Activities of Peter KOUROUMBASHEV related to 2017/0225(COD)

Plenary speeches (1)

EU Cybersecurity Act - European Cybersecurity Industrial, Technology and Research Competence Centre and Network of National Coordination Centres (debate) BG
2016/11/22
Dossiers: 2017/0225(COD)

Shadow reports (1)

REPORT on the proposal for a regulation of the European Parliament and of the Council on ENISA, the "EU Cybersecurity Agency", and repealing Regulation (EU) 526/2013, and on Information and Communication Technology cybersecurity certification ("Cybersecurity Act")
2016/11/22
Committee: ITRE
Dossiers: 2017/0225(COD)
Documents: PDF(1 MB) DOC(324 KB)

Amendments (115)

Amendment 100 #
Proposal for a regulation
Recital 5
(5) In light of the increased cybersecurity challenges faced by the Union, there is a need for a comprehensive set of measures that would build on previous Union action and foster mutually reinforcing objectives. These include the need to further increase capabilities and preparedness of Member States and businesses, as well as to improve cooperation and coordination across Member States and EU institutions, agencies and bodies. Furthermore, given the borderless nature of cyber threats, there is a need to increase capabilities at Union level that could complement the action of Member States, in particular in the case of large scale cross-border cyber incidents and crises. Additional efforts are also needed to increase awareness of citizens and businesses on cybersecurity issues. Moreover, the trust in the digital single market should be further improved by offering transparent information on the level of security of ICT products and services. This can be facilitated by EU-wide certification providing common cybersecurity requirements and evaluation criteria across national markets and sectors. The challenges faced should be proportionally reflected on the budget allocated to the Agency, so as to ensure the optimal functionality under the current circumstances.
2018/04/30
Committee: ITRE
Amendment 102 #
Proposal for a regulation
Recital 5
(5) In light of the increased cybersecurity challenges faced by the Union, there is a need for a comprehensive set of measures that would build on previous Union action and foster mutually reinforcing objectives. These include the need to further increase capabilities and preparedness of Member States and businesses, as well as to improve cooperation and coordination across Member States and EU institutions, agencies and bodies. Furthermore, given the borderless nature of cyber threats, there is a need to increase capabilities at Union level that could complement the action of Member States, in particular in the case of large scale cross-border cyber incidents and crises. Additional efforts are also needed to increase awareness of citizens and businesses on cybersecurity issues. Moreover, the trust in the digital single market should be further improved by offering transparent information on the level of security of ICT products and services stressing that even a high level of cybersecurity certification cannot guarantee that an ICT product or service is completely safe. This can be facilitated by EU-wide certification providing common cybersecurity requirements and evaluation criteria across national markets and sectors as well as promoting cyber literacy.
2018/04/30
Committee: ITRE
Amendment 120 #
Proposal for a regulation
Recital 19
(19) The Agency should contribute to an EU level response in case of large-scale cross-border cybersecurity incidents and crises. This function should include convening Member States' authorities and assisting in the coordination of their response, gathering relevant information and acting as facilitator between the CSIRTs Network and the technical community as well as decision makers responsible for crisis management. Furthermore, the Agency could support the handling of incidents from a technical perspective by facilitating relevant technical exchange of solutions between Member States and by providing input into public communications. The Agency should support the process by testing modalities of such cooperation through yearly cybersecurity exercises.
2018/04/30
Committee: ITRE
Amendment 133 #
Proposal for a regulation
Recital 30
(30) To ensure that it fully achieves its objectives, the Agency should liaise with relevant institutions, EU supervisory and other competent authorities, agencies and bodies, including CERT-EU, European Cybercrime Centre (EC3) at Europol, European Defence Agency (EDA), European Agency for the operational management of large-scale IT systems (eu-LISA), European Central Bank (ECB), European Banking Authority (EBA), European Data Protection Board (EDPB), European Aviation Safety Agency (EASA) and any other EU Agency that is involved in cybersecurity. It should also liaise with authorities dealing with data protection in order to exchange know-how and best practices and provide advice on cybersecurity aspects that might have an impact on their work. Representatives of national and Union law enforcement and data protection authorities should be eligible to be represented in the Agency’s Permanent Stakeholders Group. In liaising with law enforcement bodies regarding network and information security aspects that might have an impact on their work, the Agency should respect existing channels of information and established networks.
2018/04/30
Committee: ITRE
Amendment 134 #
Proposal for a regulation
Recital 30
(30) To ensure that it fully achieves its objectives, the Agency should liaise with relevant institutions, EU supervisory and other competent authorities, agencies and bodies, including CERT-EU, European Cybercrime Centre (EC3) at Europol, European Defence Agency (EDA), European Agency for the operational management of large-scale IT systems (eu-LISA), European Central Bank (ECB), European Banking Authority (EBA), European Aviation Safety Agency (EASA) and any other EU Agency that is involved in cybersecurity. It should also liaise with authorities dealing with data protection in order to exchange know-how and best practices and provide advice on cybersecurity aspects that might have an impact on their work. Representatives of national and Union law enforcement and data protection authorities should be eligible to be represented in the Agency’s Permanent Stakeholders Group. In liaising with law enforcement bodies regarding network and information security aspects that might have an impact on their work, the Agency should respect existing channels of information and established networks.
2018/04/30
Committee: ITRE
Amendment 142 #
Proposal for a regulation
Recital 37
(37) Cybersecurity problems are global issues. There is a need for closer international cooperation to improve security standards, including the definition of common norms of behaviour and codes of conduct, use of international standards, and information sharing, promoting swifter international collaboration in response to, as well as a common global approach to, network and information security issues. To that end, the Agency should support further Union involvement and cooperation with third countries and international organisations by providing, where appropriate, the necessary expertise and analysis to the relevant Union institutions, bodies, offices and agencies.
2018/04/30
Committee: ITRE
Amendment 159 #
Proposal for a regulation
Recital 47
(47) Conformity assessment is the process demonstrating whether specified requirements relating to a product, process, service, system, person or body have been fulfilled. For the purposes of this Regulation, certification and self-assessment should be considered as a type of conformity assessment regarding the cybersecurity features of a product, process, service, system, or a combination of those ("ICT products and services"). Certification is undertaken by an independent third party, other than the product manufacturer or service provider. Self-assessment may be undertaken by the product manufacturer or operator where the likelihood of a cybersecurity incident occurring, and/or the likelihood of such incident causing substantial harm to society or a large section thereof, is not expected to be high, taking into account the manufacturer or service provider’s intended use of the product or service in question. Conformity assessment cannot guarantee per se that certified ICT products and services are cyber secure. It is rather a procedure and technical methodology to attest that ICT products and services have been tested and that they comply with certain cybersecurity requirements laid down elsewhere, for example as specified in technical standards.
