46 Amendments of Edouard MARTIN related to 2017/0225(COD)

Amendment 134 #
Proposal for a regulation
Recital 30
(30) To ensure that it fully achieves its objectives, the Agency should liaise with relevant institutions, EU supervisory and other competent authorities, agencies and bodies, including CERT-EU, European Cybercrime Centre (EC3) at Europol, European Defence Agency (EDA), European Agency for the operational management of large-scale IT systems (eu-LISA), European Central Bank (ECB), European Banking Authority (EBA), European Aviation Safety Agency (EASA) and any other EU Agency that is involved in cybersecurity. It should also liaise with authorities dealing with data protection in order to exchange know-how and best practices and provide advice on cybersecurity aspects that might have an impact on their work. Representatives of national and Union law enforcement and data protection authorities should be eligible to be represented in the Agency’s Permanent Stakeholders Group. In liaising with law enforcement bodies regarding network and information security aspects that might have an impact on their work, the Agency should respect existing channels of information and established networks.
2018/04/30
Committee: ITRE
Amendment 142 #
Proposal for a regulation
Recital 37
(37) Cybersecurity problems are global issues. There is a need for closer international cooperation to improve security standards, including the definition of common norms of behaviour and codes of conduct, use of international standards, and information sharing, promoting swifter international collaboration in response to, as well as a common global approach to, network and information security issues. To that end, the Agency should support further Union involvement and cooperation with third countries and international organisations by providing, where appropriate, the necessary expertise and analysis to the relevant Union institutions, bodies, offices and agencies.
2018/04/30
Committee: ITRE
Amendment 177 #
Proposal for a regulation
Recital 56
(56) After the completion of an appropriate stakeholder consultation by the Commission, ENISA should be empowered to prepare candidate schemes for specific ICT products or services. The Commission, based on the candidate scheme proposed by ENISA, should then be empowered to adopt the European cybersecurity certification scheme by means of delegated acts. Taking account of the general purpose and security objectives identified in this Regulation, European cybersecurity certification schemes adopted by the Commission should specify a minimum set of elements concerning the subject-matter, the scope and functioning of the individual scheme. These should include among others the scope and object of the cybersecurity certification, including the categories of ICT products and services covered, the detailed specification of the cybersecurity requirements, for example by reference to standards or technical specifications, the specific evaluation criteria and evaluation methods, as well as the intended level of assurance: basic, substantial and/or high.
2018/04/30
Committee: ITRE
Amendment 193 #
Proposal for a regulation
Recital 63
(63) In order to specify further the criteria for the accreditation of conformity assessment bodies and to ensure uniform conditions for the implementation of this Regulation, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission. The Commission should carry out appropriate consultations during its preparatory work, including at expert level and with all interested stakeholders, including those that do not participate in the above groups. Those consultations should be conducted in accordance with the principles laid down in the Interinstitutional Agreement on Better Law-Making of 13 April 2016. In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council should receive all documents at the same time as Member States' experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts.
2018/04/30
Committee: ITRE
Amendment 195 #
Proposal for a regulation
Recital 64
(64) In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission when provided for by this Regulation. Those powers should be exercised in accordance with Regulation (EU) No 182/2011.
deleted
2018/04/30
Committee: ITRE
Amendment 196 #
Proposal for a regulation
Recital 65
(65) Delegated acts could be furthermore adopted on European cybersecurity certification schemes for ICT products and services; on modalities of carrying enquiries by the Agency; as well as on the circumstances, formats and procedures of notifications of accredited conformity assessment bodies by the national certification supervisory authorities to the Commission.
2018/04/30
Committee: ITRE
Amendment 202 #
Proposal for a regulation
Article 1 – paragraph 1 – point b
(b) lays down a framework for the establishment of European cybersecurity certification schemes for the purpose of ensuring an adequate level of cybersecurity of ICT products, services and processes in the Union. Such framework shall apply without prejudice to specific provisions regarding voluntary or mandatory certification in other Union acts.
