Activities of Antonio LÓPEZ-ISTÚRIZ WHITE related to 2017/0225(COD)
Legal basis opinions (0)
Amendments (31)
Amendment 135 #
Proposal for a regulation
Article 2 – paragraph 1 – point 9
(9) ‘European cybersecurity certification scheme’ means the comprehensive set of rules, technical requirements, standards and procedures defined at Union level applying to the certification of Information and Communication Technology (ICT) hardware and software products and services falling under the scope of that specific scheme;
Amendment 143 #
Proposal for a regulation
Article 2 – paragraph 1 – point 16 a (new)
(16a) ‘self-declaration of conformity’ means the statement by the manufacturer that attests their ICT product or service conforms with the specified European cybersecurity certification schemes.
Amendment 313 #
Proposal for a regulation
Article 46 – paragraph 2 b (new)
Amendment 314 #
Proposal for a regulation
Article 47 – title
Elements of European cybersecurity certification schemes
Amendment 318 #
Proposal for a regulation
Article 47 – paragraph 1 – introductory part
1. A European cybersecurity certification scheme shall include the following elements:
Amendment 324 #
Proposal for a regulation
Article 47 – paragraph 1 – point b
(b) detailed specification of the cybersecurity requirements against which the specific ICT products and services are evaluated, with particular reference to Union or international standards or technical specifications;
Amendment 331 #
Proposal for a regulation
Article 47 – paragraph 1 – point e
(e) in relation to the scheme’s third-party certification option referred to in Article 47a(2)(b), information to be supplied to the conformity assessment bodies by an applicant which is necessary for certification;
Amendment 334 #
Proposal for a regulation
Article 47 – paragraph 1 – point g
Amendment 337 #
Proposal for a regulation
Article 47 – paragraph 1 – point h
Amendment 341 #
Proposal for a regulation
Article 47 – paragraph 1 – point i
Amendment 347 #
Proposal for a regulation
Article 47 – paragraph 1 – point j
(j) rules concerning how previously undetected cybersecurity vulnerabilities in ICT products and services are to be reported and dealt with;
Amendment 348 #
Proposal for a regulation
Article 47 – paragraph 1 – point k
(k) in relation to the scheme’s third-party certification option referred to in Article 47a(2)(b), rules concerning the retention of records by conformity assessment bodies;
Amendment 351 #
Proposal for a regulation
Article 47 – paragraph 1 – point l
(l) identification of national cybersecurity certification or self-assessment schemes covering the same type or categories of ICT products and services; and
Amendment 363 #
Proposal for a regulation
Article 47 – paragraph 2
2. The specified requirements of the scheme shall not contradict any applicable legal requirements, in particular requirements emanating from harmonised Union legislation.
Amendment 365 #
Proposal for a regulation
Article 47 – paragraph 4 a (new)
4a. Schemes created pursuant to this Regulation shall not require notification of changes, amendments of certifications, or recertification, unless such changes have a substantial adverse effect on the security of ICT products and services. This includes:
(a) A reduction in the scope of a certificate;
(b) Enhancements to the priorities referred to in Article 45;
(c) Software updates, as referred to in Article 45(c); and
(d) Any other measure intended to address previously undetected cybersecurity vulnerabilities referred to in Article 45(c).
Amendment 366 #
Proposal for a regulation
Article 47 a (new)
Article 47a
First- and third-party assessment
1. A European cybersecurity scheme shall provide options for both self-assessment and third-party certification, as described in paragraphs 2(a) and 2(b) respectively.
2. The manufacturer or provider of ICT products and services may freely decide whether the assessment and certification of such products or services under a European cybersecurity scheme should be undertaken by:
(a) the manufacturer or provider itself (“self-assessment”); or
(b) a conformity assessment body referred to in Article 51 (“third-party certification”).
Amendment 368 #
Proposal for a regulation
Article 48 – paragraph 1
1. ICT hardware and software products and services that have been certified under a European cybersecurity certification scheme adopted pursuant to Article 44 shall be presumed to be compliant with the requirements of such scheme.
Amendment 377 #
Proposal for a regulation
Article 48 – paragraph 3
3. A European cybersecurity certificate pursuant to this Article shall be issued either by self-declaration of conformity or by the conformity assessment bodies referred to in Article 51 on the basis of criteria included in the European cybersecurity certification scheme, adopted pursuant to Article 44.
