52 Amendments of Reinhard BÜTIKOFER related to 2017/0225(COD)
Amendment 125 #
Proposal for a regulation
Recital 28
(28) The Agency should contribute towards raising the awareness of the public about risks related to IT security and provide guidance on good practices for individual users aimed at citizens and organisations. The Agency should also contribute to promoting best practices and solutions at the level of individuals and organisations by collecting and analysing publicly available information regarding significant incidents, and by compiling and publishing reports and guides with a view to providing guidance to businesses and citizens and improving the overall level of preparedness and resilience. The Agency should furthermore organise, in cooperation with the Member States and the Union institutions, bodies, offices and agencies, regular outreach and public education campaigns directed to end-users, aiming at promoting safer individual online behaviour and raising awareness of potential threats in cyberspace, including cybercrimes such as phishing attacks, botnets, financial and banking fraud, as well as promoting basic authentication, encryption, anonymisation and data protection advice. The Agency should play a central role in accelerating end-user awareness of the security of devices and the secure use of services, popularising security by design and privacy by design at Union level, and the incidents and their solutions. In achieving this objective the Agency should make the best use of available best practices and experience, especially from academic institutions and IT security researchers.
Amendment 132 #
Proposal for a regulation
Recital 30
(30) To ensure that it fully achieves its objectives, the Agency should liaise with relevant institutions, agencies and bodies, including CERT-EU, the European Cybercrime Centre (EC3) at Europol, the European Defence Agency (EDA), the European Agency for the operational management of large-scale IT systems (eu-LISA), the European Aviation Safety Agency (EASA) and any other EU Agency that is involved in IT security. It should also liaise with authorities dealing with data protection in order to exchange know-how and best practices and provide advice on IT security aspects that might have an impact on their work. Representatives of national and Union law enforcement and data protection authorities should be eligible to be represented in the Agency’s Permanent Stakeholders’ Group. In liaising with law enforcement bodies regarding network and information security aspects that might have an impact on their work, the Agency should respect existing channels of information and established networks. Partnerships should be established with academic institutions that have research initiatives in the relevant areas, while the input from consumer organisations and other organisations should have appropriate channels and should always be analysed.
Amendment 139 #
Proposal for a regulation
Recital 35
(35) The Agency should encourage Member States and service providers to raise their general security standards so that all internet users can take the necessary steps to ensure their own personal IT security, and to refrain from allowing the sale or use of devices that do not meet minimum security conditions (for example devices containing hardware, software or firmware components with any known exploitable security vulnerabilities, with unchangeable or unencrypted passwords or access codes, incapable of accepting trusted and properly authenticated security updates, without an adequate hierarchy of remedies from the manufacturer or vendor, or without proper lifecycle documentation). In particular, service providers and product manufacturers should withdraw or recycle products and services that do not meet IT security standards. In cooperation with competent authorities, ENISA may disseminate information regarding the level of IT security of the products and services offered in the internal market, and issue warnings targeting providers and manufacturers and requiring them to improve the security, including IT security, of their products and services.
Amendment 146 #
Proposal for a regulation
Recital 41
(41) In order for the Agency to function properly and effectively, the Commission and the Member States should ensure that persons to be appointed to the Management Board have appropriate professional expertise and experience in functional areas. The Commission and the Member States should also make efforts to limit the turnover of their respective Representatives on the Management Board in order to ensure continuity in its work. Due to the high market value of the skills required in the Agency's work, it is necessary to ensure that the salaries and the social conditions offered to all Agency staff are competitive and ensure that the best professionals can choose to work there.
Amendment 148 #
Proposal for a regulation
Recital 42
(42) The smooth functioning of the Agency requires that its Executive Director be appointed on grounds of merit and documented administrative and managerial skills, as well as competence and experience relevant for IT security, and that the duties of the Executive Director be carried out with complete independence. The Executive Director should prepare a proposal for the Agency’s work programme, after prior consultation with the Commission, and take all necessary steps to ensure the proper execution of the work programme of the Agency. The Executive Director should prepare an annual report to be submitted to the Management Board, draw up a draft statement of estimates of revenue and expenditure for the Agency, and implement the budget. Furthermore, the Executive Director should have the option of setting up ad hoc Working Groups to address specific matters, in particular of a scientific, technical, legal or socioeconomic nature. The Executive Director should ensure that the ad hoc Working Groups’ members are selected according to the highest standards of expertise, taking due account of a representative and gender balance, as appropriate according to the specific issues in question, between the public administrations of the Member States, the Union institutions and the private sector, including industry, users, and academic experts in network and information security.
Amendment 151 #
Proposal for a regulation
Recital 44
(44) The Agency should have a Permanent Stakeholders’ Group as an advisory body, to ensure regular dialogue with the private sector, consumers’ organisations, academia and other relevant stakeholders. The Permanent Stakeholders’ Group, set up by the Management Board on a proposal by the Executive Director, should focus on issues relevant to stakeholders and bring them to the attention of the Agency, providing input on which ICT products and services to cover in future European IT security certification schemes. The composition of the Permanent Stakeholders’ Group and the tasks assigned to this Group, to be consulted in particular regarding the draft Work Programme, should ensure sufficient and equitable representation of stakeholders in the work of the Agency.
Amendment 167 #
Proposal for a regulation
Recital 52
(52) In view of the above, it is necessary to establish a European IT security certification framework laying down the main horizontal requirements for European IT security certification schemes to be developed and allowing certificates for ICT products and services to be recognised and used in all Member States. The European framework should have a twofold purpose: on the one hand, it should help increase trust in ICT products and services that have been certified according to such schemes. On the other hand, it should avoid the multiplication of conflicting or overlapping national IT security certifications and thus reduce costs for undertakings operating in the digital single market. The schemes should be guided by security by design and the principles referred to in Regulation (EU) 2016/679, be non-discriminatory and be based on selected ISO/IEC and/or Union standards, unless those standards are ineffective or inappropriate to fulfil the EU’s legitimate objectives in that regard.
Amendment 178 #
Proposal for a regulation
Recital 57
(57) Recourse to European cybersecurity certification should remain voluntary, unless otherwise provided in Union or national legislation. However, as the existence of baseline IT security requirements is of the utmost importance for consumers as well as for the security of networks, some situations need to be treated in a harmonised and mandatory way. Solutions need to be implemented on all consumer devices and services in order to tackle the challenges of an increasingly connected world. Such minimal requirements could include authentication, security of connections and patches for discovered vulnerabilities. With a view to achieving the objectives of this Regulation and avoiding the fragmentation of the internal market, national cybersecurity certification schemes or procedures for the ICT products and services covered by a European cybersecurity certification scheme should cease to produce effects from the date established by the Commission by means of the implementing act. Moreover, Member States should not introduce new national certification schemes providing cybersecurity certification schemes for ICT products and services already covered by an existing European cybersecurity certification scheme.
Amendment 189 #
Proposal for a regulation
Recital 58 a (new)
(58 a) Clear and mandatory baseline IT security requirements should be devised by the Agency, and should be proposed to the Commission to be promoted through binding acts, for all IT devices sold in or exported from the Union. Those requirements should be developed within two years after the date of entry into force of this Regulation and revised every two years thereafter, in order to ensure constant and dynamic improvements. These baseline IT security requirements should require, inter alia, that the device does not contain any known security vulnerability, that it is capable of accepting trusted security updates, that the vendor notifies competent authorities of known vulnerabilities and repairs or replaces the affected device, or that the vendor informs when security support for such device will end.
Amendment 218 #
Proposal for a regulation
Article 2 – paragraph 1 – point 9
(9) ‘European cybersecurity certification scheme’ means the comprehensive set of rules, technical requirements, standards and procedures defined at Union level and according to ISO/IEC and European standards selected by ENISA, applying to the certification of Information and Communication Technology (ICT) products, processes and services falling under the scope of that specific scheme;
Amendment 226 #
Proposal for a regulation
Article 2 – paragraph 1 – point 10
(10) ‘European cybersecurity certificate’ means an attestation issued either through self-assessment or by an accredited conformity assessment body, attesting that a given ICT process, product or service fulfils the specific requirements laid down in a European cybersecurity certification scheme;
Amendment 240 #
Proposal for a regulation
Article 3 – paragraph 1
1. The Agency shall undertake the tasks assigned to it by this Regulation for the purpose of achieving a high level of IT security within the Union.
Amendment 242 #
Proposal for a regulation
Article 3 – paragraph 3
3. The objectives and the tasks of the Agency shall be without prejudice to the exclusive competences of the Member States regarding IT security.
Amendment 251 #
Proposal for a regulation
Article 4 – paragraph 4
4. The Agency shall promote cooperation and coordination at Union level among Member States, Union institutions, agencies and bodies, and relevant stakeholders, including the private sector, consumer organisations and other civil society organisations, on matters related to IT security.
Amendment 275 #
Proposal for a regulation
Article 5 – paragraph 1 – point 2 a (new)
2 a. assisting the European Data Protection Board established by Regulation (EU) 2016/679 in developing guidelines to specify at the technical level the conditions allowing the licit use of personal data by data controllers for IT security purposes with the objective of protecting their infrastructure by detecting and blocking attacks against their information systems in the context of: (i) Regulation (EU) 2016/679 (1a); (ii) Directive (EU) 2016/1148 (1b); and (iii) Directive 2002/58/EC (1c);
1a Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).
1b Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (OJ L 194, 19.7.2016, p. 1).
1c Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p. 37).
Amendment 280 #
Proposal for a regulation
Article 5 – paragraph 1 – point 2 b (new)
2 b. proposing policies with the objective of ensuring that ICT manufacturers act with due diligence regarding the timely fixing of IT security vulnerabilities in their products and services in order to avoid unduly exposing their users to cybercrime;
Amendment 281 #
Proposal for a regulation
Article 5 – paragraph 1 – point 2 c (new)
2 c. proposing policies establishing a strong responsibility and liability framework for all stakeholders taking part in ICT eco-systems;
Amendment 282 #
Proposal for a regulation
Article 5 – paragraph 1 – point 2 d (new)
2 d. proposing policies strengthening regulation regarding the responsibilities of operators of critical network infrastructures in the case of an attack against their information systems affecting their users due to a lack of due diligence by some of the users or by the operator itself, where the operator has failed to take reasonable action to prevent the incident or to mitigate its effects on all users;
Amendment 283 #
Proposal for a regulation
Article 5 – paragraph 1 – point 2 e (new)
2 e. proposing policies to limit the purchase and use of “Zero days” by public authorities with the purpose of attacking information systems; promoting software audits and financing expert staff;
Amendment 284 #
Proposal for a regulation
Article 5 – paragraph 1 – point 2 f (new)
2 f. proposing policies for public authorities, private companies, researchers, universities and other stakeholders to publish all critical security vulnerabilities that are not yet publicly known within the framework of a responsible disclosure;
Amendment 285 #
Proposal for a regulation
Article 5 – paragraph 1 – point 2 g (new)
2 g. proposing policies for the extension of the use of “verifiable open-source code” for IT solutions in the public sector as well as for the related use of automated tools to ease review of source code and to easily verify the absence of backdoors and other possible security vulnerabilities;
Amendment 295 #
Proposal for a regulation
Article 6 – paragraph 2 a (new)
2 a. The Agency shall facilitate the establishment and launch of a long-term European IT security project to support the growth of an independent EU IT security industry, and to mainstream IT security into all EU IT developments.
Amendment 309 #
Proposal for a regulation
Article 7 – paragraph 8 – point c a (new)
(c a) put in place certification schemes deterring the implementation by ICT manufacturers and service providers of secret backdoors intentionally weakening the IT security of commercial products and services and having a detrimental impact on the global security of the internet.
Amendment 337 #
Proposal for a regulation
Article 8 – paragraph 1 – point b
(b) consult the ISO/IEC standardisation bodies and European standardisation organisations on the development of standards, to ensure the appropriateness of standards used in European cybersecurity certification schemes and facilitate the establishment and take-up of European and ISO/IEC standards for risk management and for the security of ICT products and services, as well as draw up, in collaboration with Member States, advice and guidelines regarding the technical areas related to the security requirements for operators of essential services and digital service providers, as well as regarding already existing standards, including Member States' national standards, pursuant to Article 19(2) of Directive (EU) 2016/1148;
Amendment 343 #
Proposal for a regulation
Article 8 – paragraph 1 – point c a (new)
(c a) put in place certification schemes deterring the implementation by ICT manufacturers and service providers of secret backdoors intentionally weakening the IT security of commercial products and services and having a detrimental impact on the global security of the internet.
Amendment 345 #
Proposal for a regulation
Article 8 – paragraph 1 – point c b (new)
(c b) draw up guidelines concerning how and when Member States are to inform each other when they acquire knowledge of a vulnerability that is not publicly known in an ICT product or service that is certified in accordance with Title III of this Regulation, including guidelines on the coordination of vulnerability disclosure policies;
Amendment 346 #
Proposal for a regulation
Article 8 – paragraph 1 – point c c (new)
(c c) draw up guides and recommendations on minimum security requirements for IT devices placed on the market in the Union or exported from the Union, thus supporting the fast legislative process needed for this particular case;
Amendment 349 #
Proposal for a regulation
Article 9 – paragraph 1 – point e
(e) raise awareness of the public about cybersecurity risks, and provide guidance on good practices for individual users aimed at citizens and organisations and promote the adoption of preventive strong IT security measures and reliable data protection and privacy;
Amendment 355 #
Proposal for a regulation
Article 9 – paragraph 1 – point g a (new)
(g a) promote the widespread adoption by all actors on the Digital Single Market of preventive strong IT security measures and reliable data protection and privacy enhancing technologies as the first line of defence against attacks against information systems.
Amendment 361 #
Proposal for a regulation
Article 10 – paragraph 1 – point a
(a) advise the Union and the Member States on research needs and priorities in the areas of cybersecurity, data protection and privacy, with a view to enabling effective responses to current and emerging risks and threats, including with respect to new and emerging information and communications technologies, and to using risk-prevention technologies effectively;
Amendment 366 #
Proposal for a regulation
Article 13 – paragraph 1
1. The Management Board shall be composed of one representative of each Member State, three representatives of the Permanent Stakeholder Group, one of which must represent the consumer interest, and two representatives appointed by the Commission. All representatives shall have voting rights.
Amendment 368 #
Proposal for a regulation
Article 13 – paragraph 3
3. Members of the Management Board and their alternates shall be appointed in light of their knowledge in the field of cybersecurity, taking into account relevant managerial, administrative and budgetary skills. The Commission and Member States shall make efforts to limit the turnover of their representatives in the Management Board, in order to ensure continuity of that Board’s work. The Commission and Member States shall aim to achieve a balanced representation of genders on the Management Board.
Amendment 372 #
Proposal for a regulation
Article 18 – paragraph 3
3. The Executive Board shall be composed of five members appointed from among the members of the Management Board amongst whom the Chairperson of the Management Board, who may also chair the Executive Board, and one of the representatives of the Commission. The Executive Director shall take part in the meetings of the Executive Board, but shall not have the right to vote. The appointments shall aim to achieve a balanced representation of genders on the Executive Board.
Amendment 384 #
Proposal for a regulation
Article 20 – paragraph 2
2. Procedures for the Permanent Stakeholders’ Group, in particular regarding the number, composition, and the appointment of its members by the Management Board, the proposal by the Executive Director and the operation of the Group, shall be specified in the Agency’s internal rules of operation and shall be made public. The procedures shall follow best practices in ensuring a fair representation and equal rights for all stakeholders and shall aim to ensure a balanced representation of genders.
Amendment 386 #
Proposal for a regulation
Article 20 – paragraph 2 a (new)
2 a. The composition of the Permanent Stakeholders’ Group shall include a minimum of five consumer organisations and civil society organisations.
Amendment 393 #
Proposal for a regulation
Article 23 – paragraph 2
2. The Agency shall ensure that the public and any interested parties are given appropriate, objective, reliable and easily accessible information, in particular with regard to the debates and the results of its work. It shall also make public the declarations of interest made in accordance with Article 22.
Amendment 394 #
Proposal for a regulation
Article 34 – paragraph 2
2. The Management Board shall adopt a decision laying down rules on the secondment to the Agency of national experts, amongst others disallowing no-cost practices and promoting fair remuneration.
Amendment 396 #
Proposal for a regulation
Article 41 – paragraph 2
2. The Agency’s host Member State shall provide the best possible conditions to ensure the proper functioning of the Agency, including the accessibility of the headquarters and other office locations by international airport, the existence of adequate education facilities for the children of staff members, and appropriate access to the labour market, social security and medical care for both children and spouses.
Amendment 409 #
Amendment 413 #
Proposal for a regulation
Article 44 – paragraph 1
1. Following a request from the Commission, ENISA shall prepare a candidate European IT security certification scheme which meets the requirements set out in Articles 45, 46 and 47 of this Regulation. Member States, the European Cybersecurity Certification Group (the 'Group') established under Article 53 or the Permanent Stakeholders’ Group established under Article 20 may propose the preparation of a candidate European IT security certification scheme to the Commission.
Amendment 422 #
Proposal for a regulation
Article 44 – paragraph 2
2. When preparing candidate schemes referred to in paragraph 1 of this Article, ENISA shall consult all relevant stakeholders, as well as consumer organisations, the Article 29 Working Party and the European Data Protection Board as appropriate, and closely cooperate with the Group. The Group shall provide ENISA with the assistance and expert advice required by ENISA in relation to the preparation of the candidate scheme, including by providing opinions where necessary.
Amendment 434 #
Proposal for a regulation
Article 44 – paragraph 4
4. The Commission, based on the candidate scheme proposed by ENISA, may adopt implementing acts, in accordance with Article 55(1), providing for European cybersecurity certification schemes for ICT products and services meeting the requirements of Articles 45, 46 and 47 of this Regulation. The Commission may consult the European Data Protection Board and take account of its view before adopting such implementing acts.
Amendment 451 #
Proposal for a regulation
Article 45 – paragraph 1 – point c
(c) ensure that authorised persons, programmes or machines can access exclusively the data, services or functions to which their access rights refer and a process is in place to identify and document all dependencies and vulnerabilities in ICT products, processes and services;
Amendment 453 #
Proposal for a regulation
Article 45 – paragraph 1 – point d
(d) ensure that ICT products, processes and services do not contain known exploitable vulnerabilities and resist a defined level of attack;
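Points (c) and (d) of Article 45(1) above ask for a documented inventory of a product's dependencies and vulnerabilities, and for the product to contain no known exploitable vulnerability. The following Go program is an added illustration of how such a check is carried out in practice; it is not part of the amendment text and not code from ENISA or any certification scheme. It matches a software bill of materials against an advisory list using half-open version ranges, with numeric version comparison so that "1.10.0" is correctly treated as newer than "1.9.0". The component names, versions and advisory identifiers are all constructed for the example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Component is one entry of a software bill of materials (SBOM).
type Component struct{ Name, Version string }

// Advisory records a known vulnerability in one component, affecting the
// half-open version range [Introduced, Fixed); an empty Fixed means no fix yet.
type Advisory struct{ ID, Component, Introduced, Fixed string }

// parseVersion turns a dotted numeric version ("1.10.2") into integers.
func parseVersion(v string) ([]int, error) {
	parts := strings.Split(v, ".")
	out := make([]int, len(parts))
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return nil, fmt.Errorf("bad version %q: %w", v, err)
		}
		out[i] = n
	}
	return out, nil
}

// compareVersions returns -1, 0 or 1; components compare numerically and
// missing trailing components count as zero, so "1.2" equals "1.2.0".
func compareVersions(a, b string) (int, error) {
	va, err := parseVersion(a)
	if err != nil {
		return 0, err
	}
	vb, err := parseVersion(b)
	if err != nil {
		return 0, err
	}
	for i := 0; i < len(va) || i < len(vb); i++ {
		var x, y int
		if i < len(va) {
			x = va[i]
		}
		if i < len(vb) {
			y = vb[i]
		}
		if x < y {
			return -1, nil
		}
		if x > y {
			return 1, nil
		}
	}
	return 0, nil
}

// affected reports whether version lies in [adv.Introduced, adv.Fixed).
func affected(adv Advisory, version string) (bool, error) {
	c, err := compareVersions(version, adv.Introduced)
	if err != nil || c < 0 {
		return false, err
	}
	if adv.Fixed == "" {
		return true, nil
	}
	c, err = compareVersions(version, adv.Fixed)
	return err == nil && c < 0, err
}

// CheckSBOM maps each affected "name version" to the IDs of the advisories that
// hit it; an empty map is the "no known vulnerability" state. An unparsable
// version is reported as an error rather than silently treated as clean.
func CheckSBOM(sbom []Component, advisories []Advisory) (map[string][]string, error) {
	findings := map[string][]string{}
	for _, c := range sbom {
		key := c.Name + " " + c.Version
		for _, a := range advisories {
			if a.Component != c.Name {
				continue
			}
			hit, err := affected(a, c.Version)
			if err != nil {
				return nil, err
			}
			if hit {
				findings[key] = append(findings[key], a.ID)
			}
		}
	}
	return findings, nil
}

// Constructed sample data: neither the components nor the advisories are real.
var SampleSBOM = []Component{{"libfoo", "1.4.2"}, {"netparse", "0.9.0"}, {"tlsstack", "3.0.1"}}
var SampleAdvisories = []Advisory{
	{"ADV-0001", "libfoo", "1.0.0", "1.4.3"},   // 1.4.2 is inside the range: affected
	{"ADV-0002", "netparse", "0.9.0", ""},      // no fix released: affected
	{"ADV-0003", "tlsstack", "2.0.0", "3.0.0"}, // 3.0.1 already carries the fix: clean
}

func main() {
	findings, err := CheckSBOM(SampleSBOM, SampleAdvisories)
	if err != nil {
		panic(err)
	}
	fmt.Println(findings) // map[libfoo 1.4.2:[ADV-0001] netparse 0.9.0:[ADV-0002]]
}
```

The half-open range matters: the version that carries the fix must not be flagged, and a component with an advisory but no fixed version is always flagged, which is the situation in which a vendor has to repair or replace the device rather than ship a patch.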
Amendment 457 #
Proposal for a regulation
Article 45 – paragraph 1 – point g
(g) ensure that ICT products and services are provided with up-to-date software and hardware that does not contain known vulnerabilities, ensure that they have been designed and implemented in such a way as to effectively limit their susceptibility to vulnerabilities, and ensure that they are provided with mechanisms for secure software updates, including automatic security updates and the possibility of hardware upgrades;
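Recital 35, Recital 58 a and point (g) of Article 45(1) above all require that a device accept only trusted, properly authenticated security updates. As an added example that is not part of the amendment text and not the code of any vendor or scheme, the Go program below shows the three checks a device makes before installing an update: that the update manifest carries a valid Ed25519 signature under the vendor key pinned on the device, that the version is newer than the installed one (anti-rollback), and that the image matches the digest named in the signed manifest. The manifest format, key pair, version numbers and image bytes are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest names one update image: its version and the SHA-256 of the image.
// The vendor signs the encoded manifest, so the device can verify authenticity
// and check rollback before it hashes a possibly large image.
type Manifest struct {
	Version uint32
	Digest  [32]byte
}

func (m Manifest) encode() []byte {
	buf := make([]byte, 4+32)
	binary.BigEndian.PutUint32(buf[:4], m.Version)
	copy(buf[4:], m.Digest[:])
	return buf
}

// Update bundles the manifest, the vendor's signature over it and the image.
type Update struct {
	Manifest  Manifest
	Signature []byte
	Image     []byte
}

// SignUpdate is the vendor side: hash the image, build the manifest, sign it.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	m := Manifest{Version: version, Digest: sha256.Sum256(image)}
	return Update{Manifest: m, Signature: ed25519.Sign(priv, m.encode()), Image: image}
}

var (
	ErrBadSignature = errors.New("update: manifest not signed by the pinned vendor key")
	ErrRollback     = errors.New("update: version is not newer than the installed one")
	ErrDigest       = errors.New("update: image digest does not match the manifest")
)

// Device holds the pinned vendor public key and the currently installed version.
type Device struct {
	VendorKey        ed25519.PublicKey
	InstalledVersion uint32
}

// VerifyAndApply runs the checks a device must pass before installing an update:
// manifest authenticity, anti-rollback, image integrity. Only when all three
// pass is the installed version advanced.
func (d *Device) VerifyAndApply(u Update) error {
	if !ed25519.Verify(d.VendorKey, u.Manifest.encode(), u.Signature) {
		return ErrBadSignature
	}
	if u.Manifest.Version <= d.InstalledVersion {
		return ErrRollback
	}
	if sum := sha256.Sum256(u.Image); !bytes.Equal(sum[:], u.Manifest.Digest[:]) {
		return ErrDigest
	}
	d.InstalledVersion = u.Manifest.Version
	return nil
}

// Scenario runs a constructed vendor/device exchange (keys, versions and image
// bytes are made up) and returns the outcome of each update attempt in order.
func Scenario() []error {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	dev := &Device{VendorKey: vendorPub, InstalledVersion: 5}

	genuine := SignUpdate(vendorPriv, 6, []byte("firmware v6 (constructed image)"))
	older := SignUpdate(vendorPriv, 4, []byte("firmware v4 (constructed image)"))
	forged := SignUpdate(attackerPriv, 7, []byte("backdoored image (constructed)"))
	tampered := SignUpdate(vendorPriv, 7, []byte("firmware v7 (constructed image)"))
	tampered.Image = append([]byte("X"), tampered.Image[1:]...) // altered after signing

	return []error{
		dev.VerifyAndApply(genuine),  // nil: installed version becomes 6
		dev.VerifyAndApply(older),    // ErrRollback: validly signed, but older
		dev.VerifyAndApply(forged),   // ErrBadSignature: signed with the wrong key
		dev.VerifyAndApply(tampered), // ErrDigest: manifest genuine, image not
	}
}

func main() {
	for i, err := range Scenario() {
		fmt.Printf("attempt %d: %v\n", i+1, err)
	}
}
```

The second attempt is the case the recitals call "properly authenticated": the older image is genuinely vendor-signed, yet the device still refuses it, because a signature alone does not stop an attacker replaying a vulnerable earlier release. The version counter that makes that refusal possible has to survive reboots and be writable only by the update path itself.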
Amendment 504 #
Proposal for a regulation
Article 46 – paragraph 2 – point c
(c) assurance level high shall refer to a certificate issued in the context of a European cybersecurity certification scheme, which provides a higher degree of confidence in the claimed or asserted cybersecurity qualities of an ICT product or service than certificates with the assurance level substantial, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to prevent cybersecurity incidents. The evaluation methodology should be guided at least by efficiency testing which assesses the resistance of the security functionalities against attackers having significant to unlimited resources.
Amendment 560 #
Proposal for a regulation
Article 48 – paragraph 4 – introductory part
4. By way of derogation from paragraph 3, and only in duly justified cases, a particular European cybersecurity scheme may provide that a European cybersecurity certificate resulting from that scheme can only be issued by a body that is accredited as a conformity assessment body pursuant to Article 51(1). The natural or legal person which submits its ICT products or services to the certification mechanism shall make available to the conformity assessment body referred to in Article 51 all information necessary to conduct the certification procedure.
Amendment 564 #
Proposal for a regulation
Article 48 – paragraph 4 – point a
Amendment 565 #
Proposal for a regulation
Article 48 – paragraph 4 – point b
Amendment 566 #
Proposal for a regulation
Article 48 – paragraph 4 – point c
Amendment 577 #
Proposal for a regulation
Article 48 a (new)
Amendment 586 #
Proposal for a regulation
Article 50 – paragraph 3
3. Each national certification supervisory authority shall, in its organisation, funding decisions, legal structure and decision-making, be independent of the entities it supervises. The national certification supervisory authority may not be a certification body or certificate issuer.