50 Amendments of Carlos COELHO related to 2017/0225(COD)

Amendment 21 #
Proposal for a regulation
Recital 2
(2) The use of network and information systems by citizens, businesses and governments across the Union is now pervasive. Digitisation and connectivity are becoming core features in an ever growing number of products and services and with the advent of the Internet of Things (IoT) millions, if not billions, of connected digital devices are expected to be deployed across the EU during the next decade. While an increasing number of devices are connected to the Internet, security and resilience are not sufficiently built in by design, leading to insufficient cybersecurity. In this context, the limited use of certification leads to insufficient information for organisational and individual users about the cybersecurity features of ICT products and services, undermining trust in digital solutions. This ambition is at the heart of the European Commission’s reform agenda to achieve a digital single market as ICT networks provide the backbone for digital products and services which have the potential to support all aspects of our lives and drive Europe’s economic growth. To ensure that the objectives of digital single market are fully achieved the essential technology building blocks on which important areas such as eHealth, IoT, Artificial Intelligence, Quantum technology as well as intelligent transport system and advanced manufacturing rely must be in place.
2018/02/09
Committee: LIBE
Amendment 29 #
Proposal for a regulation
Recital 5
(5) In light of the increased cybersecurity challenges faced by the Union, there is a need for a comprehensive set of measures that would build on previous Union action and foster mutually reinforcing objectives. These include the need to further increase capabilities and preparedness of Member States and businesses, as well as to improve cooperation and coordination across Member States and EU institutions, agencies and bodies. Furthermore, given the borderless nature of cyber threats, there is a need to increase capabilities at Union level that could complement the action of Member States, in particular in the case of large scale cross-border cyber incidents and crises. Additional efforts are also needed to deliver a co-ordinated EU response and increase awareness of citizens and businesses on cybersecurity issues. Moreover, the trust in the digital single market should be further improved by offering transparent information on the level of security of ICT products and services. This can be facilitated by EU-wide certification providing common cybersecurity requirements and evaluation criteria across national markets and sectors. Alongside EU-wide certification, there is a range of voluntary measures widely accepted in the market place, depending on the product, service, use or standard; these measures as well as the industry bottom up approach, including the use of security-by-design, leveraging and contributing to international standards, should be encouraged.
2018/02/09
Committee: LIBE
Amendment 32 #
Proposal for a regulation
Recital 7
(7) The Union has already taken important steps to ensure cybersecurity and increase trust in digital technologies. In 2013, an EU Cybersecurity Strategy was adopted to guide the Union’s policy response to cybersecurity threats and risks. In its effort to better protect Europeans online, in 2016 the Union adopted the first legislative act in the area of cybersecurity, the Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (the “NIS Directive”). The NIS Directive fulfils the digital single market strategy and together with other instruments, such as Directive establishing the European Electronic Communications Code, Regulation (EU) 2016/679 and Directive 2002/58/EC, puts in place requirements concerning national capabilities in the area of cybersecurity, established the first mechanisms to enhance strategic and operational cooperation between Member States, and introduced obligations concerning security measures and incident notifications across sectors which are vital for economy and society such as energy, transport, water, banking, financial market infrastructures, healthcare, digital infrastructure as well as key digital service providers (search engines, cloud computing services and online marketplaces). A key role was attributed to ENISA in supporting implementation of this Directive. In addition, effective fight against cybercrime is an important priority in the European Agenda on Security, contributing to the overall aim of achieving a high level of cybersecurity.
2018/02/09
Committee: LIBE
Amendment 38 #
Proposal for a regulation
Recital 14
(14) The underlying task of the Agency is to promote the consistent implementation of the relevant legal framework, in particular the effective implementation of the NIS Directive, Directive establishing the European Electronic Communications Code, Regulation (EU) 2016/679 and Directive 2002/58/EC, which is essential in order to increase cyber resilience. In view of the fast evolving cybersecurity threat landscape, it is clear that Member States must be supported by a more comprehensive, cross-policy approach to building cyber resilience.
2018/02/09
Committee: LIBE
Amendment 41 #
Proposal for a regulation
Recital 26
(26) To understand better the challenges in the field of cybersecurity, and with a view to providing strategic long term advice to Member States and Union institutions, the Agency needs to analyse current and emerging risks, incidents and vulnerabilities. For that purpose, the Agency should, in cooperation with Member States and, as appropriate, with statistical bodies and others, collect relevant information and perform analyses of emerging technologies and provide topic-specific assessments on expected societal, legal, economic and regulatory impacts of technological innovations on network and information security, in particular cybersecurity. The Agency should furthermore support Member States and Union institutions, agencies and bodies in identifying emerging trends and preventing problems related to cybersecurity, by performing analyses of threats, incidents and vulnerabilities.
