans les éléments logiciels d'un produit comportant des éléments numériques ;

(40) "vulnérabilité" : une faiblesse, une susceptibilité ou un défaut d'un produit comportant des éléments numériques qui peut être exploité par une cybermenace ;

(41) "vulnérabilité exploitable" : une vulnérabilité susceptible d'être utilisée efficacement par un adversaire dans des conditions opérationnelles pratiques ;

(42) "vulnérabilité activement exploitée" : une vulnérabilité pour laquelle il existe des preuves fiables qu'un ▌acteur malveillant l'a exploitée dans un système sans l'autorisation du propriétaire du système ;

(43) "incident", un incident tel que défini à l'article 6, point 6), de la directive (UE) 2022/2555 ;

(44) "incident ayant une incidence sur la sécurité du produit contenant des éléments numériques" : un incident qui affecte négativement ou est susceptible d'affecter négativement la capacité du produit d'un fabricant contenant des éléments numériques à protéger la disponibilité, l'authenticité, l'intégrité ou la confidentialité des données ou des fonctions ;

(45) "accident évité de justesse", un accident évité de justesse tel que défini à l'article 6, point 5), de la directive (UE) 2022/2555 ;

(46) "cybermenace", une cybermenace telle que définie à l'article 2, point (8), du règlement (UE) 2019/881 ;

(47) "données à caractère personnel", les données à caractère personnel définies à l'article 4, point 1), du règlement (UE) 2016/679.

(48) "logiciel libre" : un logiciel dont le code source est ouvertement partagé et qui est mis à disposition sous une licence libre qui prévoit tous les droits nécessaires pour le rendre librement accessible, utilisable, modifiable et redistribuable ;

(49) "rappel", le rappel tel que défini à l'article 3, point 22), du règlement (UE) 2019/1020 ;

(50) "retrait", le retrait tel que défini à l'article 3, point 23), du règlement (UE) 2019/1020 ;

(51) "CSIRT désigné comme coordinateur", un CSIRT désigné comme coordinateur conformément à l'article 12, paragraphe 1, de la directive (UE) 2022/2555.

Article 4 - Libre circulation

1. Les États membres ne font pas obstacle, pour les matières couvertes par le présent règlement, à la mise à disposition sur le marché de produits comportant des éléments numériques conformes au présent règlement.

2. Lors de foires commerciales, d'expositions et de démonstrations ou d'événements similaires, les États membres n'empêchent pas la présentation ou l'utilisation d'un produit comportant des éléments numériques qui n'est pas conforme au présent règlement, y compris ses prototypes, à condition qu'il soit présenté à l'aide d'un panneau visible indiquant clairement
indiquant que le produit n'est pas conforme au présent règlement et qu'il ne doit pas être mis à disposition sur le marché.
le marché jusqu'à ce qu'il soit conforme à ce règlement.

3. Les États membres ne font pas obstacle à la mise à disposition sur le marché de logiciels non finalisés qui ne sont pas conformes au présent règlement, à condition que ces logiciels ne soient mis à disposition que pour une période limitée nécessaire à des fins d'essai et qu'un signe visible indique clairement qu'ils ne sont pas conformes au présent règlement et qu'ils ne seront pas mis à disposition sur le marché à des fins autres que l'essai.

4. Le paragraphe 3 ne s'applique pas aux composants de sécurité tels que définis par d'autres législations d'harmonisation de l'Union autres que le présent règlement.

Article 5 - Acquisition ou utilisation de proconduits avec éléments numériques

1. Le présent règlement n'empêche pas les États membres de soumettre les produits comportant des éléments numériques à des exigences de cybersécurité supplémentaires pour l'acquisition ou l'utilisation de ces produits à des fins spécifiques, y compris lorsque ces produits seront acquis ou utilisés à des fins de défense ou de sécurité nationale, pour autant que ces exigences soient compatibles avec les obligations des États membres prévues par le droit de l'Union et qu'elles soient nécessaires et proportionnées à la réalisation de ces objectifs. 

2. Sans préjudice de la directive (UE) 2014/24 et de la directive (UE) 2014/25/UE, lorsqu'ils achètent des produits comportant des éléments numériques qui relèvent du champ d'application du présent règlement, les États membres veillent à ce que la conformité aux exigences essentielles énoncées à l'annexe I du présent règlement, y compris la capacité des fabricants à gérer efficacement les vulnérabilités, soit prise en considération dans le processus d'achat.

Article 6 - Exigences relatives aux produits contenant des éléments numériques

Les produits comportant des éléments numériques ne sont mis à disposition sur le marché que si :

(1) ils satisfont aux exigences essentielles énoncées à l'annexe I, partie I, pour autant qu'ils soient correctement installés, entretenus, utilisés conformément à leur destination ou dans des conditions raisonnablement prévisibles et, le cas échéant, que les mises à jour de sécurité nécessaires aient été installées, et

(2) les processus mis en place par le fabricant sont conformes aux exigences essentielles énoncées à l'annexe I, partie II.

Article 7 - Important produits comportant des éléments numériques

1. Les produits comportant des éléments numériques qui ont la fonctionnalité essentielle d'une catégorie de produits définie à l'annexe III sont considérés comme des produits importants comportant des éléments numériques et sont soumis aux procédures d'évaluation de la conformité visées à l'article 32, paragraphes 2 et 3. L'intégration d'un produit comportant des éléments numériques qui possède la fonctionnalité essentielle d'une catégorie de produits visée à l'annexe III ne soumet pas en soi le produit dans lequel il est intégré aux procédures d'évaluation de la conformité visées à l'article 32, paragraphes 2 et 3.

2. Les catégories de produits comportant des éléments numériques visées au paragraphe 1 du présent article, divisées en classes I et II comme indiqué à l'annexe III, répondent à au moins un des critères suivants :

(a) le produit contenant des éléments numériques remplit principalement des fonctions essentielles à la cybersécurité d'autres produits, réseaux ou services, y compris la sécurisation de l'authentification et de l'accès, la prévention et la détection des intrusions, la sécurité des points finaux ou la protection des réseaux ;

(b) le produit contenant des éléments numériques remplit une fonction qui comporte un risque important d'effets négatifs en raison de son intensité et de sa capacité à perturber, contrôler ou endommager un grand nombre d'autres produits ou la santé, la sécurité ou la sûreté de ses utilisateurs par une manipulation directe, telle qu'une fonction de système central, y compris la gestion de réseau, le contrôle de la configuration, la virtualisation ou le traitement de données à caractère personnel.

3. La Commission est habilitée à adopter des actes délégués en conformité avec l'article 61 pour modifier l'annexe III en incluant dans la liste une nouvelle catégorie dans chaque classe des catégories de ▌ produits comportant des éléments numériques et en précisant sa définition, en déplaçant une catégorie de produits d'une classe à l'autre ou en retirant une catégorie existante de cette liste. Lorsqu'elle évalue la nécessité de modifier la liste figurant à l'annexe III, la Commission tient compte des fonctionnalités liées à la cybersécurité ou de la fonction et du niveau de risque pour la cybersécurité que présentent les produits comportant des éléments numériques, tels qu'établis par les critères visés au paragraphe 2.

Les actes délégués visés au premier alinéa du présent paragraphe prévoient, le cas échéant, une période de transition minimale de douze mois, notamment lorsqu'une nouvelle catégorie de produits importants comportant des éléments numériques est ajoutée à la classe I ou II ou déplacée de la classe I à la classe II conformément à l'annexe III, avant que les procédures pertinentes d'évaluation de la conformité visées à l'article 32, paragraphes 2 et 3, ne commencent à s'appliquer, à moins qu'une période de transition plus courte ne soit justifiée par des raisons d'urgence impérieuses.

3. Au plus tard le ... [12 mois à compter de la date d'entrée en vigueur du présent règlement], la Commission adopte un acte d'exécution précisant la description technique des ▌ catégories de produits contenant des éléments numériques dans les classes I et II telles que définies à l'annexe III et à l'annexe II. la description technique des catégories de produits comportant des éléments numériques figurant à l'annexe IV.

Cet acte d'exécution est adopté conformément à la procédure d'examen
visés à l'article 62, paragraphe 2.

Article 8 - Produits critiques comportant des éléments numériques

1. La Commission est habilitée à adopter des actes délégués en conformité avec l'article 50 pour complètent le présent règlement afin de déterminer quels sont les produits comportant des éléments numériques ayant la fonctionnalité essentielle d'une catégorie figurant à l'annexe III bis du présent règlement est la suivante doit obtenir un certificat européen de cybersécurité d'un niveau d'assurance au moins égal à substantielle dans le cadre d'un système européen de certification de la cybersécurité adopté en vertu de la Règlement (UE) 2019/881 pour démontrer la conformité avec les exigences essentielles établies figurant à l'annexe I du présent règlement ou à des parties de celle-ci, à condition qu'un État membre de l'Union européenne soit en mesure d'appliquer les dispositions du présent règlement. système de certification de la cybersécurité couvrant les catégories de produits dotés d'une technologie numérique. a été adoptée conformément au règlement (UE) 2019/881, et est disponible à l'adresse suivante fabricants. Les actes délégués précisent le niveau d'assurance requis qui doit être proportionnés au niveau de risque de cybersécurité associé aux produits ayant une éléments numériques et tient compte de leur destination, y compris de leur caractère critique. la dépendance des entités essentielles du type visé à l'article 3 de la directive (UE) 2022/2555. 

Avant d'adopter ces actes délégués, la Commission procède à une évaluation de l'impact de l'action de l'Union européenne sur l'environnement. l'impact potentiel sur le marché des mesures envisagées et procède à des consultations avec les parties prenantes concernées, y compris le groupe européen de certification en matière de cybersécurité visé à l'article 5, paragraphe 2, de la directive. au règlement (UE) 2019/881. L'évaluation tient compte de l'état de préparation et de l'efficacité de la mise en œuvre. le niveau de capacité des États membres à mettre en œuvre les politiques européennes respectives. système de certification en matière de cybersécurité. Lorsqu'aucun acte délégué visé au premier alinéa n'a été adopté, la Commission peut le modifier en conséquence. a été adopté, les produits comportant des éléments numériques qui ont le noyau d'une catégorie figurant à l'annexe IV sont soumises à l'évaluation de la conformité. les procédures d'évaluation visées à l'article 32, paragraphe 3. 

Les actes délégués visés au premier alinéa prévoient un minimum de une période de transition de six mois pour leur application, à moins qu'une période de transition plus courte ne soit justifiée pour les raisons suivantes des raisons impératives d'urgence. 

2. La Commission est habilitée à adopter des actes délégués en conformité avec l'article 61 pour modifier l'annexe IV en ajoutant ou en retirant des catégories de ▌ produits critiques comportant des éléments numériques. Lorsqu'elle détermine ces catégories de produits critiques comportant des éléments numériques et le niveau d'assurance requis, conformément au paragraphe 1 du présent article, la Commission
tenir compte des critères visés à l'article 7, paragraphe 2, et de la mesure dans laquelle au moins l'un des critères suivants s'applique : 

(a) il existe une dépendance critique des entités essentielles visées à l'article 3 de la directive ▌ (UE) 2022/2555 relative à la catégorie des produits comportant des éléments numériques ; ▌ 

(b) les incidents et les vulnérabilités exploitées concernant la catégorie des produits contenant des éléments numériques peuvent entraîner de graves perturbations des chaînes d'approvisionnement critiques dans l'ensemble du marché intérieur.

Avant d'adopter ces actes délégués, la Commission procède à une évaluation de l'impact de l'action de l'Union européenne sur l'environnement. type visé au paragraphe 1, deuxième alinéa.

Les actes délégués visés au premier alinéa prévoient une période de transition minimale de six mois, à moins qu'une période de transition plus courte ne soit justifiée par des raisons d'urgence impérieuses.

Article 9 - Consultation des parties prenantes

1. Lors de l'élaboration des mesures de mise en œuvre du présent règlement, la Commission consulte les parties prenantes concernées, telles que les autorités compétentes des États membres, le secteur privé, y compris les micro, petites et moyennes entreprises, la communauté des logiciels libres, les associations de consommateurs, le monde universitaire et les agences ou organes de l'Union compétents ou les groupes d'experts établis au niveau de l'Union, et tient compte de leurs avis. En particulier, la Commission consulte et sollicite l'avis de ces parties prenantes de manière structurée et, le cas échéant, dans les cas suivants : 

(a) préparer les lignes directrices visées à l'article 26 ;

(b) préparer les descriptions techniques spécifiques des catégories de produits figurant à l'annexe III conformément à l'article 7, paragraphe 4, évaluer la nécessité d'éventuelles mises à jour de la liste des catégories de produits conformément à l'article 7, paragraphe 3, et à l'article 8, paragraphe 2, ou procéder à l'évaluation de l'incidence potentielle sur le marché visée à l'article 8, paragraphe 1, sans préjudice de l'article 61 du présent règlement ;

(c) entreprendre des travaux préparatoires en vue de l'évaluation et de la révision du présent règlement.

2. La Commission organise régulièrement, au moins une fois par an, des sessions de consultation et d'information afin de recueillir les avis des parties prenantes visées au paragraphe 1 sur la mise en œuvre du présent règlement.

Article 10 - Renforcer les compétences dans un environnement numérique cyber-résilient

Aux fins du présent règlement et afin de répondre aux besoins des professionnels dans le cadre de sa mise en œuvre, les États membres, avec, le cas échéant, le soutien de la Commission, du Centre européen de compétence en cybersécurité et de l'ENISA, tout en respectant pleinement la responsabilité des États membres dans le domaine de l'éducation, promeuvent des mesures et des stratégies visant à :

a) développer les compétences en matière de cybersécurité et créer des outils organisationnels et technologiques pour garantir une disponibilité suffisante de professionnels qualifiés afin de soutenir les activités des autorités de surveillance du marché et des organismes d'évaluation de la conformité ;

(b) renforcer la collaboration entre le secteur privé, les opérateurs économiques, y compris par le biais de la requalification ou de l'amélioration des compétences des employés des fabricants, les consommateurs, les prestataires de formation ainsi que les administrations publiques, afin d'élargir les possibilités d'accès des jeunes aux emplois dans le secteur de la cybersécurité.

