Regulation proposal - Cyber Resilience Act

REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL ON HORIZONTAL CYBERSECURITY REQUIREMENTS FOR PRODUCTS WITH DIGITAL ELEMENTS

AND AMENDING REGULATIONS (EU) NO 168/2013 AND (EU) 2019/1020 AND DIRECTIVE (EU) 2020/1828

(CYBER RESILIENCE ACT)

第一章
総則

第1条 主題

この規則はこう定めている：

(a) rules for the making available on the market of products with digital elements to ensure the cybersecurity of such products;

(b) essential cybersecurity requirements for the design, development and production of products with digital elements, and obligations for economic operators in relation to those products with respect to cybersecurity;

(c) essential cybersecurity requirements for the vulnerability handling processes put in place by manufacturers to ensure the cybersecurity of products with digital elements during the time the products are expected to be in use, and obligations for economic operators in relation to those processes;

(d) rules on market surveillance, including monitoring, and enforcement of the rules and requirements referred to in this Article.

第2条 スコープ

1. This Regulation applies to products with digital elements made available on the market, the intended purpose or reasonably foreseeable use of which includes a direct or indirect logical or physical data connection to a device or network.

2.本規則は、以下の連邦法が適用されるデジタル要素を含む製品には適用されない：

(a) 規則(EU)2017/745；

(b) 規則（EU）2017/746；

3.本規則は、規則（EU）2018/1139に従って認証されたデジタル要素を有する製品には適用されない。

4.本規則は、欧州議会および理事会指令 2014/90/EU の適用範囲内にある機器には適用されない。

5. The application of this Regulation to products with digital elements covered by other Union rules laying down requirements that address all or some of the risks covered by the essential cybersecurity requirements set out in Annex I may be limited or excluded where:

(a) such limitation or exclusion is consistent with the overall regulatory framework that applies to those products; and

(b) the sectoral rules achieve the same or a higher level of protection as that provided for by this Regulation. The Commission is empowered to adopt delegated acts in accordance with Article 61 to supplement this Regulation by specifying whether such limitation or exclusion is necessary, the products and rules concerned, as well as the scope of the limitation, if relevant.

6. This Regulation does not apply to spare parts that are made available on the market to replace identical components in products with digital elements and that are manufactured according to the same specifications as the components that they are intended to replace.

7.本規定は、国家安全保障または防衛の目的のみに開発または修正されたデジタル要素を有する製品、または機密情報を処理するために特別に設計された製品には適用されない。

8. The obligations laid down in this Regulation shall not entail the supply of information the disclosure of which would be contrary to the essential interests of Member States’ national security, public security or defence.

第3条 - 定義

本規定においては、以下の定義が適用される：

(1) ‘product with digital elements’ means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;

(2) ‘remote data processing’ means data processing at a distance for which the software is designed and developed by the manufacturer, or under the responsibility of the manufacturer, and the absence of which would prevent the product with digital elements from performing one of its functions;

(3) ‘cybersecurity’ means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881;

(4)「ソフトウェア」とは、電子情報システムのうち、コンピュータコードで構成される部分を指す；

(5) ‘hardware’ means a physical electronic information system, or parts thereof capable of processing, storing or transmitting digital data;

(6) 「コンポーネント」とは、電子情報システムへの統合を意図したソフトウェアまたはハードウェアをいう；

(7) ‘electronic information system’ means a system, including electrical or electronic equipment, capable of processing, storing or transmitting digital data;

(8) 「論理接続」とは、ソフトウェアインターフェースを通じて実装されるデータ接続の仮想的な表現を意味する；

(9) ‘physical connection’ means a connection between electronic information systems or components implemented using physical means, including through electrical, optical or mechanical interfaces, wires or radio waves;

(10)「間接接続」とは、装置またはネットワークへの接続を意味し、直接行われるのではなく、むしろ当該装置またはネットワークに直接接続可能なより大規模なシステムの一部として行われる；

(11) ‘end-point’ means any device that is connected to a network and serves as an entry point to that network;

(12) ‘economic operator’ means the manufacturer, the authorised representative, the importer, the distributor, or other natural or legal person who is subject to obligations in relation to the manufacture of products with digital elements or to the making available of products with digital elements on the market in accordance with this Regulation;

(13) ‘manufacturer’ means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge;

(14) ‘open-source software steward’ means a legal person, other than a manufacturer, that has the purpose or objective of systematically providing support on a sustained basis for the development of specific products with digital elements, qualifying as free and open-source software and intended for commercial activities, and that ensures the viability of those products;

(15) ‘authorised representative’ means a natural or legal person established within the Union who has received a written mandate from a manufacturer to act on its behalf in relation to specified tasks;

(16) ‘importer’ means a natural or legal person established in the Union who places on the market a product with digital elements that bears the name or trademark of a natural or legal person established outside the Union;

(17) ‘distributor’ means a natural or legal person in the supply chain, other than the manufacturer or the importer, that makes a product with digital elements available on the Union market without affecting its properties;

(18) ‘consumer’ means a natural person who acts for purposes which are outside that person’s trade, business, craft or profession;

(19) ‘microenterprises’, ‘small enterprises’ and ‘medium-sized enterprises’ mean, respectively, microenterprises, small enterprises and medium-sized enterprises as defined in the Annex to Recommendation 2003/361/EC;

(20) ‘support period’ means the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I;

(21) 「上市」とは、デジタル要素を含む製品を連合市場において最初に入手可能にすることをいう；

(22) 「市場で入手できるようにする」とは、商業活動の過程において、有償であるか無償であるかを問わず、連合市場において頒布または使用するために、デジタル要素を含む製品を供給することを意味する；

(23) 「意図された目的」とは、製造者が使用説明書、販売促進資料、明細書、および技術文書において提供する情報に明記されている、具体的な使用状況および使用条件を含む、デジタル要素を有する製品が意図する用途を意味する；

(24) 「合理的に予見可能な使用」とは、使用説明書、宣伝用資料、販売用資料、および技術文書において製造者が提供した意図した目的とは必ずしも一致しないが、合理的に予見可能な人間の行動または技術的操作もしくは相互作用から生じる可能性のある使用をいう；

(25)「合理的に予見可能な誤用」とは、デジタル要素を含む製品を、その意図された目的に沿わない方法で使用することを意味するが、合理的に予見可能な人間の行動または他のシステムとの相互作用から生じる可能性がある；

(26) 「通告当局」とは，適合性評価機関の審査，指定及び通告並びにそれらの監視のために必要な手続きの設定及び実施に責任を負う国家当局を意味する；

(27) ‘conformity assessment’ means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled;

(28) ‘conformity assessment body’ means a conformity assessment body as defined in Article 2, point (13), of Regulation (EC) No 765/2008;

(29) ‘notified body’ means a conformity assessment body designated in accordance with Article 43 and other relevant Union harmonisation legislation;

(30) ‘substantial modification’ means a change to the product with digital elements following its placing on the market, which affects the compliance of the product with digital elements with the essential cybersecurity requirements set out in Part I of Annex I or which results in a modification to the intended purpose for which the product with digital elements has been assessed;

(31) ‘CE marking’ means a marking by which a manufacturer indicates that a product with digital elements and the processes put in place by the manufacturer are in conformity with the essential cybersecurity requirements set out in Annex I and other applicable Union harmonisation legislation providing for its affixing;

(32) 「EU 調和法令」とは、規則(EU)2019/1020 の附属書Ⅰに記載されているEU法令及び同規則が適用される製品の販売条件を調和させるその他のEU法令をいう；

(33) 「市場監視当局」とは、規則(EU)2019/1020の第3条、ポイント(4)に定義される市場監視当局を意味する；

(34) 「国際規格」とは、規則(EU)No 1025/2012の第2条(1)(a)に定義される国際規格を意味する；

(35) ‘European standard’ means a European standard as defined in Article 2, point (1)(b), of Regulation (EU) No 1025/2012;

(36) ‘harmonised standard’ means a harmonised standard as defined in Article 2, point (1)(c), of Regulation (EU) No 1025/2012;

(37) 「サイバーセキュリティリスク」とは、インシデントによって引き起こされる損失または混乱の可能性を意味し、そのような損失または混乱の大きさとインシデントの発生可能性の組み合わせとして表現される；

(38)「重大なサイバーセキュリティリスク」とは、その技術的特徴に基づき、相当な重大又は非重要な損失や混乱を引き起こすなど、深刻な悪影響をもたらすインシデントが発生する可能性が高いと想定できるサイバーセキュリティリスクをいう；

(39) ‘software bill of materials’ means a formal record containing details and supply chain relationships of components included in the software elements of a product with digital elements;

(40) 「脆弱性」とは、サイバー脅威によって悪用される可能性のある、デジタル要素を持つ製品の弱点、感受性、欠陥を意味する；

(41) ‘exploitable vulnerability’ means a vulnerability that has the potential to be effectively used by an adversary under practical operational conditions;

(42) ‘actively exploited vulnerability’ means a vulnerability for which there is reliable evidence that a malicious actor has exploited it in a system without permission of the system owner;

(43) ‘incident’ means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;

(44) ‘incident having an impact on the security of the product with digital elements’ means an incident that negatively affects or is capable of negatively affecting the ability of a product with digital elements to protect the availability, authenticity, integrity or confidentiality of data or functions;

(45) 「ニアミス」とは、指令(EU)2022/2555の第6条(5)に定義されるニアミスを意味する；

(46)「サイバー脅威」とは、規則(EU)2019/881の第2条(8)に定義されるサイバー脅威を意味する；

(47) ‘personal data’ means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679;

(48) ‘free and open-source software’ means software the source code of which is openly shared and which is made available under a free and open-source licence which provides for all rights to make it freely accessible, usable, modifiable and redistributable;

(49)「リコール」とは、規則(EU)2019/1020の第3条(22)に定義されるリコールを意味する；

(50)「離脱」とは、規則(EU)2019/1020の第3条(23)に定義される離脱を意味する；

(51) ‘CSIRT designated as coordinator’ means a CSIRT designated as coordinator pursuant to Article 12(1) of Directive (EU) 2022/2555.

第4条移動の自由

1.加盟国は、本規則が対象とする事項について、本規則に準拠するデジタル要素を有する製品の市販を妨げてはならない。

2. At trade fairs, exhibitions, demonstrations or similar events, Member States shall not prevent the presentation or use of a product with digital elements which does not comply with this Regulation, including its prototypes, provided that the product is presented with a visible sign clearly indicating that it does not comply with this Regulation and that it is not to be made available on the market until it does so.

3. Member States shall not prevent the making available on the market of unfinished software which does not comply with this Regulation, provided that the software is made available only for a limited period required for testing purposes with a visible sign clearly indicating that it does not comply with this Regulation and that it will not be available on the market for purposes other than testing.

4. Paragraph 3 does not apply to safety components as referred to in Union harmonisation legislation other than this Regulation.

第5条プロの調達または使用デジタル・エレメント付きダクト

1. This Regulation shall not prevent Member States from subjecting products with digital elements to additional cybersecurity requirements for the procurement or use of those products for specific purposes, including where those products are procured or used for national security or defence purposes, provided that such requirements are consistent with Member States’ obligations laid down in Union law and that they are necessary and proportionate for the achievement of those purposes.

2. Without prejudice to Directives 2014/24/EU and 2014/25/EU, where products with digital elements that fall within the scope of this Regulation are procured, Member States shall ensure that compliance with the essential cybersecurity requirements set out in Annex I to this Regulation, including the manufacturers’ ability to handle vulnerabilities effectively, are taken into consideration in the procurement process.

第6条 - デジタル要素を含む製品の要件

Products with digital elements shall be made available on the market only where:

(a) they meet the essential cybersecurity requirements set out in Part I of Annex I, provided that they are properly installed, maintained, used for their intended purpose or under conditions which can reasonably be foreseen, and, where applicable, the necessary security updates have been installed; and

(b) the processes put in place by the manufacturer comply with the essential cybersecurity requirements set out in Part II of Annex I.

第7条 - 重要 デジタル製品

1.附属書Ⅲに定める製品分類の中核的機能を有するデジタル要素を備えた製品は、デジタル要素を備えた重要な製品とみなされ、第32条(2)及び(3)にいう適合性評価手続の対象となる。附属書IIIに定める製品分類の中核的機能を有するデジタル要素を備えた製品の統合は、それ自体、それが統合された製品を第32条(2)及び(3)にいう適合性評価手続の対象とするものであってはならない。

2. The categories of products with digital elements referred to in paragraph 1 of this Article, divided into classes I and II as set out in Annex III, meet at least one of the following criteria:

(a) the product with digital elements primarily performs functions critical to the cybersecurity of other products, networks or services, including securing authentication and access, intrusion prevention and detection, end-point security or network protection;

(b) the product with digital elements performs a function which carries a significant risk of adverse effects in terms of its intensity and ability to disrupt, control or cause damage to a large number of other products or to the health, security or safety of its users through direct manipulation, such as a central system function, including network management, configuration control, virtualisation or processing of personal data.

3. The Commission is empowered to adopt delegated acts in accordance with Article 61 to amend Annex III by including in the list a new category within each class of the categories of products with digital elements and specifying its definition, moving a category of products from one class to the other or withdrawing an existing category from that list. When assessing the need to amend the list set out in Annex III, the Commission shall take into account the cybersecurity-related functionalities or the function and the level of cybersecurity risk posed by the products with digital elements as set out by the criteria referred to in paragraph 2 of this Article.

The delegated acts referred to in the first subparagraph of this paragraph shall, where appropriate, provide for a minimum transitional period of 12 months, in particular where a new category of important products with digital elements is added to class I or II or is moved from class I to II as set out in Annex III, before the relevant conformity assessment procedures as referred to in Article 32(2) and (3) start applying, unless a shorter transitional period is justified on imperative grounds of urgency.

4. By … [12 months from the date of entry into force of this Regulation], the Commission shall adopt an implementing act specifying the technical description of the categories of products with digital elements under classes I and II as set out in Annex III and the technical description of the categories of products with digital elements as set out in Annex IV. That implementing act shall be adopted in accordance with the examination procedure referred to in Article 62(2).

