23 Amendments of Seán KELLY related to 2017/0225(COD)
Amendment 96 #
Proposal for a regulation
Recital 3 a (new)
Recital 3 a (new)
(3 a) Believes that the objectives and tasks of ENISA should be further aligned with the Joint Communication with regards to its reference to the promotion of cyber hygiene and awareness; notes that cyber resilience can be achieved by implementing basic cyber hygiene principles;
Amendment 98 #
Proposal for a regulation
Recital 5
Recital 5
(5) In light of the increased cybersecurity challenges faced by the Union, there is a need for a comprehensive set of measures that would build on previous Union action and foster mutually reinforcing objectives. These include the need to further increase capabilities and preparedness of Member States and businesses, as well as to improve cooperation and coordination across Member States and EU institutions, agencies and bodies. Furthermore, given the borderless nature of cyber threats, there is a need to increase capabilities at Union level that could complement the action of Member States, in particular in the case of large scale cross-border cyber incidents and crises. Additional efforts are also needed to deliver a coordinated EU response and increase awareness of citizens and businesses on cybersecurity issues. Moreover, the trust in the digital single market should be further improved by offering transparent information on the level of security of ICT products and services. This can be facilitated by EU- wide certification providing common cybersecurity requirements and evaluation criteria across national markets and sectors. Alongside EU-wide certification, there is a range of voluntary measures widely accepted in the market place, depending on the product, service, use or standard; these measures as well as the industry bottom up approach, including the use of security-by-design, leveraging and contributing to international standards, should be encouraged.
Amendment 107 #
Proposal for a regulation
Recital 7
Recital 7
(7) The Union has already taken important steps to ensure cybersecurity and increase trust in digital technologies. In 2013, an EU Cybersecurity Strategy was adopted to guide the Union's policy response to cybersecurity threats and risks. In its effort to better protect Europeans online, in 2016 the Union adopted the first legislative act in the area of cybersecurity, the Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (the "NIS Directive"). The NIS Directive fulfills the digital single market strategy and together with other instruments, such as the Directive establishing the European Electronic Communications Code, Regulation (EU) 2016/679 and Directive 2002/58/EC, puts in place requirements concerning national capabilities in the area of cybersecurity, established the first mechanisms to enhance strategic and operational cooperation between Member States, and introduced obligations concerning security measures and incident notifications across sectors which are vital for economy and society such as energy, transport, water, banking, financial market infrastructures, healthcare, digital infrastructure as well as key digital service providers (search engines, cloud computing services and online marketplaces). A key role was attributed to ENISA in supporting implementation of this Directive. In addition, effective fight against cybercrime is an important priority in the European Agenda on Security, contributing to the overall aim of achieving a high level of cybersecurity.
Amendment 114 #
Proposal for a regulation
Recital 14
Recital 14
(14) The underlying task of the Agency is to promote the consistent implementation of the relevant legal framework, in particular the effective implementation of the NIS Directive, the Directive establishing the European Electronic Communications Code, Regulation (EU) 2016/679 and Directive 2002/58/EC, which is essential in order to increase cyber resilience. In view of the fast evolving cybersecurity threat landscape, it is clear that Member States must be supported by more comprehensive, cross-policy approach to building cyber resilience.
Amendment 122 #
Proposal for a regulation
Recital 26
Recital 26
(26) To understand better the challenges in the field of cybersecurity, and with a view to providing strategic long term advice to Member States and Union institutions, the Agency needs to analyse current and emerging risks, incidents, threats and vulnerabilities. For that purpose, the Agency should, in cooperation with Member States and, as appropriate, with statistical bodies and others, collect relevant information and perform analyses of emerging technologies and provide topic-specific assessments on expected societal, legal, economic and regulatory impacts of technological innovations on network and information security, in particular cybersecurity. The Agency should furthermore support Member States and Union institutions, agencies and bodies in identifying emerging trends and preventing problems related to cybersecurity, by performing analyses of threats and, incidents and vulnerabilities.
