Activities of Pavel TELIČKA related to 2017/0225(COD)

Plenary speeches (1)

EU Cybersecurity Act - European Cybersecurity Industrial, Technology and Research Competence Centre and Network of National Coordination Centres (debate)
2016/11/22
Dossiers: 2017/0225(COD)

Shadow reports (1)

REPORT on the proposal for a regulation of the European Parliament and of the Council on ENISA, the "EU Cybersecurity Agency", and repealing Regulation (EU) 526/2013, and on Information and Communication Technology cybersecurity certification (''Cybersecurity Act'')
2016/11/22
Committee: ITRE
Dossiers: 2017/0225(COD)
Documents: PDF(1 MB) DOC(324 KB)

Amendments (48)

Amendment 43 #
Proposal for a regulation
Recital 28
(28) The Agency should contribute towards raising the awareness of the public about risks related to cybersecurity and provide guidance on good practices for individual users aimed at citizens and organisations. The Agency should also contribute to promoting best practices and solutions at the level of individuals and organisations by collecting and analysing publicly available information regarding significant incidents, and by compiling reports with a view to providing guidance to businesses and citizens and improving the overall level of preparedness and resilience. The Agency should furthermore organise, in cooperation with the Member States and the Union institutions, bodies, offices and agencies, regular outreach and public education campaigns directed to end-users, aiming at promoting cybersecurity education, safer individual online behaviour and raising awareness of potential threats in cyberspace, including cybercrimes such as phishing attacks, botnets, financial and banking fraud, as well as promoting basic authentication and data protection advice. The Agency should play a central role in accelerating end-user awareness on security of devices.
2018/02/09
Committee: LIBE
Amendment 46 #
Proposal for a regulation
Recital 30
(30) To ensure that it fully achieves its objectives, the Agency should liaise with relevant institutions, agencies and bodies, including CERT-EU, the European Cybercrime Centre (EC3) at Europol, the European Defence Agency (EDA), the European Agency for the operational management of large-scale IT systems (eu-LISA), the European Aviation Safety Agency (EASA) and any other EU Agency that is involved in cybersecurity. It should also liaise with European and national authorities dealing with data protection in order to exchange know-how and best practices and provide advice on cybersecurity aspects that might have an impact on their work. Representatives of national and Union law enforcement and data protection authorities should be eligible to be represented in the Agency’s Permanent Stakeholders Group. In liaising with law enforcement bodies regarding network and information security aspects that might have an impact on their work, the Agency should respect existing channels of information and established networks.
2018/02/09
Committee: LIBE
Amendment 53 #
Proposal for a regulation
Recital 52
(52) In view of the above, it is necessary to establish a harmonised European cybersecurity certification framework laying down the main horizontal requirements for European cybersecurity certification schemes to be developed and allowing certificates for ICT products and services to be recognised and used in all Member States. The European framework should have a twofold purpose: on the one hand, it should help increase trust in ICT products and services that have been certified according to such schemes. On the other hand, it should avoid the multiplication of conflicting or overlapping national cybersecurity certifications and thus reduce costs for undertakings operating in the digital single market. The schemes should be non-discriminatory and based on international and/or Union standards, unless those standards are ineffective or inappropriate to fulfil the EU’s legitimate objectives in that regard.
2018/02/09
Committee: LIBE
Amendment 69 #
Proposal for a regulation
Article 4 – paragraph 5
5. The Agency shall increase cybersecurity capabilities at Union level in order to complement and support the action of Member States in preventing and responding to cyber threats, notably in the event of cross-border incidents.