第8条-デジタル要素を含む重要製品

1. The Commission is empowered to adopt delegated acts in accordance with Article 61 to supplement this Regulation to determine which products with digital elements that have the core functionality of a product category that is set out in Annex IV to this Regulation are to be required to obtain a European cybersecurity certificate at assurance level at least ‘substantial’ under a European cybersecurity certification scheme adopted pursuant to Regulation (EU) 2019/881, to demonstrate conformity with the essential cybersecurity requirements set out in Annex I to this Regulation or parts thereof, provided that a European cybersecurity certification scheme covering those categories of products with digital elements has been adopted pursuant to Regulation (EU) 2019/881 and is available to manufacturers. Those delegated acts shall specify the required assurance level that shall be proportionate to the level of cybersecurity risk associated with the products with digital elements and shall take account of their intended purpose, including the critical dependency on them by essential entities as referred to in Article 3(1) of Directive (EU) 2022/2555.

Before adopting such delegated acts, the Commission shall carry out an assessment of the potential market impact of the envisaged measures and shall carry out consultations with relevant stakeholders, including the European Cybersecurity Certification Group established under Regulation (EU) 2019/881. The assessment shall take into account the readiness and the capacity level of the Member States for the implementation of the relevant European cybersecurity certification scheme. Where no delegated acts as referred to in the first subparagraph of this paragraph have been adopted, products with digital elements which have the core functionality of a product category as set out in Annex IV shall be subject to the conformity assessment procedures referred to in Article 32(3).

The delegated acts referred to in the first subparagraph shall provide for a minimum transitional period of six months, unless a shorter transitional period is justified for imperative reasons of urgency.

2. The Commission is empowered to adopt delegated acts in accordance with Article 61 to amend Annex IV by adding or withdrawing categories of critical products with digital elements. When determining such categories of critical products with digital elements and the required assurance level, in accordance with paragraph 1 of this Article, the Commission shall take into account the criteria referred to in Article 7(2) and ensure that the categories of products with digital elements meet at least one of the following criteria:

(a) there is a critical dependency of essential entities as referred to in Article 3 of Directive (EU) 2022/2555 on the category of products with digital elements;

(b) incidents and exploited vulnerabilities concerning the category of products with digital elements could lead to serious disruptions of critical supply chains across the internal market.

Before adopting such delegated acts, the Commission shall carry out an assessment of the type referred to in paragraph 1. The delegated acts referred to in the first subparagraph shall provide for a minimum transitional period of six months, unless a shorter transitional period is justified for imperative reasons of urgency.

第9条ステークホルダーとの協議

1. When preparing measures for the implementation of this Regulation, the Commission shall consult and take into account the views of relevant stakeholders, such as relevant Member State authorities, private sector undertakings, including microenterprises and small and medium-sized enterprises, the open-source software community, consumer associations, academia, and relevant Union agencies and bodies as well as expert groups established at Union level. In particular, the Commission shall, in a structured manner, where appropriate, consult and seek the views of those stakeholders when:

(a) preparing the guidance referred to in Article 26;

(b) preparing the technical descriptions of the product categories set out in Annex III in accordance with Article 7(4), assessing the need for potential updates of the list of product categories in accordance with Article 7(3) and Article 8(2), or carrying out the assessment of the potential market impact referred to in Article 8(1), without prejudice to Article 61;

2.欧州委員会は、少なくとも年1回、定期的な協議および説明会を開催し、本規則の実施に関する第1項の利害関係者の意見を収集する。

第10条サイバーに強いデジタル環境におけるスキルの向上

For the purposes of this Regulation and in order to respond to the needs of professionals in support of the implementation of this Regulation, Member States with, where appropriate, the support of the Commission, the European Cybersecurity Competence Centre and ENISA, while fully respecting the responsibility of the Member States in the education field, shall promote measures and strategies aiming to:

(a) develop cybersecurity skills and create organisational and technological tools to ensure sufficient availability of skilled professionals in order to support the activities of the market surveillance authorities and conformity assessment bodies;

(b) increase collaboration between the private sector, economic operators, including via re-skilling or up-skilling for manufacturers’ employees, consumers, training providers as well as public administrations, thereby expanding the options for young people to access jobs in the cybersecurity sector.

第11条 一般的な製品の安全性

By way of derogation from Article 2(1), third subparagraph, point (b), of Regulation (EU) 2023/988, Chapter III, Section 1, Chapters V and VII, and Chapters IX to XI of that Regulation shall apply to products with digital elements with respect to aspects and risks or categories of risks that are not covered by this Regulation where those products are not subject to specific safety requirements laid down in other ‘Union harmonisation legislation’ as defined in Article 3, point (27), of Regulation (EU) 2023/988.

第12条ハイリスクAIシステム

1. Without prejudice to the requirements relating to accuracy and robustness set out in Article 15 of Regulation (EU) 2024/1689, products with digital elements which fall within the scope of this Regulation and which are classified as high-risk AI systems pursuant to Article 6 of that Regulation shall be deemed to comply with the cybersecurity requirements set out in Article 15 of that Regulation where:

(a) those products fulfil the essential cybersecurity requirements set out in Part I of Annex I;

(b) the processes put in place by the manufacturer comply with the essential cybersecurity requirements set out in Part II of Annex I; and

(c) the achievement of the level of cybersecurity protection required under Article 15 of Regulation (EU) 2024/1689 is demonstrated in the EU declaration of conformity issued under this Regulation.

2. For the products with digital elements and cybersecurity requirements referred to in paragraph 1 of this Article, the relevant conformity assessment procedure provided for in Article 43 of Regulation (EU) 2024/1689 shall apply. For the purposes of that assessment, notified bodies which are competent to control the conformity of the high-risk AI systems under Regulation (EU) 2024/1689 shall also be competent to control the conformity of high-risk AI systems which fall within the scope of this Regulation with the requirements set out in Annex I to this Regulation, provided that the compliance of those notified bodies with the requirements laid down in Article 39 of this Regulation has been assessed in the context of the notification procedure under Regulation (EU) 2024/1689.

3. By way of derogation from paragraph 2 of this Article, important products with digital elements as listed in Annex III to this Regulation, which are subject to the conformity assessment procedures referred to in Article 32(2), points (a) and (b), and Article 32(3) of this Regulation and critical products with digital elements as listed in Annex IV to this Regulation which are required to obtain a European cybersecurity certificate pursuant to Article 8(1) of this Regulation or, absent that, which are subject to the conformity assessment procedures referred to in Article 32(3) of this Regulation, and which are classified as high-risk AI systems pursuant to Article 6 of Regulation (EU) 2024/1689, and to which the conformity assessment procedure based on internal control as referred to in Annex VI to Regulation (EU) 2024/1689 applies, shall be subject to the conformity assessment procedures provided for in this Regulation in so far as the essential cybersecurity requirements set out in this Regulation are concerned.

4. Manufacturers of products with digital elements as referred to in paragraph 1 of this Article may participate in the AI regulatory sandboxes referred to in Article 57 of Regulation (EU) 2024/1689.

第二章
フリー・オープンソースソフトウェアに関する経済事業者の義務と但し書き

第13条 - 製造者の義務

1. When placing a product with digital elements on the market, manufacturers shall ensure that it has been designed, developed and produced in accordance with the essential cybersecurity requirements set out in Part I of Annex I.

2. For the purpose of complying with paragraph 1, manufacturers shall undertake an assessment of the cybersecurity risks associated with a product with digital elements and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases of the product with digital elements with a view to minimising cybersecurity risks, preventing incidents and minimising their impact, including in relation to the health and safety of users.

3. The cybersecurity risk assessment shall be documented and updated as appropriate during a support period to be determined in accordance with paragraph 8 of this Article. That cybersecurity risk assessment shall comprise at least an analysis of cybersecurity risks based on the intended purpose and reasonably foreseeable use, as well as the conditions of use, of the product with digital elements, such as the operational environment or the assets to be protected, taking into account the length of time the product is expected to be in use. The cybersecurity risk assessment shall indicate whether and, if so in what manner, the security requirements set out in Part I, point (2), of Annex I are applicable to the relevant product with digital elements and how those requirements are implemented as informed by the cybersecurity risk assessment. It shall also indicate how the manufacturer is to apply Part I, point (1), of Annex I and the vulnerability handling requirements set out in Part II of Annex I.

4. When placing a product with digital elements on the market, the manufacturer shall include the cybersecurity risk assessment referred to in paragraph 3 of this Article in the technical documentation required pursuant to Article 31 and Annex VII. For products with digital elements as referred to in Article 12, which are also subject to other Union legal acts, the cybersecurity risk assessment may be part of the risk assessment required by those Union legal acts. Where certain essential cybersecurity requirements are not applicable to the product with digital elements, the manufacturer shall include a clear justification to that effect in that technical documentation.

5.第 1 項を遵守するため、製造者は、第三者から提供されたコンポーネントを統合する際に、当該コンポーネントがデジタル要素を含む製品のサイバーセキュリティを損なわないよう、十分な注意を払わなければならない（商業活動の過程で市場に提供されていないフリーソフトウェアやオープンソースソフトウェアのコンポーネントを統合する場合を含む）。

6. Manufacturers shall, upon identifying a vulnerability in a component, including in an open source-component, which is integrated in the product with digital elements report the vulnerability to the person or entity manufacturing or maintaining the component, and address and remediate the vulnerability in accordance with the vulnerability handling requirements set out in Part II of Annex I. Where manufacturers have developed a software or hardware modification to address the vulnerability in that component, they shall share the relevant code or documentation with the person or entity manufacturing or maintaining the component, where appropriate in a machine-readable format.

7. The manufacturers shall systematically document, in a manner that is proportionate to the nature and the cybersecurity risks, relevant cybersecurity aspects concerning the products with digital elements, including vulnerabilities of which they become aware and any relevant information provided by third parties, and shall, where applicable, update the cybersecurity risk assessment of the products.

8. Manufacturers shall ensure, when placing a product with digital elements on the market, and for the support period, that vulnerabilities of that product, including its components, are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I.

Manufacturers shall determine the support period so that it reflects the length of time during which the product is expected to be in use, taking into account, in particular, reasonable user expectations, the nature of the product, including its intended purpose, as well as relevant Union law determining the lifetime of products with digital elements. When determining the support period, manufacturers may also take into account the support periods of products with digital elements offering a similar functionality placed on the market by other manufacturers, the availability of the operating environment, the support periods of integrated components that provide core functions and are sourced from third parties as well as relevant guidance provided by the dedicated administrative cooperation group (ADCO) established pursuant to Article 52(15) and the Commission. The matters to be taken into account in order to determine the support period shall be considered in a manner that ensures proportionality.

第2号を損なうことなく、サポート期間は少なくとも5年間とする。デジタル要素を含む製品の使用期間が5年未満であると予想される場合、サポート期間は予想される使用期間に対応するものとする。

Taking into account ADCO recommendations as referred to in Article 52(16), the Commission may adopt delegated acts in accordance with Article 61 to supplement this Regulation by specifying the minimum support period for specific product categories where the market surveillance data suggests inadequate support periods.

Manufacturers shall include the information that was taken into account to determine the support period of a product with digital elements in the technical documentation as set out in Annex VII.

Manufacturers shall have appropriate policies and procedures, including coordinated vulnerability disclosure policies, referred to in Part II, point (5), of Annex I to process and remediate potential vulnerabilities in the product with digital elements reported from internal or external sources.

9. Manufacturers shall ensure that each security update, as referred to in Part II, point (8), of Annex I, which has been made available to users during the support period, remains available after it has been issued for a minimum of 10 years or for the remainder of the support period, whichever is longer.

10. Where a manufacturer has placed subsequent substantially modified versions of a software product on the market, that manufacturer may ensure compliance with the essential cybersecurity requirement set out in Part II, point (2), of Annex I only for the version that it has last placed on the market, provided that the users of the versions that were previously placed on the market have access to the version last placed on the market free of charge and do not incur additional costs to adjust the hardware and software environment in which they use the original version of that product.

11.製造業者は、ユーザーが過去のバージョンにアクセスできるよう、公開ソフトウェア・アーカイブを維持することができる。このような場合、サポートされていないソフトウェアを使用することに伴うリスクについて、容易にアクセスできる方法でユーザーに明確に通知するものとする。

12. Before placing a product with digital elements on the market, manufacturers shall draw up the technical documentation referred to in Article 31. They shall carry out the chosen conformity assessment procedures as referred to in Article 32 or have them carried out. Where compliance of the product with digital elements with the essential cybersecurity requirements set out in Part I of Annex I and of the processes put in place by the manufacturer with the essential cybersecurity requirements set out in Part II of Annex I has been demonstrated by that conformity assessment procedure, manufacturers shall draw up the EU declaration of conformity in accordance with Article 28 and affix the CE marking in accordance with Article 30.

13. Manufacturers shall keep the technical documentation and the EU declaration of conformity at the disposal of the market surveillance authorities for at least 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer.

14. Manufacturers shall ensure that procedures are in place for products with digital elements that are part of a series of production to remain in conformity with this Regulation. Manufacturers shall adequately take into account changes in the development and production process or in the design or characteristics of the product with digital elements and changes in the harmonised standards, European cybersecurity certification schemes or common specifications as referred to in Article 27 by reference to which the conformity of the product with digital elements is declared or by application of which its conformity is verified.

15. Manufacturers shall ensure that their products with digital elements bear a type, batch or serial number or other element allowing their identification, or, where that is not possible, that that information is provided on their packaging or in a document accompanying the product with digital elements.

16. Manufacturers shall indicate the name, registered trade name or registered trademark of the manufacturer, and the postal address, email address or other digital contact details, as well as, where applicable, the website where the manufacturer can be contacted, on the product with digital elements, on its packaging or in a document accompanying the product with digital elements. That information shall also be included in the information and instructions to the user set out in Annex II. The contact details shall be in a language which can be easily understood by users and market surveillance authorities.

