For products with digital elements presenting a significant cybersecurity risk, and where there is reason to believe that they do not comply with this Regulation, or for products that comply with this Regulation, but that present other important risks, such as risks to the health or safety of persons, to compliance with obligations under Union or national law intended to protect fundamental rights or to the availability, authenticity, integrity or confidentiality of services offered using an electronic information system by essential entities as referred to in Article 3(1) of Directive (EU) 2022/2555, the Commission should be able to request ENISA to carry out an evaluation. Based on that evaluation, the Commission should be able to adopt, by means of implementing acts, corrective or restrictive measures at Union level, including requiring the products with digital elements concerned to be withdrawn from the market or recalled, within a reasonable period, commensurate with the nature of the risk. The Commission should be able to have recourse to such intervention only in exceptional circumstances that justify an immediate intervention to preserve the proper functioning of the internal market, and only where no effective measures have been taken by market surveillance authorities to remedy the situation. Such exceptional circumstances may be emergency situations where, for example, a non-compliant product with digital elements is widely made available by the manufacturer throughout several Member States, used also in key sectors by entities that fall within the scope of Directive (EU) 2022/2555 while containing known vulnerabilities that are being exploited by malicious actors and for which the manufacturer does not provide available patches. The Commission should be able to intervene in such emergency situations only for the duration of the exceptional circumstances and if non-compliance with this Regulation or the important risks presented persist.
This recital provides context for:
Leave a Reply