42 Amendments of Martina WERNER related to 2017/0225(COD)
Amendment 101 #
Proposal for a regulation
Recital 5
(5) In light of the increased cybersecurity challenges faced by the Union, there is a need for a comprehensive set of measures that would build on previous Union action and foster mutually reinforcing objectives. These include the need to further increase capabilities and preparedness of Member States and businesses, as well as to improve cooperation, coordination and information sharing across Member States and EU institutions, agencies and bodies. Furthermore, given the borderless nature of cyber threats, there is a need to increase capabilities at Union level that could complement the action of Member States, in particular in the case of large scale cross-border cyber incidents and crises. Additional efforts are also needed to increase awareness of citizens and businesses on cybersecurity issues, also with regard to an awareness of the increased relevance of information-sharing rather than concealment as a main deterrent to cyber attacks. Moreover, the trust in the digital single market should be further improved by offering transparent information on the level of security of ICT products and services. This can be facilitated by EU-wide certification providing common cybersecurity requirements and evaluation criteria across national markets and sectors.
Amendment 110 #
Proposal for a regulation
Recital 11
(11) Given the increasing cybersecurity challenges the Union is facing, the financial and human resources allocated to the Agency should be increased to reflect its enhanced role and tasks, and its critical position in the ecosystem of organisations defending the European digital ecosystem, allowing ENISA to effectively carry out the tasks conferred on it by this Regulation.
Amendment 113 #
Proposal for a regulation
Recital 13
(13) The Agency should assist the Commission, on its own initiative and upon request, by means of advice, opinions and analyses on all the Union matters related to policy and law development, update and review in the area of cybersecurity, including critical infrastructure protection and cyber resilience. The Agency should act as a reference point of advice and expertise for Union sector-specific policy and law initiatives where matters related to cybersecurity are involved. The Agency should regularly provide Parliament with updates, analysis and review in the area of cybersecurity and the evolution of its tasks.
Amendment 117 #
Proposal for a regulation
Recital 15
(15) The Agency should assist the Member States and Union institutions, bodies, offices and agencies in their efforts to build and enhance capabilities and preparedness to prevent, detect and respond to cybersecurity problems and incidents and in relation to the security of network and information systems. In particular, the Agency should support the development and enhancement of national CSIRTs, with a view of achieving a high common level of their maturity in the Union. The Agency should also assist with the development and update of Union and Member States strategies on the security of network and information systems, in particular on cybersecurity, promote their dissemination and track progress of their implementation. Considering that human mistakes are one of the most pertinent risks to cyber security, the Agency should also offer trainings and training material to public bodies, and to the maximum extent possible "train the trainers" with a view to assisting Member States and Union institutions and agencies in developing their own training capabilities.
Amendment 121 #
Proposal for a regulation
Recital 19
(19) The Agency should contribute to an EU level response in case of large-scale cross-border cybersecurity incidents and crises. This function should include gathering relevant information and acting as facilitator between the CSIRTs Network and the technical community as well as decision makers responsible for crisis management. Furthermore, the Agency could support the handling of incidents from a technical perspective, for example by facilitating relevant technical exchange of solutions between Member States and by providing input into public communications. The Agency should support the process by testing modalities of such cooperation through yearly cybersecurity exercises.
Amendment 126 #
Proposal for a regulation
Recital 28
(28) The Agency should contribute towards raising the awareness of the public about risks related to cybersecurity and provide guidance on good practices for individual users aimed at citizens, organisations and businesses. The Agency should also contribute to promote best practices and solutions at the level of individuals, organisations and businesses by collecting and analysing publicly available information regarding significant incidents, and by compiling reports with a view to providing guidance to businesses and citizens and improving the overall level of preparedness and resilience. The Agency should furthermore organise, in cooperation with the Member States and the Union institutions, bodies, offices and agencies, regular outreach and public education campaigns directed to end-users, aiming at promoting safer individual online behaviour, digital literacy and raising awareness of potential threats in cyberspace, including cybercrimes such as phishing attacks, botnets, financial and banking fraud, as well as promoting basic authentication and data protection advice. The Agency should play a central role in accelerating end-user awareness on security of devices. Given that individual mistakes and unawareness of cyber risks constitute a main factor of uncertainty in cyber security, the Agency should be provided with adequate resources for exercising this function to the maximum degree possible.
