30 Amendments of Andreas SCHWAB related to 2017/0225(COD)
Amendment 93 #
Proposal for a regulation
Recital 52 a (new)
Recital 52 a (new)
(52a) The European cybersecurity certification framework should be established in a uniform manner in all Member States in order to prevent ‘certification shopping’ based on differences in costs or levels of stringency between Member States.
Amendment 106 #
Proposal for a regulation
Recital 56
Recital 56
(56) The Commission should be empowered to request ENISA to prepare candidate schemes for specific ICT products or services. The Commission, based on the candidate scheme proposed by ENISA, should then be empowered to adopt the European cybersecurity certification scheme by means of implementing acts. Taking account of the general purpose and security objectives identified in this Regulation, European cybersecurity certification schemes adopted by the Commission should specify a minimum set of elements concerning the subject-matter, the scope and functioning of the individual scheme. These should include among others the scope and object of the cybersecurity certification, including the categories of ICT products and services covered, the detailed specification of the cybersecurity requirements, for example by reference to standards or technical specifications, the specific evaluation criteria and evaluation methods, as well as the intended level of assurance: basic, substantial and/or high. The security requirements should depend on the risk resulting from the ICT product or service.
Amendment 116 #
Proposal for a regulation
Recital 57
Recital 57
(57) Recourse to European cybersecurity certification should remain voluntary, except for ICT products and services with high security requirements and unless otherwise provided in Union or national legislation. However, with a view to achieving the objectives of this Regulation and avoiding the fragmentation of the internal market, national cybersecurity certification schemes or procedures for the ICT products and services covered by a European cybersecurity certification scheme should cease to produce effects from the date established by the Commission by means of the implementing act. Moreover, Member States should not introduce new national certification schemes providing cybersecurity certification schemes for ICT products and services already covered by an existing European cybersecurity certification scheme.
Amendment 121 #
Proposal for a regulation
Recital 58
Recital 58
(58) Once a European cybersecurity certification scheme is adopted, manufacturers of ICT products or providers of ICT services should be able to submit an application for certification of their products or services to a conformity assessment body of their choice. Products and services with high security requirements shall be subject to mandatory third-party certification. For all other ICT products and services, third- party certification shall be voluntary, unless otherwise specified in Union law. Conformity assessment bodies should be accredited by an accreditation body if they comply with certain specified requirements set out in this Regulation. Accreditation should be issued for a maximum of five years and may be renewed on the same conditions provided that the conformity assessment body meets the requirements. Accreditation bodies should revoke an accreditation of a conformity assessment body where the conditions for the accreditation are not, or are no longer, met or where actions taken by a conformity assessment body infringe this Regulation.
Amendment 144 #
Proposal for a regulation
Article 2 – paragraph 1 – point 16 a (new)
Article 2 – paragraph 1 – point 16 a (new)
(16a) ‘self-declaration of conformity’ means the statement by which the manufacturer demonstrates that specified requirements relating to a product or service, have been fulfilled;
Amendment 222 #
Proposal for a regulation
Article 43 – paragraph 1
Article 43 – paragraph 1
A European cybersecurity certification scheme shall be established in order to boost the level of security within the digital single market and adopt a harmonised approach, at EU level, to European certification, with a view to ensuring that ICT products, services and systems are resistant to cyber-attacks. It shall attest that the ICT products and services that have been certified in accordance with such scheme comply with specified common requirements as regards their ability to resist at a given level of assurance, actions that aim to compromise the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the functions or services offered by, or accessible via, those products, processes, services and systems.
Amendment 240 #
Proposal for a regulation
Article 44 – paragraph 2
Article 44 – paragraph 2
2. When preparing candidate schemes referred to in paragraph 1 of this Article, ENISA shall take into account already existing national and international standards. ENISA shall consult all relevant stakeholders and closely cooperate with the Group. The Group shall provide ENISA with the assistance and expert advice required by ENISA in relation to the preparation of the candidate scheme, including by providing opinions where necessary.
