78 Amendments of Morten LØKKEGAARD related to 2017/0225(COD)
Amendment 59 #
Proposal for a regulation
Recital 5
(5) In light of the increased cybersecurity challenges faced by the Union, there is a need for a comprehensive set of measures that would build on previous Union action and foster mutually reinforcing objectives. These include the need to further increase capabilities and preparedness of Member States and businesses, as well as to improve cooperation and coordination across Member States and EU institutions, agencies and bodies. Furthermore, given the borderless nature of cyber threats, there is a need to increase capabilities at Union level that could complement the action of Member States, in particular in the case of large scale cross-border cyber incidents and crises. Additional efforts are also needed to increase awareness of citizens and businesses on cybersecurity issues. Moreover, given that cyber incidents undermine trust in digital service providers and in the digital single market itself, especially among consumers, trust should be further improved by offering transparent information on the level of security of ICT products and services. This can be facilitated by EU-wide certification providing common cybersecurity requirements and evaluation criteria across national markets and sectors. Alongside Union-wide certification, there are a range of voluntary measures that the private sector itself should take to bolster trust in the security of ICT products and services, in particular in view of the growing availability of IoT devices. For example, more effective use should be made of encryption and other technologies as well as technologies to prevent successful cyber-attacks, in order to improve the security of end-users’ data and communications and the overall security of network and information systems in the Union.
Amendment 66 #
Proposal for a regulation
Recital 28
(28) The Agency should contribute towards raising the awareness of the public about risks related to cybersecurity and provide guidance on good practices for individual users aimed at citizens and organisations. The Agency should also contribute to promote cyber-hygiene best practices and solutions at the level of individuals and organisations by collecting and analysing publicly available information regarding significant incidents, and by compiling reports with a view to providing guidance to businesses and citizens and improving the overall level of preparedness and resilience. The Agency should furthermore organise, in cooperation with the Member States and the Union institutions, bodies, offices and agencies regular outreach and public education campaigns directed to end-users, aiming at promoting safer individual online behaviour and raising awareness of potential threats in cyberspace, including cybercrimes such as phishing attacks, botnets, financial and banking fraud, as well as promoting basic multi-factor authentication, patching, encryption, and access management principles and data protection advice. The Agency should play a central role in accelerating end-user awareness on security of devices. The Agency should encourage all end users to take appropriate steps to prevent and minimise the impact of incidents affecting the security of their networks and information systems.
Amendment 72 #
Proposal for a regulation
Recital 33
(33) The Agency should further develop and maintain its expertise on cybersecurity certification with a view to supporting the Union policy in this field. The Agency should promote the use of certification while avoiding the fragmentation caused by lack of coordination between existing certification schemes in the Union. The Agency should contribute to the establishment and maintenance of a cybersecurity certification framework at Union level in accordance with Articles 43 to 54 [Title III], with a view to increasing the transparency of cybersecurity assurance of ICT products and services and thus strengthening trust in the digital internal market.
Amendment 94 #
Proposal for a regulation
Recital 3
(3) Increased digitisation and connectivity lead to increased cybersecurity risks, thus making society at large more vulnerable to cyber threats and exacerbating dangers faced by individuals, including vulnerable persons such as children. In order to mitigate this risk to society, all necessary actions need to be taken to improve cybersecurity in the EU to better protect network and information systems, telecommunication networks, digital products, services and devices used by citizens, governments and business – from SMEs to operators of critical infrastructures – from cyber threats. In this respect the Digital Education Action Plan published by the European Commission on 17 January 2018 is a step in the right direction, in particular the EU-wide awareness-raising campaign targeting educators, parents and learners to foster online safety, cyber hygiene and media literacy as well as the cyber-security teaching initiative building on the Digital Competence Framework for Citizens, to empower people to use technology confidently and responsibly.
