99 Amendments of Dita CHARANZOVÁ related to 2017/0225(COD)
Amendment 59 #
Proposal for a regulation
Recital 5
Recital 5
(5) In light of the increased cybersecurity challenges faced by the Union, there is a need for a comprehensive set of measures that would build on previous Union action and foster mutually reinforcing objectives. These include the need to further increase capabilities and preparedness of Member States and businesses, as well as to improve cooperation and coordination across Member States and EU institutions, agencies and bodies. Furthermore, given the borderless nature of cyber threats, there is a need to increase capabilities at Union level that could complement the action of Member States, in particular in the case of large scale cross-border cyber incidents and crises. Additional efforts are also needed to increase awareness of citizens and businesses on cybersecurity issues. Moreover, the trust in the digital single markegiven that cyber incidents undermine trust in digital service providers and in the digital single market itself, especially among consumers, trust should be further improved by offering transparent information on the level of security of ICT products and services. This can be facilitated by EU- wide certification providing common cybersecurity requirements and evaluation criteria across national markets and sectors. Alongside Union-wide certification, there are a range of voluntary measures that the private sector itself should take to bolster trust in the security of ICT products and services, in particular in view of the growing availability of IoT devices. For example, more effective use should be made of encryption and other technologies as well as technologies to prevent successful cyber-attacks, in order to improve the security of end-users’ data and communications and the overall security of network and information systems in the Union.
Amendment 66 #
Proposal for a regulation
Recital 28
Recital 28
(28) The Agency should contribute towards raising the awareness of the public about risks related to cybersecurity and provide guidance on good practices for individual users aimed at citizens and organisations. The Agency should also contribute to promote cyber-hygiene best practices and solutions at the level of individuals and organisations by collecting and analysing publicly available information regarding significant incidents, and by compiling reports with a view to providing guidance to businesses and citizens and improving the overall level of preparedness and resilience. The Agency should furthermore organise, in cooperation with the Member States and the Union institutions, bodies, offices and agencies regular outreach and public education campaigns directed to end-users, aiming at promoting safer individual online behaviour and raising awareness of potential threats in cyberspace, including cybercrimes such as phishing attacks, botnets, financial and banking fraud, as well as promoting basic multi-factor authentication, patching, encryption, and access management principles and data protection advice. The Agency should play a central role in accelerating end-user awareness on security of devices. The Agency should encourage all end users to take appropriate steps to prevent and minimise the impact of incidents affecting the security of their networks and information systems.
Amendment 72 #
Proposal for a regulation
Recital 33
Recital 33
(33) The Agency should further develop and maintain its expertise on cybersecurity certification with a view to supporting the Union policy in this field. The Agency should promote the uptake of cybersecuritypromote the use of certification while avoiding the fragmentation caused by lack of coordination between existing certification withschemes in the Union, including by. The Agency should contributinge to the establishment and maintenance of a cybersecurity certification framework at Union level in accordance with Articles 43 to 54 [Title III], with a view to increasing the transparency of cybersecurity assurance of ICT products and services and thus strengthening trust in the digital sinternalgle market.
Amendment 96 #
Proposal for a regulation
Recital 55
Recital 55
(55) The purpose of European cybersecurity certification schemes should be to ensure that ICT products and services certified under such a scheme comply with specified requirements. Such requirements concern the ability to resist, at a given level of assurance, actions that aim to compromise the availability, authenticity, integrity and confidentiality of stored or transmitted or processed data or the related functions of or services offered by, or accessible via those products, processes, services and systems within the meaning of this Regulation. It is not possible to set out in detail in this Regulation the cybersecurity requirements relating to all ICT products and services. ICT products and services and related cybersecurity needs are so diverse that it is very difficult to come up with general cybersecurity requirements valid across the board. It is, therefore necessary to adopt a broad and general notion of cybersecurity for the purpose of certification, complemented by a set of specific cybersecurity objectives that need to be taken into account when designing European cybersecurity certification schemes. The modalities with which such objectives will be achieved in specific ICT products and services should then be further specified in detail at the level of the individual certification scheme adopted by the Commission, for example by reference to standards or technical specifications. It is of paramount importance that each European cybersecurity certification scheme be designed in such a way as to stimulate and encourage all actors involved in the sector concerned to develop and adopt security standards, technical norms and security-by-design principles, at all stages of the product or service lifecycle.
Amendment 102 #
Proposal for a regulation
Recital 56
Recital 56
(56) The Commission should be empowered to request ENISA to prepare candidate schemes for specific ICT products or services. The Commission, based on the candidate scheme proposed by ENISA, should then be empowered to adopt the European cybersecurity certification scheme by means of implementing acts. In order to underpin trust and predictability in, and raise public awareness of, the cybersecurity certification framework, ENISA should maintain a dedicated website with an easy-to-use online tool listing information on adopted schemes, candidate schemes, and schemes requested by the Commission. Taking account of the general purpose and security objectives identified in this Regulation, European cybersecurity certification schemes adopted by the Commission should specify a minimum set of elements concerning the subject-matter, the scope and functioning of the individual scheme. These should include among others the scope and object of the cybersecurity certification, including the categories of ICT products and servic, services and processes covered, the detailed specification of the cybersecurity requirements, for example by reference to standards or technical specifications, the specific evaluation criteria and evaluation methods associated with the operation and use of an ICT product, process or service, as well as the intended level of assurance: basicsecure, substantial and/or highly secure, highly secure, or any combination thereof.