17.本規則の目的のため、製造者は、デジタル要素を有する製品の脆弱性に関する報告を容易にするためも含め、利用者が直接かつ迅速に連絡を取ることができるよう、単一の連絡窓口を指定しなければならない。

Manufacturers shall ensure that the single point of contact is easily identifiable by the users. They shall also include the single point of contact in the information and instructions to the user set out in Annex II. The single point of contact shall allow users to choose their preferred means of communication and shall not limit such means to automated tools.

18. Manufacturers shall ensure that products with digital elements are accompanied by the information and instructions to the user set out in Annex II, in paper or electronic form.

Such information and instructions shall be provided in a language which can be easily understood by users and market surveillance authorities. They shall be clear, understandable, intelligible and legible. They shall allow for the secure installation, operation and use of products with digital elements. Manufacturers shall keep the information and instructions to the user set out in Annex II at the disposal of users and market surveillance authorities for at least 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer. Where such information and instructions are provided online, manufacturers shall ensure that they are accessible, user-friendly and available online for at least 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer.

19. Manufacturers shall ensure that the end date of the support period referred to in paragraph 8, including at least the month and the year, is clearly and understandably specified at the time of purchase in an easily accessible manner and, where applicable, on the product with digital elements, its packaging or by digital means. Where technically feasible in light of the nature of the product with digital elements, manufacturers shall display a notification to users informing them that their product with digital elements has reached the end of its support period.

20.製造者は、EU適合宣言書の写し、またはデジタル要素を含む簡易EU適合宣言書のいずれかを製品に添付しなければならない。簡易EU適合宣言書を提供する場合、完全なEU適合宣言書にアクセスできる正確なインターネットアドレスを記載しなければならない。

21. From the placing on the market and for the support period, manufacturers who know or have reason to believe that the product with digital elements or the processes put in place by the manufacturer are not in conformity with the essential cybersecurity requirements set out in Annex I shall immediately take the corrective measures necessary to bring that product with digital elements or the manufacturer’s processes into conformity, or to withdraw or recall the product, as appropriate.

22. Manufacturers shall, upon a reasoned request from a market surveillance authority, provide that authority, in a language which can be easily understood by that authority, with all the information and documentation, in paper or electronic form, necessary to demonstrate the conformity of the product with digital elements and of the processes put in place by the manufacturer with the essential cybersecurity requirements set out in Annex I.

Manufacturers shall cooperate with that authority, at its request, on any measures taken to eliminate the cybersecurity risks posed by the product with digital elements which they have placed on the market.

23. A manufacturer that ceases its operations and, as a result, is not able to comply with this Regulation shall inform, before the cessation of operations takes effect, the relevant market surveillance authorities as well as, by any means available and to the extent possible, the users of the relevant products with digital elements placed on the market, of the impending cessation of operations.

24. The Commission may, by means of implementing acts taking into account European or international standards and best practices, specify the format and elements of the software bill of materials referred to in Part II, point (1), of Annex I. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 62(2).

25. In order to assess the dependence of Member States and of the Union as a whole on software components and in particular on components qualifying as free and open-source software, ADCO may decide to conduct a Union wide dependency assessment for specific categories of products with digital elements. For that purpose, market surveillance authorities may request manufacturers of such categories of products with digital elements to provide the relevant software bills of materials as referred to in Part II, point (1), of Annex I. On the basis of such information, the market surveillance authorities may provide ADCO with anonymised and aggregated information about software dependencies. ADCO shall submit a report on the results of the dependency assessment to the Cooperation Group established pursuant to Article 14 of Directive (EU) 2022/2555.

第14条製造業者の報告義務

1. A manufacturer shall notify any actively exploited vulnerability contained in the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator, in accordance with paragraph 7 of this Article, and to ENISA. The manufacturer shall notify that actively exploited vulnerability via the single reporting platform established pursuant to Article 16.

2. For the purposes of the notification referred to in paragraph 1, the manufacturer shall submit:

(a) 活発に悪用されている脆弱性について、過度の遅滞なく、いかなる場合でも製造者がそれを認識してから24時間以内に、早期警告通知を行うこと；

(b) unless the relevant information has already been provided, a vulnerability notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the actively exploited vulnerability, which shall provide general information, as available, about the product with digital elements concerned, the general nature of the exploit and of the vulnerability concerned as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the manufacturer considers the notified information to be;

(i) 脆弱性の説明（その重大性と影響を含む）；

(ii) 利用可能な場合、脆弱性を悪用した、または悪用している悪意のある行為者に関する情報；

(iii) 脆弱性を是正するために提供されたセキュリティアップデートまたはその他の是正措置の詳細。

3. A manufacturer shall notify any severe incident having an impact on the security of the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator, in accordance with paragraph 7 of this Article, and to ENISA. The manufacturer shall notify that incident via the single reporting platform established pursuant to Article 16.

4. For the purposes of the notification referred to in paragraph 3, the manufacturer shall submit:

(a) an early warning notification of a severe incident having an impact on the security of the product with digital elements, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, including at least whether the incident is suspected of being caused by unlawful or malicious acts, which shall also indicate, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available;

(b) unless the relevant information has already been provided, an incident notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the incident, which shall provide general information, where available, about the nature of the incident, an initial assessment of the incident, as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the manufacturer considers the notified information to be;

(i)その重大性と影響を含む、事故の詳細な説明；

(ii) インシデントの引き金となったと思われる脅威の種類または根本原因；

(iii) 適用済みおよび継続中の緩和策。

5. For the purposes of paragraph 3, an incident having an impact on the security of the product with digital elements shall be considered to be severe where:

(a) it negatively affects or is capable of negatively affecting the ability of a product with digital elements to protect the availability, authenticity, integrity or confidentiality of sensitive or important data or functions; or

(b) it has led or is capable of leading to the introduction or execution of malicious code in a product with digital elements or in the network and information systems of a user of the product with digital elements.

6.必要な場合、最初に通知を受領したコーディネータとして指定された CSIRT は、デジタル要素を含む製品のセキュリティに影響を及ぼす、積極的に悪用された脆弱性又は深刻なインシデントに関する関連する状況の更新について、中間報告を提供するよう製造者に要求することができる。

7. The notifications referred to in paragraphs 1 and 3 of this Article shall be submitted via the single reporting platform referred to in Article 16 using one of the electronic notification end-points referred to in Article 16(1). The notification shall be submitted using the electronic notification end-point of the CSIRT designated as coordinator of the Member State where the manufacturers have their main establishment in the Union and shall be simultaneously accessible to ENISA. For the purposes of this Regulation, a manufacturer shall be considered to have its main establishment in the Union in the Member State where the decisions related to the cybersecurity of its products with digital elements are predominantly taken. If such a Member State cannot be determined, the main establishment shall be considered to be in the Member State where the manufacturer concerned has the establishment with the highest number of employees in the Union.

Where a manufacturer has no main establishment in the Union, it shall submit the notifications referred to in paragraphs 1 and 3 using the electronic notification end point of the CSIRT designated as coordinator in the Member State determined pursuant to the following order and based on the information available to the manufacturer:

(a) 当該製造事業者のデジタル要素を搭載した製品の数が最も多い製造事業者を代理する公認代理人が設立されている加盟国；

(b) 当該製造業者のデジタル要素を搭載した製品を最も多く市場に出している輸入業者が設立されている加盟国；

(d) the Member State in which the highest number of users of products with digital elements of that manufacturer are located. In relation to the third subparagraph, point (d), a manufacturer may submit notifications related to any subsequent actively exploited vulnerability or severe incident having an impact on the security of the product with digital elements to the same CSIRT designated as coordinator to which it first reported.

第15条自主報告

1. Manufacturers as well as other natural or legal persons may notify any vulnerability contained in a product with digital elements as well as cyber threats that could affect the risk profile of a product with digital elements on a voluntary basis to a CSIRT designated as coordinator or ENISA.

2. Manufacturers as well as other natural or legal persons may notify any incident having an impact on the security of the product with digital elements as well as near misses that could have resulted in such an incident on a voluntary basis to a CSIRT designated as coordinator or ENISA.

3.コーディネータとして指定された CSIRT または ENISA は、第 16 条に定める手続きに従い、本条第 1 項および第 2 項の通知を処理する。

コーディネータに指名された CSIRT は、自発的な届出よりも義務的な届出を優先して処理することができる。

4. Where a natural or legal person other than the manufacturer notifies an actively exploited vulnerability or a severe incident having an impact on the security of a product with digital elements in accordance with paragraph 1 or 2, the CSIRT designated as coordinator shall without undue delay inform the manufacturer.

5. The CSIRTs designated as coordinators as well as ENISA shall ensure the confidentiality and appropriate protection of the information provided by a notifying natural or legal person. Without prejudice to the prevention, investigation, detection and prosecution of criminal offences, voluntary reporting shall not result in the imposition of any additional obligations upon a notifying natural or legal person to which it would not have been subject had it not submitted the notification.

第16条単一報告プラットフォームの確立

In exceptional circumstances and, in particular, upon request by the manufacturer and in light of the level of sensitivity of the notified information as indicated by the manufacturer under Article 14(2), point (a), of this Regulation, the dissemination of the notification may be delayed based on justified cybersecurity-related grounds for a period of time that is strictly necessary, including where a vulnerability is subject to a coordinated vulnerability disclosure procedure as referred to in Article 12(1) of Directive (EU) 2022/2555. Where a CSIRT decides to withhold a notification, it shall immediately inform ENISA about the decision and provide both a justification for withholding the notification as well as an indication of when it will disseminate the notification in accordance with the dissemination procedure laid down in this paragraph. ENISA may support the CSIRT on the application of cybersecurity-related grounds in relation to delaying the dissemination of the notification. In particularly exceptional circumstances, where the manufacturer indicates in the notification referred to in Article 14(2), point (b):

(a) that the notified vulnerability has been actively exploited by a malicious actor and, according to the information available, it has been exploited in no other Member State than the one of the CSIRT designated as coordinator to which the manufacturer has notified the vulnerability;

(b) 通知された脆弱性を直ちにさらに広めることは、当該加盟国の本質的利益に反する情報の開示につながる可能性が高いこと。

only the information that a notification was made by the manufacturer, the general information about the product, the information on the general nature of the exploit and the information that security related grounds were raised are to be made available simultaneously to ENISA until the full notification is disseminated to the CSIRTs concerned and ENISA. Where, based on that information, ENISA considers that there is a systemic risk affecting security in the internal market, it shall recommend to the recipient CSIRT that it disseminate the full notification to the other CSIRTs designated as coordinators and to ENISA itself.

3. After receiving a notification of an actively exploited vulnerability in a product with digital elements or of a severe incident having an impact on the security of a product with digital elements, the CSIRTs designated as coordinators shall provide the market surveillance authorities of their respective Member States with the notified information necessary for the market surveillance authorities to fulfil their obligations under this Regulation.

4.ENISAは、単一報告プラットフォームのセキュリティ、及び単一報告プラットフォームを通じて提出され、または拡散される情報にもたらされるリスクを管理するため、適切かつ相応の技術的、運用的、組織的措置を講じるものとする。ENISAは、単一報告プラットフォームに影響を及ぼすセキュリティインシデントが発生した場合、過度の遅滞なく、CSIRTsネットワークおよび欧州委員会に通知するものとする。

5. ENISA, in cooperation with the CSIRTs network, shall provide and implement specifications on the technical, operational and organisational measures regarding the establishment, maintenance and secure operation of the single reporting platform referred to in paragraph 1, including at least the security arrangements related to the establishment, operation and maintenance of the single reporting platform, as well as the electronic notification end-points set up by the CSIRTs designated as coordinators at national level and ENISA at Union level, including procedural aspects to ensure that, where a notified vulnerability has no corrective or mitigating measures available, information about that vulnerability is shared in line with strict security protocols and on a need-to-know basis.

6. Where a CSIRT designated as coordinator has been made aware of an actively exploited vulnerability as part of a coordinated vulnerability disclosure procedure as referred to in Article 12(1) of Directive (EU) 2022/2555, the CSIRT designated as coordinator initially receiving the notification may delay the dissemination of the relevant notification via the single reporting platform based on justified cybersecurity-related grounds for a period that is no longer than is strictly necessary and until consent for disclosure by the involved coordinated vulnerability disclosure parties is given. That requirement shall not prevent manufacturers from notifying such a vulnerability on a voluntary basis in accordance with the procedure laid down in this Article.

第17条 - 報告に関するその他の規定

1. ENISA may submit to the European cyber crisis liaison organisation network (EU-CyCLONe) established under Article 16 of Directive (EU) 2022/2555 information notified pursuant to Article 14(1) and (3) and Article 15(1) and (2) of this Regulation if such information is relevant for the coordinated management of large-scale cybersecurity incidents and crises at an operational level. For the purpose of determining such relevance, ENISA may consider technical analyses performed by the CSIRTs network, where available.

2. Where public awareness is necessary to prevent or mitigate a severe incident having an impact on the security of the product with digital elements or to handle an ongoing incident, or where disclosure of the incident is otherwise in the public interest, the CSIRT designated as coordinator of the relevant Member State may, after consulting the manufacturer concerned and, where appropriate, in cooperation with ENISA, inform the public about the incident or require the manufacturer to do so.

3. ENISA, on the basis of the notifications received pursuant to Article 14(1) and (3) and Article 15(1) and (2) of this Regulation, shall prepare, every 24 months, a technical report on emerging trends regarding cybersecurity risks in products with digital elements and submit it to the Cooperation Group established pursuant to Article 14 of Directive (EU) 2022/2555. The first such report shall be submitted within 24 months of the date of application of the obligations laid down in Article 14(1) and (3) of this Regulation. ENISA shall include relevant information from its technical reports in its report on the state of cybersecurity in the Union pursuant to Article 18 of Directive (EU) 2022/2555.