2018/02/09
Committee: LIBE
Amendment 94 #
Proposal for a regulation
Recital 3
(3) Increased digitisation and connectivity lead to increased cybersecurity risks, thus making society at large more vulnerable to cyber threats and exacerbating dangers faced by individuals, including vulnerable persons such as children. In order to mitigate this risk to society, all necessary actions need to be taken to improve cybersecurity in the EU to better protect network and information systems, telecommunication networks, digital products, services and devices used by citizens, governments and business – from SMEs to operators of critical infrastructures – from cyber threats. In this respect the Digital Education Action Plan published by the European Commission on 17 January 2018 is a step in the right direction, in particular the EU-wide awareness-raising campaign targeting educators, parents and learners to foster online safety, cyber hygiene and media literacy as well as the cyber-security teaching initiative building on the Digital Competence Framework for Citizens, to empower people to use technology confidently and responsibly.
2018/04/30
Committee: ITRE
Amendment 105 #
Proposal for a regulation
Recital 5 a (new)
(5 a) Businesses as well as individual consumers should have accurate information regarding the level of security of their ICT products. At the same time, it has to be understood that no product is cyber secure and that basic rules of cyber hygiene have to be promoted and prioritized.
2018/04/30
Committee: ITRE
Amendment 108 #
Proposal for a regulation
Recital 8
(8) It is recognised that, since the adoption of the 2013 EU Cybersecurity Strategy and the last revision of the Agency's mandate, the overall policy context has changed significantly, also in relation to a more uncertain and less secure global environment. In this context, and in the context of the positive role the Agency has played over the years in the pooling of expertise, coordination and capacity building, and within the framework of the new Union cybersecurity policy, it is necessary to review the mandate of ENISA to define its role in the changed cybersecurity ecosystem and ensure it contributes effectively to the Union's response to cybersecurity challenges emanating from this radically transformed threat landscape, for which, as recognised by the evaluation of the Agency, the current mandate is not sufficient.
2018/04/30
Committee: ITRE
Amendment 112 #
Proposal for a regulation
Recital 12 a (new)
(12 a) The role of the Agency should be subject to continuous assessment and timely review, in particular its coordinating role vis-à-vis the Member States and their national authorities, and the eventual possibility of acting as a One-Stop-Shop for Member States and EU bodies and institutions. The Agency's role in the avoidance of fragmentation of the internal market and the possible introduction of mandatory cybersecurity certification schemes, should the situation in the future require such a shift, should also be assessed, as well as the Agency's role in respect of the assessment of third country products entering the EU market and the possible blacklisting of companies which do not comply with EU criteria.
2018/04/30
Committee: ITRE
Amendment 116 #
Proposal for a regulation
Recital 15
(15) The Agency should assist the Member States and Union institutions, bodies, offices and agencies in their efforts to build and enhance capabilities and preparedness to prevent, detect and respond to cybersecurity problems and incidents and in relation to the security of network and information systems. In particular, the Agency should support the development and enhancement of national CSIRTs, with a view to achieving a high common level of their maturity in the Union. The Agency should also assist with the development and update of Union and Member States strategies on the security of network and information systems, in particular on cybersecurity, promote their dissemination and track progress of their implementation. The Agency should also offer trainings and training material to public bodies, and where appropriate "train the trainers" with a view to assisting Member States in developing their own training capabilities. The Agency should also serve as a contact point for Member States and Union institutions, who should be able to request the assistance of the Agency within the competences and roles assigned to it.
2018/04/30
Committee: ITRE
Amendment 129 #
Proposal for a regulation
Recital 28
(28) The Agency should contribute towards raising the awareness of the public about risks related to cybersecurity and provide guidance on good practices for individual users aimed at citizens and organisations. The Agency should also contribute to promoting best practices and solutions at the level of individuals and organisations by collecting and analysing publicly available information regarding significant incidents, and by compiling reports with a view to providing guidance to businesses and citizens and improving the overall level of preparedness and resilience. The Agency should furthermore organise, in line with the Digital Education Action Plan and in cooperation with the Member States and the Union institutions, bodies, offices and agencies, regular outreach and public education campaigns directed to end-users, aiming at promoting safer individual online behaviour and raising awareness of potential threats in cyberspace, including cybercrimes such as phishing attacks, botnets, financial and banking fraud, as well as promoting basic authentication and data protection advice. The Agency should play a central role in accelerating end-user awareness on security of devices.
