31 Amendments of Pilar del CASTILLO VERA related to 2017/0225(COD)
Amendment 144 #
Proposal for a regulation
Recital 40
Recital 40
(40) The Management Board, composed of the Member States and the Commission, should define the general direction of the Agency’s operations and ensure that it carries out its tasks in accordance with this Regulation. The Management Board should be entrusted with the powers necessary to establish the budget, verify its execution, adopt the appropriate financial rules, establish transparent working procedures for decision making by the Agency, adopt the Agency’s Single Programming Document, adopt its own rules of procedure, appoint the Executive Director and decide on the extension of the Executive Director’s term of office and on the termination thereof. Taking into account the highly technical nature of the Agency's mission, members of the Management Board should have appropriate experience in issues within the scope of the Agency's mission.
Amendment 163 #
Proposal for a regulation
Recital 47
Recital 47
(47) Conformity assessment is the process demonstrating whether specified requirements relating to a product, process, service, system, person or body have been fulfilled. For the purposes of this Regulation, certification should be considered as a type of conformity assessment regarding the cybersecurity features ofand practices comprised in a product, process, service, system, or a combination of those ("ICT products and services") by an independent third party, other than the product manufacturer or service provider. Certification cannot guarantee per se that certified ICT processes and systems result in ICT products and services that are cyber secure. It is rather a procedure and technical methodology to attest that ICT products and services as well as processes and systems have been tested and that they comply with certain cybersecurity requirements laid down elsewhere, for example as specified in technicalrelevant standards.
Amendment 203 #
Proposal for a regulation
Article 1 – paragraph 1 – point b
Article 1 – paragraph 1 – point b
(b) lays down a framework for the establishment of European cybersecurity certification schemes for the purpose of ensuring an adequate level of cybersecurity of ICT products, processes and services in the Union. Such framework shall apply without prejudice to specific provisions regarding voluntary or mandatory certification in other Union acts.
Amendment 216 #
Proposal for a regulation
Article 2 – paragraph 1 – point 9
Article 2 – paragraph 1 – point 9
(9) ‘European cybersecurity certification scheme’ means the comprehensive set of rules, technical requirements, standards and procedures defined at Union level and according to standards or ICT technical specifications as defined in Regulation (EU) No 1025/2012, applying to the certification of Information and Communication Technology (ICT) products, processes and services falling under the scope of that specific scheme;
Amendment 221 #
Proposal for a regulation
Article 2 – paragraph 1 – point 9
Article 2 – paragraph 1 – point 9
(9) ‘European cybersecurity certification scheme’ means the comprehensive set of rules, technical requirements, standards and procedures defined at Union level applying to the certification of Information and Communication Technology (ICT) products and services falling under the scope of that specific scheme;
Amendment 231 #
Proposal for a regulation
Article 2 – paragraph 1 – point 11
Article 2 – paragraph 1 – point 11
(11) ‘ICT product and service’ means any product, process, service that is an element or group of elements of network and information systems;
Amendment 322 #
Proposal for a regulation
Article 8 – paragraph 1 – point a – point 1
Article 8 – paragraph 1 – point a – point 1
(1) In cooperation with industry stakeholders in a formal, standardised and transparent process, identifying and preparing candidate European cybersecurity certification schemes for ICT products and services in accordance with Article 44 of this Regulation;
Amendment 330 #
Proposal for a regulation
Article 8 – paragraph 1 – point a – point 3
Article 8 – paragraph 1 – point a – point 3
(3) compiling and publishing guidelines and developing good practices concerning the cybersecurity requirements of ICT products and services, in cooperation with national certification supervisory authorities and the industry in a formal, standardised and transparent process;
Amendment 341 #
Proposal for a regulation
Article 8 – paragraph 1 – point b – point i (new)
Article 8 – paragraph 1 – point b – point i (new)
i) b) promote, depending on the level of risk, the use of additional means to certification of conformance to cybersecurity standards
Amendment 403 #
Proposal for a regulation
Article 43 – paragraph 1
Article 43 – paragraph 1
A European cybersecurity certification scheme shall attest that the ICT products, processes and services that have been certified in accordance with such scheme comply with specified requirements according to standards, as regards their ability to resist at a given level of assurance, actions that aim to compromise the availability, authenticity, integrity or confidentiality of stored or transmitted or processed dat a or the functions or services offered by, or accessible via, those products, processes, services and systemsgiven level of assurance.
Amendment 423 #
Proposal for a regulation
Article 44 – paragraph 2
Article 44 – paragraph 2
2. When preparing candidate schemes referred to in paragraph 1 of this Article, ENISA shall consult all relevant stakeholders in a formal, standardised and transparent process, and closely cooperate with the Group. The Group and all relevant stakeholders shall provide ENISA with the assistance and expert advice required by ENISA in relation to the preparation of the candidate scheme, including by providing opinions where necessary.
Amendment 435 #
Proposal for a regulation
Article 44 – paragraph 4
Article 44 – paragraph 4
4. The Commission, based on the candidate scheme proposed by ENISA, may adopt implementing acts, in accordance with Article 55(1), providing for European cybersecurity certification schemes for ICT products, processes and services meeting the requirements of Articles 45, 46 and 47 of this Regulation.