2018/04/30
Committee: ITRE
Amendment 171 #
Proposal for a regulation
Recital 53
(53) The Commission should be empowered to adopt, the European Cybersecurity Certification Group and the Stakeholder Certification Group should propose to ENISA to prepare a European cybersecurity certification schemes concerning specific groups of ICT products and services. These schemes should be implemented and supervised by national certification supervisory authorities and certificates issued within these schemes should be valid and recognised throughout the Union. Certification schemes operated by the industry or other private organisations should fall outside the scope of the Regulation. However, the bodies operating such schemes may propose to the Commission to consider such schemes as a basis for approving them as a European scheme.
2018/04/30
Committee: ITRE
Amendment 177 #
Proposal for a regulation
Recital 56
(56) After the completion of an appropriate stakeholder consultation by the Commission, ENISA should be empowered to request ENISA to prepare candidate schemes for specific ICT products or services. The Commission, based on the candidate scheme proposed by ENISA, should then be empowered to adopt the European cybersecurity certification scheme by means of delegated acts. Taking account of the general purpose and security objectives identified in this Regulation, European cybersecurity certification schemes adopted by the Commission should specify a minimum set of elements concerning the subject-matter, the scope and functioning of the individual scheme. These should include among others the scope and object of the cybersecurity certification, including the categories of ICT products and services covered, the detailed specification of the cybersecurity requirements, for example by reference to standards or technical specifications, the specific evaluation criteria and evaluation methods, as well as the intended level of assurance: basic, substantial and/or high.
2018/04/30
Committee: ITRE
Amendment 188 #
Proposal for a regulation
Recital 58
(58) Once a European cybersecurity certification scheme is adopted, manufacturers of ICT products or providers of ICT services should be able to submit an application for certification of their products or services to a conformity assessment body of their choice, anywhere in the Union. Conformity assessment bodies should be accredited by an accreditation body if they comply with certain specified requirements set out in this Regulation. Accreditation should be issued for a maximum of five years and may be renewed on the same conditions provided that the conformity assessment body meets the requirements. Accreditation bodies should revoke an accreditation of a conformity assessment body where the conditions for the accreditation are not, or are no longer, met or where actions taken by a conformity assessment body infringe this Regulation.
2018/04/30
Committee: ITRE
Amendment 191 #
Proposal for a regulation
Recital 59
(59) It is necessary to require all Member States to designate one cybersecurity certification supervisory authority to supervise compliance of conformity assessment bodies and of certificates issued by conformity assessment bodies established in their territory with the requirements of this Regulation and of the relevant cybersecurity certification schemes, and to ensure that the European cybersecurity certificates are recognised on their territory. National certification supervisory authorities should handle complaints lodged by natural or legal persons in relation to certificates issued by conformity assessment bodies established in their territories, or in relation to alleged failures to recognise certificates on their territory, investigate to the extent appropriate the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable time period. Moreover, they should cooperate with other national certification supervisory authorities or other public authority, including by sharing information on possible non-compliance of ICT products and services with the requirements of this Regulation or specific cybersecurity schemes, or the non-recognition of European cybersecurity certificates.
2018/04/30
Committee: ITRE
Amendment 192 #
Proposal for a regulation
Recital 60 a (new)
(60 a) With a view to ensuring the consistent and future-proof application of the European cybersecurity certification framework, a Stakeholder Certification Group should be established within ENISA. It should consist of recognised experts representing academics, standardisation bodies, consumer groups, ICT industry and non-public sector operators of essential services as defined in Annex II of Directive (EU) 2016/1148, who will advise and assist ENISA to ensure a consistent implementation and application of the European cybersecurity certification framework; assist and closely cooperate with the Agency in the preparation and adoption of candidate cybersecurity certification schemes; recommend candidate European cybersecurity certification schemes; and adopt opinions addressed to the Commission relating to the maintenance and review of existing European cybersecurity certifications schemes. The Stakeholder Certification Group should be set up with the objective to allow expert input from relevant stakeholders to the European cybersecurity certification framework. The structure of the Stakeholder Certification Group should allow for ad-hoc members to be invited to contribute to the work on the proposal, development or adoption of any new candidate scheme.
2018/04/30
Committee: ITRE
Amendment 193 #
Proposal for a regulation
Recital 63
(63) In order to specify further the criteria for the accreditation of conformity assessment bodies and to ensure uniform conditions for the implementation of this Regulation, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission. The Commission should carry out appropriate consultations during its preparatory work, including at expert level and with all interested stakeholders, including those that do not participate in the above groups. Those consultations should be conducted in accordance with the principles laid down in the Interinstitutional Agreement on Better Law-Making of 13 April 2016. In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council should receive all documents at the same time as Member States' experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts.
2018/04/30
Committee: ITRE
Amendment 195 #
Proposal for a regulation
Recital 64
(64) In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission when provided for by this Regulation. Those powers should be exercised in accordance with Regulation (EU) No 182/2011.
deleted
2018/04/30
Committee: ITRE
Amendment 196 #
Proposal for a regulation
Recital 65
(65) Delegated acts could be furthermore adopted on European cybersecurity certification schemes for ICT products and services; on modalities of carrying enquiries by the Agency; as well as on the circumstances, formats and procedures of notifications of accredited conformity assessment bodies by the national certification supervisory authorities to the Commission.
2018/04/30
Committee: ITRE
Amendment 202 #
Proposal for a regulation
Article 1 – paragraph 1 – point b
(b) lays down a framework for the establishment of European cybersecurity certification schemes for the purpose of ensuring an adequate level of cybersecurity of ICT products, services and processes in the Union. Such framework shall apply without prejudice to specific provisions regarding voluntary or mandatory certification in other Union acts.
2018/04/30
Committee: ITRE
Amendment 211 #
Proposal for a regulation
Article 2 – paragraph 1 – point 8
(8) ‘cyber threat’ means any action including an automated command, potential circumstance or event, that may adversely impact network and information systems, their users and affected persons.;
2018/04/30
Committee: ITRE
Amendment 212 #
Proposal for a regulation
Article 2 – paragraph 1 – point 8
(8) ‘cyber threat’ means any pointentional circumstance or eventaction, including an automated command, that may adversely impact network and information systems, their users and affected persons.;
2018/04/30
Committee: ITRE
Amendment 213 #
Proposal for a regulation
Article 2 – paragraph 1 – point 8 a (new)
(8 a) Cyber hygiene refers to establishing simple routine measures, such as multi-factor authentication, patching, encryption, micro-segmentation, and least privilege, that users and businesses can take to minimise the risks from cyber threats and better protect themselves online.