2018/04/30
Committee: ITRE
Amendment 161 #
Proposal for a regulation
Recital 47
(47) Conformity assessment is the process demonstrating whether specified requirements relating to a product, process, service, system, person or body have been fulfilled. For the purposes of this Regulation, certification should be considered as a type of conformity assessment regarding the cybersecurity features of a product, process, service, system, or a combination of those ("ICT products and services") by an independent third party, other than the product manufacturer or service provider. Certification cannot guarantee per se that certified ICT products and services are cyber secure. It is rather a procedure and technical methodology to attest that ICT products and services have been tested and that they comply with certain cybersecurity requirements laid down elsewhere, for example as specified in technical standards. Undertakings should also ensure the security by design and by default of their ICT products and services taking into account the state of the art.
2018/04/30
Committee: ITRE
Amendment 164 #
Proposal for a regulation
Recital 48 a (new)
(48 a) Despite the fact that it is not possible to foresee future technology and market developments, producers should take into account all known threats when developing their products. Producers should also be liable for the quality of a product put on the EU market, including cyber resilience. At the same time, consumers should assume their share of responsibility by following basic rules of cyber hygiene, which could significantly reduce the number of human errors in the field of cybersecurity.
2018/04/30
Committee: ITRE
Amendment 166 #
Proposal for a regulation
Recital 50
(50) Currently, the cybersecurity certification of ICT products and services is used only to a limited extent. When it exists, it mostly occurs at Member State level or in the framework of industry driven schemes. In this context, a certificate issued by one national cybersecurity authority is not in principle recognised by other Member States. Companies thus may have to certify their products and services in several Member States where they operate, for example with a view to participating in national procurement procedures. Moreover, while new schemes are emerging, there seems to be no coherent and holistic approach with regard to horizontal cybersecurity issues, for instance in the field of the Internet of Things. Existing schemes present significant shortcomings and differences in terms of product coverage, levels of assurance, substantive criteria and actual utilisation. Mutual recognition and trust among Member States is a key element in this respect. ENISA has an important role to play in helping the Member States develop a solid institutional structure and expertise in protection against potential cyber attacks.
2018/04/30
Committee: ITRE
Amendment 172 #
Proposal for a regulation
Recital 53 a (new)
(53 a) The Agency and the Commission should make the best use of already existing certification schemes at EU and/or international level. ENISA should be able to assess which schemes already in use are fit for purpose and can be brought into European legislation in cooperation with EU standardisation organisations and, as far as possible, internationally recognised. Existing good practices should be collected and shared among Member States.
2018/04/30
Committee: ITRE
Amendment 204 #
Proposal for a regulation
Article 1 – paragraph 1 – point b
(b) lays down a framework for the establishment of European cybersecurity certification schemes for the purpose of ensuring an adequate level of cybersecurity of ICT products, processes and services in the Union. Such framework shall apply without prejudice to specific provisions regarding voluntary or mandatory certification in other Union acts.
2018/04/30
Committee: ITRE
Amendment 228 #
Proposal for a regulation
Article 2 – paragraph 1 – point 10
(10) ‘European cybersecurity certificate’ means a document issued by a conformity assessment body attesting that a given ICT product, process or service fulfils the specific requirements laid down in a European cybersecurity certification scheme;
2018/04/30
Committee: ITRE
Amendment 237 #
Proposal for a regulation
Article 2 – paragraph 1 – point 16 a (new)
(16 a) ‘self-assessment’ is defined on the basis of Regulation (EC) 768/2008, module H (768/2008/EC, module H, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2008:218:0082:0128:en:PDF)
2018/04/30
Committee: ITRE
Amendment 241 #
Proposal for a regulation
Article 3 – paragraph 2 a (new)
2 a. The Agency shall assist Member States and Union institutions in establishing policies and practices for the responsible management and coordinated disclosure of vulnerabilities in ICT products and services that are not publicly known.
