19 Amendments of Cornelia ERNST related to 2017/0225(COD)

Amendment 20 #
Proposal for a regulation
Title
Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on ENISA, the “European Network and Information Security Agency”, and repealing Regulation (EU) 526/2013, and on Information and Communication Technology cybersecurity certification (‘‘Cybersecurity Act’’) (Text with EEA relevance)
2018/02/09
Committee: LIBE
Amendment 23 #
Proposal for a regulation
Recital 2
(2) The use of network and information systems by citizens, businesses and governments across the Union is now pervasive. Digitisation and connectivity are becoming core features in an ever growing number of products and services and with the advent of the Internet of Things (IoT) millions, if not billions, of connected digital devices are expected to be deployed across the EU during the next decade. While an increasing number of devices are connected to the Internet, security and resilience are not sufficiently built in by design, leading to insufficient IT security. In this context, the limited use of certification leads to insufficient information for organisational and individual users about the cybersecurity features of ICT products and services, undermining trust in digital solutions. (This amendment replaces the term “cybersecurity” by the more appropriate term “IT security”. It should apply throughout the text.)
2018/02/09
Committee: LIBE
Amendment 26 #
Proposal for a regulation
Recital 3
(3) Increased digitisation and connectivity lead to increased cybersecurity risks, thus making society at large more vulnerable to computer oriented threats and exacerbating dangers faced by individuals, including vulnerable persons such as children. In order to mitigate this risk to society, all necessary actions need to be taken to improve cybersecurity in the EU to better protect network and information systems, telecommunication networks, digital products, services and devices used by citizens, governments and business – from SMEs to operators of critical infrastructures – from computer oriented threats. (This amendment replaces the misleading term “cyber threat” by the more appropriate term “computer oriented threat”. It should apply throughout the text.)
2018/02/09
Committee: LIBE
Amendment 27 #
Proposal for a regulation
Recital 4
(4) Computer oriented attacks are on the increase and a connected economy and society that is more vulnerable to cyber threats and attacks requires stronger defences. However, while cyber-attacks are often cross-border, policy responses by cybersecurity authorities and law enforcement competences are predominantly national. Large-scale IT security incidents could disrupt the provision of essential services across the EU. This requires effective EU level response and crisis management, building upon dedicated policies and wider instruments for European solidarity and mutual assistance. Moreover, a regular assessment of the state of cybersecurity and resilience in the Union, based on reliable Union data, as well as systematic forecast of future developments, challenges and threats, both at Union and global level, is therefore important for policy makers, industry and users. (This amendment replaces the term “cyber attack” by the more appropriate term “computer oriented attack”. It should apply throughout the text.)
2018/02/09
Committee: LIBE
Amendment 36 #
Proposal for a regulation
Recital 11 a (new)
(11a) The challenges in the field of IT security are, in the digital age, often closely interlinked with challenges in the field of data protection, the protection of private life as well as the protection of electronic communications. In order for the agency to appropriately be able to address these challenges, close cooperation and frequent consultation with the bodies established under Regulation (EC) 45/2001, Regulation (EU) 2016/679, Directive (EU) 2016/680 and Regulation (EC) No 1211/2009 should form an integral part of the agency’s activities.
2018/02/09
Committee: LIBE
Amendment 61 #
Proposal for a regulation
Article 1 – paragraph 1 – point a
(a) lays down the objectives, tasks and organisational aspects of ENISA, the “European Network and Information Security Agency”, hereinafter ‘the Agency’; and
2018/02/09
Committee: LIBE
Amendment 62 #
Proposal for a regulation
Article 1 – paragraph 1 – point b
(b) lays down a framework for the establishment of European cybersecurity certification schemes for the purpose of ensuring an adequate level of cybersecurity of ICT products and services in the Union. Such framework shall apply without prejudice to specific provisions regarding voluntary or mandatory certification in other Union acts.
2018/02/09
Committee: LIBE
Amendment 64 #
Proposal for a regulation
Title II
ENISA – the “European Network and Information Security Agency”
