29 Amendments of Christel SCHALDEMOSE related to 2017/0225(COD)
Amendment 55 #
(3) Increased digitisation and connectivity lead to increased cybersecurity risks, thus making society at large more vulnerable to cyber threats and exacerbating dangers faced by individuals, including vulnerable persons such as children. The transformative power of Artificial Intelligence and machine learning will be harnessed by society at large, but also by cyber criminals. In order to mitigate these risks to society, all necessary actions need to be taken to improve cybersecurity in the EU to better protect network and information systems, telecommunication networks, digital products, services and devices used by citizens, governments and business – from SMEs to operators of critical infrastructures – from cyber threats.
Amendment 69 #
Proposal for a regulation
Recital 28
(28) The Agency should contribute towards raising the awareness of the public about risks related to cybersecurity and provide guidance on good practices for individual users aimed at citizens and organisations. The Agency should also contribute to promote best practices and solutions at the level of individuals and organisations by collecting and analysing publicly available information regarding significant incidents, and by compiling reports with a view to providing guidance to businesses and citizens and improving the overall level of preparedness and resilience. The Agency should furthermore organise, in cooperation with the Member States and the Union institutions, bodies, offices and agencies regular outreach and public education campaigns directed to end-users, aiming at promoting safer individual online behaviour and raising awareness of potential threats in cyberspace, including cybercrimes such as phishing attacks, ransomware attacks, hijacking, botnets, financial and banking fraud, as well as promoting basic authentication and data protection advice. The Agency should play a central role in accelerating end-user awareness on security of devices.
Amendment 70 #
Proposal for a regulation
Recital 28 a (new)
(28a) The Agency should promote mainstreaming the security by design principle, which is paramount to improving the security of connected devices. Security by design is especially important for devices targeted at vulnerable end-users, such as children.
Amendment 85 #
Proposal for a regulation
Recital 47
(47) Conformity assessment is the process demonstrating whether specified requirements relating to a product, process, service, system, person or body have been fulfilled. For the purposes of this Regulation, certification should be considered as a type of conformity assessment regarding the cybersecurity features of a product, process, service, system, or a combination of those (“ICT products and services”) by an independent third party, other than the product manufacturer or service provider. Certification cannot guarantee per se that certified ICT products and services are cyber secure and the end user should be made aware of it. It is rather a procedure and technical methodology to attest that ICT products and services have been tested and that they comply with certain cybersecurity requirements laid down elsewhere, for example as specified in technical standards.
Amendment 98 #
Proposal for a regulation
Recital 55
(55) The purpose of European cybersecurity certification schemes should be to ensure that ICT products and services certified under such a scheme comply with specified requirements. Such requirements concern the ability to resist, at a given level of assurance, actions that aim to compromise the availability, authenticity, integrity and confidentiality of stored or transmitted or processed data or the related functions of or services offered by, or accessible via those products, processes, services and systems within the meaning of this Regulation. It is not possible to set out in detail in this Regulation the cybersecurity requirements relating to all ICT products and services. ICT products and services and related cybersecurity needs are so diverse that it is very difficult to come up with general cybersecurity requirements valid across the board. It is, therefore, necessary to adopt a broad and general notion of cybersecurity for the purpose of certification, complemented by a set of specific cybersecurity objectives that need to be taken into account when designing European cybersecurity certification schemes. The modalities with which such objectives will be achieved in specific ICT products and services should then be further specified in detail at the level of the individual certification scheme adopted by the Commission, for example by reference to standards or technical specifications. Where the certification scheme provides for marks or labels, the conditions under which such marks or labels may be used have to be outlined. The marks and labels must be clear and easily understandable for the end-user.
Amendment 101 #
Proposal for a regulation
Recital 55 a (new)
(55a) In light of innovation trends, and the growing accessibility and constantly increasing number of IoT devices in all sectors of society, particular attention must be paid to the security of all and even the simplest of IoT products. Therefore, as certification is a key method for increasing trust in the market and increasing security and resilience, emphasis should be given to IoT products and services in the new EU cybersecurity certification framework, in order to make them less vulnerable and safer for consumers and businesses.