2018/04/30
Committee: ITRE
Amendment 247 #
Proposal for a regulation
Article 4 – paragraph 2
2. The Agency shall assist the Union institutions, agencies and bodies, as well as Member States, in developing and implementing policies related to cybersecurity and raising awareness among citizens and businesses.
2018/04/30
Committee: ITRE
Amendment 261 #
Proposal for a regulation
Article 4 – paragraph 6
6. The Agency shall promote the use of certification, including by contributing to the establishment and maintenance of a cybersecurity certification framework at Union level in accordance with Title III of this Regulation, with a view to increasing transparency of cybersecurity assurance of ICT products and services, reducing fragmentation of the internal market and thus strengthening trust in the digital internal market.
2018/04/30
Committee: ITRE
Amendment 271 #
Proposal for a regulation
Article 4 – paragraph 7 a (new)
7 a. The Agency shall assist and advise Member States and Union institutions in establishing policies and practices for the responsible management and coordinated disclosure of vulnerabilities in ICT products and services that are not publicly known, inter alia, by establishing government vulnerability disclosure review processes and coordinated vulnerability disclosure policies.
2018/04/30
Committee: ITRE
Amendment 273 #
Proposal for a regulation
Article 5 – paragraph 1 – point 2
2. assisting Member States to implement consistently the Union policy and law regarding cybersecurity notably in relation to Directive (EU) 2016/1148, including by means of opinions, guidelines, advice and best practices on topics such as secure software and systems development, risk management, incident reporting and information sharing, technical and organisational measures, in particular the establishment of coordinated vulnerability disclosure programmes, as well as facilitating the exchange of best practices between competent authorities in this regard;
2018/04/30
Committee: ITRE
Amendment 277 #
Proposal for a regulation
Article 5 – paragraph 1 – point 2 a (new)
2 a. proposing a blueprint which establishes the roles, responsibilities and legal obligations of vendors, manufacturers, CERTs and CSIRTs, and which further clarifies the legal rights and protections of information security researchers in the context of a coordinated vulnerability disclosure programme, in particular in cases of multi-party vulnerability disclosures that affect multiple vulnerability finders and vendors in different Member States
2018/04/30
Committee: ITRE
Amendment 286 #
Proposal for a regulation
Article 5 – paragraph 1 – point 4 – point 2 a (new)
(2 a) the development and promotion of policies that would sustain the general availability or integrity of the public core of the open internet, which provide the essential functionality to the Internet as a whole and which underpin its normal operation, including, but not limited to, the security and stability of key protocols (in particular DNS, BGP, and IPv6), the operation of the Domain Name System (including those of all Top Level Domains), and the operation of the Root Zone
2018/04/30
Committee: ITRE
Amendment 288 #
Proposal for a regulation
Article 6 – paragraph 1 – point a a (new)
(a a) Members States and Union institutions in establishing and implementing coordinated vulnerability disclosure policies and government vulnerability disclosure review processes, whose practices and determinations should be transparent and subject to independent oversight.
2018/04/30
Committee: ITRE
Amendment 306 #
Proposal for a regulation
Article 7 – paragraph 7 a (new)
7 a. The Agency shall prepare, together with the EEAS, a regular global Cybersecurity Situational Report on incidents and threats towards individuals, including towards vulnerable users outside the EU such as lawyers, journalists, or human rights defenders, in order to help the Union institutions respond to external needs and uphold its human rights responsibilities abroad.
2018/04/30
Committee: ITRE
Amendment 311 #
Proposal for a regulation
Article 7 – paragraph 8 – point e a (new)
(e a) assisting and advising Member States on establishing and implementing coordinated vulnerability disclosure policies and government vulnerability disclosure review processes.
