BETA

52 Amendments of Jakop G. DALUNDE related to 2017/0225(COD)

Amendment 125 #
Proposal for a regulation
Recital 28
(28) (28) The Agency should contribute towards raising the awareness of the public about risks related to cyberIT security and provide guidance on good practices for individual users aimed at citizens and organisations. The Agency should also contribute to promote best practices and solutions at the level of individuals and organisations by collecting and analysing publicly available information regarding significant incidents, and by compiling reportand publishing reports and guides with a view to providing guidance to businesses and citizens and improving the overall level of preparedness and resilience. The Agency should furthermore organise, in cooperation with the Member States and the Union institutions, bodies, offices and agencies regular outreach and public education campaigns directed to end-users, aiming at promoting safer individual online behaviour and raising awareness of potential threats in cyberspace, including cybercrimes such as phishing attacks, botnets, financial and banking fraud, as well as promoting basic authentication, encryption, anonymisation and data protection advice. The Agency should play a central role in accelerating end-user awareness on security of devices and secure use of services, popularising security by design at Union level, privacy by design and the incidents and their solutions. In achieving this objective the Agency should make the best use of available best practices and experience, especially from academic institutions and IT security researchers.
2018/04/30
Committee: ITRE
Amendment 132 #
Proposal for a regulation
Recital 30
(30) To ensure that it fully achieves its objectives, the Agency should liaise with relevant institutions, agencies and bodies, including CERT-EU, European Cybercrime Centre (EC3) at Europol, European Defence Agency (EDA), European Agency for the operational management of large-scale IT systems (eu- LISA), European Aviation Safety Agency (EASA) and any other EU Agency that is involved in cyberIT security. It should also liaise with authorities dealing with data protection in order to exchange know-how and best practices and provide advice on cyberIT security aspects that might have an impact on their work. Representatives of national and Union law enforcement and data protection authorities should be eligible to be represented in the Agency’s Permanent Stakeholders Group. In liaising with law enforcement bodies regarding network and information security aspects that might have an impact on their work, the Agency should respect existing channels of information and established networks. Partnerships should be established with academic institutions that have research initiatives in the relevant areas, while the input from consumer organisations and other organisations should have appropriate channels and should always be analysed.
2018/04/30
Committee: ITRE
Amendment 139 #
Proposal for a regulation
Recital 35
(35) The Agency should encourage Member States and service providers to raise their general security standards so that all internet users can take the necessary steps to ensure their own personal cybersecurityIT security and refrain from allowing the sales or use of devices that do not meet minimum security conditions (for example containing hardware, software or firmware components with any known exploitable security vulnerabilities, unchangeable or uncrypted passwords or access code, incapable of accepting trusted and properly authenticated security updates, without an adequate hierarchy of remedies from the manufacturer or vendor or without proper lifecycle documentation). In particular, service providers and product manufacturers should withdraw or recycle products and services that do not meet cyberIT security standards. In cooperation with competent authorities, ENISA may disseminate information regarding the level of cyberIT security of the products and services offered in the internal market, and issue warnings targeting providers and manufacturers and requiring them to improve the security, including cyberIT security, of their products and services.
2018/04/30
Committee: ITRE
Amendment 146 #
Proposal for a regulation
Recital 41
(41) In order for the Agency to function properly and effectively, the Commission and the Member States should ensure that persons to be appointed to the Management Board have appropriate professional expertise and experience in functional areas. The Commission and the Member States should also make efforts to limit the turnover of their respective Representatives on the Management Board in order to ensure continuity in its work. Due to the high market value of the skills required in the Agency's work, it is necessary to ensure that the salaries and the social conditions offered to all Agency staff are competitive and ensure that the best professionals can choose to work there.
