The Weekly Pulse: 2nd – 6th January
What’s HOT in our Regulatory World
What are our clients looking at?
This week’s trending sources in C2P
- Turkey: Restriction of the Use of Certain Hazardous Substances in Electrical and Electronic Equipment, Regulation, December 2022
- Spain: Packaging and Packaging Waste, Royal Decree No. 1055/2022
- Italy: Introduction of the Plastic Tax, Law No. 160/2019 – Amendment – (on postponement of the plastic tax until 2024) Law No. 197/2022
What is our Content Team talking about?
China in process of revising RoHS labelling Standard SJ/T 11364-2014 – Joyce Costello
Following the Chinese Ministry of Industry and Information Technology (MIIT) announcement last year that it plans to add four new phthalates to China’s RoHS legislation, revision of China RoHS labelling standard SJ/T 11364-2014 has commenced. The revision will also address implementation problems experienced with the existing version of the standard.
Accordingly, a draft for comment was released at the close of 2022. Its primary purpose is the addition of Entries 7-10 to Table A.1, List of Hazardous Substances in Electrical and Electronic Products, of SJ/T 11364.
Entries 7-10 will comprise:
- DEHP: diethylhexyl phthalate
- BBP: benzylbutyl phthalate
- DBP: dibutyl phthalate
- DIBP: diisobutyl phthalate
Several definitions and explanations are also deleted, mainly because the terms are already clearly defined in the Administrative Measures or because the explanations are at odds with those already set out in the Administrative Measures FAQ.
Per Section 5.1, producers and/or importers of electrical and electronic products must ensure that the restricted use of hazardous substances in electrical and electronic products is marked on the visible parts of the product when consumers use the product, and that the marking neither fades easily nor is easily removed.
However, Section 5.2.2 would provide that if the product has an image display function, the sign of restricted use of hazardous substances in electrical and electronic products can be built into the product system software in digital form, and when the product is running, the user can view it through the user interface. The sign for the restricted use of hazardous substances in electrical and electronic products in digital format shall be factory-set as read-only data.
Comments are being accepted on the contents of the proposal until 16 January 2023.
What are our Knowledge Partners talking about?
Medical devices and IVDs fall outside the scope of the proposed CRA – but for how long? – Cooley
The European Commission published a proposal for a Cyber Resilience Act (“CRA”). The aim of the proposed CRA is to strengthen cybersecurity for connected products. The proposed CRA would establish common cybersecurity standards for software and hardware products the foreseeable or intended use of which involves connection to a network.
While it is now certain that the medical device and IVD industry will be required to comply with the cybersecurity requirements in the NIS 2 Directive, as discussed in our previous blog post, whether or not it will be in scope of the CRA is still unknown. The proposed CRA, which was published by the European Commission on September 15, 2022, excludes medical devices and IVDs governed by Regulation (EU) 2017/745 on medical devices (“MDR”) and Regulation (EU) 2017/746 on in vitro diagnostic medical devices (“IVDR”) (together, the “Regulations”) from its scope of application. The draft CRA considers that the Regulations provide sufficient information technology security obligations for manufacturers of medical devices and IVDs throughout the life cycle of their products by establishing risk management principles and conformity assessment procedures listed in Annex I of the Regulations.
However, the European Data Protection Supervisor (“EDPS”) disagrees with this conclusion and the related justification. In its recently published opinion, the EDPS notes that the general safety measures established in sectoral legislation are not sufficiently concrete. Specifically, the EDPS considers that the MDR does not impose an obligation on medical device manufacturers to ensure that unknown vulnerabilities are not present in their final products and does not require data encryption for medical devices. Moreover, the EDPS suggests that while the MDR requires manufacturers to establish a risk management system, it is unclear whether cybersecurity and data protection are covered under this system.
The EDPS opinion does not, however, take into consideration the guidance of the Medical Device Coordination Group on cybersecurity. This guidance lays down requirements to support manufacturers in developing their products on the basis of principles of risk management, including information security. Although it is non-binding, experience suggests that the cybersecurity requirements foreseen in the guidance are respected by the med tech industry.
Unlike the EDPS, Med Tech Europe supports a sectoral approach to cybersecurity requirements for medical devices. Med Tech Europe’s response to the European Commission’s impact assessment for the CRA highlighted the need to avoid potential inconsistencies between cybersecurity obligations foreseen in the CRA and the Regulations that could cause legal uncertainty and create unnecessary burdens on manufacturers.
Next steps
The proposed CRA will now be reviewed, and potentially amended, by the European Parliament and the Council of the European Union in accordance with the Ordinary Legislative Procedure. Although it is difficult to predict when the European Parliament and the Council will reach an agreement on the final text of the Act, it is estimated that this may take up to two or possibly three years. According to the proposed text, the CRA would apply two years after its date of adoption. There is an exception from this implementation date for cybersecurity incident and vulnerability reporting obligations which would enter into application one year after the CRA enters into force.
Main provisions of the proposed CRA
If the scope of the proposed CRA were extended to apply to medical devices and IVDs, it would establish minimum cybersecurity requirements for connected medical devices and IVDs and impose transparency obligations on manufacturers in relation to cybersecurity properties of devices.
Some key provisions of the proposed CRA are:
- products with digital elements will be required to meet “essential cybersecurity requirements” listed in Annex I to the proposed CRA to be placed and remain on the EU market. These requirements include technical standards and organizational measures;
- manufacturers will be required to conduct a risk assessment and consider the results of such assessment throughout all stages of the life cycle of their product;
- manufacturers will be required to perform due diligence on components supplied by third party economic operators and incorporated in their products;
- products will be accompanied by security information and instructions listed in Annex II to the proposed CRA, including the type of IT security support provided by the manufacturer, instructions detailing the installation of security-related updates, information on the impact of changes to the product on data security, etc.;
- products designated as “critical” will have to undergo a conformity assessment involving a third-party body. All other products will be subject to a self-assessment procedure to establish conformity;
- actively exploited vulnerabilities and incidents are to be reported to ENISA within 24 hours of awareness and users are to be informed of incidents and corrective measures available without undue delay; and
- national authorities are to impose administrative fines of a maximum of € 15 million or 2.5% of the total worldwide annual turnover for non-compliance with essential cybersecurity requirements.
What are our clients asking about?
“Hello, could you please confirm whether Netherlands: Extended Producer Responsibility for Textiles, Draft Decree, November 2021 has been adopted already?”
Answer by Corine Laurijsen
It’s getting close!
The draft Decree went through public consultation at the end of 2021/beginning of 2022 and was approved by the Council of Ministers on 14 April 2022. It was submitted to Parliament from April 22 to May 22, 2022, without any changes. The Advice of the Council of State was issued on 8 December 2022.
The date of entry into force was originally set for 1 January 2023, but as the legislative process of the Ministry of Infrastructure & Water Management wasn’t able to complete the decree on time, the EPR for Textiles is now expected to take effect in April 2023.
This information is based on the most viewed regulations on C2P this month.