
32 Amendments of Miroslav POCHE related to 2017/0225(COD)

Amendment 142 #
Proposal for a regulation
Recital 37
(37) Cybersecurity problems are global issues. There is a need for closer international cooperation to improve security standards, including the definition of common norms of behaviour and codes of conduct, use of international standards, and information sharing, promoting swifter international collaboration in response to, as well as a common global approach to, network and information security issues. To that end, the Agency should support further Union involvement and cooperation with third countries and international organisations by providing, where appropriate, the necessary expertise and analysis to the relevant Union institutions, bodies, offices and agencies.
2018/04/30
Committee: ITRE
Amendment 171 #
Proposal for a regulation
Recital 53
(53) The Commission, the European Cybersecurity Certification Group and the Stakeholder Certification Group should propose to ENISA to prepare a European cybersecurity certification schemes concerning specific groups of ICT products and services. These schemes should be implemented and supervised by national certification supervisory authorities and certificates issued within these schemes should be valid and recognised throughout the Union. Certification schemes operated by the industry or other private organisations should fall outside the scope of the Regulation. However, the bodies operating such schemes may propose to the Commission to consider such schemes as a basis for approving them as a European scheme.
2018/04/30
Committee: ITRE
Amendment 177 #
Proposal for a regulation
Recital 56
(56) After the completion of an appropriate stakeholder consultation by the Commission, ENISA should be empowered to prepare candidate schemes for specific ICT products or services. The Commission, based on the candidate scheme proposed by ENISA, should then be empowered to adopt the European cybersecurity certification scheme by means of delegated acts. Taking account of the general purpose and security objectives identified in this Regulation, European cybersecurity certification schemes adopted by the Commission should specify a minimum set of elements concerning the subject-matter, the scope and functioning of the individual scheme. These should include among others the scope and object of the cybersecurity certification, including the categories of ICT products and services covered, the detailed specification of the cybersecurity requirements, for example by reference to standards or technical specifications, the specific evaluation criteria and evaluation methods, as well as the intended level of assurance: basic, substantial and/or high.
2018/04/30
Committee: ITRE
Amendment 188 #
Proposal for a regulation
Recital 58
(58) Once a European cybersecurity certification scheme is adopted, manufacturers of ICT products or providers of ICT services should be able to submit an application for certification of their products or services to a conformity assessment body of their choice, anywhere in the Union. Conformity assessment bodies should be accredited by an accreditation body if they comply with certain specified requirements set out in this Regulation. Accreditation should be issued for a maximum of five years and may be renewed on the same conditions provided that the conformity assessment body meets the requirements. Accreditation bodies should revoke an accreditation of a conformity assessment body where the conditions for the accreditation are not, or are no longer, met or where actions taken by a conformity assessment body infringe this Regulation.
2018/04/30
Committee: ITRE
Amendment 191 #
Proposal for a regulation
Recital 59
(59) It is necessary to require all Member States to designate one cybersecurity certification supervisory authority to supervise compliance of conformity assessment bodies and of certificates issued by conformity assessment bodies established in their territory with the requirements of this Regulation and of the relevant cybersecurity certification schemes, and to ensure that the European cybersecurity certificates are recognised on their territory. National certification supervisory authorities should handle complaints lodged by natural or legal persons in relation to certificates issued by conformity assessment bodies established in their territories, or in relation to alleged failures to recognise certificates on their territory, investigate to the extent appropriate the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable time period. Moreover, they should cooperate with other national certification supervisory authorities or other public authority, including by sharing information on possible non-compliance of ICT products and services with the requirements of this Regulation or specific cybersecurity schemes, or the non-recognition of European cybersecurity certificates.