2018/04/30
Committee: ITRE
Amendment 220 #
Proposal for a regulation
Article 2 – paragraph 1 – point 9
(9) ‘European cybersecurity certification scheme’ means the comprehensive set of rules, technical requirements, standards and procedures defined at Union level applying to the certification of Information and Communication Technology (ICT) products, services and processes falling under the scope of that specific scheme;
2018/04/30
Committee: ITRE
Amendment 229 #
Proposal for a regulation
Article 2 – paragraph 1 – point 10
(10) ‘European cybersecurity certificate’ means a document issued by a conformity assessment body attesting that a given ICT product, service, process fulfills the specific requirements laid down in a European cybersecurity certification scheme;
2018/04/30
Committee: ITRE
Amendment 232 #
Proposal for a regulation
Article 2 – paragraph 1 – point 11
(11) ‘ICT product, service and process’ means any element or group of elements of network and information systems;
2018/04/30
Committee: ITRE
Amendment 236 #
Proposal for a regulation
Article 2 – paragraph 1 – point 16 a (new)
(16 a) ‘functionality information scheme’ means a visual display of data in the form of a label, which aims to provide information to the end user on the functionality, connectivity, sensory, kinetic or security features of a consumer electronic device.
2018/04/30
Committee: ITRE
Amendment 246 #
Proposal for a regulation
Article 4 – paragraph 2
2. The Agency shall assist the Union institutions, agencies and bodies, as well as Member States, in developing and implementing policies related to cybersecurity, including sectoral cybersecurity policies, in order to enhance the relevance of EU policies and legislation with a cybersecurity dimension and to promote consistency in their implementation at national level.
2018/04/30
Committee: ITRE
Amendment 254 #
Proposal for a regulation
Article 4 – paragraph 5
5. The Agency shall increase cybersecurity capabilities at Union level in order to complement the action of Member States in preventing and responding to cyber threats, notably in the event of cross-border incidents, and in order to carry out its task of assisting Union institutions in developing policies related to cybersecurity.
2018/04/30
Committee: ITRE
Amendment 255 #
Proposal for a regulation
Article 4 – paragraph 5
5. The Agency shall increase cybersecurity capabilities at Union level in order to complement the action of Member States in preventing and responding to cyber threats, notably in the event of cross-border incidents, in accordance with the provisions of Directive (EU) 2016/1148.
2018/04/30
Committee: ITRE
Amendment 262 #
Proposal for a regulation
Article 4 – paragraph 6
6. The Agency shall promote the use of certification, including by contributing to the establishment and maintenance of a cybersecurity certification framework at Union level in accordance with Title III of this Regulation, with a view to increasing transparency of cybersecurity assurance of ICT products, services and processes and thus strengthen trust in the digital internal market.
2018/04/30
Committee: ITRE
Amendment 276 #
Proposal for a regulation
Article 5 – paragraph 1 – point 2 a (new)
2 a. assisting Member States to implement consistently the Union policy and law regarding data protection notably in relation to Regulation (EU) 2016/679, as well as assisting the European Data Protection Board (EDPB) in the development of guidelines related to the implementation of Regulation (EU) 2016/679 for cybersecurity purposes. The EDPB should be required to consult ENISA every time it issues an opinion or adopts a decision concerning the implementation of the GDPR and cybersecurity, in particular on, but not limited to, issues related to privacy impact assessments, data breach notification, security processing, security requirements, and privacy by design.
2018/04/30
Committee: ITRE
Amendment 299 #
Proposal for a regulation
Article 7 – paragraph 5 – subparagraph 1
Upon a request by one or more Member States concerned, and with the sole purpose of providing assistance either in the form of advice for the prevention of future incidents, or in the form of assisting in the response to a current large scale incidents, the Agency shall provide support to or carry out an ex-post technical enquiry following notifications by affected undertakings of incidents having a significant or substantial impact pursuant to Directive (EU) 2016/1148. The Agency shall perform the above activities by receiving relevant information from the affected Member States and by utilising its own resources on threat analysis as well as resources on incident response made available from CERT EU for that purpose. The Agency shall also carry out such an enquiry upon a duly justified request from the Commission in agreement with the concerned Member States in case of such incidents affecting more than one Member States.