Amendment 124 #
Proposal for a regulation
Recital 28
Recital 28
(28) The Agency should contribute towards raising the awareness of the public about risks related to cybersecurity and provide guidance on good practices for individual users aimed at citizens and organisations. The Agency should also contribute to promote cyber hygiene best practices and solutions at the level of individuals and organisations by collecting and analysing publicly available information regarding significant incidents, and by compiling reports with a view to providing guidance to businesses and citizens and improving the overall level of preparedness and resilience. The Agency should furthermore organise, in cooperation with the Member States and the Union institutions, bodies, offices and agencies regular outreach and public education campaigns directed to end-users, aiming at promoting safer individual online behaviour and raising awareness of potential threats in cyberspace, including cybercrimes such as phishing attacks, botnets, financial and banking fraud, as well as promoting basic multi-factor authentication, patching, encryption, micro-segmentation, least privilege principles, and data protection advice. The Agency should play a central role in accelerating end-user awareness on security of devices. Least Privilege refers to the case when users are allowed only the minimum necessary access to perform their job and nothing more, and system components are allowed only the minimum necessary function needed to perform their purpose and nothing more. The principle of micro-segmentation requires that the whole IT or network environment is divided into smaller subsystems and sub-networks to make it more manageable to protect and contain the damage if one subsystem or sub- network gets compromised.
Amendment 140 #
Proposal for a regulation
Recital 35
Recital 35
(35) The Agency should encourage Member States and service providers to raise their general security standards so that all internet users can take the necessary steps to ensure their own personal cybersecurity. In particular, service providers and product manufacturers should withdraw or recycle products and services that do not meet cybersecurity standards. In cooperation with competent authorities, ENISA may disseminate information regarding the level of cybersecurity of the products and services offered in the internal market, and issue warnings targeting providers and manufacturers and requiring them to improve the security, including cybersecurity, of their products and services. The Agency should work together with stakeholders towards developing a EU-wide approach to responsible vulnerabilities disclosure and should promote best practices in this area.
Amendment 141 #
Proposal for a regulation
Recital 36 a (new)
Recital 36 a (new)
(36 a) Standards are a voluntary, market- driven tool providing technical requirements and guidance and resulting from an open, transparent and inclusive process. The Agency should regularly consult and work in close cooperation with the standardization organizations, in particular when preparing the European Cybersecurity Certification Schemes.
Amendment 155 #
Proposal for a regulation
Recital 46
Recital 46
(46) In order to guarantee the full autonomy and independence of the Agency and to enable it to perform additional and new tasks, including unforeseen emergency tasks, the Agency should be granted a sufficient and autonomous budget whose revenue comes primarily from a contribution from the Union and contributions from third countries participating in the Agency’s work. The appropriate budget is paramount to ensure that the Agency has sufficient capacities to fulfill all its growing tasks and objectives. The majority of the Agency staff should be directly engaged in the operational implementation of the Agency’s mandate. The host Member State, or any other Member State, should be allowed to make voluntary contributions to the revenue of the Agency. The Union’s budgetary procedure should remain applicable as far as any subsidies chargeable to the general budget of the Union are concerned. Moreover, the Court of Auditors should audit the Agency’s accounts to ensure transparency and accountability.
Amendment 165 #
Proposal for a regulation
Recital 50
Recital 50
(50) Currently, the cybersecurity certification of ICT products and services is used only to a limited extent. When it exists, it mostly occurs at Member State level or in the framework of industry driven schemes. In this context, a certificate issued by one national cybersecurity authority is not in principle recognised by other Member States. Companies thus may have to certify their products and services in several Member States where they operate, for example with a view to participating in national procurement procedures. Moreover, while new schemes are emerging, there seems to be no coherent and holistic approach with regard to horizontal cybersecurity issues, for instance in the field of the Internet of Things. Existing schemes present significant shortcomings and differences in terms of product coverage, levels of assurance, substantive criteria and actual utilisation. A case by case approach is required to ensure that services, processes and products are subject to appropriate certification schemes. Additionally, a risk- based approach is needed for effective identification and mitigation of risks whilst acknowledging that a one size fits all scheme is not possible.
Amendment 168 #
Proposal for a regulation
Recital 52 a (new)
Recital 52 a (new)
(52 a) Notes that certification schemes should build upon what already exists at national and international level, learning from current strong points and assessing and correcting weaknesses.