Amendment 105 #
Proposal for a regulation
Recital 56
(56) The Commission should be empowered to request ENISA to prepare candidate schemes for specific ICT products or services. The Commission, based on the candidate scheme proposed by ENISA, should then be empowered to adopt the European cybersecurity certification scheme by means of implementing acts. Taking account of the general purpose and security objectives identified in this Regulation, European cybersecurity certification schemes adopted by the Commission should specify a minimum set of elements concerning the subject-matter, the scope and functioning of the individual scheme. These should include among others the scope and object of the cybersecurity certification, including the categories of ICT products and services covered, the detailed specification of the cybersecurity requirements, for example by reference to standards or technical specifications, the specific evaluation criteria and evaluation methods, as well as the intended level of assurance: basic, substantial and/or high. Schemes providing for marks or labels could be an incentive for businesses to achieve best-practice in security.
Amendment 156 #
Proposal for a regulation
Article 4 – paragraph 7
7. The Agency shall promote a high level of awareness of citizens, authorities and businesses on issues related to cybersecurity.
Amendment 169 #
Proposal for a regulation
Article 5 – paragraph 1 – point 4 – point 2
(2) the promotion of an enhanced level of security of electronic communications, data storage and data processing, including by providing expertise and advice, as well as facilitating the exchange of best practices between competent authorities;
Amendment 177 #
Proposal for a regulation
Article 7 – paragraph 8 – point a
(a) aggregating reports from national and international sources with a view to contributing to the establishment of common situational awareness;
Amendment 181 #
Proposal for a regulation
Article 8 – paragraph 1 – point a – point 1 a (new)
Amendment 191 #
Proposal for a regulation
Article 9 – paragraph 1 – point d
(d) pool, organise and make available to the public, through a dedicated portal, information on cybersecurity, provided by the Union institutions, agencies and bodies, including information about significant cybersecurity incidents, major data breaches, and information on any providers or manufacturers who have received a warning from ENISA regarding the level of cybersecurity of their products;
Amendment 203 #
Proposal for a regulation
Article 13 – paragraph 1
1. The Management Board shall be composed of one representative of each Member State, and two representatives appointed by the Commission and the European Parliament. All representatives shall have voting rights.
Amendment 208 #
Proposal for a regulation
Article 19 – paragraph 2
2. The Executive Director shall report annually to the European Parliament on the performance of his or her duties or when invited to do so. The Council may invite the Executive Director to report on the performance of his or her duties.
Amendment 209 #
Proposal for a regulation
Article 20 – paragraph 1
1. The Management Board, acting on a proposal by the Executive Director, shall set up a Permanent Stakeholders’ Group composed of recognised experts representing the relevant stakeholders, such as the ICT industry, providers of electronic communications networks or services available to the public, consumer groups, academic experts in cybersecurity, the European Forum for Accreditation, conformity assessment bodies, and representatives of competent authorities notified under [Directive establishing the European Electronic Communications Code] as well as of law enforcement and data protection supervisory authorities.
Amendment 233 #
Proposal for a regulation
Article 44 – paragraph 2
2. When preparing candidate schemes referred to in paragraph 1 of this Article, ENISA shall consult all relevant stakeholders and closely cooperate with the Group. The Group shall provide ENISA with the assistance and expert advice required by ENISA in relation to the preparation of the candidate scheme, including by providing opinions where necessary. ENISA shall ensure the participation of Member States’ representatives and all important parties concerned with the ICT product group or service in question. This includes parties along the value chains, such as trade unions, traders, retailers, importers, conformity assessment bodies, end-users and others. Business stakeholders including, but not limited to: manufacturers, cybersecurity solution providers, system integrators, security practitioners and asset owners, shall also be involved.
Amendment 239 #
Proposal for a regulation
Article 44 – paragraph 2
2. When preparing candidate schemes referred to in paragraph 1 of this Article, ENISA shall consult all relevant stakeholders, including the relevant civil society representatives such as consumer organisations, and closely cooperate with the Group. The Group shall provide ENISA with the assistance and expert advice required by ENISA in relation to the preparation of the candidate scheme, including by providing opinions where necessary.