4.第14条(1)および(3)、または第15条(1)および(2)に従った単なる通知行為は、通知した自然人または法人に増加責任を負わせるものではない。

5. After a security update or another form of corrective or mitigating measure is available, ENISA shall, in agreement with the manufacturer of the product with digital elements concerned, add the publicly known vulnerability notified pursuant to Article 14(1) or Article 15(1) of this Regulation to the European vulnerability database established pursuant to Article 12(2) of Directive (EU) 2022/2555.

6. The CSIRTs designated as coordinators shall provide helpdesk support in relation to the reporting obligations pursuant to Article 14 to manufacturers and in particular manufacturers that qualify as microenterprises or as small or medium-sized enterprises.

第18条委任代理人

1.製造事業者は，書面による委任によって，認定代理人を任命することができる。

2. The obligations laid down in Article 13(1) to (11), Article 13(12), first subparagraph, and Article 13(14) shall not form part of the authorised representative’s mandate.

3.認定代理人は，製造事業者から受領した委任事項で指定された業務を実施しなければならない。認定代理店は，要請に応じて，委任の写しを市場監視当局に提出しなければならない。委任状は，認定代理人が少なくとも次のことを行うことを認めなければならない：

(a) keep the EU declaration of conformity referred to in Article 28 and the technical documentation referred to in Article 31 at the disposal of the market surveillance authorities for at least 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer;

(b) 市場監視当局からの合理的な要請があった場合、当該当局に対し、製品のデジタル要素への適合性を証明するために必要なすべての情報及び文書を提供すること；

(c) cooperate with the market surveillance authorities, at their request, on any action taken to eliminate the risks posed by a product with digital elements covered by the authorised representative’s mandate.

第19条 - 輸入業者の義務

1. Importers shall place on the market only products with digital elements that comply with the essential cybersecurity requirements set out in Part I of Annex I and where the processes put in place by the manufacturer comply with the essential cybersecurity requirements set out in Part II of Annex I.

2.デジタル要素を含む製品を市場に出す前に、輸入者は以下を確認しなければならない：

(a) the appropriate conformity assessment procedures as referred to in Article 32 have been carried out by the manufacturer;

(b) 製造者が技術文書を作成したこと；

(c) the product with digital elements bears the CE marking referred to in Article 30 and is accompanied by the EU declaration of conformity referred to in Article 13(20) and the information and instructions to the user as set out in Annex II in a language which can be easily understood by users and market surveillance authorities;

(d) the manufacturer has complied with the requirements set out in Article 13(15), (16) and (19). For the purposes of this paragraph, importers shall be able to provide the necessary documents proving the fulfilment of the requirements set out in this Article.

3. Where an importer considers or has reason to believe that a product with digital elements or the processes put in place by the manufacturer are not in conformity with this Regulation, the importer shall not place the product on the market until that product or the processes put in place by the manufacturer have been brought into conformity with this Regulation. Furthermore, where the product with digital elements presents a significant cybersecurity risk, the importer shall inform the manufacturer and the market surveillance authorities to that effect. Where an importer has reason to believe that a product with digital elements may present a significant cybersecurity risk in light of non-technical risk factors, the importer shall inform the market surveillance authorities to that effect. Upon receipt of such information, the market surveillance authorities shall follow the procedures referred to in Article 54(2).

4. Importers shall indicate their name, registered trade name or registered trademark, the postal address, email address or other digital contact as well as, where applicable, the website at which they can be contacted on the product with digital elements or on its packaging or in a document accompanying the product with digital elements. The contact details shall be in a language easily understood by users and market surveillance authorities.

5. Importers who know or have reason to believe that a product with digital elements which they have placed on the market is not in conformity with this Regulation shall immediately take the corrective measures necessary to ensure that the product with digital elements is brought into conformity with this Regulation, or to withdraw or recall the product, if appropriate.

Upon becoming aware of a vulnerability in the product with digital elements, importers shall inform the manufacturer without undue delay about that vulnerability. Furthermore, where the product with digital elements presents a significant cybersecurity risk, importers shall immediately inform the market surveillance authorities of the Member States in which they have made the product with digital elements available on the market to that effect, giving details, in particular, of non-compliance and of any corrective measures taken.

6.輸入者は、デジタル要素を含む製品が上市されてから少なくとも10年間、またはサポート期間のいずれか長い方の期間、EU適合宣言書の写しを市場監視当局が自由に入手できるように保管し、要請に応じて技術文書を同当局が入手できるようにしなければならない。

7. Importers shall, further to a reasoned request from a market surveillance authority, provide it with all the information and documentation, in paper or electronic form, necessary to demonstrate the conformity of the product with digital elements with the essential cybersecurity requirements set out in Part I of Annex I as well as of the processes put in place by the manufacturer with the essential cybersecurity requirements set out in Part II of Annex I in a language that can be easily understood by that authority. They shall cooperate with that authority, at its request, on any measures taken to eliminate the cybersecurity risks posed by a product with digital elements, which they have placed on the market.

8. Where the importer of a product with digital elements becomes aware that the manufacturer of that product has ceased its operations and, as result, is not able to comply with the obligations laid down in this Regulation, the importer shall inform the relevant market surveillance authorities about this situation, as well as, by any means available and to the extent possible, the users of the products with digital elements placed on the market.

第20条 - 代理店の義務

1.デジタル要素を含む製品を市場に流通させる場合、販売業者は、本規則に規定される要件に関して十分な注意を払って行動するものとする。

2.販売業者は、デジタル要素を含む製品を市場に流通させる前に、以下を確認するものとする：

(a) デジタル要素を含む製品にCEマーキングが付されていること；

(b) the manufacturer and the importer have complied with the obligations set out in Article 13(15), (16), (18), (19) and (20) and Article19(4), and have provided all necessary documents to the distributor.

3. Where a distributor considers or has reason to believe, on the basis of information in its possession, that a product with digital elements or the processes put in place by the manufacturer are not in conformity with the essential cybersecurity requirements set out in Annex I, the distributor shall not make the product with digital elements available on the market until that product or the processes put in place by the manufacturer have been brought into conformity with this Regulation. Furthermore, where the product with digital elements poses a significant cybersecurity risk, the distributor shall inform, without undue delay, the manufacturer and the market surveillance authorities to that effect.

4.ディストリビューターは、その保有する情報に基づき、自らが市場に提供しているデジタル要素を含む製品またはその製造者が実施するプロセスが本規則に適合していないことを知り、またはそう信じる理由がある場合、当該デジタル要素を含む製品またはその製造者が実施するプロセスを適合させるために必要な是正措置を講じること、または適切な場合には、当該製品を撤回または回収することを確認しなければなりません。

デジタル要素を含む製品に脆弱性があることを知った場合、販売業者はその脆弱性について過度な遅滞なく製造業者に通知するものとする。さらに、デジタル要素付き製品が重大なサイバーセキュリティ・リスクをもたらす場合、販売業者は、デジタル要素付き製品を市場に提供している加盟国の市場監視当局に直ちにその旨を通知し、特に、コンプライアンス違反の詳細および講じられた是正措置について報告しなければならない。

5. Distributors shall, further to a reasoned request from a market surveillance authority, provide all the information and documentation, in paper or electronic form, necessary to demonstrate the conformity of the product with digital elements and the processes put in place by its manufacturer with this Regulation in a language that can be easily understood by that authority. They shall cooperate with that authority, at its request, on any measures taken to eliminate the cybersecurity risks posed by a product with digital elements which they have made available on the market.

6. Where the distributor of a product with digital elements becomes aware, on the basis of information in its possession, that the manufacturer of that product has ceased its operations and, as result, is not able to comply with the obligations laid down in this Regulation, the distributor shall inform, without undue delay, the relevant market surveillance authorities about this situation, as well as, by any means available and to the extent possible, the users of the products with digital elements placed on the market.

第21条 - 製造業者の義務が輸入業者および販売業者に適用される場合

An importer or distributor shall be considered to be a manufacturer for the purposes of this Regulation and shall be subject to Articles 13 and 14, where that importer or distributor places a product with digital elements on the market under its name or trademark or carries out a substantial modification of a product with digital elements already placed on the market.

第22条 - 製造者の義務が適用されるその他の場合

1. A natural or legal person, other than the manufacturer, the importer or the distributor, that carries out a substantial modification of a product with digital elements and makes that product available on the market, shall be considered to be a manufacturer for the purposes of this Regulation.

2. The person referred to in paragraph 1 of this Article shall be subject to the obligations set out in Articles 13 and 14 for the part of the product with digital elements that is affected by the substantial modification or, if the substantial modification has an impact on the cybersecurity of the product with digital elements as a whole, for the entire product.

第23条 - 経済事業者の特定

1. Economic operators shall, on request, provide the market surveillance authorities with the following information:

(a) the name and address of any economic operator who has supplied them with a product with digital elements;

(b) where available, the name and address of any economic operator to whom they have supplied a product with digital elements.

2. Economic operators shall be able to present the information referred to in paragraph 1 for 10 years after they have been supplied with the product with digital elements and for 10 years after they have supplied the product with digital elements.

第24条オープンソースソフトウェアのスチュワードの義務

1. Open-source software stewards shall put in place and document in a verifiable manner a cybersecurity policy to foster the development of a secure product with digital elements as well as an effective handling of vulnerabilities by the developers of that product. That policy shall also foster the voluntary reporting of vulnerabilities as laid down in Article 15 by the developers of that product and take into account the specific nature of the opensource software steward and the legal and organisational arrangements to which it is subject. That policy shall, in particular, include aspects related to documenting, addressing and remediating vulnerabilities and promote the sharing of information concerning discovered vulnerabilities within the open-source community.

2.オープンソースソフトウェアのスチュワードは、市場監視当局の要請に応じて、フリーソフトウェアおよびオープンソースソフトウェアとして適格なデジタル要素を持つ製品がもたらすサイバーセキュリティ上のリスクを軽減する目的で、市場監視当局と協力しなければならない。

Further to a reasoned request from a market surveillance authority, open-source software stewards shall provide that authority, in a language which can be easily understood by that authority, with the document tion referred to in paragraph 1, in paper or electronic form.

3. The obligations laid down in Article 14(1) shall apply to open-source software stewards to the extent that they are involved in the development of the products with digital elements. The obligations laid down in Article 14(3) and (8) shall apply to open-source software stewards to the extent that severe incidents having an impact on the security of products with digital elements affect network and information systems provided by the open-source software stewards for the development of such products.

第25条フリーソフトウェアおよびオープンソースソフトウェアのセキュリティ認証

In order to facilitate the due diligence obligation set out in Article 13(5), in particular as regards manufacturers that integrate free and open-source software components in their products with digital elements, the Commission is empowered to adopt delegated acts in accordance with Article 61 to supplement this Regulation by establishing voluntary security attestation programmes allowing the developers or users of products with digital elements qualifying as free and open-source software as well as other third parties to assess the conformity of such products with all or certain essential cybersecurity requirements or other obligations laid down in this Regulation.

第26条指導

1. In order to facilitate implementation and ensure the consistency of such implementation, the Commission shall publish guidance to assist economic operators in applying this Regulation, with a particular focus on facilitating compliance by microenterprises and small and medium-sized enterprises.

2.第1項にいうガイダンスを提供しようとする場合、欧州委員会は、少なくとも以下の点を取り上げなければならない：

(a) 遠隔データ処理ソリューションおよびフリー・オープンソースソフトウェアに特に焦点を当てた、本規則の適用範囲；

(b) the application of support periods in relation to particular categories of products with digital elements;

(c) guidance targeted at manufacturers subject to this Regulation that are also subject to Union harmonisation legislation other than this Regulation or to other related Union legal acts;

(d) the concept of substantial modification.

また、欧州委員会は、この規則に従って採択された委任法および実施法の一覧表を、アクセスしやすいように維持するものとする。

3.本条に基づくガイダンスを作成する際、欧州委員会は関係する利害関係者と協議するものとする。

第三章
デジタル要素と製品の適合性

第27条適合性の推定

1. Products with digital elements and processes put in place by the manufacturer which are in conformity with harmonised standards or parts thereof, the references of which have been published in the Official Journal of the European Union, shall be presumed to be in conformity with the essential cybersecurity requirements set out in Annex I covered by those standards or parts thereof.

The Commission shall, in accordance with Article 10(1) of Regulation (EU) No 1025/2012, request one or more European standardisation organisations to draft harmonised standards for the essential cybersecurity requirements set out in Annex I to this Regulation. When preparing standardisation requests for this Regulation, the Commission shall strive to take into account existing European and international standards for cybersecurity that are in place or under development in order to simplify the development of harmonised standards, in accordance with Regulation (EU) No 1025/2012.

2. The Commission may adopt implementing acts establishing common specifications covering technical requirements that provide a means to comply with the essential cybersecurity requirements set out in Annex I for products with digital elements that fall within the scope of this Regulation. Those implementing acts shall be adopted only where the following conditions are fulfilled:

(a) the Commission has requested, pursuant to Article 10(1) of Regulation (EU) No 1025/2012, one or more European standardisation organisations to draft a harmonised standard for the essential cybersecurity requirements set out in Annex I and:

(i) リクエストが受理されなかった；

(ii) the harmonised standards addressing that request are not delivered within the deadline set in accordance with Article 10(1) of Regulation (EU) No 1025/2012; or

(iii) ハーモナイズド規格がその要請に適合していない。

(b) no reference to harmonised standards covering the relevant essential cybersecurity requirements set out in Annex I to this Regulation has been published in the Official Journal of the European Union in accordance with Regulation (EU) No 1025/2012 and no such reference is expected to be published within a reasonable period. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 62(2).

3. Before preparing the draft implementing act referred to in paragraph 2 of this Article, the Commission shall inform the committee referred to in Article 22 of Regulation (EU) No 1025/2012 that it considers that the conditions in paragraph 2 of this Article have been fulfilled.

4. When preparing the draft implementing act referred to in paragraph 2, the Commission shall take into account the views of relevant bodies and shall duly consult all relevant stakeholders.