2018/04/30
Committee: ITRE
Amendment 148 #
Proposal for a regulation
Recital 42
(42) The smooth functioning of the Agency requires that its Executive Director be appointed on grounds of merit and documented administrative and managerial skills, as well as competence and experience relevant for cyberIT security, and that the duties of the Executive Director be carried out with complete independence. The Executive Director should prepare a proposal for the Agency’s work programme, after prior consultation with the Commission, and take all necessary steps to ensure the proper execution of the work programme of the Agency. The Executive Director should prepare an annual report to be submitted to the Management Board, draw up a draft statement of estimates of revenue and expenditure for the Agency, and implement the budget. Furthermore, the Executive Director should have the option of setting up ad hoc Working Groups to address specific matters, in particular of a scientific, technical, legal or socioeconomic nature. The Executive Director should ensure that the ad hoc Working Groups’ members are selected according to the highest standards of expertise, taking due account of a representative and gender balance, as appropriate according to the specific issues in question, between the public administrations of the Member States, the Union institutions and the private sector, including industry, users, and academic experts in network and information security.
2018/04/30
Committee: ITRE
Amendment 151 #
Proposal for a regulation
Recital 44
(44) The Agency should have a Permanent Stakeholders’ Group as an advisory body, to ensure regular dialogue with the private sector, consumers’ organisations, academia and other relevant stakeholders. The Permanent Stakeholders’ Group, set up by the Management Board on a proposal by the Executive Director, should focus on issues relevant to stakeholders and bring them to the attention of the Agency, providing input on which ICT products and services to cover in future European IT security certification schemes . The composition of the Permanent Stakeholders Group and the tasks assigned to this Group, to be consulted in particular regarding the draft Work Programme, should ensure suefficient and equitable representation of stakeholders in the work of the Agency.
2018/04/30
Committee: ITRE
Amendment 167 #
Proposal for a regulation
Recital 52
(52) In view of the above, it is necessary to establish a European cyberIT security certification framework laying down the main horizontal requirements for European cyberIT security certification schemes to be developed and allowing certificates for ICT products and services to be recognised and used in all Member States. The European framework should have a twofold purpose: on the one hand, it should help increase trust in ICT products and services that have been certified according to such schemes. On the other hand, it should avoid the multiplication of conflicting or overlapping national cyberIT security certifications and thus reduce costs for undertakings operating in the digital single market. The schemes should be guided by security-by-design and the principles referred in Regulation (EU) 2016/679, be non-discriminatory and based on internationalselected ISO/IEC and / or Union standards, unless those standards are ineffective or inappropriate to fulfil the EU’s legitimate objectives in that regard.
2018/04/30
Committee: ITRE
Amendment 178 #
Proposal for a regulation
Recital 57
(57) Recourse to European cybersecurity certification should remain voluntary, unless otherwise provided in Union or national legislation. However, was the existence of baseline IT security requirements is of utmost importance for the consumers as well as for the security of networks, some situations needs to be treated in a harmonised and mandatory way. Solutions need to be implemented on all consumer devices and services in order to tackle the challenges of an increasingly connected world. Such minimal requirements could include authentication, security of connections and patches for the discovered vulnerabilities. With a view to achieving the objectives of this Regulation and avoiding the fragmentation of the internal market, national cybersecurity certification schemes or procedures for the ICT products and services covered by a European cybersecurity certification scheme should cease to produce effects from the date established by the Commission by means of the implementing act. Moreover, Member States should not introduce new national certification schemes providing cybersecurity certification schemes for ICT products and services already covered by an existing European cybersecurity certification scheme.
2018/04/30
Committee: ITRE
Amendment 189 #
Proposal for a regulation
Recital 58 a (new)
(58 a) (58 a) Clear and mandatory baseline IT security requirements should be devised by the Agency, and should be proposed to the Commission to be promoted through binding acts, for all IT devices sold in or exported from the Union. Those requirements should be developed within two years after the date of entry into force of this Regulation and revised every two years thereafter, in order to ensure constant and dynamic improvements. These baseline IT security requirements should require, inter alia, that the device does not contain any known security vulnerability, that it is capable of accepting trusted security updates, that the vendor notifies competent authorities of known vulnerabilities and repairs or replaces the affected device, or that the vendor informs when security support for such device will end.