2018/04/30
Committee: ITRE
Amendment 215 #
Proposal for a regulation
Article 2 – paragraph 1 – point 8 a (new)
(8 a) ‘cyber incident’ means any intentional or unintentional action or event that may adversely impact network and information systems, their users and affected persons;
2018/04/30
Committee: ITRE
Amendment 220 #
Proposal for a regulation
Article 2 – paragraph 1 – point 9
(9) ‘European cybersecurity certification scheme’ means the comprehensive set of rules, technical requirements, standards and procedures defined at Union level applying to the certification of Information and Communication Technology (ICT) products, services and processes falling under the scope of that specific scheme;
2018/04/30
Committee: ITRE
Amendment 222 #
Proposal for a regulation
Article 2 – paragraph 1 – point 9 a (new)
(9 a) ‘European cybersecurity self-assurance scheme’ means the comprehensive set of rules, technical specifications or requirements, standards and procedures defined at Union level applying to the self-assessment of ICT products, services and processes falling under the scope of that specific scheme;
2018/04/30
Committee: ITRE
Amendment 224 #
Proposal for a regulation
Article 2 – paragraph 1 – point 9 b (new)
(9 b) ‘European cybersecurity scheme’ means a European cybersecurity certification scheme or a European cybersecurity self-assurance scheme.
2018/04/30
Committee: ITRE
Amendment 229 #
Proposal for a regulation
Article 2 – paragraph 1 – point 10
(10) ‘European cybersecurity certificate’ means a document issued by a conformity assessment body attesting that a given ICT product, service, process fulfills the specific requirements laid down in a European cybersecurity certification scheme;
2018/04/30
Committee: ITRE
Amendment 232 #
Proposal for a regulation
Article 2 – paragraph 1 – point 11
(11) ‘ICT product, service and process’ means any element or group of elements of network and information systems;
2018/04/30
Committee: ITRE
Amendment 233 #
Proposal for a regulation
Article 2 – paragraph 1 – point 11 a (new)
(11 a) ‘consumer electronic device’ means a device consisting of hardware and software that process personal data or connect to the Internet for the operation of domotics and home control appliances, office appliances, routing equipment and devices that connect to a network, such as smart TV, toys and gaming consoles, virtual or personal assistants, connected streaming devices, wearables, voice-command and virtual reality systems;
2018/04/30
Committee: ITRE
Amendment 236 #
Proposal for a regulation
Article 2 – paragraph 1 – point 16 a (new)
(16 a) ‘functionality information scheme’ means a visual display of data in the form of a label, which aims to provide information to the end user on the functionality, connectivity, sensory, kinetic or security features of a consumer electronic device.
2018/04/30
Committee: ITRE
Amendment 244 #
Proposal for a regulation
Article 4 – paragraph 1
1. The Agency shall be a centre of expertise on theoretical and practical cybersecurity by virtue of its independence, the scientific and technical quality of the advice and assistance it delivers and the information it provides, the transparency of its operating procedures and methods of operation, and its diligence in carrying out its tasks.
2018/04/30
Committee: ITRE
Amendment 254 #
Proposal for a regulation
Article 4 – paragraph 5
5. The Agency shall increase cybersecurity capabilities at Union level in order to complement the action of Member States in preventing and responding to cyber threats, notably in the event of cross-border incidents, and in order to carry out its task of assisting Union institutions in developing policies related to cybersecurity.
2018/04/30
Committee: ITRE
Amendment 259 #
Proposal for a regulation
Article 4 – paragraph 5 a (new)
5 a. The Agency shall have the capabilities to convene the Member States' authorities and assist in the coordination of their response, notably in the event of cross border incidents.
2018/04/30
Committee: ITRE
Amendment 262 #
Proposal for a regulation
Article 4 – paragraph 6
6. The Agency shall promote the use of certification, including by contributing to the establishment and maintenance of a cybersecurity certification framework at Union level in accordance with Title III of this Regulation, with a view to increasing transparency of cybersecurity assurance of ICT products, services and processes and thus strengthen trust in the digital internal market.
2018/04/30
Committee: ITRE
Amendment 264 #
Proposal for a regulation
Article 4 – paragraph 7
7. The Agency shall promote and support projects contributing to a high level of awareness and cyber literacy among citizens and businesses on issues related to the cybersecurity.
2018/04/30
Committee: ITRE
Amendment 267 #
Proposal for a regulation
Article 4 – paragraph 7
7. The Agency shall promote a high level of cyber hygiene and awareness of citizens and businesses on issues related to the cybersecurity.
2018/04/30
Committee: ITRE
Amendment 269 #
Proposal for a regulation
Article 4 – paragraph 7
7. The Agency shall promote a high level of cyber hygiene and awareness of citizens and businesses on issues related to the cybersecurity.
2018/04/30
Committee: ITRE
Amendment 272 #
Proposal for a regulation
Article 5 – paragraph 1 – point 1
1. assisting and advising, in particular by providing its independent opinion and analysis of relevant activities in cyberspace and supplying preparatory work, on the development and review of Union policy and law in the area of cybersecurity, as well as sector-specific policy and law initiatives where matters related to cybersecurity are involved;
2018/04/30
Committee: ITRE
Amendment 276 #
Proposal for a regulation
Article 5 – paragraph 1 – point 2 a (new)
2 a. assisting Member States to implement consistently the Union policy and law regarding data protection notably in relation to Regulation (EU) 2016/679, as well as assisting the European Data Protection Board (EDPB) in the development of guidelines related to the implementation of Regulation (EU) 2016/679 for cybersecurity purposes. The EDPB should be required to consult ENISA every time it issues an opinion or adopts a decision concerning the implementation of the GDPR and cybersecurity, in particular on, but not limited to, issues related to privacy impact assessments, data breach notification, security processing, security requirements, and privacy by design.
2018/04/30
Committee: ITRE
Amendment 293 #
Proposal for a regulation
Article 6 – paragraph 2
2. The Agency shall facilitate the establishment of and continuously support sectoral Information Sharing and Analysis Centres (ISACs), in particular in the sectors listed in Annex II of Directive (EU) 2016/1148, by providing best practices and guidance on available tools, procedure, cyber hygiene principles, as well as on how to address regulatory issues related to information sharing.