Amendment 131 #
Proposal for a regulation
Recital 30
(30) To ensure that it fully achieves its objectives, the Agency should liaise with relevant institutions, agencies and bodies, including CERT-EU, European Cybercrime Centre (EC3) at Europol, European Defence Agency (EDA), European Agency for the operational management of large-scale IT systems (eu-LISA), European Aviation Safety Agency (EASA), European Central Bank (ECB), European Banking Authority (EBA), the Single Resolution Board (SRB), European Securities and Markets Authority (ESMA), other European and national supervisory authorities as appropriate, the European Standards Organisations (ESOs), relevant stakeholders as appropriate, and any other EU Agency that is involved in cybersecurity. It should also liaise with authorities dealing with data protection in order to exchange know-how and best practices and provide advice on cybersecurity aspects that might have an impact on their work. Representatives of national and Union law enforcement and data protection authorities should be eligible to be represented in the Agency’s Permanent Stakeholders’ Group. In liaising with law enforcement bodies regarding network and information security aspects that might have an impact on their work, the Agency should respect existing channels of information and established networks.
Amendment 142 #
Proposal for a regulation
Recital 37
(37) Cybersecurity problems are global issues. There is a need for closer international cooperation to improve security standards, including the definition of common norms of behaviour and codes of conduct, use of international standards, and information sharing, promoting swifter international collaboration in response to, as well as a common global approach to, network and information security issues. To that end, the Agency should support further Union involvement and cooperation with third countries and international organisations by providing, where appropriate, the necessary expertise and analysis to the relevant Union institutions, bodies, offices and agencies.
Amendment 152 #
Proposal for a regulation
Recital 44
(44) The Agency should have a Permanent Stakeholders’ Group as an advisory body, to ensure regular dialogue with the private sector, consumers’ organisations and other relevant stakeholders. The Permanent Stakeholders’ Group, set up by the Management Board on a proposal by the Executive Director, should focus on issues relevant to stakeholders and bring them to the attention of the Agency. The composition of the Permanent Stakeholders’ Group and the tasks assigned to this Group, to be consulted in particular regarding the draft Work Programme, should ensure sufficient representation of stakeholders in the work of the Agency. The Permanent Stakeholders’ Group should be empowered to suggest the preparation of candidate certification schemes.
Amendment 158 #
Proposal for a regulation
Recital 47
(47) Conformity assessment is the process demonstrating whether specified requirements relating to a product, process, service, system, person or body have been fulfilled. For the purposes of this Regulation, certification and, where permitted, self-assessment should be considered as a type of conformity assessment regarding the cybersecurity features of a product, process, service, system, or a combination of those ("ICT products and services"). Certification is undertaken by an independent third party, other than the product manufacturer or service provider. Self-assessment may be undertaken by the product manufacturer or service provider, as foreseen in and according to the New Legislative Framework and specified in this Regulation, where the likelihood of a cybersecurity incident occurring, or the likelihood of such an incident causing substantial harm to the user, society, or a part thereof, is not expected to be high. Certification cannot guarantee per se that certified ICT products and services are cyber secure. It is rather a procedure and technical methodology to attest that ICT products and services have been tested and that they comply with certain cybersecurity requirements laid down elsewhere, for example as specified in technical standards.
Amendment 187 #
Proposal for a regulation
Recital 58
(58) Once a European cybersecurity certification scheme is adopted, manufacturers of ICT products or providers of ICT services should be able to submit an application for certification of their products or services to a conformity assessment body of their choice. Conformity assessment bodies should be accredited by an accreditation body if they comply with certain specified requirements set out in this Regulation. Accreditation should be issued for a maximum of five years and may be renewed on the same conditions provided that the conformity assessment body meets the requirements. Accreditation bodies should revoke an accreditation of a conformity assessment body where the conditions for the accreditation are not, or are no longer, met or where actions taken by a conformity assessment body infringe this Regulation. Audits by the Agency should be carried out to ensure an equivalent level of quality and diligence of conformity assessment bodies with a view to avoiding regulatory arbitrage. The results should be reported to the Agency, the Commission and Parliament and should be made publicly available.
Amendment 194 #
Proposal for a regulation
Recital 63
(63) In order to specify further the criteria for the accreditation of conformity assessment bodies, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission. The Commission should carry out appropriate consultations during its preparatory work, including at expert level and with relevant stakeholders, as appropriate. Those consultations should be conducted in accordance with the principles laid down in the Interinstitutional Agreement on Better Law-Making of 13 April 2016. In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council should receive all documents at the same time as Member States' experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts.
Amendment 202 #
Proposal for a regulation
Article 1 – paragraph 1 – point b
(b) lays down a framework for the establishment of European cybersecurity certification schemes for the purpose of ensuring an adequate level of cybersecurity of ICT products, services and processes in the Union. Such framework shall apply without prejudice to specific provisions regarding voluntary or mandatory certification in other Union acts.
