(1)

In light of the Council Conclusions of 12 February 2016 on the fight against the financing of terrorism, the Communication from the Commission to the European Parliament and the Council of 2 February 2016 on an Action Plan for strengthening the fight against terrorist financing and Directive (EU) 2017/541 of the European Parliament and of the Council (2), common rules on trade with third countries should be adopted so as to ensure the effective protection against illicit trade in cultural goods and against their loss or destruction, the preservation of humanity’s cultural heritage and the prevention of terrorist financing and money laundering through the sale of pillaged cultural goods to buyers in the Union.

(2)

The exploitation of peoples and territories can lead to the illicit trade in cultural goods, in particular when such illicit trade originates from a context of armed conflict. In this respect, this Regulation should take into account regional and local characteristics of peoples and territories, rather than the market value of cultural goods.

(3)

Cultural goods are a part of cultural heritage and are often of major cultural, artistic, historical and scientific importance. Cultural heritage constitutes one of the basic elements of civilisation having, inter alia, symbolic value, and forming part of the cultural memory of humankind. It enriches the cultural life of all peoples and unites people through shared memory, knowledge and development of civilisation. It should therefore be protected from unlawful appropriation and pillage. Pillaging of archaeological sites has always happened, but has now reached an industrial scale and, together with trade in illegally excavated cultural goods, is a serious crime that causes significant suffering to those directly or indirectly affected. The illicit trade in cultural goods in many cases contributes to forceful cultural homogenisation or forceful loss of cultural identity, while the pillage of cultural goods leads, inter alia, to the disintegration of cultures. As long as it is possible to engage in lucrative trade in illegally excavated cultural goods and to profit therefrom without any notable risk, such excavations and pillaging will continue. Due to the economic and artistic value of cultural goods they are in high demand on the international market. The absence of strong international legal measures and the ineffective enforcement of any measures that do exist, lead to the transfer of such goods to the shadow economy. The Union should accordingly prohibit the introduction into the customs territory of the Union of cultural goods unlawfully exported from third countries, with particular emphasis on cultural goods from third countries affected by armed conflict, in particular where such cultural goods have been illicitly traded by terrorist or other criminal organisations. While that general prohibition should not entail systematic controls, Member States should be allowed to intervene when receiving intelligence regarding suspicious shipments and to take all appropriate measures to intercept illicitly exported cultural goods.

(4)

In view of different rules applying in Member States regarding the import of cultural goods into the customs territory of the Union, measures should be taken in particular to ensure that certain imports of cultural goods are subject to uniform controls upon their entry into the customs territory of the Union, on the basis of existing processes, procedures and administrative tools aiming to achieve a uniform implementation of Regulation (EU) No 952/2013 of the European Parliament and of the Council (3).

(5)

The protection of cultural goods which are considered national treasures of the Member States is already covered by Council Regulation (EC) No 116/2009 (4) and Directive 2014/60/EU of the European Parliament and of the Council (5). Consequently, this Regulation should not apply to cultural goods which were created or discovered in the customs territory of the Union. The common rules introduced by this Regulation should cover the customs treatment of non-Union cultural goods entering the customs territory of the Union. For the purposes of this Regulation, the relevant customs territory should be the customs territory of the Union at the time of import.

(6)

Control measures to be put in place regarding free zones and so-called ‘free ports’ should have as broad a scope as possible in terms of the customs procedures concerned in order to prevent circumvention of this Regulation through the exploitation of those free zones, which have the potential to be used for the continued proliferation of illicit trade. Those control measures should therefore not only concern cultural goods released for free circulation but also cultural goods placed under a special customs procedure. However, the scope should not go beyond the objective of preventing illicitly exported cultural goods from entering the customs territory of the Union. Accordingly, while encompassing the release for free circulation and some of the special customs procedures under which goods entering the customs territory of the Union may be placed, systematic control measures should exclude transit.

(7)

Many third countries and most Member States are familiar with the definitions used in the Unesco Convention on the Means of Prohibiting and Preventing the Illicit Import, Export and Transfer of Ownership of Cultural Property signed in Paris on 14 November 1970 (‘the 1970 Unesco Convention’) to which a significant number of Member States are a party, and in the UNIDROIT Convention on Stolen or Illegally Exported Cultural Objects signed in Rome on 24 June 1995. For that reason the definitions used in this Regulation are based on those definitions.

(8)

The legality of export of cultural goods should be primarily examined based on the laws and regulations of the country where those cultural goods were created or discovered. However, in order not to impede legitimate trade unreasonably, a person who seeks to import cultural goods into the customs territory of the Union should, in certain cases, be exceptionally allowed to demonstrate instead the licit export from a different third country where the cultural goods were located before their dispatch to the Union. That exception should apply in cases where the country in which the cultural goods were created or discovered cannot be reliably determined or when the export of the cultural goods in question took place before the 1970 Unesco Convention entered into force, namely 24 April 1972. In order to prevent circumvention of this Regulation by simply sending illicitly exported cultural goods to another third country prior to importing them into the Union, the exceptions should be applicable where the cultural goods have been located in a third country for a period of more than five years for purposes other than temporary use, transit, re-export or transhipment. Where those conditions are fulfilled for more than one country, the relevant country should be the last of those countries before the introduction of the cultural goods into the customs territory of the Union.

(9)

Article 5 of the 1970 Unesco Convention calls on the States Parties to establish one or more national services for the protection of cultural goods against illicit import, export and transfer of ownership. Such national services should be equipped with qualified staff sufficient in number to ensure that protection in accordance with that Convention, and should also enable the necessary active collaboration between the competent authorities of Member States which are Parties to that Convention in the area of security and in the fight against the illegal import of cultural goods, especially from areas affected by armed conflict.

(10)

In order not to disproportionately impede trade in cultural goods across the Union’s external border, this Regulation should only apply to cultural goods above a certain age limit, which is established by this Regulation. It also seems appropriate to set a financial threshold in order to exclude cultural goods of lower value from the application of the conditions and procedures for import into the customs territory of the Union. Those thresholds will ensure that the measures provided for in this Regulation focus on those cultural goods most likely to be targeted by pillagers in conflict areas, without excluding other goods the control of which is necessary for ensuring the protection of cultural heritage.

(11)

Illicit trade in pillaged cultural goods has been identified as a possible source of terrorist financing and money laundering activities in the context of the supranational risk assessment on money laundering and terrorist financing risks affecting the internal market.

(12)

Since certain categories of cultural goods, namely archaeological objects and elements of monuments, are particularly vulnerable to pillage and destruction, it seems necessary to provide for a system of increased scrutiny before they are permitted to enter the customs territory of the Union. Such a system should require the presentation of an import licence issued by the competent authority of a Member State prior to the release for free circulation of those cultural goods into the Union or their placement under a special customs procedure other than transit. Persons seeking to obtain such a licence should be able to prove licit export from the country where the cultural goods were created or discovered with the appropriate supportive documents and evidence, such as export certificates, ownership titles, invoices, sales contracts, insurance documents, transport documents and experts appraisals. Based on complete and accurate applications, the competent authorities of the Member States should decide whether to issue a licence without undue delay. All import licences should be stored in an electronic system.

(13)

An icon is any representation of a religious figure or a religious event. It can be produced in various media and sizes and can be monumental or portable. In cases where an icon was once part, for example, of the interior of a church, a monastery, a chapel, either free-standing or as part of architectural furniture, for example an iconostasis or icon stand, it is a vital and inseparable part of divine worship and liturgical life, and should be considered as forming an integral part of a religious monument which has been dismembered. Even in cases where the specific monument that the icon belonged to is unknown, but where there is evidence that it once formed an integral part of a monument, in particular when there are signs or elements present which indicate that it was once part of an iconostasis or an icon stand, the icon should still be covered by the category ‘elements of artistic or historical monuments or archaeological sites which have been dismembered’ listed in the Annex.

(14)

Taking into account the particular nature of the cultural goods, the role of the customs authorities is extremely relevant and they should be able, where necessary, to require additional information from the declarant and to analyse the cultural goods by means of a physical examination.

(15)

For categories of cultural goods the import of which does not require an import licence, the persons seeking to import such goods into the customs territory of the Union should, by means of a statement, certify and assume responsibility for their lawful export from the third country and should provide sufficient information for those cultural goods to be identified by the customs authorities. In order to facilitate the procedure and for reasons of legal certainty, the information about the cultural goods should be provided using a standardised document. The Object ID standard, recommended by Unesco, could be used to describe the cultural goods. The holder of the goods should register those details in an electronic system, in order to facilitate identification by the customs authorities, to allow for risk analysis and targeted controls and to ensure traceability after the cultural goods enter the internal market.

(16)

In the context of the EU Single Window environment for customs, the Commission should be responsible for the establishment of a centralised electronic system for the submission of applications for import licences and of importer statements, as well as the storage and the exchange of information between the authorities of the Member States, in particular regarding importer statements and import licences.

(17)

It should be possible for the processing of data under this Regulation to also cover personal data and such processing should be carried out in accordance with Union law. Member States and the Commission should process personal data only for the purposes of this Regulation or in duly justified circumstances for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. Any collection, disclosure, transmission, communication and other processing of personal data within the scope of this Regulation should be subject to the requirements of Regulations (EU) 2016/679 (6) and (EU) 2018/1725 (7) of the European Parliament and of the Council. The processing of personal data for the purposes of this Regulation should also respect the right to respect for private and family life recognised by Article 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms of the Council of Europe, as well as the right to respect for private and family life, and the right to the protection of personal data recognised, respectively, by Articles 7 and 8 of the Charter of Fundamental Rights of the European Union.

(18)

Cultural goods which were not created or discovered in the customs territory of the Union but which have been exported as Union goods should not be subject to the presentation of an import licence or of an importer statement when they are returned to that territory as returned goods within the meaning of Regulation (EU) No 952/2013.

(19)

The temporary admission of cultural goods for the purpose of education, science, conservation, restoration, exhibition, digitisation, performing arts, research conducted by academic institutions or cooperation between museums or similar institutions should not be subject to the presentation of an import licence or of an importer statement.

(20)

The storage of cultural goods from countries affected by armed conflict or a natural disaster for the exclusive purpose of ensuring their safe keeping and preservation by, or under the supervision of, a public authority should not be subject to the presentation of an import licence or an importer statement.

(21)

In order to facilitate the presentation of cultural goods at commercial art fairs, an import licence should not be necessary where the cultural goods are under temporary admission, within the meaning of Article 250 of Regulation (EU) No 952/2013, and where an importer statement has been provided instead of the import licence. However, the presentation of an import licence should be required where such cultural goods are to remain in the Union after the art fair.

(22)

In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission to adopt detailed arrangements for: cultural goods that are returned goods or, the temporary admission of cultural goods into the customs territory of the Union and their safe keeping, the templates for import licence applications and for import licence forms, the templates for importer statements and their accompanying documents, and further procedural rules on their submission and processing. Implementing powers should also be conferred on the Commission to make arrangements for the establishment of an electronic system for the submission of applications for import licences and importer statements and for the storage of information and the exchange of information between Member States. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council (8).

(23)

In order to ensure effective coordination and to avoid duplication of efforts when organising training, capacity building activities and awareness-raising campaigns, as well as to commission relevant research and the development of standards, where appropriate, the Commission and the Member States should cooperate with international organisations and bodies, such as Unesco, INTERPOL, EUROPOL, the World Customs Organization, the International Centre for the Preservation and Restoration of Cultural Property and the International Council of Museums (ICOM).

(24)

Relevant information on trade flows of cultural goods should be electronically collected and shared by Member States and the Commission in order to support the efficient implementation of this Regulation and to provide the basis for its future evaluation. In the interest of transparency and public scrutiny, as much information as possible should be made public. Trade flows of cultural goods cannot be efficiently monitored by their value or weight only. It is essential to electronically collect information on the number of items declared. As no supplementary measurement unit is specified in the Combined Nomenclature for cultural goods, it is necessary to require that the number of items is declared.

(25)

The EU Strategy and Action Plan for customs Risk Management aims, inter alia, to strengthen capacities of customs authorities to increase the responsiveness to risks in the area of cultural goods. The common risk management framework laid down in Regulation (EU) No 952/2013 should be used and relevant risk information should be exchanged between customs authorities.

(26)

In order to benefit from the expertise of international organisations and bodies which are active in cultural matters and from their experience with illicit trade in cultural goods, recommendations and guidance issued from those organisations and bodies should be taken into consideration in the common risk management framework when identifying risks related to cultural goods. In particular, the Red Lists published by ICOM should serve as guidance to identify those third countries whose heritage is most at risk and the objects exported from there that would more often be the object of illicit trade.

(27)

It is necessary to establish awareness-raising campaigns targeted at buyers of cultural goods regarding the risk of illicit trade and to assist market actors in their understanding and application of this Regulation. Member States should involve relevant national contact points and other information provision services in the dissemination of that information.

(28)

The Commission should ensure that micro, small and medium-sized enterprises (SMEs) benefit from adequate technical assistance and should facilitate the provision of information to them in order to efficiently implement this Regulation. SMEs established in the Union which import cultural goods should therefore benefit from current and future Union programmes in support of the competitiveness of small and medium-sized enterprises.

(29)

In order to encourage compliance and deter circumvention, Member States should introduce effective, proportionate and dissuasive penalties for failing to comply with the provisions of this Regulation and communicate those penalties to the Commission. Penalties introduced by Member States for infringements of this Regulation should have an equivalent deterrent effect across the Union.

(30)

Member States should ensure that the customs authorities and the competent authorities agree on measures under Article 198 of Regulation (EU) No 952/2013. The details of those measures should be subject to national law.

(31)

The Commission should, without delay, adopt rules implementing this Regulation, in particular those regarding the appropriate electronic standardised forms to be used to apply for an import licence or to prepare an importer statement, and establish the electronic system afterwards within the shortest possible timeframe. The application of the provisions regarding import licences and importer statements should be deferred accordingly.

