Activities of Jiří MAŠTÁLKA related to 2017/0225(COD)
Shadow opinions (1)
OPINION on the proposal for a regulation of the European Parliament and of the Council on ENISA, the "EU Cybersecurity Agency", and repealing Regulation (EU) 526/2013, and on Information and Communication Technology cybersecurity certification ("Cybersecurity Act")
Amendments (28)
Amendment 60 #
Proposal for a regulation
Recital 5
(5) In light of the increased cybersecurity challenges faced by the Union, there is a need for a comprehensive set of measures that would build on previous Union action and foster mutually reinforcing objectives. These include the need to further increase capabilities and preparedness of Member States and businesses, as well as to improve cooperation and coordination across Member States and EU institutions, agencies and bodies. Furthermore, given the borderless nature of cyber threats, there is a need to increase capabilities at Union level that could complement the action of Member States, in particular in the case of large scale cross-border cyber incidents and crises. Additional efforts are also needed to increase awareness of citizens and businesses on cybersecurity issues. Moreover, the trust in the digital single market should be further improved by offering transparent information on the level of security of ICT products and services. This can be facilitated by EU-wide certification, relying on European or international standards and providing common cybersecurity requirements and evaluation criteria across national markets and sectors.
Amendment 112 #
(57) Recourse to European cybersecurity certification should remain voluntary, unless otherwise provided in Union or national legislation. After this initial stage, and depending on the maturity of implementation in the EU Member States and the criticality of a product or service, it is recognised that, in the future, mandatory schemes for certain ICT products, processes and services may begin to evolve in a phased approach. However, with a view to achieving the objectives of this Regulation and avoiding the fragmentation of the internal market, national cybersecurity certification schemes or procedures for the ICT products and services covered by a European cybersecurity certification scheme should cease to produce effects from the date established by the Commission by means of the implementing act. Moreover, Member States should not introduce new national certification schemes providing cybersecurity certification for ICT products and services already covered by an existing European cybersecurity certification scheme. This is, however, without prejudice to national schemes covering ICT products, processes and services used for Member States’ sovereign domain needs, for which they have sole responsibility.
Amendment 130 #
Proposal for a regulation
Article 1 – paragraph 1 – point b
(b) lays down a framework for the establishment of European cybersecurity certification schemes for the purpose of ensuring an adequate level of cybersecurity of ICT products, processes and services in the Union. Such framework shall apply without prejudice to specific provisions regarding voluntary or mandatory certification in other Union acts.
Amendment 142 #
Proposal for a regulation
Article 2 – paragraph 1 – point 15
(15) ‘conformity assessment body’ means a conformity assessment body of a Member State that performs conformity assessment activities including calibration, testing, certification and inspection as defined in point (13) of Article 2 of Regulation (EC) No 765/2008;
Amendment 210 #
Proposal for a regulation
Article 20 – paragraph 1
1. The Management Board, acting on a proposal by the Executive Director, shall set up a Permanent Stakeholders’ Group composed of recognised security experts representing the relevant stakeholders, such as the European ICT industry, European providers of electronic communications networks or services available to the public, consumer groups, academic experts in cybersecurity, and representatives of competent authorities notified under [Directive establishing the European Electronic Communications Code] as well as of law enforcement and data protection supervisory authorities.
Amendment 216 #
Proposal for a regulation
Article 20 – paragraph 5
5. The Permanent Stakeholders’ Group shall advise the Agency in respect of the performance of its activities. It shall in particular advise the Executive Director on drawing up a proposal for the Agency’s work programme, and on ensuring communication with the relevant stakeholders on all issues related to the work programme. It shall give its formal approval for any candidate certification scheme prepared by the Agency before it is transmitted to the European Commission for endorsement.
Amendment 223 #
Proposal for a regulation
Article 43 – paragraph 1
A European cybersecurity certification scheme shall attest that the ICT products, processes and services that have been certified in accordance with such scheme comply with specified requirements as regards their ability to resist, at a given level of assurance, actions that aim to compromise the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the functions or services offered by, or accessible via, those products, processes, services and systems according to standards, as regards their ability to meet specified security objectives.
Amendment 227 #
Proposal for a regulation
Article 43 a (new)
Article 43a
Working Plan
In consultation with the Consultation Committee referred to in Article 44, the Commission shall, not later than six months after the Regulation enters into force and then every two years, establish a working plan which shall be made publicly available.
Amendment 232 #
Proposal for a regulation
Article 44 – paragraph 1 a (new)
1a. With the support of the European Commission and Member States, ENISA shall set up a Consultation Committee with balanced participation of the European Cybersecurity Certification Group and all interested parties, such as industry, including SMEs, trade unions, standard development organisations, traders, retailers, importers or end-consumers, concerned with the ICT product, process or service in question. This Committee shall be involved in each stage of the preparation of a candidate European cybersecurity certification scheme, including the definition of its elements and assurance requirements. The Consultation Committee shall be consulted at least before the elaboration of a candidate scheme, at least once when the first draft of a candidate scheme is available, and before the adoption of the implementing measures. The Consultation Committee can submit a request to ENISA for the preparation of a candidate European cyber security certification scheme, including to cover industry-led initiatives.