Amendment 96 #
Proposal for a regulation
Recital 55
(55) The purpose of European cybersecurity certification schemes should be to ensure that ICT products and services certified under such a scheme comply with specified requirements. Such requirements concern the ability to resist, at a given level of assurance, actions that aim to compromise the availability, authenticity, integrity and confidentiality of stored or transmitted or processed data or the related functions of or services offered by, or accessible via those products, processes, services and systems within the meaning of this Regulation. It is not possible to set out in detail in this Regulation the cybersecurity requirements relating to all ICT products and services. ICT products and services and related cybersecurity needs are so diverse that it is very difficult to come up with general cybersecurity requirements valid across the board. It is, therefore necessary to adopt a broad and general notion of cybersecurity for the purpose of certification, complemented by a set of specific cybersecurity objectives that need to be taken into account when designing European cybersecurity certification schemes. The modalities with which such objectives will be achieved in specific ICT products and services should then be further specified in detail at the level of the individual certification scheme adopted by the Commission, for example by reference to standards or technical specifications. It is of paramount importance that each European cybersecurity certification scheme be designed in such a way as to stimulate and encourage all actors involved in the sector concerned to develop and adopt security standards, technical norms and security-by-design principles, at all stages of the product or service lifecycle.
Amendment 102 #
Proposal for a regulation
Recital 56
(56) The Commission should be empowered to request ENISA to prepare candidate schemes for specific ICT products or services. The Commission, based on the candidate scheme proposed by ENISA, should then be empowered to adopt the European cybersecurity certification scheme by means of implementing acts. In order to underpin trust and predictability in, and raise public awareness of, the cybersecurity certification framework, ENISA should maintain a dedicated website with an easy-to-use online tool listing information on adopted schemes, candidate schemes, and schemes requested by the Commission. Taking account of the general purpose and security objectives identified in this Regulation, European cybersecurity certification schemes adopted by the Commission should specify a minimum set of elements concerning the subject-matter, the scope and functioning of the individual scheme. These should include among others the scope and object of the cybersecurity certification, including the categories of ICT products, services and processes covered, the detailed specification of the cybersecurity requirements, for example by reference to standards or technical specifications, the specific evaluation criteria and evaluation methods associated with the operation and use of an ICT product, process or service, as well as the intended level of assurance: secure, substantially secure, highly secure, or any combination thereof.
Amendment 105 #
Proposal for a regulation
Recital 5 a (new)
(5 a) Businesses as well as individual consumers should have accurate information regarding the level of security of their ICT products. At the same time, it has to be understood that no product is cyber secure and that basic rules of cyber hygiene have to be promoted and prioritized.
Amendment 108 #
Proposal for a regulation
Recital 8
(8) It is recognised that, since the adoption of the 2013 EU Cybersecurity Strategy and the last revision of the Agency's mandate, the overall policy context has changed significantly, also in relation to a more uncertain and less secure global environment. In this context and in the context of the positive role the Agency has played over the years in pooling of expertise, coordination, capacity building and within the framework of the new Union cybersecurity policy, it is necessary to review the mandate of ENISA to define its role in the changed cybersecurity ecosystem and ensure it contributes effectively to the Union's response to cybersecurity challenges emanating from this radically transformed threat landscape, for which, as recognised by the evaluation of the Agency, the current mandate is not sufficient.
Amendment 112 #
Proposal for a regulation
Recital 12 a (new)
(12 a) The role of the Agency should be subject to continuous assessment and timely review, in particular its coordinating role vis-à-vis the Member States and their national authorities, the eventual possibility of acting as a One-Stop-Shop for Member States and EU bodies and institutions. The Agency's role in the avoidance of fragmentation of the internal market and the possible introduction of mandatory cybersecurity certification schemes, should the situation in the future require such a shift, should also be assessed as well as the Agency's role in respect of the assessment of third country products entering the EU market and the possible blacklisting of companies which do not comply with EU criteria.