Article 11 - Sécurité générale des produits

Par dérogation à l'article 2, paragraphe 1, troisième alinéa, point b), du règlement (UE) 2023/988, le chapitre III, section 1, les chapitres V et VII et les chapitres IX à XI dudit règlement ▌s'appliquent aux ▌ produits comportant des éléments numériques en ce qui concerne les aspects et les risques ou catégories de risques qui ne sont pas couverts par le présent règlement lorsque ces produits ne sont pas soumis à des exigences de sécurité spécifiques prévues par d'autres "législations d'harmonisation de l'Union" telles que définies à l'article 3, point 27), du règlement (UE) 2023/988.

Article 12 - Systèmes d'IA à haut risque

1. Sans préjudice des exigences relatives à l'exactitude et à la robustesse énoncées à [l'article 15] du règlement ... [le règlement IA], les produits comportant des éléments numériques qui relèvent du champ d'application du présent règlement et qui sont classés comme systèmes IA à haut risque en vertu de [l'article 6] dudit règlement sont réputés conformes aux exigences de cybersécurité ▌ énoncées à [l'article 15] dudit règlement lorsque :

(a) ces produits satisfont aux exigences essentielles énoncées à l'annexe I, partie I ;

(b) les processus mis en place par le fabricant sont conformes aux exigences essentielles énoncées à l'annexe I, partie II ; et

(c) l'atteinte du niveau de protection de la cybersécurité requis en vertu de [l'article 15] du règlement ... [le règlement IA] est démontrée dans la déclaration de conformité de l'UE délivrée en vertu du présent règlement.

2. Pour les produits comportant des éléments numériques et des exigences de cybersécurité visés au paragraphe 1 du présent article, la procédure d'évaluation de la conformité pertinente prévue à [l'article 43] du règlement ... [règlement AI] s'applique. Aux fins de cette évaluation, les organismes notifiés qui sont compétents pour contrôler la conformité des systèmes d'IA à haut risque en vertu du ▌ règlement... [règlement AI] sont également compétents pour contrôler la conformité des ▌ systèmes d'IA à haut risque qui relèvent du champ d'application du présent règlement avec les exigences énoncées à l'annexe I du présent règlement, à condition que la conformité de ces organismes notifiés avec les exigences énoncées à l'article 39 du présent règlement ait été évaluée dans le cadre de la procédure de notification prévue par le règlement... [règlement AI].

3. Par dérogation au paragraphe 2, les produits importants comportant des éléments numériques énumérés à l'annexe III du présent règlement, qui sont soumis aux procédures d'évaluation de la conformité visées à l'article 32, paragraphe 2, points a) et b), et à l'article 32, paragraphe 3, du présent règlement, et les produits critiques comportant des éléments numériques énumérés à l'annexe IV du présent règlement qui sont tenus d'obtenir un certificat européen de cybersécurité en vertu de l'article 8, paragraphe 1, du présent règlement ou, à défaut, qui sont soumis aux procédures d'évaluation de la conformité visées à l'article 32, paragraphe 3, du présent règlement, et qui sont également classés comme systèmes d'IA à haut risque en vertu de l'article [article 6] du ▌ règlement... [règlement AI] et auxquels s'applique la procédure d'évaluation de la conformité fondée sur le contrôle interne visée à [l'annexe VI] du règlement... [règlement AI], sont soumis aux procédures d'évaluation de la conformité ▌ prévues par le présent règlement, dans la mesure où les exigences essentielles du présent règlement sont concernées.

4. Les fabricants de produits comportant des éléments numériques visés au paragraphe 1 du présent article peuvent participer aux "bacs à sable" réglementaires en matière d'IA visés à [l'article 53] du règlement ... [le règlement sur l'IA].

CHAPITRE II
LES OBLIGATIONS DES OPÉRATEURS ÉCONOMIQUES ET LES DISPOSITIONS RELATIVES AUX LOGICIELS LIBRES ET OPEN-SOURCE

Article 13 - Obligations des fabricants

1. Lorsqu'ils mettent sur le marché un produit comportant des éléments numériques, les fabricants veillent à ce que ce produit ait été conçu, développé et produit conformément aux exigences essentielles énoncées à l'annexe I, partie I.

2. Pour se conformer à l'obligation énoncée au paragraphe 1, les fabricants procèdent à une évaluation des risques de cybersécurité associés à un produit comportant des éléments numériques et tiennent compte des résultats de cette évaluation durant les phases de planification, de conception, de développement, de production, de livraison et de maintenance du produit comportant des éléments numériques, en vue de réduire au minimum les risques de cybersécurité, de prévenir les incidents de sécurité et de réduire au minimum les incidences de ces incidents, y compris en ce qui concerne la santé et la sécurité des utilisateurs.

3. L'évaluation du risque de cybersécurité est documentée et mise à jour, le cas échéant, au cours de la période d'assistance à déterminer conformément au paragraphe 8 du présent article. Cette évaluation du risque de cybersécurité comprend au moins une analyse des risques de cybersécurité fondée sur la destination et l'utilisation raisonnablement prévisible, ainsi que sur les conditions d'utilisation, du produit comportant des éléments numériques, tels que l'environnement opérationnel ou les biens à protéger, en tenant compte de la durée d'utilisation prévue du produit. L'évaluation du risque de cybersécurité indique si et, le cas échéant, de quelle manière, les exigences de sécurité énoncées à l'annexe I, partie I, point 3), sont applicables au produit concerné comportant des éléments numériques et comment ces exigences sont mises en œuvre sur la base de l'évaluation du risque de cybersécurité. Il indique également comment le fabricant doit appliquer l'annexe I, partie I, point 1, et les exigences en matière de traitement des vulnérabilités énoncées à l'annexe I, partie II.

4. Lorsqu'il met sur le marché un produit comportant des éléments numériques, le fabricant inclut une évaluation du risque de cybersécurité dans la documentation technique prévue à l'article 23 et à l'annexe V. Pour les produits comportant des éléments numériques visés à l'article 8 et à l'article 24, paragraphe 4, qui sont également soumis à d'autres actes de l'Union, l'évaluation du risque de cybersécurité peut faire partie de l'évaluation du risque exigée par ces actes respectifs de l'Union. Lorsque certaines exigences essentielles ne sont pas applicables au produit commercialisé comportant des éléments numériques, le fabricant inclut une justification claire dans cette documentation.

5. Aux fins du respect du paragraphe 1, les fabricants font preuve de diligence raisonnable lorsqu'ils intègrent des composants provenant de tiers, de sorte que ces composants ne compromettent pas la cybersécurité du produit comportant des éléments numériques, y compris lorsqu'ils intègrent des composants de logiciels libres qui n'ont pas été mis à disposition sur le marché dans le cadre d'une activité commerciale. 

6. Lorsqu'ils identifient une vulnérabilité dans un composant, y compris dans un composant à source ouverte, qui est intégré dans le produit avec des éléments numériques, les fabricants signalent la vulnérabilité à la personne ou à l'entité qui fabrique ou entretient le composant, et traitent et corrigent la vulnérabilité conformément aux exigences en matière de traitement des vulnérabilités énoncées à l'annexe I, partie II. Lorsque les fabricants ont mis au point une modification logicielle ou matérielle pour remédier à la vulnérabilité de ce composant, ils partagent le code ou la documentation correspondante avec la personne ou l'entité qui fabrique ou entretient le composant, le cas échéant dans un format lisible par machine.

7. Le fabricant documente systématiquement, d'une manière proportionnée à la nature et aux risques de cybersécurité, les aspects pertinents de la cybersécurité concernant le produit comportant des éléments numériques, y compris les vulnérabilités dont il a connaissance et toute information pertinente fournie par des tiers, et met à jour, le cas échéant, l'évaluation du risque de cybersécurité du produit.

8. Les fabricants veillent, lors de la mise sur le marché d'un produit comportant des éléments numériques, et pendant la période de soutien, à ce que les vulnérabilités de ce produit, y compris ses composants, soient traitées efficacement et conformément aux exigences essentielles énoncées à l'annexe I, partie II.

Les fabricants déterminent la période de support de manière à ce qu'elle reflète la durée pendant laquelle le produit est censé être utilisé, en tenant compte, en particulier, des attentes raisonnables de l'utilisateur, de la nature du produit, y compris sa destination, ainsi que du droit de l'Union pertinent déterminant la durée de vie des produits comportant des éléments numériques. Lorsqu'ils déterminent la période de soutien, les fabricants peuvent également tenir compte des périodes de soutien des produits dotés d'éléments numériques offrant une fonctionnalité similaire mis sur le marché par d'autres fabricants, de la disponibilité de l'environnement d'exploitation, des périodes de soutien des composants intégrés qui fournissent des fonctions essentielles et proviennent de tiers, ainsi que des orientations pertinentes fournies par le groupe de coopération administrative spécialisé (ADCO) établi en vertu de l'article 52, paragraphe 15, et par la Commission. Les éléments à prendre en compte pour déterminer la durée de la période d'assistance sont examinés de manière à garantir la proportionnalité.

Sans préjudice du deuxième alinéa, la période d'assistance est d'au moins cinq ans. Lorsqu'il est prévu que le produit contenant des éléments numériques sera utilisé pendant moins de cinq ans, la période d'assistance correspond à la durée d'utilisation prévue.

En tenant compte des recommandations de l'ADCO visées à l'article 52, paragraphe 16, la Commission peut adopter des actes délégués conformément à l'article 61 pour compléter le présent règlement en précisant la période de soutien minimale pour des catégories de produits spécifiques lorsque les données de surveillance du marché suggèrent des périodes de soutien inadéquates.

Les fabricants incluent les informations qui ont été prises en compte pour déterminer les éléments suivants
la période de soutien d'un produit comportant des éléments numériques dans la documentation technique, comme indiqué à l'annexe VII.

Les fabricants disposent de politiques et de procédures appropriées, y compris de politiques coordonnées de divulgation des vulnérabilités, visées à l'annexe I, section 2, point 5), pour traiter et corriger les vulnérabilités potentielles du produit contenant des éléments numériques signalées par des sources internes ou externes. 

9. Les fabricants veillent à ce que chaque mise à jour de sécurité visée à l'annexe I, partie II, point 8), qui a été mise à la disposition des utilisateurs pendant la période d'assistance, reste disponible après sa publication pendant au moins dix ans après la mise sur le marché du produit contenant des éléments numériques ou pendant le reste de la période d'assistance, la durée la plus longue étant retenue.

10. Lorsqu'un fabricant a mis sur le marché des versions ultérieures substantiellement modifiées d'un produit logiciel, il peut assurer la conformité à l'exigence essentielle énoncée à l'annexe I, partie II, point 2), uniquement pour la version qu'il a mise sur le marché en dernier lieu, à condition que les utilisateurs des versions précédemment mises sur le marché aient accès gratuitement à la dernière version mise sur le marché et n'aient pas à supporter de coûts supplémentaires pour adapter l'environnement matériel et logiciel dans lequel ils utilisent la version originale de ce produit.

11. Les fabricants peuvent conserver des archives publiques de logiciels permettant aux utilisateurs d'accéder aux versions antérieures. Dans ce cas, les utilisateurs sont clairement informés, d'une manière facilement accessible, des risques liés à l'utilisation de logiciels non pris en charge.

12. Avant de mettre sur le marché un produit comportant des éléments numériques, les fabricants établissent la documentation technique visée à l'article 31. 

Ils effectuent ou font effectuer les procédures choisies d'évaluation de la conformité visées à l'article 32.

Lorsque la conformité du produit contenant des éléments numériques aux exigences essentielles énoncées à l'annexe I, partie I, et des processus mis en place par le fabricant aux exigences essentielles énoncées à l'annexe I, partie II, a été démontrée par cette procédure d'évaluation de la conformité, les fabricants établissent la déclaration UE de conformité conformément à l'article 28 et apposent le marquage CE conformément à l'article 30.

13. Les fabricants tiennent la documentation technique et la déclaration UE de conformité ▌ à la disposition des autorités de surveillance du marché pendant au moins dix ans à compter de la mise sur le marché du produit comportant des éléments numériques ou pendant la période d'assistance, la durée la plus longue étant retenue.

14. Les fabricants veillent à ce que des procédures soient en place pour que les produits comportant des éléments numériques qui font partie d'une série de production restent conformes au présent règlement. Les fabricants tiennent dûment compte des modifications du processus de développement et de production ou de la conception ou des caractéristiques du produit contenant des éléments numériques, ainsi que des modifications des normes harmonisées, des systèmes européens de certification en matière de cybersécurité ou des spécifications communes visés à l'article 27, par référence auxquels la conformité du produit contenant des éléments numériques est déclarée ou par application desquels sa conformité est vérifiée.

15. Les fabricants veillent à ce que leurs produits comportant des éléments numériques portent un numéro de type, de lot ou de série ou tout autre élément permettant leur identification ou, lorsque cela n'est pas possible, veillent à ce que ces informations figurent sur leur emballage ou dans un document accompagnant le produit comportant des éléments numériques.

16. Les fabricants indiquent le nom, la dénomination commerciale enregistrée ou la marque déposée du fabricant, ainsi que l'adresse postale, l'adresse électronique ou d'autres coordonnées numériques et, le cas échéant, le site internet sur lequel le fabricant peut être contacté, sur le produit comportant des éléments numériques, sur son emballage ou dans un document accompagnant le produit comportant des éléments numériques. Ces informations figurent également dans les informations et instructions destinées à l'utilisateur visées à l'annexe II. Les coordonnées sont rédigées dans une langue aisément compréhensible par les utilisateurs et les autorités de surveillance du marché.

17. Aux fins du présent règlement, les fabricants désignent un point de contact unique pour permettre aux utilisateurs de communiquer directement et rapidement avec eux, notamment pour faciliter le signalement des vulnérabilités du produit comportant des éléments numériques.

Les fabricants veillent à ce que le point de contact unique soit facilement identifiable par les utilisateurs. Ils mentionnent également le point de contact unique dans les informations et instructions destinées à l'utilisateur qui figurent à l'annexe II.

Le point de contact unique permet aux utilisateurs de choisir les moyens de communication qu'ils préfèrent et ne les limite pas à des outils automatisés.