2018/04/30
Committee: ITRE
Amendment 218 #
Proposal for a regulation
Article 2 – paragraph 1 – point 9
(9) ‘European cybersecurity certification scheme’ means the comprehensive set of rules, technical requirements, standards and procedures defined at Union level and according to ISO/IEC and European standards selected by ENISA, applying to the certification of Information and Communication Technology (ICT) products, processes and services falling under the scope of that specific scheme;
2018/04/30
Committee: ITRE
Amendment 226 #
Proposal for a regulation
Article 2 – paragraph 1 – point 10
(10) ‘European cybersecurity certificate’ means a document issued by an attestation issued either through self assessment or through an accredited conformity assessment body attesting that a given ICT process, product or service fulfils the specific requirements laid down in a European cybersecurity certification scheme;
2018/04/30
Committee: ITRE
Amendment 240 #
Proposal for a regulation
Article 3 – paragraph 1
1. The Agency shall undertake the tasks assigned to it by this Regulation for the purpose of contributachieving to a high level of cyberIT security within the Union.
2018/04/30
Committee: ITRE
Amendment 242 #
Proposal for a regulation
Article 3 – paragraph 3
3. The objectives and the tasks of the Agency shall be without prejudice to the exclusive competences of the Member States regarding cybersecurity, and in any case, without prejudice to activities concerning public security, defence, national security and the activities of the state in areas of criminal lawIT security.
2018/04/30
Committee: ITRE
Amendment 251 #
Proposal for a regulation
Article 4 – paragraph 4
4. The Agency shall promote cooperation and coordination at Union level among Member States, Union institutions, agencies and bodies, and relevant stakeholders, including the private sector, consumer organizations and other civil society organisations, on matters related to cyberIT security.
2018/04/30
Committee: ITRE
Amendment 275 #
Proposal for a regulation
Article 5 – paragraph 1 – point 2 a (new)
2 a. assisting the European Data Protection Board established by Regulation (EU) 2016/679 in developing guidelines to specify at the technical level the conditions allowing the licit use of personal data by data controllers for IT security purposes with the objective of protecting their infrastructure by detecting and blocking attacks against their information systems in the context of: (i) Regulation (EU) 2016/6791a; (ii) Directive (EU) 2016/11481b; and (iii) Directive 2002/58/EC1c; (1a Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1). 1b Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (OJ L 194, 19.7.2016, p. 1). 1c Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201 , 31.7.2002, p. 37)).
2018/04/30
Committee: ITRE
Amendment 280 #
Proposal for a regulation
Article 5 – paragraph 1 – point 2 b (new)
2 b. proposing policies with the objective of ensuring that ICT manufacturers act with due diligence regarding the timely fixing of IT security vulnerabilities in their products and services in order to avoid unduly exposing their users to cybercrime;
2018/04/30
Committee: ITRE
Amendment 281 #
Proposal for a regulation
Article 5 – paragraph 1 – point 2 c (new)
2 c. proposing policies establishing a strong responsibility and liability framework for all stakeholders taking part in ICT eco- systems;
2018/04/30
Committee: ITRE
Amendment 282 #
Proposal for a regulation
Article 5 – paragraph 1 – point 2 d (new)
2 d. proposing policies strengthening regulation regarding the responsibilities of operators of critical network infrastructures in the case of an attack against their information systems affecting their users due to a lack of due diligence by some of the users of by the operator itself, where the operator has failed to take reasonable action to prevent the incident or to mitigate its effects on all users;
2018/04/30
Committee: ITRE
Amendment 283 #
Proposal for a regulation
Article 5 – paragraph 1 – point 2 e (new)
2 e. proposing policies to limit the purchase and use of “Zero days” by public authorities with the purpose of attacking information systems; promoting software audits and financing expert staff;
2018/04/30
Committee: ITRE
Amendment 284 #
Proposal for a regulation
Article 5 – paragraph 1 – point 2 f (new)
2 f. proposing policies for public authorities, private companies, researchers, universities and other stakeholders to publish all critical security vulnerabilities that are not yet publicly known within the framework of a responsible disclosure;
2018/04/30
Committee: ITRE
Amendment 285 #
Proposal for a regulation
Article 5 – paragraph 1 – point 2 g (new)
2 g. proposing policies for the extension of the use of “verifiable open- source code” for IT solutions in the public sector as well as for the related use of automated tools to ease review of source code and to easily verify absence of backdoors and other possible security vulnerabilities;
2018/04/30
Committee: ITRE
Amendment 295 #
Proposal for a regulation
Article 6 – paragraph 2 a (new)
2 a. The Agency shall facilitate the establishment and launch of a long-term European IT security project to support the growth of an independent EU IT security industry, and to mainstream IT security into all EU IT developments.