Amendment 116 #
Proposal for a regulation
Recital 15
(15) The Agency should assist the Member States and Union institutions, bodies, offices and agencies in their efforts to build and enhance capabilities and preparedness to prevent, detect and respond to cybersecurity problems and incidents and in relation to the security of network and information systems. In particular, the Agency should support the development and enhancement of national CSIRTs, with a view to achieving a high common level of their maturity in the Union. The Agency should also assist with the development and update of Union and Member States strategies on the security of network and information systems, in particular on cybersecurity, promote their dissemination and track progress of their implementation. The Agency should also offer training and training material to public bodies, and where appropriate "train the trainers" with a view to assisting Member States in developing their own training capabilities. The Agency should also serve as a contact point for Member States and Union institutions, who should be able to request the assistance of the Agency within the competences and roles assigned to it.
Amendment 122 #
Proposal for a regulation
Recital 58
(58) Once a European cybersecurity certification scheme is adopted, manufacturers of ICT products or providers of ICT services should be able to submit an application for certification of their products, services or processes to a conformity assessment body of their choice. Conformity assessment bodies should be accredited by an accreditation body if they comply with certain specified requirements set out in this Regulation. Accreditation should be issued for a maximum of five years and may be renewed on the same conditions provided that the conformity assessment body meets the requirements. Accreditation bodies should revoke an accreditation of a conformity assessment body where the conditions for the accreditation are not, or are no longer, met or where actions taken by a conformity assessment body infringe this Regulation.
Amendment 126 #
Proposal for a regulation
Recital 65
(65) The examination procedure should be used for the adoption of implementing acts on European cybersecurity certification schemes for ICT products, services and processes; on modalities of carrying enquiries by the Agency; as well as on the circumstances, formats and procedures of notifications of accredited conformity assessment bodies by the national certification supervisory authorities to the Commission.
Amendment 129 #
Proposal for a regulation
Recital 28
(28) The Agency should contribute towards raising the awareness of the public about risks related to cybersecurity and provide guidance on good practices for individual users aimed at citizens and organisations. The Agency should also contribute to promote best practices and solutions at the level of individuals and organisations by collecting and analysing publicly available information regarding significant incidents, and by compiling reports with a view to providing guidance to businesses and citizens and improving the overall level of preparedness and resilience. The Agency should furthermore organise, in line with the Digital Education Action Plan and in cooperation with the Member States and the Union institutions, bodies, offices and agencies regular outreach and public education campaigns directed to end-users, aiming at promoting safer individual online behaviour and raising awareness of potential threats in cyberspace, including cybercrimes such as phishing attacks, botnets, financial and banking fraud, as well as promoting basic authentication and data protection advice. The Agency should play a central role in accelerating end-user awareness on security of devices.
Amendment 131 #
Proposal for a regulation
Article 1 – paragraph 1 – point b
(b) lays down a framework for the establishment of European cybersecurity certification schemes for the purpose of ensuring an adequate level of cybersecurity of ICT products, services and processes in the Union. Such framework shall apply without prejudice to specific provisions regarding voluntary or mandatory certification in other Union acts.
Amendment 132 #
Proposal for a regulation
Article 2 – paragraph 1 – point 1 a (new)
(1a) ‘cyber-hygiene’ means simple, established routine measures, such as multi-factor authentication, patching, encryption, and access management, that end-users can take to minimise the risks from cyber threats;
Amendment 134 #
Proposal for a regulation
Article 2 – paragraph 1 – point 9
(9) ‘European cybersecurity certification scheme’ means the comprehensive set of rules, technical requirements, standards in accordance with Regulation (EU) 2012/1025, and procedures defined at Union level applying to the certification of Information and Communication Technology (ICT) products, services and processes falling under the scope of that specific scheme;
Amendment 139 #
Proposal for a regulation
Article 2 – paragraph 1 – point 10
(10) ‘European cybersecurity certificate’ means a document issued by a conformity assessment body attesting that a given ICT product, service or process fulfils the specific requirements laid down in a European cybersecurity certification scheme;
Amendment 153 #
Proposal for a regulation
Article 4 – paragraph 6
6. The Agency shall promote the use of certification while avoiding the fragmentation caused by lack of coordination between existing certification schemes in the Union. The Agency shall contribute to the establishment and maintenance of a cybersecurity certification framework at Union level in accordance with Articles 43 to 54 [Title III], with a view to increasing the transparency of cybersecurity assurance of ICT products and services and thus strengthening trust in the digital internal market.