5. Products with digital elements and processes put in place by the manufacturer which are in conformity with the common specifications established by implementing acts referred to in paragraph 2 of this Article, or parts thereof, shall be presumed to be in conformity with the essential cybersecurity requirements set out in Annex I covered by those common specifications or parts thereof.

6. Where a harmonised standard is adopted by a European standardisation organisation and proposed to the Commission for the purpose of publishing its reference in the Official Journal of the European Union, the Commission shall assess the harmonised standard in accordance with Regulation (EU) No 1025/2012. When a reference of a harmonised standard is published in the Official Journal of the European Union, the Commission shall repeal the implementing acts referred to in paragraph 2 of this Article, or parts thereof which cover the same essential cybersecurity requirements as those covered by that harmonised standard.

7. Where a Member State considers that a common specification does not entirely satisfy the essential cybersecurity requirements set out in Annex I, it shall inform the Commission thereof by submitting a detailed explanation. The Commission shall assess that detailed explanation and may, if appropriate, amend the implementing act establishing the common specification in question.

8. Products with digital elements and processes put in place by the manufacturer for which an EU statement of conformity or certificate has been issued under a European cybersecurity certification scheme adopted pursuant to Regulation (EU) 2019/881 shall be presumed to be in conformity with the essential cybersecurity requirements set out in Annex I in so far as the EU statement of conformity or European cybersecurity certificate, or parts thereof, cover those requirements.

9. The Commission is empowered to adopt delegated acts in accordance with Article 61 of this Regulation to supplement this Regulation by specifying the European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 that can be used to demonstrate conformity of products with digital elements with the essential cybersecurity requirements or parts thereof as set out in Annex I to this Regulation. Furthermore, the issuance of a European cybersecurity certificate issued under such schemes, at least at assurance level ‘substantial’, eliminates the obligation of a manufacturer to carry out a third-party conformity assessment for the corresponding requirements, as set out in Article 32(2), points (a) and (b), and Article 32(3), points (a) and (b), of this Regulation.

第28条 EU適合宣言

1. The EU declaration of conformity shall be drawn up by manufacturers in accordance with Article 13(12) and state that the fulfilment of the applicable essential cybersecurity requirements set out in Annex I has been demonstrated.

2. The EU declaration of conformity shall have the model structure set out in Annex V and shall contain the elements specified in the relevant conformity assessment procedures set out in Annex VIII. Such a declaration shall be updated as appropriate. It shall be made available in the languages required by the Member State in which the product with digital elements is placed on the market or made available on the market.

The simplified EU declaration of conformity referred to in Article 13(20) shall have the model structure set out in Annex VI. It shall be made available in the languages required by the Member State in which the product with digital elements is placed on the market or made available on the market.

3. Where a product with digital elements is subject to more than one Union legal act requiring an EU declaration of conformity, a single EU declaration of conformity shall be drawn up in respect of all such Union legal acts. That declaration shall contain the identification of the Union legal acts concerned, including their publication references.

4.EU適合宣言書を作成することにより、製造者は、製品がデジタル要素に適合する責任を負うものとする。

5. The Commission is empowered to adopt delegated acts in accordance with Article 61 to supplement this Regulation by adding elements to the minimum content of the EU declaration of conformity set out in Annex V to take account of technological developments.

第29条 - CEマーキングの一般原則

The CE marking shall be subject to the general principles set out in Article 30 of Regulation (EC) No 765/2008.

第30条 CEマーキングの貼付に関する規則および条件

1. The CE marking shall be affixed visibly, legibly and indelibly to the product with digital elements. Where that is not possible or not warranted on account of the nature of the product with digital elements, it shall be affixed to the packaging and to the EU declaration of conformity referred to in Article 28 accompanying the product with digital elements. For products with digital elements which are in the form of software, the CE marking shall be affixed either to the EU declaration of conformity referred to in Article 28 or on the website accompanying the software product. In the latter case, the relevant section of the website shall be easily and directly accessible to consumers.

2.デジタル要素を有する製品の性質上、デジタル要素を有する製品に貼付されるCEマーキングの高さは、視認性及び可読性を維持することを条件に、5mm未満とすることができる。

3. The CE marking shall be affixed before the product with digital elements is placed on the market. It may be followed by a pictogram or any other mark indicating a special cybersecurity risk or use set out in the implementing acts referred to in paragraph 6.

4. The CE marking shall be followed by the identification number of the notified body, where that body is involved in the conformity assessment procedure based on full quality assurance (based on module H) referred to in Article 32. The identification number of the notified body shall be affixed by the body itself or, under its instructions, by the manufacturer or the manufacturer’s authorised representative.

5. Member States shall build upon existing mechanisms to ensure correct application of the regime governing the CE marking and shall take appropriate action in the event of improper use of that marking. Where the product with digital elements is subject to Union harmonisation legislation, other than this Regulation, which also provides for the affixing of the CE marking, the CE marking shall indicate that the product also fulfils the requirements set out in such other Union harmonisation legislation.

6. The Commission may, by means of implementing acts, lay down technical specifications for labels, pictograms or any other marks related to the security of the products with digital elements, their support periods and mechanisms to promote their use and to increase public awareness about the security of products with digital elements. When preparing the draft implementing acts, the Commission shall consult relevant stakeholders, and, if it has already been established pursuant to Article 52(15), ADCO. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 62(2).

第31条 - 技術文書

1. The technical documentation shall contain all relevant data or details of the means used by the manufacturer to ensure that the product with digital elements and the processes put in place by the manufacturer comply with the essential cybersecurity requirements set out in Annex I. It shall at least contain the elements set out in Annex VII.

2. The technical documentation shall be drawn up before the product with digital elements is placed on the market and shall be continuously updated, where appropriate, at least during the support period.

3. For products with digital elements as referred to in Article 12, which are also subject to other Union legal acts which provide for technical documentation, a single set of technical documentation shall be drawn up containing the information referred to in Annex VII and the information required by those Union legal acts.

4.適合性評価手続に関する技術文書及び通信文書は，その通告機関が設立されている加盟国の公用語又はその通告機関が受け入れ可能な言語で作成しなければならない。

5.欧州委員会は、第61条に従い、技術的発展、および本規則の実施過程で遭遇する発展を考慮し、附属書VIIに定める技術文書に含めるべき要素を追加することにより、本規則を補足する委任法を採択する権限を有する。そのために、欧州委員会は、零細企業および中小企業の事務負担が適切なものとなるよう努めるものとする。

第32条-デジタル要素を持つ製品の適合性評価手続き

1. The manufacturer shall perform a conformity assessment of the product with digital elements and the processes put in place by the manufacturer to determine whether the essential cybersecurity requirements set out in Annex I are met. The manufacturer shall demonstrate conformity with the essential cybersecurity requirements by using any of the following procedures:

(a) 付属文書VIIIに定める内部統制手順（モジュールAに基づく）；

(b) 附属書VIIIに定めるEU型審査手順（モジュールBに基づく）、次いで附属書VIIIに定める内部生産管理に基づくEU型への適合（モジュールCに基づく）；

(d) where available and applicable, a European cybersecurity certification scheme pursuant to Article 27(9).

2. Where, in assessing the compliance of an important product with digital elements that falls under class I as set out in Annex III and the processes put in place by its manufacturer with the essential cybersecurity requirements set out in Annex I, the manufacturer has not applied or has applied only in part harmonised standards, common specifications or European cybersecurity certification schemes at assurance level at least ‘substantial’ as referred to in Article 27, or where such harmonised standards, common specifications or European cybersecurity certification schemes do not exist, the product with digital elements concerned and the processes put in place by the manufacturer shall be submitted with regard to those essential cybersecurity requirements to either of the following procedures:

(a) 附属書VIIIに定めるEU型審査手順（モジュールBに基づく）、次いで附属書VIIIに定める内部製造管理（モジュールCに基づく）に基づくEU型への適合。

(b) a conformity assessment based on full quality assurance (based on module H) set out in Annex VIII.

3. Where the product is an important product with digital elements that falls under class II as set out in Annex III, the manufacturer shall demonstrate conformity with the essential cybersecurity requirements set out in Annex I by using any of the following procedures:

(a) 附属書VIIIに定めるEU型審査手順（モジュールBに基づく）、次いで附属書VIIIに定める内部製造管理（モジュールCに基づく）に基づくEU型への適合；

(b) a conformity assessment based on full quality assurance (based on module H) set out in Annex VIII; or

(c) where available and applicable, a European cybersecurity certification scheme pursuant to Article 27(9) of this Regulation at assurance level at least ‘substantial’ pursuant to Regulation (EU) 2019/881.

4. Critical products with digital elements listed in Annex IV shall demonstrate conformity with the essential cybersecurity requirements set out in Annex I by using one of the following procedures:

(a) a European cybersecurity certification scheme in accordance with Article 8(1); or

(b) 第8条第1項の条件を満たさない場合、本条第3項のいずれかの手続。

5. Manufacturers of products with digital elements qualifying as free and open-source software, which fall under the categories set out in Annex III, shall be able to demonstrate conformity with the essential cybersecurity requirements set out in Annex I by using one of the procedures referred to in paragraph 1 of this Article, provided that the technical documentation referred to in Article 31 is made available to the public at the time of the placing on the market of those products.

6. The specific interests and needs of microenterprises and small and medium-sized enterprises, including start-ups, shall be taken into account when setting the fees for conformity assessment procedures and those fees shall be reduced proportionately to their specific interests and needs.

第33条新興企業を含む零細・中小企業に対する支援措置

1. Member States shall, where appropriate, undertake the following actions, tailored to the needs of microenterprises and small enterprises:

(a) 本規則の適用に関する具体的な啓発・研修活動を組織すること；

(b) establish a dedicated channel for communication with microenterprises and small enterprises and, as appropriate, local public authorities to provide advice and respond to queries about the implementation of this Regulation;

(c) support testing and conformity assessment activities, including where relevant with the support of the European Cybersecurity Competence Centre.

2. Member States may, where appropriate, establish cyber resilience regulatory sandboxes. Such regulatory sandboxes shall provide for controlled testing environments for innovative products with digital elements to facilitate their development, design, validation and testing for the purpose of complying with this Regulation for a limited period of time before the placing on the market. The Commission and, where appropriate, ENISA, may provide technical support, advice and tools for the establishment and operation of regulatory sandboxes. The regulatory sandboxes shall be set up under the direct supervision, guidance and support by the market surveillance authorities. Member States shall inform the Commission and the other market surveillance authorities of the establishment of a regulatory sandbox through ADCO. The regulatory sandboxes shall not affect the supervisory and corrective powers of the competent authorities. Member States shall ensure open, fair, and transparent access to regulatory sandboxes, and in particular facilitate access by microenterprises and small enterprises, including start ups.

3. In accordance with Article 26, the Commission shall provide guidance for microenterprises and small and medium-sized enterprises in relation to the implementation of this Regulation.

4. The Commission shall advertise available financial support in the regulatory framework of existing Union programmes, in particular in order to ease the financial burden on microenterprises and small enterprises.

5. Microenterprises and small enterprises may provide all elements of the technical documentation specified in Annex VII by using a simplified format. For that purpose, the Commission shall, by means of implementing acts, specify the simplified technical documentation form targeted at the needs of microenterprises and small enterprises, including how the elements set out in Annex VII are to be provided. Where a microenterprise or small enterprise opts to provide the information set out in Annex VII in a simplified manner, it shall use the form referred to in this paragraph. Notified bodies shall accept that form for the purposes of conformity assessment. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 62(2).

第34条相互承認協定

第三国の技術開発レベルおよび適合性評価に関するアプローチを考慮し、EUは、国際貿易を促進および円滑化するために、TFEU第218条に従い、第三国と相互承認協定を締結することができる。

第四章
適合性評価機関通知

第35条 - 通知

1. Member States shall notify the Commission and the other Member States of bodies authorised to carry out conformity assessments in accordance with this Regulation.

2. Member States shall strive to ensure, by … [24 months from the date of entry into force of this Regulation] that there is a sufficient number of notified bodies in the Union to carry out conformity assessments, in order to avoid bottlenecks and hindrances to market entry.

第36条当局への通知

1. Each Member State shall designate a notifying authority that shall be responsible for setting up and carrying out the necessary procedures for the assessment, designation and notification of conformity assessment bodies and their monitoring, including compliance with Article 41.

2. Member States may decide that the assessment and monitoring referred to in paragraph 1 shall be carried out by a national accreditation body within the meaning of and in accordance with Regulation (EC) No 765/2008.

3. Where the notifying authority delegates or otherwise entrusts the assessment, notification or monitoring referred to in paragraph 1 of this Article to a body which is not a governmental entity, that body shall be a legal entity and shall comply mutatis mutandis with Article 37. In addition, it shall have arrangements in place to cover liabilities arising from its activities.

4. The notifying authority shall take full responsibility for the tasks performed by the body referred to in paragraph 3.

第37条 - 通知当局に関する要件

1.通知機関は，適合性評価機関との利害の対立が生じないように設立しなければならない。

2.通告機関は、その活動の客観性と公平性を守るように組織され、機能しなければならない。

3.届出機関は，適合性評価機関の届出に関連する各決定が，審査を実施した者とは異なる能力者によって行われるように組織されなければならない。

4.届出機関は，適合性評価機関が行う活動又はコンサルタント業務を商業ベース又は競争ベースで提供してはならない。

5.届出機関は、入手した情報の秘密を守らなければならない。

6. A notifying authority shall have a sufficient number of competent personnel at its disposal for the proper performance of its tasks

第38条 - 通知当局の情報義務

1. Member States shall inform the Commission of their procedures for the assessment and notification of conformity assessment bodies and the monitoring of notified bodies, and of any changes thereto.