2018/02/09
Committee: LIBE
Amendment 72 #
Proposal for a regulation
Article 4 – paragraph 7
7. The Agency shall promote a high level of awareness of citizens and businesses on issues related to the cybersecurity.
2018/02/09
Committee: LIBE
Amendment 74 #
Proposal for a regulation
Article 5 – paragraph 1 – point 2 a (new)
2 a. assisting the bodies established under Regulation (EU) 2016/679 in developing guidelines setting out conditions and safeguards for further processing of personal data for security purposes with the objective of protecting against attacks against network and information systems within the scope of Regulation (EU) 2016/679, Directive (EU) 2016/1148 and Directive 2002/58/EC;
2018/02/09
Committee: LIBE
Amendment 75 #
Proposal for a regulation
Article 5 – paragraph 1 – point 2 b (new)
2 b. proposing policies setting out conditions and deadlines for the fixing of IT security vulnerabilities by ICT vendors with the objective of avoiding any exposure of users to computer oriented threats;
2018/02/09
Committee: LIBE
Amendment 76 #
Proposal for a regulation
Article 5 – paragraph 1 – point 2 c (new)
2 c. proposing policies for public authorities for handling of vulnerabilities that are not known to the public, with the objective of safeguarding the integrity of the ecosystem of information systems;
2018/02/09
Committee: LIBE
Amendment 77 #
Proposal for a regulation
Article 5 – paragraph 1 – point 2 d (new)
2 d. proposing policies and advising public authorities to avoid and limit the deployment of closed-source IT solutions in order to ensure that the ICT ecosystem is free from vulnerabilities, in particular backdoors;
2018/02/09
Committee: LIBE
Amendment 85 #
Proposal for a regulation
Article 8 – paragraph 1 – point b a (new)
(ba) facilitate the establishment and take-up of European and international standards for the security of ICT products and services, with the objective of preventing the use and distribution, both intentionally and non-intentionally, of technology, or parts thereof, intentionally weakening the security of ICT products and services (‘backdoors’);
2018/02/09
Committee: LIBE
Amendment 92 #
Proposal for a regulation
Article 10 – paragraph 1 – point a
(a) advise the Union and the Member States on research needs and priorities in the areas of cybersecurity and data protection and privacy, with a view to enabling effective responses to current and emerging risks and threats, including with respect to new and emerging information and communications technologies, and to using risk-prevention technologies effectively;
2018/02/09
Committee: LIBE
Amendment 103 #
Proposal for a regulation
Article 44 – paragraph 2
2. When preparing candidate schemes referred to in paragraph 1 of this Article, ENISA shall consult all relevant stakeholders and closely cooperate with the Group as well as with the bodies established under Regulation (EC) 45/2001, Regulation (EU) 2016/679, Directive (EU) 2016/680 and, if appropriate, Regulation (EC) No 1211/2009. The Group shall provide ENISA with the assistance and expert advice required by ENISA in relation to the preparation of the candidate scheme, including by providing opinions where necessary.
2018/02/09
Committee: LIBE
Amendment 106 #
Proposal for a regulation
Article 44 – paragraph 4
4. The Commission, based on the candidate scheme proposed by ENISA, may adopt implementing acts, in accordance with Article 55(1), providing for European cybersecurity certification schemes for ICT products and services meeting the requirements of Articles 45, 46 and 47 of this Regulation. Where appropriate, the Commission shall consult the European Data Protection Board before adopting such decision in order to ensure consistency with certifications under Regulation (EU) 2016/679.
2018/02/09
Committee: LIBE
Amendment 123 #
Proposal for a regulation
Article 48 a (new)
Article 48 a
Minimum requirements for IT security
1. The Agency shall, by ... [two years after the date of entry into force of this Regulation], propose to the Commission clear and mandatory minimum requirements of security for all IT devices sold in or exported from the Union such as:
(a) the vendor providing a legally binding written certification that the device does not contain any hardware, software or firmware component with any known security vulnerabilities;
(b) the device relies on software or firmware components capable of accepting properly authenticated and trusted updates from the vendor;
(c) the device does not include any fixed or hard-coded credential used for remote administration, the delivery of updates, or communication;
(d) an obligation of the vendor of the internet-enabled device, software, or firmware component to notify the competent authority of any known security vulnerabilities;
(e) an obligation of the vendor of the internet-enabled device, software, or firmware component to provide a repair or replacement in respect to any new security vulnerability discovered;
(f) an obligation of the vendor of the internet-enabled device, software, or firmware component to provide information on how the device receives updates, the anticipated timeline for ending security support and a formal notification when such security support has ended.
2. The Agency shall review and, where necessary, amend the requirements referred to in paragraph 1 every two years, and submit any amendments as proposals to the Commission.
3. The Commission shall, by way of implementing acts, decide that the proposed or amended requirements referred to in paragraphs 1 and 2 have general validity within the Union. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 55(2).
4. The Commission shall ensure appropriate publicity for the requirements which have been decided as having general validity in accordance with paragraph 3.
5. The Agency shall collate all proposed requirements and their amendments in a register and shall make them publicly available by way of appropriate means.
2018/02/09
Committee: LIBE
Amendment 125 #
Proposal for a regulation
Article 50 – paragraph 6 – point d
(d) cooperate with other national certification supervisory authorities or other public authorities, such as national Data Protection Supervisory Authorities, including by sharing information on possible non-compliance of ICT products and services with the requirements of this Regulation or specific European cybersecurity certification schemes;
2018/02/09
Committee: LIBE