18. Les fabricants veillent à ce que les produits comportant des éléments numériques soient accompagnés des informations et instructions destinées à l'utilisateur visées à l'annexe II, sur support papier ou électronique. Ces informations et instructions sont fournies dans une langue aisément compréhensible par les utilisateurs et les autorités de surveillance du marché. Elles sont claires, compréhensibles, intelligibles et lisibles. Elles permettent une installation, un fonctionnement et une utilisation sûrs des produits comportant des éléments numériques. Les fabricants tiennent les informations et les instructions à l'intention de l'utilisateur visées à l'annexe II à la disposition des utilisateurs et des autorités de surveillance du marché pendant au moins dix ans après la mise sur le marché du produit contenant des éléments numériques ou pendant la période d'assistance, la durée la plus longue étant retenue. Lorsque ces informations et instructions sont fournies en ligne, les fabricants veillent à ce qu'elles soient accessibles, conviviales et disponibles en ligne pendant au moins dix ans après la mise sur le marché du produit comportant des éléments numériques ou pendant la période d'assistance, la durée la plus longue étant retenue. 

19. Les fabricants veillent à ce que la date de fin de la période d'assistance visée au paragraphe 8, comprenant au moins le mois et l'année, soit précisée de manière claire et compréhensible au moment de l'achat, d'une manière aisément accessible, le cas échéant, sur le produit comportant des éléments numériques, sur son emballage ou par des moyens numériques. 

Lorsque cela est techniquement possible compte tenu de la nature du produit contenant des éléments numériques, les fabricants affichent une notification aux utilisateurs les informant que leur produit contenant des éléments numériques a atteint la fin de sa période d'assistance.

20. Les fabricants fournissent soit une copie de la déclaration UE de conformité, soit une déclaration UE de conformité simplifiée avec le produit comportant des éléments numériques. Lorsqu'une déclaration UE de conformité simplifiée est fournie, elle contient l'adresse internet exacte à laquelle la déclaration UE de conformité complète peut être consultée. 

21. À compter de la mise sur le marché et pendant la période de soutien ▌ , les fabricants qui savent ou ont des raisons de croire que le produit contenant des éléments numériques ou les procédés mis en place par le fabricant ne sont pas conformes aux exigences essentielles énoncées à l'annexe I prennent immédiatement les mesures correctives nécessaires pour mettre ce produit contenant des éléments numériques ou les procédés du fabricant en conformité, pour retirer ou pour rappeler le produit, selon le cas.

22. Sur requête motivée d'une autorité de surveillance du marché, les fabricants fournissent à cette autorité, dans une langue aisément compréhensible par celle-ci, toutes les informations et tous les documents, sur support papier ou électronique, nécessaires pour démontrer la conformité du produit comportant des éléments numériques et des processus mis en place par le fabricant aux exigences essentielles énoncées à l'annexe I. Les fabricants coopèrent avec cette autorité, à sa demande, à toute mesure prise pour réduire de manière adéquate les risques de cybersécurité posés par le produit comportant des éléments numériques qu'ils ont mis sur le marché.

23. Un fabricant qui cesse ses activités et qui, de ce fait, n'est pas en mesure de respecter les obligations prévues par le présent règlement informe, avant que la cessation des activités ne prenne effet, les autorités de surveillance du marché concernées de cette situation, ainsi que, par tout moyen disponible et dans la mesure du possible, les utilisateurs des produits concernés comportant des éléments numériques mis sur le marché, de l'imminence de la cessation des activités.

24. La Commission peut, au moyen d'actes d'exécution, en tenant compte des normes européennes ou internationales et des meilleures pratiques, préciser le format et les éléments de la nomenclature du logiciel figurant à l'annexe I, partie II, point 1). Ces actes d'exécution sont adoptés en conformité avec la procédure d'examen visée à l'article 62, paragraphe 2.

25. Afin d'évaluer la dépendance des États membres et de l'Union dans son ensemble à l'égard des composants logiciels et, en particulier, des composants considérés comme des logiciels libres, l'ADCO peut décider de procéder à une évaluation de la dépendance à l'échelle de l'Union pour des catégories spécifiques de produits comportant des éléments numériques. À cette fin, les autorités de surveillance du marché peuvent demander aux fabricants de ces catégories de produits comportant des éléments numériques d'effectuer une évaluation de la dépendance à l'échelle de l'Union.
les éléments numériques pour fournir les nomenclatures de logiciels pertinentes visées à l'annexe I, partie II, point (1). Sur la base de ces informations, les autorités de surveillance du marché peuvent fournir à ADCO des informations anonymes et agrégées sur les dépendances logicielles. ADCO soumet un rapport sur les résultats de l'évaluation des dépendances au groupe de coopération établi en vertu de l'article 14 de la directive (UE) 2022/2555.

Article 14 - Obligations de déclaration des fabricants

1. Un fabricant ▌ notifie ▌ toute vulnérabilité activement exploitée contenue dans le produit comportant des éléments numériques dont il a connaissance simultanément au CSIRT désigné comme coordinateur, conformément au paragraphe 7 du présent article, et à l'ENISA. Le fabricant notifie cette vulnérabilité activement exploitée via la plateforme unique de notification établie à l'article 16.

2. Aux fins de la notification visée au paragraphe 1, les fabricants soumettent :

(a) une notification d'alerte rapide concernant une vulnérabilité activement exploitée, sans retard excessif et, en tout état de cause, dans les 24 heures suivant le moment où le fabricant en a eu connaissance, indiquant, le cas échéant, les États membres sur le territoire desquels le fabricant sait que son produit contenant des éléments numériques a été mis à disposition ;

(b) à moins que les informations pertinentes n'aient déjà été fournies, une notification de vulnérabilité, sans retard excessif et en tout état de cause dans les 72 heures suivant le moment où le fabricant a pris connaissance de la vulnérabilité activement exploitée, qui fournit des informations générales, le cas échéant, sur le produit comportant les éléments numériques concernés, la nature générale de l'exploitation et de la vulnérabilité concernée, ainsi que toute mesure corrective ou d'atténuation prise, et les mesures correctives ou d'atténuation que les utilisateurs peuvent prendre, et qui indique également, le cas échéant, le degré de sensibilité que le fabricant considère comme étant celui des informations notifiées ;

(c) à moins que les informations pertinentes n'aient déjà été fournies, un rapport final, au plus tard 14 jours après qu'une mesure corrective ou d'atténuation est disponible, comprenant au moins les éléments suivants :

(i) une description de la vulnérabilité, y compris sa gravité et son impact ;

(ii) le cas échéant, des informations concernant tout acteur malveillant qui a exploité ou qui exploite la vulnérabilité ;

(iii) des détails sur la mise à jour de sécurité ou d'autres mesures correctives qui ont été mises à disposition pour remédier à la vulnérabilité.

3. Un fabricant ▌ notifie ▌ tout incident grave ayant un impact sur la sécurité du produit comportant des éléments numériques dont il a connaissance simultanément au CSIRT désigné comme coordinateur, conformément au paragraphe 7 du présent article, et à l'ENISA. Le fabricant notifie cet incident par l'intermédiaire de la plateforme unique de notification établie à l'article 16.

4. Aux fins de la notification visée au paragraphe 3, les fabricants soumettent :

(a) an early warning notification on a severe incident having an impact on the security of the product with digital elements, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, including at least whether the incident is suspected of being caused by unlawful or malicious acts. The notification shall also indicate, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available;

(b) unless the relevant information has already been provided, an incident notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the incident, which shall provide general information, as available, about the nature of the incident, an initial assessment of the incident, as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take. The notification shall also indicate, where applicable, how sensitive the manufacturer deems the notified information to be;

(c) unless the relevant information has already been provided, a final report, within one month after the submission of the incident notification under point (b), including at least the following:

(i) a detailed description of the incident, including its severity and impact;

(ii) the type of threat or root cause that is likely to have triggered the incident;

(iii) applied and ongoing mitigation measures.

5. For the purpose of paragraph 3, an incident having an impact on the security of the product with digital elements shall be considered to be severe, where:

(a) it negatively affects or is capable to negatively affect the ability of a manufacturer’s product with digital elements to protect the availability, authenticity, integrity or confidentiality of sensitive or important data or functions; or

(b) it has led or is capable to lead to the introduction or execution of malicious code in a product with digital elements or in the network and information systems of a user of the product with digital elements.

6. Where necessary, the CSIRT designated as coordinator initially receiving the notification may request manufacturers to provide an intermediate report on relevant status updates about the actively exploited vulnerability or severe incident having an impact on the security of the product with digital elements.

7. The notifications referred to in paragraphs 1 and 3 shall be submitted via the single reporting platform referred to in Article 16 using one of the electronic notification endpoints referred to in Article 16(1). The notification shall be submitted using the electronic notification end point of the CSIRT designated as coordinator of the Member State where the manufacturers have their main establishment in the Union and shall be simultaneously accessible to ENISA.

For the purposes of this Regulation, a manufacturer shall be considered to have its main establishment in the Union in the Member State where the decisions related to the cybersecurity of its products with digital elements are predominantly taken. If such a Member State cannot be determined, the main establishment shall be considered to be in the Member State where the manufacturer concerned has the establishment with the
highest number of employees in the Union.

Where a manufacturer has no main establishment in the Union, it shall submit the notifications referred to in paragraphs 1 and 3 using the electronic notification endpoint of the CSIRT designated as coordinator in the Member State determined pursuant to the following order and based on the information available to the manufacturer:

(a) the Member State in which the authorised representative acting on behalf of the manufacturer for the highest number of the products with digital elements is established;

(b) the Member State in which the importer placing on the market the highest number of products with digital elements of that manufacturer is established;

(c) the Member State in which the distributor making available the highest number of products with digital elements of that manufacturer is established;

(d) the Member State in which the highest number of users of the products with digital elements of that manufacturer are located.

In  relation to point (d) of the third subparagraph, a manufacturer may submit notifications related to any subsequent actively exploited vulnerability or severe incident having an impact on the security of the product with digital elements to the same CSIRT designated as coordinator to which it first reported.

8. ▌After becoming aware of an actively exploited vulnerability or a severe incident, the manufacturer shall inform the impacted users of the product with digital elements, and where appropriate all users, about an actively exploited vulnerability or a severe incident having an impact on the security of the product with digital elements and, where necessary, about risk mitigation and any corrective measures that the users can deploy to mitigate the impact of that vulnerability or incident, where appropriate in a structured and easily automatically processible machine-readable format. Where the manufacturer fails to inform the users of the product with digital elements in a timely manner, the notified CSIRTs designated as coorindators may provide such information to the
users when considered proportionate and necessary for preventing or mitigating the impact of that vulnerability or incident.

9. By… [12 months from the date of entry into force of this Regulation], the Commission shall adopt a delegated act in accordance with Article 61 to supplement this Regulation by specifying the terms and conditions for applying the cybersecurity related grounds in relation to delaying the dissemination of notifications as referred to in Article 16(2). The commission shall cooperate with the CSIRTs network as established pursuant to Article 15 of Directive (EU_ 2022/2555 and ENISA in preparing the draft delegated act.

10. The Commission may, by means of implementing acts, further the format and procedures of the notifications referred to in this Article as well as Articles 15 and 16. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 62(2). The Commission shall cooperate with the CSIRTs network and ENISA in preparing those draft implementing acts.

Article 15 –  Voluntary reporting 

1. Manufacturers as well as other natural or legal persons may notify any vulnerability contained in the product with digital elements as well as cyber threats that could affect the risk profile of the product with digital elements on a voluntary basis to a CSIRT designated as coordinator or ENISA.

2. Manufacturers as well as other natural or legal persons may notify any incident having an impact on the security of the product with digital elements as well as near misses that could have resulted in an incident having an impact on the security of the product with digital elements on a voluntary basis to a CSIRT designated as coordinator or ENISA.

3. The CSIRT designated as coordinator or ENISA shall process the notifications referred to in paragraphs 1 and 2 of this Article in accordance with the procedure laid down in Article 16.

The CSIRT designated as coordinator may prioritise the processing of mandatory notifications over voluntary notifications.

4. Where a natural or legal person other than the manufacturer notifies an actively exploited vulnerability or a severe incident having an impact on the security of a product with digital elements in accordance with paragraphs 1 or 2 of this Article, the CSIRT designated as coordinator shall without undue delay inform the manufacturer.

5. The CSIRTs designated as coordinator as well as ENISA shall ensure the confidentiality and appropriate protection of the information provided by the notifying natural or legal person. Without prejudice to the prevention, investigation, detection and prosecution of criminal offences, voluntary reporting shall not result in the imposition of any additional obligations upon the notifying natural or legal person to which it would not have been subject had it not submitted the notification.

Article 16 – Establishment of a single reporting platform

1. For the purposes of the notifications referred to in Article 14(1) and (3) and Article 15(1) and (2) in order to simplify the reporting obligations of manufacturers, a single reporting platform shall be established by ENISA. The day-to-day operations managed and maintained by ENISA. The architecture of the single reporting platform shall allow Member States and ENISA to put in place their own electronic notification end-points.

2. After receiving a notification, the CSIRT designated as coordinator initially receiving the notification shall, without delay, disseminate the notification via the single reporting platform to all the CSIRTs designated as coordinators on whose territory the manufacturer has indicated that the product with digital elements has been made available.

In exceptional circumstances and in particular upon request by the manufacturer and in light of the level of sensitivity of the notified information as indicated by the manufacturer under Article 14(2), point (a), of this Regulation, the dissemination of the notification may be delayed based on justified cybersecurity related grounds for a period of time that is strictly necessary, including in cases where a vulnerability is subject to a coordinated vulnerability disclosure procedure as referred to in Article 12(1) of Directive (EU) 2022/2555. Where a CSIRT decides to withhold a notification, it shall immediately inform ENISA about the decision and provide both a justification for withholding the notification as well as an indication of when it will disseminate the notification in accordance with the dissemination procedure laid down in this paragraph. ENISA may support the CSIRT on the application of cybersecurity related
grounds in relation to delaying the dissemination of the notification.

In particularly exceptional circumstances, when the manufacturer marks in a
notification referred to in Article 14(2), point (b):

(a) that the notified vulnerability has been actively exploited by a malicious actor and that,
according to the information available, it has been exploited in no other Member State than the one of the CSIRT to which the manufacturer has notified the vulnerability;

(b) that any immediate further dissemination of the notified vulnerability would likely result in the supply of information the disclosure of which would be contrary to the essential interests of that Member State; or

(c) that the notified vulnerability poses an imminent high cybersecurity risk stemming from the further dissemination.

