11 Amendments of Maria da Graça CARVALHO related to 2023/0108(COD)

Amendment 18 #
Proposal for a regulation
Recital 2
(2) Managed security services, which are services consisting of carrying out, or providing assistance for, activities relating to their customers’ cybersecurity risk management, including incident prevention, detection, response or recovery, have gained increasing importance in the prevention and mitigation of cybersecurity incidents. Accordingly, the providers of those services are considered as essential or important entities belonging to a sector of high criticality pursuant to Directive (EU) 2022/2555 of the European Parliament and of the Council8. Pursuant to Recital 86 of that Directive, managed security service providers in areas such as incident response, penetration testing, security audits and consultancy, play a particularly important role in assisting entities in their efforts to prevent, detect, respond to or recover from incidents. Managed security service providers have however also themselves been the target of cyberattacks and pose a particular risk because of their close integration in the operations of their customers. Essential and important entities within the meaning of Directive (EU) 2022/2555 should therefore exercise increased diligence in selecting a managed security service provider.
__________________
8 Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (OJ L 333, 27.12.2022, p. 80).
2023/09/21
Committee: ITRE
Amendment 23 #
Proposal for a regulation
Recital 4 a (new)
(4 a) European certification schemes for managed security services should facilitate the use of these services, particularly for smaller entities, including local and regional authorities or SMEs, which often do not have the financial and human capacity to conduct these services by themselves, but are vulnerable to cyber attacks with potentially significant consequences.
2023/09/21
Committee: ITRE
Amendment 25 #
Proposal for a regulation
Recital 5
(5) In addition to the deployment of ICT products, ICT services or ICT processes, managed security services often provide additional service features that rely on the competences, expertise and experience of their personnel. A very high level of these competences, expertise and experience as well as appropriate internal procedures should be part of the security objectives in order to ensure a very high quality and reliability of the managed security services provided. In order to ensure that all aspects of a managed security service can be covered by a certification scheme, it is therefore necessary to amend Regulation (EU) 2019/881. The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council and delivered an opinion on [DD/MM/YYYY
2023/09/21
Committee: ITRE
Amendment 27 #
Proposal for a regulation
Recital 5 a (new)
(5 a) Given that the European cybersecurity schemes should certify that managed security services are provided by highly-skilled personnel that is able to reliably deliver these services and ensure the highest standards of cybersecurity, it is imperative that there is sufficient availability of highly-qualified personnel in the Union. Yet, the Union is faced with a talent gap, characterized by a shortage of skilled professionals, and a rapidly evolving threat landscape as acknowledged in the Commission communication of 18 April 2023 on the Cybersecurity Skills Academy. It is important to bridge this talent gap by strengthening cooperation and coordination among the different stakeholders, including the private sector, academia, Member States, the Commission and ENISA to scale up and create synergies for the investment in education and training, the development of public-private partnerships, support of research and innovation initiatives, the development and mutual recognition of common standards and certification of cybersecurity skills, including through the European Cyber Security Skills Framework. This should also facilitate the mobility of cybersecurity professionals within the Union.
2023/09/21
Committee: ITRE
Amendment 35 #
Proposal for a regulation
Article 1 – paragraph 1 – point 2 – point b
(14a) ‘managed security service’ means a managed service consisting of carrying out, or providing assistance for, activities relating to cybersecurity risk management, including incident prevention, detection, response, or recovery;
2023/09/21
Committee: ITRE
Amendment 39 #
Proposal for a regulation
Article 1 – paragraph 1 – point 7
Regulation (EU) 2019/881
Article 49 – paragraph 7
(7) in Article 49, paragraph 7 is replaced by the following: 7. The Commission, based on the candidate scheme prepared by ENISA, may adopt implementing acts providing for a European cybersecurity certification scheme for ICT products, ICT services, ICT processes and managed security services which meets the requirements set out in Articles 51, 52 and 54. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 66(2).;
deleted
2023/09/21
Committee: ITRE
Amendment 42 #
Proposal for a regulation
Article 1 – paragraph 1 – point 7 a (new)
Regulation (EU) 2019/881
Article 49 – paragraph 7a (new)
(7 a) the following paragraph is inserted: '7a. The Commission, based on the candidate scheme prepared by ENISA, may adopt delegated acts providing for a European cybersecurity certification scheme for managed security services which meets the requirements set out in Articles 51, 52, and 54. Those delegated acts shall be adopted in accordance with the procedure referred to in Article 66a.'
2023/09/21
Committee: ITRE
Amendment 43 #
Proposal for a regulation
Article 1 – paragraph 1 – point 9
Regulation (EU) 2019/881
Article 51a – paragraph 1 – point b
(b) ensure that the provider has appropriate internal procedures in place to ensure that the managed security services are provided at a very high level of quality and reliability at all times;
2023/09/21
Committee: ITRE
Amendment 44 #
Proposal for a regulation
Article 1 – paragraph 1 – point 9
Regulation (EU) 2019/881
Article 51a – paragraph 1 – point g
(g) ensure that the ICT products, ICT services and ICT processes [and the hardware] deployed in the provision of the managed security services are secure by default and by design, are provided with up-to-date software and hardware, do not contain known vulnerabilities and include the latest security updates;
2023/09/21
Committee: ITRE
Amendment 46 #
Proposal for a regulation
Article 1 – paragraph 1 – point 13 – point b – point ii – point aa
Regulation (EU) 2019/881
Article 56 – paragraph 3 – third subparagraph – point a
(a) take into account the impact of the measures on the manufacturers or providers of such ICT products, ICT services, ICT processes or managed security services and on the users in terms of the cost of those measures and the societal or economic benefits stemming from the anticipated enhanced level of security for the targeted ICT products, ICT services, ICT processes or managed security services, including SMEs. The Commission shall ensure that SMEs have access to appropriate financial support in the implementation of the measures through already existing Union programmes;
2023/09/21
Committee: ITRE
Amendment 48 #
Proposal for a regulation
Article 1 – paragraph 1 – point 16 a (new)
Regulation (EU) 2019/881
Article 66a (new)
(16 a) The following Article is inserted:
Article 66a (new)
Exercise of the delegation
1. The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.
2. The power to adopt delegated acts referred to in Article 49 (7a) shall be conferred on the Commission for a period of 5 years from … [date of entry into force of the basic legislative act or any other date set by the co-legislators]. The Commission shall draw up a report in respect of the delegation of power not later than nine months before the end of the 5 year period. The delegation of power shall be tacitly extended for periods of an identical duration, unless the European Parliament or the Council opposes such extension not later than three months before the end of each period.
3. The delegation of power referred to in Article 49 (7a) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.
4. Before adopting a delegated act, the Commission shall consult experts designated by each Member State in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making.
5. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.
6. A delegated act adopted pursuant to Article 49 (7a) shall enter into force only if no objection has been expressed either by the European Parliament or by the Council within a period of two months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by [two months] at the initiative of the European Parliament or of the Council.
2023/09/21
Committee: ITRE