Amendment 154 #
Proposal for a regulation
Article 4 – paragraph 7
7. The Agency shall promote a high level of cyber-hygiene and awareness of citizens and businesses on issues related to cybersecurity.
Amendment 161 #
Proposal for a regulation
Recital 47
(47) Conformity assessment is the process demonstrating whether specified requirements relating to a product, process, service, system, person or body have been fulfilled. For the purposes of this Regulation, certification should be considered as a type of conformity assessment regarding the cybersecurity features of a product, process, service, system, or a combination of those ("ICT products and services") by an independent third party, other than the product manufacturer or service provider. Certification cannot guarantee per se that certified ICT products and services are cyber secure. It is rather a procedure and technical methodology to attest that ICT products and services have been tested and that they comply with certain cybersecurity requirements laid down elsewhere, for example as specified in technical standards. Undertakings should also ensure the security by design and by default of their ICT products and services taking into account the state of the art.
Amendment 166 #
Proposal for a regulation
Recital 50
(50) Currently, the cybersecurity certification of ICT products and services is used only to a limited extent. When it exists, it mostly occurs at Member State level or in the framework of industry driven schemes. In this context, a certificate issued by one national cybersecurity authority is not in principle recognised by other Member States. Companies thus may have to certify their products and services in several Member States where they operate, for example with a view to participating in national procurement procedures. Moreover, while new schemes are emerging, there seems to be no coherent and holistic approach with regard to horizontal cybersecurity issues, for instance in the field of the Internet of Things. Existing schemes present significant shortcomings and differences in terms of product coverage, levels of assurance, substantive criteria and actual utilisation. Mutual recognition and trust among Member States is a key element in this respect. ENISA has an important role to play in helping the Member States develop a solid institutional structure and expertise in protection against potential cyber attacks.
Amendment 172 #
Proposal for a regulation
Recital 53 a (new)
(53 a) The Agency and the Commission should make the best use of already existing certification schemes at the EU and/or international level. ENISA should be able to assess which schemes already in use are fit for purpose and can be brought into European legislation in cooperation with EU standardisation organisations and, as far as possible, internationally recognised. Existing good practices should be collected and shared among Member States.
Amendment 182 #
Proposal for a regulation
Article 8 – paragraph 1 – point a – point 3
(3) compiling and publishing guidelines and developing good practices, including on cyber-hygiene principles, concerning the cybersecurity requirements of ICT products and services, in cooperation with national certification supervisory authorities and the industry in a formal, standardised and transparent process;
Amendment 193 #
Proposal for a regulation
Article 9 – paragraph 1 – point e
(e) raise awareness of the public about cybersecurity risks, and provide guidance on good cyber-hygiene practices for individual users aimed at citizens and organisations;
Amendment 197 #
Proposal for a regulation
Article 9 – paragraph 1 – point g a (new)
(ga) support closer coordination and the exchange of best practices among Member States on cybersecurity education, cyber-hygiene and awareness by facilitating the creation and maintenance of a network of national education points of contact;
Amendment 200 #
Proposal for a regulation
Article 11 – paragraph 1 – point c a (new)
(ca) promoting multilateral collaboration in regulation and standardisation to set a level playing field matching the global reach of the WTO;
Amendment 201 #
Proposal for a regulation
Article 11 – paragraph 1 – point c b (new)
(cb) supporting efforts for the inclusion of rules for cybersecurity into free trade agreements;
Amendment 204 #
Proposal for a regulation
Article 1 – paragraph 1 – point b
(b) lays down a framework for the establishment of European cybersecurity certification schemes for the purpose of ensuring an adequate level of cybersecurity of ICT products, processes and services in the Union. Such framework shall apply without prejudice to specific provisions regarding voluntary or mandatory certification in other Union acts.