2018/02/09
Committee: LIBE
Amendment 47 #
Proposal for a regulation
Recital 35
(35) The Agency should encourage Member States and service providers to raise their general security standards so that all internet users can take the necessary steps to ensure their own personal cybersecurity. In particular, service providers and product manufacturers should withdraw or recycle products and services that do not meet cybersecurity standards. In cooperation with competent authorities, ENISA may disseminate information regarding the level of cybersecurity of the products and services offered in the internal market, and issue warnings targeting providers and manufacturers and requiring them to improve the security, including cybersecurity, of their products and services. The Agency should work together with stakeholders towards developing an EU-wide approach to responsible vulnerability disclosure and should promote best practice in this area.
2018/02/09
Committee: LIBE
Amendment 50 #
Proposal for a regulation
Recital 44
(44) The Agency should have a Permanent Stakeholders’ Group as an advisory body, to ensure regular dialogue with the private sector, consumers’ organisations and other relevant stakeholders. The Permanent Stakeholders’ Group, set up by the Management Board on a proposal by the Executive Director, should focus on issues relevant to stakeholders and bring them to the attention of the Agency. The composition of the Permanent Stakeholders’ Group and the tasks assigned to this Group, to be consulted in particular regarding the draft Work Programme, should ensure sufficient representation of stakeholders in the work of the Agency. Given the importance of certification requirements to ensure trust in IoT, the Commission will specifically consider implementing measures to ensure the pan-EU security standards harmonisation for IoT devices.
2018/02/09
Committee: LIBE
Amendment 51 #
Proposal for a regulation
Recital 50
(50) Currently, the cybersecurity certification of ICT products and services is used only to a limited extent. When it exists, it mostly occurs at Member State level or in the framework of industry driven schemes. In this context, a certificate issued by one national cybersecurity authority is not in principle recognised by other Member States. Companies thus may have to certify their products and services in several Member States where they operate, for example with a view to participating in national procurement procedures. Moreover, while new schemes are emerging, there seems to be no coherent and holistic approach with regard to horizontal cybersecurity issues, for instance in the field of the Internet of Things. Existing schemes present significant shortcomings and differences in terms of product coverage, levels of assurance, substantive criteria and actual utilisation. A case by case approach is required to ensure that services and products are subject to appropriate certification schemes. Additionally, a risk-based approach is needed for effective identification and mitigation of risks whilst acknowledging that a one size fits all scheme is not possible.
2018/02/09
Committee: LIBE
Amendment 57 #
Proposal for a regulation
Recital 57
(57) Recourse to European cybersecurity certification should remain voluntary, unless otherwise provided in Union or national legislation. After this initial stage, and depending on the maturity of implementation in the EU Member States and the criticality of a product or service, it is recognised that, in the future, potentially mandatory schemes for certain ICT products and services may begin to evolve in a phased approach for the future generations of technology and in response to the policy objectives of tomorrow. However, with a view to achieving the objectives of this Regulation and avoiding the fragmentation of the internal market, national cybersecurity certification schemes or procedures for the ICT products and services covered by a European cybersecurity certification scheme should cease to produce effects from the date established by the Commission by means of the implementing act. Moreover, Member States should not introduce new national certification schemes providing cybersecurity certification schemes for ICT products and services already covered by an existing European cybersecurity certification scheme.
2018/02/09
Committee: LIBE
Amendment 73 #
Proposal for a regulation
Article 5 – paragraph 1 – point 2
2. assisting Member States to implement consistently the Union policy and law regarding cybersecurity notably in relation to Directive (EU) 2016/1148, Directive establishing the European Electronic Communications Code, Regulation (EU) 2016/679 and Directive 2002/58/EC, including by means of opinions, guidelines, advice and best practices on topics such as risk management, incident reporting and information sharing, as well as facilitating the exchange of best practices between competent authorities in this regard;
2018/02/09
Committee: LIBE
Amendment 96 #
Proposal for a regulation
Article 20 – paragraph 1
1. The Management Board, acting on a proposal by the Executive Director, shall set up a Permanent Stakeholders’ Group composed of recognised experts representing the relevant stakeholders, such as the ICT industry, providers of electronic communications networks or services available to the public, consumer groups, the European standardisation organisations, academic experts in cybersecurity, and representatives of competent authorities notified under [Directive establishing the European Electronic Communications Code] as well as of law enforcement and data protection supervisory authorities.