Amendment 383 #
Proposal for a regulation
Article 48 – paragraph 6
6. Certificates shall be issued and shall remain valid for a maximum period defined in each cybersecurity certification scheme according to Article 47(1)(n) and depending on the risk environment, the hardware and/or software product or services’ expected uses for a maximum period of three years and may be renewed, under the same conditions, provided that the relevant requirements continue to be met.
Amendment 386 #
Proposal for a regulation
Article 48 – paragraph 6 a (new)
6a. A European cybersecurity certification scheme shall remain valid for all new versions, patches, fixes, updates, etc. issued by the ICT hardware or software product or service trader and/or manufacturer to address security vulnerabilities that have been addressed through the trader and/or manufacturer’s procedures as defined under Article 47(1)(j).
Amendment 409 #
Proposal for a regulation
Article 50 – paragraph 6 – point a
(a) monitor and enforce the application of the provisions under this Title at national level and supervise and verify the compliance of the self-declarations of conformity and the cybersecurity certificates that have been issued by conformity assessment bodies established in their respective territories with the requirements set out in this Title and in the corresponding European cybersecurity certification scheme in accordance with the rules adopted by the European Cybersecurity Certification Group pursuant to Article 53(3)(ba);
Amendment 411 #
Proposal for a regulation
Article 50 – paragraph 6 – point b
(b) monitor, supervise and assess the activities of conformity assessment bodies for the purpose of this Regulation, including in relation to the notification of conformity assessment bodies and the related tasks set out in Article 52 of this Regulation;
Amendment 412 #
Proposal for a regulation
Article 50 – paragraph 6 – point b a (new)
(ba) scrutinise self-declarations of conformity, and monitor, supervise and assess the activities of firms that issue them for the purpose of this Regulation;
Amendment 413 #
Proposal for a regulation
Article 50 – paragraph 6 – point b b (new)
(bb) report the results of verifications under point (a) and the assessments under points (b) and (c) to the European Cybersecurity Certification Group and to ENISA;
Amendment 415 #
Proposal for a regulation
Article 50 – paragraph 6 – point c
(c) handle complaints lodged by natural or legal persons in relation to certificates issued by self-declaration and by conformity assessment bodies established in their territories, investigate, to the extent appropriate, the subject matter of the complaint, and inform the complainant of the progress and the outcome of the investigation within a reasonable time period;
Amendment 420 #
Proposal for a regulation
Article 50 – paragraph 7 – point e
(e) to withdraw, in accordance with national law, certificates that are not compliant with this Regulation or a European cybersecurity certification scheme and inform national accreditation bodies accordingly;
Amendment 429 #
Proposal for a regulation
Article 51 – paragraph 2 a (new)
2a. Where manufacturers opt for ‘self-declaration of conformity’ as established in Article 48(3) of this Regulation, conformity assessment bodies will take additional steps to verify the internal procedures undertaken by the manufacturer to ensure that their products and/or services conform with the requirements of the European cybersecurity certification scheme.
Amendment 430 #
Proposal for a regulation
Article 51 a (new)
Article 51 a
Peer-Review Assessment
1. National accreditation bodies shall subject themselves to peer evaluation coordinated by ENISA.
2. Member States shall ensure that their national accreditation bodies periodically undergo peer evaluation.
3. Peer evaluation shall be conducted based on a set of transparent evaluation criteria and procedures that include structural resources, human resources, certification conformity procedures, confidentiality and complaints. National accreditation bodies shall have recourse to appeal procedures against decisions taken as a result of this peer evaluation.
4. Peer evaluation shall ascertain whether the national accreditation bodies meet the requirements enshrined in Regulation 765/2008/EC.
5. ENISA shall publish and communicate the outcome of the peer evaluation exercises to all Member States and to the Commission.
6. Together with Member States, the Commission shall oversee the rules and the proper functioning of the peer evaluation system.
Amendment 432 #
Proposal for a regulation
Article 53 – paragraph 3 – point a a (new)
(aa) to provide ENISA with strategic guidance and to establish a work programme including the common actions to be undertaken at EU level to ensure the consistent application of this Title across all Member States;
Amendment 433 #
Proposal for a regulation
Article 53 – paragraph 3 – point a b (new)
(ab) to establish and periodically update a priority list of ICT products and services that urgently require an EU cybersecurity certification scheme;
Amendment 434 #
Proposal for a regulation
Article 53 – paragraph 3 – point b a (new)
(ba) to adopt binding rules determining the intervals at which national certification supervisory authorities are to carry out verifications of certificates and the criteria, scale and scope of these verifications and to adopt common rules and standards for reporting, in accordance with Article 50(6).