Amendment 211 #
Proposal for a regulation
Article 20 – paragraph 1
1. The Management Board, acting on a proposal by the Executive Director, shall set up a Permanent Stakeholders’ Group composed of recognised experts representing the relevant stakeholders, such as the Union’s ICT industry, Union providers of electronic communications networks or services available to the public, consumer groups, academic experts in cybersecurity, and representatives of competent authorities notified under [Directive establishing the European Electronic Communications Code] as well as of law enforcement and data protection supervisory authorities.
Amendment 217 #
Proposal for a regulation
Article 20 – paragraph 5 a (new)
5a. The Permanent Stakeholders’ Group shall meet at least four times per year. The agenda for at least one of those meetings shall be dedicated to matters referred to in Articles 43 to 54 [Title III].
Amendment 225 #
Proposal for a regulation
Article 43 – paragraph 1
A European cybersecurity certification scheme shall attest that the ICT products, services and processes that have been certified in accordance with such scheme comply with specified requirements and properties as regards their ability to resist at a given level of assurance, actions that aim to compromise the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the functions or services offered by, or accessible via, those products, processes, services and systems.
Amendment 228 #
Proposal for a regulation
Article 2 – paragraph 1 – point 10
(10) ‘European cybersecurity certificate’ means a document issued by a conformity assessment body attesting that a given ICT product, process or service fulfils the specific requirements laid down in a European cybersecurity certification scheme;
Amendment 236 #
Proposal for a regulation
Article 44 – paragraph 2
2. When preparing candidate schemes referred to in paragraph 1 of this Article, ENISA shall consult the Permanent Stakeholders’ Group, in particular the European standardisation organisations, and all other relevant stakeholders in a formal, standardised and transparent process, and closely cooperate with the Group. The Group and all other relevant stakeholders shall provide ENISA with the assistance and expert advice required by ENISA in relation to the preparation of the candidate scheme, including by providing opinions where necessary.
Amendment 241 #
Proposal for a regulation
Article 3 – paragraph 2 a (new)
2 a. The Agency shall assist Member States and Union institutions in establishing policies and practices for the responsible management and coordinated disclosure of vulnerabilities in ICT products and services that are not publicly known.
Amendment 246 #
Proposal for a regulation
Article 44 – paragraph 2 a (new)
2a. ENISA shall observe professional secrecy with regard to all information obtained in carrying out its tasks under this Regulation.
Amendment 247 #
Proposal for a regulation
Article 4 – paragraph 2
2. The Agency shall assist the Union institutions, agencies and bodies, as well as Member States, in developing and implementing policies related to cybersecurity and raising awareness among citizens and businesses.
Amendment 248 #
Proposal for a regulation
Article 44 – paragraph 3
3. Upon approval by the Group of the candidate European cybersecurity certification scheme, ENISA shall, after consulting the Permanent Stakeholders’ Group, transmit the candidate scheme prepared in accordance with paragraph 2 of this Article to the Commission.
Amendment 257 #
Proposal for a regulation
Article 44 a (new)
Article 44a
Working Programme
1. After consulting the Group and the Permanent Stakeholders’ Group, ENISA, as an addition to, or part of, its general working programme, shall, after approval by the Commission and in any event by ... [six months after the date of entry into force of this Regulation] and every two years thereafter, establish a working plan for the development of European cybersecurity certification schemes, which shall be made publicly available. The working plans shall set out, for the following two years, an indicative list of products, processes and services which are considered to be priorities for the adoption of European cybersecurity certification schemes. The working plan shall be amended by ENISA, where appropriate, after consulting the Commission, the Group and the Permanent Stakeholders’ Group in order to take into account, inter alia, the demands of the internal market.
Amendment 261 #
Proposal for a regulation
Article 4 – paragraph 6
6. The Agency shall promote the use of certification, including by contributing to the establishment and maintenance of a cybersecurity certification framework at Union level in accordance with Title III of this Regulation, with a view to increasing transparency of cybersecurity assurance of ICT products and services, reducing fragmentation of the internal market and thus strengthen trust in the digital internal market.
