Article 8, Compliance with obligations for gatekeepers
1. The gatekeeper shall ensure and demonstrate compliance with the obligations laid down in Articles 5, 6 and 7 of this Regulation. The measures implemented by the gatekeeper to ensure compliance with those Articles shall be effective in achieving the objectives of this Regulation and of the relevant obligation. The gatekeeper shall ensure that the implementation of those measures complies with applicable law, in particular Regulation (EU) 2016/679, Directive 2002/58/EC, legislation on cyber security, consumer protection, product safety, as well as with the accessibility requirements.
2. The Commission may, on its own initiative or at the request of a gatekeeper pursuant to paragraph 3 of this Article, open proceedings pursuant to Article 20.
The Commission may adopt an implementing act, specifying the measures that the gatekeeper concerned is to implement in order to effectively comply with the obligations laid down in Articles 6 and 7. That implementing act shall be adopted within 6 months from the opening of proceedings pursuant to Article 20 in accordance with the advisory procedure referred to in Article 50(2).
When opening proceedings on its own initiative for circumvention pursuant to Article 13, such measures may concern the obligations laid down in Articles 5, 6 and 7.
3. A gatekeeper may request the Commission to engage in a process to determine whether the measures that that gatekeeper intends to implement or has implemented to ensure compliance with Articles 6 and 7 are effective in achieving the objective of the relevant obligation in the specific circumstances of the gatekeeper. The Commission shall have discretion in deciding whether to engage in such a process, respecting the principles of equal treatment, proportionality and good administration.
In its request, the gatekeeper shall provide a reasoned submission to explain the measures that it intends to implement or has implemented. The gatekeeper shall furthermore provide a non-confidential version of its reasoned submission that may be shared with third parties pursuant to paragraph 6.
4. Paragraphs 2 and 3 of this Article are without prejudice to the powers of the Commission under Articles 29, 30 and 31.
5. With a view of adopting the decision under paragraph 2, the Commission shall communicate its preliminary findings to the gatekeeper within 3 months from the opening of the proceedings under Article 20. In the preliminary findings, the Commission shall explain the measures that it is considering taking or that it considers the gatekeeper concerned should take in order to effectively address the preliminary findings.
6. In order to effectively enable interested third parties to provide comments, the Commission shall, when communicating its preliminary findings to the gatekeeper pursuant to paragraph 5 or as soon as possible thereafter, publish a non-confidential summary of the case and the measures that it is considering taking or that it considers the gatekeeper concerned should take. The Commission shall specify a reasonable timeframe within which such comments are to be provided.
7. In specifying the measures under paragraph 2, the Commission shall ensure that the measures are effective in achieving the objectives of this Regulation and the relevant obligation, and proportionate in the specific circumstances of the gatekeeper and the relevant service.
8. For the purposes of specifying the obligations under Article 6(11) and (12), the Commission shall also assess whether the intended or implemented measures ensure that there is no remaining imbalance of rights and obligations on business users and that the measures do not themselves confer an advantage on the gatekeeper which is disproportionate to the service provided by the gatekeeper to business users.
9. In respect of proceedings pursuant to paragraph 2, the Commission may, upon request or on its own initiative, decide to reopen them where:
(a) there has been a material change in any of the facts on which the decision was based; or
(b) the decision was based on incomplete, incorrect or misleading information; or
(c) the measures as specified in the decision are not effective.
Cyber Risk GmbH
Tel: +41 79 505 89 60
We process and store data in compliance with both, the Swiss Federal Act on Data Protection (FADP) and the EU General Data Protection Regulation (GDPR). The service provider is Hostpoint. The servers are located in the Interxion data center in Zürich, the data is saved exclusively in Switzerland, and the support, development and administration activities are also based entirely in Switzerland.
Understanding Cybersecurity in the European Union.