Activities of Evžen TOŠENOVSKÝ related to 2023/0108(COD)

Shadow reports (1)

REPORT on the proposal for a regulation of the European Parliament and of the Council amending Regulation (EU) 2019/881 as regards managed security services
2023/10/26
Committee: ITRE
Dossiers: 2023/0108(COD)
Documents: PDF(250 KB) DOC(86 KB)
Authors: Josianne CUTAJAR (MEP ID 197394)

Amendments (14)

Amendment 17
Proposal for a regulation
Recital 2
(2) Managed security services are services provided by the managed security service providers pursuant to point (40) of Article 6 of Directive (EU) 2022/2555 of the European Parliament and of the Council. Those services consisting of carrying out, or providing assistance for, activities relating to their customers’ cybersecurity risk management, have gained increasing importance in the prevention and mitigation of cybersecurity incidents. Accordingly, the managed security service providers are considered as essential or important entities belonging to a sector of high criticality pursuant to point 10 of Annex I of Directive (EU) 2022/2555 of the European Parliament and of the Council [8]. Pursuant to Recital 86 of that Directive, managed security service providers in areas such as incident response, penetration testing, security audits and consultancy, play a particularly important role in assisting entities in their efforts to prevent, detect, respond to or recover from incidents. Managed security service providers have however also themselves been the target of cyberattacks and pose a particular risk because of their close integration in the operations of their customers. Essential and important entities within the meaning of Directive (EU) 2022/2555 should therefore exercise increased diligence in selecting a managed security service provider.
[8] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (OJ L 333, 27.12.2022, p. 80).
2023/09/21
Committee: ITRE
Amendment 19
Proposal for a regulation
Recital 3
(3) Managed security services providers also play an important role in the EU Cybersecurity Reserve whose gradual set-up is supported by Regulation (EU) …/…. [laying down measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cybersecurity threats and incidents]. The EU Cybersecurity Reserve is to be used to support response and immediate recovery actions in case of significant and large-scale cybersecurity incidents. Regulation (EU) …/…[laying down measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cybersecurity threats and incidents] lays down a selection process for the trusted managed security service providers forming the EU Cybersecurity Reserve, which should, inter alia, take into account whether the provider concerned has obtained a European or national cybersecurity certification. The relevant services provided by ‘trusted providers’ according to Regulation (EU) …./…..[laying down measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cybersecurity threats and incidents] correspond to ‘managed security services’ in accordance with this Regulation. Moreover, once a European cybersecurity certification scheme for managed security service is in place, which would also replace all relevant national cybersecurity certification schemes, a compulsory certification in accordance with that certification scheme should apply for inclusion of the trusted managed security service providers in the EU Cybersecurity Reserve.
2023/09/21
Committee: ITRE
Amendment 26
Proposal for a regulation
Recital 5
(5) In addition to the deployment of ICT products, ICT services or ICT processes, managed security services often provide additional service features that rely on the competences, expertise and experience of their personnel. A very high level of these competences, expertise and experience as well as appropriate internal procedures should be part of the security objectives in order to ensure a very high quality of the managed security services provided. In order to ensure that all aspects of a managed security service can be covered by a dedicated certification scheme, it is therefore necessary to amend Regulation (EU) 2019/881. The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council and delivered an opinion on [DD/MM/YYYY
2023/09/21
Committee: ITRE
Amendment 30
Proposal for a regulation
Article 1 – paragraph 1 – point 2 – point a – introductory part
(a) points 7, 9, 10 and 11 are replaced by the following:
2023/09/21
Committee: ITRE
Amendment 31
Proposal for a regulation
Article 1 – paragraph 1 – point 2 – point a
Regulation (EU) 2019/881
Article 2 – point 7
(7) ‘incident handling’ means incident handling as defined in point (8) of Article 6 of Directive (EU) 2022/2555;
2023/09/21
Committee: ITRE
Amendment 32
Proposal for a regulation
Article 1 – paragraph 1 – point 2 – point b – introductory part
(b) the following points are inserted:
2023/09/21
Committee: ITRE
Amendment 33
Proposal for a regulation
Article 1 – paragraph 1 – point 2 – point b
Regulation (EU) 2019/881
Article 2 – point 7a
(7a) ‘risk’ means risk as defined in point (9) of Article 6 of Directive (EU) 2022/2555;
2023/09/21
Committee: ITRE
Amendment 34
Proposal for a regulation
Article 1 – paragraph 1 – point 2 – point b
Regulation (EU) 2019/881
Article 2 – point 14a
(14a) ‘managed security service’ means a managed security service within the meaning of point (40) of Article 6 of Directive (EU) 2022/2555;
2023/09/21
Committee: ITRE
Amendment 36
Proposal for a regulation
Article 1 – paragraph 1 – point 2 – point b
Regulation (EU) 2019/881
Article 2 – point 14aa
(14aa) ‘managed security service provider’ means a managed security service provider as defined in point (40) of Article 6 of Directive (EU) 2022/2555;
2023/09/21
Committee: ITRE
Amendment 45
Proposal for a regulation
Article 1 – paragraph 1 – point 9
Regulation (EU) 2019/881
Article 51a – paragraph 1 – point g
(g) ensure that the ICT products, ICT services and ICT processes [and the hardware] deployed in the provision of the managed security services are secure by default and by design, do not contain known vulnerabilities and include the latest security updates;
2023/09/21
Committee: ITRE
Amendment 49
Proposal for a regulation
Article 1 – paragraph 1 – point 17 – introductory part
Regulation (EU) 2019/881
Article 67
(17) in Article 67, paragraphs 1, 2, 3 and 4 are replaced by the following:
2023/09/21
Committee: ITRE
Amendment 50
Proposal for a regulation
Article 1 – paragraph 1 – point 17
Regulation (EU) 2019/881
Article 67 – paragraph 1
1. By 28 June 2024, and every four years thereafter, the Commission shall evaluate the impact, effectiveness and efficiency of ENISA and of its working practices, the possible need to modify ENISA’s mandate and the financial implications of any such modification. The evaluation shall take into account any feedback provided to ENISA in response to its activities. Where the Commission considers that the continued operation of ENISA is no longer justified in light of the objectives, mandate and tasks assigned to it, the Commission may propose that this Regulation be amended with regard to the provisions related to ENISA.
2023/09/21
Committee: ITRE
Amendment 51
Proposal for a regulation
Article 1 – paragraph 1 – point 17
Regulation (EU) 2019/881
Article 67 – paragraph 2
2. The evaluation shall also assess the impact, effectiveness and efficiency of the provisions of Title III of this Regulation with regard to the objectives of ensuring an adequate level of cybersecurity of ICT products, ICT services, ICT processes and managed security services in the Union and improving the functioning of the internal market, including assessment of the procedure and timelines leading to preparation and adoption of the first European cybersecurity certification schemes and how this procedure could be improved and accelerated for subsequent certification schemes.
2023/09/21
Committee: ITRE
Amendment 52
Proposal for a regulation
Article 1 – paragraph 1 – point 17
Regulation (EU) 2019/881
Article 67 – paragraph 4
4. By 28 June 2024, and every four years thereafter, the Commission shall transmit a report on the evaluation together with its conclusions to the European Parliament, to the Council and to the Management Board. The findings of that report shall be made public. The report shall be accompanied, where necessary, by a legislative proposal.
2023/09/21
Committee: ITRE