Amendment 265 #
Proposal for a regulation
Article 45 – paragraph 1 – point c a (new)
(ca) protect and secure devices against spoofing and other forms of device mimicking;
Amendment 271 #
Proposal for a regulation
Article 4 – paragraph 7 a (new)
7 a. The Agency shall assist and advise Member States and Union institutions in establishing policies and practices for the responsible management and coordinated disclosure of vulnerabilities in ICT products and services that are not publicly known, inter alia, by establishing government vulnerability disclosure review processes and coordinated vulnerability disclosure policies.
Amendment 271 #
Proposal for a regulation
Article 45 – paragraph 1 – point g
(g) ensure that ICT products and services are provided with up-to-date hardware and software that does not contain known vulnerabilities, and are provided with mechanisms for secure software updates, including automatic security updates;
Amendment 273 #
Proposal for a regulation
Article 5 – paragraph 1 – point 2
2. assisting Member States to implement consistently the Union policy and law regarding cybersecurity notably in relation to Directive (EU) 2016/1148, including by means of opinions, guidelines, advice and best practices on topics such as secure software and systems development, risk management, incident reporting and information sharing, technical and organisational measures, in particular the establishment of coordinated vulnerability disclosure programmes, as well as facilitating the exchange of best practices between competent authorities in this regard;
Amendment 274 #
Proposal for a regulation
Article 45 – paragraph 1 – point g a (new)
(ga) ensure that ICT products and services are developed and operated in accordance with appropriate security standards and policies and that the highest appropriate level of cybersecurity and data protection is preconfigured by default into products, services and processes.
Amendment 277 #
Proposal for a regulation
Article 5 – paragraph 1 – point 2 a (new)
2 a. proposing a blueprint which establishes the roles, responsibilities and legal obligations of vendors, manufacturers, CERTs and CSIRTs, and which further clarifies the legal rights and protections of information security researchers in the context of a coordinated vulnerability disclosure programme, in particular in cases of multi-party vulnerability disclosures that affect multiple vulnerability finders and vendors in different Member States;
Amendment 288 #
Proposal for a regulation
Article 6 – paragraph 1 – point a a (new)
(a a) Member States and Union institutions in establishing and implementing coordinated vulnerability disclosure policies and government vulnerability disclosure review processes, whose practices and determinations should be transparent and subject to independent oversight.
Amendment 306 #
Proposal for a regulation
Article 7 – paragraph 7 a (new)
7 a. The Agency shall prepare, together with the EEAS, a regular global Cybersecurity Situational Report on incidents and threats towards individuals, including towards vulnerable users outside the EU such as lawyers, journalists, or human rights defenders, in order to help the Union institutions respond to external needs and uphold its human rights responsibilities abroad.
Amendment 311 #
Proposal for a regulation
Article 7 – paragraph 8 – point e a (new)
(e a) assisting and advising Member States on establishing and implementing coordinated vulnerability disclosure policies and government vulnerability disclosure review processes.
Amendment 336 #
Proposal for a regulation
Article 47 – paragraph 1 – point g
(g) where surveillance is part of the scheme, the rules for monitoring compliance with the requirements of the certificates, including, where applicable, mechanisms to demonstrate the continued compliance with the specified cybersecurity requirements;
Amendment 340 #
Proposal for a regulation
Article 8 – paragraph 1 – point b
(b) facilitate the establishment and take-up of European and/or international standards for risk management and for the security of ICT products and services, as well as draw up, in collaboration with Member States, advice and guidelines regarding the technical areas related to the security requirements for operators of essential services and digital service providers, as well as regarding already existing standards, including Member States' national standards, pursuant to Article 19(2) of Directive (EU) 2016/1148 and share this information among Member States;
Amendment 344 #
Proposal for a regulation
Article 8 – paragraph 1 – point c a (new)
(c a) support and promote the development and implementation of coordinated vulnerability disclosure policies and government vulnerability disclosure review processes;
Amendment 349 #
Proposal for a regulation
Article 47 – paragraph 1 – point l
(l) identification of national or international cybersecurity certification schemes covering the same type or categories of ICT products, services, processes, security requirements and evaluation criteria and methods;
Amendment 353 #
Proposal for a regulation
Article 47 – paragraph 1 – point l a (new)
(la) identification of existing international mutual recognition agreements and certifications;
Amendment 354 #
Proposal for a regulation
Article 47 – paragraph 1 – point m a (new)
(ma) a governance mechanism for updating, amending and coordinating particular certification schemes, in particular a detailed specification of how a certification scheme is to be amended in light of additional security threats once they become known;
Amendment 360 #
Proposal for a regulation
Article 47 – paragraph 1 – point m b (new)
(mb) resistance and resilience testing for the “highly secure” and “substantially secure” assurance levels;
Amendment 361 #
Proposal for a regulation
Article 47 – paragraph 1 – point m c (new)
(mc) where necessary, applicable self-declaration procedures for the “functionally secure” assurance level;
Amendment 364 #
Proposal for a regulation
Article 47 – paragraph 3
3. Where a specific Union act so provides, certification under a European cybersecurity certification scheme may be used as an alternative means to demonstrate the presumption of conformity with requirements of that act.
