45 Amendments of Lara COMI related to 2017/0225(COD)

Amendment 135 #
Proposal for a regulation
Article 2 – paragraph 1 – point 9
(9) ‘European cybersecurity certification scheme’ means the comprehensive set of rules, technical requirements, standards and procedures defined at Union level applying to the certification of Information and Communication Technology (ICT) hardware and software products and services falling under the scope of that specific scheme;
2018/03/02
Committee: IMCO
Amendment 143 #
Proposal for a regulation
Article 2 – paragraph 1 – point 16 a (new)
(16a) ‘self-declaration of conformity’ means the statement by the manufacturer attesting that their ICT product or service conforms with the specified European cybersecurity certification scheme.
2018/03/02
Committee: IMCO
Amendment 224 #
Proposal for a regulation
Article 43 – paragraph 1
A European cybersecurity certification scheme shall attest that the ICT hardware and software products and services that have been certified in accordance with such scheme comply with specified requirements as regards their ability to resist, at a given level of risk-based assurance, actions that aim to compromise the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or the functions or services offered by, or accessible via, those hardware and software products, development and maintenance processes, services and systems.
2018/03/02
Committee: IMCO
Amendment 235 #
Proposal for a regulation
Article 44 – paragraph 2
2. When preparing candidate schemes referred to in paragraph 1 of this Article, ENISA shall consult all relevant stakeholders and closely cooperate with the Group in defining the security objectives of the candidate certification scheme in line with Article 45, which will lead to the compilation of a checklist of risks and corresponding cybersecurity features. The Group shall provide ENISA with the assistance and expert advice required by ENISA in relation to the preparation of the candidate scheme, including by providing opinions where necessary.
2018/03/02
Committee: IMCO
Amendment 243 #
Proposal for a regulation
Article 44 – paragraph 2 a (new)
2a. ENISA shall coordinate the compilation of a checklist of risks associated with the hardware or software of the ICT product or service. The risks shall be matched with corresponding cybersecurity features to be included in the candidate European cybersecurity certification scheme.
2018/03/02
Committee: IMCO
Amendment 247 #
Proposal for a regulation
Article 44 – paragraph 2 b (new)
2b. The checklist prepared shall draw from Member States’ experience in designing and implementing cybersecurity certificates within their jurisdictions. A list of expected risks will be drawn up and analysed, depending on an assessment of the risk environment that the ICT software or hardware product or ICT service will eventually operate in, as well as the expected end user.
2018/03/02
Committee: IMCO
Amendment 254 #
Proposal for a regulation
Article 44 – paragraph 4
4. The Commission, based on the candidate scheme proposed by ENISA, may adopt implementing acts, in accordance with Article 55(1), providing for European cybersecurity certification schemes for ICT hardware and software products and services meeting the requirements of Articles 45, 46 and 47 of this Regulation.
2018/03/02
Committee: IMCO
Amendment 255 #
Proposal for a regulation
Article 44 – paragraph 5
5. ENISA shall maintain a dedicated website providing information on, and publicity of, European cybersecurity certification schemes as well as candidate cybersecurity certification schemes in preparation.
2018/03/02
Committee: IMCO
Amendment 258 #
Proposal for a regulation
Article 45 – paragraph 1 – introductory part
A European cybersecurity certification scheme shall be so designed to take into account, as applicable, the following non-exhaustive list of security objectives:
2018/03/02
Committee: IMCO
Amendment 272 #
Proposal for a regulation
Article 45 – paragraph 1 – point g
(g) ensure that ICT hardware and software products and services are provided with up-to-date software that does not contain known vulnerabilities, and are provided with mechanisms for secure software updates.
2018/03/02
Committee: IMCO
Amendment 276 #
Proposal for a regulation
Article 46 – title
Risk-Based Assurance levels of European cybersecurity certification schemes
2018/03/02
Committee: IMCO
Amendment 284 #
Proposal for a regulation
Article 46 – paragraph 1
1. A European cybersecurity certification scheme may specify one or more of the following assurance levels: elemental, substantial and/or high, for ICT hardware and software products and services issued under that scheme.