2018/04/30
Committee: ITRE
Amendment 299 #
Proposal for a regulation
Article 7 – paragraph 5 – subparagraph 1
Upon a request by one or more Member States concerned, and with the sole purpose of providing assistance either in the form of advice for the prevention of future incidents, or in the form of assisting in the response to a current large scale incidents, the Agency shall provide support to or carry out an ex-post technical enquiry following notifications by affected undertakings of incidents having a significant or substantial impact pursuant to Directive (EU) 2016/1148. The Agency shall perform the above activities by receiving relevant information from the affected Member States and by utilising its own resources on threat analysis as well as resources on incident response made available from CERT EU for that purpose. The Agency shall also carry out such an enquiry upon a duly justified request from the Commission in agreement with the concerned Member States in case of such incidents affecting more than one Member States.
2018/04/30
Committee: ITRE
Amendment 304 #
Proposal for a regulation
Article 7 – paragraph 7
7. The Agency shall prepare a regular and in-depth EU Cybersecurity Technical Situation Report on incidents and threats based on open source information, its own analysis, and reports shared by, among others: Member States' CSIRTs (on a voluntary basis) or NIS Directive Single Points of Contact (in accordance with NIS Directive Article 14 (5)); European Cybercrime Centre (EC3) at Europol, CERT-EU. The Executive Director shall present the public findings to the European Parliament.
2018/04/30
Committee: ITRE
Amendment 305 #
Proposal for a regulation
Article 7 – paragraph 7 – subparagraph 1 (new)
The Agency shall, where appropriate and subject to prior approval by the Commission, contribute to cross-border cyber cooperation with the NATO Cooperative Cyber Defence Centre of Excellence and the NATO Communications and Information (NCI) Academy.
2018/04/30
Committee: ITRE
Amendment 307 #
Proposal for a regulation
Article 7 – paragraph 8 – point a
(a) analyzing and aggregating reports from national sources with a view to contribute to establishing common situational awareness;
2018/04/30
Committee: ITRE
Amendment 308 #
Proposal for a regulation
Article 7 – paragraph 8 – point c
(c) supporting the technical handling of an incident or crisis, based on its own independent expertise and resources including facilitating the sharing of technical solutions between Member States;
2018/04/30
Committee: ITRE
Amendment 310 #
Proposal for a regulation
Article 7 – paragraph 8 – point e a (new)
(e a) assisting Member States and Union institutions in establishing and developing an EU Cybersecurity Crisis Response Framework integrating the objectives and modalities of cooperation suggested in the [Commission Recommendation on Coordinated Response to Large Scale Cybersecurity Incidents and Crisis from 13.9.2017].
2018/04/30
Committee: ITRE
Amendment 313 #
Proposal for a regulation
Article 7 – paragraph 8 – point e b (new)
(e b) assisting Member States and Union Institutions in developing and adopting a common taxonomy and template for situational reports to describe technical causes and impacts of cybersecurity incidents to further enhance their technical and operational cooperation during crisis.
2018/04/30
Committee: ITRE
Amendment 314 #
Proposal for a regulation
Article 7 – paragraph 8 a (new)
8 a. Convening the Member States' authorities and assisting in the coordination of their response, in compliance with the principles of subsidiarity and proportionality.
2018/04/30
Committee: ITRE
Amendment 316 #
Proposal for a regulation
Article 7 a (new)
Article 7 a
Technical capabilities of the Agency
For meeting the objectives described in Articles 5, 6 and 7 the Agency shall develop among others the following technical capabilities and skills:
1. The ability to analyse threat information data at large scale
2. The ability to conduct forensic analysis on devices and terminal equipment
3. The ability to analyse malware, indicators of compromise and other information related to a cybersecurity threat or incident
4. The ability to collect information on cybersecurity threats from open source as well as commercial sources
5. The ability to deploy technical equipment, tools and expertise remotely and on-site at the request of a Member State in case of Article 7 paragraph 5 and paragraph 8
To meet the technical capabilities described in this Article the Agency shall ensure that its recruitment processes reflect the diverse technical skills required.
To meet the technical capabilities described in this Article and develop the relevant skills, the Agency shall cooperate with CERT EU and Europol in accordance to Article 7 paragraph 2.
2018/04/30
Committee: ITRE
Amendment 318 #
Proposal for a regulation
Article 8 – paragraph 1 – point a – introductory part
(a) support and promote the development and implementation of the Union policy on cybersecurity certification of ICT products, services and processes, as established in Title III of this Regulation, by:
2018/04/30
Committee: ITRE
Amendment 325 #
Proposal for a regulation
Article 8 – paragraph 1 – point a – point 1
(1) preparing candidate European cybersecurity certification schemes for ICT products, services and processes in accordance with Article 44 of this Regulation;
2018/04/30
Committee: ITRE
Amendment 326 #
Proposal for a regulation
Article 8 – paragraph 1 – point a – point 1 a (new)
(1 a) carrying out, in cooperation with the European Cybersecurity Certification Group, assessments of the procedures for issuing European cybersecurity certificates put in place by conformity assessment bodies referred to in Article 51, with a view to ensuring the uniform application of this Regulation by conformity assessment bodies when issuing certificates;
2018/04/30
Committee: ITRE
Amendment 327 #
Proposal for a regulation
Article 8 – paragraph 1 – point a – point 1 b (new)
(1 b) carrying out independent periodic ex-post checks on the compliance of certified ICT products and services with European cybersecurity certification schemes;
2018/04/30
Committee: ITRE
Amendment 333 #
Proposal for a regulation
Article 8 – paragraph 1 – point a – point 3
(3) compiling and publishing guidelines and developing good practices, including on cyber hygiene principles, concerning the cybersecurity requirements of ICT products and services, in cooperation with national certification supervisory authorities and the industry;
2018/04/30
Committee: ITRE
Amendment 334 #
Proposal for a regulation
Article 8 – paragraph 1 – point a – point 3
(3) compiling and publishing guidelines and developing good practices and cyber hygiene principles concerning the cybersecurity requirements of ICT products, services, and processes in cooperation with national certification supervisory authorities and the industry;
2018/04/30
Committee: ITRE
Amendment 357 #
Proposal for a regulation
Article 9 – paragraph 1 – point g a (new)
(g a) support closer coordination and exchange of best practices among Member States on cybersecurity education, training and skills development, cyber hygiene and awareness.
