30 Amendments of Gesine MEISSNER related to 2017/0225(COD)
Amendment 94 #
Proposal for a regulation
Recital 3
Recital 3
(3) Increased digitisation and connectivity lead to increased cybersecurity risks, thus making society at large more vulnerable to cyber threats and exacerbating dangers faced by individuals, including vulnerable persons such as children. In order to mitigate this risk to society, all necessary actions need to be taken to improve cybersecurity in the EU to better protect network and information systems, telecommunication networks, digital products, services and devices used by citizens, governments and business – from SMEs to operators of critical infrastructures – from cyber threats. In this respect the Digital Education Action Plan published by the European Commission on 17 January 2018 is a step in the right direction, in particular the EU-wide awareness-raising campaign targeting educators, parents and learners to foster online safety, cyber hygiene and media literacy as well as the cyber-security teaching initiative building on the Digital Competence Framework for Citizens, to empower people to use technology confidently and responsibly.
Amendment 105 #
Proposal for a regulation
Recital 5 a (new)
Recital 5 a (new)
(5 a) Businesses as well as individual consumers should have accurate information regarding the level of security of their ICT products. At the same time, it has to be understood that no product is cyber secure and that basic rules of cyber hygiene have to be promoted and prioritized.
Amendment 108 #
Proposal for a regulation
Recital 8
Recital 8
(8) It is recognised that, since the adoption of the 2013 EU Cybersecurity Strategy and the last revision of the Agency's mandate, the overall policy context has changed significantly, also in relation to a more uncertain and less secure global environment. In this context and in the context of the positive role the Agency has played over the years in pooling of expertise, coordination, capacity building and within the framework of the new Union cybersecurity policy, it is necessary to review the mandate of ENISA to define its role in the changed cybersecurity ecosystem and ensure it contributes effectively to the Union's response to cybersecurity challenges emanating from this radically transformed threat landscape, for which, as recognised by the evaluation of the Agency, the current mandate is not sufficient.
Amendment 112 #
Proposal for a regulation
Recital 12 a (new)
Recital 12 a (new)
(12 a) The role of the Agency should be subject to continuous assessment and timely review, in particular its coordinating role vis-à-vis the Member States and their national authorities, the eventual possibility of acting as a One- Stop-Shop for Member States and EU bodies and institutions. The Agency´s role in the avoidance of fragmentation of the internal market and the possible introduction of mandatory cybersecurity certification schemes, should the situation in the future require such a shift, should also be assessed as well as the Agency´s role in respect of the assessment of third country products entering the EU market and the possible blacklisting of companies which do not comply with EU criteria.
Amendment 116 #
Proposal for a regulation
Recital 15
Recital 15
(15) The Agency should assist the Member States and Union institutions, bodies, offices and agencies in their efforts to build and enhance capabilities and preparedness to prevent, detect and respond to cybersecurity problems and incidents and in relation to the security of network and information systems. In particular, the Agency should support the development and enhancement of national CSIRTs, with a view of achieving a high common level of their maturity in the Union. The Agency should also assist with the development and update of Union and Member States strategies on the security of network and information systems, in particular on cybersecurity, promote their dissemination and track progress of their implementation. The Agency should also offer trainings and training material to public bodies, and where appropriate "train the trainers" with a view to assisting Member States in developing their own training capabilities. The Agency should also serve as a contact point for Member States and Union institutions, who should be able to request an assistance of the Agency within the competences and roles assigned to it.
Amendment 129 #
Proposal for a regulation
Recital 28
Recital 28
(28) The Agency should contribute towards raising the awareness of the public about risks related to cybersecurity and provide guidance on good practices for individual users aimed at citizens and organisations. The Agency should also contribute to promote best practices and solutions at the level of individuals and organisations by collecting and analysing publicly available information regarding significant incidents, and by compiling reports with a view to providing guidance to businesses and citizens and improving the overall level of preparedness and resilience. The Agency should furthermore organise, in line with the Digital Education Action Plan and in cooperation with the Member States and the Union institutions, bodies, offices and agencies regular outreach and public education campaigns directed to end-users, aiming at promoting safer individual online behaviour and raising awareness of potential threats in cyberspace, including cybercrimes such as phishing attacks, botnets, financial and banking fraud, as well as promoting basic authentication and data protection advice. The Agency should play a central role in accelerating end-user awareness on security of devices.