2018/04/30
Committee: ITRE
Amendment 309 #
Proposal for a regulation
Article 7 – paragraph 8 – point c a (new)
(c a) put in place certification schemes deterring the implementation by ICT manufacturers and service providers of secret backdoors intentionally weakening the IT security of commercial products and services and having a detrimental impact on the global security of the internet.
2018/04/30
Committee: ITRE
Amendment 337 #
Proposal for a regulation
Article 8 – paragraph 1 – point b
(b) consult the ISO/IEC international standardisation bodies and European standardisation organisations on the development of standards, to ensure the appropriateness of standards used in European Cybersecurity certification schemes and facilitate the establishment and take-up of European and internationalISO/IEC standards for risk management and for the security of ICT products and services, as well as draw up, in collaboration with Member States, advice and guidelines regarding the technical areas related to the security requirements for operators of essential services and digital service providers, as well as regarding already existing standards, including Member States' national standards, pursuant to Article 19(2) of Directive (EU) 2016/1148;
2018/04/30
Committee: ITRE
Amendment 343 #
Proposal for a regulation
Article 8 – paragraph 1 – point c a (new)
(c a) put in place certification schemes deterring the implementation by ICT manufacturers and service providers of secret backdoors intentionally weakening the IT security of commercial products and services and having a detrimental impact on the global security of the internet.
2018/04/30
Committee: ITRE
Amendment 345 #
Proposal for a regulation
Article 8 – paragraph 1 – point c b (new)
(c b) draw up guidelines concerning how and when Member States are to inform each other when they acquire knowledge of a vulnerability that is not publicly known in an ICT product or service that is certified in accordance with Title III of this Regulation, including guidelines on the coordination of vulnerability disclosure policies;
2018/04/30
Committee: ITRE
Amendment 346 #
Proposal for a regulation
Article 8 – paragraph 1 – point c c (new)
(c c) draw up guides and recommendations on minimum security requirements for IT devices placed on the market in the Union or exported from the Union, thus supporting the fast legislative process needed for this particular case;
2018/04/30
Committee: ITRE
Amendment 349 #
Proposal for a regulation
Article 9 – paragraph 1 – point e
(e) raise awareness of the public about cybersecurity risks, and provide guidance on good practices for individual users aimed at citizens and organisations and promote the adoption of preventive strong IT security measures and reliable data protection and privacy;
2018/04/30
Committee: ITRE
Amendment 355 #
Proposal for a regulation
Article 9 – paragraph 1 – point g a (new)
(g a) promote the widespread adoption by all actors on the Digital Single Market of preventive strong IT security measures and reliable data protection and privacy enhancing technologies as the first line of defence against attacks against information systems.
2018/04/30
Committee: ITRE
Amendment 361 #
Proposal for a regulation
Article 10 – paragraph 1 – point a
(a) advise the Union and the Member States on research needs and priorities in the areas of cybersecurity, data protection and privacy, with a view to enabling effective responses to current and emerging risks and threats, including with respect to new and emerging information and communications technologies, and to using risk-prevention technologies effectively;
2018/04/30
Committee: ITRE
Amendment 366 #
Proposal for a regulation
Article 13 – paragraph 1
1. The Management Board shall be composed of one representative of each Member State, three representatives of the Permanent Stakeholder Group, one of which must represent the consumer interest, and two representatives appointed by the Commission. All representatives shall have voting rights.