2018/04/30
Committee: ITRE
Amendment 192 #
Proposal for a regulation
Recital 60 a (new)
(60 a) With a view to ensuring the consistent and future-proof application of the European cybersecurity certification framework, a Stakeholder Certification Group should be established within ENISA. It should consist of recognised experts representing academics, standardisation bodies, consumer groups, ICT industry and non-public sector operators of essential services as defined in Annex II of Directive (EU) 2016/1148, who will advise and assist ENISA to ensure a consistent implementation and application of the European cybersecurity certification framework; assist and closely cooperate with the Agency in the preparation and adoption of candidate cybersecurity certification schemes; recommend candidate European cybersecurity certification schemes; and adopt opinions addressed to the Commission relating to the maintenance and review of existing European cybersecurity certification schemes. The Stakeholder Certification Group should be set up with the objective to allow expert input from relevant stakeholders to the European cybersecurity certification framework. The structure of the Stakeholder Certification Group should allow for ad-hoc members to be invited to contribute to the work on the proposal, development or adoption of any new candidate scheme.
2018/04/30
Committee: ITRE
Amendment 193 #
Proposal for a regulation
Recital 63
(63) In order to specify further the criteria for the accreditation of conformity assessment bodies and to ensure uniform conditions for the implementation of this Regulation, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission. The Commission should carry out appropriate consultations during its preparatory work, including at expert level and with all interested stakeholders, including those that do not participate in the above groups. Those consultations should be conducted in accordance with the principles laid down in the Interinstitutional Agreement on Better Law-Making of 13 April 2016. In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council should receive all documents at the same time as Member States' experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts.
2018/04/30
Committee: ITRE
Amendment 202 #
Proposal for a regulation
Article 1 – paragraph 1 – point b
(b) lays down a framework for the establishment of European cybersecurity certification schemes for the purpose of ensuring an adequate level of cybersecurity of ICT products, services and processes in the Union. Such framework shall apply without prejudice to specific provisions regarding voluntary or mandatory certification in other Union acts.
2018/04/30
Committee: ITRE
Amendment 212 #
Proposal for a regulation
Article 2 – paragraph 1 – point 8
(8) ‘cyber threat’ means any intentional action, including an automated command, that may adversely impact network and information systems, their users and affected persons;
2018/04/30
Committee: ITRE
Amendment 215 #
Proposal for a regulation
Article 2 – paragraph 1 – point 8 a (new)
(8 a) ‘cyber incident’ means any intentional or unintentional action or event that may adversely impact network and information systems, their users and affected persons;
2018/04/30
Committee: ITRE
Amendment 222 #
Proposal for a regulation
Article 2 – paragraph 1 – point 9 a (new)
(9 a) ‘European cybersecurity self-assurance scheme’ means the comprehensive set of rules, technical specifications or requirements, standards and procedures defined at Union level applying to the self-assessment of ICT products, services and processes falling under the scope of that specific scheme;
2018/04/30
Committee: ITRE
Amendment 229 #
Proposal for a regulation
Article 2 – paragraph 1 – point 10
(10) ‘European cybersecurity certificate’ means a document issued by a conformity assessment body attesting that a given ICT product, service, process fulfills the specific requirements laid down in a European cybersecurity certification scheme;
2018/04/30
Committee: ITRE
Amendment 232 #
Proposal for a regulation
Article 2 – paragraph 1 – point 11
(11) ‘ICT product, service and process’ means any element or group of elements of network and information systems;
2018/04/30
Committee: ITRE
Amendment 233 #
Proposal for a regulation
Article 2 – paragraph 1 – point 11 a (new)
(11 a) ‘consumer electronic device’ means a device consisting of hardware and software that process personal data or connect to the Internet for the operation of domotics and home control appliances, office appliances, routing equipment and devices that connect to a network, such as smart TV, toys and gaming consoles, virtual or personal assistants, connected streaming devices, wearables, voice-command and virtual reality systems;
2018/04/30
Committee: ITRE
Amendment 254 #
Proposal for a regulation
Article 4 – paragraph 5
5. The Agency shall increase cybersecurity capabilities at Union level in order to complement the action of Member States in preventing and responding to cyber threats, notably in the event of cross-border incidents, and in order to carry out its task of assisting Union institutions in developing policies related to cybersecurity.