(32)

In accordance with the principle of proportionality, it is necessary and appropriate for the achievement of the basic objectives of this Regulation to lay down rules on the introduction, and the conditions and procedures for the import, of cultural goods into the customs territory of the Union. This Regulation does not go beyond what is necessary in order to achieve the objectives pursued, in accordance with Article 5(4) of the Treaty on European Union,

(1)

Network and information systems and electronic communications networks and services play a vital role in society and have become the backbone of economic growth. Information and communications technology (ICT) underpins the complex systems which support everyday societal activities, keep our economies running in key sectors such as health, energy, finance and transport, and, in particular, support the functioning of the internal market.

(2)

The use of network and information systems by citizens, organisations and businesses across the Union is now pervasive. Digitisation and connectivity are becoming core features in an ever growing number of products and services and with the advent of the internet of Things (IoT) an extremely high number of connected digital devices are expected to be deployed across the Union during the next decade. While an increasing number of devices is connected to the internet, security and resilience are not sufficiently built in by design, leading to insufficient cybersecurity. In that context, the limited use of certification leads to individual, organisational and business users having insufficient information about the cybersecurity features of ICT products, ICT services and ICT processes, which undermines trust in digital solutions. Network and information systems are capable of supporting all aspects of our lives and drive the Union’s economic growth. They are the cornerstone for achieving the digital single market.

(3)

Increased digitisation and connectivity increase cybersecurity risks, thus making society as a whole more vulnerable to cyber threats and exacerbating the dangers faced by individuals, including vulnerable persons such as children. In order to mitigate those risks, all necessary actions need to be taken to improve cybersecurity in the Union so that network and information systems, communications networks, digital products, services and devices used by citizens, organisations and businesses – ranging from small and medium-sized enterprises (SMEs), as defined in Commission Recommendation 2003/361/EC (4), to operators of critical infrastructure – are better protected from cyber threats.

(4)

By making the relevant information available to the public, the European Union Agency for Network and Information Security (ENISA), as established by Regulation (EU) No 526/2013 of the European Parliament and of the Council (5) contributes to the development of the cybersecurity industry in the Union, in particular SMEs and start-ups. ENISA should strive for closer cooperation with universities and research entities in order to contribute to reducing dependence on cybersecurity products and services from outside the Union and to reinforce supply chains inside the Union.

(5)

Cyberattacks are on the increase and a connected economy and society that is more vulnerable to cyber threats and attacks requires stronger defences. However, while cyberattacks often take place across borders, the competence of, and policy responses by, cybersecurity and law enforcement authorities are predominantly national. Large-scale incidents could disrupt the provision of essential services across the Union. This necessitates effective and coordinated responses and crisis management at Union level, building on dedicated policies and wider instruments for European solidarity and mutual assistance. Moreover, a regular assessment of the state of cybersecurity and resilience in the Union, based on reliable Union data, as well as systematic forecasts of future developments, challenges and threats, at Union and global level, are important for policy makers, industry and users.

(6)

In light of the increased cybersecurity challenges faced by the Union, there is a need for a comprehensive set of measures that would build on previous Union action and would foster mutually reinforcing objectives. Those objectives include further increasing the capabilities and preparedness of Member States and businesses, as well as improving cooperation, information sharing and coordination across Member States and Union institutions, bodies, offices and agencies. Furthermore, given the borderless nature of cyber threats, there is a need to increase capabilities at Union level that could complement the action of Member States, in particular in cases of large-scale cross-border incidents and crises, while taking into account the importance of maintaining and further enhancing the national capabilities to respond to cyber threats of all scales.

(7)

Additional efforts are also needed to increase citizens’, organisations’ and businesses’ awareness of cybersecurity issues. Moreover, given that incidents undermine trust in digital service providers and in the digital single market itself, especially among consumers, trust should be further strengthened by offering information in a transparent manner on the level of security of ICT products, ICT services and ICT processes that stresses that even a high level of cybersecurity certification cannot guarantee that an ICT product, ICT service or ICT process is completely secure. An increase in trust can be facilitated by Union-wide certification providing for common cybersecurity requirements and evaluation criteria across national markets and sectors.

(8)

Cybersecurity is not only an issue related to technology, but one where human behaviour is equally important. Therefore, ‘cyber-hygiene’, namely, simple, routine measures that, where implemented and carried out regularly by citizens, organisations and businesses, minimise their exposure to risks from cyber threats, should be strongly promoted.

(9)

For the purpose of strengthening Union cybersecurity structures, it is important to maintain and develop the capabilities of Member States to comprehensively respond to cyber threats, including to cross-border incidents.

(10)

Businesses and individual consumers should have accurate information regarding the assurance level with which the security of their ICT products, ICT services and ICT processes has been certified. At the same time, no ICT product or ICT service is wholly cyber-secure and basic rules of cyber-hygiene have to be promoted and prioritised. Given the growing availability of IoT devices, there is a range of voluntary measures that the private sector can take to reinforce trust in the security of ICT products, ICT services and ICT processes.

(11)

Modern ICT products and systems often integrate and rely on one or more third-party technologies and components such as software modules, libraries or application programming interfaces. This reliance, which is referred to as a ‘dependency’, could pose additional cybersecurity risks as vulnerabilities found in third-party components could also affect the security of the ICT products, ICT services and ICT processes. In many cases, identifying and documenting such dependencies enables end users of ICT products, ICT services and ICT processes to improve their cybersecurity risk management activities by improving, for example, users’ cybersecurity vulnerability management and remediation procedures.

(12)

Organisations, manufacturers or providers involved in the design and development of ICT products, ICT services or ICT processes should be encouraged to implement measures at the earliest stages of design and development to protect the security of those products, services and processes to the highest possible degree, in such a way that the occurrence of cyberattacks is presumed and their impact is anticipated and minimised (‘security-by-design’). Security should be ensured throughout the lifetime of the ICT product, ICT service or ICT process by design and development processes that constantly evolve to reduce the risk of harm from malicious exploitation.

(13)

Undertakings, organisations and the public sector should configure the ICT products, ICT services or ICT processes designed by them in a way that ensures a higher level of security which should enable the first user to receive a default configuration with the most secure settings possible (‘security by default’), thereby reducing the burden on users of having to configure an ICT product, ICT service or ICT process appropriately. Security by default should not require extensive configuration or specific technical understanding or non-intuitive behaviour on the part of the user, and should work easily and reliably when implemented. If, on a case-by-case basis, a risk and usability analysis leads to the conclusion that such a setting by default is not feasible, users should be prompted to opt for the most secure setting.

(14)

Regulation (EC) No 460/2004 of the European Parliament and of the Council (6) established ENISA with the purposes of contributing to the goals of ensuring a high and effective level of network and information security within the Union, and developing a culture of network and information security for the benefit of citizens, consumers, enterprises and public administrations. Regulation (EC) No 1007/2008 of the European Parliament and of the Council (7) extended ENISA’s mandate until March 2012. Regulation (EU) No 580/2011 of the European Parliament and of the Council (8) further extended ENISA’s mandate until 13 September 2013. Regulation (EU) No 526/2013 extended ENISA’s mandate until 19 June 2020.

(15)

The Union has already taken important steps to ensure cybersecurity and to increase trust in digital technologies. In 2013, the Cybersecurity Strategy of the European Union was adopted to guide the Union’s policy response to cyber threats and risks. In an effort to better protect citizens online, the Union’s first legal act in the field of cybersecurity was adopted in 2016 in the form of Directive (EU) 2016/1148 of the European Parliament and of the Council (9). Directive (EU) 2016/1148 put in place requirements concerning national capabilities in the field of cybersecurity, established the first mechanisms to enhance strategic and operational cooperation between Member States, and introduced obligations concerning security measures and incident notifications across sectors which are vital for the economy and society, such as energy, transport, drinking water supply and distribution, banking, financial market infrastructures, healthcare, digital infrastructure as well as key digital service providers (search engines, cloud computing services and online marketplaces).

A key role was attributed to ENISA in supporting the implementation of that Directive. In addition, fighting effectively against cybercrime is an important priority in the European Agenda on Security, contributing to the overall aim of achieving a high level of cybersecurity. Other legal acts such as Regulation (EU) 2016/679 of the European Parliament and of the Council (10) and Directives 2002/58/EC (11) and (EU) 2018/1972 (12) of the European Parliament and of the Council also contribute to a high level of cybersecurity in the digital single market.

(16)

Since the adoption of the Cybersecurity Strategy of the European Union in 2013 and the last revision of ENISA’s mandate, the overall policy context has changed significantly as the global environment has become more uncertain and less secure. Against that background and in the context of the positive development of the role of ENISA as a reference point for advice and expertise, as a facilitator of cooperation and of capacity-building as well as within the framework of the new Union cybersecurity policy, it is necessary to review ENISA’s mandate, to establish its role in the changed cybersecurity ecosystem and to ensure that it contributes effectively to the Union’s response to cybersecurity challenges emanating from the radically transformed cyber threat landscape, for which, as recognised during the evaluation of ENISA, the current mandate is not sufficient.

(17)

ENISA as established by this Regulation should succeed ENISA as established by Regulation (EU) No 526/2013. ENISA should carry out the tasks conferred on it by this Regulation and other legal acts of the Union in the field of cybersecurity, among other things, by providing advice and expertise and by acting as a Union centre of information and knowledge. It should promote the exchange of best practices between Member States and private stakeholders, offer policy suggestions to the Commission and the Member States, act as a reference point for Union sectoral policy initiatives with regard to cybersecurity matters, and foster operational cooperation, both between Member States and between the Member States and Union institutions, bodies, office and agencies.

(18)

Within the framework of Decision 2004/97/EC, Euratom taken by common agreement between the Representatives of the Member States, meeting at Head of State or Government level (13), the representatives of the Member States decided that ENISA would have its seat in a town in Greece to be determined by the Greek Government. ENISA’s host Member State should ensure the best possible conditions for the smooth and efficient operation of ENISA. It is imperative for the proper and efficient performance of its tasks, for staff recruitment and retention and for enhancing the efficiency of networking activities that ENISA be based in an appropriate location, among other things providing appropriate transport connections and facilities for spouses and children accompanying members of staff of ENISA. The necessary arrangements should be laid down in an agreement between ENISA and the host Member State concluded after obtaining the approval of the Management Board of ENISA.

(19)

Given the increasing cybersecurity risks and challenges the Union is facing, the financial and human resources allocated to ENISA should be increased to reflect its enhanced role and tasks, and its critical position in the ecosystem of organisations defending the digital ecosystem of the Union, allowing ENISA to effectively carry out the tasks conferred on it by this Regulation.

(20)

ENISA should develop and maintain a high level of expertise and operate as a reference point, establishing trust and confidence in the single market by virtue of its independence, the quality of the advice it delivers, the quality of information it disseminates, the transparency of its procedures, the transparency of its methods of operation, and its diligence in carrying out its tasks. ENISA should actively support national efforts and should proactively contribute to Union efforts while carrying out its tasks in full cooperation with the Union institutions, bodies, offices and agencies and with the Member States, avoiding any duplication of work and promoting synergy. In addition, ENISA should build on input from and cooperation with the private sector as well as other relevant stakeholders. A set of tasks should establish how ENISA is to accomplish its objectives while allowing flexibility in its operations.

(21)

In order to be able to provide adequate support to the operational cooperation between Member States, ENISA should further strengthen its technical and human capabilities and skills. ENISA should increase its know-how and capabilities. ENISA and Member States, on a voluntary basis, could develop programmes for seconding national experts to ENISA, creating pools of experts and staff exchanges.

(22)

ENISA should assist the Commission by means of advice, opinions and analyses regarding all Union matters related to policy and law development, updates and reviews in the field of cybersecurity and sector-specific aspects thereof in order to enhance the relevance of Union policies and laws with a cybersecurity dimension and to enable consistency in the implementation of those policies and laws at national level. ENISA should act as a reference point for advice and expertise for Union sector-specific policy and law initiatives where matters related to cybersecurity are involved. ENISA should regularly inform the European Parliament about its activities.

(23)

The public core of the open internet, namely its main protocols and infrastructure, which are a global public good, provides the essential functionality of the internet as a whole and underpins its normal operation. ENISA should support the security of the public core of the open internet and the stability of its functioning, including, but not limited to, key protocols (in particular DNS, BGP, and IPv6), the operation of the domain name system (such as the operation of all top-level domains), and the operation of the root zone.

(24)

The underlying task of ENISA is to promote the consistent implementation of the relevant legal framework, in particular the effective implementation of Directive (EU) 2016/1148 and other relevant legal instruments containing cybersecurity aspects, which is essential to increasing cyber resilience. In light of the fast evolving cyber threat landscape, it is clear that Member States have to be supported by more comprehensive, cross-policy approach to building cyber resilience.

(25)

ENISA should assist the Member States and Union institutions, bodies, offices and agencies in their efforts to build and enhance capabilities and preparedness to prevent, detect and respond to cyber threats and incidents and in relation to the security of network and information systems. In particular, ENISA should support the development and enhancement of national and Union computer security incident response teams (‘CSIRTs’) provided for in Directive (EU) 2016/1148, with a view to achieving a high common level of their maturity in the Union. Activities carried out by ENISA relating to the operational capacities of Member States should actively support actions taken by Member States to comply with their obligations under Directive (EU) 2016/1148 and therefore should not supersede them.

(26)

ENISA should also assist with the development and updating of strategies on the security of network and information systems at Union level and, upon request, at Member State level, in particular on cybersecurity, and should promote the dissemination of such strategies and follow the progress of their implementation. ENISA should also contribute to covering the need for training and training materials, including the needs of public bodies, and where appropriate, to a high extent, ‘train the trainers’, building on the Digital Competence Framework for Citizens with a view to assisting Member States and Union institutions, bodies, offices and agencies in developing their own training capabilities.

(27)

ENISA should support Member States in the field of cybersecurity awareness-raising and education by facilitating closer coordination and the exchange of best practices between Member States. Such support could consist in the development of a network of national education points of contact and the development of a cybersecurity training platform. The network of national education points of contact could operate within the National Liaison Officers Network and be a starting point for future coordination within the Members States.