Only the information that a notification was made by the manufacturer, the general information about the product, the information on the general nature of the exploit and the information that security related grounds were raised are made available simultaneously to ENISA until the full notification is disseminated to the CSIRTs concerned and ENISA. Where, based on that information, ENISA considers that there is a systemic risk affecting security in the internal market, it shall recommend to the recipient CSIRT that it disseminate the full notification to the other CSIRTs designated as coordinators and to ENISA itself.

3. After receiving a notification regarding an actively exploited vulnerability in a product
with digital elements or regarding a severe incident having an impact on the security of a product with digital elements, the CSIRTs shall provide the market surveillance authorities of their respective Member States with the notified information necessary for
the market surveillance authorities to fulfil their obligations under this Regulation.

4. ENISA shall take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of the single reporting platform and the information submitted or disseminated via the single reporting platform. It shall notify without undue delay any security incident affecting the single reporting platform to the CSIRTs network as well as to the Commission.

5. ENISA, in cooperation with the CSIRTs network, shall provide and implement
specifications on the technical, operational and organisational measures regarding the establishment, maintenance and secure operation of the single reporting platform referred to in paragraph 1, including at least the security arrangements related to the establishment, operation and maintenance of the single reporting platform, as well as the
electronic notification end-points set up by the CSIRTs designated as coordinators at national level and ENISA at Union level, including procedural aspects to ensure that, where a notified vulnerability has no corrective or mitigating measures available, information about that vulnerability is shared in line with strict security protocols and on a need-to-know-basis.

6. Where a CSIRT designated as coordinator has been made aware of an actively exploited vulnerability as part of a coordinated vulnerability disclosure procedure as referred to in
Article 12(1) of Directive (EU) 2022/2555, the CSIRT designated as coordinator initially receiving the notification may delay the dissemination of the respective notification via
the single reporting platform based on justified cybersecurity related grounds for a period of time that is strictly necessary and until consent for disclosure by the involved coordinated vulnerability disclosure parties is given. That requirement shall not prevent manufacturers from notifying such a vulnerability on a voluntary basis in accordance with the procedure laid down in this Article.

Article 17 – Other provisions related to reporting

1. ENISA may submit to the European cyber crisis liaison organisation network (EUCyCLONe) established under Article 16 of Directive (EU) 2022/2555 information
notified pursuant to Article 14(1) and (3) and Article 15(1) and (2) if such information is relevant for the coordinated management of large-scale cybersecurity incidents and crises at an operational level. For the purpose of determining such relevance, ENISA may consider technical analyses performed by the CSIRTs network, where available.

2. Where public awareness is necessary to prevent or mitigate a severe incident having an impact on the security of the product with digital elements or to deal with an ongoing incident, or where disclosure of the incident is otherwise in the public interest, the CSIRT designated as coordinator of the relevant Member State, may, after consulting the manufacturer concerned, and where appropriate in cooperation with ENISA, inform the public about the incident or require the manufacturer to do so.

3. ENISA, on the basis of the notifications received pursuant to Article 14(1) and (3) and Article 15(1) and (2), shall prepare, every 24 months, a technical report on emerging trends regarding cybersecurity risks in products with digital elements and submit it to the Cooperation Group established under Article 14 of Directive (EU) 2022/2555. The first such report shall be submitted within 24 months after the obligations laid down in Article 14(1) and (3) start applying. ENISA shall
include relevant information from its technical reports in its report on the state of cybersecurity in the Union pursuant to Article 18 of Directive (EU) 2022/2555.

4. The mere act of notification in accordance with Article 14(1) and (3) or Article 15(1) and (2) shall not subject the notifying natural or legal person to increased liability.

5. After a security update or another form of corrective or mitigating measure is available, ENISA shall, in agreement with the manufacturer of the product with digital elements concerned, add the notified publicly known vulnerability notified pursuant to Article 14(1) or Article 15(1) of this Regulation to the European vulnerability database established pursuant to Article 12(2) of Directive (EU) 2022/2555.

6. The CSIRTs designated as coordinators shall provide helpdesk support in relation to the reporting obligations under Article 14 to manufacturers and in particular manufacturers that qualify as microenterprises or as small or medium-sized enterprises.

Article 18 – Authorised representatives

1. A manufacturer may, by a written mandate, appoint an authorised representative.

2. The obligations laid down in Article 13(1) to (12), first subparagraph, and (14) shall not form part of the authorised representative’s mandate.

3. An authorised representative shall perform the tasks specified in the mandate received from the manufacturer. The authorised representative shall provide a copy of the mandate to the market surveillance authorities upon request. The mandate shall allow the authorised representative to do at least the following:

(a) keep the EU declaration of conformity referred to in Article 27 and the technical documentation referred to in Article 31 at the disposal of the market surveillance authorities for at least 10 years after the product with digital elements has been placed on the market, or for the support period, whichever is longer;

(b) further to a reasoned request from a market surveillance authority, provide that authority with all the information and documentation necessary to demonstrate the conformity of the product with digital elements;

(c) cooperate with the market surveillance authorities, at their request, on any action taken to eliminate the cybersecurity risks posed by a product with digital elements covered by the authorised representative’s mandate.

Article 19 – Obligations of importers

1. Importers shall place on the market only products with digital elements that comply with the essential requirements set out in Annex I, Part I and where the processes put in place by the manufacturer comply with the essential requirements set out in Annex I, Part II.

2. Before placing a product with digital elements on the market, importers shall ensure that:

(a) les procédures appropriées d'évaluation de la conformité visées à l'article 32 ont été effectuées par le fabricant ;

(b) le fabricant a établi la documentation technique ;

(c) the product with digital elements bears the CE marking referred to in Article 30 and is accompanied by the EU declaration of conformity as referred to in Article 13(20) and the information and instructions for use as set out in Annex II in a language which can be easily understood by users and market surveillance authorities;

(d) The manufacturer has complied with the requirements set out in Article 13(15), (16) and 19.

Aux fins du présent paragraphe, les importateurs doivent être en mesure de fournir les documents nécessaires prouvant le respect des exigences énoncées dans le présent article.

3. Where an importer considers or has reason to believe that a product with digital elements or the processes put in place by the manufacturer are not in conformity with this Regulation, the importer shall not place the product on the market until that product or the processes put in place by the manufacturer have been brought into conformity with this Regulation. Furthermore, where the product with digital elements presents a significant cybersecurity risk, the importer shall inform the manufacturer and the market surveillance authorities to that effect.

Where an importer has reason to believe that a product with digital elements may present a significant cybersecurity risk in light of non-technical risk factors, the importer shall inform the market surveillance authorities to that effect. Upon receipt of such information, the market surveillance authorities shall follow the procedures
referred to in Article 54(2).

4. Importers shall indicate their name, registered trade name or registered trademark, the postal address, email address or other digital contact as well as, where applicable, the website at which they can be contacted on the product with digital elements or ▌ on its packaging or in a document accompanying the product with digital elements. The contact details shall be in a language easily understood by users and market surveillance authorities.

5. Importers who know or have reason to believe that a product with digital elements, which they have placed on the market is not in conformity with this Regulation shall immediately
take the corrective measures necessary to ensure that the product with digital elements is brought into conformity with this Regulation▌, or to withdraw or recall the product, if appropriate.

Upon becoming aware of a vulnerability in the product with digital elements, importers shall inform the manufacturer without undue delay about that vulnerability. Furthermore, where the product with digital elements presents a significant cybersecurity risk, importers shall immediately inform the market surveillance authorities of the Member States in which they
have made the product with digital elements available on the market to that effect, giving details, in particular, of the non-conformity and of any corrective measures taken.

6. Importers shall, for at least 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer, keep a copy of the EU declaration of conformity at the disposal of the market surveillance authorities and ensure that the technical documentation can be made available to those authorities, upon request.

7. Importers shall, further to a reasoned request from a market surveillance authority, provide it with all the information and documentation, in paper or electronic form, necessary to demonstrate the conformity of the product with digital elements with the essential requirements set out in Annex I, Part I, as well as of the processes put in place by the manufacturer with the essential requirements set out in Annex I, Part II, in a language that can be easily understood by that authority. They shall cooperate with that authority, at its request, on any action taken to adequately reduce the cybersecurity risks posed by a product with digital elements, which they have placed on the market.

8. When the importer of a product with digital elements becomes aware that the manufacturer of that product ceased its operations and, as result, is not able to comply with the obligations laid down in this Regulation, the importer shall inform the relevant market surveillance authorities about this situation, as well as, by any means available and to the extent possible, the users of the products with digital elements placed on the market.

Article 20 – Obligations of distributors

1. When making a product with digital elements available on the market, distributors shall act with due care in relation to the requirements set out in this Regulation.

2. Before making a product with digital elements available on the market, distributors shall verify that:

(a) le produit comportant des éléments numériques porte le marquage CE ;

(b) the manufacturer and the importer have complied with the obligations set out respectively in Articles 13(15), (16), (18), (19) and (20) and Article 19(4) and have provided all necessary documents to the distributor.

3. Where a distributor considers or has reason to believe, on the basis of information in its possession, that a product with digital elements or the processes put in place by the manufacturer are not in conformity with the essential requirements set out in Annex I, the distributor shall not make the product with digital elements available on the market until that product or the processes put in place by the manufacturer have been brought into conformity with thie Regulation. Furthermore, where the product with digital elements poses a significant cybersecurity risk, the distributor shall inform, without undue delay, the manufacturer and the market surveillance authorities to that effect.

4. Distributors who know or have reason to believe, on the basis of information in their possession, that a product with digital elements, which they have made available on the market, or the processes put in place by its manufacturer are not in conformity with this Regulation shall make sure that the corrective measures necessary to bring that product with digital elements or the processes put in place by its manufacturer into conformity, or to withdraw or recall the product, if appropriate, are taken.

Dès qu'ils ont connaissance d'une vulnérabilité du produit contenant des éléments numériques, les distributeurs en informent le fabricant dans les meilleurs délais. En outre, lorsque le produit contenant des éléments numériques présente un risque significatif pour la cybersécurité, les distributeurs en informent immédiatement les autorités de surveillance du marché des États membres dans lesquels ils ont mis le produit contenant des éléments numériques à disposition sur le marché, en fournissant des précisions, notamment, sur la non-conformité et sur toute mesure corrective prise.

5. Distributors shall, further to a reasoned request from a market surveillance authority, provide it with all the information and documentation, in paper or electronic form, necessary to demonstrate the conformity of the product with digital elements and the processes put in place by its manufacturer with this Regulation in a language that can be easily understood by that authority. They shall cooperate with that authority, at its request, on any measures taken to eliminate the cybersecurity risks posed by a product with digital elements, which they have made available on the market.

6. When the distributor of a product with digital elements becomes aware, on the basis of information in its possession, that the manufacturer of that product ceased its operations and, as result, is not able to comply with the obligations laid down in this Regulation, the distributor shall inform, without undue delay, the relevant market surveillance authorities about this situation, as well as, by any means available and to the extent possible, the users of  the products with digital elements placed on the market.

Article 21 – Cases in which obligations of manufacturers apply to importers and distributors

An importer or distributor shall be considered a manufacturer for the purposes of this Regulation and shall be subject to ▌ Articles 13 and 14, where that importer or distributor places a product with digital elements on the market under its name or trademark or carries out a substantial modification of the product with digital elements already placed on the market.

Article 22 – Other cases in which obligations of manufacturers apply

1. A natural or legal person, other than the manufacturer, the importer or the distributor, that carries out a substantial modification of the product with digital elements and makes it available on the market, shall be considered a manufacturer for the purposes of this Regulation.

2. That person shall be subject to ▌ the obligations set out in Articles 13 and 14, for the part of the product that is affected by the substantial modification or, if the substantial modification has an impact on the cybersecurity of the product with digital elements as a whole, for the entire product.

Article 23 – Identification of economic operators

1. Economic operators shall, on request  ▌ , provide to the market surveillance authorities with the following information:

(a) name and address of any economic operator who has supplied them with a product with digital elements;

(b) name and address of any economic operator to whom they have supplied a product with digital elements, where the information is available;

2. Economic operators shall be able to present the information referred to in paragraph 1 for ten years after they have been supplied with the product with digital elements and for ten years after they have supplied the product with digital elements.

Article 24 – Obligations of open-source software stewards

1. Open-source software stewards shall put in place and document in a verifiable manner a cybersecurity policy to foster the development of a secure product with digital elements as well as an effective handling of vulnerabilities by the developers of that product. That policy shall also foster the voluntary reporting of vulnerabilities as laid down in Article 15 by the developers of that product and take into account the specific nature of the open source software steward and the legal and organisational arrangements to which it is subject. That policy shall, in particular, include aspects related to documenting, addressing and remediating vulnerabilities and promote the sharing of information concerning discovered vulnerabilities within the open-source community.

2. Open-source software stewards shall cooperate with the market surveillance authorities, at their request, with a view to mitigating the cybersecurity risks posed by a product with digital elements qualifying as free and open-source software.

Further to a reasoned request from a market surveillance authority, open-source software stewards shall provide that authority, in a language which can be easily understood by it, with the documentation referred to in paragraph 1, in paper or electronic form.

3. The obligations laid down in Article 14(1) shall apply to open-source software stewards to the extent that they are involved in the development of the products with digital elements. The obligations laid down in Article 14(3) and (8) shall apply to open-source software stewards to the extent that severe incidents having an impact on the security of products with digital elements affect network and information
systems provided by the open-source software stewards for the development of such products.

Article 25 – Security attestation of free and open-source software

In order to facilitate the due diligence obligation set out in Article 13(5), in particular as regards manufacturers that integrate free and open-source software components in their products with digital elements, the Commission is empowered to adopt delegated acts in accordance with Article 61 to supplement this Regulation by establishing voluntary security attestation programmes allowing the developers or users of products with digital elements qualifying as free and open-source software as well as other third parties to assess the conformity of such products with all or certain essential requirements or other obligations laid down in this Regulation.