Amendment 373 #
Proposal for a regulation
Article 48 – paragraph 2
2. The certification shall be voluntary, unless otherwise specified in Union law.
Amendment 387 #
Proposal for a regulation
Article 48 – paragraph 6 a (new)
6a. In particular, a certificate shall remain valid for all new versions of a product or service, where the primary reason for the new version is to patch, fix, or otherwise address known or potential security vulnerabilities or threats.
Amendment 390 #
Proposal for a regulation
Article 20 a (new)
Article 20 a
Consultation Forum
The Commission, together with the Agency, shall ensure that, in the conduct of its activities, it observes, in respect of each implementing measure, a balanced participation of Member States' representatives and all interested parties concerned with the product or product group in question, such as industry, including SMEs, trade unions, traders, retailers, importers, environmental protection groups and consumer and end-user organisations. These parties shall meet in a Consultation Forum. The outcome of this forum may provide the impetus for a proposal of a candidate scheme. The rules of procedure of the Forum shall be established by the Commission.
Amendment 391 #
Proposal for a regulation
Article 21 a (new)
Article 21 a
Request to the Agency
1. The Agency should establish and manage a single entry point through which requests for advice and assistance falling within the Agency's objectives and tasks shall be addressed. These requests should be accompanied by background information explaining the issue to be addressed. The Agency should draw up the potential resource implications and, in due course, follow up on the requests. If the Agency refuses a request, it shall give a justification.
2. Requests referred to in paragraph 1 may be made by:
a) the European Parliament;
b) the Council;
c) the Commission;
d) any competent body appointed by a Member State, such as a national regulatory authority as defined in Article 2 of Directive 2002/21/EC.
3. The practical arrangements for applying paragraphs 1 and 2, regarding in particular submission, prioritisation, follow-up and information, shall be laid down by the Management Board in the Agency's internal rules of operation.
Amendment 404 #
Proposal for a regulation
Article 49 – paragraph 3 a (new)
3a. Where national cybersecurity certification schemes are recognised under international mutual recognition arrangement(s) for the purpose of security certification, they shall cease to exist only when the European certification scheme qualifies for recognition under the same international arrangement(s) or when the Commission deems the international mutual recognition arrangement to be no longer necessary.
Amendment 417 #
Proposal for a regulation
Article 50 – paragraph 6 – point d
(d) cooperate with other national certification supervisory authorities or other public authorities, including by sharing information on possible non-compliance, including deceptive, false or fraudulent claims of certification, of ICT products, services or processes with the requirements of this Regulation or specific European cybersecurity certification schemes;
Amendment 425 #
Proposal for a regulation
Article 50 a (new)
Amendment 426 #
Proposal for a regulation
Article 44 – paragraph 2
2. When preparing candidate schemes referred to in paragraph 1 of this Article, ENISA shall consult all relevant stakeholders as requested under Article 20 a and closely cooperate with the Group. The Group shall provide ENISA with the assistance and expert advice required by ENISA in relation to the preparation of the candidate scheme, including by providing opinions where necessary.