2018/03/02
Committee: IMCO
Amendment 287 #
Proposal for a regulation
Article 46 – paragraph 1 a (new)
1a. A European cybersecurity certification scheme shall specify whether self-declaration of conformity is permissible or third party assessment strictly required.
2018/03/02
Committee: IMCO
Amendment 291 #
Proposal for a regulation
Article 46 – paragraph 2 – introductory part
2. The risk-based assurance levels elemental, substantial and high shall meet the following criteria respectively:
2018/03/02
Committee: IMCO
Amendment 297 #
Proposal for a regulation
Article 46 – paragraph 2 – point a
(a) risk-based assurance level elemental shall refer to a certificate issued in the context of a European cybersecurity certification scheme, which provides an essential minimum degree of confidence and security in the event of common cyber-security threats faced by predominantly consumer products in the claimed or asserted cybersecurity qualities of an ICT product or service, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to decrease the risk of cybersecurity incidents;
2018/03/02
Committee: IMCO
Amendment 302 #
Proposal for a regulation
Article 46 – paragraph 2 – point b
(b) risk-based assurance level substantial shall refer to a certificate issued in the context of a European cybersecurity certification scheme, which provides a substantial degree of confidence in the claimed or asserted cybersecurity qualities of an ICT product or service, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls that are generally used at industry level, the purpose of which is to decrease substantially the risk of cybersecurity incidents;
2018/03/02
Committee: IMCO
Amendment 309 #
Proposal for a regulation
Article 46 – paragraph 2 – point c
(c) risk-based assurance level high shall refer to a certificate issued in the context of a European cybersecurity certification scheme, which provides a higher degree of confidence in the claimed or asserted cybersecurity qualities of an ICT product or service than certificates with the assurance level substantial, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls that are generally used at industrial level, the purpose of which is to prevent cybersecurity incidents.
2018/03/02
Committee: IMCO
Amendment 311 #
Proposal for a regulation
Article 46 – paragraph 2 a (new)
2a. The risk-based assurance level for a candidate European cybersecurity certification scheme shall be identified on the basis of the risks identified in the checklist established in Article 44(2) and the availability of cybersecurity measures to counter those risks in the ICT hardware and software products and services to which the certification scheme applies.
2018/03/02
Committee: IMCO
Amendment 313 #
Proposal for a regulation
Article 46 – paragraph 2 b (new)
2b. The characteristics identified in the risk-based assurance level elemental in Article 46(2) are the minimum cybersecurity measures acceptable for consumer products. The characteristics identified in the risk-based assurance levels substantial and high are the minimum cybersecurity measures acceptable for ICT hardware and software products and services used on an industrial scale. These general characteristics should not restrict ENISA, following consultation with the Member States and the Permanent Stakeholders’ Group, from selecting a higher risk-based assurance level than is strictly required following a thorough assessment.