Article 26 – Guidance

1. In order to facilitate implementation and ensure consistency, the Commission shall publish guidance to assist the economic operators in applying this Regulation, with a particular focus on facilitating compliance by microenterprises, small enterprises and medium-sized enterprises.

2. Where it intends to provide guidance as referred to in paragraph 1, the Commission shall address at least the following aspects:

(a) the scope of this Regulation, with a particular focus on remote data processing solutions and free and open-source software;

(b) the application of the support periods in relation to particulaar categories of products with digital elements; 

(c) guidance targeted at manufacturers subject to this Regulation that are also subject to Union harmonisation legislation or other than this Regulation or to other related Union legal acts;

(d) the notion of substantial modifications.

The Commission shall also maintain an easy-to-access list of the delegated and implementing acts adopted pursuant to this Regulation. 

3. When preparing the guidance pursuant to this Article, the Commission shall consult relevant stakeholders.

CHAPTER III
CONFORMITY OF THE PRODUCT WITH DIGITAL ELEMENTS

Article 27 – Presumption of conformity

1. Products with digital elements and processes put in place by the manufacturer which are in conformity with harmonised standards or parts thereof the references of which have been published in the Official Journal of the European Union shall be presumed to be in conformity with the essential requirements set out in Annex I covered by those standards or parts thereof.

The Commission shall, in accordance with Article 10(1) of Regulation (EU) 1025/2012, request one or more European standardisation organisations to draft harmonised standards for the essential requirements set out in Annex I to this Regulation. When preparing the standardisation request for this Regulation, the Commission shall strive to take into account existing international and European standards for cybersecurity that are in place or under development in order to simplify the development of harmonised standards, in line with Regulation (EU) 1025/2012.


2. The Commission may adopt implementing acts establishing common specifications covering technical requirements that provide a means to comply with the essential requirements set out in Annex I for products with digital elements within the scope of this Regulation.

Those implementing acts shall only be adopted where the following conditions are fulfilled:

(a) the Commission has requested, pursuant to Article 10(1) of Regulation (EU) No 1025/2012, one or more European standardisation organisations to draft a harmonised standard for the essential requirements set out in Annex I and:

(i) the request has not been accepted;

(ii) the harmonised standards addressing that request are not delivered within the deadline set in accordance with Article 10(1) of Regulation (EU) No 1025/2012;

(iii) the harmonised standards do not comply with the request; and

(b) no reference to harmonised standards covering the relevant essential requirements set out in Annex I has been published in the Official Journal of the European Union in accordance with Regulation (EU) No 1025/2012 and no such reference is expected to be published within a reasonable period. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 62(2).

3. Before preparing the draft implementing act referred to in paragraph 2, the Commission shall inform the committee referred to in Article 22 of Regulation (EU) No 1025/2012
that it considers that the conditions in paragraph 2 have been fulfilled.

4. When preparing the draft implementing act referred to in paragraph 2, the Commission shall take into account the views of relevant bodies and shall duly consult all relevant
stakeholders.

5. Products with digital elements and processes put in place by the manufacturer which are in conformity with the common specifications established by implementing acts referred
to in paragraph 2 of this Article, or parts thereof, shall be presumed to be in conformity with the essential requirements set out in Annex I covered by those common specifications or parts thereof.

6. Where a harmonised standard is adopted by a European standardisation organisation and proposed to the Commission for the purpose of publishing its reference in the Official Journal of the European Union, the Commission shall assess the harmonised standard in accordance with Regulation (EU) No 1025/2012. When reference of a harmonised standard is published in the Official Journal of the European Union, the
Commission shall repeal the implementing acts referred to in paragraph 2, or parts thereof which cover the same essential requirements as those covered by that harmonised standard. 

7. Where a Member State considers that a common specification does not entirely satisfy the essential requirements set out in Annex I, it shall inform the Commission thereof by submitting a detailed explanation. The Commission shall assess that detailed
explanation and may, if appropriate, amend the implementing act establishing the common specification in question. 

8. Products with digital elements and processes put in place by the manufacturer for which an EU statement of conformity or certificate has been issued under a European cybersecurity certification scheme adopted pursuant to Regulation (EU) 2019/881 ▌, shall be presumed to be in conformity with the essential requirements set out in Annex I in so far as the EU statement of conformity or European cybersecurity certificate, or parts thereof, cover those requirements.

10. The Commission is empowered to adopt delegated acts in accordance with Article 61 to supplement this Regulation by specifying the European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 that can be used to demonstrate conformity of products with digital elements with the essential requirements or parts thereof as set out in Annex I to this Regulation. Furthermore, the issuance of a European cybersecurity certificate
issued under such schemes, at least at assurance level ‘substantial’, eliminates the obligation of a manufacturer to carry out a third-party conformity assessment for the corresponding requirements, as set out in Article 32(2), poins (a) and (b), article 32(3), points (a) and (b), of this Regulation. ▌

Article 28 – EU declaration of conformity

1. The EU declaration of conformity shall be drawn up by manufacturers in accordance with Article 13(12) and state that the fulfilment of the applicable essential requirements set out in Annex I has been demonstrated.

2. The EU declaration of conformity shall have the model structure set out in Annex V and shall contain the elements specified in the relevant conformity assessment procedures set out in Annex VIII. Such a declaration shall be updated as appropriate. It shall be made available in the language or languages required by the Member State in which the product with digital elements is placed on the market or made available on the market.

The simplified EU declaration of conformity referred to in Article 13(20) shall contain the model structure set out in Annex VI. It shall be made available in the languages required by the Member State in which the product with digital elements is placed on the market or made available on the market. 

3. Where a product with digital elements is subject to more than one Union act requiring an EU declaration of conformity, a single EU declaration of conformity shall be drawn up in respect of all such Union legal acts. That declaration shall contain the identification of the Union acts concerned, including their publication references.

4. By drawing up the EU declaration of conformity, the manufacturer shall assume responsibility for the compliance of the product with digital elements.

5. The Commission is empowered to adopt delegated acts in accordance with Article 50 to supplement this Regulation by adding elements to the minimum content of the EU declaration of conformity set out in Annex IV to take account of technological developments.

Article 29 – General principles of the CE marking

The CE marking as defined in Article 30 shall be subject to the general principles set out in Article 30 of Regulation (EC) No 765/2008.

Article 30 – Rules and conditions for affixing the CE marking

1. The CE marking shall be affixed visibly, legibly and indelibly to the product with digital elements. Where that is not possible or not warranted on account of the nature of the product with digital elements, it shall be affixed to the packaging and to the EU declaration of conformity referred to in Article 20 accompanying the product with digital elements. For products with digital elements which are in the form of software, the CE marking shall be affixed either to the EU declaration of conformity referred to in Article 20 or on the website accompanying the software product. In the latter case, the relevant section of the website shall be easily and directly accessible to consumers.

2. On account of the nature of the product with digital elements, the height of the CE marking affixed to the product with digital elements may be lower than 5 mm, provided that it remains visible and legible.

3. The CE marking shall be affixed before the product with digital elements is placed on the market. It may be followed by a pictogram or any other mark indicating a special cybersecurity risk or use set out in implementing acts referred to in paragraph 6.

4. The CE marking shall be followed by the identification number of the notified body, where that body is involved in the conformity assessment procedure based on full quality assurance (based on module H) referred to in Article 32.

The identification number of the notified body shall be affixed by the body itself or, under its instructions, by the manufacturer or the manufacturer’s authorised representative.

5. Member States shall build upon existing mechanisms to ensure correct application of the regime governing the CE marking and shall take appropriate action in the event of improper use of that marking. Where the product with digital elements is subject to other Union harmonisation legislation other than this Regulation which also provides for the affixing of the CE marking, the CE marking shall indicate that the product also fulfils the requirements of such other Union harmonisation legislation.

6. The Commission may, by means of implementing acts, lay down technical specifications for labels, pictograms or any other marks related to the security of the products with digital elements, their support period and mechanisms to promote their use and to increase public awareness about the security of products with digital elements. When preparing the draft implementing act, the Commission shall consult relevant stakeholders, and, if it has already been established pursuant to Article 52(15), ADCO. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 62(2).

Article 31 – Technical documentation 

1. The technical documentation shall contain all relevant data or details of the means used by the manufacturer to ensure that the product with digital elements and the processes put in place by the manufacturer comply with the essential requirements set out in Annex I. It shall at least contain the elements set out in Annex VII.

2. The technical documentation shall be drawn up before the product with digital elements is placed on the market and shall be continuously updated, where appropriate, during at least the support period.

3. For products with digital elements referred to in Articles 8 and 24(4) that are also subject to other Union legal acts which provide for technical documentation, a single set of technical documentation shall be drawn up containing the information referred to in Annex VII of this Regulation and the information required by those respective Union legal acts.

4. The technical documentation and correspondence relating to any conformity assessment procedure shall be drawn up in an official language of the Member State in which the notified body is established or in a language acceptable to that body.

5. The Commission is empowered to adopt delegated acts in accordance with Article 61 to supplement this Regulation by adding elements to be included in the technical documentation set out in Annex VII to take account of technological developments, as well as developments encountered in the implementation process of this Regulation. To that end, the Commission shall strive to ensure that the administrative burden on microenterprises and small and medium-sized enterprises is proportionate.

Article 32 – Conformity assessment procedures for products with digital elements 

1. The manufacturer shall perform a conformity assessment of the product with digital elements and the processes put in place by the manufacturer to determine whether the essential requirements set out in Annex I are met. The manufacturer shall demonstrate conformity with the essential requirements by using any of the following procedures:

(a) the internal control procedure (based on module A) set out in Annex VIII; 

(b) the EU-type examination procedure (based on module B) set out in Annex VIII followed by conformity to EU-type based on internal production control (based on module C) set out in Annex VIII; 

(c) conformity assessment based on full quality assurance (based on module H) set out in Annex VIII; or

(d) where available and applicable, a European cybersecurity certification scheme as specified in Article 27(9).

2. Where, in assessing the compliance of an important product with digital elements of class I as set out in Annex III and the processes put in place by its manufacturer with the essential requirements set out in Annex I, the manufacturer has not applied or has applied only in part harmonised standards, common specifications or European cybersecurity certification schemes at assurance level at least ‘substantial’ as referred to in Article 27, or where such harmonised standards, common specifications or European cybersecurity certification schemes do not exist, the product with digital elements concerned and the processes put in place by the manufacturer shall be submitted with regard to those essential requirements to any of the following procedures:

(a) the EU-type examination procedure (based on module B) set out in Annex VIII followed by conformity to EU-type based on internal production control (based on module C) set out in Annex VIII; or

(b) conformity assessment based on full quality assurance (based on module H) set out in Annex VIII.

3. Where the product is an important product with digital elements that falls under class II as set out in Annex III, the manufacturer shall demonstrate conformity with the essential requirements set out in Annex I by using any of the following procedures:

(a) EU-type examination procedure (based on module B) set out in Annex VIII followed by conformity to EU-type based on internal production control (based on module C) set out in Annex VIII; 

(b) conformity assessment based on full quality assurance (based on module H) set out in Annex VIII; or

(c) where available and applicable, a European cybersecurity certification scheme as specified in Article 27(9) at assurance level at least substantial pursuant to Regulation (EU) 2019/881.

4. Critical products with digital elements listed in Annex IIIa shall demonstrate conformity with the essential requirements set out in Annex I by using one of the following procedures:

(a) a European cybersecurity certification scheme in accordance with Article 8(1), or,

(b) where the conditions in Article 8(1) are not met, any of the procedures referred to in paragraph 3 of this Article.

5. Manufacturers of products with digital elements qualifying as free and open-source software, which fall under the categories listed in Annex III to this Regulation, shall be able to demonstrate conformity with the essential requirements set out in Annex I by
using one of the procedures referred to in paragraph 1 of this Article, provided that the technical documentation referred to in Article 31 is made available to the public at the time of the placing on the market of those products.

6. Manufacturers of products with digital elements that are classified as EHR systems under ▌ Regulation [the European Health Data Space Regulation] shall demonstrate conformity
with the essential requirements laid down in Annex I of this Regulation using the relevant conformity assessment procedure provided for in Regulation [Chapter III of the European
Health Data Space Regulation].

7. ▌The specific interests and needs of microenterprises and small and medium-sized enterprises, including start-ups, shall be taken into account when setting the fees for conformity assessment procedures and ▌those fees shall be reduced proportionately to their specific interests and needs.

Article 33 – Support measures for micro, small and medium-sized enterprises, including start-ups

1. Member States shall, where appropriate, undertake the following actions, tailored to the needs of micro and small enterprises:

(a) organise specific awareness-raising and training activities about the application of this Regulation;

(b) establish a dedicated channel for communication with micro and small enterprises and, as appropriate, local public authorities to provide advice and respond to queries about the implementation of this Regulation;

(c) support testing and conformity assessment activities, including where relevant with the support of the European Cybersecurity Competence Center.

2. Member States may, where appropriate, establish cyber resilience regulatory sandboxes. Such regulatory sandboxes shall provide for controlled testing environments for innovative products with digital elements to facilitate their development, design, validation and testing in view of complying with this Regulation for a limited period of time before the placement of the market. The Commission, and where appropriate
ENISA, may provide technical support, advice and tools for the establishment and operation of regulatory sandboxes. The regulatory sandboxes shall be set up under the direct supervision, guidance and support by the market surveillance authorities. Member States shall inform the Commission and the other market surveillance authorities of the establishment of a regulatory sandbox through ADCO. The regulatory sandboxes shall not affect the supervisory and corrective powers of the competent authorities. Member States shall ensure open, fair, and transparent access to regulatory sandboxes, and in particular facilitate the access for micro and small enterprises, including start-ups.

3. In accordance with Article 26, the Commission shall ensure the development of guidance for micro, small and medium-sized enterprises in relation to the implementation of this Regulation.

4. The Commission shall advertise available financial support in the regulatory framework of existing Union programmes, in particular in order to ease the financial burden on micro and small enterprises.

5. Micro and small enterprises may provide all elements of the technical documentation specified in Annex VIII by using a simplified format. For this purpose, the Commission shall, by means of implementing acts, specify the simplified technical documentation form targeted at the needs of micro and small enterprises, including how the elements of Annex VIII are to be provided. Where a micro or small enterprise opts to provide the
information required in Annex VIII in a simplified manner, it shall use the form referred to in this paragraph. Notified bodies shall accept the form for the purpose of conformity assessment.