(28)

ENISA should assist the Cooperation Group created by Directive (EU) 2016/1148 in the execution of its tasks, in particular by providing expertise, advice and by facilitating the exchange of best practices, inter alia, with regard to the identification of operators of essential services by Member States, as well as in relation to cross-border dependencies, regarding risks and incidents.

(29)

With a view to stimulating cooperation between the public and private sector and within the private sector, in particular to support the protection of the critical infrastructures, ENISA should support information sharing within and among sectors, in particular the sectors listed in Annex II to Directive (EU) 2016/1148, by providing best practices and guidance on available tools and on procedure, as well as by providing guidance on how to address regulatory issues related to information sharing, for example through facilitating the establishment of sectoral information sharing and analysis centres.

(30)

Whereas the potential negative impact of vulnerabilities in ICT products, ICT services and ICT processes is constantly increasing, finding and remedying such vulnerabilities plays an important role in reducing the overall cybersecurity risk. Cooperation between organisations, manufacturers or providers of vulnerable ICT products, ICT services and ICT processes and members of the cybersecurity research community and governments who find vulnerabilities has been proven to significantly increase both the rate of discovery and the remedy of vulnerabilities in ICT products, ICT services and ICT processes. Coordinated vulnerability disclosure specifies a structured process of cooperation in which vulnerabilities are reported to the owner of the information system, allowing the organisation the opportunity to diagnose and remedy the vulnerability before detailed vulnerability information is disclosed to third parties or to the public. The process also provides for coordination between the finder and the organisation as regards the publication of those vulnerabilities. Coordinated vulnerability disclosure policies could play an important role in Member States’ efforts to enhance cybersecurity.

(31)

ENISA should aggregate and analyse voluntarily shared national reports from CSIRTs and the inter-institutional computer emergency response team for the Union’s institutions, bodies and agencies established by the Arrangement between the European Parliament, the European Council, the Council of the European Union, the European Commission, the Court of Justice of the European Union, the European Central Bank, the European Court of Auditors, the European External Action Service, the European Economic and Social Committee, the European Committee of the Regions and the European Investment Bank on the organisation and operation of a computer emergency response team for the Union’s institutions, bodies and agencies (CERT-EU) (14) in order to contribute to the setting up of common procedures, language and terminology for the exchange of information. In that context ENISA should involve the private sector within the framework of Directive (EU) 2016/1148 which lays down the grounds for the voluntary exchange of technical information at the operational level, in the computer security incident response teams network (‘CSIRTs network’) created by that Directive.

(32)

ENISA should contribute to responses at Union level in the case of large-scale cross-border incidents and crises related to cybersecurity. That task should be performed in accordance with ENISA’s mandate under this Regulation and an approach to be agreed by Member States in the context of Commission Recommendation (EU) 2017/1584 (15) and the Council conclusions of 26 June 2018 on EU Coordinated Response to Large-Scale Cybersecurity Incidents and Crises. That task could include gathering relevant information and acting as a facilitator between the CSIRTs network and the technical community, as well as between decision makers responsible for crisis management. Furthermore, ENISA should support operational cooperation among Member States, where requested by one or more Member States, in the handling of incidents from a technical perspective, by facilitating relevant exchanges of technical solutions between Member States, and by providing input into public communications. ENISA should support operational cooperation by testing the arrangements for such cooperation through regular cybersecurity exercises.

(33)

In supporting operational cooperation, ENISA should make use of the available technical and operational expertise of CERT-EU through structured cooperation. Such structured cooperation could build on ENISA’s expertise. Where appropriate, dedicated arrangements between the two entities should be established to define the practical implementation of such cooperation and to avoid the duplication of activities.

(34)

In performing its task to support operational cooperation within the CSIRTs network, ENISA should be able to provide support to Member States at their request, such as by providing advice on how to improve their capabilities to prevent, detect and respond to incidents, by facilitating the technical handling of incidents having a significant or substantial impact or by ensuring that cyber threats and incidents are analysed. ENISA should facilitate the technical handling of incidents having a significant or substantial impact in particular by supporting the voluntary sharing of technical solutions between Member States or by producing combined technical information, such as technical solutions voluntarily shared by the Member States. Recommendation (EU) 2017/1584 recommends that Member States cooperate in good faith and share among themselves and with ENISA information on large-scale incidents and crises related to cybersecurity without undue delay. Such information would further help ENISA in performing its task of supporting operational cooperation.

(35)

As part of the regular cooperation at technical level to support Union situational awareness, ENISA, in close cooperation with the Member States, should prepare a regular in-depth EU Cybersecurity Technical Situation Report on incidents and cyber threats, based on publicly available information, its own analysis and reports shared with it by Member States’ CSIRTs or the national single points of contact on the security of network and information systems (‘single points of contact’) provided for in Directive (EU) 2016/1148, both on a voluntary basis, the European Cybercrime Centre (EC3) at Europol, CERT-EU and, where appropriate, the European Union Intelligence and Situation Centre (EU INTCEN) at the European External Action Service. That report should be made available to the Council, the Commission, the High Representative of the Union for Foreign Affairs and Security Policy and the CSIRTs network.

(36)

The support by ENISA for ex-post technical inquiries of incidents having a significant or substantial impact undertaken at the request of the Member States concerned should focus on the prevention of future incidents. The Member States concerned should provide the necessary information and assistance in order to enable ENISA to support the ex-post technical inquiry effectively.

(37)

Member States may invite the undertakings concerned by the incident to cooperate by providing necessary information and assistance to ENISA without prejudice to their right to protect commercially sensitive information and information that is relevant to public security.

(38)

To understand better the challenges in the area of cybersecurity, and with a view to providing strategic long-term advice to Member States and Union institutions, bodies, offices and agencies, ENISA needs to analyse current and emerging cybersecurity risks. For that purpose, ENISA should, in cooperation with Member States and, as appropriate, with statistical bodies and other bodies, collect relevant publicly available or voluntarily shared information and perform analyses of emerging technologies and provide topic-specific assessments on the expected societal, legal, economic and regulatory impact of technological innovations on network and information security, in particular cybersecurity. ENISA should, furthermore, support Member States and Union institutions, bodies, offices and agencies in identifying emerging cybersecurity risks and preventing incidents, by performing analyses of cyber threats, vulnerabilities and incidents.

(39)

In order to increase the resilience of the Union, ENISA should develop expertise in the field of cybersecurity of infrastructures, in particular to support the sectors listed in Annex II to Directive (EU) 2016/1148 and those used by the providers of the digital services listed in Annex III to that Directive, by providing advice, issuing guidelines and exchanging best practices. With a view to ensuring easier access to better-structured information on cybersecurity risks and possible remedies, ENISA should develop and maintain the ‘information hub’ of the Union, a one-stop-shop portal providing the public with information on cybersecurity originating in Union and national institutions, bodies, offices and agencies. Facilitating access to better-structured information on cybersecurity risks and possible remedies could also help Member States bolster their capacities and align their practices, thus increasing their overall resilience to cyberattacks.

(40)

ENISA should contribute to raising the public’s awareness of cybersecurity risks, including through an EU-wide awareness-raising campaign by promoting education, and to providing guidance on good practices for individual users aimed at citizens, organisations and businesses. ENISA should also contribute to promoting best practices and solutions, including cyber-hygiene and cyber-literacy at the level of citizens, organisations and businesses by collecting and analysing publicly available information regarding significant incidents, and by compiling and publishing reports and guidance for citizens, organisations and businesses, to improve their overall level of preparedness and resilience. ENISA should also strive to provide consumers with relevant information on applicable certification schemes, for example by providing guidelines and recommendations. ENISA should furthermore organise, in line with the Digital Education Action Plan established in the Commission Communication of 17 January 2018 and in cooperation with the Member States and Union institutions, bodies, offices and agencies regular outreach and public education campaigns directed at end users, to promote safer online behaviour by individuals and digital literacy, to raise awareness of potential cyber threats, including online criminal activities such as phishing attacks, botnets, financial and banking fraud, data fraud incidents, and to promote basic multi-factor authentication, patching, encryption, anonymisation and data protection advice.

(41)

ENISA should play a central role in accelerating end-user awareness of the security of devices and the secure use of services, and should promote security-by-design and privacy-by-design at Union level. In pursuing that objective, ENISA should make use of available best practices and experience, especially the best practices and experience of academic institutions and IT security researchers.

(42)

In order to support the businesses operating in the cybersecurity sector, as well as the users of cybersecurity solutions, ENISA should develop and maintain a ‘market observatory’ by performing regular analyses and disseminating information on the main trends in the cybersecurity market, on both the demand and supply sides.

(43)

ENISA should contribute to the Union’s efforts to cooperate with international organisations as well as within relevant international cooperation frameworks in the field of cybersecurity. In particular, ENISA should contribute, where appropriate, to cooperation with organisations such as the OECD, the OSCE and NATO. Such cooperation could include joint cybersecurity exercises and joint incident response coordination. Those activities are to be carried out in full respect of the principles of inclusiveness, reciprocity and the decision-making autonomy of the Union, without prejudice to the specific character of the security and defence policy of any Member State.

(44)

In order to ensure that it fully achieves its objectives, ENISA should liaise with the relevant Union supervisory authorities and with other competent authorities in the Union, Union institutions, bodies, offices and agencies, including CERT-EU, EC3, the European Defence Agency (EDA), the European Global Navigation Satellite Systems Agency (European GNSS Agency), the Body of European Regulators for Electronic Communications (BEREC), the European Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA), the European Central Bank (ECB), the European Banking Authority (EBA), the European Data Protection Board, the Agency for the Cooperation of Energy Regulators (ACER), the European Union Aviation Safety Agency (EASA) and any other Union agency involved in cybersecurity. ENISA should also liaise with authorities that deal with data protection in order to exchange know-how and best practices and should provide advice on cybersecurity issues that might have an impact on their work. Representatives of national and Union law enforcement and data protection authorities should be eligible to be represented in the ENISA Advisory Group. In liaising with law enforcement authorities regarding network and information security issues that might have an impact on their work, ENISA should respect existing channels of information and established networks.

(45)

Partnerships could be established with academic institutions that have research initiatives in relevant fields, and there should be appropriate channels for input from consumer organisations and other organisations, which should be taken into consideration.

(46)

ENISA, in its role as the secretariat of the CSIRTs network, should support Member States’ CSIRTs and the CERT-EU in the operational cooperation in relation to the relevant tasks of the CSIRTs network, as referred to in Directive (EU) 2016/1148. Furthermore, ENISA should promote and support cooperation between the relevant CSIRTs in the event of incidents, attacks or disruptions of networks or infrastructure managed or protected by the CSIRTs and involving or being capable of involving at least two CSIRTs while taking due account of the Standard Operating Procedures of the CSIRTs network.

(47)

With a view to increasing Union preparedness in responding to incidents, ENISA should regularly organise cybersecurity exercises at Union level, and, at their request, support Member States and Union institutions, bodies, offices and agencies in organising such exercises. Large-scale comprehensive exercises which include technical, operational or strategic elements should be organised on a biennial basis. In addition, ENISA should be able to regularly organise less comprehensive exercises with the same goal of increasing Union preparedness in responding to incidents.

(48)

ENISA should further develop and maintain its expertise on cybersecurity certification with a view to supporting the Union policy in that area. ENISA should build on existing best practices and should promote the uptake of cybersecurity certification within the Union, including by contributing to the establishment and maintenance of a cybersecurity certification framework at Union level (European cybersecurity certification framework) with a view to increasing the transparency of the cybersecurity assurance of ICT products, ICT services and ICT processes, thereby strengthening trust in the digital internal market and its competitiveness.

(49)

Efficient cybersecurity policies should be based on well-developed risk assessment methods, in both the public and private sectors. Risk assessment methods are used at different levels, with no common practice regarding how to apply them efficiently. Promoting and developing best practices for risk assessment and for interoperable risk management solutions in public-sector and private-sector organisations will increase the level of cybersecurity in the Union. To that end, ENISA should support cooperation between stakeholders at Union level and facilitate their efforts relating to the establishment and take-up of European and international standards for risk management and for the measurable security of electronic products, systems, networks and services which, together with software, comprise the network and information systems.

(50)

ENISA should encourage Member States, manufacturers or providers of ICT products, ICT services or ICT processes to raise their general security standards so that all internet users can take the necessary steps to ensure their own personal cybersecurity and should give incentives to do so. In particular, manufacturers and providers of ICT products, ICT services or ICT processes should provide any necessary updates and should recall, withdraw or recycle ICT products, ICT services or ICT processes that do not meet cybersecurity standards, while importers and distributors should make sure that the ICT products, ICT services and ICT processes they place on the Union market comply with the applicable requirements and do not present a risk to Union consumers.

(51)

In cooperation with competent authorities, ENISA should be able to disseminate information regarding the level of the cybersecurity of the ICT products, ICT services and ICT processes offered in the internal market, and should issue warnings targeting manufacturers or providers of ICT products, ICT services or ICT processes and requiring them to improve the security of their ICT products, ICT services and ICT processes, including the cybersecurity.

(52)

ENISA should take full account of the ongoing research, development and technological assessment activities, in particular those activities carried out by the various Union research initiatives to advise Union institutions, bodies, offices and agencies and where relevant, the Member States at their request, on research needs and priorities in the field of cybersecurity. In order to identify the research needs and priorities, ENISA should also consult the relevant user groups. More specifically, cooperation with the European Research Council, the European Institute for Innovation and Technology and the European Union Institute for Security Studies could be established.

(53)

ENISA should regularly consult standardisation organisations, in particular European standardisation organisations, when preparing the European cybersecurity certification schemes.