2018/04/30
Committee: ITRE
Amendment 364 #
Proposal for a regulation
Article 11 – paragraph 1 – point c a (new)
(c a) providing, where appropriate, data collected by the Agency in carrying out its mandate, to international organisations provided that doing so does not violate the Union's data protection legislation.
2018/04/30
Committee: ITRE
Amendment 370 #
Proposal for a regulation
Article 13 – paragraph 4
4. The term of office of members of the Management Board and of their alternates shall be five years. That term shall be renewable.
2018/04/30
Committee: ITRE
Amendment 371 #
Proposal for a regulation
Article 15 – paragraph 1
The Management Board shall elect by a majority of two-thirds of members its Chairperson and a Deputy Chairperson from among its members for a period of five years, which shall be renewable once. If, however, their membership of the Management Board ends at any time during their term of office, their term of office shall automatically expire on that date. The Deputy Chairperson shall ex officio replace the Chairperson if the latter is unable to attend to his or her duties.
2018/04/30
Committee: ITRE
Amendment 374 #
Proposal for a regulation
Article 18 – paragraph 3
3. The Executive Board shall be composed of five members appointed from among the members of the Management Board amongst whom the Chairperson of the Management Board, who shall not also chair the Executive Board, and one of the representatives of the Commission. The Executive Director shall take part in the meetings of the Executive Board, but shall not have the right to vote.
2018/04/30
Committee: ITRE
Amendment 375 #
Proposal for a regulation
Article 18 – paragraph 4
4. The term of office of the members of the Executive Board shall be five years. That term shall be renewable.
2018/04/30
Committee: ITRE
Amendment 376 #
Proposal for a regulation
Article 19 – paragraph 5 a (new)
5 a. The Executive Director shall be required to provide the relevant European Parliament Committees twice a year with a report on the state of cybersecurity in Europe. The Executive Director should also be invited by the Parliament to provide ENISA’s input on any EU legislative instrument imposing cybersecurity obligations.
2018/04/30
Committee: ITRE
Amendment 377 #
Proposal for a regulation
Article 19 – paragraph 5 b (new)
5 b. The Executive Director shall also be entitled to act as an institutional special adviser on cybersecurity policy to the President of the European Commission, with a mandate defined in Commission Decision C(2014) 541 of 06 February 2014.
2018/04/30
Committee: ITRE
Amendment 389 #
Proposal for a regulation
Article 20 a (new)
Article 20 a
Stakeholder Certification Group
1. The Executive Director shall set up a Stakeholder Certification Group, composed of recognised experts representing consumer groups, academics, standardisation bodies, operators of essential services as defined in Annex II of Directive (EU) 2016/1148 and the ICT industry, including SMEs.
2. Procedures for the Stakeholder Certification Group, in particular regarding the number, composition, and the appointment of its members by the Executive Director and the operation of the Group, shall be specified in the Agency’s internal rules of operation and shall be made public.
3. The term of office of the Stakeholder Certification Group members shall be two-and-a-half years. Their mandate shall be renewable. Members of the Management Board may not be members of the Stakeholder Certification Group. Members of the Permanent Stakeholder Group can be also Members of the Stakeholder Certification Group. Experts from the Commission and the Member States shall be entitled, upon invitation, to be present at the meetings of the Stakeholder Certification Group. Representatives of other bodies deemed relevant by the Executive Director, who are not members of the Stakeholder Certification Group, may be invited to attend the meetings of the Stakeholder Certification Group and to participate in its work.
4. The Stakeholder Certification Group shall advise the Agency in respect of the performance of its activities with regards Title III of the present Regulation. It shall in particular be entitled to propose to ENISA, to the Member States and to the Commission the preparation of a candidate European cybersecurity certification scheme, as conferred to in Article 44 of the present Regulation, as well as to participate in the procedures described in Articles 43 to 48 and Article 53 of the present Regulation for the approval of such schemes.
5. For the purpose of ensuring that the Stakeholder Certification Group possesses the necessary expertise, the Executive Director or the members of the Stakeholder Certification Group shall nominate ad-hoc members for the proposal, development or adoption of any new candidate scheme. These ad-hoc members shall have the same rights and obligations as the appointed members, and shall be entitled to provide their expertise at any stage of the development and/or the approval of the respective candidate scheme. An ad-hoc member may contribute to the work of the Stakeholder Certification Group for more than one candidate scheme.
2018/04/30
Committee: ITRE
Amendment 408 #
Proposal for a regulation
Article 43 – paragraph 1
A European cybersecurity certification scheme shall attest that the ICT products, services and processes that have been certified in accordance with such scheme comply with specified requirements as regards their ability to resist at a given level of assurance, actions that aim to compromise the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the functions or services offered by, or accessible via, those products, processes, services and systems.
2018/04/30
Committee: ITRE
Amendment 412 #
Proposal for a regulation
Article 44 – paragraph 1
1. Following a request from the Commission, ENISA shall prepare a candidate European cybersecurity certification scheme which meets the requirements set out in Articles 45, 46 and 47 of this Regulation. Member States or the European Cybersecurity Certification Group (the 'Group') established under Article 53, shall propose the preparation of a candidate scheme that falls under the scope of Article 45 (1) (c), while the Stakeholder Certification Group, established under Article [20b], shall propose the preparation of a candidate European cybersecurity certification scheme that falls under the scope of Article 45 (1) (a) or (b), to ENISA and the Commission.
2018/04/30
Committee: ITRE
Amendment 428 #
Proposal for a regulation
Article 44 – paragraph 2
2. Before preparing candidate schemes referred to in paragraph 1 of this Article, the Commission shall conduct an open public consultation for all relevant stakeholders. In preparing the consultation the Commission shall closely cooperate with the European Cybersecurity Certification Group, ENISA and the Stakeholder Certification Group.
2018/04/30
Committee: ITRE
Amendment 429 #
Proposal for a regulation
Article 44 – paragraph 2 a (new)
2a. The European Cybersecurity Certification Group and the Stakeholder Certification Group shall provide the assistance and expert advice required by ENISA in relation to the preparation of the candidate European cybersecurity scheme, including by providing opinions where necessary.
2018/04/30
Committee: ITRE
Amendment 430 #
Proposal for a regulation
Article 44 – paragraph 2 b (new)
2b. Apart of in relation to the proposal of a scheme that falls under the scope of Article 45 (1) (a) and (b), the Stakeholder Certification Group shall be consulted by the Commission and asked for approval before the final adoption of a European cybersecurity certification scheme. The same shall apply for the proposal of a scheme that falls under the scope of Article 45 (1) (c) vis-à-vis the European Cybersecurity Certification Group.