Amendment 115 #
Proposal for a regulation
Recital 57
Recital 57
(57) Recourse to European cybersecurity certification should remain voluntary, unless otherwise provided in Union or national leg. This should not, however, prevent the Union or the Member States’ administrations from requiring a European cybersecurity certification inter alia as part of the authorislation. However, w for infrastructure projects or public procurements. With a view to achieving the objectives of this Regulation and avoiding the fragmentation of the internal market, national cybersecurity certification schemes or procedures for the ICT products and services covered by a European cybersecurity certification scheme should cease to produce effects from the date established by the Commission by means of the implementing act. Moreover, Member States should not introduce new national certification schemes providing cybersecurity certification schemes for ICT products and services already covered by an existing European cybersecurity certification scheme.
Amendment 122 #
Proposal for a regulation
Recital 58
Recital 58
(58) Once a European cybersecurity certification scheme is adopted, manufacturers of ICT products or providers of ICT services should be able to submit an application for certification of their products or, services or processes to a conformity assessment body of their choice. Conformity assessment bodies should be accredited by an accreditation body if they comply with certain specified requirements set out in this Regulation. Accreditation should be issued for a maximum of five years and may be renewed on the same conditions provided that the conformity assessment body meets the requirements. Accreditation bodies should revoke an accreditation of a conformity assessment body where the conditions for the accreditation are not, or are no longer, met or where actions taken by a conformity assessment body infringe this Regulation.
Amendment 126 #
Proposal for a regulation
Recital 65
Recital 65
(65) The examination procedure should be used for the adoption of implementing acts on European cybersecurity certification schemes for ICT products and servic, services and processes; on modalities of carrying enquiries by the Agency; as well as on the circumstances, formats and procedures of notifications of accredited conformity assessment bodies by the national certification supervisory authorities to the Commission.
Amendment 129 #
Proposal for a regulation
Article 1 – paragraph 1 – point b
Article 1 – paragraph 1 – point b
(b) lays down a framework for the establishment of European cybersecurity certification schemes for the purpose of ensuring an adequate level of cybersecurity of ICT products, processes and services in the Union. Such framework shall apply without prejudice to specific provisions regarding voluntary or mandatory certification in other Union acts. (This amendment applies throughout the text. Adopting it will necessitate corresponding changes throughout.)
Amendment 131 #
Proposal for a regulation
Article 1 – paragraph 1 – point b
Article 1 – paragraph 1 – point b
(b) lays down a framework for the establishment of European cybersecurity certification schemes for the purpose of ensuring an adequate level of cybersecurity of ICT products and, services and processes in the Union. Such framework shall apply without prejudice to specific provisions regarding voluntary or mandatory certification in other Union acts.
Amendment 132 #
Proposal for a regulation
Article 2 – paragraph 1 – point 1 a (new)
Article 2 – paragraph 1 – point 1 a (new)
(1a) ‘cyber-hygiene’ means simple, established routine measures, such as multi-factor authentication, patching, encryption, and access management, that end-users can take to minimise the risks from cyber threats;
Amendment 134 #
Proposal for a regulation
Article 2 – paragraph 1 – point 9
Article 2 – paragraph 1 – point 9
(9) ‘European cybersecurity certification scheme’ means the comprehensive set of rules, technical requirements, standards in accordance with Regulation (EU) 2012/1025, and procedures defined at Union level applying to the certification of Information and Communication Technology (ICT) products and servic, services and processes falling under the scope of that specific scheme;
Amendment 138 #
Proposal for a regulation
Article 2 – paragraph 1 – point 10
Article 2 – paragraph 1 – point 10
(10) ‘European cybersecurity certificate’ means a document issued by a conformity assessment body attesting that a given ICT product, process or service fulfils the specific requirements laid down in a European cybersecurity certification scheme;
Amendment 139 #
Proposal for a regulation
Article 2 – paragraph 1 – point 10
Article 2 – paragraph 1 – point 10
(10) ‘European cybersecurity certificate’ means a document issued by a conformity assessment body attesting that a given ICT product or, service or process fulfils the specific requirements laid down in a European cybersecurity certification scheme;
Amendment 149 #
Proposal for a regulation
Article 3 – paragraph 2 a (new)
Article 3 – paragraph 2 a (new)
2a. The Agency shall assist Member States and Union institutions in establishing policies and practices for the responsible management and coordinated disclosure of vulnerabilities in ICT products and services that are not publicly known.