(54)

Cyber threats are a global issue. There is a need for closer international cooperation to improve cybersecurity standards, including the need for definitions of common norms of behaviour, the adoption of codes of conduct, the use of international standards, and information sharing, promoting swifter international collaboration in response to network and information security issues and promoting a common global approach to such issues. To that end, ENISA should support further Union involvement and cooperation with third countries and international organisations by providing the necessary expertise and analysis to the relevant Union institutions, bodies, offices and agencies, where appropriate.

(55)

ENISA should be able to respond to ad hoc requests for advice and assistance by Member States and Union institutions, bodies, offices and agencies on matters falling within ENISA’s mandate.

(56)

It is sensible and recommended to implement certain principles regarding the governance of ENISA in order to comply with the Joint Statement and Common Approach agreed upon in July 2012 by the Inter-Institutional Working Group on EU decentralised agencies, the purpose of which is to streamline the activities of decentralised agencies and improve their performance. The recommendations in the Joint Statement and Common Approach should also be reflected, as appropriate, in ENISA’s work programmes, evaluations of ENISA, and ENISA’s reporting and administrative practice.

(57)

The Management Board, composed of the representatives of the Member States and of the Commission, should establish the general direction of ENISA’s operations and ensure that it carries out its tasks in accordance with this Regulation. The Management Board should be entrusted with the powers necessary to establish the budget, verify the execution of the budget, adopt appropriate financial rules, establish transparent working procedures for decision making by ENISA, adopt ENISA’s single programming document, adopt its own rules of procedure, appoint the Executive Director and decide on the extension and termination of the Executive Director’s term of office.

(58)

In order for ENISA to function properly and effectively, the Commission and the Member States should ensure that persons to be appointed to the Management Board have appropriate professional expertise and experience. The Commission and the Member States should also make efforts to limit the turnover of their respective representatives on the Management Board in order to ensure continuity in its work.

(59)

The smooth functioning of ENISA requires that its Executive Director be appointed on grounds of merit and documented administrative and managerial skills, as well as competence and experience relevant to cybersecurity. The duties of the Executive Director should be carried out with complete independence. The Executive Director should prepare a proposal for ENISA’s annual work programme, after prior consultation with the Commission, and should take all steps necessary to ensure the proper implementation of that work programme. The Executive Director should prepare an annual report to be submitted to the Management Board, covering the implementation of ENISA’s annual work programme, draw up a draft statement of estimates of revenue and expenditure for ENISA, and implement the budget. Furthermore, the Executive Director should have the option of setting up ad hoc working groups to address specific matters, in particular matters of a scientific, technical, legal or socioeconomic nature. In particular, in relation to the preparation of a specific candidate European cybersecurity certification scheme (‘candidate scheme’), the setting up of an ad hoc working group is considered to be necessary. The Executive Director should ensure that the members of ad hoc working groups are selected according to the highest standards of expertise, aiming to ensure gender balance and an appropriate balance, according to the specific issues in question, between the public administrations of the Member States, the Union institutions, bodies, offices and agencies and the private sector, including industry, users, and academic experts in network and information security.

(60)

The Executive Board should contribute to the effective functioning of the Management Board. As part of its preparatory work related to Management Board decisions, the Executive Board should examine relevant information in detail, explore available options and offer advice and solutions to prepare the decisions of the Management Board.

(61)

ENISA should have an ENISA Advisory Group as an advisory body to ensure regular dialogue with the private sector, consumers’ organisations and other relevant stakeholders. The ENISA Advisory Group, established by the Management Board on a proposal from the Executive Director, should focus on issues relevant to stakeholders and should bring them to the attention of ENISA. The ENISA Advisory Group should be consulted in particular with regard to ENISA’s draft annual work programme. The composition of the ENISA Advisory Group and the tasks assigned to it should ensure sufficient representation of stakeholders in the work of ENISA.

(62)

The Stakeholder Cybersecurity Certification Group should be established in order to help ENISA and the Commission facilitate the consultation of relevant stakeholders. The Stakeholder Cybersecurity Certification Group should be composed of members representing industry in balanced proportions, both on the demand side and the supply side of ICT products and ICT services, and including, in particular, SMEs, digital service providers, European and international standardisation bodies, national accreditation bodies, data protection supervisory authorities and conformity assessment bodies pursuant to Regulation (EC) No 765/2008 of the European Parliament and of the Council (16), and academia as well as consumer organisations.

(63)

ENISA should have rules in place regarding the prevention and the management of conflicts of interest. ENISA should also apply the relevant Union provisions concerning public access to documents as set out in Regulation (EC) No 1049/2001 of the European Parliament and of the Council (17). The processing of personal data by ENISA should be subject to Regulation (EU) 2018/1725 of the European Parliament and of the Council (18). ENISA should comply with the provisions applicable to the Union institutions, bodies, offices and agencies, and with national legislation regarding the handling of information, in particular sensitive non-classified information and European Union classified information (EUCI).

(64)

In order to guarantee the full autonomy and independence of ENISA and to enable it to perform additional tasks, including unforeseen emergency tasks, ENISA should be granted a sufficient and autonomous budget whose revenue should primarily come from a contribution from the Union and contributions from third countries participating in ENISA’s work. An appropriate budget is paramount for ensuring that ENISA has sufficient capacity to perform all of its growing tasks and to achieve its objectives. The majority of ENISA’s staff should be directly engaged in the operational implementation of ENISA’s mandate. The host Member State, and any other Member State, should be allowed to make voluntary contributions to ENISA’s budget. The Union’s budgetary procedure should remain applicable as far as any subsidies chargeable to the general budget of the Union are concerned. Moreover, the Court of Auditors should audit ENISA’s accounts to ensure transparency and accountability.

(65)

Cybersecurity certification plays an important role in increasing trust and security in ICT products, ICT services and ICT processes. The digital single market, and in particular the data economy and the IoT, can thrive only if there is general public trust that such products, services and processes provide a certain level of cybersecurity. Connected and automated cars, electronic medical devices, industrial automation control systems and smart grids are only some examples of sectors in which certification is already widely used or is likely to be used in the near future. The sectors regulated by Directive (EU) 2016/1148 are also sectors in which cybersecurity certification is critical.

(66)

In the 2016 Communication ‘Strengthening Europe’s Cyber Resilience System and Fostering a Competitive and Innovative Cybersecurity Industry’, the Commission outlined the need for high-quality, affordable and interoperable cybersecurity products and solutions. The supply of ICT products, ICT services and ICT processes within the single market remains very fragmented geographically. This is because the cybersecurity industry in Europe has developed largely on the basis of national governmental demand. In addition, the lack of interoperable solutions (technical standards), practices and Union-wide mechanisms of certification are among the other gaps affecting the single market in the field of cybersecurity. This makes it difficult for European businesses to compete at national, Union and global level. It also reduces the choice of viable and usable cybersecurity technologies that individuals and businesses have access to. Similarly, in the 2017 Communication on the Mid-Term Review on the implementation of the Digital Single Market Strategy – A Connected Digital Single Market for All, the Commission highlighted the need for safe connected products and systems, and indicated that the creation of a European ICT security framework setting rules on how to organise ICT security certification in the Union could both preserve trust in the internet and tackle the current fragmentation of the internal market.

(67)

Currently, the cybersecurity certification of ICT products, ICT services and ICT processes is used only to a limited extent. When it exists, it mostly occurs at Member State level or in the framework of industry driven schemes. In that context, a certificate issued by a national cybersecurity certification authority is not in principle recognised in other Member States. Companies thus may have to certify their ICT products, ICT services and ICT processes in several Member States where they operate, for example, with a view to participating in national procurement procedures, which thereby adds to their costs. Moreover, while new schemes are emerging, there seems to be no coherent and holistic approach to horizontal cybersecurity issues, for instance in the field of the IoT. Existing schemes present significant shortcomings and differences in terms of product coverage, levels of assurance, substantive criteria and actual use, impeding mutual recognition mechanisms within the Union.

(68)

Some efforts have been made in order to ensure the mutual recognition of certificates within the Union. However, they have been only partly successful. The most important example in this regard is the Senior Officials Group – Information Systems Security (SOG-IS) Mutual Recognition Agreement (MRA). While it represents the most important model for cooperation and mutual recognition in the field of security certification, SOG-IS includes only some of the Member States. That fact has limited the effectiveness of SOG-IS MRA from the point of view of the internal market.

(69)

Therefore, it is necessary to adopt a common approach and to establish a European cybersecurity certification framework that lays down the main horizontal requirements for European cybersecurity certification schemes to be developed and allows European cybersecurity certificates and EU statements of conformity for ICT products, ICT services or ICT processes to be recognised and used in all Member States. In doing so, it is essential to build on existing national and international schemes, as well as on mutual recognition systems, in particular SOG-IS, and to make possible a smooth transition from the existing schemes under such systems to schemes under the new European cybersecurity certification framework. The European cybersecurity certification framework should have a twofold purpose. First, it should help increase trust in ICT products, ICT services and ICT processes that have been certified under European cybersecurity certification schemes. Second, it should help avoid the multiplication of conflicting or overlapping national cybersecurity certification schemes and thus reduce costs for undertakings operating in the digital single market. The European cybersecurity certification schemes should be non-discriminatory and based on European or international standards, unless those standards are ineffective or inappropriate to fulfil the Union’s legitimate objectives in that regard.

(70)

The European cybersecurity certification framework should be established in a uniform manner in all Member States in order to prevent ‘certification shopping’ based on different levels of stringency in different Member States.

(71)

European cybersecurity certification schemes should be built on what already exists at international and national level and, if necessary, on technical specifications from forums and consortia, learning from current strong points and assessing and correcting weaknesses.

(72)

Flexible cybersecurity solutions are necessary for the industry to stay ahead of cyber threats, and therefore any certification scheme should be designed in a way that avoids the risk of being outdated quickly.

(73)

The Commission should be empowered to adopt European cybersecurity certification schemes concerning specific groups of ICT products, ICT services and ICT processes. Those schemes should be implemented and supervised by national cybersecurity certification authorities, and certificates issued under those schemes should be valid and recognised throughout the Union. Certification schemes operated by the industry or by other private organisations should fall outside of the scope of this Regulation. However, the bodies operating such schemes should be able to propose that the Commission consider such schemes as a basis for approving them as a European cybersecurity certification scheme.

(74)

The provisions of this Regulation should be without prejudice to Union law providing specific rules on the certification of ICT products, ICT services and ICT processes. In particular, Regulation (EU) 2016/679 lays down provisions for the establishment of certification mechanisms and of data protection seals and marks, for the purpose of demonstrating the compliance of processing operations by controllers and processors with that Regulation. Such certification mechanisms and data protection seals and marks should allow data subjects to quickly assess the level of data protection of the relevant ICT products, ICT services and ICT processes. This Regulation is without prejudice to the certification of data processing operations under Regulation (EU) 2016/679, including when such operations are embedded in ICT products, ICT services and ICT processes.

(75)

The purpose of European cybersecurity certification schemes should be to ensure that ICT products, ICT services and ICT processes certified under such schemes comply with specified requirements that aim to protect the availability, authenticity, integrity and confidentiality of stored, transmitted or processed data or of the related functions of or services offered by, or accessible via those products, services and processes throughout their life cycle. It is not possible to set out in detail the cybersecurity requirements relating to all ICT products, ICT services and ICT processes in this Regulation. ICT products, ICT services and ICT processes and the cybersecurity needs related to those products, services and processes are so diverse that it is very difficult to develop general cybersecurity requirements that are valid in all circumstances. It is therefore necessary to adopt a broad and general notion of cybersecurity for the purpose of certification, which should be complemented by a set of specific cybersecurity objectives that are to be taken into account when designing European cybersecurity certification schemes. The arrangements by which such objectives are to be achieved in specific ICT products, ICT services and ICT processes should then be further specified in detail at the level of the individual certification scheme adopted by the Commission, for example by reference to standards or technical specifications if no appropriate standards are available.

(76)

The technical specifications to be used in European cybersecurity certification schemes should respect the requirements set out in Annex II to Regulation (EU) No 1025/2012 of the European Parliament and of the Council (19). Some deviations from those requirements could, however, be considered to be necessary in duly justified cases where those technical specifications are to be used in a European cybersecurity certification scheme referring to assurance level ‘high’. The reasons for such deviations should be made publicly available.

(77)

A conformity assessment is a procedure for evaluating whether specified requirements relating to an ICT product, ICT service or ICT process have been fulfilled. That procedure is carried out by an independent third party that is not the manufacturer or provider of the ICT products, ICT services or ICT processes that are being assessed. A European cybersecurity certificate should be issued following the successful evaluation of an ICT product, ICT service or ICT process. A European cybersecurity certificate should be considered to be a confirmation that the evaluation has been properly carried out. Depending on the assurance level, the European cybersecurity certification scheme should indicate whether the European cybersecurity certificate is to be issued by a private or public body. Conformity assessment and certification cannot guarantee per se that certified ICT products, ICT services and ICT processes are cyber secure. They are instead procedures and technical methodologies for attesting that ICT products, ICT services and ICT processes have been tested and that they comply with certain cybersecurity requirements laid down elsewhere, for example in technical standards.

(78)

The choice of the appropriate certification and associated security requirements by the users of European cybersecurity certificates should be based on an analysis of the risks associated with the use of the ICT products, ICT services or ICT processes. Accordingly, the assurance level should be commensurate with the level of the risk associated with the intended use of an ICT product, ICT service or ICT process.

(79)

European cybersecurity certification schemes could provide for a conformity assessment to be carried out under the sole responsibility of the manufacturer or provider of ICT products, ICT services or ICT processes (‘conformity self-assessment’). In such cases, it should be sufficient that the manufacturer or provider of ICT products, ICT services or ICT processes itself carry out all of the checks to ensure that the ICT products, ICT services or ICT processes conform with the European cybersecurity certification scheme. Conformity self-assessment should be considered to be appropriate for low complexity ICT products, ICT services or ICT processes that present a low risk to the public, such as simple design and production mechanisms. Moreover, conformity self-assessment should be permitted for ICT products, ICT services or ICT processes only where they correspond to assurance level ‘basic’.