2018/04/30
Committee: ITRE
Amendment 431 #
Proposal for a regulation
Article 44 – paragraph 2 c (new)
2c. When preparing a candidate scheme, ENISA, with the advice of the European Cybersecurity Certification Group and the Stakeholder Certification Group for their respective candidate schemes, shall define a timeline by when the specific candidate scheme shall become effective. Failure to meet this deadline shall result in the candidate scheme being considered void and revoked.
2018/04/30
Committee: ITRE
Amendment 438 #
Proposal for a regulation
Article 44 – paragraph 4
4. The Commission, based on the candidate scheme proposed by ENISA, may adopt delegated acts, in accordance with Article 55(1), providing for European cybersecurity certification schemes for ICT products, services and processes meeting the requirements of Articles 45, 46 and 47 of this Regulation.
2018/04/30
Committee: ITRE
Amendment 447 #
Proposal for a regulation
Article 45 – paragraph 1 – introductory part
A European cybersecurity certification scheme shall be so designed to take into account, as applicable, the following security objectivobjectives linked to the following categories:
2018/04/30
Committee: ITRE
Amendment 448 #
Proposal for a regulation
Article 45 – paragraph 1 – point a
(a) For products corresponding to assurance level basic or the self-declaratory level of certification, consumer electronic devices as defined in Article 2 [(11) a (new)]. The European cybersecurity certification schemes for this category shall support the adoption and commercialisation of international standards from and to the Single Market.
2018/04/30
Committee: ITRE
Amendment 449 #
Proposal for a regulation
Article 45 – paragraph 1 – point b
(b) For products corresponding to assurance level substantial, ICT products, services and processes performing an industrial control system or used in robotics and autonomous vehicles, or software and hardware terminal equipment used for the provision of essential services for operators as defined in Directive (EU)2016/1148. The European cybersecurity certification schemes for this category shall be based on international standards.
2018/04/30
Committee: ITRE
Amendment 450 #
Proposal for a regulation
Article 45 – paragraph 1 – point c
(c) For products corresponding to level of certification high, ICT products, services and processes used by public administration of a Member State. The European cybersecurity certification schemes for this category shall be based on international standards, existing national or multilateral standards in use by Member States.
2018/04/30
Committee: ITRE
Amendment 452 #
Proposal for a regulation
Article 45 – paragraph 1 – point d
Deleted: (d) record which data, functions or services have been communicated, at what times and by whom;
2018/04/30
Committee: ITRE
Amendment 454 #
Proposal for a regulation
Article 45 – paragraph 1 – point e
Deleted: (e) ensure that it is possible to check which data, services or functions have been accessed or used, at what times and by whom;
2018/04/30
Committee: ITRE
Amendment 455 #
Proposal for a regulation
Article 45 – paragraph 1 – point f
Deleted: (f) restore the availability and access to data, services and functions in a timely manner in the event of physical or technical incident;
2018/04/30
Committee: ITRE
Amendment 456 #
Proposal for a regulation
Article 45 – paragraph 1 – point g
Deleted: (g) ensure that ICT products and services are provided with up to date software that does not contain known vulnerabilities, and are provided mechanisms for secure software updates.
2018/04/30
Committee: ITRE
Amendment 461 #
Proposal for a regulation
Article 45 – paragraph 1 – point g a (new)
(ga) ensure that the environment for ICT products and services is divided into smaller sub-systems and sub-networks to make it more manageable to protect and to contain the damage in the event of an incident.
2018/04/30
Committee: ITRE
Amendment 465 #
Proposal for a regulation
Article 46 – paragraph 1
1. A European cybersecurity certification scheme may specify one or more of the following assurance levels: basic, substantial and/or high, for ICT products and services issued under that scheme. A certification scheme with varying assurance levels shall be accompanied by information explaining the risk that remains at each assurance level and the need for consumers to be continually vigilant and aware of cyber threats.
2018/04/30
Committee: ITRE
Amendment 471 #
Proposal for a regulation
Article 46 – paragraph 1
1. A European cybersecurity certification scheme may specify one or more of the following assurance levels: basic, substantial and/or high, for ICT products, services and processes issued under that scheme.
2018/04/30
Committee: ITRE
Amendment 487 #
Proposal for a regulation
Article 46 – paragraph 2 – point a
(a) assurance level basic shall refer to a certificate issued in the context of a European cybersecurity certification scheme, which provides a limited degree of confidence in the claimed or asserted cybersecurity qualities of a consumer electronic device, and is characterised with reference to technical specifications, existing international standards and procedures related thereto, including technical controls, the purpose of which is to decrease the risk of cybersecurity incidents;
2018/04/30
Committee: ITRE
Amendment 489 #
Proposal for a regulation
Article 46 – paragraph 2 – point a
(a) assurance level basic shall refer to a certificate issued in the context of a European cybersecurity certification scheme, which provides a limited degree of confidence in the claimed or asserted cybersecurity qualities of an ICT product or servicto a device for consumer use, and is characterised with reference to technical specifications, existing international standards and procedures related thereto, including technical controls, the purpose of which is to decrease the risk of cybersecurity incidents;
2018/04/30
Committee: ITRE
Amendment 496 #
Proposal for a regulation
Article 46 – paragraph 2 – point b
(b) assurance level substantial shall refer to a certificate issued in the context of a European cybersecurity certification scheme, which provides a substantial degree of confidence in the claimed or asserted cybersecurity qualities of an ICT product, service or process, and is characterised with reference to technical specifications, existing international standards and procedures related thereto, including technical controls, the purpose of which is to decrease substantially the risk of cybersecurity incidents;
2018/04/30
Committee: ITRE
Amendment 507 #
Proposal for a regulation
Article 46 – paragraph 2 – point c
(c) assurance level high shall refer to a certificate issued in the context of a European cybersecurity certification scheme that is based on a national or multilateral standard in use, which provides a higher degree of confidence in the claimed or asserted cybersecurity qualities of an ICT product or service than certificates with the assurance level substantial, and is characterised with reference to technical specifications, national and multilateral existing international standards and procedures related thereto, including technical controls, the purpose of which is to prevent cybersecurity incidents.
2018/04/30
Committee: ITRE
Amendment 512 #
Proposal for a regulation
Article 46 a (new)
Article 46a
According to the analysis of the specific risk, the appropriate conformity assessment method, including self-assessment, shall be identified as laid down in Article 4 and Annex II of Decision No 768/2008/EC.