Amendment 459 #
Proposal for a regulation
Article 45 – paragraph 1 – point g – point i (new)
Article 45 – paragraph 1 – point g – point i (new)
(i) (h) ensure that ICT products and services are developed according to the security requirements of the particular scheme
Amendment 470 #
Proposal for a regulation
Article 46 – paragraph 1
Article 46 – paragraph 1
1. A European cybersecurity certification scheme may specify one or more of the following assurance levels: basic, substantial and/or high, for ICT products andassurance requirements based on the risks and threats determined by the context in which the product, process or services issued under that schem to operate.
Amendment 473 #
Proposal for a regulation
Article 46 – paragraph 1 – subparagraph 1 (new)
Article 46 – paragraph 1 – subparagraph 1 (new)
2. ENISA shall identify or develop assurance levels to be specified in European cybersecurity certification schemes in consultation with interested stakeholders.
Amendment 475 #
Proposal for a regulation
Article 46 – paragraph 2
Article 46 – paragraph 2
Amendment 516 #
Proposal for a regulation
Article 47 – paragraph 1 – point a
Article 47 – paragraph 1 – point a
(a) subject-matter and scope of the certification, including the type or categories of ICT products, processes and services covered;
Amendment 518 #
Proposal for a regulation
Article 47 – paragraph 1 – point b
Article 47 – paragraph 1 – point b
(b) detailed specification of the cybersecurity requirements against which the specific ICT products and services are evaluated, for example by reference to Union or international standards or technical specifications; certification requirements should be defined in such a way that certification can be built into or based on the producer's systematic security processes followed during the development and lifecycle of the product or service in question;
Amendment 523 #
Proposal for a regulation
Article 47 – paragraph 1 – point b – point i (new)
Article 47 – paragraph 1 – point b – point i (new)
(i) (c) where appropriate promoting "security by design"
Amendment 531 #
Proposal for a regulation
Article 47 – paragraph 1 – point h
Article 47 – paragraph 1 – point h
(h) conditions for granting, maintaining, continuing, renewing, extending and reducing the scope of certification;
Amendment 536 #
Proposal for a regulation
Article 47 – paragraph 1 – point l
Article 47 – paragraph 1 – point l
(l) identification of national or international cybersecurity certification schemes covering the same type or categories of ICT products and services, security requirements and evaluation criteria and methods;
Amendment 537 #
Proposal for a regulation
Article 47 – paragraph 1 – point l
Article 47 – paragraph 1 – point l
(l) identification of national or international cybersecurity certification schemes or industry-led initiatives covering the same type or categories of ICT products, processes and services;
Amendment 538 #
Proposal for a regulation
Article 47 – paragraph 1 – point l a (new)
Article 47 – paragraph 1 – point l a (new)
(la) (ma) where applicable, the validity period of the certificate.
Amendment 549 #
Proposal for a regulation
Article 48 – paragraph 1
Article 48 – paragraph 1
1. ICT products, processes and services that have been certified under a European cybersecurity certification scheme adopted pursuant to Article 44 shall be presumed to be compliant with the requirements of such scheme.
Amendment 568 #
Proposal for a regulation
Article 48 – paragraph 5
Article 48 – paragraph 5
5. The natural or legal person which submits its ICT products, processes or services to the certification mechanism shall provide the conformity assessment body referred to in Article 51 with all information necessary to conduct the certification procedure.
Amendment 572 #
Proposal for a regulation
Article 48 – paragraph 6
Article 48 – paragraph 6
6. Certificates shall be issued for a maximum period of three years the period defined by the particular certification scheme and may be renewed, under the same conditions, provided that the relevant requirements continue to be met.
Amendment 580 #
Proposal for a regulation
Article 49 – paragraph 1
Article 49 – paragraph 1
1. Without prejudice to paragraph 3, national cybersecurity certification schemes and the related procedures for the ICT products, processes and services covered by a European cybersecurity certification scheme shall cease to produce effects from the date established in the implementing act adopted pursuant Article 44(4). Existing national cybersecurity certification schemes and the related procedures for the ICT products, processes and services not covered by a European cybersecurity certification scheme shall continue to exist.
Amendment 583 #
Proposal for a regulation
Article 49 – paragraph 2
Article 49 – paragraph 2
2. Member States shall not introduce new national cybersecurity certification schemes for ICT products, processes and services covered by a European cybersecurity certification scheme in force.
Amendment 596 #
Proposal for a regulation
Article 50 – paragraph 6 – point d
Article 50 – paragraph 6 – point d
(d) cooperate with other national certification supervisory authorities or other public authorities, including by sharing information on possible non- compliance of ICT products, processes and services with the requirements of this Regulation or specific European cybersecurity certification schemes;
Amendment 600 #
Proposal for a regulation
Article 50 – paragraph 8
Article 50 – paragraph 8
8. National certification supervisory authorities shall cooperate amongst each other and the Commission and, in particular, exchange information, experiences and good practices as regards cybersecurity certification and technical issues concerning cybersecurity of ICT products, processes and services.
Amendment 612 #
Proposal for a regulation
Article 53 – paragraph 3 – point f – point i (new)
Article 53 – paragraph 3 – point f – point i (new)
(i) (g) to facilitate alignment of European cybersecurity schemes with internationally recognised standards, including by: reviewing existing European cybersecurity schemes and, where appropriate, making recommendations to ENISA to engage with relevant international standardisation organisations to address insufficiencies or gaps in available internationally recognised standards.