34 Amendments of Maria GRAPINI related to 2017/0225(COD)
Amendment 25 #
Proposal for a regulation
Recital 3
(3) Increased digitisation and connectivity lead to increased cybersecurity risks, thus making society at large more vulnerable to cyber threats and exacerbating dangers faced by individuals, including vulnerable persons such as children. In order to mitigate this risk to society, all necessary actions need to be taken to improve cybersecurityinformation security against cyberattacks in the EU to better protect network and information systems, telecommunication networks, digital products, services and devices used by citizens, governments and business – from SMEs to operators of critical infrastructures – from cyber threats.
Amendment 28 #
Proposal for a regulation
Recital 4
(4) Cyber-attacks are on the increase and a connected economy and society that is more vulnerable to cyber threats and attacks requires stronger and more secure defences. However, while cyber-attacks are often cross-border, policy responses by cybersecurity authorities and law enforcement competences are predominantly national. Large-scale cyber incidents could disrupt the provision of essential services across the EU. This requires effective EU level response and crisis management, building upon dedicated policies and wider instruments for European solidarity and mutual assistance. Moreover, a regular assessment of the state of cybersecurity and resilience in the Union, based on reliable Union data, as well as systematic forecast of future developments, challenges and threats, both at Union and global level, is therefore important for policy makers, industry and users.
Amendment 31 #
Proposal for a regulation
Recital 5 a (new)
(5a) Cybersecurity is an aspect of security as a whole, and competence and expertise in security assessment rests with the Member States. Managing the area of freedom, security and justice is a competence that is shared between the Union and the Member States, but, given the impact of cybersecurity on national security, it is in many respects a matter of national sovereignty. For this reason, as regards the single European certification framework, the role of Member States and of national certification authorities should not be reduced to an advisory one. Member States should have a significant role in the new cybersecurity certification architecture, also taking account of their expertise.
Amendment 40 #
Proposal for a regulation
Recital 21 a (new)
(21a) The Commission should propose the introduction of mandatory cooperation between Member States concerning the protection of critical information infrastructure.
Amendment 52 #
Proposal for a regulation
Recital 50
(50) Currently, the cybersecurity certification of ICT products and services is used only to a limited extent. When it exists, it mostly occurs at Member State level or in the framework of industry driven schemes. In this context, a certificate issued by one national cybersecurity authority is not in principle recognised by other Member States. Companies thus may have to certify their products and services in several Member States where they operate, for example with a view to participating in national procurement procedures, and these procedures may entail additional costs for companies. Moreover, while new schemes are emerging, there seems to be no coherent and holistic approach with regard to horizontal cybersecurity issues, for instance in the field of the Internet of Things. Existing schemes present significant shortcomings and differences in terms of product coverage, levels of assurance, substantive criteria and actual utilisation.
Amendment 56 #
Proposal for a regulation
Recital 3
(3) Increased digitisation and connectivity lead to increased cybersecurity risks, thus making society at large more vulnerable to cyber threats and exacerbating dangers faced by individuals, including vulnerable persons such as children. In order to mitigate this risk to society, all necessary actions need to be taken to improve cybersecurity against cyber-attacks in the EU to better protect network and information systems, telecommunication networks, digital products, services and devices used by citizens, governments and business – from SMEs to operators of critical infrastructures – from cyber threats.
Amendment 56 #
Proposal for a regulation
Recital 56 a (new)
(56a) This European certification process needs to be analysed to avoid increased costs for producers.
Amendment 58 #
Proposal for a regulation
Recital 4
(4) Cyber-attacks are on the increase and a connected economy and society that is more vulnerable to cyber threats and attacks requires stronger and more secure defences. However, while cyber-attacks are often cross-border, policy responses by cybersecurity authorities and law enforcement competences are predominantly national. Large-scale cyber incidents could disrupt the provision of essential services across the EU. This requires effective EU level response and crisis management, building upon dedicated policies and wider instruments for European solidarity and mutual assistance. Moreover, a regular assessment of the state of cybersecurity and resilience in the Union, based on reliable Union data, as well as systematic forecast of future developments, challenges and threats, both at Union and global level, is therefore important for policy makers, industry and users.
Amendment 62 #
Proposal for a regulation
Recital 5 a (new)
(5a) Protection against cyber-attacks is an overarching security issue, with Member States assuming responsibility for security assessment and sharing with the Union responsibility for management of the area of freedom, security and justice (Article 4 TFEU). In view of the implications of cybersecurity in terms of national security, this is largely a question of national sovereignty. For this reason, the role of Member States and hence the national certification authorities should be more than just an advisory one within the European single certification framework. Given their expertise in this area, the Member States should play a substantial part in the new cybersecurity certification system.
Amendment 65 #
Proposal for a regulation
Recital 21 a (new)
(21a) The Commission is called upon to introduce mandatory cooperation provisions between Member States to ensure the protection of vital infrastructure.
Amendment 65 #
Proposal for a regulation
Article 3 – paragraph 1
1. The Agency shall undertake the tasks assigned to it by this Regulation for the purpose of contributing to a high level of cybersecurityinformation security, in order to prevent cyberattacks within the Union.
Amendment 66 #
Proposal for a regulation
Article 3 – paragraph 2
2. The Agency shall carry out tasks conferred upon it by Union acts setting out measures for approximating the laws, regulations and administrative provisions of the Member States which are related to cyberthe security of cyberinformation.
Amendment 67 #
Proposal for a regulation
Article 4 – paragraph 2
2. The Agency shall assist the Union institutions, agencies and bodies, as well as Member States, in developing and implementing policies related to cybersecuritythe security of cyberinformation, for the purpose of preventing cyberattacks.
Amendment 81 #
Proposal for a regulation
Article 7 – paragraph 5 – subparagraph 1
Upon a request by twoone or more Member States concerned, and with the sole purpose of providing advice for the prevention of future incidents, the Agency shall provide support to or carry out an ex-post technical enquiry following notifications by affected undertakings of incidents having a significant or substantial impact pursuant to Directive (EU) 2016/1148. The Agency shall also carry out such an enquiry upon a duly justified request from the Commission in agreement with the concerned Member States in case of such incidents affecting more than two Member States.
Amendment 88 #
Proposal for a regulation
Recital 50
(50) Currently, the cybersecurity certification of ICT products and services is used only to a limited extent. When it exists, it mostly occurs at Member State level or in the framework of industry driven schemes. In this context, a certificate issued by one national cybersecurity authority is not in principle recognised by other Member States. Companies thus may have to certify their products and services in several Member States where they operate, for example with a view to participating in national procurement procedures, thereby adding to their costs. Moreover, while new schemes are emerging, there seems to be no coherent and holistic approach with regard to horizontal cybersecurity issues, for instance in the field of the Internet of Things. Existing schemes present significant shortcomings and differences in terms of product coverage, levels of assurance, substantive criteria and actual utilisation.
Amendment 94 #
Proposal for a regulation
Article 14 – paragraph 1 – point m
(m) appoint the Executive Director through selection based on professional criteria and where relevant extend his term of office or remove him from office in accordance with Article 33 of this Regulation;
Amendment 101 #
Proposal for a regulation
Recital 55 a (new)
(55a) In light of innovation trends, and the growing accessibility and constantly increasing number of IoT devices in all sectors of society, particular attention must be paid to the security of all and even the simplest of IoT products. Therefore, as certification is a key method for increasing trust in the market and increasing security and resilience, emphasis should be given to IoT products and services in the new EU cybersecurity certification framework, in order to make them less vulnerable and safer for consumers and businesses.
Amendment 103 #
Proposal for a regulation
Recital 56
Text proposed by the Commission:
(56) The Commission should be empowered to request ENISA to prepare candidate schemes for specific ICT products or services. The Commission, based on the candidate scheme proposed by ENISA, should then be empowered to adopt the European cybersecurity certification scheme by means of implementing acts. Taking account of the general purpose and security objectives identified in this Regulation, European cybersecurity certification schemes adopted by the Commission should specify a minimum set of elements concerning the subject-matter, scope and functioning of the individual scheme. These should include among others the scope and object of the cybersecurity certification, including the categories of ICT products and services covered, the detailed specification of the cybersecurity requirements, for example by reference to standards or technical specifications, the specific evaluation criteria and evaluation methods, as well as the intended level of assurance: basic, substantial and/or high.