Amendment 153 #
Proposal for a regulation
Article 4 – paragraph 6
Article 4 – paragraph 6
6. The Agency shall promote the use of certification, including by contributing while avoiding the fragmentation caused by lack of coordination between existing certification schemes in the Union. The Agency shall contribute to the establishment and maintenance of a cybersecurity certification framework at Union level in accordance with Title III of this RegulationArticles 43 to 54 [Title III], with a view to increasing the transparency of cybersecurity assurance of ICT products and services and thus strengthening trust in the digital sinternalgle market.
Amendment 154 #
Proposal for a regulation
Article 4 – paragraph 7
Article 4 – paragraph 7
7. The Agency shall promote a high level of cyber-hygiene and awareness of citizens and businesses on issues related to the cybersecurity.
Amendment 157 #
Proposal for a regulation
Article 4 – paragraph 7 a (new)
Article 4 – paragraph 7 a (new)
7a. The Agency shall assist and advise the Member States and the Union institutions with regard to the establishment of policies and practices promoting the responsible management and coordinated disclosure of vulnerabilities in ICT products and services that are not publicly known, such as the establishment of government vulnerability disclosure review processes and coordinated vulnerability disclosure policies.
Amendment 158 #
Proposal for a regulation
Article 4 – paragraph 7 a (new)
Article 4 – paragraph 7 a (new)
7a. The Agency shall assist and advise Member States and Union institutions in establishing policies and practices for the responsible management and coordinated disclosure of vulnerabilities in ICT products and services that are not publicly known, inter alia by establishing government vulnerability disclosure review processes and coordinated vulnerability disclosure policies.
Amendment 160 #
Proposal for a regulation
Article 5 – paragraph 1 – point 2
Article 5 – paragraph 1 – point 2
2. assisting Member States to implement consistently the Union policy and law regarding cybersecurity notably in relation to Directive (EU) 2016/1148, including by means of opinions, guidelines, advice and best practices on topics such as risk management, incident reporting and information sharing, technical and organisational measures, in particular the establishment of coordinated vulnerability disclosure programmes, as well as facilitating the exchange of best practices between competent authorities in this regard;
Amendment 162 #
Proposal for a regulation
Article 5 – paragraph 1 – point 2 a (new)
Article 5 – paragraph 1 – point 2 a (new)
Amendment 170 #
Proposal for a regulation
Article 5 – paragraph 1 – point 4 – point 2 a (new)
Article 5 – paragraph 1 – point 4 – point 2 a (new)
(2a) the development and promotion of policies that would sustain the general availability or integrity of the public core of the open internet, which provide the essential functionality to the Internet as a whole and which underpin its normal operation, including, but not limited to, the security and stability of key protocols (in particular DNS, BGP, and IPv6), the operation of the Domain Name System (including those of all Top Level Domains), and the operation of the Root Zone
Amendment 172 #
Proposal for a regulation
Article 6 – paragraph 1 – point a a (new)
Article 6 – paragraph 1 – point a a (new)
(aa) Members States and Union institutions in establishing and implementing coordinated vulnerability disclosure policies and government vulnerability disclosure review processes, whose practices and determinations should be transparent and subject to independent oversight.
Amendment 173 #
Proposal for a regulation
Article 6 – paragraph 1 – point a a (new)
Article 6 – paragraph 1 – point a a (new)
(aa) Members States and the Union institutions in establishing and implementing coordinated vulnerability disclosure policies and government vulnerability equities processes, the practices and determinations of which are subject to independent oversight and transparency;
Amendment 174 #
Proposal for a regulation
Article 6 – paragraph 2
Article 6 – paragraph 2
2. The Agency shall facilitate the establishment of and continuously support sectoral Information Sharing and Analysis Centres (ISACs), in particular in the sectors listed in Annex II of Directive (EU) 2016/1148, by providing best practices and guidance on available tools, procedure, cyber-hygiene principles, as well as on how to address regulatory issues related to information sharing.
Amendment 179 #
Proposal for a regulation
Article 7 – paragraph 8 – point e a (new)
Article 7 – paragraph 8 – point e a (new)
(ea) assisting and advising Member States on establishing and implementing coordinated vulnerability disclosure policies and government vulnerability disclosure review processes.