Amendment 169 #
Proposal for a regulation
Recital 52 b (new)
Recital 52 b (new)
(52 b) Flexible cybersecurity solutions are necessary for industry to stay ahead of malicious attacks and threats, therefore any certification scheme should avoid the risk of being outdated quickly.
Amendment 214 #
Proposal for a regulation
Article 2 – paragraph 1 – point 8 a (new)
Article 2 – paragraph 1 – point 8 a (new)
(8 a) 'cyber hygiene' refers to establishing simple routine measures, such as multi-factor authentication, patching, encryption, micro-segmentation, and least privilege, that users and businesses can take to minimise the risks from cyber threats and better protect themselves online.
Amendment 268 #
Proposal for a regulation
Article 4 – paragraph 7
Article 4 – paragraph 7
7. The Agency shall promote a high level of cyber hygiene and awareness of citizens and businesses on issues related to the cybersecurity.
Amendment 274 #
Proposal for a regulation
Article 5 – paragraph 1 – point 2
Article 5 – paragraph 1 – point 2
2. assisting Member States to implement consistently the Union policy and law regarding cybersecurity notably in relation to Directive (EU) 2016/1148, Directive establishing the European Electronic Communications Code, Regulation (EU) 2016/679 and Directive 2002/58/EC, including by means of opinions, guidelines, advice and best practices on topics such as risk management, incident reporting and information sharing, as well as facilitating the exchange of best practices between competent authorities in this regard;
Amendment 292 #
Proposal for a regulation
Article 6 – paragraph 2
Article 6 – paragraph 2
2. The Agency shall facilitate the establishment of and continuously support sectoral Information Sharing and Analysis Centres (ISACs), in particular in the sectors listed in Annex II of Directive (EU) 2016/1148, by providing best practices and guidance on available tools, procedure, cyber hygiene principles, as well as on how to address regulatory issues related to information sharing.
Amendment 332 #
Proposal for a regulation
Article 8 – paragraph 1 – point a – point 3
Article 8 – paragraph 1 – point a – point 3
(3) compiling and publishing guidelines and developing good practices, including on cyber hygiene principles, concerning the cybersecurity requirements of ICT products and services, in cooperation with national certification supervisory authorities and the industry;
Amendment 354 #
Proposal for a regulation
Article 9 – paragraph 1 – point g a (new)
Article 9 – paragraph 1 – point g a (new)
(g a) support closer coordination and exchange of best practices among Member States on cybersecurity education, cyber hygiene and awareness by facilitating the creation and maintenance of a network of national education points of contact.
Amendment 380 #
Proposal for a regulation
Article 20 – paragraph 1
Article 20 – paragraph 1
1. The Management Board, acting on a proposal by the Executive Director, shall, in a transparent manner, set up a Permanent Stakeholders’ Group composed of recognised experts representing the relevant stakeholders, such as the ICT industry, providers of electronic communications networks or services available to the public, consumer groups, standardisation organisations, academic experts in the cybersecurity, and representatives of competent authorities notified under [Directive establishing the European Electronic Communications Code] as well as of law enforcement and data protection supervisory authorities.
Amendment 437 #
Proposal for a regulation
Article 44 – paragraph 4
Article 44 – paragraph 4
4. The Commission, based on the candidate scheme proposed by ENISA, may adopt implementing acts, in accordance with Article 55(1), providing for European cybersecurity certification schemes for ICT products, processes and services meeting the requirements of Articles 45, 46 and 47 of this Regulation.
Amendment 446 #
Proposal for a regulation
Article 45 – paragraph 1 – introductory part
Article 45 – paragraph 1 – introductory part
A European cybersecurity certification scheme shall be so designed to take into account, as applicable, the following security objectives to ensure the availability, integrity and confidentiality of services:
Amendment 460 #
Proposal for a regulation
Article 45 – paragraph 1 – point g a (new)
Article 45 – paragraph 1 – point g a (new)
(ga) ensure that the environment for ICT products and services is divided into smaller sub-systems and sub-networks to make it more manageable to protect and to contain the damage in the event of an incident.
Amendment 569 #
Proposal for a regulation
Article 48 – paragraph 5
Article 48 – paragraph 5
5. The natural or legal person which submits its ICT products, processes or services to the certification mechanism shall provide the conformity assessment body referred to in Article 51 with all information necessary to conduct the certification procedure.