The implementing acts referred to in this paragraph shall be adopted in accordance with the examination procedure referred to in Article 62(2).

Article 34 – Mutual recognition agreements

Taking into account the level of technical development and the approach on conformity assessment of a third country, the Union may conclude Mutual Recognition Agreements with third countries, in accordance with Article 218 TFEU, in order to promote and facilitate international trade.

CHAPTER IV
NOTIFICATION OF CONFORMITY ASSESSMENT BODIES

Article 35 – Notification

1. Member States shall notify the Commission and the other Member States of ▌ bodies authorised to carry out conformity assessments in accordance with this Regulation.

2. Member States shall strive to ensure, by… [24 months from the date of entry into force of this Regulation] that there is a sufficient number of notified bodies in the Union to carry our conformity assessments, in order to avoid bottlenecks and hindrances to market entry.

Article 36 – Notifying authorities

1. Member States shall designate a notifying authority that shall be responsible for setting up and carrying out the necessary procedures for the assessment and notification of conformity assessment bodies and the monitoring of notified bodies, including compliance with Article 41.

2. Member States may decide that the assessment and monitoring referred to in paragraph 1 of this Article shall be carried out by a national accreditation body within the meaning of and in accordance with Regulation (EC) No 765/2008.

3. Where the notifying authority delegates or otherwise entrusts the assessment, notification or monitoring referred to in paragraph 1 of this Article to a body which is not a governmental entity, that body shall be a legal entity and shall comply mutatis mutandis with Article 37. In addition it shall have arrangements to cover liabilities arising out of its activities.

4. The notifying authority shall take full responsability for the tasks performed by the body referred to in paragraph 3.

Article 37 – Requirements relating to notifying authorities

1. A notifying authority shall be established in such a way that no conflict of interest with conformity assessment bodies occurs.

2. A notifying authority shall be organised and shall function so as to safeguard the objectivity and impartiality of its activities.

3. A notifying authority shall be organised in such a way that each decision relating to notification of a conformity assessment body is taken by competent persons different from those who carried out the assessment.

4. A notifying authority shall not offer or provide any activities that conformity assessment bodies perform or consultancy services on commercial or competitive basis.

5. A notifying authority shall safeguard the confidentiality of the information it obtains.

6. A notifying authority shall have a sufficient number of competent personnel at its disposal for the proper performance of its tasks.

Article 38 – Information obligation on notifying authorities

1. Member States shall inform the Commission of their procedures for the assessment and notification of conformity assessment bodies and the monitoring of notified bodies, and of
any changes thereto.

2. The Commission shall make the information referred to in paragraph 1 publicly available.

 

Article 39 – Requirements relating to notified bodies

1. For the purposes of notification, a conformity assessment body shall meet the requirements laid down in paragraphs 2 to 12.

2. A conformity assessment body shall be established under national law and have legal personality.

3. A conformity assessment body shall be a third-party body independent of the organisation or the product with digital elements it assesses.

A body belonging to a business association or professional federation representing undertakings involved in the design, development, production, provision, assembly, use or maintenance of products with digital elements which it assesses, may, on condition that its independence and the absence of any conflict of interest are demonstrated, be considered to be such a body.

4. A conformity assessment body, its top level management and the personnel responsible for carrying out the conformity assessment tasks shall not be the designer, developer, manufacturer, supplier, importer, distributor, installer, purchaser, owner, user or maintainer of the products with digital elements which they assess, nor the authorised representative of any of those parties. This shall not preclude the use of assessed products that are necessary for the operations of the conformity assessment body or the use of such products for personal purposes. 

A conformity assessment body, its top level management and the personnel responsible for  carrying out the conformity assessment tasks shall not be directly involved in the design, development, production, import, distribution, the marketing, installation, use or maintenance of those products with digital elements which they assess, or represent the parties engaged in those activities. They shall not engage in any activity that may conflict with their independence of judgement or integrity in relation to conformity assessment activities for which they are notified. This shall in particular apply to consultancy services.

Conformity assessment bodies shall ensure that the activities of their subsidiaries or subcontractors do not affect the confidentiality, objectivity or impartiality of their conformity assessment activities.

5. Conformity assessment bodies and their personnel shall carry out the conformity assessment activities with the highest degree of professional integrity and the requisite technical competence in the specific field and shall be free from all pressures and inducements, particularly financial, which might influence their judgement or the results of their conformity assessment activities, especially as regards persons or groups of persons with an interest in the results of those activities.

6. A conformity assessment body shall be capable of carrying out all the conformity assessment tasks referred to in Annex VI and in relation to which it has been notified, regardless of whether those tasks are carried out by the conformity assessment body itself or on its behalf and under its responsibility. At all times and for each conformity assessment procedure and each kind or category of products with digital elements in relation to which it has been notified, a conformity assessment body shall have at its disposal the necessary:

(a) personnel with technical knowledge and sufficient and appropriate experience to perform the conformity assessment tasks;

(b) descriptions of procedures in accordance with which conformity assessment is to be carried out, ensuring the transparency and the ability of reproduction of those procedures. It shall have appropriate policies and procedures in place that distinguish between tasks it carries out as a notified body and other activities;

(c) procedures for the performance of activities which take due account of the size of an undertaking, the sector in which it operates, its structure, the degree of complexity of the product technology in question and the mass or serial nature of the production process.

A conformity assessment body shall have the means necessary to perform the technical and administrative tasks connected with the conformity assessment activities in an appropriate manner and shall have access to all necessary equipment or facilities.

7. The personnel responsible for carrying out conformity assessment activities shall have the following:

(a) sound technical and vocational training covering all the conformity assessment activities in relation to which the conformity assessment body has been notified;

(b) satisfactory knowledge of the requirements of the assessments they carry out and adequate authority to carry out those assessments;

(c) appropriate knowledge and understanding of the essential requirements set out in Annex I, of the applicable harmonised standards and common specifications and of the relevant provisions of Union harmonisation legislation and of its implementing acts;

(d) the ability to draw up certificates, records and reports demonstrating that assessments have been carried out.

8. The impartiality of the conformity assessment bodies, their top level management and of the assessment personnel shall be guaranteed.

The remuneration of the top level management and assessment personnel of a conformity assessment body shall not depend on the number of assessments carried out or on the results of those assessments.

9. Conformity assessment bodies shall take out liability insurance unless liability is assumed by their Member State in accordance with national law, or the Member State itself is directly responsible for the conformity assessment.

10. The personnel of a conformity assessment body shall observe professional secrecy with regard to all information obtained in carrying out their tasks under Annex VI or any provision of national law giving effect to it, except in relation to the market surveillance authorities of the Member State in which its activities are carried out. Proprietary rights shall be protected. The conformity assessment body shall have documented procedures ensuring compliance with this paragraph.

11. Conformity assessment bodies shall participate in, or ensure that their assessment personnel are informed of, the relevant standardisation activities and the activities of the notified body coordination group established under Article 51 and apply as general guidance the administrative decisions and documents produced as a result of the work of that group.

12. Conformity assessment bodies shall operate in accordance with a set of consistent, fair, proportionate and reasonable terms and conditions, while avoiding unnecessary burdens for economic operators, in particular taking into account the interests of microenterprises and small and medium-sized enterprises in relation to fees.

Article 40 – Presumption of conformity of notified bodies

Where a conformity assessment body demonstrates its conformity with the criteria laid down in the relevant harmonised standards or parts thereof the references of which have been published in the Official Journal of the European Union it shall be presumed to comply with the requirements set out in Article 39 in so far as the applicable harmonised standards cover those requirements.

Article 41 – Subsidiaries of and subcontracting by notified bodies

1. Where a notified body subcontracts specific tasks connected with conformity assessment or has recourse to a subsidiary, it shall ensure that the subcontractor or the subsidiary meets the requirements set out in Article 39 and shall inform the notifying authority accordingly.

2. Notified bodies shall take full responsibility for the tasks performed by subcontractors or subsidiaries wherever these are established.

3. Activities may be subcontracted or carried out by a subsidiary only with the agreement of the manufacturer.

4. Notified bodies shall keep at the disposal of the notifying authority the relevant documents concerning the assessment of the qualifications of the subcontractor or the subsidiary and the work carried out by them under this Regulation.

Article 42 – Application for notification

1. A conformity assessment body shall submit an application for notification to the notifying authority of the Member State in which it is established.

2. That application shall be accompanied by a description of the conformity assessment activities, the conformity assessment procedure or procedures and the product or products with digital elements for which that body claims to be competent, as well, where applicable, by an accreditation certificate issued by a national accreditation body attesting that the conformity assessment body fulfils the requirements laid down in Article 39.

3. Where the conformity assessment body concerned cannot provide an accreditation certificate, it shall provide the notifying authority with all the documentary evidence necessary for the verification, recognition and regular monitoring of its compliance with the requirements laid down in Article 39.

Article 43 – Notification procedure

1. Notifying authorities may notify only conformity assessment bodies, which have satisfied the requirements laid down in Article 29.

2. The notifying authority shall notify the Commission and the other Member States using the New Approach Notified and Designated Organisations (NANDO) information system developed and managed by the Commission.

3. The notification shall include full details of the conformity assessment activities, the conformity assessment module or modules and product or products with digital elements concerned and the relevant attestation of competence.

4. Where a notification is not based on an accreditation certificate as referred to in Article 42(2), the notifying authority shall provide the Commission and the other Member States with documentary evidence which attests to the conformity assessment body’s competence and the arrangements in place to ensure that that body will be monitored regularly and will continue to satisfy the requirements laid down in Article 39.

5. The body concerned may perform the activities of a notified body only where no objections are raised by the Commission or the other Member States within two weeks of a notification where an accreditation certificate is used or within two months of a notification where accreditation is not used.

Only such a body shall be considered to be a notified body for the purposes of this Regulation.

6. The Commission and the other Member States shall be notified of any subsequent relevant changes to the notification.

Article 44 – Identification numbers and lists of notified bodies

1. The Commission shall assign an identification number to a notified body.

It shall assign a single such number even where the body is notified under several Union legal acts.

2. The Commission shall make publicly available the list of the bodies notified under this Regulation, including the identification numbers that have been allocated to them and the activities for which they have been notified.

The Commission shall ensure that that list is kept up to date.

Article 45 – Changes to notifications

1. Where a notifying authority has ascertained or has been informed that a notified body no longer meets the requirements laid down in Article 39, or that it is failing to fulfil its obligations, the notifying authority shall restrict, suspend or withdraw notification as appropriate, depending on the seriousness of the failure to meet those requirements or fulfil those obligations. It shall immediately inform the Commission and the other Member States accordingly.

2. In the event of restriction, suspension or withdrawal of notification, or where the notified body has ceased its activity, the notifying Member State shall take appropriate steps to ensure that the files of that body are either processed by another notified body or kept available for the responsible notifying and market surveillance authorities at their request.

Article 46 – Challenge of the competence of notified bodies

1. The Commission shall investigate all cases where it doubts, or where doubt is brought to its attention regarding, the competence of a notified body to meet, or the continued fulfilment by a notified body of, the requirements and responsibilities to which it is subject.

2. The notifying Member State shall provide the Commission, on request, with all information relating to the basis for the notification or the maintenance of the competence of the body concerned.

3. The Commission shall ensure that all sensitive information obtained in the course of its investigations is treated confidentially.

4. Where the Commission ascertains that a notified body does not meet or no longer meets the requirements for its notification, it shall inform the notifying Member State accordingly and request it to take the necessary corrective measures, including de-notification if necessary.

Article 47 – Operational obligations of notified bodies

1. Notified bodies shall carry out conformity assessments in accordance with the conformity assessment procedures provided for in Article 32 and Annex VIII.

2. Conformity assessments shall be carried out in a proportionate manner, avoiding unnecessary burdens for economic operators. Conformity assessment bodies shall perform their activities taking due account of the size of an undertaking, in particular as regards microenterprises and small and medium-enterprises, the sector in which they operates, their structure, their degree of complexity and the cybersecurity risk level of the product with digital elements and technology in question and the mass or serial nature of the production process.

3. Notified bodies shall however respect the degree of rigour and the level of protection required for the compliance of the product with digital elements with the provisions of Regulation.

4. Where a notified body finds that requirements laid down in Annex I or in corresponding harmonised standards or in common specifications as referred to in Article 27 have not been met by a manufacturer, it shall require that manufacturer to take appropriate corrective measures and shall not issue a certificate of conformity.

5. Where, in the course of the monitoring of conformity following the issuance of a certificate, a notified body finds that a product with digital elements no longer complies with the requirements laid down in this Regulation, it shall require the manufacturer to take appropriate corrective measures and shall suspend or withdraw the certificate if necessary.

6. Where corrective measures are not taken or do not have the required effect, the notified body shall restrict, suspend or withdraw any certificates, as appropriate.

Article 48 –  Appeal against decisions of notified bodies

Member States shall ensure that an appeal procedure agaisnt decisions of the notified bodies is available.

Article 49 – Information obligation on notified bodies

1. Notified bodies shall inform the notifying authority of the following:

(a) any refusal, restriction, suspension or withdrawal of a certificate;

(b) any circumstances affecting the scope of and conditions for notification;

(c) any request for information which they have received from market surveillance authorities regarding conformity assessment activities;

(d) on request, conformity assessment activities performed within the scope of their notification and any other activity performed, including cross-border activities and subcontracting.

2. Notified bodies shall provide the other bodies notified under this Regulation carrying out similar conformity assessment activities covering the same products with digital elements with relevant information on issues relating to negative and, upon request, positive conformity assessment results.

Article 50 – Exchange of experience

The Commission shall provide for the organisation of the exchange of experience between the Member States’ national authorities responsible for notification policy.

Article 51 – Coordination of notified bodies

1. The Commission shall ensure that appropriate coordination and cooperation between notified bodies are put in place and properly operated in the form of a cross sectoral group of notified bodies.

2. Member States shall ensure that the bodies notified by them participate in the work of that group, directly or by means of designated representatives.

CHAPTER V
MARKET SURVEILLANCE AND ENFORCEMENT

Article 52 – Market surveillance and control of products with digital elements in the Union market

1. Regulation (EU) 2019/1020 shall apply to the products with digital elements that falls within the scope of this Regulation.