Amendment:
(56) The Commission should be empowered to request ENISA to prepare candidate schemes for specific ICT products or services. The power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission in respect of establishing European cybersecurity certification schemes for ICT products and services. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making. In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States’ experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts. When adopting those delegated acts, the Commission should base the cybersecurity certification schemes for ICT products and services on any relevant candidate schemes proposed by ENISA.
Amendment 109 #
Proposal for a regulation
Recital 56 a (new)
(56a) Among the evaluation methods and assessment procedures related to each European cybersecurity certification scheme, ethical hacking, the aim of which is to locate weaknesses and vulnerabilities of devices and information systems by anticipating the intended actions and skills of malicious hackers, should be promoted at Union level.
Amendment 110 #
Proposal for a regulation
Recital 56 a (new)
(56a) This European certification process needs to be analysed to avoid increased costs for producers.
Amendment 146 #
Proposal for a regulation
Article 3 – paragraph 1
1. The Agency shall undertake the tasks assigned to it by this Regulation for the purpose of contributing to a high level of cybersecurityinformation security, in order to prevent cyber-attacks within the Union.
Amendment 148 #
Proposal for a regulation
Article 3 – paragraph 2
2. The Agency shall carry out tasks conferred upon it by Union acts setting out measures for approximating the laws, regulations and administrative provisions of the Member States which are related to cyberdata security.
Amendment 151 #
Proposal for a regulation
Article 4 – paragraph 2
2. The Agency shall assist the Union institutions, agencies and bodies, as well as Member States, in developing and implementing policies related to cybersecuritydata security for the purpose of preventing cyber-attacks.
Amendment 176 #
Proposal for a regulation
Article 7 – paragraph 5 – subparagraph 1
Upon a request by twoone or more Member States concerned, and with the sole purpose of providing advice for the prevention of future incidents, the Agency shall provide support to or carry out an ex-post technical enquiry following notifications by affected undertakings of incidents having a significant or substantial impact pursuant to Directive (EU) 2016/1148. The Agency shall also carry out such an enquiry upon a duly justified request from the Commission in agreement with the concerned Member States in case of such incidents affecting more than two Member States.
Amendment 181 #
Proposal for a regulation
Article 8 – paragraph 1 – point a – point 1 a (new)
Amendment 205 #
Proposal for a regulation
Article 14 – paragraph 1 – point m
(m) appoint the Executive Director through selection based on professional criteria and where relevant extend his term of office or remove him from office in accordance with Article 33 of this Regulation;
Amendment 218 #
Proposal for a regulation
Article 20 – paragraph 5 a (new)
5a. It advises the Agency when the latter prepares candidate schemes.
Amendment 251 #
Proposal for a regulation
Article 44 – paragraph 4
Text proposed by the Commission:
4. The Commission, based on the candidate scheme proposed by ENISA, may adopt implementing acts, in accordance with Article 55(1), providing for European cybersecurity certification schemes for ICT products and services meeting the requirements of Articles 45, 46 and 47 of this Regulation.