Amendment 182 #
Proposal for a regulation
Article 8 – paragraph 1 – point a – point 3
Article 8 – paragraph 1 – point a – point 3
(3) compiling and publishing guidelines and developing good practices, including on cyber-hygiene principles, concerning the cybersecurity requirements of ICT products and services, in cooperation with national certification supervisory authorities and the industry in a formal, standardised and transparent process;
Amendment 190 #
Proposal for a regulation
Article 8 – paragraph 1 – point c a (new)
Article 8 – paragraph 1 – point c a (new)
(ca) support and promote the development and implementation of coordinated vulnerability disclosure policies and government vulnerability disclosure review processes;
Amendment 193 #
Proposal for a regulation
Article 9 – paragraph 1 – point e
Article 9 – paragraph 1 – point e
(e) raise awareness of the public about cybersecurity risks, and provide guidance on good cyber-hygiene practices for individual users aimed at citizens and organisations;
Amendment 197 #
Proposal for a regulation
Article 9 – paragraph 1 – point g a (new)
Article 9 – paragraph 1 – point g a (new)
(ga) support closer coordination and the exchange of best practices among Member States on cybersecurity education, cyber-hygiene and awareness by facilitating the creation and maintenance of a network of national education points of contact;
Amendment 200 #
Proposal for a regulation
Article 11 – paragraph 1 – point c a (new)
Article 11 – paragraph 1 – point c a (new)
(ca) promoting multilateral collaboration in regulation and standardisation to set a level playing field matching the global reach of the WTO;
Amendment 201 #
Proposal for a regulation
Article 11 – paragraph 1 – point c b (new)
Article 11 – paragraph 1 – point c b (new)
(cb) supporting efforts for the inclusion of rules for cybersecurity into free trade agreements;
Amendment 204 #
Proposal for a regulation
Article 1 – paragraph 1 – point b
Article 1 – paragraph 1 – point b
(b) lays down a framework for the establishment of European cybersecurity certification schemes for the purpose of ensuring an adequate level of cybersecurity of ICT products, processes and services in the Union. Such framework shall apply without prejudice to specific provisions regarding voluntary or mandatory certification in other Union acts.
Amendment 211 #
Proposal for a regulation
Article 20 – paragraph 1
Article 20 – paragraph 1
1. The Management Board, acting on a proposal by the Executive Director, shall set up a Permanent Stakeholders’ Group composed of recognised experts representing the relevant stakeholders, such as the Union’s ICT industry, Union providers of electronic communications networks or services available to the public, consumer groups, academic experts in the cybersecurity, and representatives of competent authorities notified under [Directive establishing the European Electronic Communications Code] as well as of law enforcement and data protection supervisory authorities.
Amendment 217 #
Proposal for a regulation
Article 20 – paragraph 5 a (new)
Article 20 – paragraph 5 a (new)
5a. The Permanent Stakeholders’ Group shall meet at least four times per year. The agenda for at least one of those meetings shall be dedicated to matters referred to in Articles 43 to 54 [Title III].
Amendment 225 #
Proposal for a regulation
Article 43 – paragraph 1
Article 43 – paragraph 1
A European cybersecurity certification scheme shall attest that the ICT products and servic, services and processes that have been certified in accordance with such scheme comply with specified requirements and properties as regards their ability to resist at a given level of assurance, actions that aim to compromise the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the functions or services offered by, or accessible via, those products, processes, services and systems.
Amendment 228 #
Proposal for a regulation
Article 2 – paragraph 1 – point 10
Article 2 – paragraph 1 – point 10
(10) ‘European cybersecurity certificate’ means a document issued by a conformity assessment body attesting that a given ICT product, process or service fulfils the specific requirements laid down in a European cybersecurity certification scheme;
Amendment 230 #
Proposal for a regulation
Article 44 – paragraph 1
Article 44 – paragraph 1
1. Following a request from the Commission, ENISA shall prepare a candidate European cybersecurity certification scheme which meets the requirements set out in Articles 45, 46 and 47 of this Regulation. Member States or the European Cybersecurity Certification Group (the ‘Group’) established under Article 53 may propose the preparation of a candidate European cybersecurity certification scheme to the CommissMember States, the Permanent Stakeholders’ Group established under Article 20, or an industry representative body may propose the preparation of a candidate European cybersecurity certification scheme to the Commission or to the European Cybersecurity Certification Group (the ‘Group’). Following a request from the Commission or the Group, ENISA shall prepare a candidate European cybersecurity certification scheme which meets the requirements set out in Articles 45, 46 and 47 of this Regulation.
Amendment 236 #
Proposal for a regulation
Article 44 – paragraph 2
Article 44 – paragraph 2
2. When preparing candidate schemes referred to in paragraph 1 of this Article, ENISA shall consult all relevant stakeholdersthe Permanent Stakeholders’ Group, in particular the European standardisation organisations, and all other relevant stakeholders in a formal, standardised and transparent process, and closely cooperate with the Group. The Group and all other relevant stakeholders shall provide ENISA with the assistance and expert advice required by ENISA in relation to the preparation of the candidate scheme, including by providing opinions where necessary.
Amendment 241 #
Proposal for a regulation
Article 3 – paragraph 2 a (new)
Article 3 – paragraph 2 a (new)
2 a. The Agency shall assist Member States and Union institutions in establishing policies and practices for the responsible management and coordinated disclosure of vulnerabilities in ICT products and services that are not publicly known.
Amendment 246 #
Proposal for a regulation
Article 44 – paragraph 2 a (new)
Article 44 – paragraph 2 a (new)
2a. ENISA shall observe professional secrecy with regard to all information obtained in carrying out its tasks under this Regulation.