2018/04/30
Committee: ITRE
Amendment 262 #
Proposal for a regulation
Article 4 – paragraph 6
6. The Agency shall promote the use of certification, including by contributing to the establishment and maintenance of a cybersecurity certification framework at Union level in accordance with Title III of this Regulation, with a view to increasing transparency of cybersecurity assurance of ICT products, services and processes and thus strengthen trust in the digital internal market.
2018/04/30
Committee: ITRE
Amendment 272 #
Proposal for a regulation
Article 5 – paragraph 1 – point 1
1. assisting and advising, in particular by providing its independent opinion and analysis of relevant activities in cyberspace and supplying preparatory work, on the development and review of Union policy and law in the area of cybersecurity, as well as sector-specific policy and law initiatives where matters related to cybersecurity are involved;
2018/04/30
Committee: ITRE
Amendment 304 #
Proposal for a regulation
Article 7 – paragraph 7
7. The Agency shall prepare a regular and in-depth EU Cybersecurity Technical Situation Report on incidents and threats based on open source information, its own analysis, and reports shared by, among others: Member States' CSIRTs (on a voluntary basis) or NIS Directive Single Points of Contact (in accordance with NIS Directive Article 14 (5)); European Cybercrime Centre (EC3) at Europol, CERT-EU. The Executive Director shall present the public findings to the European Parliament.
2018/04/30
Committee: ITRE
Amendment 318 #
Proposal for a regulation
Article 8 – paragraph 1 – point a – introductory part
(a) support and promote the development and implementation of the Union policy on cybersecurity certification of ICT products, services and processes, as established in Title III of this Regulation, by:
2018/04/30
Committee: ITRE
Amendment 325 #
Proposal for a regulation
Article 8 – paragraph 1 – point a – point 1
(1) preparing candidate European cybersecurity certification schemes for ICT products, services and processes in accordance with Article 44 of this Regulation;
2018/04/30
Committee: ITRE
Amendment 357 #
Proposal for a regulation
Article 9 – paragraph 1 – point g a (new)
(g a) support closer coordination and exchange of best practices among Member States on cybersecurity education, training and skills development, cyber hygiene and awareness.
2018/04/30
Committee: ITRE
Amendment 389 #
Proposal for a regulation
Article 20 a (new)
Article 20 a
Stakeholder Certification Group
1. The Executive Director shall set up a Stakeholder Certification Group, composed of recognised experts representing consumer groups, academics, standardisation bodies, operators of essential services as defined in Annex II of Directive (EU) 2016/1148 and the ICT industry, including SMEs.
2. Procedures for the Stakeholder Certification Group, in particular regarding the number, composition, and the appointment of its members by the Executive Director and the operation of the Group, shall be specified in the Agency’s internal rules of operation and shall be made public.
3. The term of office of the Stakeholder Certification Group members shall be two-and-a-half years. Their mandate shall be renewable. Members of the Management Board may not be members of the Stakeholder Certification Group. Members of the Permanent Stakeholder Group can be also Members of the Stakeholder Certification Group. Experts from the Commission and the Member States shall be entitled, upon invitation, to be present at the meetings of the Stakeholder Certification Group. Representatives of other bodies deemed relevant by the Executive Director, who are not members of the Stakeholder Certification Group, may be invited to attend the meetings of the Stakeholder Certification Group and to participate in its work.
4. The Stakeholder Certification Group shall advise the Agency in respect of the performance of its activities with regards Title III of the present Regulation. It shall in particular be entitled to propose to ENISA, to the Member States and to the Commission the preparation of a candidate European cybersecurity certification scheme, as conferred to in Article 44 of the present Regulation, as well as to participate in the procedures described in Articles 43 to 48 and Article 53 of the Present Regulation for the approval of such schemes.
5. For the purpose of ensuring that the Stakeholder Certification Group possesses the necessary expertise, the Executive Director or the members of the Stakeholder Certification Group shall nominate ad-hoc members for the proposal, development or adoption of any new candidate scheme. These ad-hoc members shall have the same rights and obligations as the appointed members, and shall be entitled to provide their expertise at any stage of the development and/or the approval of the respective candidate scheme. An ad-hoc member may contribute to the work of the Stakeholder Certification Group for more than one candidate scheme.