2. Each Member State shall designate one or more market surveillance authorities for the purpose of ensuring the effective implementation of this Regulation. Member States may designate an existing or new authority to act as market surveillance authority for this Regulation.

3. The market surveillance authorities designated under paragraph 2 of this Article shall also be responsible for carrying out market surveillance activities in relation to the obligations placed on open-source software stewards in Article 124 of this Regulation. Where a market surveillance authority finds that an open-source software steward is not compliant with the obligations set out in that Article, it shall require the open-source software steward to ensure that all appropriate corrective actions are taken. Open-source software stewards shall ensure that all appropriate corrective action is taken in respect of their obligations under this Regulation.

4. Where relevant, the market surveillance authorities shall cooperate with the national cybersecurity certification authorities designated pursuant to Article 58 of Regulation (EU) 2019/881 and exchange information on a regular basis. With respect to the supervision of the implementation of the reporting obligations pursuant to Article 14 of this Regulation, the designated market surveillance authorities shall cooperate and exchange information on a regular basis with the CSIRTs designated as coordinators and ENISA.

5. The market surveillance authorities may request a CSIRT designated as coordinator or ENISA to provide technical advice on matters related to the implementation and enforcement of this Regulation. When conducting an investigation under Article 54, market surveillance authorities may request the CSIRT designated as coordinator or ENISA to provide an analysis to support evaluations of compliance of products with digital elements.

6. Where relevant, the market surveillance authorities shall cooperate with other market surveillance authorities designated on the basis of other Union harmonisation legislation other than this Regulation, and exchange information on a regular basis.

7. Market surveillance authorities shall cooperate, as appropriate, with the authorities supervising Union data protection law. Such cooperation includes informing these authorities of any finding relevant for the fulfilment of their competences, including when issuing guidance and advice pursuant to paragraph 10 if such guidance and advice concerns the processing of personal data. 

Authorities supervising Union data protection law shall have the power to request and access any documentation created or maintained under this Regulation when access to that documentation is necessary for the fulfilment of their tasks. They shall inform the designated market surveillance authorities of the Member State concerned of any such request.

8. Member States shall ensure that the designated market surveillance authorities are provided with adequate financial and technical resources, including, where appropriate, processing automation tools, as well as with human resources with the necessary cybersecurity skills to fulfil their tasks under this Regulation.

9. The Commission shall encourage and facilitate the exchange of experience between designated market surveillance authorities.

8. Market surveillance authorities may provide guidance and advice to economic operators on the implementation of this Regulation, with the support of the Commission, and where appropriate CSIRTs and ENISA.

11. Market surveillance authorities shall inform consumers of where to submit complaints that might indicate non-compliance with this Regulation, in accordance with Article 11 of Regulation 2019/1020, and also provide information to consumers on where and how
to access mechanisms to facilitate reporting of vulnerabilities, incidents and cyber threats that may affect products with digital elements.

12. Market surveillance authorities shall facilitate, where relevant, the cooperation with relevant stakeholders, including scientific, research and consumer organisations.

13. The market surveillance authorities shall report to the Commission on an annual basis the outcomes of relevant market surveillance activities. The designated market surveillance authorities shall report, without delay, to the Commission and relevant national competition authorities any information identified in the course of market surveillance activities that may be of potential interest for the application of Union competition law.

14. For products with digital elements that fall within the scope of this Regulation classified as high-risk AI systems pursuant to [Article 6] of the Regulation… [the AI Regulation], the market surveillance authorities designated for the purposes of the Regulation [the AI Regulation] shall be the authorities responsible for market surveillance activities required under this Regulation. The market surveillance authorities designated pursuant to Regulation [the AI Regulation] shall cooperate, as appropriate, with the market surveillance authorities designated pursuant to this Regulation and, with respect to the supervision of the implementation of the reporting obligations pursuant to Article 14 of this Regulation, with the  CSIRTs designated as coordinators and ENISA. Market surveillance authorities designated pursuant to Regulation… [the AI Regulation] shall in particular inform market surveillance authorities designated pursuant to this Regulation of any finding relevant for the fulfilment of their tasks in relation to the implementation of this Regulation.

15. ADCO shall be established for the uniform application of this Regulation, pursuant to Article 30(2) of Regulation (EU) 2019/1020. ADCO shall be composed of representatives of the designated market surveillance authorities and, if appropriate, representatives of single liaison offices. ADCO shall also address specific matters related to the market surveillance activites in relation to the obligations placed on open-source software stewards.

16. Market surveillance authorities shall monitor how manufacturers have applied the criteria referred to in Article 13(8) when determining the support period of their products with digital elements.

ADCO shall publish in a publicly accessible and user friendly manner relevant statistics on categories of products with digital elements, including their average support period,
as specified by the manufacturer pursuant to Article 10(10a), as well as provide guidance that includes indicative support periods for categories of products with digital
elements.

Where the data may suggest inadequate support periods for specific categories of
products with digital elements, ADCO may issue recommendations to market
surveillance authorities to focus their activities on such categories of products with
digital elements.

Article 53 – Access to data and documentation

Where necessary to assess the conformity of products with digital elements and the processes put in place by their manufacturers with the essential requirements set out in Annex I, the market surveillance authorities shall, upon a reasoned request, be granted access to the data, in a language easily understood by them, required to assess the design, development, production and vulnerability handling of such products, including related internal documentation of the relevant economic operator.

Article 54 – Procedure at national level concerning products with digital elements presenting a significant cybersecurity risk

1. Where the market surveillance authority of a Member State has sufficient reason to consider that a product with digital elements, including its vulnerability handling, presents a significant cybersecurity risk, it shall, without undue delay and, where appropriate, in cooperation with the relevant CSIRT, carry out an evaluation of the product with digital elements concerned in respect of its compliance with all the requirements laid down in this Regulation. The relevant economic operators shall cooperate as necessary with the market surveillance authority. Where, in the course of that evaluation, the market surveillance authority finds that the product with digital elements does not comply with the requirements laid down in this Regulation, it shall without delay require the relevant economic operator to take all appropriate corrective actions to bring the product with digital elements into compliance with those requirements, to withdraw it from the market, or to recall it within a reasonable period, commensurate with the nature of the cybersecurity risk, as the market surveillance authority may prescribe. The market surveillance authority shall inform the relevant notified body accordingly. Article 18 of Regulation (EU) 2019/1020 shall apply to the ▌ corrective actions. 

2. When determining the significance of a cybersecurity risk referred to in paragraph 1 of this Article, the market surveillance authorities shall also consider nontechnical risk factors, in particular those established as a result of Union level coordinated security risk assessments of critical supply chains carried out in accordance with Article 22 of Directive (EU) 2022/2555. Where a market surveillance authority has  sufficient reason to consider that a product with digital elements presents a significant cybersecurity risk in light of non-technical risk factors, it shall inform the competent authorities designated or established pursuant to Article 8 of Directive (EU) 2022/2555 and cooperate with those authorities as necessary.

3. Where the market surveillance authority considers that non compliance is not restricted to its national territory, it shall inform the Commission and the other Member States of the results of the evaluation and of the actions which it has required the economic operator to take.

4. The economic operator shall ensure that all appropriate corrective action is taken in respect of all the products with digital elements concerned that it has made available on the market throughout the Union.

5. Where the economic operator does not take adequate corrective action within the period referred to in paragraph 1, second subparagraph, the market surveillance authority shall take all appropriate provisional measures to prohibit or restrict that product with digital elements from being made available on its national market, to withdraw it from that market or to recall it.

That authority shall notify the Commission and the other Member States, without delay, of those measures.

6. The information referred to in paragraph 5 shall include all available details, in particular the data necessary for the identification of the non compliant product with digital elements, the origin of that product with digital elements, the nature of the alleged non-compliance and the risk involved, the nature and duration of the national measures taken and the arguments put forward by the relevant economic operator. In particular, the market surveillance authority shall indicate whether the non-compliance is due to one or more of the following:

(a) a failure of the product with digital elements or of the processes put in place by the manufacturer to meet the essential requirements set out in Annex I;

(b) shortcomings in the harmonised standards, European cybersecurity certification schemes, or common specifications, referred to in Article 27.

7. The market surveillance authorities of the Member States other than the market surveillance authority of the Member State initiating the procedure shall without delay inform the Commission and the other Member States of any measures adopted and of any additional information at their disposal relating to the non-compliance of the product with digital elements concerned, and, in the event of disagreement with the notified national measure, of their objections.

8. Where, within three months of receipt of the notification referred to in paragraph 5 of this Article, no objection has been raised by either a Member State or the Commission in respect of a provisional measure taken by a Member State, that measure shall be deemed justified. This is without prejudice to the procedural rights of the economic operator concerned in accordance with Article 18 of Regulation (EU) 2019/1020.

9. The market surveillance authorities of all Member States shall ensure that appropriate restrictive measures are taken in respect of the product with digital elements concerned, such as withdrawal of that product from their market, without delay.

 

Article 55 – Union safeguard procedure

1. Where, within three months of receipt of the notification referred to in Article 54(5), objections are raised by a Member State against a measure taken by another Member State, or where the Commission considers the measure to be contrary to Union law, the Commission shall without delay enter into consultation with the relevant Member State and the economic operator or operators and shall evaluate the national measure. On the basis of the results of that evaluation, the Commission shall decide whether the national measure is justified or not within nine months from the notification referred to in Article 54(5) and notify that decision to the Member State concerned.

2. If the national measure is considered to be justified, all Member States shall take the measures necessary to ensure that the non-compliant product with digital elements is withdrawn from their market, and shall inform the Commission accordingly. If the national measure is not considered to be justified, the Member State concerned shall withdraw the measure.

3. Where the national measure is considered justified and the non-compliance of the product with digital elements is attributed to shortcomings in the harmonised standards, the Commission shall apply the procedure provided for in Article 11 of Regulation (EU) No 1025/2012.

4. Where the national measure is considered justified and the non-compliance of the product with digital elements is attributed to shortcomings in a European cybersecurity certification scheme as referred to in Article 27, the Commission shall consider whether to amend or repeal delegated act adopted pursuant to Article 27(9) that specifies the presumption of conformity concerning that certification scheme.

5. Where the national measure is considered justified and the non compliance of the product with digital elements is attributed to shortcomings in common specifications as referred to in Article 27, the Commission shall consider whether to amend or repeal any implementing act adopted pursuant to Article 27(2) setting out those common specifications.

Article 56 – Procedure at Union level concerning products with digital elements presenting a significant cybersecurity risk

1. Where the Commission has sufficient reason to consider, including based on information provided by ENISA, that a product with digital elements that presents a significant cybersecurity risk does not comply with the requirements laid down in this Regulation, it shall inform the relevant market surveillance authorities. Where the market surveillance authorities carry out an evaluation of that product with digital elements that may present a significant cybersecurity risk in respect of its compliance with the requirements laid down in this Regulation, the procedures referred to in Articles 54 and 55 shall apply.

2. Where the Commission has sufficient reason to consider that a product with digital elements presents a significant cybersecurity risk in light of non-technical risk factors, it shall inform the relevant market surveillance authorities and, where appropriate, the competent authorities designated or established pursuant to Article 8 of Directive (EU) 2022/2555 and cooperate with those authorities as necessary. The Commission shall also consider the relevance of the identified risks for that product with digital elements in view of its tasks regarding the Union level coordinated security risk assessments of critical supply chains provided for in Article 22 of Directive (EU) 2022/2555, and consult as necessary the Cooperation Group established pursuant to Article 14 of Directive (EU) 2022/2555 and ENISA.

3. In ▌ circumstances which justify an immediate intervention to preserve the proper functioning of the internal market and where the Commission has sufficient reason to consider that the product with digital elements referred to in paragraph 1 remains non-compliant with the requirements laid down in this Regulation and no effective measures have been taken by the relevant market surveillance authorities, the Commission shall carry out an evaluation of compliance and may request ENISA to provide an analysis to support it. The Commission shall inform the relevant market surveillance authorities accordingly. The relevant economic operators shall cooperate as necessary with ENISA.

4. Based on the evaluation referred to in paragraph 3, the Commission may decide that a corrective or restrictive measure is necessary at Union level. To that end, it shall without delay consult the Member States concerned and the relevant economic operator or operators.

5. On the basis of the consultation referred to in paragraph 3 of this Article, the Commission may adopt implementing acts to provide for corrective or restrictive measures at Union level, including requiring the relevant products with digital elements to be withdrawn from the market or recalled, within a reasonable period, commensurate with the nature of the risk. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 62(2).

6. The Commission shall immediately communicate the implementing acts referred to in paragraph 5 to the relevant economic operator or operators. Member States shall implement those implementing acts without delay and shall inform the Commission accordingly.

7. Paragraphs 3 to 6 shall be applicable for the duration of the exceptional situation that justified the Commission’s intervention, provided that the product with digital elements concerned is not brought in compliance with this Regulation.

Article 57 – Compliant products with digital elements which present a significant cybersecurity risk

1. ▌The market surveillance authority of a Member State shall require an economic operator to take all appropriate measures where, having performed an evaluation under Article 54, it finds that although a product with digital elements and the processes put in place by the manufacturer are in compliance with this Regulation, it presents a significant cybersecurity risk as well as a risk to:

(a) the health or safety of persons;

(b) the compliance with obligations under Union or national law intended to protect fundamental rights;

(c) the availability, authenticity, integrity or confidentiality of services offered using an electronic information system by essential entities referred to in Article 3(1) of Directive (EU) 2022/2555; or

(d) other aspects of public interest protection.

The measures referred to in the first subparagraph may include measures to ensure that the product with digital elements concerned and the processes put in place by the manufacturer no longer present the relevant risks when made available on the market, withdrawal from the market of the product with digital elements concerned, or recalling of it, and shall be commensurate with the nature of those risks.

2. The manufacturer or other relevant economic operators shall ensure that corrective action is taken in respect of the products with digital elements concerned that they have made available on the market throughout the Union within the timeline established by the market surveillance authority of the Member State referred to in paragraph 1.