2018/02/09
Committee: LIBE
Amendment 100 #
Proposal for a regulation
Article 44 – paragraph 1
1. Following a request from the Commission, ENISA shall prepare a candidate European cybersecurity certification scheme which meets the requirements set out in Articles 45, 46 and 47 of this Regulation. Member States or the European Cybersecurity Certification Group (the ‘Group’) or the Permanent Stakeholders’ Group established under Articles 20 and 53 respectively may propose the preparation of a candidate European cybersecurity certification scheme to the Commission.
2018/02/09
Committee: LIBE
Amendment 102 #
Proposal for a regulation
Article 44 – paragraph 2
2. When preparing candidate schemes referred to in paragraph 1 of this Article, ENISA shall consult all relevant stakeholders and closely cooperate with the Group and the Permanent Stakeholders’ Group. The Group and the Permanent Stakeholders’ Group shall provide ENISA with the assistance and expert advice required by ENISA in relation to the preparation of the candidate scheme, including by providing opinions where necessary. Where relevant, ENISA may in addition set up a certification stakeholder working group, composed of members of the Permanent Stakeholders’ Group and any other relevant stakeholders, to provide expert advice on areas covered by a specific candidate scheme.
2018/02/09
Committee: LIBE
Amendment 109 #
2. The assurance levels basic, substantial and high shall refer to a certificate issued in the context of a European cybersecurity certification scheme, which provides a corresponding degree of confidence in the claimed or asserted cybersecurity qualities of an ICT product or service, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to decrease the risk of cybersecurity incidents; the assurance level shall be defined on a case by case basis.
2018/02/09
Committee: LIBE
Amendment 110 #
Proposal for a regulation
Article 46 – paragraph 2 – point a
(a) assurance level basic shall refer to a certificate issued in the context of a European cybersecurity certification scheme, which provides a limited degree of confidence in the claimed or asserted cybersecurity qualities of an ICT product or service, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to decrease the risk of cybersecurity incidents;
deleted
2018/02/09
Committee: LIBE
Amendment 112 #
Proposal for a regulation
Article 46 – paragraph 2 – point b
(b) assurance level substantial shall refer to a certificate issued in the context of a European cybersecurity certification scheme, which provides a substantial degree of confidence in the claimed or asserted cybersecurity qualities of an ICT product or service, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to decrease substantially the risk of cybersecurity incidents;
deleted
2018/02/09
Committee: LIBE
Amendment 114 #
Proposal for a regulation
Article 46 – paragraph 2 – point c
(c) assurance level high shall refer to a certificate issued in the context of a European cybersecurity certification scheme, which provides a higher degree of confidence in the claimed or asserted cybersecurity qualities of an ICT product or service than certificates with the assurance level substantial, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to prevent cybersecurity incidents.
deleted
2018/02/09
Committee: LIBE
Amendment 116 #
Proposal for a regulation
Article 47 – paragraph 1 – point a a (new)
(aa) the conformity assessment and auditing bodies
2018/02/09
Committee: LIBE
Amendment 117 #
Proposal for a regulation
Article 47 – paragraph 1 – point l
(l) identification of national cybersecurity certification schemes, pursuant to Article 49, covering the same type or categories of ICT products and services;
2018/02/09
Committee: LIBE
Amendment 121 #
Proposal for a regulation
Article 48 – paragraph 6
6. Certificates shall be issued for a maximum period determined on a case by case basis for each scheme and may be renewed provided that the relevant requirements continue to be met.
2018/02/09
Committee: LIBE
Amendment 135 #
Proposal for a regulation
Article 2 – paragraph 1 – point 9
(9) ‘European cybersecurity certification scheme’ means the comprehensive set of rules, technical requirements, standards and procedures defined at Union level applying to the certification of Information and Communication Technology (ICT) hardware and software products and services falling under the scope of that specific scheme;
2018/03/02
Committee: IMCO
Amendment 224 #
Proposal for a regulation
Article 43 – paragraph 1
A European cybersecurity certification scheme shall attest that the ICT hardware and software products and services that have been certified in accordance with such scheme comply with specified requirements as regards their ability to resist at a given level of risk-based assurance, actions that aim to compromise the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the functions or services offered by, or accessible via, those hardware and software products, development and maintenance processes, services and systems.