2018/04/30
Committee: ITRE
Amendment 514 #
Proposal for a regulation
Article 46 b (new)
Article 46b Without prejudice to paragraphs 1 and 2, ENISA may replace the requirements for the basic assurance level by introducing a functionality information scheme instead, as defined in Article 2. The criteria for such functionality information scheme shall be defined in advance with the participation of the Stakeholder Certification Group.
2018/04/30
Committee: ITRE
Amendment 528 #
Proposal for a regulation
Article 47 – paragraph 1 – point f
(f) where the scheme provides for technical feature information schemes, the conditions under which such technical feature information schemes may be used;
2018/04/30
Committee: ITRE
Amendment 530 #
Proposal for a regulation
Article 47 – paragraph 1 – point g a (new)
(ga) conditions for granting, maintaining, continuing, extending and reducing the scope of certification;
2018/04/30
Committee: ITRE
Amendment 541 #
Proposal for a regulation
Article 47 – paragraph 1 – point m a (new)
(ma) types of conformity assessment, evaluation criteria and methods pursuant to Article 4 and Annex II of Decision 768/2008/EC.
2018/04/30
Committee: ITRE
Amendment 542 #
Proposal for a regulation
Article 47 – paragraph 1 – point m a (new)
(ma) Further guidance on best practice in cyber safety and information on the cyber threat that remains despite certification.
2018/04/30
Committee: ITRE
Amendment 543 #
Proposal for a regulation
Article 47 – paragraph 1 a (new)
1a. For their relevant schemes, the Stakeholder Certification Group or the European Cybersecurity Certification Group must approve, following a duly motivated request from ENISA, any proposed addition to, deviation from, or non-reliance on, international or Union standards referred to in paragraph 1(b), at least two weeks prior to the candidate scheme’s transmission to the Commission pursuant to Article 44(3)
2018/04/30
Committee: ITRE
Amendment 547 #
Proposal for a regulation
Article 47 a (new)
Article 47a Schemes created pursuant to this Regulation shall not require notification of changes, amendments of certifications, or re-certification, unless such changes have a substantial adverse effect on the security of ICT products, services and processes as well as consumer electronic devices.
2018/04/30
Committee: ITRE
Amendment 548 #
Proposal for a regulation
Article 48 – paragraph 1
1. ICT products, services and processes that have been certified under a European cybersecurity certification scheme adopted pursuant to Article 44 shall be presumed to be compliant with the requirements of such scheme.
2018/04/30
Committee: ITRE
Amendment 551 #
Proposal for a regulation
Article 48 – paragraph 2
2. The certification shall be voluntary, unless otherwise specified in Union law for ICT products, services and processes that fall under the scope of Article 45 (1) (a) and Article 45 (1) (b), unless otherwise specified in Union law, and mandatory for the ICT products, services and processes that fall under the scope of Article 45 (1) (c), unless otherwise specified in Union law or by the European Cybersecurity Certification Group.
2018/04/30
Committee: ITRE
Amendment 567 #
Proposal for a regulation
Article 48 – paragraph 5
5. The natural or legal person which submits its ICT products, services or processes to the certification mechanism shall provide the conformity assessment body referred to in Article 51 with all information necessary to conduct the certification procedure. The submission can be made with any conformity assessment body referred to in Article 51.
2018/04/30
Committee: ITRE
Amendment 570 #
Proposal for a regulation
Article 48 – paragraph 6
6. Certificates shall be issued for a minimum period of three years. They may then be extended without cost for further periods, upon attestation by the certificate-holder that the relevant requirements continue to be met. Such attestation must be provided no sooner than six months and no later than 15 days before the expiry of the relevant period. Extensions of the certificates shall be allowed for the duration of the entire lifespan of the certified product.
2018/04/30
Committee: ITRE
Amendment 574 #
Proposal for a regulation
Article 48 – paragraph 7
7. A European cybersecurity certificate issued pursuant to this Article shall be recognised in all Member States as satisfying local cybersecurity requirements relating to ICT products and processes and consumer electronic devices covered by that certificate, taking into account the specified assurance level referred to in Article 46, and there shall be no discrimination between such certificates based either on the Member State of origin or the issuing conformity assessment body referred to in Article 51.
2018/04/30
Committee: ITRE
Amendment 576 #
Proposal for a regulation
Article 48 – paragraph 7 a (new)
7a. An application for certification must be completed by 12 months from its date of submission, failing to which the conformity assessment body will lose its accreditation.
2018/04/30
Committee: ITRE
Amendment 578 #
Proposal for a regulation
Article 48 a (new)
Article 48a
Compatibility with international mutual recognition schemes
1. In the preparatory phase of a candidate European cybersecurity certification scheme, ENISA and, as appropriate, the Stakeholder Certification Group or the European Cybersecurity Certification Group, shall evaluate the relevance of existing international mutual recognition agreements and certifications.
2. This shall include an evaluation of whether any national cybersecurity certification schemes covered by the candidate scheme are subject to an international mutual recognition agreement.
3. Where relevant international mutual recognition agreements and certifications are determined to exist, ENISA shall aim to ensure compatibility by:
(a) predicating the certification on the same standards;
(b) aligning the scope, security objectives, evaluation methodology and assurance levels;
(c) opening a dialogue with the equivalent governance body for objective of points (a) and (b).
2018/04/30
Committee: ITRE
Amendment 581 #
Proposal for a regulation
Article 49 – paragraph 1
1. Without prejudice to paragraph 3, national cybersecurity certification schemes and the related procedures for the ICT products, services and processes covered by a European cybersecurity certification scheme shall cease to produce effects from the date established in the delegated act adopted pursuant Article 44(4). Existing national cybersecurity certification schemes and the related procedures for the ICT products and services not covered by a European cybersecurity certification scheme shall continue to exist.
2018/04/30
Committee: ITRE
Amendment 582 #
Proposal for a regulation
Article 49 – paragraph 1 a (new)
1a. Without prejudice to paragraph 3, references in applicable laws, rules, regulations or guidance to a national cybersecurity certification scheme that has ceased to produce legal effects pursuant to paragraph 1, shall be deemed to refer instead to the covering European cybersecurity certification scheme (mutatis mutandis).
2018/04/30
Committee: ITRE
Amendment 584 #
Proposal for a regulation
Article 49 a (new)
Article 49a Upon request by any natural or legal person ENISA shall determine whether, for the purposes of this Article, a specified national cybersecurity scheme is covered by a European cybersecurity scheme, ENISA shall reach its decision and render it public within four weeks of its receipt of the request.