Amendment 220 #
Proposal for a regulation
Article 2 – paragraph 1 – point 9
(9) ‘European cybersecurity certification scheme’ means the comprehensive set of rules, technical requirements, standards and procedures defined at Union level applying to the certification of Information and Communication Technology (ICT) products, services and processes falling under the scope of that specific scheme;
Amendment 222 #
Proposal for a regulation
Article 2 – paragraph 1 – point 9 a (new)
(9 a) ‘European cybersecurity self-assurance scheme’ means the comprehensive set of rules, technical specifications or requirements, standards and procedures defined at Union level applying to the self-assessment of ICT products, services and processes falling under the scope of that specific scheme;
Amendment 227 #
Proposal for a regulation
Article 2 – paragraph 1 – point 10
(10) ‘European cybersecurity certificate’ means a document issued either by a conformity assessment body or by self-assessment, where permitted, attesting that a given ICT product, process or service fulfils the specific requirements laid down in a European cybersecurity certification scheme;
Amendment 229 #
Proposal for a regulation
Article 2 – paragraph 1 – point 10
(10) ‘European cybersecurity certificate’ means a document issued by a conformity assessment body attesting that a given ICT product, service or process fulfils the specific requirements laid down in a European cybersecurity certification scheme;
Amendment 249 #
Proposal for a regulation
Article 4 – paragraph 3
3. The Agency shall support capacity building and preparedness across the Union, by assisting the Union, Member States and public and private stakeholders in order to increase the protection of their network and information systems, develop skills, awareness and competencies in the field of cybersecurity, and achieve cyber resilience and response capacities.
Amendment 253 #
Proposal for a regulation
Article 4 – paragraph 4
4. The Agency shall promote cooperation, coordination and information sharing at Union level among Member States, Union institutions, agencies and bodies, and relevant stakeholders, including the private sector, on matters related to cybersecurity.
Amendment 262 #
Proposal for a regulation
Article 4 – paragraph 6
6. The Agency shall promote the use of certification, including by contributing to the establishment and maintenance of a cybersecurity certification framework at Union level in accordance with Title III of this Regulation, with a view to increasing transparency of cybersecurity assurance of ICT products, services and processes and thus strengthening trust in the digital internal market.
Amendment 266 #
Proposal for a regulation
Article 4 – paragraph 7
7. The Agency shall promote a high level of awareness and digital literacy of citizens and businesses on issues related to cybersecurity.
Amendment 272 #
Proposal for a regulation
Article 5 – paragraph 1 – point 1
1. assisting and advising, in particular by providing its independent opinion and analysis of relevant activities in cyberspace and supplying preparatory work, on the development and review of Union policy and law in the area of cybersecurity, as well as sector-specific policy and law initiatives where matters related to cybersecurity are involved;
Amendment 276 #
Proposal for a regulation
Article 5 – paragraph 1 – point 2 a (new)
2 a. assisting Member States to implement consistently the Union policy and law regarding data protection notably in relation to Regulation (EU) 2016/679, as well as assisting the European Data Protection Board (EDPB) in the development of guidelines related to the implementation of Regulation (EU) 2016/679 for cybersecurity purposes. The EDPB should be required to consult ENISA every time it issues an opinion or adopts a decision concerning the implementation of the GDPR and cybersecurity, in particular on, but not limited to, issues related to privacy impact assessments, data breach notification, security processing, security requirements, and privacy by design.
Amendment 300 #
Proposal for a regulation
Article 7 – paragraph 5 – subparagraph 1
Upon a request by a Member State concerned, and with the sole purpose of providing assistance either in the form of advice for the prevention of future incidents, or in the form of assisting in the response to a current large scale incident, the Agency shall provide support to or carry out an ex-post technical enquiry following notifications by affected undertakings of incidents having a significant or substantial impact pursuant to Directive (EU) 2016/1148. The Agency shall also carry out such an enquiry upon a duly justified request from the Commission in agreement with the concerned Member States in case of such incidents affecting more than one Member State.
Amendment 307 #
Proposal for a regulation
Article 7 – paragraph 8 – point a
(a) analysing and aggregating reports from national sources with a view to contributing to establishing common situational awareness;
Amendment 313 #
Proposal for a regulation
Article 7 – paragraph 8 – point e b (new)
(e b) assisting Member States and Union institutions in developing and adopting a common taxonomy and template for situational reports to describe technical causes and impacts of cybersecurity incidents, to further enhance their technical and operational cooperation during crises.