2.欧州委員会は、第1項の情報を公開しなければならない。

第39条-ノーティファイド・ボディに関する要求事項

1.適合性評価機関は，届出の目的上，第 2 項から第 12 項に規定する要件を満たさなければならない。

2.適合性評価機関は，国内法に基づいて設立され，法人格を持たなければならない。

3.適合性評価機関は、評価する組織又はデジタル要素を含む製品から独立した第三者機関でなければならない。

A body belonging to a business association or professional federation representing undertakings involved in the design, development, production, provision, assembly, use or maintenance of products with digital elements which it assesses, may, on condition that its independence and the absence of any conflict of interest are demonstrated, be considered to be such a third-party body.

4. A conformity assessment body, its top level management and the personnel responsible for carrying out the conformity assessment tasks shall not be the designer, developer, manufacturer, supplier, importer, distributor, installer, purchaser, owner, user or maintainer of the products with digital elements which they assess, nor the authorised representative of any of those parties. This shall not preclude the use of assessed products that are necessary for the operations of the conformity assessment body or the use of such products for personal purposes. A conformity assessment body, its top level management and the personnel responsible for carrying out the conformity assessment tasks shall not be directly involved in the design, development, production, import, distribution, the marketing, installation, use or maintenance of the products with digital elements which they assess, or represent the parties engaged in those activities. They shall not engage in any activity that may conflict with their independence of judgement or integrity in relation to conformity assessment activities for which they are notified. This shall in particular apply to consultancy services.

適合性評価機関は、その子会社または下請業者の活動が、適合性評価活動の機密性、客観性、または公平性に影響を与えないようにしなければならない。

5.適合性評価機関及びその要員は、最高度の専門的誠実さ及び特定分野における必要な技術的能力をもって適合性評価活動を実施しなければならず、また、特にその活動の結果に利害関係を有する個人又は集団に関して、その判断又は適合性評価活動の結果に影響を及ぼす可能性のあるあらゆる圧力及び誘因、特に金銭的なものから自由でなければならない。

6. A conformity assessment body shall be capable of carrying out all the conformity assessment tasks referred to in Annex VIII and in relation to which it has been notified, regardless of whether those tasks are carried out by the conformity assessment body itself or on its behalf and under its responsibility. At all times and for each conformity assessment procedure and each kind or category of products with digital elements in relation to which it has been notified, a conformity assessment body shall have at its disposal the necessary:

(a) 適合性評価業務を実施するための技術的知識及び十分かつ適切な経験を有する要員；

(b) descriptions of procedures in accordance with which conformity assessment is to be carried out, ensuring the transparency of and ability to reproduce those procedures. It shall have appropriate policies and procedures in place that distinguish between tasks it carries out as a notified body and other activities;

(c) procedures for the performance of activities which take due account of the size of an undertaking, the sector in which it operates, its structure, the degree of complexity of the product technology in question and the mass or serial nature of the production process. A conformity assessment body shall have the means necessary to perform the technical and administrative tasks connected with the conformity assessment activities in an appropriate manner and shall have access to all necessary equipment or facilities.

7.適合性評価活動の実施に責任を負う要員は、次の事項を備えていなければならない：

(a) 適合性評価機関が通知を受けた適合性評価活動のすべてを網羅する健全な技術及び職業訓練；

(b) 実施する審査の要件に関する十分な知識及びこれらの審査を実施するための適切な権限；

(c) appropriate knowledge and understanding of the essential cybersecurity requirements set out in Annex I, of the applicable harmonised standards and common specifications, and of the relevant provisions of Union harmonisation legislation and implementing acts;

(d) 評価が実施されたことを証明する証明書、記録、報告書を作成する能力。

8. The impartiality of the conformity assessment bodies, their top level management and of the assessment personnel shall be guaranteed. The remuneration of the top level management and assessment personnel of a conformity assessment body shall not depend on the number of assessments carried out or on the results of those assessments.

9.適合性評価機関は、国内法に従って加盟国が責任を負う場合、又は加盟国自体が適合性評価に直接責任を負う場合を除き、賠償責任保険に加入しなければならない。

10. The personnel of a conformity assessment body shall observe professional secrecy with regard to all information obtained in carrying out their tasks under Annex VIII or any provision of national law giving effect to it, except in relation to the market surveillance authorities of the Member State in which its activities are carried out. Proprietary rights shall be protected. The conformity assessment body shall have documented procedures ensuring compliance with this paragraph.

11.適合性評価機関は，関連する規格化活動及び第 51 条に基づいて設立されたノーティファイドボディ・コーディネーショングループの活動に参加し，又はその審査要員に周知させ，同グループの作業の結果として作成された行政上の決定及び文書を一般的指針として適用しなければならない。

12. Conformity assessment bodies shall operate in accordance with a set of consistent, fair, proportionate and reasonable terms and conditions, while avoiding unnecessary burden for economic operators, in particular taking into account the interests of microenterprises and small and medium-sized enterprises in relation to fees.

第40条 - 届出機関の適合性の推定

適合性評価機関が、欧州連合官報に引用文献が掲載された関連整合規格またはその一部に規定された基準に適合していることを証明する場合、適用される整合規格がこれらの要件を網羅している限りにおいて、第39条に規定された要件に適合していると推定されるものとする。

第41条 - 届出機関の子会社および下請け業者

1.届出機関が適合性評価に関連する特定の業務を外注する場合又は子会社に依頼する場合，その外注先又は子会社が第 39 条に規定する要件を満たしていることを確実なものとし，それに従って届出機関に通知しなければならない。

2. Notified bodies shall take full responsibility for the tasks performed by subcontractors or subsidiaries wherever they are established.

3.製造者の同意がある場合に限り、活動を下請けに出したり、子会社が実施したりすることができる。

4.届出機関は，本規則に基づき，下請業者又は子会社の資格の評価及びそれらによって実施される作業に関する関連文書を，届出当局の自由に保管しなければならない。

第42条届出申請

1.適合性評価機関は，その機関が設立された加盟国の届出当局に届出申請書を提出しなければならない。

2. That application shall be accompanied by a description of the conformity assessment activities, the conformity assessment procedure or procedures and the product or products with digital elements for which that body claims to be competent, as well as, where applicable, by an accreditation certificate issued by a national accreditation body attesting that the conformity assessment body fulfils the requirements laid down in Article 39.

3.当該適合性評価機関が認定証明書を提供できない場合，当該適合性評価機関は，第 39 条に定める要求事項への適合の検証，承認及び定期的な監視に必要なすべての証拠書類を通知機関に提供しなければならない。

第43条 - 通知手続き

1. Notifying authorities shall notify only conformity assessment bodies which have satisfied the requirements laid down in Article 39.

2. The notifying authority shall notify the Commission and the other Member States using the New Approach Notified and Designated Organisations information system developed and managed by the Commission.

3.通知には，適合性評価活動の完全な詳細，適合性評価モジュール及びモジュール並びに当該デジタル要素を備えた製品及び製品並びに関連する能力の証明を含まなければならない。

4. Where a notification is not based on an accreditation certificate as referred to in Article 42(2), the notifying authority shall provide the Commission and the other Member States with documentary evidence which attests to the conformity assessment body’s competence and the arrangements in place to ensure that that body will be monitored regularly and will continue to satisfy the requirements laid down in Article 39.

5. The body concerned may perform the activities of a notified body only where no objections are raised by the Commission or the other Member States within two weeks of a notification where an accreditation certificate is used or within two months of a notification where accreditation is not used. Only such a body shall be considered to be a notified body for the purposes of this Regulation.

6.欧州委員会および他の加盟国は、その後、通達に関連する変更があった場合、その旨を通達されるものとする。

第44条-識別番号およびノーティファイド・ボディのリスト

1. The Commission shall assign an identification number to a notified body. It shall assign a single such number even where the body is notified under several Union legal acts.

2.欧州委員会は、この規則に基づいて通告された団体のリストを、その団体に割り当てられた識別番号および通告された活動を含めて、一般に公開する。

委員会は、そのリストが常に最新の状態に保たれるようにしなければならない。

第45条 - 届出の変更

1.届出機関が第39条に規定された要件をもはや満たしていないこと、又はその義務を履行していないことを確認した場合、又はその旨の通知を受けた場合、届出機関は、その要件を満たしていないこと又はその義務を履行していないことの重大性に応じて、適宜、届出を制限、一時停止又は撤回しなければならない。また、それに応じて、欧州委員会および他の加盟国に直ちに通知しなければならない。

2.届出が制限、一時停止、撤回された場合、又は届出機関がその活動を停止した場合、届出加盟国は、その機関のファイルが他の届出機関によって処理されるか、又は担当の届出及び市場監視当局の要請に応じて利用可能な状態に保たれることを確保するために適切な措置を講じなければならない。

第46条 - 届出機関の能力への挑戦

1.欧州委員会は、ノーティファイド・ボディがその対象となる要件及び責任を満たす能力があるかどうか、または、ノーティファイド・ボディがその要件及び責任を継続的に満たしているかどうかについて疑義がある場合、または、疑義が生じた場合には、すべて調査を行うものとする。

2.通告を行う加盟国は、要求があれば、欧州委員会に対し、通告の根拠または関係機関の権限の維持に関するすべての情報を提供しなければならない。

3.委員会は、調査の過程で入手したすべての機密情報の機密扱いを徹底する。

4.欧州委員会は、届出機関が届出の要件を満たしていない、または満たさなくなったことを確認した場合、その旨を届出加盟国に通知し、必要であれば届出の廃止を含め、必要な是正措置をとるよう要請するものとする。

第47条 - 届出機関の運営義務

1.ノーティファイド機関は，第32条及び附属書VIIIに規定する適合性評価手順に従って適合性評価を実施しなければならない。

2. Conformity assessments shall be carried out in a proportionate manner, avoiding unnecessary burdens for economic operators. Conformity assessment bodies shall perform their activities taking due account of the size of undertakings, in particular as regards microenterprises and small and medium-sized enterprises, the sector in which they operate, their structure, their degree of complexity and the cybersecurity risk level of the products with digital elements and technology in question and the mass or serial nature of the production process.

3. Notified bodies shall however respect the degree of rigour and the level of protection required for the compliance of products with digital elements with this Regulation.

4. Where a notified body finds that the requirements set out in Annex I or in corresponding harmonised standards or common specifications as referred to in Article 27 have not been met by a manufacturer, it shall require that manufacturer to take appropriate corrective measures and shall not issue a certificate of conformity.

5.認証書発行後の適合性監視の過程において、デジタル要素を備えた製品が本規則に規定された要件に適合しなくなったことを通知機関が発見した場合、通知機関は製造者に対し適切な是正措置を講じるよう要求し、必要に応じて認証書を一時停止又は撤回しなければならない。

6.是正措置が講じられない場合、又は要求される効果が得られない場合、届出機関は、適宜、認証の制限、一時停止又は取消しを行うものとする。

第48条 - 通知機関の決定に対する不服申し立て

Member States shall ensure that an appeal procedure against decisions of the notified bodies is available.

第49条 - 届出団体に対する情報義務

1.届出機関は、以下の事項を届出機関に通知しなければならない：

(a) 証明書の拒否、制限、一時停止または撤回；

(b) 届出の範囲および条件に影響を与える状況；

(d) 要請があれば，その届出の範囲内で実施された適合性評価活動及び国境を越えた活動及び下請けを含めて実施されたその他の活動。

2.ノーティファイド機関は，デジタル要素を有する同一の製品を対象とする類似の適合性評価活動を実施する本規則に基づきノーティファイドされた他の機関に対し，否定的な適合性評価結果及び要求に応じて肯定的な適合性評価結果に関連する問題に関する関連情報を提供しなければならない。

第50条 - 経験の交換

The Commission shall provide for the organisation of the exchange of experience between the Member States’ national authorities responsible for notification policy.

第51条通知機関の調整

1. The Commission shall ensure that appropriate coordination and cooperation between notified bodies are put in place and properly operated in the form of a cross-sectoral group of notified bodies.

2.加盟国は、自国から通知された機関が、直接又は指名された代表によって、当該グループの作業に参加することを確保するものとする。

第五章
市場の監視と執行

第52条-連合市場におけるデジタル要素を含む製品の市場監視および管理

1. Regulation (EU) 2019/1020 shall apply to products with digital elements that fall within the scope of this Regulation.

2.各加盟国は、本規則の効果的な実施を確保する目的で、1つまたは複数の市場監視当局を指定しなければならない。加盟国は、既存または新規の当局を、本規則の市場監視当局として指定することができる。

3. The market surveillance authorities designated under paragraph 2 of this Article shall also be responsible for carrying out market surveillance activities in relation to the obligations for open-source software stewards laid down in Article 24. Where a market surveillance authority finds that an open-source software steward does not comply with the obligations set out in that Article, it shall require the open-source software steward to ensure that all appropriate corrective actions are taken. Open-source software stewards shall ensure that all appropriate corrective action is taken in respect of their obligations under this Regulation.

4.関連する場合、市場監視当局は、規則（EU）2019/881の第58条に従って指定された各国のサイバーセキュリティ認証当局と協力し、定期的に情報交換を行うものとする。本規則第14条に基づく報告義務の履行の監督に関して、指定市場監視当局は、調整役として指定されたCSIRT及びENISAと定期的に協力し、情報交換を行うものとする。

5.市場監視当局は、調整者として指定された CSIRT または ENISA に対し、本規則の実施および施行に関連する事項に関する技術的助言を要請することができる。第 54 条に基づく調査を実施する場合、市場監視当局は、調整者として指定された CSIRT または ENISA に対し、デジタル要素を含む製品の適合性評価を支援するための分析を提供するよう要請することができる。

6. Where relevant, the market surveillance authorities shall cooperate with other market surveillance authorities designated on the basis of Union harmonisation legislation other than this Regulation, and exchange information on a regular basis.

7. Market surveillance authorities shall cooperate, as appropriate, with the authorities supervising Union data protection law. Such cooperation includes informing those authorities of any finding relevant for the fulfilment of their competences, including when issuing guidance and advice pursuant to paragraph 10 if such guidance and advice concerns the processing of personal data. Authorities supervising Union data protection law shall have the power to request and access any documentation c eated or maintained under this Regulation when access to that documentation is necessary for the fulfilment of their tasks. They shall inform the designated market surveillance authorities of the Member State concerned of any such request.

