1 Amendments of Bart GROOTHUIS related to 2022/0085(COD)
Amendment 393
Proposal for a regulation
Annex I – paragraph 1 a (new)
In order to assess whether the Institutions, bodies and agencies have sufficient control over the security of their ICT systems, a complete cybersecurity review, including a risk, vulnerability and threat assessment, and penetration-test of the ICT systems and devices of the Institutions should be carried out by a leading and verified third party external to the EU institutions, bodies and agencies (such as a leading cybersecurity company) when this regulation enters into force and each following year. It should take due consideration of the information security requirements of the respective institutions (e.g. the handling of confidential or secret information). The reported risks and vulnerabilities should be mitigated in cybersecurity updates, and the recommendations from the assessment should be implemented through cybersecurity policy and can include replacement of infected ICT systems if deemed necessary.