(80)

European cybersecurity certification schemes could allow for both conformity self-assessments and certifications of ICT products, ICT services or ICT processes. In such a case, the scheme should provide for clear and understandable means for consumers or other users to differentiate between ICT products, ICT services or ICT processes with regard to which the manufacturer or provider of ICT products, ICT services or ICT processes is responsible for the assessment, and ICT products, ICT services or ICT processes that are certified by a third party.

(81)

The manufacturer or provider of ICT products, ICT services or ICT processes who carry out a conformity self-assessment should be able to issue and sign the EU statement of conformity as part of the conformity assessment procedure. An EU statement of conformity is a document that states that a specific ICT product, ICT service or ICT process complies with the requirements of the European cybersecurity certification scheme. By issuing and signing the EU statement of conformity, the manufacturer or provider of ICT products, ICT services or ICT processes assumes responsibility for the compliance of the ICT product, ICT service or ICT process with the legal requirements of the European cybersecurity certification scheme. A copy of the EU statement of conformity should be submitted to the national cybersecurity certification authority and to ENISA.

(82)

Manufacturers or providers of ICT products, ICT services or ICT processes should make the EU statement of conformity, technical documentation, and all other relevant information relating to the conformity of the ICT products, ICT services or ICT processes with a European cybersecurity certification scheme available to the competent national cybersecurity certification authority for a period provided for in the relevant European cybersecurity certification scheme. The technical documentation should specify the requirements applicable under the scheme and should cover the design, manufacture and operation of the ICT product, ICT service or ICT process to the extent relevant to the conformity self-assessment. The technical documentation should be so compiled as to enable the assessment of whether an ICT product or ICT service complies with the requirements applicable under that scheme.

(83)

The governance of the European cybersecurity certification framework takes into account the involvement of Member States as well as the appropriate involvement of stakeholders, and establishes the role of the Commission during the planning and proposing, requesting, preparing, adopting and reviewing of European cybersecurity certification schemes.

(84)

The Commission should prepare, with the support of the European Cybersecurity Certification Group (the ‘ECCG’) and the Stakeholder Cybersecurity Certification Group and after an open and wide consultation, a Union rolling work programme for European cybersecurity certification schemes and should publish it in the form of a non-binding instrument. The Union rolling work programme should be a strategic document that allows industry, national authorities and standardisation bodies, in particular, to prepare in advance for future European cybersecurity certification schemes. The Union rolling work programme should include a multiannual overview of the requests for candidate schemes which the Commission intends to submit to ENISA for preparation on the basis of specific grounds. The Commission should take into account the Union rolling work programme while preparing its Rolling Plan for ICT Standardisation and standardisation requests to European standardisation organisations. In light of the rapid introduction and uptake of new technologies, the emergence of previously unknown cybersecurity risks, and legislative and market developments, the Commission or the ECCG should be entitled to request ENISA to prepare candidate schemes which have not been included in the Union rolling work programme. In such cases, the Commission and the ECCG should also assess the necessity of such a request, taking into account the overall aims and objectives of this Regulation and the need to ensure continuity as regards ENISA’s planning and use of resources.

Following such a request, ENISA should prepare the candidate schemes for specific ICT products, ICT services and ICT processes without undue delay. The Commission should evaluate the positive and negative impact of its request on the specific market in question, especially its impact on SMEs, on innovation, on barriers to entry to that market and on costs to end users. The Commission, on the basis of the candidate scheme prepared by ENISA, should be empowered to adopt the European cybersecurity certification scheme by means of implementing acts. Taking account of the general purpose and security objectives laid down in this Regulation, European cybersecurity certification schemes adopted by the Commission should specify a minimum set of elements concerning the subject matter, scope and functioning of the individual scheme. Those elements should include, among other things, the scope and object of the cybersecurity certification, including the categories of ICT products, ICT services and ICT processes covered, the detailed specification of the cybersecurity requirements, for example by reference to standards or technical specifications, the specific evaluation criteria and evaluation methods, as well as the intended assurance level (‘basic’, ‘substantial’ or ‘high’) and the evaluation levels where applicable. ENISA should be able to refuse a request by the ECCG. Such decisions should be taken by the Management Board and should be duly reasoned.

(85)

ENISA should maintain a website providing information on and publicising European cybersecurity certification schemes, which should include, among other things, the requests for the preparation of a candidate scheme as well as the feedback received in the consultation process carried out by ENISA in the preparation phase. The website should also provide information about the European cybersecurity certificates and EU statements of conformity issued under this Regulation including information regarding the withdrawal and expiry of such European cybersecurity certificates and EU statements of conformity. The website should also indicate the national cybersecurity certification schemes that have been replaced by a European cybersecurity certification scheme.

(86)

The assurance level of a European certification scheme is a basis for confidence that an ICT product, ICT service or ICT process meets the security requirements of a specific European cybersecurity certification scheme. In order to ensure the consistency of the European cybersecurity certification framework, a European cybersecurity certification scheme should be able to specify assurance levels for European cybersecurity certificates and EU statements of conformity issued under that scheme. Each European cybersecurity certificate might refer to one of the assurance levels: ‘basic’, ‘substantial’ or ‘high’, while the EU statement of conformity might only refer to the assurance level ‘basic’. The assurance levels would provide the corresponding rigour and depth of the evaluation of the ICT product, ICT service or ICT process and would be characterised by reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to mitigate or prevent incidents. Each assurance level should be consistent among the different sectorial domains where certification is applied.

(87)

A European cybersecurity certification scheme might specify several evaluation levels depending on the rigour and depth of the evaluation methodology used. Evaluation levels should correspond to one of the assurance levels and should be associated with an appropriate combination of assurance components. For all assurance levels, the ICT product, ICT service or ICT process should contain a number of secure functions, as specified by the scheme, which may include: a secure out-of-the-box configuration, a signed code, secure update and exploit mitigations and full stack or heap memory protections. Those functions should have been developed, and be maintained, using security-focused development approaches and associated tools to ensure that effective software and hardware mechanisms are reliably incorporated.

(88)

For assurance level ‘basic’, the evaluation should be guided at least by the following assurance components: the evaluation should at least include a review of the technical documentation of the ICT product, ICT service or ICT process by the conformity assessment body. Where the certification includes ICT processes, the process used to design, develop and maintain an ICT product or ICT service should also be subject to the technical review. Where a European cybersecurity certification scheme provides for a conformity self-assessment, it should be sufficient that the manufacturer or provider of ICT products, ICT services or ICT processes has carried out a self-assessment of the compliance of the ICT product, ICT service or ICT process with the certification scheme.

(89)

For assurance level ‘substantial’, the evaluation, in addition to the requirements for assurance level ‘basic’, should be guided at least by the verification of the compliance of the security functionalities of the ICT product, ICT service or ICT process with its technical documentation.

(90)

For assurance level ‘high’, the evaluation, in addition to the requirements for assurance level ‘substantial’, should be guided at least by an efficiency testing which assesses the resistance of the security functionalities of ICT product, ICT service or ICT process against elaborate cyberattacks performed by persons who have significant skills and resources.

(91)

Recourse to European cybersecurity certification and to EU statements of conformity should remain voluntary, unless otherwise provided for in Union law, or in Member State law adopted in accordance with Union law. In the absence of harmonised Union law, Member States are able to adopt national technical regulations providing for mandatory certification under a European cybersecurity certification scheme in accordance with Directive (EU) 2015/1535 of the European Parliament and of the Council (20). Member States also have recourse to European cybersecurity certification in the context of public procurement and of Directive 2014/24/EU of the European Parliament and of the Council (21).

(92)

In some areas, it could be necessary in the future to impose specific cybersecurity requirements and make the certification thereof mandatory for certain ICT products, ICT services or ICT processes, in order to improve the level of cybersecurity in the Union. The Commission should regularly monitor the impact of adopted European cybersecurity certification schemes on the availability of secure ICT products, ICT services and ICT processes in the internal market and should regularly assess the level of use of the certification schemes by the manufacturers or providers of ICT products, ICT services or ICT processes in the Union. The efficiency of the European cybersecurity certification schemes, and whether specific schemes should be made mandatory, should be assessed in light of the cybersecurity-related legislation of the Union, in particular Directive (EU) 2016/1148, taking into consideration the security of the network and information systems used by operators of essential services.

(93)

European cybersecurity certificates and EU statements of conformity should help end users to make informed choices. Therefore, ICT products, ICT services and ICT processes that have been certified or for which an EU statement of conformity has been issued should be accompanied by structured information that is adapted to the expected technical level of the intended end user. All such information should be available online, and, where appropriate, in physical form. The end user should have access to information regarding the reference number of the certification scheme, the assurance level, the description of the cybersecurity risks associated with the ICT product, ICT service or ICT process, and the issuing authority or body, or should be able to obtain a copy of the European cybersecurity certificate. In addition, the end user should be informed of the cybersecurity support policy, namely for how long the end user can expect to receive cybersecurity updates or patches, of the manufacturer or provider of ICT products, ICT services or ICT processes. Where applicable, guidance on actions or settings that the end user can implement to maintain or increase the cybersecurity of the ICT product or of the ICT service and contact information of a single point of contact to report and receive support in the case of cyberattacks (in addition to automatic reporting) should be provided. That information should be regularly updated and made available on a website providing information on European cybersecurity certification schemes.

(94)

With a view to achieving the objectives of this Regulation and avoiding the fragmentation of the internal market, national cybersecurity certification schemes or procedures for ICT products, ICT services or ICT processes covered by a European cybersecurity certification scheme should cease to be effective from a date established by the Commission by means of implementing acts. Moreover, Member States should not introduce new national cybersecurity certification schemes for ICT products, ICT services or ICT processes already covered by an existing European cybersecurity certification scheme. However, Member States should not be prevented from adopting or maintaining national cybersecurity certification schemes for national security purposes. Member States should inform the Commission and the ECCG of any intention to draw up new national cybersecurity certification schemes. The Commission and the ECCG should evaluate the impact of the new national cybersecurity certification schemes on the proper functioning of the internal market and in light of any strategic interest in requesting a European cybersecurity certification scheme instead.

(95)

European cybersecurity certification schemes are intended to help harmonise cybersecurity practices within the Union. They need to contribute to increasing the level of cybersecurity within the Union. The design of the European cybersecurity certification schemes should take into account and allow for the development of innovations in the field of cybersecurity.

(96)

European cybersecurity certification schemes should take into account current software and hardware development methods and, in particular, the impact of frequent software or firmware updates on individual European cybersecurity certificates. European cybersecurity certification schemes should specify the conditions under which an update may require that an ICT product, ICT service or ICT process be recertified or that the scope of a specific European cybersecurity certificate be reduced, taking into account any possible adverse effects of the update on compliance with the security requirements of that certificate.

(97)

Once a European cybersecurity certification scheme is adopted, manufacturers or providers of ICT products, ICT services or ICT processes should be able to submit applications for certification of their ICT products or ICT services to the conformity assessment body of their choice anywhere in the Union. Conformity assessment bodies should be accredited by a national accreditation body if they comply with certain specified requirements set out in this Regulation. Accreditation should be issued for a maximum of five years and should be renewable on the same conditions provided that the conformity assessment body still meets the requirements. National accreditation bodies should restrict, suspend or revoke the accreditation of a conformity assessment body where the conditions for the accreditation have not been met or are no longer met, or where the conformity assessment body infringes this Regulation.

(98)

References in national legislation to national standards which have ceased to be effective due to the entry into force of a European cybersecurity certification scheme can be a source of confusion. Therefore, Member States should reflect the adoption of a European cybersecurity certification scheme in their national legislation.

(99)

In order to achieve equivalent standards throughout the Union, to facilitate mutual recognition and to promote the overall acceptance of European cybersecurity certificates and EU statements of conformity, it is necessary to put in place a system of peer review between national cybersecurity certification authorities. Peer review should cover procedures for supervising the compliance of ICT products, ICT services and ICT processes with European cybersecurity certificates, for monitoring the obligations of manufacturers or providers of ICT products, ICT services or ICT processes who carry out the conformity self-assessment, for monitoring conformity assessment bodies, as well as the appropriateness of the expertise of the staff of bodies issuing certificates for assurance level ‘high’. The Commission should be able, by means of implementing acts, to establish at least a five-year plan for peer reviews, as well as lay down criteria and methodologies for the operation of the peer review system.

(100)

Without prejudice to the general peer review system to be put in place across all national cybersecurity certification authorities within the European cybersecurity certification framework, certain European cybersecurity certification schemes may include a peer-assessment mechanism for the bodies that issue European cybersecurity certificates for ICT products, ICT services and ICT processes with an assurance level ‘high’ under such schemes. The ECCG should support the implementation of such peer-assessment mechanisms. The peer assessments should assess in particular whether the bodies concerned carry out their tasks in a harmonised way, and may include appeal mechanisms. The results of the peer assessments should be made publicly available. The bodies concerned may adopt appropriate measures to adapt their practices and expertise accordingly.

(101)

Member States should designate one or more national cybersecurity certification authorities to supervise compliance with obligations arising from this Regulation. A national cybersecurity certification authority may be an existing or new authority. A Member State should also be able to designate, after agreeing with another Member State, one or more national cybersecurity certification authorities in the territory of that other Member State.

(102)

National cybersecurity certification authorities should in particular monitor and enforce the obligations of manufacturers or providers of ICT products, ICT services or ICT processes established in its respective territory in relation to the EU statement of conformity, should assist the national accreditation bodies in the monitoring and supervision of the activities of conformity assessment bodies by providing them with expertise and relevant information, should authorise conformity assessment bodies to carry out their tasks where such bodies meet additional requirements set out in a European cybersecurity certification scheme, and should monitor relevant developments in the field of cybersecurity certification. National cybersecurity certification authorities should also handle complaints lodged by natural or legal persons in relation to European cybersecurity certificates issued by those authorities or in relation to European cybersecurity certificates issued by conformity assessment bodies, where such certificates indicate assurance level ‘high’, should investigate, to the extent appropriate, the subject matter of the complaint and should inform the complainant of the progress and the outcome of the investigation within a reasonable period. Moreover, national cybersecurity certification authorities should cooperate with other national cybersecurity certification authorities or other public authorities, including by the sharing of information on the possible non-compliance of ICT products, ICT services and ICT processes with the requirements of this Regulation or with specific European cybersecurity certification schemes. The Commission should facilitate that sharing of information by making available a general electronic information support system, for example the Information and Communication System on Market Surveillance (ICSMS) and the Rapid Alert System for dangerous non-food products (RAPEX), already used by market surveillance authorities pursuant to Regulation (EC) No 765/2008.