8.加盟国は、指定された市場監視当局が、適切な場合には自動処理ツールを含む適切な財政的及び技術的資源、並びに本規則に基づく業務を遂行するために必要なサイバーセキュリティのスキルを有する人的資源を提供されることを確保しなければならない。

9.欧州委員会は、指定市場監視当局間の経験交流を奨励し、促進する。

10. Market surveillance authorities may provide guidance and advice to economic operators on the implementation of this Regulation, with the support of the Commission and, where appropriate, CSIRTs and ENISA.

11. Market surveillance authorities shall inform consumers of where to submit complaints that could indicate non-compliance with this Regulation, in accordance with Article 11 of Regulation (EU) 2019/1020, and shall provide information to consumers on where and how to access mechanisms to facilitate reporting of vulnerabilities, incidents and cyber threats that may affect products with digital elements.

12.市場監視当局は、関連する場合、科学者、研究者及び消費者団体を含む関係ステークホルダーとの協力を促進しなければならない。

13.市場監視当局は，関連する市場監視活動の結果を，年1回，欧州委員会に報告しなければならない。指定市場監視当局は，市場監視活動の過程で確認された，EU競争法の適用に潜在的な関心を持ちうる情報を，遅滞なく，欧州委員会及び関連する各国競争当局に報告しなければならない。

14. For products with digital elements that fall within the scope of this Regulation which are classified as high-risk AI systems pursuant to Article 6 of Regulation (EU) 2024/1689, the market surveillance authorities designated for the purposes of that Regulation shall be the authorities responsible for market surveillance activities required under this Regulation. The market surveillance authorities designated pursuant to Regulation (EU) 2024/1689 shall cooperate, as appropriate, with the market surveillance authorities designated pursuant to this Regulation and, with respect to the supervision of the implementation of the reporting obligations pursuant to Article 14 of this Regulation, with the CSIRTs designated as coordinators and ENISA. Market surveillance authorities designated pursuant to Regulation (EU) 2024/1689 shall in particular inform market surveillance authorities designated pursuant to this Regulation of any finding relevant for the fulfilment of their tasks in relation to the implementation of this Regulation.

15. ADCO shall be established for the uniform application of this Regulation, pursuant to Article 30(2) of Regulation (EU) 2019/1020. ADCO shall be composed of representatives of the designated market surveillance authorities and, if appropriate, representatives of single liaison offices. ADCO shall also address specific matters related to the market surveillance activities in relation to the obligations placed on open-source software stewards.

16.市場監視当局は、製造業者がデジタル要素を有する製品のサポート期間を決定する際に、第 13 条(8)で言及される基準をどのように適用したかを監視しなければならない。

ADCO shall publish in a publicly accessible and user-friendly form relevant statistics on categories of products with digital elements, including average support periods, as determined by the manufacturer pursuant to Article 13(8), as well as provide guidance that includes indicative support periods for categories of products with digital elements.

Where the data suggests inadequate support periods for specific categories of products with digital elements, ADCO may issue recommendations to market surveillance authorities to focus their activities on such categories of products with digital elements.

第53条データおよび文書へのアクセス

Where necessary to assess the conformity of products with digital elements and the processes put in place by their manufacturers with the essential cybersecurity requirements set out in Annex I, the market surveillance authorities shall, upon a reasoned request, be granted access to the data, in a language easily understood by them, required to assess the design, development, production and vulnerability handling of such products, including related internal documentation of the relevant economic operator.

第54条-重大なサイバーセキュリティリスクをもたらすデジタル要素を有する製品に関する国家レベルでの手続き

1. Where the market surveillance authority of a Member State has sufficient reason to consider that a product with digital elements, including its vulnerability handling, presents a significant cybersecurity risk, it shall, without undue delay and, where appropriate, in cooperation with the relevant CSIRT, carry out an evaluation of the product with digital elements concerned in respect of its compliance with all the requirements laid down in this Regulation. The relevant economic operators shall cooperate with the market surveillance authority as necessary.

Where, in the course of that evaluation, the market surveillance authority finds that the product with digital elements does not comply with the requirements laid down in this Regulation, it shall without delay require the relevant economic operator to take all appropriate corrective actions to bring the product with digital elements into compliance with those requirements, to withdraw it from the market, or to recall it within a reasonable period, commensurate with the nature of the cybersecurity risk, as the market surveillance authority may prescribe.

The market surveillance authority shall inform the relevant notified body accordingly. Article 18 of Regulation (EU) 2019/1020 shall apply to the corrective actions.

2. When determining the significance of a cybersecurity risk referred to in paragraph 1 of this Article, the market surveillance authorities shall also consider non-technical risk factors, in particular those established as a result of Union level coordinated security risk assessments of critical supply chains carried out in accordance with Article 22 of Directive (EU) 2022/2555. Where a market surveillance authority has sufficient reason to consider that a product with digital elements presents a significant cybersecurity risk in light of non-technical risk factors, it shall inform the competent authorities designated or established pursuant to Article 8 of Directive (EU) 2022/2555 and cooperate with those authorities as necessary.

3. Where the market surveillance authority considers that non-compliance is not restricted to its national territory, it shall inform the Commission and the other Member States of the results of the evaluation and of the actions which it has required the economic operator to take.

4.経済事業者は、当該経済事業者が域内全域で市販しているデジタル要素を含むすべての製品について、すべての適切な是正措置が講じられることを確保しなければならない。

5.経済事業者が第1項第2号に掲げる期間内に適切な是正措置を講じない場合、市場監視当局は、デジタル要素を有する当該製品が自国の市場で入手可能となることを禁止又は制限し、当該市場から撤去し、又は当該製品を回収するためのあらゆる適切な暫定措置を講じなければならない。

同当局は、欧州委員会および他の加盟国に対し、遅滞なくその措置を通知しなければならない。

6. The information referred to in paragraph 5 shall include all available details, in particular the data necessary for the identification of the non-compliant product with digital elements, the origin of that product with digital elements, the nature of the alleged non-compliance and the risk involved, the nature and duration of the national measures taken and the arguments put forward by the relevant economic operator. In particular, the market surveillance authority shall indicate whether the non-compliance is due to one or more of the following:

(a) a failure of the product with digital elements or of the processes put in place by the manufacturer to meet the essential cybersecurity requirements set out in Annex I;

(b) shortcomings in the harmonised standards, European cybersecurity certification schemes or common specifications, as referred to in Article 27.

7.手続を開始した加盟国の市場監視当局以外の加盟国の市場監視当局は、遅滞なく、採択された措置および当該製品のデジタル要素への不適合に関連する追加情報を欧州委員会および他の加盟国に通知し、通知された国内措置に不服がある場合は、異議申し立てを行うものとする。

8. Where, within three months of receipt of the notification referred to in paragraph 5 of this Article, no objection has been raised by either a Member State or the Commission in respect of a provisional measure taken by a Member State, that measure shall be deemed to be justified. This is without prejudice to the procedural rights of the economic operator concerned in accordance with Article 18 of Regulation (EU) 2019/1020.

9.すべての加盟国の市場監視当局は、当該デジタル要素を有する製品に関して、当該製品の市場からの撤去など、適切な制限措置が遅滞なく講じられることを確保しなければならない。

第55条組合のセーフガード手続き

1.第54条(5)の通告を受けてから3ヶ月以内に、他の加盟国がとった措置に対して加盟国から異議が提起された場合、または、欧州委員会がその措置を同盟法に反するとみなす場合、欧州委員会は、遅滞なく、当該加盟国および経済事業者と協議に入り、国内措置を評価する。その評価結果に基づき、欧州委員会は、第54条(5)に規定する通知から9ヶ月以内に、国内措置が正当であるか否かを決定し、その決定を関係加盟国に通知する。

2.国内措置が正当であるとみなされた場合、すべての加盟国は、デジタル要素を含む非適合製品が自国の市場から撤去されることを保証するために必要な措置を講じ、それに従って欧州委員会に通知しなければならない。国内措置が正当でないとみなされた場合、当該加盟国はその措置を撤回しなければならない。

3. Where the national measure is considered to be justified and the non-compliance of the product with digital elements is attributed to shortcomings in the harmonised standards, the Commission shall apply the procedure provided for in Article 11 of Regulation (EU) No 1025/2012.

4. Where the national measure is considered to be justified and the non-compliance of the product with digital elements is attributed to shortcomings in a European cybersecurity certification scheme as referred to in Article 27, the Commission shall consider whether to amend or repeal any delegated act adopted pursuant to Article 27(9) that specifies the presumption of conformity concerning that certification scheme.

5. Where the national measure is considered to be justified and the non-compliance of the product with digital elements is attributed to shortcomings in common specifications as referred to in Article 27, the Commission shall consider whether to amend or repeal any implementing act adopted pursuant to Article 27(2) setting out those common specifications.

第56条-重大なサイバーセキュリティリスクをもたらすデジタル要素を有する製品に関するEUレベルでの手続き

1.欧州委員会が、ENISAから提供された情報に基づく場合を含め、重大なサイバーセキュリティ上のリスクをもたらすデジタル要素を備えた製品が本規則に規定された要件に適合していないと考える十分な理由を有する場合、欧州委員会は、関連する市場監視当局にその旨を通知する。市場監視当局が、重大なサイバーセキュリティ・リスクをもたらす可能性のあるデジタル要素を有する製品について、本規則に規定された要件への準拠に関する評価を実施する場合、第54条および第55条に言及される手続が適用されるものとする。

2. Where the Commission has sufficient reason to consider that a product with digital elements presents a significant cybersecurity risk in light of non-technical risk factors, it shall inform the relevant market surveillance authorities and, where appropriate, the competent authorities designated or established pursuant to Article 8 of Directive (EU) 2022/2555 and cooperate with those authorities as necessary. The Commission shall also consider the relevance of the identified risks for that product with digital elements in view of its tasks regarding the Union level coordinated security risk assessments of critical supply chains provided for in Article 22 of Directive (EU) 2022/2555, and consult, as necessary, the Cooperation Group established pursuant to Article 14 of Directive (EU) 2022/2555 and ENISA.

3. In circumstances which justify an immediate intervention to preserve the proper functioning of the internal market and where the Commission has sufficient reason to consider that the product with digital elements referred to in paragraph 1 remains
non-compliant with the requirements laid down in this Regulation and no effective measures have been taken by the relevant market surveillance authorities, the Commission shall carry out an evaluation of compliance and may request ENISA to provide an analysis to support it. The Commission shall inform the relevant market surveillance authorities accordingly. The relevant economic operators shall cooperate with ENISA as necessary.

4.第3項の評価に基づき、欧州委員会は、EUレベルで是正措置または制限措置が必要であると決定することができる。そのために、欧州委員会は、遅滞なく、関係加盟国および関連する経済事業者に協議しなければならない。

5. On the basis of the consultation referred to in paragraph 4 of this Article, the Commission may adopt implementing acts to provide for corrective or restrictive measures at Union level, including requiring the products with digital elements concerned to be withdrawn from the market or recalled, within a reasonable period, commensurate with the nature of the risk. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 62(2).

6.欧州委員会は、第5項で言及された実施法を直ちに関連する経済事業者または事業者に伝達する。加盟国は、遅滞なくこれらの実施法を施行し、それに従って欧州委員会に通知しなければならない。

7.第3項から第6項までの規定は、欧州委員会の介入を正当化した例外的状況の期間中、当該デジタル要素を含む製品が本規則に適合しない場合に限り適用されるものとする。

第57条-重大なサイバーセキュリティリスクをもたらすデジタル要素を有する適合製品

1. The market surveillance authority of a Member State shall require an economic operator to take all appropriate measures where, having performed an evaluation under Article 54, it finds that although a product with digital elements and the processes put in place by the manufacturer are in compliance with this Regulation, they present a significant cybersecurity risk as well as a risk to:

(a) 人の健康または安全；

(b)基本的権利の保護を意図した、連邦法または国内法に基づく義務の遵守；

(c) the availability, authenticity, integrity or confidentiality of services offered using an electronic information system by essential entities as referred to in Article 3(1) of Directive (EU) 2022/2555; or

(d) その他の公益保護の側面。

第1号にいう措置には、当該デジタル要素を有する製品及び製造者が実施したプロセスが、市場で入手可能となった時点でもはや関連するリスクを示さないことを確保するための措置、当該デジタル要素を有する製品の市場からの撤去又は回収を含むことができ、かつ、当該リスクの性質に見合ったものでなければならない。

2.製造者またはその他の関連する経済事業者は、第1項で言及された加盟国の市場監視当局が定めた期限内に、当該デジタル要素を有する製品であって、域内全域で市販されているものに関して、是正措置が講じられることを確保しなければならない。

3.加盟国は、第1項に従って講じた措置について、欧州委員会および他の加盟国に直ちに報告しなければならない。その情報には、入手可能なすべての詳細、特に、関係するデジタル要素を有する製品の特定に必要なデータ、デジタル要素を有する製品の原産地およびサプライチェーン、関係するリスクの性質、講じられた国内措置の性質および期間を含めるものとする。

4.欧州委員会は、遅滞なく加盟国および関連する経済事業者と協議に入り、採られた国内措置を評価する。その評価結果に基づき、欧州委員会は、その措置が正当であるか否かを決定し、必要な場合には、適切な措置を提案する。

5.欧州委員会は、第4項の決定を加盟国に送付する。

6. Where the Commission has sufficient reason to consider, including based on information provided by ENISA, that a product with digital elements, although compliant with this Regulation, presents the risks referred to in paragraph 1 of this Article, it shall inform and may request the relevant market surveillance authority or authorities to carry out an evaluation and follow the procedures referred to in Article 54 and in paragraphs 1, 2 and 3 of this Article.