2018/03/02
Committee: IMCO
Amendment 235 #
Proposal for a regulation
Article 44 – paragraph 2
2. When preparing candidate schemes referred to in paragraph 1 of this Article, ENISA shall consult all relevant stakeholders and closely cooperate with the Group in defining the security objectives of the candidate certification scheme in line with Article 45, which will lead to the compilation of a checklist of risks and corresponding cybersecurity features. The Group shall provide ENISA with the assistance and expert advice required by ENISA in relation to the preparation of the candidate scheme, including by providing opinions where necessary.
2018/03/02
Committee: IMCO
Amendment 243 #
Proposal for a regulation
Article 44 – paragraph 2 a (new)
2a. ENISA shall coordinate the compilation of a checklist of risks associated with the hardware or software of the ICT product or service. The risks shall be matched with corresponding cybersecurity features to be included in the candidate European cybersecurity certification scheme.
2018/03/02
Committee: IMCO
Amendment 247 #
Proposal for a regulation
Article 44 – paragraph 2 b (new)
2b. The checklist prepared shall draw from Member States’ experience in designing and implementing cybersecurity certificates within their jurisdictions. A list of expected risks will be drawn up, analysed and depending on an assessment of the risk environment that the ICT software or hardware product or ICT service will eventually operate in as well as the expected end user.
2018/03/02
Committee: IMCO
Amendment 254 #
4. The Commission, based on the candidate scheme proposed by ENISA, may adopt implementing acts, in accordance with Article 55(1), providing for European cybersecurity certification schemes for ICT hardware and software products and services meeting the requirements of Articles 45, 46 and 47 of this Regulation.
2018/03/02
Committee: IMCO
Amendment 255 #
Proposal for a regulation
Article 44 – paragraph 5
5. ENISA shall maintain a dedicated website providing information on, and publicity of, European cybersecurity certification schemes as well as candidate cybersecurity certification schemes in preparation.
2018/03/02
Committee: IMCO
Amendment 258 #
Proposal for a regulation
Article 45 – paragraph 1 – introductory part
A European cybersecurity certification scheme shall be so designed to take into account, as applicable, the following non-exhaustive list of security objectives:
2018/03/02
Committee: IMCO
Amendment 272 #
Proposal for a regulation
Article 45 – paragraph 1 – point g
(g) ensure that ICT hardware and software products and services are provided with up to date software that does not contain known vulnerabilities, and are provided with mechanisms for secure software updates.
2018/03/02
Committee: IMCO
Amendment 276 #
Proposal for a regulation
Article 46 – title
Risk-Based Assurance levels of European cybersecurity certification schemes
2018/03/02
Committee: IMCO
Amendment 302 #
(b) risk-based assurance level substantial shall refer to a certificate issued in the context of a European cybersecurity certification scheme, which provides a substantial degree of confidence in the claimed or asserted cybersecurity qualities of an ICT product or service, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls that are generally used at industry level, the purpose of which is to decrease substantially the risk of cybersecurity incidents;
2018/03/02
Committee: IMCO
Amendment 309 #
Proposal for a regulation
Article 46 – paragraph 2 – point c
(c) risk-based assurance level high shall refer to a certificate issued in the context of a European cybersecurity certification scheme, which provides a higher degree of confidence in the claimed or asserted cybersecurity qualities of an ICT product or service than certificates with the assurance level substantial, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls that are generally used at industrial level, the purpose of which is to prevent cybersecurity incidents.
2018/03/02
Committee: IMCO
Amendment 311 #
Proposal for a regulation
Article 46 – paragraph 2 a (new)
2a. The risk-based assurance level for a candidate European cybersecurity certification scheme shall be identified on the basis of the risks identified in the checklist established in Article 44(2) and the availability of cybersecurity measures to counter those risks in the ICT hardware and software products and services to which the certification scheme applies.
2018/03/02
Committee: IMCO
Amendment 313 #
Proposal for a regulation
Article 46 – paragraph 2 b (new)
2b. The characteristics identified in the risk-based assurance level elemental in Article 46(2) are the minimum cybersecurity measures acceptable for consumer products. The characteristics identified in the risk-based assurance levels substantial and high are the minimum cybersecurity measures acceptable for ICT hardware and software products and services used on an industrial scale. These general characteristics should not restrict ENISA, following consultation with the Member States and the Permanent Stakeholders’ Group, from selecting a higher risk-based assurance level than is strictly required following a thorough assessment.