Amendment 248 #
Proposal for a regulation
Article 44 – paragraph 3
Article 44 – paragraph 3
3. ENISA shall transmitUpon approval by the Group of the candidate European cybersecurity certification scheme, ENISA shall, after consulting the Permanent Stakeholders’ Group, transmit the candidate scheme prepared in accordance with paragraph 2 of this Article to the Commission.
Amendment 257 #
Proposal for a regulation
Article 44 a (new)
Article 44 a (new)
Article 44a Working Programme 1. After consulting the Group and the Permanent Stakeholders’ Group, ENISA, as an addition to, or part of, its general working programme, shall, after approval by the Commission and in any event by ... [six months after the date of entry into force of this Regulation] and every two years thereafter, establish a working plan for the development of European cybersecurity certification schemes, which shall be made publicly available. The working plans shall set out, for the following two years, an indicative list of products, processes and services which are considered to be priorities for the adoption of European cybersecurity certification schemes. The working plan shall be amended by ENISA, where appropriate, after consulting the Commission, the Group and the Permanent Stakeholders’ Group in order to take into account, inter alia, the demands of the internal market.
Amendment 260 #
Proposal for a regulation
Article 45 – paragraph 1 – introductory part
Article 45 – paragraph 1 – introductory part
A European cybersecurity certification scheme shall be so designed as to take into account, as applicable, the following security objectives:
Amendment 265 #
Proposal for a regulation
Article 45 – paragraph 1 – point c a (new)
Article 45 – paragraph 1 – point c a (new)
(ca) protect and secure devices against spoofing and other forms of device mimicking;
Amendment 271 #
Proposal for a regulation
Article 4 – paragraph 7 a (new)
Article 4 – paragraph 7 a (new)
7 a. The Agency shall assist and advise Member States and Union institutions in establishing policies and practices for the responsible management and coordinated disclosure of vulnerabilities in ICT products and services that are not publicly known, inter alia, by establishing government vulnerability disclosure review processes and coordinated vulnerability disclosure policies.
Amendment 271 #
Proposal for a regulation
Article 45 – paragraph 1 – point g
Article 45 – paragraph 1 – point g
(g) ensure that ICT products and services are provided with up -to -date hardware and software , that does not contain known vulnerabilities, and are provided with mechanisms for secure software updates., including automatic security updates;
Amendment 273 #
Proposal for a regulation
Article 5 – paragraph 1 – point 2
Article 5 – paragraph 1 – point 2
2. assisting Member States to implement consistently the Union policy and law regarding cybersecurity notably in relation to Directive (EU) 2016/1148, including by means of opinions, guidelines, advice and best practices on topics such as secure software and systems development, risk management, incident reporting and information sharing, technical and organisational measures, in particular the establishment of coordinated vulnerability disclosure programmes, as well as facilitating the exchange of best practices between competent authorities in this regard;
Amendment 274 #
Proposal for a regulation
Article 45 – paragraph 1 – point g a (new)
Article 45 – paragraph 1 – point g a (new)
(ga) ensure that ICT products and services are developed and operated in accordance with appropriate security standards and policies and that the highest appropriate level of cybersecurity and data protection is preconfigured by default into products, services and processes.
Amendment 277 #
Proposal for a regulation
Article 5 – paragraph 1 – point 2 a (new)
Article 5 – paragraph 1 – point 2 a (new)
2 a. proposing a blueprint which establishes the roles, responsibilities and legal obligations of vendors, manufacturers, CERTs and CSIRTs, and which further clarifies the legal rights and protections of information security researchers in the context of a coordinated vulnerability disclosure programme, in particular in cases of multi-party vulnerability disclosures that affect multiple vulnerability finders and vendors in different Member States
Amendment 283 #
Proposal for a regulation
Article 46 – paragraph 1
Article 46 – paragraph 1
1. AEach European cybersecurity certification scheme may specify one or more of the following assurance levels: basic - “functionally secure”, “substantial and/or highly secure”, “highly secure”, for ICT products and services issued under that schema combination thereof - for cybersecurity certificates issued under that scheme, taking into account, inter alia, their intended use.
Amendment 286 #
Proposal for a regulation
Article 5 – paragraph 1 – point 4 – point 2 a (new)
Article 5 – paragraph 1 – point 4 – point 2 a (new)
(2 a) the development and promotion of policies that would sustain the general availability or integrity of the public core of the open internet, which provide the essential functionality to the Internet as a whole and which underpin its normal operation, including, but not limited to, the security and stability of key protocols (in particular DNS, BGP, and IPv6), the operation of the Domain Name System (including those of all Top Level Domains), and the operation of the Root Zone
Amendment 288 #
Proposal for a regulation
Article 6 – paragraph 1 – point a a (new)
Article 6 – paragraph 1 – point a a (new)
(a a) Members States and Union institutions in establishing and implementing coordinated vulnerability disclosure policies and government vulnerability disclosure review processes, whose practices and determinations should be transparent and subject to independent oversight.