2018/03/02
Committee: IMCO
Amendment 317 #
Proposal for a regulation
Article 47 – paragraph 1 – introductory part
1. A European cybersecurity certification scheme shall include at least the following elements:
2018/03/02
Committee: IMCO
Amendment 320 #
Proposal for a regulation
Article 47 – paragraph 1 – point a
(a) subject-matter and scope of the certification, including the type or categories of ICT hardware and software products and services covered;
2018/03/02
Committee: IMCO
Amendment 322 #
Proposal for a regulation
Article 47 – paragraph 1 – point b
(b) detailed specification of the cybersecurity requirements against which the specific ICT hardware and software products and services are evaluated, for example by reference to Union or international standards or technical specifications;
2018/03/02
Committee: IMCO
Amendment 327 #
Proposal for a regulation
Article 47 – paragraph 1 – point c
(c) where applicable, one or more risk-based assurance levels;
2018/03/02
Committee: IMCO
Amendment 329 #
Proposal for a regulation
Article 47 – paragraph 1 – point c a (new)
(ca) the applicable conformity assessment procedure and/or self-declaration of conformity;
2018/03/02
Committee: IMCO
Amendment 330 #
Proposal for a regulation
Article 47 – paragraph 1 – point c b (new)
(cb) certification requirements defined in a way that certification can be incorporated into or based on the producer’s systematic cybersecurity processes followed during the design, development and lifecycle of the ICT product or service;
2018/03/02
Committee: IMCO
Amendment 333 #
Proposal for a regulation
Article 47 – paragraph 1 – point f
(f) where the scheme provides for marks or labels, such as an EU Cybersecurity Conformity Label signifying that the ICT product or service conforms to the criteria of a European cybersecurity certification scheme, the conditions under which such marks or labels may be used;
2018/03/02
Committee: IMCO
Amendment 342 #
Proposal for a regulation
Article 47 – paragraph 1 – point i
(i) rules concerning the consequences of non-conformity of certified ICT hardware and software products and services with the certification requirements, including general information about the penalties to be incurred as laid down in Article 54 of this Regulation;
2018/03/02
Committee: IMCO
Amendment 343 #
Proposal for a regulation
Article 47 – paragraph 1 – point j
(j) the requirement that an ICT hardware or software product trader or service provider has procedures and rules in place concerning how previously undetected cybersecurity vulnerabilities in ICT hardware and software products and services are to be reported and dealt with;
2018/03/02
Committee: IMCO
Amendment 350 #
Proposal for a regulation
Article 47 – paragraph 1 – point l
(l) identification of national cybersecurity certification schemes or industry-led methods covering the same type or categories of ICT hardware and software products and services;
2018/03/02
Committee: IMCO
Amendment 359 #
Proposal for a regulation
Article 47 – paragraph 1 – point m a (new)
(ma) the period of validity of the certificate;
2018/03/02
Committee: IMCO
Amendment 368 #
Proposal for a regulation
Article 48 – paragraph 1
1. ICT hardware and software products and services that have been certified under a European cybersecurity certification scheme adopted pursuant to Article 44 shall be presumed to be compliant with the requirements of such scheme.
2018/03/02
Committee: IMCO
Amendment 377 #
Proposal for a regulation
Article 48 – paragraph 3
3. A European cybersecurity certificate pursuant to this Article shall be issued either by self-declaration of conformity or by the conformity assessment bodies referred to in Article 51 on the basis of criteria included in the European cybersecurity certification scheme, adopted pursuant to Article 44.
2018/03/02
Committee: IMCO
Amendment 383 #
Proposal for a regulation
Article 48 – paragraph 6
6. Certificates shall be issued and shall remain valid for a maximum period defined in each cybersecurity certification scheme according to Article 47(1)(n) and depending on the risk environment and the hardware and/or software product or services’ expected uses, and may be renewed, under the same conditions, provided that the relevant requirements continue to be met.
2018/03/02
Committee: IMCO
Amendment 386 #
Proposal for a regulation
Article 48 – paragraph 6 a (new)
6a. A European cybersecurity certification scheme shall remain valid for all new versions, patches, fixes, updates, etc. issued by the ICT hardware or software product or service trader and/or manufacturer to address security vulnerabilities that have been addressed through the trader and/or manufacturer’s procedures as defined under Article 47(1)(j).