2018/04/30
Committee: ITRE
Amendment 304 #
Proposal for a regulation
Article 7 – paragraph 7
7. The Agency shall prepare a regular and in-depth EU Cybersecurity Technical Situation Report on incidents and threats based on open source information, its own analysis, and reports shared by, among others: Member States' CSIRTs (on a voluntary basis) or NIS Directive Single Points of Contact (in accordance with NIS Directive Article 14 (5)); European Cybercrime Centre (EC3) at Europol, CERT-EU. The Executive Director shall present the public findings to the European Parliament.
2018/04/30
Committee: ITRE
Amendment 307 #
Proposal for a regulation
Article 7 – paragraph 8 – point a
(a) analyzing and aggregating reports from national sources with a view to contribute to establishing common situational awareness;
2018/04/30
Committee: ITRE
Amendment 308 #
Proposal for a regulation
Article 7 – paragraph 8 – point c
(c) supporting the technical handling of an incident or crisis, based on its own independent expertise and resources including facilitating the sharing of technical solutions between Member States;
2018/04/30
Committee: ITRE
Amendment 310 #
Proposal for a regulation
Article 7 – paragraph 8 – point e a (new)
(e a) assisting Member States and Union institutions in establishing and developing an EU Cybersecurity Crisis Response Framework integrating the objectives and modalities of cooperation suggested in the [Commission Recommendation on Coordinated Response to Large Scale Cybersecurity Incidents and Crisis from 13.9.2017].
2018/04/30
Committee: ITRE
Amendment 313 #
Proposal for a regulation
Article 7 – paragraph 8 – point e b (new)
(e b) assisting Member States and Union Institutions in developing and adopting a common taxonomy and template for situational reports to describe technical causes and impacts of cybersecurity incidents to further enhance their technical and operational cooperation during crisis.
2018/04/30
Committee: ITRE
Amendment 316 #
Proposal for a regulation
Article 7 a (new)
Article 7 a
Technical capabilities of the Agency
For meeting the objectives described in Articles 5, 6 and 7 the Agency shall develop among others the following technical capabilities and skills:
1. The ability to analyse threat information data at large scale
2. The ability to conduct forensic analysis on devices and terminal equipment
3. The ability to analyse malware, indicators of compromise and other information related to a cybersecurity threat or incident
4. The ability to collect information on cybersecurity threats from open source as well as commercial sources
5. The ability to deploy technical equipment, tools and expertise remotely and on-site at the request of a Member State in case of Article 7 paragraph 5 and paragraph 8
To meet the technical capabilities described in this Article the Agency shall ensure that its recruitment processes reflect the diverse technical skills required. To meet the technical capabilities described in this Article and develop the relevant skills, the Agency shall cooperate with CERT EU and Europol in accordance to Article 7 paragraph 2.
2018/04/30
Committee: ITRE
Amendment 318 #
Proposal for a regulation
Article 8 – paragraph 1 – point a – introductory part
(a) support and promote the development and implementation of the Union policy on cybersecurity certification of ICT products, services and processes, as established in Title III of this Regulation, by:
2018/04/30
Committee: ITRE
Amendment 325 #
Proposal for a regulation
Article 8 – paragraph 1 – point a – point 1
(1) preparing candidate European cybersecurity certification schemes for ICT products, services and processes in accordance with Article 44 of this Regulation;
2018/04/30
Committee: ITRE
Amendment 370 #
Proposal for a regulation
Article 13 – paragraph 4
4. The term of office of members of the Management Board and of their alternates shall be five years. That term shall be renewable.