2018/04/30
Committee: ITRE
Amendment 368 #
Proposal for a regulation
Article 13 – paragraph 3
3. Members of the Management Board and their alternates shall be appointed in light of their knowledge in the field of cybersecurity, taking into account relevant managerial, administrative and budgetary skills. The Commission and Member States shall make efforts to limit the turnover of their representatives in the Management Board, in order to ensure continuity of that Board’s work. The Commission and Member States shall aim to achieve a balanced representation between men and womenof genders on the Management Board.
2018/04/30
Committee: ITRE
Amendment 372 #
Proposal for a regulation
Article 18 – paragraph 3
3. The Executive Board shall be composed of five members appointed from among the members of the Management Board amongst whom the Chairperson of the Management Board, who may also chair the Executive Board, and one of the representatives of the Commission. The Executive Director shall take part in the meetings of the Executive Board, but shall not have the right to vote. The appointments shall aim to achieve a balanced representation of genders on the Executive Board.
2018/04/30
Committee: ITRE
Amendment 384 #
Proposal for a regulation
Article 20 – paragraph 2
2. Procedures for the Permanent Stakeholders’ Group, in particular regarding the number, composition, and the appointment of its members by the Management Board, the proposal by the Executive Director and the operation of the Group, shall be specified in the Agency’s internal rules of operation and shall be made public. The procedures shall follow best practices in ensuring a fair representation and equal rights for all stakeholders and shall aim to ensure a balanced representation of genders.
2018/04/30
Committee: ITRE
Amendment 386 #
Proposal for a regulation
Article 20 – paragraph 2 a (new)
2 a. The composition of the Permanent Stakeholders’ Group shall include a minimum of five consumer organisations and civil society organisations.
2018/04/30
Committee: ITRE
Amendment 393 #
Proposal for a regulation
Article 23 – paragraph 2
2. The Agency shall ensure that the public and any interested parties are given appropriate, objective, reliable and easily accessible information, in particular with regard to the debates and the results of its work. It shall also make public the declarations of interest made in accordance with Article 22.
2018/04/30
Committee: ITRE
Amendment 394 #
Proposal for a regulation
Article 34 – paragraph 2
2. The Management Board shall adopt a decision laying down rules on the secondment to the agency of national experts, amongst others disallowing no- cost practices and promoting fair remuneration.
2018/04/30
Committee: ITRE
Amendment 396 #
Proposal for a regulation
Article 41 – paragraph 2
2. The Agency’s host Member State shall provide the best possible conditions to ensure the proper functioning of the Agency, including the accessibility of the locationheadquarters and other offices location by international airport, the existence of adequate education facilities for the children of staff members, appropriate access to the labour market, social security and medical care for both children and spouses.
2018/04/30
Committee: ITRE
Amendment 409 #
Article 43a Security by design and by default 1. Taking into account the state of the art, producers and service providers shall ensure the security by design and by default of their ICT products and services. Manufacturers and service providers must ensure that the software running on their ICT product or service is secure and does not have any known security vulnerability considering the state of the art technology at the time. ICT products and services must implement the following technical measures: (a) ICT products and services must be provided with up to date software and must include mechanisms to receive secure, properly authenticated and trusted software updates on a regular basis; (b) remote access capabilities of the ICT product or service must be documented and secured against unauthorized access during the installation at the latest; (c) ICT products shall not have the same default hardcoded standard passwords for all devices; (d) Data stored by ICT products and services must be securely protected by state of the art methods such as encryption; (e) ICT products and services shall only accept high-security methods for authentication. 2. Manufacturers and service providers must notify the competent authority of any known security vulnerabilities as soon as they are discovered. In addition, they must provide a timely repair and/or replacement to overcome any new security vulnerability discovered. 3. ICT products and services placed on the market shall comply with the obligations in paragraph 1 during their foreseeable and normal period of use. 4. The Commission shall by means of implementing act, and in cooperation with ENISA, adopt detailed rules on the specificities of the security requirements provided in paragraph 1. 5. Where the market surveillance authorities have reasons to believe that the ICT product or service does not comply with the requirements laid down in this Regulation, they shall without delay require the relevant manufacturer or service provider to take appropriate corrective action to bring the product into compliance with those requirements, to withdraw the product from the market, or to recall it within a reasonable period, commensurate with the nature of the risk, as they may prescribe. 6. Where the manufacturer or service provider does not take adequate corrective action within the period referred to in paragraph 5, the market surveillance authorities shall take appropriate provisional measures to prohibit or restrict the product being made available on their national markets, to withdraw the product from that market or to recall it. 7. Market surveillance authorities shall organise appropriate checks on product compliance and oblige the manufacturers or service providers to recall non-compliant products from the market. When identifying the products that will be subject to compliance check, national certification authorities shall prioritise high risk products for consumers, products embedded with new technologies and/or products with high selling rates.