Amendment 296 #
Proposal for a regulation
Article 46 – paragraph 2 – point a
Article 46 – paragraph 2 – point a
(a) assurance level basic“functionally secure” shall refer to a certificate issued in the context of a European cybersecurity certification scheme, which provides a limin adequated degree of confidence in the claimed or asserted cybersecurity qualities of an ICT product or service, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to decrease the risk of cybersecurity incidents; where a European cybersecurity certification scheme includes certification of a cybersecurity process by a manufacturer, that certification of a cybersecurity process may include granting permission to a manufacturer for a self-declaration of ICT products or services conformity to the “functionally secure” assurance level;
Amendment 306 #
Proposal for a regulation
Article 7 – paragraph 7 a (new)
Article 7 – paragraph 7 a (new)
7 a. The Agency shall prepare, together with the EEAS, a regular global Cybersecurity Situational Report on incidents and threats towards individuals, including towards vulnerable users outside the EU such as lawyers, journalists, or human rights defenders, in order to help the Union institutions respond to external needs and uphold its human rights responsibilities abroad
Amendment 310 #
Proposal for a regulation
Article 46 – paragraph 2 – point c
Article 46 – paragraph 2 – point c
(c) assurance level “highly secure” shall refer to a certificate issued in the context of a European cybersecurity certification scheme, which provides a higher degree of confidence in the claimed or asserted cybersecurity qualities of an ICT product or service than certificates with the assurance level “substantially secure”, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to prevent cybersecurity incidents.
Amendment 311 #
Proposal for a regulation
Article 7 – paragraph 8 – point e a (new)
Article 7 – paragraph 8 – point e a (new)
(e a) assisting and advising Member States on establishing and implementing coordinated vulnerability disclosure policies and government vulnerability disclosure review processes.
Amendment 316 #
Proposal for a regulation
Article 47 – paragraph 1 – introductory part
Article 47 – paragraph 1 – introductory part
1. A European cybersecurity certification scheme shall include one or more of the following elements:
Amendment 319 #
Proposal for a regulation
Article 47 – paragraph 1 – point a
Article 47 – paragraph 1 – point a
(a) subject-matter and scope of the certification scheme, including the type or categories of ICT products, processes and services covered, such certification being specific to one or more sector(s) or applying on a horizontal basis;
Amendment 321 #
Proposal for a regulation
Article 47 – paragraph 1 – point b
Article 47 – paragraph 1 – point b
(b) detailed specification of the cybersecurity requirements against which the specific ICT products and services are evaluated, for example by reference to Union or interinternational, European or national standards or technical specifications followed in the evaluation and certification process;
Amendment 325 #
Proposal for a regulation
Article 47 – paragraph 1 – point b a (new)
Article 47 – paragraph 1 – point b a (new)
(ba) detailed specification if a granted certification can apply to only an individual product or can be applied to a product range [different versions/models of the same base product structure];
Amendment 332 #
Proposal for a regulation
Article 47 – paragraph 1 – point f
Article 47 – paragraph 1 – point f
Amendment 336 #
Proposal for a regulation
Article 47 – paragraph 1 – point g
Article 47 – paragraph 1 – point g
(g) where surveillance is part of the scheme, the rules for monitoring compliance with the requirements of the certificates, including, where applicable, mechanisms to demonstrate the continued compliance with the specified cybersecurity requirements;
Amendment 344 #
Proposal for a regulation
Article 8 – paragraph 1 – point c a (new)
Article 8 – paragraph 1 – point c a (new)
(c a) support and promote the development and implementation of coordinated vulnerability disclosure policies and government vulnerability disclosure review processes
Amendment 344 #
Proposal for a regulation
Article 47 – paragraph 1 – point j
Article 47 – paragraph 1 – point j
(j) rules concerning how previously undetected cybersecurity vulnerabilities in ICT products and services are to be reported and dealt with;requiring vulnerabilities in ICT products and services that are not publicly known to be reported expeditiously by the appropriate authorities to relevant vendors and manufacturers using a coordinated vulnerability disclosure process.
Amendment 345 #
Proposal for a regulation
Article 47 – paragraph 1 – point j
Article 47 – paragraph 1 – point j
(j) rules concerning how previously undetected cybersecurity vulnerabilities in ICT products and services are to be reported and dealt withrequiring vulnerabilities in ICT products and services that are not publicly known to be reported expeditiously by the appropriate authorities to relevant vendors and manufacturers using a coordinated vulnerability disclosure process;
Amendment 349 #
Proposal for a regulation
Article 47 – paragraph 1 – point l
Article 47 – paragraph 1 – point l
(l) identification of national or international cybersecurity certification schemes covering the same type or categories of ICT products and service, services, processes, security requirements and evaluation criteria and methods;
Amendment 353 #
Proposal for a regulation
Article 47 – paragraph 1 – point l a (new)
Article 47 – paragraph 1 – point l a (new)
(la) identification of existing international mutual recognition agreements and certifications;
Amendment 354 #
Proposal for a regulation
Article 47 – paragraph 1 – point m a (new)
Article 47 – paragraph 1 – point m a (new)
(ma) governance mechanism for updating, amending and coordinating particular certification schemes, in particular detailed specification on how a certification scheme is to be amended in light of additional security threats, once they become known;
Amendment 355 #
Proposal for a regulation
Article 47 – paragraph 1 – point m a (new)
Article 47 – paragraph 1 – point m a (new)
(ma) Rules concerning how and when Member States are to inform each other when they acquire knowledge of a vulnerability that is not publicly known in an ICT product or service that is certified under this certification scheme.