2018/04/30
Committee: ITRE
Amendment 371 #
Proposal for a regulation
Article 15 – paragraph 1
The Management Board shall elect by a majority of two-thirds of members its Chairperson and a Deputy Chairperson from among its members for a period of five years, which shall be renewable once. If, however, their membership of the Management Board ends at any time during their term of office, their term of office shall automatically expire on that date. The Deputy Chairperson shall ex officio replace the Chairperson if the latter is unable to attend to his or her duties.
2018/04/30
Committee: ITRE
Amendment 374 #
Proposal for a regulation
Article 18 – paragraph 3
3. The Executive Board shall be composed of five members appointed from among the members of the Management Board amongst whom the Chairperson of the Management Board, who shall not also chair the Executive Board, and one of the representatives of the Commission. The Executive Director shall take part in the meetings of the Executive Board, but shall not have the right to vote.
2018/04/30
Committee: ITRE
Amendment 375 #
Proposal for a regulation
Article 18 – paragraph 4
4. The term of office of the members of the Executive Board shall be five years. That term shall be renewable.
2018/04/30
Committee: ITRE
Amendment 376 #
Proposal for a regulation
Article 19 – paragraph 5 a (new)
5 a. The Executive Director shall be required to provide the relevant European Parliament Committees twice a year with a report on the state of cybersecurity in Europe. The Executive Director should also be invited by the Parliament to provide ENISA’s input on any EU legislative instrument imposing cybersecurity obligations.
2018/04/30
Committee: ITRE
Amendment 408 #
Proposal for a regulation
Article 43 – paragraph 1
A European cybersecurity certification scheme shall attest that the ICT products, services and processes that have been certified in accordance with such scheme comply with specified requirements as regards their ability to resist at a given level of assurance, actions that aim to compromise the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the functions or services offered by, or accessible via, those products, processes, services and systems.
2018/04/30
Committee: ITRE
Amendment 438 #
Proposal for a regulation
Article 44 – paragraph 4
4. The Commission, based on the candidate scheme proposed by ENISA, may adopt delegated acts, in accordance with Article 55(1), providing for European cybersecurity certification schemes for ICT products, services and processes meeting the requirements of Articles 45, 46 and 47 of this Regulation.
2018/04/30
Committee: ITRE
Amendment 471 #
Proposal for a regulation
Article 46 – paragraph 1
1. A European cybersecurity certification scheme may specify one or more of the following assurance levels: basic, substantial and/or high, for ICT products, services and processes issued under that scheme.
2018/04/30
Committee: ITRE
Amendment 478 #
Proposal for a regulation
Article 46 – paragraph 2 – introductory part
2. The assurance levels basic, substantial and high shall meet the following criteria and evaluation methods, respectively:
2018/04/30
Committee: ITRE
Amendment 482 #
Proposal for a regulation
Article 46 – paragraph 2 – point a
(a) assurance level basic shall refer to a certificate issued in the context of a European cybersecurity certification scheme, which provides a limited degree of confidence in the claimed or asserted cybersecurity qualities of an ICT product or service, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to decrease the risk of cybersecurity incidents; an assurance level basic certificate shall certify that known basic cyber risks are covered. The evaluation method shall be based on the technical review by a conformity assessment body of the technical documentation associated with an information and communication technology product or service;
2018/04/30
Committee: ITRE
Amendment 492 #
Proposal for a regulation
Article 46 – paragraph 2 – point b
(b) assurance level substantial shall refer to a certificate issued in the context of a European cybersecurity certification scheme, which provides a substantial degree of confidence in the claimed or asserted cybersecurity qualities of an ICT product or service, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to decrease substantially the risk of cybersecurity incidents; an assurance level substantial certificate shall certify that the known risks of cyber incidents are covered and that the product, service or system can withstand attacks with limited resources. The evaluation method shall be based on the verification, by a conformity assessment body, of the conformity of the security features of the product or service;
2018/04/30
Committee: ITRE
Amendment 501 #
Proposal for a regulation
Article 46 – paragraph 2 – point c
(c) assurance level high shall refer to a certificate issued in the context of a European cybersecurity certification scheme, which provides a higher degree of confidence in the claimed or asserted cybersecurity qualities of an ICT product or service than certificates with the assurance level substantial, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to prevent cybersecurity incidents. An assurance level high certificate shall certify that the known risks of cyber incidents are covered and that the product, service or system can withstand sophisticated attacks with significant resources. The evaluation method shall be based on effectiveness tests to evaluate the ability of security features to withstand a high-level attacker;
2018/04/30
Committee: ITRE
Amendment 548 #
Proposal for a regulation
Article 48 – paragraph 1
1. ICT products, services and processes that have been certified under a European cybersecurity certification scheme adopted pursuant to Article 44 shall be presumed to be compliant with the requirements of such scheme.