2018/03/02
Committee: IMCO
Amendment 317 #
Proposal for a regulation
Article 47 – paragraph 1 – introductory part
1. A European cybersecurity certification scheme shall include at least the following elements:
2018/03/02
Committee: IMCO
Amendment 320 #
Proposal for a regulation
Article 47 – paragraph 1 – point a
(a) subject-matter and scope of the certification, including the type or categories of ICT hardware and software products and services covered;
2018/03/02
Committee: IMCO
Amendment 322 #
Proposal for a regulation
Article 47 – paragraph 1 – point b
(b) detailed specification of the cybersecurity requirements against which the specific ICT hardware and software products and services are evaluated, for example by reference to Union or international standards or technical specifications;
2018/03/02
Committee: IMCO
Amendment 327 #
Proposal for a regulation
Article 47 – paragraph 1 – point c
(c) where applicable, one or more risk-based assurance levels;
2018/03/02
Committee: IMCO
Amendment 330 #
Proposal for a regulation
Article 47 – paragraph 1 – point c b (new)
(cb) certification requirements defined in a way that certification can be incorporated into or based on the producer’s systematic cybersecurity processes followed during the design, development and lifecycle of the ICT product or service;
2018/03/02
Committee: IMCO
Amendment 333 #
Proposal for a regulation
Article 47 – paragraph 1 – point f
(f) where the scheme provides for marks or labels, such as an EU Cybersecurity Conformity Label signifying that the ICT product or service conforms to the criteria of a European cybersecurity certificate scheme, the conditions under which such marks or labels may be used;
2018/03/02
Committee: IMCO
Amendment 342 #
Proposal for a regulation
Article 47 – paragraph 1 – point i
(i) rules concerning the consequences of non-conformity of certified ICT hardware and software products and services with the certification requirements, including general information about the penalties to be incurred as laid down in Article 54 of this Regulation;
2018/03/02
Committee: IMCO
Amendment 343 #
Proposal for a regulation
Article 47 – paragraph 1 – point j
(j) the requirement that an ICT hardware or software product trader or service provider has procedures and rules in place concerning how previously undetected cybersecurity vulnerabilities in ICT hardware and software products and services are to be reported and dealt with;
2018/03/02
Committee: IMCO
Amendment 368 #
Proposal for a regulation
Article 48 – paragraph 1
1. ICT hardware and software products and services that have been certified under a European cybersecurity certification scheme adopted pursuant to Article 44 shall be presumed to be compliant with the requirements of such scheme.
2018/03/02
Committee: IMCO
Amendment 383 #
Proposal for a regulation
Article 48 – paragraph 6
6. Certificates shall be issued and shall remain valid for a maximum period defined in each cybersecurity certification scheme according to Article 47(1)(n) and depending on the risk environment, the hardware and/or software product or services’ expected uses, and may be renewed, under the same conditions, provided that the relevant requirements continue to be met.
2018/03/02
Committee: IMCO
Amendment 386 #
Proposal for a regulation
Article 48 – paragraph 6 a (new)
6a. A European cybersecurity certification scheme shall remain valid for all new versions, patches, fixes, updates, etc. issued by the ICT hardware or software product or service trader and/or manufacturer to address security vulnerabilities that have been addressed through the trader and/or manufacturer’s procedures as defined under Article 47(1)(j).
2018/03/02
Committee: IMCO
Amendment 411 #
Proposal for a regulation
Article 50 – paragraph 6 – point b
(b) monitor, supervise and assess the activities of conformity assessment bodies for the purpose of this Regulation, including in relation to the notification of conformity assessment bodies and the related tasks set out in Article 52 of this Regulation;
2018/03/02
Committee: IMCO
Amendment 420 #
Proposal for a regulation
Article 50 – paragraph 7 – point e
(e) to withdraw, in accordance with national law, certificates that are not compliant with this Regulation or a European cybersecurity certification scheme and inform national accreditation bodies accordingly;
2018/03/02
Committee: IMCO
Amendment 432 #
Proposal for a regulation
Article 53 – paragraph 3 – point a a (new)
(aa) to provide ENISA with strategic guidance and to establish a work programme including the common actions to be undertaken at EU level to ensure the consistent application of this Title across all Member States;
2018/03/02
Committee: IMCO
Amendment 433 #
Proposal for a regulation
Article 53 – paragraph 3 – point a b (new)
(ab) to establish and periodically update a priority list of ICT products and services that urgently require an EU cybersecurity certification scheme;
2018/03/02
Committee: IMCO
Amendment 434 #
Proposal for a regulation
Article 53 – paragraph 3 – point b a (new)
(ba) to adopt binding rules determining the intervals at which national certification supervisory authorities are to carry out verifications of certificates and the criteria, scale and scope of these verifications and to adopt common rules and standards for reporting, in accordance with Article 50(6).
2018/03/02
Committee: IMCO