Amendment 360 #
Proposal for a regulation
Article 47 – paragraph 1 – point m b (new)
Article 47 – paragraph 1 – point m b (new)
(mb) resistance and resilience testing for the “highly secure” and “substantially secure” assurance levels;
Amendment 361 #
Proposal for a regulation
Article 47 – paragraph 1 – point m c (new)
Article 47 – paragraph 1 – point m c (new)
(mc) where necessary, applicable self- declaration procedures for the “functionally secure” assurance level;
Amendment 364 #
Proposal for a regulation
Article 47 – paragraph 3
Article 47 – paragraph 3
3. Where a specific Union act so provides, certification under a European cybersecurity certification scheme may be used as an alternative means to demonstrate the presumption of conformity with requirements of that act.
Amendment 369 #
Proposal for a regulation
Article 48 – paragraph 1
Article 48 – paragraph 1
1. ICT products and servic, services and processes that have been certified under a European cybersecurity certification scheme adopted pursuant to Article 44 shall be presumed to be compliant with the requirements of such scheme.
Amendment 373 #
Proposal for a regulation
Article 48 – paragraph 2
Article 48 – paragraph 2
2. The certification shall be voluntary, unless otherwise specified in Union law.
Amendment 380 #
Proposal for a regulation
Article 48 – paragraph 4 – introductory part
Article 48 – paragraph 4 – introductory part
4. By the way of derogation from paragraph 3, in duly justified cases a particular European cybersecurity certification scheme may provide that a European cybersecurity certificate resulting from that scheme can only be issued by a public body. Such public body shall be one of the following:
Amendment 381 #
Proposal for a regulation
Article 48 – paragraph 5
Article 48 – paragraph 5
5. The natural or legal person which submits its ICT products or, services or processes to the certification mechanism shall provide the conformity assessment body referred to in Article 51 with all information necessary to conduct the certification procedure, including information on any known security vulnerabilities.
Amendment 384 #
Proposal for a regulation
Article 48 – paragraph 6
Article 48 – paragraph 6
6. Certificates shall be issued for a maximum period of three years and may be renewed, under the same conditions, provided that the relevantthe period established in the relevant European cybersecurity certification scheme and may be renewed, under the same conditions, provided that the requirements of that European cybersecurity certification scheme, including any revised or amended requirements, continue to be met.
Amendment 387 #
Proposal for a regulation
Article 48 – paragraph 6 a (new)
Article 48 – paragraph 6 a (new)
6a. In particular, a certificate shall remain valid for all new versions of a product or service, where the primary reason for the new version is to patch, fix, or otherwise address known or potential security vulnerabilities or threats.
Amendment 395 #
Proposal for a regulation
Article 49 – paragraph 1
Article 49 – paragraph 1
1. Without prejudice to paragraph 3, national cybersecurity certification schemes and the related procedures for the ICT products and servic, services and processes covered by a European cybersecurity certification scheme shall cease to produce effects from the date established in the implementing act adopted pursuant Article 44(4). Existing national cybersecurity certification schemes and the related procedures for the ICT products and services not covered by a European cybersecurity certification scheme shall continue to exist.
Amendment 400 #
Proposal for a regulation
Article 49 – paragraph 2
Article 49 – paragraph 2
2. Member States shall not introduce new national cybersecurity certification schemes for ICT products and servic, services and processes covered by a European cybersecurity certification scheme in force.
Amendment 403 #
Proposal for a regulation
Article 49 – paragraph 3
Article 49 – paragraph 3
3. Existing certificates issued under national cybersecurity certification schemes and covered by a European cybersecurity certification scheme shall remain valid until their expiry date.
Amendment 404 #
Proposal for a regulation
Article 49 – paragraph 3 a (new)
Article 49 – paragraph 3 a (new)
3a. Where national cybersecurity schemes are recognised under international mutual recognition arrangement(s) for the purpose of security certification, they shall cease to exist only when the European certification scheme qualifies for recognition under the same international arrangement(s) or when the Commission deems the international mutual recognition arrangement to be no longer necessary.