Amendment 243 #
Proposal for a regulation
Article 44 – paragraph 2 a (new)
Article 44 – paragraph 2 a (new)
2a. ENISA shall coordinate the compilation of a checklist of risks associated with the hardware or software of the ICT product or service. The risks shall be matched with corresponding cybersecurity features to be included in the candidate European cybersecurity certification scheme.
Amendment 247 #
Proposal for a regulation
Article 44 – paragraph 2 b (new)
Article 44 – paragraph 2 b (new)
2b. The checklist prepared shall draw from Member States’ experience in designing and implementing cybersecurity certificates within their jurisdictions. A list of expected risks will be drawn up, analysed and depending on an assessment of the risk environment that the ICT software or hardware product or ICT service will eventually operate in as well as the expected end user.
Amendment 256 #
Proposal for a regulation
Article 44 – paragraph 5 a (new)
Article 44 – paragraph 5 a (new)
5a. ENISA requires a branch office in Brussels, to monitor the work on EU certification closely and to work in close contact with Commission and Parliament to establish European common standards on cybersecurity.
Amendment 270 #
Proposal for a regulation
Article 45 – paragraph 1 – point g
Article 45 – paragraph 1 – point g
(g) ensure that ICT products and services are provided with up to date software thatdates, upgrades and patches, which does not contain known vulnerabilities, and are provided mechanisms for secure software updateswhich must be offered during a reasonable lifecycle of the product or service to enable continuous protection.
Amendment 277 #
Proposal for a regulation
Article 46 – title
Article 46 – title
Amendment 281 #
Proposal for a regulation
Article 46 – paragraph 1
Article 46 – paragraph 1
1. A European cybersecurity certification scheme may specify one or more of the following assurance levelsecurity requirements: basic, substantial and/or high, for ICT products and services issued under that scheme. The security requirements shall be defined following a risk-based approach and taking into account the intended use of the ICT product or service.
Amendment 287 #
Proposal for a regulation
Article 46 – paragraph 1 a (new)
Article 46 – paragraph 1 a (new)
1a. A European cybersecurity certification scheme shall specify whether self-declaration of conformity is permissible or third party assessment strictly required.
Amendment 292 #
Proposal for a regulation
Article 46 – paragraph 2 – introductory part
Article 46 – paragraph 2 – introductory part
2. The assurance levelsecurity requirements basic, substantial and high shall meet the following criteria respectively:
Amendment 298 #
Proposal for a regulation
Article 46 – paragraph 2 – point a
Article 46 – paragraph 2 – point a
(a) assurance levelsecurity requirement basic shall refer to a certificate issued in the context of a European cybersecurity certification scheme, which provides a limited degree of confidence in the claimed or asserted cybersecurity qualities of an ICT product or service, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to decrease the risk of cybersecurity incidents;
Amendment 303 #
Proposal for a regulation
Article 46 – paragraph 2 – point b
Article 46 – paragraph 2 – point b
(b) assurance levelsecurity requirement substantial shall refer to a certificate issued in the context of a European cybersecurity certification scheme, which provides a substantial degree of confidence in the claimed or asserted cybersecurity qualities of an ICT product or service, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to decrease substantially the risk of cybersecurity incidents;
Amendment 308 #
Proposal for a regulation
Article 46 – paragraph 2 – point c
Article 46 – paragraph 2 – point c
(c) assurance levelsecurity requirement high shall refer to a certificate issued in the context of a European cybersecurity certification scheme, which provides a higher degree of confidence in the claimed or asserted cybersecurity qualities of an ICT product or service than certificates with the assurance levelsecurity requirement substantial, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to prevent cybersecurity incidents. This shall especially apply to critical infrastructure products and services.
Amendment 312 #
Proposal for a regulation
Article 46 – paragraph 2 a (new)
Article 46 – paragraph 2 a (new)
2a. As regards assurance levels substantial and high, the ethical hacking method may be used by national conformity control bodies.