(103)

With a view to ensuring the consistent application of the European cybersecurity certification framework, an ECCG that consists of representatives of national cybersecurity certification authorities or other relevant national authorities should be established. The main tasks of the ECCG should be to advise and assist the Commission in its work towards ensuring the consistent implementation and application of the European cybersecurity certification framework, to assist and closely cooperate with ENISA in the preparation of candidate cybersecurity certification schemes, in duly justified cases to request ENISA to prepare a candidate scheme, to adopt opinions addressed to ENISA on candidate schemes and to adopt opinions addressed to the Commission on the maintenance and review of existing European cybersecurity certifications schemes. The ECCG should facilitate the exchange of good practices and expertise between the various national cybersecurity certification authorities that are responsible for the authorisation of conformity assessment bodies and the issuance of European cybersecurity certificates.

(104)

In order to raise awareness and to facilitate the acceptance of future European cybersecurity certification schemes, the Commission may issue general or sector-specific cybersecurity guidelines, for example on good cybersecurity practices or responsible cybersecurity behaviour highlighting the positive effect of the use of certified ICT products, ICT services and ICT processes.

(105)

In order to further facilitate trade, and recognising that ICT supply chains are global, mutual recognition agreements concerning European cybersecurity certificates may be concluded by the Union in accordance with Article 218 of the Treaty on the Functioning of the European Union (TFEU). The Commission, taking into account the advice from ENISA and the European Cybersecurity Certification Group, may recommend the opening of relevant negotiations. Each European cybersecurity certification scheme should provide specific conditions for such mutual recognition agreements with third countries.

(106)

In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council (22).

(107)

The examination procedure should be used for the adoption of implementing acts on European cybersecurity certification schemes for ICT products, ICT services or ICT processes, for the adoption of implementing acts on arrangements for carrying out inquiries by ENISA, for the adoption of implementing acts on a plan for the peer review of national cybersecurity certification authorities, as well as for the adoption of implementing acts on the circumstances, formats and procedures of notifications of accredited conformity assessment bodies by the national cybersecurity certification authorities to the Commission.

(108)

ENISA’s operations should be subject to regular and independent evaluation. That evaluation should have regard to ENISA’s objectives, its working practices and the relevance of its tasks, in particular its tasks relating to the operational cooperation at Union level. That evaluation should also assess the impact, effectiveness and efficiency of the European cybersecurity certification framework. In the event of a review, the Commission should evaluate how ENISA’s role as a reference point for advice and expertise can be reinforced and should also evaluate the possibility of a role for ENISA in supporting the assessment of third country ICT products, ICT services and ICT processes that do not comply with Union rules, where such products, services and processes enter the Union.

(109)

Since the objectives of this Regulation cannot be sufficiently achieved by the Member States but can rather, by reason of its scale and effects, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union (TEU). In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve those objectives.

(110)

Regulation (EU) No 526/2013 should be repealed,

(1)

The purpose of this Directive is to contribute to the proper functioning of the internal market by approximating laws, regulations and administrative provisions of the Member States as regards accessibility requirements for certain products and services by, in particular, eliminating and preventing barriers to the free movement of certain accessible products and services arising from divergent accessibility requirements in the Member States. This would increase the availability of accessible products and services in the internal market and improve the accessibility of relevant information.

(2)

The demand for accessible products and services is high and the number of persons with disabilities is projected to increase significantly. An environment where products and services are more accessible allows for a more inclusive society and facilitates independent living for persons with disabilities. In this context, it should be borne in mind that the prevalence of disability in the Union is higher among women than among men.

(3)

This Directive defines persons with disabilities in line with the United Nations Convention on the Rights of Persons with Disabilities, adopted on 13 December 2006 (UN CRPD), to which the Union has been a Party since 21 January 2011 and which all Member States have ratified. The UN CRPD states that persons with disabilities ‘include those who have long-term physical, mental, intellectual or sensory impairments which in interaction with various barriers may hinder their full and effective participation in society on an equal basis with others’. This Directive promotes full and effective equal participation by improving access to mainstream products and services that, through their initial design or subsequent adaptation, address the particular needs of persons with disabilities.

(4)

Other persons who experience functional limitations, such as elderly persons, pregnant women or persons travelling with luggage, would also benefit from this Directive. The concept of ‘persons with functional limitations’, as referred to in this Directive, includes persons who have any physical, mental, intellectual or sensory impairments, age related impairments, or other human body performance related causes, permanent or temporary, which, in interaction with various barriers, result in their reduced access to products and services, leading to a situation that requires those products and services to be adapted to their particular needs.

(5)

The disparities between the laws, regulations and administrative provisions of Member States concerning the accessibility of products and services for persons with disabilities, create barriers to the free movement of products and services and distort effective competition in the internal market. For some products and services, those disparities are likely to increase in the Union after the entry into force of the UN CRPD. Economic operators, in particular small and medium-sized enterprises (SMEs), are particularly affected by those barriers.

(6)

Due to the differences in national accessibility requirements, individual professionals, SMEs and microenterprises in particular are discouraged from entering into business ventures outside their own domestic markets. The national, or even regional or local, accessibility requirements that Member States have put in place currently differ as regards both coverage and level of detail. Those differences negatively affect competitiveness and growth, due to the additional costs incurred in the development and marketing of accessible products and services for each national market.

(7)

Consumers of accessible products and services and of assistive technologies, are faced with high prices due to limited competition among suppliers. Fragmentation among national regulations reduces potential benefits derived from sharing with national and international peers experiences concerning responding to societal and technological developments.

(8)

The approximation of national measures at Union level is therefore necessary for the proper functioning of the internal market in order to put an end to fragmentation in the market of accessible products and services, to create economies of scale, to facilitate cross-border trade and mobility, as well as to help economic operators to concentrate resources on innovation instead of using those resources to cover expenses arising from fragmented legislation across the Union.

(9)

The benefits of harmonising accessibility requirements for the internal market have been demonstrated by the application of Directive 2014/33/EU of the European Parliament and of the Council (3) regarding lifts and Regulation (EC) No 661/2009 of the European Parliament and of the Council (4) in the area of transport.

(10)

In Declaration No 22, regarding persons with a disability, annexed to the Treaty of Amsterdam, the Conference of the Representatives of the Governments of the Member States agreed that, in drawing up measures under Article 114 of the Treaty on the Functioning of the European Union (TFEU), the institutions of the Union are to take account of the needs of persons with disabilities.

(11)

The overall aim of the communication of the Commission of 6 May 2015‘A Digital Single Market Strategy for Europe’, is to deliver sustainable economic and social benefits from a connected digital single market, thereby facilitating trade and promoting employment within the Union. Union consumers still do not enjoy the full benefits of prices and choice that the single market can offer, because cross-border online transactions are still very limited. Fragmentation also limits demand for cross-border e-commerce transactions. There is also a need for concerted action to ensure that electronic content, electronic communications services and access to audiovisual media services are fully available to persons with disabilities. It is therefore necessary to harmonise accessibility requirements across the digital single market and to ensure that all Union citizens, regardless of their abilities, can enjoy its benefits.

(12)

Since the Union became a Party to the UN CRPD, its provisions have become an integral part of the Union legal order and are binding upon the institutions of the Union and on its Member States.

(13)

The UN CRPD requires its Parties to take appropriate measures to ensure that persons with disabilities have access, on an equal basis with others, to the physical environment, to transportation, to information and communications, including information and communications technologies and systems, and to other facilities and services open or provided to the public, both in urban and in rural areas. The United Nations Committee on the Rights of Persons with Disabilities has identified the need to create a legislative framework with concrete, enforceable and time-bound benchmarks for monitoring the gradual implementation of accessibility.

(14)

The UN CRPD calls on its Parties to undertake or promote research and development of, and to promote the availability and use of, new technologies, including information and communications technologies, mobility aids, devices and assistive technologies, suitable for persons with disabilities. The UN CRPD also calls for priority to be given to affordable technologies.

(15)

The entry into force of the UN CRPD in the Member States’ legal orders entails the need to adopt additional national provisions on accessibility of products and services. Without Union action, those provisions would further increase disparities between the laws, regulations and administrative provisions of the Member States.

(16)

It is therefore necessary to facilitate the implementation in the Union of the UN CRPD by providing common Union rules. This Directive also supports Member States in their efforts to fulfil their national commitments, as well as their obligations under the UN CRPD regarding accessibility in a harmonised manner.

(17)

The communication of the Commission of 15 November 2010‘European Disability Strategy 2010-2020 – A Renewed Commitment to a Barrier-Free Europe’ – in line with the UN CRPD, identifies accessibility as one of the eight areas of action, indicates that it is a basic precondition for participation in society, and aims to ensure the accessibility of products and services.

(18)

The determination of the products and services falling within the scope of this Directive is based on a screening exercise which was carried out during the preparation of the Impact Assessment that identified relevant products and services for persons with disabilities, and for which Member States have adopted or are likely to adopt diverging national accessibility requirements disruptive to the functioning of the internal market.

(19)

In order to ensure the accessibility of the services falling within the scope of this Directive, products used in the provision of those services with which the consumer interacts should also be required to comply with the applicable accessibility requirements of this Directive.

(20)

Even if a service, or part of a service, is subcontracted to a third party, the accessibility of that service should not be compromised and the service providers should comply with the obligations of this Directive. Service providers should also ensure proper and continuous training of their personnel in order to ensure that they are knowledgeable about how to use accessible products and services. That training should cover issues such as information provision, advice and advertising.

(21)

Accessibility requirements should be introduced in the manner that is least burdensome for the economic operators and the Member States.

(22)

It is necessary to specify accessibility requirements for the placing on the market of products and services which fall within the scope of this Directive, in order to ensure their free movement in the internal market.

(23)

This Directive should make functional accessibility requirements compulsory and they should be formulated in terms of general objectives. Those requirements should be precise enough to create legally binding obligations and sufficiently detailed so as to make it possible to assess conformity in order to ensure the good functioning of the internal market for the products and services covered by this Directive, as well as leave a certain degree of flexibility in order to allow for innovation.

(24)

This Directive contains a number of functional performance criteria related to modes of operations of products and services. Those criteria are not meant as a general alternative to the accessibility requirements of this Directive but should be used in very specific circumstances only. Those criteria should apply to specific functions or features of the products or services, to make them accessible, when the accessibility requirements of this Directive do not address one or more of those specific functions or features. In addition, in the event that an accessibility requirement contains specific technical requirements, and an alternative technical solution for those technical requirements is provided in the product or service, this alternative technical solution should still comply with the related accessibility requirements, and should result in equivalent or increased accessibility, by applying the relevant functional performance criteria.

(25)

This Directive should cover consumer general purpose computer hardware systems. For those systems to perform in an accessible manner, their operating systems should also be accessible. Such computer hardware systems are characterised by their multipurpose nature and their ability to perform, with the appropriate software, the most common computing tasks requested by consumers and are intended to be operated by consumers. Personal computers, including desktops, notebooks, smartphones and tablets are examples of such computer hardware systems. Specialised computers embedded in consumer electronics products do not constitute consumer general purpose computer hardware systems. This Directive should not cover, on an individual basis, single components with specific functions, such as a mainboard or a memory chip, that are used or that might be used in such a system.

(26)

This Directive should also cover payment terminals, including both their hardware and software, and certain interactive self-service terminals, including both their hardware and software, dedicated to be used for the provision of services covered by this Directive: for example automated teller machines; ticketing machines issuing physical tickets granting access to services such as travel ticket dispensers; bank office queuing ticket machines; check-in machines; and interactive self-service terminals providing information, including interactive information screens.

(27)

However, certain interactive self-service terminals providing information installed as integrated parts of vehicles, aircrafts, ships or rolling stock should be excluded from the scope of this Directive, since these form part of those vehicles, aircrafts, ships or rolling stock which are not covered by this Directive.

(28)

This Directive should also cover electronic communications services including emergency communications as defined in Directive (EU) 2018/1972 of the European Parliament and of the Council (5). At present, the measures taken by Member States to provide access to persons with disabilities are divergent and are not harmonised throughout the internal market. Ensuring that the same accessibility requirements apply throughout the Union will lead to economies of scale for economic operators active in more than one Member State and facilitate the effective access for persons with disabilities, both in their own Member State and when travelling between Member States. For electronic communications services including emergency communications to be accessible, providers should, in addition to voice, provide real time text, and total conversation services where video is provided by them, ensuring the synchronisation of all those communication means. Member States should, in addition to the requirements of this Directive, in accordance with Directive (EU) 2018/1972, be able to determine a relay service provider that could be used by persons with disabilities.

(29)

This Directive harmonises accessibility requirements for electronic communications services and related products and complements Directive (EU) 2018/1972 which sets requirements on equivalent access and choice for end-users with disabilities. Directive (EU) 2018/1972 also sets requirements under universal service obligations on the affordability of internet access and voice communications and on the affordability and availability of related terminal equipment, specific equipment and services for consumers with disabilities.

(30)

This Directive should also cover consumer terminal equipment with interactive computing capability foreseeably to be primarily used to access electronic communications services. For the purposes of this Directive that equipment should be deemed to include equipment used as part of the setup in accessing electronic communications services such as a router or a modem.