Amendment:
4. The Commission is empowered to adopt delegated acts, in accordance with Article 55a, concerning the establishment of European cybersecurity certification schemes for ICT products and services meeting the requirements of Articles 45, 46 and 47 of this Regulation. When adopting those delegated acts, the Commission shall base the cybersecurity certification schemes for ICT products and services on any relevant candidate scheme proposed by ENISA.
Amendment 282 #
Proposal for a regulation
Article 46 – paragraph 1
1. AEach European cybersecurity certification scheme may specify one or more of the following assurance levels: basic - “functionally secure”, “substantially secure” and/or “high,ly secure” - for ICT products and services issued under that scheme, taking into account, inter alia, their intended use and their inherent risk.
Amendment 286 #
Proposal for a regulation
Article 46 – paragraph 1 a (new)
1a. Each scheme shall indicate the assessment methodology or evaluation process that is to be followed for issuing certificates at each assurance level, depending on the intended use and the risk inherent to the ICT products and services under that scheme.
Amendment 394 #
Proposal for a regulation
Article 49 – paragraph 1
1. Without prejudice to paragraph 3, national cybersecurity certification schemes and the related procedures for the ICT products and services covered by a European cybersecurity certification scheme shall cease to produce effects from the date established in the implementing act adopted pursuant Article 44(4). The Commission shall monitor compliance with this subparagraph, in order to avoid the existence of concurrent schemes. Existing national cybersecurity certification schemes and the related procedures for the ICT products and services not covered by a European cybersecurity certification scheme shall continue to exist.
Amendment 408 #
Proposal for a regulation
Article 50 – paragraph 3
3. Each national certification supervisory authority shall, in its organisation, funding decisions, legal structure and decision-making, be independent of the entities they supervise and shall not be a conformity assessment body or a national accreditation body.
Amendment 442 #
Proposal for a regulation
Article 55 a (new)
Article 55a
Exercise of the delegation

The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.

The power to adopt delegated acts referred to in Article 44(4) shall be conferred on the Commission for a period of 5 years from [date of entry into force of the basic legislative act]. The Commission shall draw up a report in respect of the delegation of power not later than nine months before the end of the 5 year period. The delegation of power shall be tacitly extended for periods of an identical duration, unless the European Parliament or the Council opposes such extension not later than three months before the end of each period.

The delegation of power referred to in Article 44(4) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.

Before adopting a delegated act, the Commission shall consult experts designated by each Member State in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making.

As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.

A delegated act adopted pursuant to Article 44(4) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of [two months] of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by [two months] at the initiative of the European Parliament or of the Council.
Amendment 444 #
Proposal for a regulation
Annex I – paragraph 1 – point 3