2018/04/30
Committee: ITRE
Amendment 413 #
Proposal for a regulation
Article 44 – paragraph 1
1. Following a request from the Commission, ENISA shall prepare a candidate European cyberIT security certification scheme which meets the requirements set out in Articles 45, 46 and 47 of this Regulation. Member States or, the European Cybersecurity Certification Group (the 'Group') established under Article 53 or the Permanent Stakeholders Group established under Article 20, may propose the preparation of a candidate European cyberIT security certification scheme to the Commission.
2018/04/30
Committee: ITRE
Amendment 422 #
Proposal for a regulation
Article 44 – paragraph 2
2. When preparing candidate schemes referred to in paragraph 1 of this Article, ENISA shall consult all relevant stakeholders, as well as the consumer organisations, Article 29 Working Party and the European Data Protection Board as appropriate and closely cooperate with the Group. The Group shall provide ENISA with the assistance and expert advice required by ENISA in relation to the preparation of the candidate scheme, including by providing opinions where necessary.
2018/04/30
Committee: ITRE
Amendment 434 #
Proposal for a regulation
Article 44 – paragraph 4
4. The Commission, based on the candidate scheme proposed by ENISA, may adopt implementing acts, in accordance with Article 55(1), providing for European cybersecurity certification schemes for ICT products and services meeting the requirements of Articles 45, 46 and 47 of this Regulation. The Commission may consult the European Data Protection Board and take account of its view before adopting such implementing acts.
2018/04/30
Committee: ITRE
Amendment 451 #
Proposal for a regulation
Article 45 – paragraph 1 – point c
(c) ensure that authorised persons, programmes or machines can access exclusively the data, services or functions to which their access rights refer and a process is in place to identify and document all dependencies and vulnerabilities in ICT products, processes and services;
2018/04/30
Committee: ITRE
Amendment 453 #
Proposal for a regulation
Article 45 – paragraph 1 – point d
(d) record which data, functions or services have been communicated, at what times and by whomensure that ICT products, processes and services do not contain known exploitable vulnerabilities and resist to a defined level of attack;
2018/04/30
Committee: ITRE
Amendment 457 #
Proposal for a regulation
Article 45 – paragraph 1 – point g
(g) ensure that ICT products and services are provided with up -to -date software and hardware that does not contain known vulnerabilities, and; ensure that they have been designed and implemented in such a way as to effectively limit their susceptibility to vulnerabilities, and ensure that they are provided with mechanisms for secure software updates., including automatic security updates and the possibility of hardware upgrades;
2018/04/30
Committee: ITRE
Amendment 504 #
Proposal for a regulation
Article 46 – paragraph 2 – point c
(c) assurance level high shall refer to a certificate issued in the context of a European cybersecurity certification scheme, which provides a higher degree of confidence in the claimed or asserted cybersecurity qualities of an ICT product or service than certificates with the assurance level substantial, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to prevent cybersecurity incidents. The evaluation methodology should be guided at least by an efficiency testing which assesses the resistance of the security functionalities against attackers having significant to unlimited resources.
2018/04/30
Committee: ITRE
Amendment 560 #
Proposal for a regulation
Article 48 – paragraph 4 – introductory part
4. By the way of derogation from paragraph 3, and only in duly justified cases, a particular European cybersecurity scheme may provide that a European cybersecurity certificate resulting from that scheme can only be issued by a public body. Such public body shall be one of the following:a body that is accredited as conformity assessment body pursuant to Article 51(1). The natural or legal person which submits its ICT products or services to the certification mechanism shall make available to the conformity assessment body referred to in Article 51 with all information necessary to conduct the certification procedure.