3. The Member State shall immediately inform the Commission and the other Member States about the measures taken pursuant to paragraph 1. That information shall include all available details, in particular the data necessary for the identification of the products with digital elements concerned, the origin and the supply chain of those products with digital elements, the nature of the risk involved and the nature and duration of the national measures taken.

4. The Commission shall without delay enter into consultation with the Member States and the relevant economic operator and shall evaluate the national measures taken. On the basis of the results of that evaluation, the Commission shall decide whether the measure is justified or not and, where necessary, propose appropriate measures.

5. The Commission shall address the decision referred to in paragraph 4 to the Member States.

6. Where the Commission has sufficient reason to consider, including based on information provided by ENISA, that a product with digital elements, although compliant with this Regulation, presents the risks referred to in paragraph 1 of this Article, it shall inform and may request the relevant market surveillance authority or authorities to carry out an evaluation ▌and follow the procedures referred to in Article 54 and paragraphs 1, 2 and 3 of this Article.

7. In ▌ circumstances which justify an immediate intervention to preserve the proper functioning of the internal market and where the Commission has sufficient reason to consider that the product with digital elements referred to in paragraph 6 continues to present the risks referred to in paragraph 1, and no effective measures have been taken by the relevant national market surveillance authorities, the Commission shall carry out an evaluation of the risks presented by that product with digital elements and may request ENISA to provide an analysis to support that evaluation and shall inform the relevant market surveillance authorities accordingly. The relevant economic operators shall cooperate as necessary with ENISA.

8. Based on the evaluation referred to in paragraph 7, the Commission may establish that a corrective or restrictive measure is necessary at Union level. To that end, it shall without delay consult the Member States concerned and the relevant economic operator or operators.

9. On the basis of the consultation referred to in paragraph 8, the Commission may adopt implementing acts to decide on corrective or restrictive measures at Union level, including requiring the relevant products with digital elements to be withdrawn from the market, or recalled, within a reasonable period, commensurate with the nature of the risk. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 62(2).

10. The Commission shall immediately communicate the implementing acts referred to in ▌ paragraph 9 to the relevant economic operator or operators. Member States shall implement those implementing acts without delay and shall inform the Commission accordingly.

11. Paragraphs 6 to 10 shall apply for the duration of the exceptional situation that justified the Commission’s intervention and for as long as the product with digital elements concerned continues to present the risks referred to in paragraph 1.

Article 58 – Formal non-compliance

1. Where the market surveillance authority of a Member State makes one of the following findings, it shall require the relevant manufacturer to end to the noncompliance concerned:

(a) that the CE marking has been affixed in violation of Articles 29 and 30;

(b) that the CE marking has not been affixed;

(c) that the EU declaration of conformity has not been drawn up;

(d) that the EU declaration of conformity has not been drawn up correctly;

(e) that the identification number of the notified body, which is involved in the conformity assessment procedure, where applicable, has not been affixed;

(f) that the technical documentation is either not available or not complete.

2. Where the non-compliance referred to in paragraph 1 persists, the Member State concerned shall take all appropriate measures to restrict or prohibit the product with digital elements from being made available on the market or ensure that it is recalled or withdrawn from the market.

Article 59 – Joint activities of market surveillance authorities

1. Market surveillance authorities may agree with other relevant authorities to carry out joint activities aimed at ensuring cybersecurity and the protection of consumers with respect to specific products with digital elements placed on the market or made available on the market, in particular products with digital elements that are often found to present cybersecurity risks.

2. The Commission or ENISA shall propose joint activities for checking compliance with this Regulation to be conducted by market surveillance authorities based on indications or information of potential non compliance across several Member States of products with digital elements that fall within the scope of this Regulation with the requirements laid down in this Regulation.

3. The market surveillance authorities and ▌, where applicable, the Commission, shall ensure that the agreement to carry out joint activities does not lead to unfair competition between economic operators and does not negatively affect the objectivity, independence and impartiality of the parties to the agreement.

4. A market surveillance authority may use any information obtained as a result of the joint activities carried out as part of any investigation that it undertakes.

5. The market surveillance authority concerned and, where applicable, the Commission, shall make the agreement on joint activities, including the names of the parties involved, available to the public.

Article 60 – Sweeps

1. Market surveillance authorities shall conduct simultaneous coordinated control actions (sweeps) of particular products with digital elements or categories thereof to check compliance with or to detect infringements to this Regulation. Those sweeps may include inspections of products with digital elements acquired under a cover identity.

2. Unless otherwise agreed upon by the market surveillance authorities involved, sweeps shall be coordinated by the Commission. The coordinator of the sweep shall, where appropriate, make the aggregated results publicly available.

3. Where, in the performance of its tasks, including based on the notifications received pursuant to Article 14(1) and (3), ENISA identifies categories of products with digital elements for which sweeps may be organised, it shall submit a proposal for a sweep to the ▌ coordinator referred to in paragraph 2 of this Article for the consideration of the market surveillance authorities.

4. When conducting sweeps, the market surveillance authorities involved may use the investigation powers set out in Articles 52 to 58 and any other powers conferred upon them by national law.

5. Market surveillance authorities may invite Commission officials, and other accompanying persons authorised by the Commission, to participate in sweeps.

CHAPTER VI
DELEGATED POWERS AND COMMITTEE PROCEDURE

Article 61 – Exercise of the delegation

1. The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.

2. The power to adopt delegated acts referred to in Article 2(5), second subparagraph, Article 7(3), Article 8(1) and (2), Article 13(8), fourth subparagraph, Article 14(9), Article 25, Article 27(9), Article 28(5) and Article 31(5) shall be conferred on the Commission for a period of five years from … [date of entry into force of this Regulation]. The Commission shall draw up a report in respect of the delegation of power not later than nine months before the end of the five-year period. The delegation of power shall be tacitly extended for periods of an identical duration, unless the European Parliament or the Council opposes such extension not later than three months before the end of each period.

3. The delegation of power referred to in Article 2(5), second subparagraph, Article 7(3), Article 8(1) and (2), Article 13(8), fourth subparagraph, Article 14(9), Article 25, Article 27(9), Article 28(5) and Article 31(5) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.

4. Before adopting a delegated act, the Commission shall consult experts designated by each Member State in accordance with principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making.

5. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.

6. A delegated act adopted pursuant to Article 2(5), second subparagraph, Article 7(3), Article 8(1) and (2), Article 13(8), fourth subparagraph, Article 14(9), Article 25, Article 27(9), Article 28(5) or Article 31(5) shall enter into force only if no objection has been expressed either by the European Parliament or by the Council within a period of two months of notification of that act to the European Parliament and to the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by two months at the initiative of the European Parliament or of the Council.

Article 62 – Committee procedure

1. The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.

2. Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.

3. Where the opinion of the committee is to be obtained by written procedure, that procedure shall be terminated without result when, within the time-limit for delivery of the opinion, the chair of the committee so decides or a committee member so requests.

CHAPTER VII
CONFIDENTIALITY AND PENALTIES

Article 63 – Confidentiality

1. All parties involved in the application of this Regulation shall respect the confidentiality of information and data obtained in carrying out their tasks and activities in such a manner as to protect, in particular:

(a) intellectual property rights and confidential business information or trade secrets of a natural or legal person, including source code, except the cases referred to in Article 5 of Directive (EU) 2016/943 of the European Parliament and of the Council41;

(b) the effective implementation of this Regulation, in particular for the purposes of inspections, investigations or audits;

(c) public and national security interests;

(d) integrity of criminal or administrative proceedings.

2. Without prejudice to paragraph 1, information exchanged on a confidential basis between the market surveillance authorities and between market surveillance authorities and the Commission shall not be disclosed without the prior agreement of the originating market surveillance authority.

3. Paragraphs 1 and 2 shall not affect the rights and obligations of the Commission, Member States and notified bodies with regard to the exchange of information and the dissemination of warnings, nor the obligations of the persons concerned to provide information under criminal law of the Member States.

4. The Commission and Member States may exchange, where necessary, sensitive information with relevant authorities of third countries with which they have concluded bilateral or multilateral confidentiality arrangements guaranteeing an adequate level of protection.

Article 64 – Penalties

1. Member States shall lay down the rules on penalties applicable to infringements ▌of this Regulation and shall take all measures necessary to ensure that they are implemented. The penalties provided for shall be effective, proportionate and dissuasive. Member States shall, without delay, notify the Commission of those rules and measures and shall notify it, without delay, of any subsequent amendment affecting them.

2. Non-compliance with the essential cybersecurity requirements laid down in Annex I and the obligations set out in Articles 13 and 14 shall be subject to administrative fines of up to EUR 15 000 000 or, if the offender is an undertaking, up to 2,5 % of the its total worldwide annual turnover for the preceding financial year, whichever is higher.

3. Non-compliance with the obligations set out in Articles 18 to 23, Article 28, Article 30(1) to (4), Article 31(1) to (4), Article 32(1), (2) and (3); Article 33(5), and Articles 39, 41, 47, 49 and 53 shall be subject to administrative fines of up to EUR 10 000 000 or, if the offender is an undertaking, up to 2 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.

4. The supply of incorrect, incomplete or misleading information to notified bodies and market surveillance authorities in reply to a request shall be subject to administrative fines of up to EUR 5 000 000 or, if the offender is an undertaking, up to 1 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.

5. When deciding on the amount of the administrative fine in each individual case, all relevant circumstances of the specific situation shall be taken into account and due regard shall be given to the following:

(a) the nature, gravity and duration of the infringement and of its consequences;

(b) whether administrative fines have been already applied by the same or other market surveillance authorities to the same economic operator for a similar infringement;

(c) the size, in particular with regard to microenterprises and small and medium sized-enterprises, including start-ups, and the market share of the economic operator committing the infringement.

6. Market surveillance authorities that apply administrative fines shall communicate that application to the market surveillance authorities of other Member States through the information and communication system referred to in Article 34 of Regulation (EU) 2019/1020.

7. Each Member State shall lay down rules on whether and to what extent administrative fines may be imposed on public authorities and public bodies established in that Member  State.

8. Depending on the legal system of the Member States, the rules on administrative fines may be applied in such a manner that the fines are imposed by competent national courts or other bodies according to the competences established at national level in those Member States. The application of such rules in those Member States shall have an equivalent effect.

9. Administrative fines may be imposed, depending on the circumstances of each individual case, in addition to any other corrective or restrictive measures applied by the market surveillance authorities for the same infringement.

10. By way of derogation from paragraphs 3 to 10, the administrative fines referred to in those paragraphs shall not apply to the following:

(a) manufacturers that qualify as microenterprises or small enterprises with regard to any failure to meet the deadline referred to in Article 14(2), point (a), or Article 14(4), point (a);

(b) any infringement of this Regulation by open-source software stewards.

Article 65 – Representative actions

Directive (EU) 2020/1828 shall apply to the representative actions brought against infringements by economic operators of provisions of this Regulation that harm, or may harm, the collective interests of consumers.

CHAPTER VIII
TRANSITIONAL AND FINAL PROVISIONS

Article 66 – Amendment to Regulation (EU) 2019/1020

In Annex I to Regulation (EU) 2019/1020 the following point is added: ’71. [Regulation (EU) 2024/… of the European Parliament and of the Council*

].

Article 67 – Amendment to Directive (EU) 2020/1828

In Annex I to Directive (EU) 2020/1828, the following point is added;

’67. [Regulation (EU) 2024/… of the European Parliament and of the Council*
]’.

Article 68 – Amendment to Regulation (EU) 168/2013 

Annex II to Regulation (EU) 168/2013 is amended as follows:


In Part C, in the table, the following entry is added:

Article 69 – Transitional provisions

1. EU type-examination certificates and approval decisions issued regarding cybersecurity requirements for products with digital elements that are subject to Union harmonisation legislation other than this Regulation shall remain valid until… [42 months from the date of entry into force of this Regulation], unless they expire before that date, or unless it is otherwise specified in such other Union harmonisation legislation, in which case they shall remain valid as referred to in that legislation.

2. Products with digital elements that have been placed on the market before… [36 months from the date of entry into force of this Regulation], shall be subject to requirements of this Regulation only if, from that date, those products are subject to substantial modifications ▌.

3. By way of derogation from paragraph 2, the obligations laid down in Article 14 shall apply to all products with digital elements that fall within the scope of this Regulation that have been placed on the market before… [36 months from the date of entry into force of this Regulation].

Article 70 – Evaluation and review

1. By… [72 months from the date of entry into force of this Regulation] and every four years thereafter, the Commission shall submit a report on the evaluation and review of this Regulation to the European Parliament and to the Council. Those reports shall be made public.

2. By… [45 months from the date of entry into force of this Regulation], the Commission shall, after consulting ENISA and the CSIRTs network, submit a report to the European Parliament and to the Council, assessing the effectiveness of the single reporting platform set out in Article 16, as well as the impact of the application of the cybersecurity related grounds referred to Article 16(2) by the CSIRTs designated as coordinators on the effectiveness of the single reporting platform as regards the timely dissemination of received notifications to other relevant CSIRTs.

Article 71 – Entry into force and application

1. This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

2. This Regulation shall apply from… [36 months from the date of entry into force of this Regulation]. However, Article 14 shall apply from… [21 months from the date of entry into force of this Regulation] and Chapter IV (Articles 35 to 51) shall apply from… [18 months from the date of entry into force of this Regulation].

This Regulation shall be binding in its entirety and directly applicable in all Member States.

LA MISE EN CONFORMITÉ

Je suis un fabricant d'appareils connectés

Les fabricants d'appareils connectés sont les premiers concernés par la mise en conformité.

Lisez nos guides pratiques sur ce que vous devez faire, le temps dont vous disposez pour vous mettre en conformité et les conséquences juridiques de la non-conformité.

Je suis un éditeur de logiciels

Si les logiciels libres ne relèvent pas, pour l'instant, de la loi sur la cyber-résilience, les logiciels commerciaux qui comprennent des solutions de traitement de données à distance devront être conformes à la loi.

Lisez nos guides pratiques pour comprendre ce que vous devez faire.

J'importe / je distribue / je revends

Les importateurs, les distributeurs et les revendeurs de dispositifs connectés sont soumis à de nombreuses exigences en vertu de la loi sur la cyber- résilience et, dans certaines circonstances, peuvent même être considérés comme des fabricants.

Nos guides détaillent les responsabilités de ces acteurs.