2018/04/30
Committee: ITRE
Amendment 401 #
Proposal for a regulation
Article 43 – paragraph 1
A European cybersecurity certification scheme shall attest that the ICT products and services that have been certified in accordance with such scheme comply with specified requirements as regards their ability to resist at a given level of assurance, actions that aim to compromise the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the functions or services offered by, or accessible via, those products, processes, services and systems. A European cybersecurity certification scheme shall establish liability criteria and propose levels of insurance for ICT products and services and where feasible for data recovery.
2018/04/30
Committee: ITRE
Amendment 408 #
Proposal for a regulation
Article 43 – paragraph 1
A European cybersecurity certification scheme shall attest that the ICT products, services and processes that have been certified in accordance with such scheme comply with specified requirements as regards their ability to resist at a given level of assurance, actions that aim to compromise the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the functions or services offered by, or accessible via, those products, processes, services and systems.
2018/04/30
Committee: ITRE
Amendment 468 #
Proposal for a regulation
Article 46 – paragraph 1
1. A European cybersecurity certification scheme shall specify liability criteria for one or more of the following assurance levels: basic, substantial and/or high, for ICT products and services issued under that scheme.
2018/04/30
Committee: ITRE
Amendment 524 #
Proposal for a regulation
Article 47 – paragraph 1 – point c
(c) one or more assurance levels of liability of the conformity assessment body in case of a breach of a certified ICT products or services;
2018/04/30
Committee: ITRE
Amendment 548 #
Proposal for a regulation
Article 48 – paragraph 1
1. ICT products, services and processes that have been certified under a European cybersecurity certification scheme adopted pursuant to Article 44 shall be presumed to be compliant with the requirements of such scheme.
2018/04/30
Committee: ITRE
Amendment 570 #
Proposal for a regulation
Article 48 – paragraph 6
6. Certificates shall be issued for a minimum period of three years. They may then be extended without cost for further periods, upon attestation by the certificate-holder that the relevant requirements continue to be met. Such attestation must be provided no sooner than six months and no later than 15 days before the expiry of the relevant period. Extensions of the certificates shall be allowed for the duration of the entire lifespan of the certified product.
2018/04/30
Committee: ITRE
Amendment 581 #
Proposal for a regulation
Article 49 – paragraph 1
1. Without prejudice to paragraph 3, national cybersecurity certification schemes and the related procedures for the ICT products, services and processes covered by a European cybersecurity certification scheme shall cease to produce effects from the date established in the delegated act adopted pursuant Article 44(4). Existing national cybersecurity certification schemes and the related procedures for the ICT products and services not covered by a European cybersecurity certification scheme shall continue to exist.
2018/04/30
Committee: ITRE
Amendment 601 #
Proposal for a regulation
Article 50 – paragraph 8
8. National certification supervisory authorities shall cooperate amongst each other and the Commission and, in particular, exchange information, experiences and good practices as regards cybersecurity certification and technical issues concerning cybersecurity of ICT products, services and processes.
2018/04/30
Committee: ITRE
Amendment 608 #
Proposal for a regulation
Article 52 – paragraph 5
5. The Commission may, by means of delegated acts, define the circumstances, formats and procedures of notifications referred to in paragraph 1 of this Article. Those delegated acts shall be adopted in accordance with the examination procedure referred to in Article 55(2).
2018/04/30
Committee: ITRE
Amendment 609 #
Proposal for a regulation
Article 53 – paragraph 2
2. The Group shall be composed of national certification supervisory authorities. The authorities shall be represented by the heads or by other high level representatives of national certification supervisory authorities. Upon invitation, members of the Stakeholder Certification Group shall be entitled to be present at the meetings of the European Cybersecurity Certification Group and to participate in its work.
2018/04/30
Committee: ITRE