2018/04/30
Committee: ITRE
Amendment 557 #
Proposal for a regulation
Article 48 – paragraph 3
3. A European cybersecurity certificate assurance level basic or substantial pursuant to this Article shall be issued by the conformity assessment bodies referred to in Article 51 on the basis of criteria included in the European cybersecurity certification scheme, adopted pursuant to Article 44.
2018/04/30
Committee: ITRE
Amendment 559 #
Proposal for a regulation
Article 48 – paragraph 3 a (new)
3a. A European cybersecurity certificate assurance level high shall be issued by the national certification supervisory bodies referred to in Article 50 on the basis of the criteria included in the European cybersecurity certification scheme, adopted pursuant to Article 44.
2018/04/30
Committee: ITRE
Amendment 581 #
Proposal for a regulation
Article 49 – paragraph 1
1. Without prejudice to paragraph 3, national cybersecurity certification schemes and the related procedures for the ICT products, services and processes covered by a European cybersecurity certification scheme shall cease to produce effects from the date established in the delegated act adopted pursuant Article 44(4). Existing national cybersecurity certification schemes and the related procedures for the ICT products and services not covered by a European cybersecurity certification scheme shall continue to exist.
2018/04/30
Committee: ITRE
Amendment 601 #
Proposal for a regulation
Article 50 – paragraph 8
8. National certification supervisory authorities shall cooperate amongst each other and the Commission and, in particular, exchange information, experiences and good practices as regards cybersecurity certification and technical issues concerning cybersecurity of ICT products, services and processes.
2018/04/30
Committee: ITRE
Amendment 605 #
Proposal for a regulation
Article 51 – paragraph 1 a (new)
1a. For the assurance level high, the conformity assessment bodies shall be authorised by the national certification supervisory authorities only where they meet the stated competence and expertise requirements demonstrated in regular audits of the said bodies.
2018/04/30
Committee: ITRE
Amendment 608 #
Proposal for a regulation
Article 52 – paragraph 5
5. The Commission may, by means of delegated acts, define the circumstances, formats and procedures of notifications referred to in paragraph 1 of this Article. Those delegated acts shall be adopted in accordance with the examination procedure referred to in Article 55(2).
2018/04/30
Committee: ITRE
Amendment 613 #
(fa) determine a peer review mechanism to assess compliance with the requirements set out in this Regulation by each national certification supervisory authority, in particular the ability to perform for each level of assurance the tasks described in this Regulation with the required technical expertise. If necessary, the peer review may determine the appropriate measures to be adopted.
2018/04/30
Committee: ITRE
Amendment 622 #
Proposal for a regulation
Article 56 – paragraph 2
2. The evaluation shall also assess the impact, effectiveness and efficiency of the provisions of Title III with regard to the objectives of ensuring an adequate level of cybersecurity of ICT products, services and processes in the Union and improving the functioning of the internal market. The Commission shall assess, five years after the adoption of the Regulation, a potential extension of the scope of Title III.
2018/04/30
Committee: ITRE