(31)

For the purposes of this Directive, access to audiovisual media services should mean that the access to audiovisual content is accessible, as well as mechanisms that allow users with disabilities to use their assistive technologies. Services providing access to audiovisual media services could include websites, online applications, set-top box-based applications, downloadable applications, mobile device-based services including mobile applications and related media players as well as connected television services. Accessibility of audiovisual media services is regulated in Directive 2010/13/EU of the European Parliament and of the Council (6), with the exception of the accessibility of electronic programme guides (EPGs) which are included in the definition of services providing access to audiovisual media services to which this Directive applies.

(32)

In the context of air, bus, rail and waterborne passenger transport services this Directive should cover, inter alia, the delivery of transport service information including real-time travel information through websites, mobile device-based services, interactive information screens and interactive self-service terminals, required by passengers with disabilities in order to travel. This could include information about the service provider’s passenger transport products and services, pre-journey information, information during the journey and information provided when a service is cancelled or its departure is delayed. Other elements of information could also include information on prices and promotions.

(33)

This Directive should also cover websites, mobile device-based services including mobile applications developed or made available by operators of passenger transport services within the scope of this Directive or on their behalf, electronic ticketing services, electronic tickets and interactive self-service terminals.

(34)

The determination of the scope of this Directive with regard to air, bus, rail and waterborne passenger transport services should be based on the existing sectorial legislation relating to passenger rights. Where this Directive does not apply to certain types of transport services, Member States should encourage service providers to apply the relevant accessibility requirements of this Directive.

(35)

Directive (EU) 2016/2102 of the European Parliament and of the Council (7) already lays down obligations for public sector bodies providing transport services, including urban and suburban transport services and regional transport services, to make their websites accessible. This Directive contains exemptions for microenterprises providing services, including urban and suburban transport services and regional transport services. In addition, this Directive includes obligations to ensure that e-commerce websites are accessible. Since this Directive contains obligations for the large majority of private transport service providers to make their websites accessible, when selling tickets online, it is not necessary to introduce in this Directive further requirements for the websites of urban and suburban transport service providers and regional transport service providers.

(36)

Certain elements of the accessibility requirements, in particular in relation to the provision of information as set out in this Directive, are already covered by existing Union law in the field of passenger transport. This includes elements of Regulation (EC) No 261/2004 of the European Parliament and of the Council (8), Regulation (EC) No 1107/2006 of the European Parliament and of the Council (9), Regulation (EC) No 1371/2007 of the European Parliament and of the Council (10), Regulation (EU) No 1177/2010 of the European Parliament and of the Council (11) and Regulation (EU) No 181/2011 of the European Parliament and of the Council (12). This includes also relevant acts adopted on the basis of Directive 2008/57/EC of the European Parliament and of the Council (13). To ensure regulatory consistency, the accessibility requirements set out in those Regulations and those acts should continue to apply as before. However, additional requirements of this Directive would supplement the existing requirements, improving the functioning of the internal market in the area of transport and benefiting persons with disabilities.

(37)

Certain elements of transport services should not be covered by this Directive when provided outside the territory of the Member States even where the service has been directed towards the Union market. With regard to those elements, a passenger transport service operator should only be obliged to ensure that the requirements of this Directive are met with regard to the part of the service offered within the territory of the Union. However, in the case of air transport, Union air carriers should ensure that the applicable requirements of this Directive are also satisfied on flights departing from an airport situated in a third country and flying to an airport situated within the territory of a Member State. Furthermore, all air carriers, including those which are not licenced in the Union, should ensure that the applicable requirements of this Directive are satisfied in cases where the flights depart from a Union territory to a third country territory.

(38)

Urban authorities should be encouraged to integrate barrier-free accessibility to urban transport services in their Sustainable Urban Mobility Plans (SUMPs), as well as to regularly publish lists of best practices regarding barrier-free accessibility to urban public transport and mobility.

(39)

Union law on banking and financial services aims to protect and provide information to consumers of those services across the Union but does not include accessibility requirements. With a view to enabling persons with disabilities to use those services throughout the Union, including where provided through websites and mobile device-based services including mobile applications, to make well-informed decisions, and to feel confident that they are adequately protected on an equal basis with other consumers, as well as ensure a level playing field for service providers, this Directive should establish common accessibility requirements for certain banking and financial services provided to consumers.

(40)

The appropriate accessibility requirements should also apply to identification methods, electronic signature and payment services, since they are necessary for concluding consumer banking transactions.

(41)

E-book files are based on a electronic computer coding that enables the circulation and consultation of a mostly textual and graphical intellectual work. The degree of precision of this coding determines the accessibility of e-book files, in particular regarding the qualification of the different constitutive elements of the work and the standardised description of its structure. The interoperability in terms of accessibility should optimise the compatibility of those files with the user agents and with current and future assistive technologies. Specific features of special volumes like comics, children’s books and art books should be considered in the light of all applicable accessibility requirements. Divergent accessibility requirements in Member States would make it difficult for publishers and other economic operators to benefit from the advantages of the internal market, could create interoperability problems with e-readers and would limit the access for consumers with disabilities. In the context of e-books, the concept of a service provider could include publishers and other economic operators involved in their distribution.

It is recognised that persons with disabilities continue to face barriers to accessing content which is protected by copyright and related rights, and that certain measures have already been taken to address this situation for example through the adoption of Directive (EU) 2017/1564 of the European Parliament and of the Council (14) and Regulation (EU) 2017/1563 of the European Parliament and of the Council (15), and that further Union measures could be taken in this respect in the future.

(42)

This Directive defines e-commerce services as a service provided at a distance, through websites and mobile device-based services, by electronic means and at the individual request of a consumer, with a view to concluding a consumer contract. For the purposes of that definition ‘at a distance’ means that the service is provided without the parties being simultaneously present; ‘by electronic means’ means that the service is initially sent and received at its destination by means of electronic equipment for the processing (including digital compression) and storage of data, and transmitted, conveyed and received in its entirety by wire, by radio, by optical means or by other electromagnetic means; ‘at the individual request of a consumer’ means that the service is provided on individual request. Given the increased relevance of e-commerce services and their high technological nature, it is important to have harmonised requirements for their accessibility.

(43)

The e-commerce services accessibility obligations of this Directive should apply to the online sale of any product or service and should therefore also apply to the sale of a product or service covered in its own right under this Directive.

(44)

The measures related to the accessibility of the answering of emergency communications should be adopted without prejudice to, and should have no impact on, the organisation of emergency services, which remains in the exclusive competence of Member States.

(45)

In accordance with Directive (EU) 2018/1972, Member States are to ensure that access for end-users with disabilities to emergency services is available through emergency communications and is equivalent to that enjoyed by other end-users, in accordance with Union law harmonising accessibility requirements for products and services. The Commission and the national regulatory or other competent authorities are to take appropriate measures to ensure that, whilst travelling in another Member State, end-users with disabilities can access emergency services on an equivalent basis with other end-users, where feasible without any pre-registration. Those measures seek to ensure interoperability across Member States and are to be based, to the greatest extent possible, on European standards or specifications laid down in accordance with Article 39 of Directive (EU) 2018/1972. Such measures do not prevent Member States from adopting additional requirements in order to pursue the objectives set out in that Directive. As an alternative to fulfilling the accessibility requirements with regard to the answering of emergency communications for users with disabilities set out in this Directive, Member States should be able to determine a third party relay service provider to be used by persons with disabilities to communicate with the public safety answering point, until those public safety answering points are capable of using electronic communications services through internet protocols for ensuring accessibility of answering the emergency communications. In any case, obligations of this Directive should not be understood to restrict or lower any obligations for the benefit of end-users with disabilities, including equivalent access to electronic communications services and emergency services as well as accessibility obligations as set out in Directive (EU) 2018/1972.

(46)

Directive (EU) 2016/2102 defines accessibility requirements for websites and mobile applications of public sector bodies and other related aspects, in particular requirements relating to the compliance of the relevant websites and mobile applications. However, that Directive contains a specific list of exceptions. Similar exceptions are relevant for this Directive. Some activities that take place via websites and mobile applications of public sector bodies, such as passenger transport services or e-commerce services, which fall within the scope of this Directive, should in addition comply with the applicable accessibility requirements of this Directive in order to ensure that the online sale of products and services is accessible for persons with disabilities irrespective whether the seller is a public or private economic operator. The accessibility requirements of this Directive should be aligned to the requirements of Directive (EU) 2016/2102, despite differences, for example, in monitoring, reporting and enforcement.

(47)

The four principles of accessibility of websites and mobile applications, as used in Directive (EU) 2016/2102, are: perceivability, meaning that information and user interface components must be presentable to users in ways they can perceive; operability, meaning that user interface components and navigation must be operable; understandability, meaning that information and the operation of the user interface must be understandable; and robustness, meaning that content must be robust enough to be interpreted reliably by a wide variety of user agents, including assistive technologies. Those principles are also relevant for this Directive.

(48)

Member States should take all appropriate measures to ensure that, where the products and services covered by this Directive comply with the applicable accessibility requirements, their free movement within the Union is not impeded for reasons related to accessibility requirements.

(49)

In some situations, common accessibility requirements of the built environment would facilitate the free movement of the related services and of persons with disabilities. Therefore, this Directive should enable Member States to include the built environment used in the provision of the services under the scope of this Directive, ensuring compliance with the accessibility requirements set out in Annex III.

(50)

Accessibility should be achieved by the systematic removal and prevention of barriers, preferably through a universal design or ‘design for all’ approach, which contributes to ensuring access for persons with disabilities on an equal basis with others. According to the UN CRPD, that approach ‘means the design of products, environments, programmes and services to be usable by all people, to the greatest extent possible, without the need for adaptation or specialized design’. In line with the UN CRPD, ’‘universal design’ shall not exclude assistive devices for particular groups of persons with disabilities where this is needed’. Furthermore, accessibility should not exclude the provision of reasonable accommodation when required by Union law or national law. Accessibility and universal design should be interpreted in line with General Comment No 2(2014) – Article 9: Accessibility as written by the Committee on the Rights of Persons with Disabilities.

(51)

Products and services falling within the scope of this Directive do not automatically fall within the scope of Council Directive 93/42/EEC (16). However, some assistive technologies which are medical devices, might fall within the scope of that Directive.

(52)

Most jobs in the Union are provided by SMEs and microenterprises. They have a crucial importance for future growth, but very often face hurdles and obstacles in developing their products or services, in particular in the cross-border context. It is therefore necessary to facilitate the work of the SMEs and microenterprises by harmonising the national provisions on accessibility while maintaining the necessary safeguards.

(53)

For microenterprises and SMEs to benefit from this Directive they must genuinely fulfil the requirements of Commission Recommendation 2003/361/EC (17), and the relevant case law, aimed at preventing the circumvention of its rules.

(54)

In order to ensure the consistency of Union law, this Directive should be based on Decision No 768/2008/EC of the European Parliament and of the Council (18), since it concerns products already subject to other Union acts, while recognising the specific features of the accessibility requirements of this Directive.

(55)

All economic operators falling within the scope of this Directive and intervening in the supply and distribution chain should ensure that they make available on the market only products which are in conformity with this Directive. The same should apply to economic operators providing services. It is necessary to provide for a clear and proportionate distribution of obligations which correspond to the role of each economic operator in the supply and distribution process.

(56)

Economic operators should be responsible for the compliance of products and services, in relation to their respective roles in the supply chain, so as to ensure a high level of protection of accessibility and to guarantee fair competition on the Union market.

(57)

The obligations of this Directive should apply equally to economic operators from the public and private sectors.

(58)

The manufacturer having detailed knowledge of the design and production process is best placed to carry out the complete conformity assessment. While the responsibility for the conformity of products rests with the manufacturer, market surveillance authorities should play a crucial role in checking whether products made available in the Union are manufactured in accordance with Union law.

(59)

Importers and distributors and should be involved in market surveillance tasks carried out by national authorities, and should participate actively, providing the competent authorities with all necessary information relating to the product concerned.

(60)

Importers should ensure that products from third countries entering the Union market comply with this Directive and in particular that appropriate conformity assessment procedures have been carried out by manufacturers with regard to those products.

(61)

When placing a product on the market, importers should indicate, on the product, their name, registered trade name or registered trade mark and the address at which they can be contacted.

(62)

Distributors should ensure that their handling of the product does not adversely affect the compliance of the product with the accessibility requirements of this Directive.

(63)

Any economic operator that either places a product on the market under its name or trademark or modifies a product already placed on the market in such a way that compliance with applicable requirements might be affected should be considered to be the manufacturer and should assume the obligations of the manufacturer.

(64)

For reasons of proportionality, accessibility requirements should only apply to the extent that they do not impose a disproportionate burden on the economic operator concerned, or to the extent that they do not require a significant change in the products and services which would result in their fundamental alteration in the light of this Directive. Control mechanisms should nevertheless be in place in order to verify entitlement to exceptions to the applicability of accessibility requirements.

(65)

This Directive should follow the principle of ‘think small first’ and should take account of the administrative burdens that SMEs are faced with. It should set light rules in terms of conformity assessment and should establish safeguard clauses for economic operators, rather than providing for general exceptions and derogations for those enterprises. Consequently, when setting up the rules for the selection and implementation of the most appropriate conformity assessment procedures, the situation of SMEs should be taken into account and the obligations to assess conformity of accessibility requirements should be limited to the extent that they do not impose a disproportionate burden on SMEs. In addition, market surveillance authorities should operate in a proportionate manner in relation to the size of undertakings and to the small serial or non-serial nature of the production concerned, without creating unnecessary obstacles for SMEs and without compromising the protection of public interest.