Amendment 328 #
Proposal for a regulation
Article 47 – paragraph 1 – point c
Article 47 – paragraph 1 – point c
(c) where applicable, one or more assurance levelsecurity requirements;
Amendment 335 #
Proposal for a regulation
Article 47 – paragraph 1 – point g
Article 47 – paragraph 1 – point g
(g) where surveillance is part of the scheme, the rules for monitoring compliance with the requirements of the certificates, including mechanisms to demonstrate the continued compliance with the specified cybersecurity requirements, where relevant and possible also through obligatory updates, upgrades or patches of the concerned ICT product or service. For all ICT products and services with substantial and high security requirements, surveillance shall be mandatory on a regular basis;
Amendment 367 #
Proposal for a regulation
Article 48 – paragraph 1
Article 48 – paragraph 1
1. ICT products and services that have been certified under a European cybersecurity certification scheme adopted pursuant to Article 44 shall be presumed to be compliant with the requirements of such scheme. This might include obligatory updates, upgrades or patches where relevant and possible.
Amendment 370 #
Proposal for a regulation
Article 48 – paragraph 2
Article 48 – paragraph 2
2. The certification shall be mandatory for those products and services that fall under a high security requirement. For all other ICT products and services, certification shall be voluntary, unless otherwise specified in Union law.
Amendment 375 #
Proposal for a regulation
Article 48 – paragraph 3
Article 48 – paragraph 3
3. A European cybersecurity certificate pursuant to this Article shall be issued either by self-declaration of conformity, or by the conformity assessment bodies referred to in Article 51 on the basis of criteria included in the European cybersecurity certification scheme, adopted pursuant to Article 44. For ICT products and services with high security requirements, the European cybersecurity certificate shall be issued by the conformity assessment bodies referred to in Article 51, without the possibility of self-declaration of conformity.
Amendment 383 #
Proposal for a regulation
Article 48 – paragraph 6
Article 48 – paragraph 6
6. Certificates shall be issued and shall remain valid for a maximum period defined in each cybersecurity certification scheme according to Article 47(1)(n) and depending on the risk environment, the hardware and/or software product or services’ expected uses for a maximum period of three years and may be renewed, under the same conditions, provided that the relevant requirements continue to be met.
Amendment 386 #
Proposal for a regulation
Article 48 – paragraph 6 a (new)
Article 48 – paragraph 6 a (new)
6a. A European cybersecurity certification scheme shall remain valid for all new versions, patches, fixes, updates, etc. issued by the ICT hardware or software product or service trader and/or manufacturer to address security vulnerabilities that have been addressed through the trader and/or manufacturer’s procedures as defined under Article 47(1)(j).
Amendment 398 #
Proposal for a regulation
Article 49 – paragraph 2
Article 49 – paragraph 2
2. Member States shall not introduce new national cybersecurity certification schemes for ICT products and services covered by a European cybersecurity certification scheme in force. Existing cybersecurity certification schemes shall be entitled to be recognized at the EU level, following an assessment by ENISA.
Amendment 402 #
Proposal for a regulation
Article 49 – paragraph 3
Article 49 – paragraph 3
3. Existing certificates issued under national cybersecurity certification schemes covered by a European cybersecurity certification scheme shall remain valid until their expiry date.
Amendment 416 #
Proposal for a regulation
Article 50 – paragraph 6 – point c
Article 50 – paragraph 6 – point c
(c) handle complaints lodged by natural or legal persons in relation to certificates issued by self-declaration and by conformity assessment bodies established in their territories, investigate, to the extent appropriate, the subject matter of the complaint, and inform the complainant of the progress and the outcome of the investigation within a reasonable time period;
Amendment 431 #
Proposal for a regulation
Article 52 – paragraph 1
Article 52 – paragraph 1
1. For each European cybersecurity certification scheme adopted pursuant Article 44, national certification supervisory authorities shall notify the Commission of the accredited conformity assessment bodies accredited to issue certificates at specified assurance levelsecurity requirements as referred to in Article 46 and, without undue delay, of any subsequent changes thereto.