2018/04/30
Committee: ITRE
Amendment 588 #
Proposal for a regulation
Article 50 – paragraph 6 – point a
(a) monitor and enforce the application of the provisions under this Title at national level and supervise compliance of the certificates that have been issued by conformity assessment bodies established in their respective territories with the requirements set out in this Title and in the correspondingin accordance with the rules adopted by the European Cybersecurity Certification Group pursuant to point (da) of Article 53(3);
2018/04/30
Committee: ITRE
Amendment 591 #
Proposal for a regulation
Article 50 – paragraph 6 – point b
(b) monitor and supervise and, at least every two years, assess the activities of conformity assessment bodies for the purpose of this Regulation, including in relation to the notification of conformity assessment bodies and the related tasks set out in Article 52 of this Regulation;
2018/04/30
Committee: ITRE
Amendment 593 #
Proposal for a regulation
Article 50 – paragraph 6 – point c
(c) handle complaints lodged by natural or legal persons in relation to certificates issued by conformity assessment bodies established in their territories or to self-assessment of conformity made, investigate, to the extent appropriate, the subject matter of the complaint, and inform the complainant of the progress and the outcome of the investigation within a reasonable time period;
2018/04/30
Committee: ITRE
Amendment 594 #
Proposal for a regulation
Article 50 – paragraph 6 – point c a (new)
(ca) report the results of verifications under point (a) and the assessments under point (b) to ENISA and the European Cybersecurity Certification Group;
2018/04/30
Committee: ITRE
Amendment 601 #
Proposal for a regulation
Article 50 – paragraph 8
8. National certification supervisory authorities shall cooperate amongst each other and the Commission and, in particular, exchange information, experiences and good practices as regards cybersecurity certification and technical issues concerning cybersecurity of ICT products, services and processes.
2018/04/30
Committee: ITRE
Amendment 603 #
Proposal for a regulation
Article 50 a (new)
Article 50a
Peer review
1. National certification supervisory authorities shall be subject to peer review in respect of any activity which they carry out pursuant to Article 50 of this Regulation.
2. Peer review shall cover the assessments of the procedures put in place by national certification supervisory authorities, in particular the procedures for checking the compliance of the products that are subject to cybersecurity certification, the competence of the personnel, the correctness of the checks and the inspection methodology as well as the correctness of the results. Peer review shall also assess whether the national certification supervisory authorities in question have sufficient resources for the proper performance of their duties as required by paragraph 4 of Article 50.
3. Peer review of a national certification supervisory authority shall be carried out by two national certification supervisory authorities of other Member States and the Commission and shall be carried out at least once every five years. ENISA may participate in the peer review and shall decide on its participation on the basis of a risk assessment analysis.
4. The Commission is empowered, in accordance with Article 55a, to adopt delegated acts, in order to establish a plan for the peer review covering a period of at least five years, laying down criteria concerning the composition of the peer review team, the methodology used for the peer review, the schedule, periodicity and the other tasks related to the peer review. When adopting those delegated acts, the Commission shall take due account of the considerations of the Group.
5. The outcome of the peer review shall be examined by the Group. ENISA shall draw up a summary of the outcome and make it public.
2018/04/30
Committee: ITRE
Amendment 607 #
Proposal for a regulation
Article 51 – paragraph 2
2. Accreditation shall be issued for a maximum of ten years and may be renewed on the same conditions provided that the conformity assessment body meets the requirements set out in this Article. Accreditation bodies shall revoke an accreditation of a conformity assessment body pursuant to paragraph 1 of this Article where the conditions for the accreditation are not, or are no longer, met or where actions taken by a conformity assessment body infringe this Regulation.
2018/04/30
Committee: ITRE
Amendment 608 #
Proposal for a regulation
Article 52 – paragraph 5
5. The Commission may, by means of delegated acts, define the circumstances, formats and procedures of notifications referred to in paragraph 1 of this Article. Those delegated acts shall be adopted in accordance with the examination procedure referred to in Article 55(2).
2018/04/30
Committee: ITRE
Amendment 609 #
Proposal for a regulation
Article 53 – paragraph 2
2. The Group shall be composed of national certification supervisory authorities. The authorities shall be represented by the heads or by other high level representatives of national certification supervisory authorities. Upon invitation, members of the Stakeholder Certification Group shall be entitled to be present at the meetings of the European Cybersecurity Certification Group and to participate in its work.
2018/04/30
Committee: ITRE
Amendment 611 #
Proposal for a regulation
Article 53 – paragraph 3 – point d a (new)
(da) to adopt binding rules determining the intervals at which national certification supervisory authorities are to carry out verifications of certificates and self-assessment of conformity, and the criteria, scale and scope of those verifications and to adopt common rules and standards for reporting, in accordance with Article 50(6).
2018/04/30
Committee: ITRE
Amendment 616 #
Proposal for a regulation
Article 53 – paragraph 3 a (new)
3a. to take into account the results of stakeholder consultation conducted in preparation of a candidate scheme, in accordance of Article 44 of this Regulation;
2018/04/30
Committee: ITRE
Amendment 620 #
Proposal for a regulation
Article 54 a (new)
Article 54a
Right to an effective judicial redress against a supervisory authority
1. Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial redress:
(a) against a decision of a conformity assessment body or national certification supervisory authority concerning them, including in relation to the recognition of a European cybersecurity certificate which such person or entity holds; and
(b) where a national certification supervisory authority does not handle a complaint for which it is competent.
2. Proceedings against a conformity assessment body or national certification supervisory authority shall be brought before the courts of the Member State where the conformity assessment body or national certification supervisory authority is established.
2018/04/30
Committee: ITRE
Amendment 622 #
Proposal for a regulation
Article 56 – paragraph 2
2. The evaluation shall also assess the impact, effectiveness and efficiency of the provisions of Title III with regard to the objectives of ensuring an adequate level of cybersecurity of ICT products, services and processes in the Union and improving the functioning of the internal market. The Commission shall assess, five years after the adoption of the Regulation, a potential extension of the scope of Title III.
2018/04/30
Committee: ITRE
Amendment 624 #
Proposal for a regulation
Article 56 – paragraph 2 a (new)
2a. The evaluation shall assess the gradual move to mandatory certification, provided that the market assessment and relative stakeholders’ consultation show findings that support such action;
2018/04/30
Committee: ITRE