Amendment 484 #
Proposal for a regulation
Article 46 – paragraph 2 – point a
(a) certificate assurance level basic shall correspond to the assessment by a third party that the basic risks of cyber incidents for ICT processes, products or services are covered;
Amendment 490 #
Proposal for a regulation
Article 46 – paragraph 2 – point a a (new)
(aa) This assessment shall include the review of the technical documentation of the ICT product, service or process;
Amendment 494 #
Proposal for a regulation
Article 46 – paragraph 2 – point b
(b) certificate assurance level substantial shall correspond to the assessment by a third party that the substantial risks of cyber incidents for ICT processes, products or services are covered;
Amendment 499 #
Proposal for a regulation
Article 46 – paragraph 2 – point b a (new)
(ba) This assessment shall include the review of the technical documentation and the testing of the security functionalities implemented, in accordance with the requirements set out in the technical documentation;
Amendment 503 #
Proposal for a regulation
Article 46 – paragraph 2 – point c
(c) certification assurance high shall correspond to the assessment by a third party that high risks of cyber incidents for ICT processes, products or services are covered;
Amendment 509 #
Proposal for a regulation
Article 46 – paragraph 2 – point c a (new)
(ca) This assessment shall include the review of the technical documentation, the testing of the security functionalities implemented, in accordance with the requirements set out in the technical documentation, and the assessment, through penetration testing, of the resistance of the ICT processes, products or services to skilled attackers having significant to unlimited resources.
Amendment 519 #
Proposal for a regulation
Article 47 – paragraph 1 – point b
(b) detailed specification of the cybersecurity requirements against which the specific ICT products and services are evaluated, for example by reference to Union and / or international standards or technical specifications. Already existing international standards should be taken into account;
Amendment 525 #
Proposal for a regulation
Article 47 – paragraph 1 – point c
(c) where applicable, one or more assurance levels taking into account, inter alia, a risk-based approach;
Amendment 534 #
Proposal for a regulation
Article 47 – paragraph 1 – point j
(j) rules concerning how previously undetected cybersecurity vulnerabilities in ICT products and services are to be reported and dealt with, requiring vulnerabilities in ICT products and services that are not publicly known to be reported expeditiously by the appropriate authorities to the relevant vendors and manufacturers using a coordinated vulnerability disclosure process;
Amendment 540 #
Proposal for a regulation
Article 47 – paragraph 1 – point m a (new)
(ma) rules concerning how and when Member States must inform each other when they acquire knowledge of a vulnerability that is not publicly known in an ICT product or service that is certified under this certification scheme.
Amendment 546 #
Proposal for a regulation
Article 47 – paragraph 4 a (new)
4a. Certification schemes may be in particular created for those product groups mentioned in Annex I of this regulation.
Amendment 615 #
Proposal for a regulation
Article 53 – paragraph 3 a (new)
3a. (g) to establish a peer review process. This process shall have regard in particular to the required technical expertise of NCSAs in the fulfilment of their tasks, as described in Articles 48 and 50, and include, when necessary, the development of guidance and best practice documents to improve compliance of the NCSAs with this Regulation.
Amendment 625 #
Proposal for a regulation
Title 4 a (new)
ANNEX 1 (new)
Upon launching the EU cybersecurity certification framework it is likely that attention will focus on areas of imminent interest, in order to rise to the challenge posed by emerging technologies. The area of the Internet of Things is of particular interest as it cuts across consumer as well as industry requirements. The following priority list for adoption into the certification framework is proposed:
(1) Certification of cloud service provision.
(2) Certification of IoT devices, including:
a. devices at individual level, such as smart wearables;
b. devices at community level, such as smart cars, smart homes and health devices;
c. devices at society level, such as smart cities and smart grids.
(3) Industry 4.0, involving intelligent, interconnected cyber-physical systems that automate all phases of industrial operations, spanning from design and manufacturing to operation, supply chain and service maintenance.
(4) Certification of technologies and products used in everyday life, for example networking devices such as home internet routers.