7. In circumstances which justify an immediate intervention to preserve the proper functioning of the internal market and where the Commission has sufficient reason to consider that the product with digital elements referred to in paragraph 6 continues to present the risks referred to in paragraph 1, and no effective measures have been taken by the relevant national market surveillance authorities, the Commission shall carry out an evaluation of the risks presented by that product with digital elements and may request ENISA to provide an analysis to support that evaluation and shall inform the relevant market surveillance authorities accordingly. The relevant economic operators shall cooperate with ENISA as necessary.

8. Based on the evaluation referred to in paragraph 7, the Commission may establish that a corrective or restrictive measure is necessary at Union level. To that end, it shall without delay consult the Member States concerned and the relevant economic operator or operators.

9. On the basis of the consultation referred to in paragraph 8 of this Article, the Commission may adopt implementing acts to decide on corrective or restrictive measures at Union level, including requiring the products with digital elements concerned to be withdrawn from the market, or recalled, within a reasonable period, commensurate with the nature of the risk. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 62(2).

10. The Commission shall immediately communicate the implementing acts referred to in paragraph 9 to the relevant economic operator or operators. Member States shall implement those implementing acts without delay and shall inform the Commission accordingly.

11.第6項から第10項までの規定は、欧州委員会の介入を正当化した例外的状況の継続期間中、および、当該デジタル要素を含む製品が第1項で言及したリスクを引き続き有する限り、適用されるものとする。

第58条 - 正式な不遵守

1. Where the market surveillance authority of a Member State makes one of the following findings, it shall require the relevant manufacturer to put an end to the non-compliance concerned:

(a) the CE marking has been affixed in violation of Articles 29 and 30;

(b) the CE marking has not been affixed;

(d) the EU declaration of conformity has not been drawn up correctly;

(e) the identification number of the notified body which is involved in the conformity assessment procedure, where applicable, has not been affixed;

(f) the technical documentation is either not available or not complete.

2.第1項の不遵守が継続する場合、当該加盟国は、デジタル要素を有する製品が市場で入手可能となることを制限もしくは禁止し、または当該製品が市場から回収もしくは撤回されることを確保するためのあらゆる適切な措置を講じるものとする。

第59条-市場監視当局の共同活動

1.市場監視当局は、サイバーセキュリティの確保と消費者保護を目的とした共同活動を、市場に投入された、または市場で入手可能となったデジタル要素を含む特定の製品、特にサイバーセキュリティ上のリスクがしばしば見出されるデジタル要素を含む製品に関して実施するために、他の関連当局と合意することができる。

2. The Commission or ENISA shall propose joint activities for checking compliance with this Regulation to be conducted by market surveillance authorities based on indications or information of potential non-compliance across several Member States of products with digital elements that fall within the scope of this Regulation with the requirements laid down in this Regulation.

3. The market surveillance authorities and, where applicable, the Commission, shall ensure that the agreement to carry out joint activities does not lead to unfair competition between economic operators and does not negatively affect the objectivity, independence and impartiality of the parties to the agreement.

4.市場監視当局は、実施した共同活動の結果として得られたいかなる情報も、自らが行う調査の一部として使用することができる。

5.当該市場監視当局および場合によっては欧州委員会は、関係者の氏名を含む共同活動に関する合意書を一般に公開しなければならない。

第60条スイープ

1.市場監視当局は、デジタル要素を有する特定の製品またはそのカテゴリーについて、本規則への準拠を確認するため、または違反行為を発見するために、同時に協調的な管理措置（スイープ）を実施しなければならない。これらの掃引には、身元を隠して取得されたデジタル要素を有する製品の検査を含めることができる。

2.関係市場監視当局が別途合意しない限り、スイープは欧州委員会が調整する。スイープの調整役は、適切な場合には、集計結果を公表しなければならない。

3. Where, in the performance of its tasks, including based on the notifications received pursuant to Article 14(1) and (3), ENISA identifies categories of products with digital elements for which sweeps may be organised, it shall submit a proposal for a sweep to the coordinator referred to in paragraph 2 of this Article for the consideration of the market surveillance authorities.

4.スイープを実施する場合、関係する市場監視当局は、第52条から第58条に定める調査権限および国内法によって付与されたその他の権限を行使することができる。

5.市場監視当局は、欧州委員会の職員および欧州委員会が許可したその他の同行者をスイープに参加させることができる。

第六章
委任された権限と委員会の手続き

第61条委任の行使

1.委任行為を採択する権限は、本条に定める条件に従い、欧州委員会に付与される。

2.第2条第5項第2号、第7条第3項、第8条第1項および第2項、第13条第8項第4号、第14条第9項、第25条、第27条第9項、第28条第5項および第31条第5項にいう委任行為を採択する権限は、・・・［この規則の発効日］から5年間、欧州委員会に与えられる。欧州委員会は、5年間の期間が終了する9カ月前までに、権限委譲に関する報告書を作成しなければならない。権限の委譲は、各期間の終了の3カ月前までに欧州議会または理事会がその延長に反対しない限り、同一の期間について黙示的に延長されるものとする。

3.第2条第5項第2号、第7条第3項、第8条第1項および第2項、第13条第8項第4号、第14条第9項、第25条、第27条第9項、第28条第5項および第31条第5項に規定する権限の委譲は、欧州議会または理事会によりいつでも撤回することができる。取消の決定は、その決定で指定された権限の委任を終了させる。取り消しの効力は、欧州連合官報に決定が掲載された日の翌日またはその翌日以降に指定された日に発生する。この決定は、すでに発効している委任法の効力には影響しない。

4.委任法の採択に先立ち、欧州委員会は、2016年4月13日の「より良い法づくりに関する機関間協定」に定められた原則に従い、各加盟国が指定する専門家に相談するものとする。

5.欧州委員会は、委任法を採択し次第、欧州議会および理事会に同時に通知する。

6. A delegated act adopted pursuant to Article 2(5), second subparagraph, Article 7(3), Article 8(1) or (2), Article 13(8), fourth subparagraph, Article 14(9), Article 25, Article 27(9), Article 28(5) or Article 31(5) shall enter into force only if no objection has been expressed either by the European Parliament or by the Council within a period of two months of notification of that act to the European Parliament and to the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by two months at the initiative of the European Parliament or of the Council.

第62条委員会の手続き

1.委員会は、委員会の支援を受けるものとする。この委員会は、規則（EU）No 182/2011の意味における委員会とする。

2.本項に言及する場合、規則（EU）No 182/2011第5条が適用される。

3.書面手続によって委員会の意見を得る場合、意見書の提出期限内に委員長がそう決定するか、委員会委員がそう要請した場合、その手続は結果を得ずに終了するものとする。

第七章
守秘義務と罰則

第63条守秘義務

1.本規則の適用に関与するすべての関係者は、特に以下の事項を保護するような方法で、その任務および活動を遂行する際に入手した情報およびデータの機密性を尊重しなければならない：

(a) intellectual property rights and confidential business information or trade secrets of a natural or legal person, including source code, except the cases referred to in Article 5 of Directive (EU) 2016/943 of the European Parliament and of the Council37;

(b) この規則の効果的な実施、特に検査、調査又は監査の目的；

(d) 刑事手続または行政手続の完全性。

2.第1項を損なうことなく、市場監視当局間および市場監視当局と欧州委員会との間で秘密に基づいて交換された情報は、発信元である市場監視当局の事前の同意がない限り、開示してはならない。

3.第1項および第2項は、情報交換および警告の普及に関する欧州委員会、加盟国および通告を受けた機関の権利および義務、ならびに加盟国の刑法に基づく関係者の情報提供義務に影響を及ぼすものではない。

4.欧州委員会および加盟国は、必要に応じて、適切な保護レベルを保証する二国間または多国間の機密保持協定を締結している第三国の関連当局と、機密情報を交換することができる。

第64条 - 罰則

1. Member States shall lay down the rules on penalties applicable to infringements of this Regulation and shall take all measures necessary to ensure that they are implemented. The penalties provided for shall be effective, proportionate and dissuasive. Member States shall, without delay, notify the Commission of those rules and measures and shall notify it, without delay, of any subsequent amendment affecting them.

2. Non-compliance with the essential cybersecurity requirements set out in Annex I and the obligations set out in Articles 13 and 14 shall be subject to administrative fines of up to EUR 15 000 000 or, if the offender is an undertaking, up to 2,5 % of the its total worldwide annual turnover for the preceding financial year, whichever is higher.

3. Non-compliance with the obligations set out in Articles 18 to 23, Article 28, Article 30(1) to (4), Article 31(1) to (4), Article 32(1), (2) and (3), Article 33(5), and Articles 39, 41, 47, 49 and 53 shall be subject to administrative fines of up to EUR 10 000 000 or, if the offender is an undertaking, up to 2 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.

4.要求に対する回答として、不正確、不完全、または誤解を招くような情報を届出機関や市場監視当局に提供した場合、5,000,000ユーロ以下の行政罰、または違反者が事業者である場合は、前会計年度の全世界の年間総売上高の1,000,000TP3T以下の行政罰のいずれか高い方の罰金に処される。

5.個々の事案における行政処分の罰金額を決定する際には、具体的な状況に関連するすべての状況を考慮し、以下の点に十分配慮しなければならない：

(a) 侵害の性質、重大性、期間、およびその結果；

(b) 同様の違反に対して、同一または他の市場監視当局が、同一の経済事業者に対して既に行政制裁金を適用しているかどうか；

6.行政制裁金を適用する市場監視当局は、規則（EU）2019/1020の第34条で言及されている情報通信システムを通じて、その適用を他の加盟国の市場監視当局に伝達しなければならない。

7. Each Member State shall lay down rules on whether and to what extent administrative fines may be imposed on public authorities and public bodies established in that Member State.

8.加盟国の法制度によっては、行政罰に関する規則は、加盟国の国内レベルで確立された権限に従って、管轄の国内裁判所またはその他の機関が罰金を科す形で適用される場合がある。これらの加盟国における当該規則の適用は、同等の効果を有するものとする。

9.行政罰は、個々の事案の状況に応じて、同一の違反に対して市場監視当局が適用するその他の是正措置または制限措置に加えて課される場合がある。

10. By way of derogation from paragraphs 3 to 9, the administrative fines referred to in those paragraphs shall not apply to the following:

(a) 第14条(2)の(a)又は第14条(4)の(a)に規定する期限を遵守しなかった製造業者；

(b) オープンソースソフトウェアのスチュワードによる本規定違反。

第65条 - 代表訴訟

指令（EU）2020/1828は、消費者の集団的利益を害する、または害する可能性のある本規則の規定の経済事業者による違反に対して提起される代表訴訟に適用されるものとする。

第8章
経過措置と最終規定

第66条-規則（EU）2019/1020の改正

In Annex I to Regulation (EU) 2019/1020, the following point is added: ‘XX+ . Regulation (EU) 2024/… of the European Parliament and of the Council*++ .

第67条-指令（EU）2020/1828の改正

In Annex I to Directive (EU) 2020/1828, the following point is added: ‘(XX+ ) Regulation (EU) 2024/… of the European Parliament and of the Council*++ .

第68条規則（EU）168/2013の改正

In Part C1, in the table, of Annex II to Regulation (EU) No 168/2013 of the European Parliament and of the Council38, the following entry is added:

第69条 - 経過規定

1. EU type-examination certificates and approval decisions issued regarding cybersecurity requirements for products with digital elements that are subject to Union harmonisation legislation other than this Regulation shall remain valid until … [42 months from the date of entry into force of this Regulation], unless they expire before that date, or unless otherwise specified in such other Union harmonisation legislation, in which case they shall remain valid as referred to in that legislation.

2. Products with digital elements that have been placed on the market before … [36 months from the date of entry into force of this Regulation] shall be subject to the requirements set out in this Regulation only if, from that date, those products are subject to a substantial modification.

3. By way of derogation from paragraph 2 of this Article, the obligations laid down in Article 14 shall apply to all products with digital elements that fall within the scope of this Regulation that have been placed on the market before … [36 months from the date of entry into force of this Regulation].

第70条 - 評価と審査

1. By … [72 months from the date of entry into force of this Regulation] and every four years thereafter, the Commission shall submit a report on the evaluation and review of this Regulation to the European Parliament and to the Council. Those reports shall be made public.

2. By … [45 months from the date of entry into force of this Regulation], the Commission shall, after consulting ENISA and the CSIRTs network, submit a report to the European Parliament and to the Council, assessing the effectiveness of the single reporting platform set out in Article 16, as well as the impact of the application of the cybersecurity-related grounds referred to Article 16(2) by the CSIRTs designated as coordinators on the effectiveness of the single reporting platform as regards the timely dissemination of received notifications to other relevant CSIRTs.

第71条 - 施行および適用

1.本規則は、欧州連合官報に掲載された翌日から20日目に発効する。

2. This Regulation shall apply from … [36 months from the date of entry into force of this Regulation].

However, Article 14 shall apply from … [21 months from the date of entry into force of this Regulation] and Chapter IV (Articles 35 to 51) shall apply from … [18 months from the date of entry into force of this Regulation].

本規則は、その全体を拘束し、すべての加盟国に直接適用されるものとする。

Done at Strasbourg,

For the European Parliament / The President

For the Council / The President

コンプライアンスを達成する

IOT機器メーカーで

IoT device manufacturers are first in line when it comes to compliance. The CRA will change the way manufacturers operate.

このガイドでは、CRA 遵守に必要な事項、遵守に必要な期間、および遵守しなかった場合の法的影響について説明します。

ソフトウェア開発者

Non-monetized free and open-source software as well as pure SaaS and PaaS are generally excluded from the CRA.

Software enabling remote data processing from IoT devices, provided they establish a data connection and are supplied within a commercial context are subject to the CRA.

私は輸入業者、販売業者です

IoT デバイスの輸入業者、販売業者、再販業者は、サイバーレジリエンス法（CRA）に基づき、多くの要件を遵守する必要があります。場合によっては、製造業者とみなされることもあります。

当社のガイドでは、これらの利害関係者の責任と義務について詳しく説明しています。

コンプライアンスを達成する

IOT機器メーカーで

ソフトウェア開発者

私は輸入業者、販売業者です

目次