(66)

In exceptional cases, where the compliance with accessibility requirements of this Directive would impose a disproportionate burden on economic operators, economic operators should only be required to comply with those requirements to the extent that they do not impose a disproportionate burden. In such duly justified cases, it would not be reasonably possible for an economic operator to fully apply one or more of the accessibility requirements of this Directive. However, the economic operator should make a service or a product that falls within the scope of this Directive as accessible as possible by applying those requirements to the extent that they do not impose a disproportionate burden. Those accessibility requirements which were not considered by the economic operator to impose a disproportionate burden should apply fully. Exceptions to compliance with one or more accessibility requirements due to the disproportionate burden that they impose should not go beyond what is strictly necessary in order to limit that burden with respect to the particular product or service concerned in each individual case. Measures that would impose a disproportionate burden should be understood as measures that would impose an additional excessive organisational or financial burden on the economic operator, while taking into account the likely resulting benefit for persons with disabilities in line with the criteria set out in this Directive. Criteria based on these considerations should be defined in order to enable both economic operators and relevant authorities to compare different situations and to assess in a systematic way whether a disproportionate burden exists. Only legitimate reasons should be taken into account in any assessment of the extent to which the accessibility requirements cannot be met because they would impose a disproportionate burden. Lack of priority, time or knowledge should not be considered to be legitimate reasons.

(67)

The overall assessment of a disproportionate burden should be done using the criteria set out in Annex VI. The assessment of disproportionate burden should be documented by the economic operator taking into account the relevant criteria. Service providers should renew their assessment of a disproportionate burden at least every five years.

(68)

The economic operator should inform the relevant authorities that it has relied on the provisions of this Directive related to fundamental alteration and/or disproportionate burden. Only upon a request from the relevant authorities should the economic operator provide a copy of the assessment explaining why its product or service is not fully accessible and providing evidence of the disproportionate burden or fundamental alteration, or both.

(69)

If on the basis of the required assessment, a service provider concludes that it would constitute a disproportionate burden to require that all self-service terminals, used in the provision of services covered by this Directive, comply with the accessibility requirements of this Directive, the service provider should still apply those requirements to the extent that those requirements do not impose such a disproportionate burden on it. Consequently, the service providers should assess the extent to which a limited level of accessibility in all self-service terminals or a limited number of fully accessible self-service terminals would enable them to avoid a disproportionate burden that would otherwise be imposed on them, and should be required to comply with the accessibility requirements of this Directive only to that extent.

(70)

Microenterprises are distinguished from all other undertakings by their limited human resources, annual turnover or annual balance sheet. The burden of complying with the accessibility requirements for microenterprises therefore, in general, takes a greater share of their financial and human resources than for other undertakings and is more likely to represent a disproportionate share of the costs. A significant proportion of cost for microenterprises comes from completing or keeping paperwork and records to demonstrate compliance with the different requirements set out in Union law. While all economic operators covered by this Directive should be able to assess the proportionality of complying with the accessibility requirements of this Directive and should only comply with them to the extent they are not disproportionate, demanding such an assessment from microenterprises providing services would in itself constitute a disproportionate burden. The requirements and obligations of this Directive should therefore not apply to microenterprises providing services within the scope of this Directive.

(71)

For microenterprises dealing with products falling within the scope of this Directive the requirements and obligations of this Directive should be lighter in order to reduce the administrative burden.

(72)

While some microenterprises are exempted from the obligations of this Directive, all microenterprises should be encouraged to manufacture, import or distribute products and to provide services that comply with the accessibility requirements of this Directive, in order to increase their competitiveness as well as their growth potential in the internal market. Member States should, therefore, provide guidelines and tools to microenterprises to facilitate the application of national measures transposing this Directive.

(73)

All economic operators should act responsibly and in full accordance with the legal requirements applicable when placing or making products available on the market or providing services on the market.

(74)

In order to facilitate the assessment of conformity with the applicable accessibility requirements it is necessary to provide for a presumption of conformity for products and services which are in conformity with voluntary harmonised standards that are adopted in accordance with Regulation (EU) No 1025/2012 of the European Parliament and of the Council (19) for the purpose of drawing up detailed technical specifications of those requirements. The Commission has already issued a number of standardisation requests to the European standardisation organisations on accessibility, such as standardisation mandates M/376, M/473 and M/420, which would be relevant for the preparation of harmonised standards.

(75)

Regulation (EU) No 1025/2012 provides for a procedure for formal objections to harmonised standards that are considered not to comply with the requirements of this Directive.

(76)

European standards should be market-driven, take into account the public interest, as well as the policy objectives clearly stated in the Commission’s request to one or more European standardisation organisations to draft harmonised standards, and be based on consensus. In the absence of harmonised standards and where needed for internal market harmonisation purposes, the Commission should be able to adopt in certain cases implementing acts establishing technical specifications for the accessibility requirements of this Directive. Recourse to technical specifications should be limited to such cases. The Commission should be able to adopt technical specifications for instance when the standardisation process is blocked due to a lack of consensus between stakeholders or there are undue delays in the establishment of a harmonised standard, for example because the required quality is not reached. The Commission should leave enough time between the adoption of a request to one or more European standardisation organisations to draft harmonised standards and the adoption of a technical specification related to the same accessibility requirement. The Commission should not be allowed to adopt a technical specification if it has not previously tried to have the accessibility requirements covered through the European standardisation system, except where the Commission can demonstrate that the technical specifications respect the requirements laid down in Annex II of Regulation (EU) No 1025/2012.

(77)

With a view to establishing, in the most efficient way, harmonised standards and technical specifications that meet the accessibility requirements of this Directive for products and services, the Commission should, where this is feasible, involve European umbrella organisations of persons with disabilities and all other relevant stakeholders in the process.

(78)

To ensure effective access to information for market surveillance purposes, the information required to declare compliance with all applicable Union acts should be made available in a single EU declaration of conformity. In order to reduce the administrative burden on economic operators, they should be able to include in the single EU declaration of conformity all relevant individual declarations of conformity.

(79)

For conformity assessment of products, this Directive should use the Internal production control of ‘Module A’, set out in Annex II to Decision No 768/2008/EC, as it enables economic operators to demonstrate, and the competent authorities to ensure, that products made available on the market conform to the accessibility requirements while not imposing an undue burden.

(80)

When carrying out market surveillance of products and checking compliance of services, authorities should also check the conformity assessments, including whether the relevant assessment of fundamental alteration or disproportionate burden was properly carried out. When carrying out their duties authorities should also do so in cooperation with persons with disabilities and the organisations that represent them and their interests.

(81)

For services, the information necessary to assess conformity with the accessibility requirements of this Directive should be provided in the general terms and conditions, or in an equivalent document, without prejudice to Directive 2011/83/EU of the European Parliament and of the Council (20).

(82)

The CE marking, indicating the conformity of a product with the accessibility requirements of this Directive, is the visible consequence of a whole process comprising conformity assessment in a broad sense. This Directive should follow the general principles governing the CE marking of Regulation (EC) No 765/2008 of the European Parliament and of the Council (21) setting out the requirements for accreditation and market surveillance relating to the marketing of products. In addition to making the EU declaration of conformity, the manufacturer should inform consumers in a cost-effective manner about the accessibility of their products.

(83)

In accordance with Regulation (EC) No 765/2008, by affixing the CE marking to a product, the manufacturer declares that the product is in conformity with all applicable accessibility requirements and that the manufacturer takes full responsibility therefor.

(84)

In accordance with Decision No 768/2008/EC, Member States are responsible for ensuring strong and efficient market surveillance of products in their territories and should allocate sufficient powers and resources to their market surveillance authorities.

(85)

Member States should check the compliance of services with the obligations of this Directive and should follow up complaints or reports related to non-compliance in order to ensure that corrective action has been taken.

(86)

Where appropriate the Commission, in consultation with stakeholders, could adopt non-binding guidelines to support coordination among market surveillance authorities and authorities responsible for checking compliance of services. The Commission and Member States should be able to set up initiatives for the purpose of sharing the resources and expertise of authorities.

(87)

Member States should ensure that market surveillance authorities and authorities responsible for checking compliance of services check the compliance of the economic operators with the criteria set out in Annex VI in accordance with Chapters VIII and IX. Member States should be able to designate a specialised body for carrying out the obligations of market surveillance authorities or authorities responsible for checking compliance of services under this Directive. Member States should be able to decide that the competences of such a specialised body should be limited to the scope of this Directive or certain parts thereof, without prejudice to the Member States’ obligations under Regulation (EC) No 765/2008.

(88)

A safeguard procedure should be set up to apply in the event of disagreement between Member States over measures taken by a Member State under which interested parties are informed of measures intended to be taken with regard to products not complying with the accessibility requirements of this Directive. The safeguard procedure should allow market surveillance authorities, in cooperation with the relevant economic operators, to act at an earlier stage in respect of such products.

(89)

Where the Member States and the Commission agree that a measure taken by a Member State is justified, no further involvement of the Commission should be required, except where non-compliance can be attributed to shortcomings in the harmonised standards or in the technical specifications.

(90)

Directives 2014/24/EU (22) and 2014/25/EU (23) of the European Parliament and of the Council on public procurement, defining procedures for the procurement of public contracts and design contests for certain supplies (products), services and works, establish that, for all procurement which is intended for use by natural persons, whether general public or staff of the contracting authority or entity, the technical specifications are, except in duly justified cases, to be drawn up so as to take into account accessibility criteria for persons with disabilities or design for all users. Furthermore, those Directives require that, where mandatory accessibility requirements are adopted by a legal act of the Union, technical specifications are, as far as accessibility for persons with disabilities or design for all users are concerned, to be established by reference thereto. This Directive should establish mandatory accessibility requirements for products and services covered by it. For products and services not falling under the scope of this Directive, the accessibility requirements of this Directive are not binding. However, the use of those accessibility requirements to fulfil the relevant obligations set out in Union acts other than this Directive would facilitate the implementation of accessibility and contribute to the legal certainty and to the approximation of accessibility requirements across the Union. Authorities should not be prevented from establishing accessibility requirements that go beyond the accessibility requirements set out in Annex I to this Directive.

(91)

This Directive should not change the compulsory or voluntary nature of the provisions related to accessibility in other Union acts.

(92)

This Directive should only apply to procurement procedures for which the call for competition has been sent or, in cases where a call for competition is not foreseen, where the contracting authority or contracting entity has commenced the procurement procedure after the date of application of this Directive.

(93)

In order to ensure the proper application of this Directive, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission in respect of: further specifying the accessibility requirements that, by their very nature, cannot produce their intended effect unless they are further specified in binding legal acts of the Union; changing the period during which economic operators are to be able to identify any other economic operator who has supplied them with a product or to whom they have supplied a product; and further specifying the relevant criteria that are to be taken into account by the economic operator for the assessment of whether compliance with the accessibility requirements would impose a disproportionate burden. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making (24). In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States’ experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts.

(94)

In order to ensure uniform conditions for the implementation of this Directive, implementing powers should be conferred on the Commission with regard to the technical specifications. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council (25).

(95)

Member States should ensure that adequate and effective means exist to ensure compliance with this Directive and should therefore establish appropriate control mechanisms, such as a posteriori control by the market surveillance authorities, in order to verify that the exemption from the accessibility requirements application is justified. When dealing with complaints related to accessibility, Member States should comply with the general principle of good administration, and in particular with the obligation of officials to ensure that a decision on each complaint is taken within a reasonable time-limit.

(96)

In order to facilitate the uniform implementation of this Directive, the Commission should establish a working group consisting of relevant authorities and stakeholders to facilitate exchange of information and of best practices and to provide advice. Cooperation should be fostered between authorities and relevant stakeholders, including persons with disabilities and organisations that represent them, inter alia, to improve coherence in the application of provisions of this Directive concerning accessibility requirements and to monitor implementation of its provisions on fundamental alteration and disproportionate burden.

(97)

Given the existing legal framework concerning remedies in the areas covered by Directives 2014/24/EU and 2014/25/EU, the provisions of this Directive relating to enforcement and penalties should not be applicable to the procurement procedures subject to the obligations imposed by this Directive. Such exclusion is without prejudice to the obligations of Member States under the Treaties to take all measures necessary to guarantee the application and effectiveness of Union law.

(98)

Penalties should be adequate in relation to the character of the infringements and to the circumstances so as not to serve as an alternative to the fulfilment by economic operators of their obligations to make their products or services accessible.

(99)

Member States should ensure that, in accordance with existing Union law, alternative dispute resolutions mechanisms are in place that allow the resolution of any alleged non-compliance with this Directive prior to an action being brought before courts or competent administrative bodies.

(100)

In accordance with the Joint Political Declaration of 28 September 2011 of Member States and the Commission on explanatory documents (26), Member States have undertaken to accompany, in justified cases, the notification of their transposition measures with one or more documents explaining the relationship between the components of a Directive and the corresponding parts of national transposition instruments. With regard to this Directive, the legislator considers the transmission of such documents to be justified.

(101)

In order to allow service providers sufficient time to adapt to the requirements of this Directive, it is necessary to provide for a transitional period of five years after the date of application of this Directive, during which products used for the provision of a service which were placed on the market before that date do not need to comply with the accessibility requirements of this Directive unless they are replaced by the service providers during the transitional period. Given the cost and long life-cycle of self-service terminals, it is appropriate to provide that, when such terminals are used in the provision of services, they may continue to be used until the end of their economic life, as long as they are not replaced during that period, but not for longer than 20 years.

(102)

The accessibility requirements of this Directive should apply to products placed on the market and services provided after the date of application of the national measures transposing this Directive, including used and second-hand products imported from a third country and placed on the market after that date.

(103)

This Directive respects the fundamental rights and observes the principles recognised in particular by the Charter of Fundamental Rights of the European Union (‘the Charter’). In particular, this Directive seeks to ensure full respect for the rights of persons with disabilities to benefit from measures designed to ensure their independence, social and occupational integration and participation in the life of the community and to promote the application of Articles 21, 25 and 26 of the Charter.

(104)

Since the objective of this Directive, namely, the elimination of barriers to the free movement of certain accessible products and services, in order to contribute to the proper functioning of the internal market, cannot be sufficiently achieved by the Member States because it requires the harmonisation of different rules currently existing in their respective legal systems, but can rather, by defining common accessibility requirements and rules for the functioning of the internal market, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality, as set out in that Article, this Directive does not go beyond what is necessary in order to achieve that objective,