Amendment 241 #
Proposal for a regulation
Article 44 – paragraph 2
2. When preparing candidate schemes referred to in paragraph 1 of this Article, ENISA shall consult the Consultation Committee and all relevant stakeholders and closely cooperate with the Group. The Group shall provide ENISA with the assistance and expert advice required by ENISA in relation to the preparation of the candidate scheme, including by providing opinions where necessary.
Amendment 262 #
Proposal for a regulation
Article 45 – paragraph 1 – point a
(a) Confidentiality: protect data stored, transmitted or otherwise processed against accidental or unauthorised storage, processing, access or disclosure;
Amendment 263 #
Proposal for a regulation
Article 45 – paragraph 1 – point b
(b) Integrity: protect data stored, transmitted or otherwise processed against accidental or unauthorised destruction, accidental loss or alteration;
Amendment 264 #
Proposal for a regulation
Article 45 – paragraph 1 – point c
Amendment 266 #
Proposal for a regulation
Article 45 – paragraph 1 – point d
Amendment 267 #
Proposal for a regulation
Article 45 – paragraph 1 – point e
Amendment 268 #
Proposal for a regulation
Article 45 – paragraph 1 – point f
(f) Availability: promote accessibility of data, services and functions by authorised users;
Amendment 280 #
Proposal for a regulation
Article 46 – paragraph 1
1. A European cybersecurity certification scheme may specify assurance requirements based on the risk and threats determined by the context in which the product, process or service is to operate.
Amendment 290 #
Proposal for a regulation
Article 46 – paragraph 2 – introductory part
2. A European cybersecurity certification scheme shall specify whether self-declaration of conformity is permitted and/or third party assessment is required.
Amendment 293 #
Proposal for a regulation
Article 46 – paragraph 2 – point a
Amendment 299 #
Proposal for a regulation
Article 46 – paragraph 2 – point b
Amendment 305 #
Proposal for a regulation
Article 46 – paragraph 2 – point c
Amendment 391 #
Proposal for a regulation
Article 48 a (new)
Article 48a
Compatibility with international mutual recognition schemes
1. In the preparatory phase of a candidate European cyber security certification scheme, ENISA and, as appropriate, the Consultation Committee shall evaluate the relevance of existing international mutual recognition agreements and certifications.
2. In accordance with Article 49(5), this should include an evaluation of whether any national cyber security certification schemes covered by the candidate scheme are subject to an international mutual recognition agreement.
3. Where relevant international mutual recognition agreements and certifications are determined to exist, ENISA shall aim to ensure compatibility by:
(a) predicating the certification on the same standards,
(b) aligning the scope, security objectives, evaluation methodology and assurance levels,
(c) opening a dialogue with the equivalent governance body with a view to joining the mutual recognition agreement, where feasible.
Amendment 399 #
Proposal for a regulation
Article 49 – paragraph 2
2. Member States shall not introduce new national cybersecurity certification schemes for ICT products, processes and services covered by a European cybersecurity certification scheme in force.
Amendment 401 #
Proposal for a regulation
Article 49 – paragraph 3
3. Existing certificates issued under national cybersecurity certification schemes and covered by a European cyber security certification scheme shall remain valid until their expiry date. Maintenance processes that lead to minor updates shall not invalidate the certification.
Amendment 405 #
Proposal for a regulation
Article 49 – paragraph 3 a (new)
3a. Until an equivalent European scheme is adopted, existing certificates delivered according to national schemes could benefit from recognition under Article 48(7) provided they have been previously thoroughly assessed by ENISA to meet specific cyber security requirements.
Amendment 407 #
Proposal for a regulation
Article 49 – paragraph 3 b (new)
3b. Where national cybersecurity schemes are recognised under international mutual recognition arrangement(s) for security certification, they shall only cease to exist when the European certification scheme qualifies for recognition under the same international arrangement(s).
Amendment 418 #
Proposal for a regulation
Article 50 – paragraph 6 – point d
(d) cooperate with other national certification supervisory authorities or other public authorities, including by sharing information on possible non-compliance of ICT products, processes and services with the requirements of this Regulation or that make false claims of certification against specific European cybersecurity certification schemes;
Amendment 424 #
Proposal for a regulation
Article 50 – paragraph 8
8. National certification supervisory authorities shall cooperate with each other and with the Commission and, in particular, exchange information, experiences and good practices as regards cybersecurity certification and technical issues concerning the cybersecurity of ICT products, processes and services.