Amendment 410 #
Proposal for a regulation
Article 50 – paragraph 6 – point a
Article 50 – paragraph 6 – point a
(a) monitor and enforce the application of the provisions under this Title at national level and supervise compliance of the certificates that have been issued by conformity assessment bodies established in their respective territories with the requirements set out in this Title and in the corresponding European cybersecurity certification scheme or any self- declaration of conformity issued under a scheme for a product or service with a "functionally secure" assurance level;
Amendment 414 #
Proposal for a regulation
Article 50 – paragraph 6 – point c
Article 50 – paragraph 6 – point c
(c) handle complaints lodged by natural or legal persons in relation to certificates issued by conformity assessment bodies established in their territories or any self-declaration of conformity issued under a scheme for a product or service with a "functionally secure" assurance level in relation to certificates issued by conformity assessment bodies established in their territories, investigate, to the extent appropriate, the subject matter of the complaint, and inform the complainant of the progress and the outcome of the investigation within a reasonable time period;
Amendment 417 #
Proposal for a regulation
Article 50 – paragraph 6 – point d
Article 50 – paragraph 6 – point d
(d) cooperate with other national certification supervisory authorities or other public authorities, including by sharing information on possible non- compliance, including deceptive, false, or fraudulent claims of certification, of ICT products and, services or processes with the requirements of this Regulation or specific European cybersecurity certification schemes;
Amendment 422 #
Proposal for a regulation
Article 50 – paragraph 7 a (new)
Article 50 – paragraph 7 a (new)
7a. National accreditation bodies shall establish procedures for internal audits. The internal audits shall be performed at least once a year. However, where a national accreditation body can demonstrate that its management system has been effectively implemented and is stable, the internal audits may be performed less frequently.
Amendment 423 #
Proposal for a regulation
Article 50 – paragraph 8
Article 50 – paragraph 8
8. National certification supervisory authorities shall cooperate amongst each other and the Commission and, in particular, exchange information, experiences and good practices as regards cybersecurity certification and technical issues concerning cybersecurity of ICT products and servic, services and processes.
Amendment 425 #
Proposal for a regulation
Article 50 a (new)
Article 50 a (new)
Amendment 427 #
Proposal for a regulation
Article 51 – paragraph 1 a (new)
Article 51 – paragraph 1 a (new)
1a. The national accreditation body shall be responsible for the assessment, designation, notification and monitoring of conformity assessment bodies, including, where appropriate, the subcontractors or subsidiaries of those conformity assessment bodies.
Amendment 428 #
Proposal for a regulation
Article 51 – paragraph 2 a (new)
Article 51 – paragraph 2 a (new)
2a. Where a conformity assessment body believes preliminary assessment results of a product, service or process suggest deceptive, false, or fraudulent claims or representations, the conformity assessment body shall inform the national certification supervisory authority. The national certification supervisory authority may authorise the conformity assessment body to require the submission of further additional information pursuant to Article 48(5) before the granting of a certification. Where deemed absolutely necessary, this may include disclosure of the source code of products or services.
Amendment 435 #
Proposal for a regulation
Article 53 – paragraph 3 – point c
Article 53 – paragraph 3 – point c
(c) to propose to the Commission that it requests the Agency to prepare a candidate European cybersecurity certification scheme in accordance with Article 44 of this Regulation;
Amendment 440 #
Proposal for a regulation
Article 53 – paragraph 4 – subparagraph 1 a (new)
Article 53 – paragraph 4 – subparagraph 1 a (new)
ENISA shall ensure that the agenda, minutes and a record of decisions taken are registered and that published versions of those documents are made available to the public on the ENISA website after each meeting of the Group.
Amendment 441 #
Proposal for a regulation
Article 55 – paragraph 2
Article 55 – paragraph 2
2. Where reference is made to this paragraph, Article 45 of Regulation (EU) No 182/2011 shall apply.
Amendment 443 #
Proposal for a regulation
Annex I – paragraph 1 – point 2
Annex I – paragraph 1 – point 2
2. A conformity assessment body shall be a third-party body independent of the organisation or the ICT products or, services or processes it assesses.
Amendment 445 #
Proposal for a regulation
Annex I – paragraph 1 – point 9 – introductory part
Annex I – paragraph 1 – point 9 – introductory part
9. At all times and for each conformity assessment procedure and each kind, category or sub-category of ICT products or, services, or processes a conformity assessment body shall have at its disposal the necessary:
Amendment 511 #
Proposal for a regulation
Article 46 – paragraph 2 a (new)
Article 46 – paragraph 2 a (new)
2a. The methodology to distinguish between the different assurance levels should be guided by a test which assesses the resistance of the security functionalities against attackers that have significant to unlimited resources.
Amendment 534 #
Proposal for a regulation
Article 47 – paragraph 1 – point j
Article 47 – paragraph 1 – point j
(j) rules concerning how previously undetected cybersecurity vulnerabilities in ICT products and services are to be reported and dealt with; requiring vulnerabilities in ICT products and services that are not publicly known to be reported expeditiously by the appropriate authorities to relevant vendors and manufacturers using a coordinated vulnerability disclosure process.
Amendment 540 #
Proposal for a regulation
Article 47 – paragraph 1 – point m a (new)
Article 47 – paragraph 1 – point m a (new)
(ma) rules concerning how and when Member States must inform each other when they acquire knowledge of a vulnerability that is not publicly known in an ICT product or service that is certified under this certification scheme.