2018/04/30
Committee: ITRE
Amendment 340 #
Proposal for a regulation
Article 8 – paragraph 1 – point b
(b) facilitate the establishment and take-up of European and/or international standards for risk management and for the security of ICT products and services, as well as draw up, in collaboration with Member States, advice and guidelines regarding the technical areas related to the security requirements for operators of essential services and digital service providers, as well as regarding already existing standards, including Member States' national standards, pursuant to Article 19(2) of Directive (EU) 2016/1148, and share this information among Member States;
2018/04/30
Committee: ITRE
Amendment 344 #
Proposal for a regulation
Article 8 – paragraph 1 – point c a (new)
(c a) support and promote the development and implementation of coordinated vulnerability disclosure policies and government vulnerability disclosure review processes
2018/04/30
Committee: ITRE
Amendment 390 #
Proposal for a regulation
Article 20 a (new)
Article 20 a
Consultation Forum
The Commission, together with the Agency, shall ensure that, in the conduct of its activities, it observes, in respect of each implementing measure, a balanced participation of Member States’ representatives and all interested parties concerned with the product or product group in question, such as industry, including SMEs, trade unions, traders, retailers, importers, environmental protection groups and consumer and end-user organisations. These parties shall meet in a Consultation Forum. The outcome of this forum may lead to an impetus for the proposal of a candidate scheme. The rules of procedure of the Forum shall be established by the Commission.
2018/04/30
Committee: ITRE
Amendment 391 #
Proposal for a regulation
Article 21 a (new)
Article 21 a
Request to the Agency
1. The Agency should establish and manage a single entry point through which requests for advice and assistance falling within the Agency’s objectives and tasks shall be addressed. These requests should be accompanied by background information explaining the issue to be addressed. The Agency should draw up the potential resource implications and, in due course, follow up on the requests. If the Agency refuses a request, it shall give a justification.
2. Requests referred to in paragraph 1 may be made by:
a) the European Parliament
b) the Council
c) the Commission
d) any competent body appointed by a Member State, such as a national regulatory authority defined in Article 2 of Directive 2002/21/EC.
3. The practical arrangements for applying paragraphs 1 and 2, regarding in particular submission, prioritisation, follow-up and information, shall be laid down by the Management Board in the Agency’s internal rules of operation.
2018/04/30
Committee: ITRE
Amendment 426 #
Proposal for a regulation
Article 44 – paragraph 2
2. When preparing candidate schemes referred to in paragraph 1 of this Article, ENISA shall consult all relevant stakeholders as requested under Article 20 a and closely cooperate with the Group. The Group shall provide ENISA with the assistance and expert advice required by ENISA in relation to the preparation of the candidate scheme, including by providing opinions where necessary.
2018/04/30
Committee: ITRE
Amendment 443 #
Proposal for a regulation
Article 44 – paragraph 5 a (new)
5a. Adopted schemes shall be reviewed and, if necessary, updated on a regular basis in cooperation with relevant stakeholders and the Group within the structure established under this Regulation.
2018/04/30
Committee: ITRE
Amendment 484 #
Proposal for a regulation
Article 46 – paragraph 2 – point a
(a) certificate assurance level basic shall correspond to the assessment by a third party that the basic risks of cyber incidents for ICT processes, products or services are covered;
2018/04/30
Committee: ITRE
Amendment 490 #
Proposal for a regulation
Article 46 – paragraph 2 – point a a (new)
(aa) This assessment shall include the review of the technical documentation of the ICT product, service or process;
2018/04/30
Committee: ITRE
Amendment 494 #
Proposal for a regulation
Article 46 – paragraph 2 – point b
(b) certificate assurance level substantial shall correspond to the assessment by a third party that the substantial risks of cyber incidents for ICT processes, products or services are covered;
2018/04/30
Committee: ITRE
Amendment 499 #
Proposal for a regulation
Article 46 – paragraph 2 – point b a (new)
(ba) This assessment shall include the review of the technical documentation and the testing of the security functionalities implemented, in accordance with the requirements set out in the technical documentation;
2018/04/30
Committee: ITRE
Amendment 503 #
Proposal for a regulation
Article 46 – paragraph 2 – point c
(c) certification assurance high shall correspond to the assessment by a third party that high risks of cyber incidents for ICT processes, products or services are covered;
2018/04/30
Committee: ITRE
Amendment 509 #
Proposal for a regulation
Article 46 – paragraph 2 – point c a (new)
(ca) This assessment shall include the review of the technical documentation, the testing of the security functionalities implemented, in accordance with the requirements set out in the technical documentation and the assessment of the resistance of the ICT processes, products or services to skilled attackers having significant to unlimited resources, through penetration testing.