Amendment 251 #
Proposal for a regulation
Article 44 – paragraph 4
4. The Commission is empowered to adopt delegated acts, in accordance with Article 55a, concerning the establishment of European cybersecurity certification schemes for ICT products and services meeting the requirements of Articles 45, 46 and 47 of this Regulation. When adopting those delegated acts, the Commission shall base the cybersecurity certification schemes for ICT products and services on any relevant candidate scheme proposed by ENISA.
Amendment 275 #
Proposal for a regulation
Article 45 – paragraph 1 – point g a (new)
(ga) ensure that ICT products and services are developed according to the principle of ‘security by design’, following a risk-based approach depending on the context and severity of the situation as defined in Article 46.
Amendment 282 #
Proposal for a regulation
Article 46 – paragraph 1
1. Each European cybersecurity certification scheme may specify one or more of the following assurance levels - “functionally secure”, “substantially secure” and/or “highly secure” - for ICT products and services issued under that scheme, taking into account, inter alia, their intended use and their inherent risk.
Amendment 286 #
Proposal for a regulation
Article 46 – paragraph 1 a (new)
1a. Each scheme shall indicate the assessment methodology or evaluation process that is to be followed for issuing certificates at each assurance level, depending on the intended use and the risk inherent to the ICT products and services under that scheme.
Amendment 295 #
Proposal for a regulation
Article 46 – paragraph 2 – point a
(a) assurance level “functionally secure” shall be related to a low risk of an ICT product and service. A low level of risk exists when an attack on the ICT product and service does not compromise the confidentiality, integrity, availability, privacy or other important objectives, nor the health of users or third parties, the environment, other important legal interests or critical infrastructure and its supporting systems or products;
Amendment 301 #
Proposal for a regulation
Article 46 – paragraph 2 – point b
(b) assurance level “substantially secure” shall be related to a higher risk of an ICT product and service. A higher level of risk exists when an attack on the ICT product and service compromises the confidentiality, integrity, availability, privacy or other important objectives, and has implications for the health of users or third parties, the environment, other important legal interests or critical infrastructure and its supporting systems or products;
Amendment 306 #
Proposal for a regulation
Article 46 – paragraph 2 – point c
(c) assurance level “highly secure” shall be related to a high risk of an ICT product and service. A high level of risk exists when an attack on an ICT product and service compromises the confidentiality, integrity, availability, privacy or other important objectives and reasonably endangers the national sovereignty or public security of states.
Amendment 307 #
Proposal for a regulation
Article 46 – paragraph 2 – point c
(c) assurance level high shall refer to a certificate issued in the context of a European cybersecurity certification scheme, which provides a higher degree of confidence in the claimed or asserted cybersecurity qualities of an ICT product or service than certificates with the assurance level substantial, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to prevent cybersecurity incidents. This assurance level must not suggest absolute security, so as not to mislead the end-user.
Amendment 339 #
Proposal for a regulation
Article 47 – paragraph 1 – point h a (new)
(ha) The certification scheme shall specify the conditions for recertification or assessment of a product or service. This is of particular importance for software services possessing continuous security and update features, such as patches, for which a rapid assessment or re-certification is necessary in order to avoid detrimental impacts on that product or service’s overall security.
Amendment 340 #
Proposal for a regulation
Article 47 – paragraph 1 – point h a (new)
(ha) the specific cases for recertification of an ICT product and service shall be defined in the corresponding certification scheme. Security and feature updates with reference to any security measures need to follow an assessment and, if necessary, a recertification process;
Amendment 408 #
Proposal for a regulation
Article 50 – paragraph 3
3. Each national certification supervisory authority shall, in its organisation, funding decisions, legal structure and decision-making, be independent of the entities it supervises and shall not be a conformity assessment body or a national accreditation body.
Amendment 444 #
Proposal for a regulation
Annex I – paragraph 1 – point 3