2018/04/30
Committee: ITRE
Amendment 564 #
Proposal for a regulation
Article 48 – paragraph 4 – point a
(a) a national certification supervisory authority referred to in Article 50(1);deleted
2018/04/30
Committee: ITRE
Amendment 565 #
Proposal for a regulation
Article 48 – paragraph 4 – point b
(b) a body that is accredited as conformity assessment body pursuant to Article 51(1) ordeleted
2018/04/30
Committee: ITRE
Amendment 566 #
Proposal for a regulation
Article 48 – paragraph 4 – point c
(c) a body established under laws, statutory instruments, or other official administrative procedures of a Member State concerned and meeting the requirements for bodies certifying products, processes and services further to ISO/IEC 17065:2012.deleted
2018/04/30
Committee: ITRE
Amendment 577 #
Proposal for a regulation
Article 48 a (new)
Article 48a Baseline IT security requirements 1. The agency shall, by ... [two years after the date of entry into force of this regulation], propose to the Commission clear and mandatory baseline IT security requirements for all IT devices sold in or exported from the Union such as: (a) the manufacturer providing a written certification that the device does not contain any hardware, software or firmware component with any known security vulnerabilities; (b) the device relies on software or firmware components capable of accepting properly authenticated and trusted updates from the vendor; (c) documented remote access capabilities of the device that are secured against unauthorized access during the installation at the latest; no default hardcoded standard passwords for all devices, a documented possibility for updates which clearly points out responsibilities in case the user does not update the device; (d) an obligation of the manufacturer of the internet-connected device, software, or firmware component to notify the competent authority of any known security vulnerabilities; (e) an obligation of the manufacturer of the internet-connected device, software, or firmware component to provide a repair in respect to any new security vulnerability discovered; (f) an obligation of the manufacturer of the internet-connected device, software, or firmware component to provide information on how the device receives updates, the anticipated timeline for ending security support and a notification when such security support has ended. (g) an obligation of the manufacturer to release the source code and documentation after the end of support date; 2. The Agency shall review and, where necessary, amend the requirements referred to in paragraph 1 every two years, and submit any amendments as proposals to the Commission. 3. The Commission may, by way of implementing acts, decide that the proposed or amended requirements referred to in paragraphs 1 and 2 have general validity within the Union. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 55(2). 4. The Commission shall ensure appropriate publicity for the requirements which have been decided as having general validity in accordance with paragraph 3. 5. The Agency shall collate all proposed requirements and their amendments in a register and shall make them publicly available by way of appropriate means. 6. While manufacturers are responsible for ensuring product compliance of an ICT product or service, importers must make sure that the products they place on the market comply with the applicable requirements and do not present a risk to the European public. The importer has to verify that the manufacturer outside the EU has taken the necessary steps and that the product or service complies with the provisions of paragraph 1. Distributors of ICT products or services must have a basic knowledge of the legal requirements and the accompanying documentation. Distributors shall be able to identify products that are clearly not in compliance and they must be able to demonstrate to national authorities that they have acted with due care and have affirmation from the manufacturer or the importer that the necessary measures have been taken. Furthermore, a distributor must be able to assist national authorities in their efforts to receive the required documentation. 7. In the cases determined in the scheme, based on the nature, lifecycle or cost of the product, as an alternative to the full certification process, compliance with the mandatory baseline IT security requirements could be ensured through self-declaration of conformity following the applicable procedure for conformity assessment.
2018/04/30
Committee: ITRE
Amendment 586 #
Proposal for a regulation
Article 50 – paragraph 3
3. Each national certification supervisory authority shall, in its organisation, funding decisions, legal structure and decision-making, be independent of the entities they supervise. The national certification supervisory authority may not be a certificate body or certificate issuer.
2018/04/30
Committee: ITRE