2018/04/30
Committee: ITRE
Amendment 511 #
Proposal for a regulation
Article 46 – paragraph 2 a (new)
2a. The methodology to distinguish between the different assurance levels should be guided by a test which assesses the resistance of the security functionalities against attackers that have significant to unlimited resources.
2018/04/30
Committee: ITRE
Amendment 519 #
Proposal for a regulation
Article 47 – paragraph 1 – point b
(b) detailed specification of the cybersecurity requirements against which the specific ICT products and services are evaluated, for example by reference to Union and/or international standards or technical specifications. Already existing international standards should be taken into account;
2018/04/30
Committee: ITRE
Amendment 525 #
Proposal for a regulation
Article 47 – paragraph 1 – point c
(c) where applicable, one or more assurance levels taking into account, inter alia, a risk-based approach;
2018/04/30
Committee: ITRE
Amendment 534 #
Proposal for a regulation
Article 47 – paragraph 1 – point j
(j) rules concerning how previously undetected cybersecurity vulnerabilities in ICT products and services are to be reported and dealt with; requiring vulnerabilities in ICT products and services that are not publicly known to be reported expeditiously by the appropriate authorities to relevant vendors and manufacturers using a coordinated vulnerability disclosure process.
2018/04/30
Committee: ITRE
Amendment 540 #
Proposal for a regulation
Article 47 – paragraph 1 – point m a (new)
(ma) rules concerning how and when Member States must inform each other when they acquire knowledge of a vulnerability that is not publicly known in an ICT product or service that is certified under this certification scheme.
2018/04/30
Committee: ITRE
Amendment 546 #
Proposal for a regulation
Article 47 – paragraph 4 a (new)
4a. Certification schemes may be in particular created for those product groups mentioned in Annex I of this regulation.
2018/04/30
Committee: ITRE
Amendment 615 #
Proposal for a regulation
Article 53 – paragraph 3 a (new)
3a. (g) to establish a peer review process. This process shall have regard in particular to the required technical expertise of NCSAs in the fulfilment of their tasks, as described in Articles 48 and 50, and include when necessary the development of guidance and best practice documents to improve compliance of the NCSAs with this Regulation.
2018/04/30
Committee: ITRE
Amendment 617 #
Proposal for a regulation
Article 53 – paragraph 3 b (new)
3b. (h) to supervise the surveillance and maintenance of a certificate.
2018/04/30
Committee: ITRE
Amendment 625 #
Proposal for a regulation
Title 4 a (new)
ANNEX 1 (new)
Upon launching the EU cybersecurity certification framework it is likely that attention will focus on areas of imminent interest, to rise to the challenge posed by emerging technologies. The area of the Internet of Things is of particular interest as it cuts across consumer as well as industry requirements. The following priority list for adoption into the certification framework is proposed:
(1) Certification of cloud service provision.
(2) Certification of IoT devices including:
a. devices at individual level, such as smart wearables;
b. devices at community level, such as smart cars, smart homes, health devices;
c. devices at society level, such as smart cities and smart grids.
(3) Industry 4.0 involving intelligent, interconnected cyber-physical systems that automate all phases of industrial operations, spanning from design and manufacturing to operation, supply chain and service maintenance.
(4) Certification of technologies and products used in everyday life, for example networking devices such as home internet routers.
2018/04/30
Committee: ITRE