2018/03/02
Committee: IMCO
Amendment 409 #
Proposal for a regulation
Article 50 – paragraph 6 – point a
(a) monitor and enforce the application of the provisions under this Title at national level and supervise and verify the compliance of the self-declarations of conformity and the cybersecurity certificates that have been issued by conformity assessment bodies established in their respective territories with the requirements set out in this Title and in the corresponding European cybersecurity certification scheme in accordance with the rules adopted by the European Cybersecurity Certification Group pursuant to Article 53(3)(ba);
2018/03/02
Committee: IMCO
Amendment 411 #
Proposal for a regulation
Article 50 – paragraph 6 – point b
(b) monitor, supervise and assess the activities of conformity assessment bodies for the purpose of this Regulation, including in relation to the notification of conformity assessment bodies and the related tasks set out in Article 52 of this Regulation;
2018/03/02
Committee: IMCO
Amendment 412 #
Proposal for a regulation
Article 50 – paragraph 6 – point b a (new)
(ba) scrutinise self-declarations of conformity, and monitor, supervise and assess the activities of firms that issue them for the purpose of this Regulation;
2018/03/02
Committee: IMCO
Amendment 413 #
Proposal for a regulation
Article 50 – paragraph 6 – point b b (new)
(bb) report the results of verifications under point (a) and the assessments under points (b) and (c) to the European Cybersecurity Certification Group and to ENISA;
2018/03/02
Committee: IMCO
Amendment 415 #
Proposal for a regulation
Article 50 – paragraph 6 – point c
(c) handle complaints lodged by natural or legal persons in relation to certificates issued by self-declaration and by conformity assessment bodies established in their territories, investigate, to the extent appropriate, the subject matter of the complaint, and inform the complainant of the progress and the outcome of the investigation within a reasonable time period;
2018/03/02
Committee: IMCO
Amendment 420 #
Proposal for a regulation
Article 50 – paragraph 7 – point e
(e) to withdraw, in accordance with national law, certificates that are not compliant with this Regulation or a European cybersecurity certification scheme and inform national accreditation bodies accordingly;
2018/03/02
Committee: IMCO
Amendment 429 #
Proposal for a regulation
Article 51 – paragraph 2 a (new)
2a. Where manufacturers opt for ‘self-declaration of conformity’ as established in Article 48(3) of this Regulation, conformity assessment bodies will take additional steps to verify the internal procedures undertaken by the manufacturer to ensure that their products and/or services conform with the requirements of the European cybersecurity certification scheme.
2018/03/02
Committee: IMCO
Amendment 430 #
Proposal for a regulation
Article 51 a (new)
Article 51 a
Peer-Review Assessment
1. National accreditation bodies shall subject themselves to peer evaluation coordinated by ENISA.
2. Member States shall ensure that their national accreditation bodies periodically undergo peer evaluation.
3. Peer evaluation shall be conducted based on a set of transparent evaluation criteria and procedures that include structural resources, human resources, certification conformity procedures, confidentiality and complaints. National accreditation bodies shall have recourse to appeal procedures against decisions taken as a result of this peer evaluation.
4. Peer evaluation shall ascertain whether the national accreditation bodies meet the requirements enshrined in Regulation (EC) No 765/2008.
5. ENISA shall publish and communicate the outcome of the peer evaluation exercises to all Member States and to the Commission.
6. Together with Member States, the Commission shall oversee the rules and the proper functioning of the peer evaluation system.
2018/03/02
Committee: IMCO
Amendment 432 #
Proposal for a regulation
Article 53 – paragraph 3 – point a a (new)
(aa) to provide ENISA with strategic guidance and to establish a work programme including the common actions to be undertaken at EU level to ensure the consistent application of this Title across all Member States;
2018/03/02
Committee: IMCO
Amendment 433 #
Proposal for a regulation
Article 53 – paragraph 3 – point a b (new)
(ab) to establish and periodically update a priority list of ICT products and services that urgently require an EU cybersecurity certification scheme;
2018/03/02
Committee: IMCO
Amendment 434 #
Proposal for a regulation
Article 53 – paragraph 3 – point b a (new)
(ba) to adopt binding rules determining the intervals at which national certification supervisory authorities are to carry out verifications of certificates and the criteria, scale and scope of these verifications and to adopt common rules and standards for reporting, in accordance with Article 50(6).
2018/03/02
Committee: IMCO