Amendment 318 #
Proposal for a regulation
Article 8 – paragraph 1 – point a – introductory part
(a) support and promote the development and implementation of the Union policy on cybersecurity certification of ICT products, services and processes, as established in Title III of this Regulation, by:
Amendment 321 #
Proposal for a regulation
Article 8 – paragraph 1 – point a – point 1
(1) in consultation with stakeholders and standardisation organisations in a formal, standardised and transparent process, preparing candidate European cybersecurity certification schemes for ICT products and services in accordance with Article 44 of this Regulation;
Amendment 352 #
Proposal for a regulation
Article 9 – paragraph 1 – point e
(e) raise awareness of the public about cybersecurity risks, and provide trainings and guidance on good practices for individual users aimed at citizens and organisations;
Amendment 357 #
Proposal for a regulation
Article 9 – paragraph 1 – point g a (new)
(g a) support closer coordination and exchange of best practices among Member States on cybersecurity education, training and skills development, cyber hygiene and awareness.
Amendment 379 #
Proposal for a regulation
Article 20 – paragraph 1
1. The Management Board, acting on a proposal by the Executive Director, shall set up a Permanent Stakeholders’ Group composed of recognised experts representing the relevant stakeholders, such as the ICT industry, including SME groups, providers of electronic communications networks or services available to the public, consumer groups, academic experts in the cybersecurity, European Standards Organisations and conformity assessment bodies and representatives of competent authorities notified under [Directive establishing the European Electronic Communications Code] as well as of law enforcement and data protection supervisory authorities. The Management Board shall ensure an appropriate balance between different stakeholder groups.
Amendment 408 #
Proposal for a regulation
Article 43 – paragraph 1
A European cybersecurity certification scheme shall attest that the ICT products, services and processes that have been certified in accordance with such scheme comply with specified requirements as regards their ability to resist, at a given level of assurance, actions that aim to compromise the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the functions or services offered by, or accessible via, those products, processes, services and systems.
Amendment 425 #
Proposal for a regulation
Article 44 – paragraph 2
2. When preparing candidate schemes referred to in paragraph 1 of this Article, ENISA shall consult all relevant stakeholders by transparent consultation processes and closely cooperate with the Group. The Group shall provide ENISA with the assistance and expert advice required by ENISA in relation to the preparation of the candidate scheme, including by providing opinions where necessary.
Amendment 436 #
Proposal for a regulation
Article 44 – paragraph 4
4. The Commission, based on the candidate scheme proposed by ENISA, may adopt implementing acts, in accordance with Article 55(1), providing for European cybersecurity certification schemes for ICT products, processes and services meeting the requirements of Articles 45, 46 and 47 of this Regulation.
Amendment 444 #
Proposal for a regulation
Article 44 – paragraph 5 a (new)
5a. The Agency shall review adopted schemes upon request from the Group, the Commission or at least every five years taking into account feedback received from relevant stakeholders.
Amendment 471 #
Proposal for a regulation
Article 46 – paragraph 1
1. A European cybersecurity certification scheme may specify one or more of the following assurance levels: basic, substantial and/or high, for ICT products, services and processes issued under that scheme.
Amendment 515 #
Proposal for a regulation
Article 47 – paragraph 1 – point a
(a) subject-matter and scope of the certification, including the type or categories of ICT products, processes and services covered;
Amendment 521 #
Proposal for a regulation
Article 47 – paragraph 1 – point b
(b) detailed specification of the cybersecurity requirements against which the specific ICT products, processes and services are evaluated, for example by reference to Union or international standards or technical specifications;
Amendment 556 #
Proposal for a regulation
Article 48 – paragraph 2 a (new)
2a. For the assurance level basic, it shall be possible to perform a conformity self-assessment under the sole responsibility of the manufacturer or provider of ICT products, processes and services as laid down in Article 4 and Annex II of Decision No 768/2008/EC.
Amendment 558 #
Proposal for a regulation
Article 48 – paragraph 3
3. A European cybersecurity certificate pursuant to this Article shall be issued either by self-assessment or by the conformity assessment bodies referred to in Article 51 on the basis of criteria included in the European cybersecurity certification scheme, adopted pursuant to Article 44.
Amendment 567 #
Proposal for a regulation
Article 48 – paragraph 5
5. The natural or legal person which submits its ICT products, services or processes to the certification mechanism shall provide the conformity assessment body referred to in Article 51 with all information necessary to conduct the certification procedure. The submission can be made with any conformity assessment body referred to in Article 51.
Amendment 570 #
Proposal for a regulation
Article 48 – paragraph 6
6. Certificates shall be issued for a maximum period of three years. They may then be extended without cost for further periods, upon attestation by the certificate-holder that the relevant requirements continue to be met. Such attestation must be provided no sooner than six months and no later than 15 days before the expiry of the relevant period. Extensions of the certificates shall be allowed for the duration of the entire lifespan of the certified product.