Amendment 161 #
Proposal for a regulation
Recital 47
Recital 47
(47) Conformity assessment is the process demonstrating whether specified requirements relating to a product, process, service, system, person or body have been fulfilled. For the purposes of this Regulation, certification should be considered as a type of conformity assessment regarding the cybersecurity features of a product, process, service, system, or a combination of those ("ICT products and services") by an independent third party, other than the product manufacturer or service provider. Certification cannot guarantee per se that certified ICT products and services are cyber secure. It is rather a procedure and technical methodology to attest that ICT products and services have been tested and that they comply with certain cybersecurity requirements laid down elsewhere, for example as specified in technical standards. Undertakings should also ensure the security by design and by default of their ICT products and services taking into account the state of the art.
Amendment 164 #
Proposal for a regulation
Recital 48 a (new)
Recital 48 a (new)
(48 a) Despite the fact that it is not possible to foresee future technology and market developments, producers should take into account all known threats when developing their products. Producers should also be liable for the quality of a product put on the EU market, including cyber resilience. At the same time, consumers should assume their share of responsibility by following basic rules of cyber hygiene, which could significantly reduce the number of human errors in the field of cybersecurity.
Amendment 166 #
Proposal for a regulation
Recital 50
Recital 50
(50) Currently, the cybersecurity certification of ICT products and services is used only to a limited extent. When it exists, it mostly occurs at Member State level or in the framework of industry driven schemes. In this context, a certificate issued by one national cybersecurity authority is not in principle recognised by other Member States. Companies thus may have to certify their products and services in several Member States where they operate, for example with a view to participating in national procurement procedures. Moreover, while new schemes are emerging, there seems to be no coherent and holistic approach with regard to horizontal cybersecurity issues, for instance in the field of the Internet of Things. Existing schemes present significant shortcomings and differences in terms of product coverage, levels of assurance, substantive criteria and actual utilisation. Mutual recognition and trust among Member States is a key element in this respect. ENISA has an important role to play in helping the Member States develop a solid institutional structure and expertise in protection against potential cyber attacks.
Amendment 172 #
Proposal for a regulation
Recital 53 a (new)
Recital 53 a (new)
(53 a) The Agency and the Commission should make the best use of already existing certification schemes on the EU and / or international level. ENISA should be able to assess which schemes already in use are fit for purpose and can be brought in the European legislation in cooperation with EU standardisation organisations and, as far as possible, internationally recognised. Existing good practices should be collected and shared among Member States.
Amendment 237 #
Proposal for a regulation
Article 2 – paragraph 1 – point 16 a (new)
Article 2 – paragraph 1 – point 16 a (new)
Amendment 247 #
Proposal for a regulation
Article 4 – paragraph 2
Article 4 – paragraph 2
2. The Agency shall assist the Union institutions, agencies and bodies, as well as Member States, in developing and implementing policies related to cybersecurity and raising awareness among citizens and businesses.
Amendment 261 #
Proposal for a regulation
Article 4 – paragraph 6
Article 4 – paragraph 6
6. The Agency shall promote the use of certification, including by contributing to the establishment and maintenance of a cybersecurity certification framework at Union level in accordance with Title III of this Regulation, with a view to increasing transparency of cybersecurity assurance of ICT products and services, reducing fragmentation of the internal market and thus strengthen trust in the digital internal market.
Amendment 340 #
Proposal for a regulation
Article 8 – paragraph 1 – point b
Article 8 – paragraph 1 – point b
(b) facilitate the establishment and take-up of European and/ or international standards for risk management and for the security of ICT products and services, as well as draw up, in collaboration with Member States, advice and guidelines regarding the technical areas related to the security requirements for operators of essential services and digital service providers, as well as regarding already existing standards, including Member States' national standards, pursuant to Article 19(2) of Directive (EU) 2016/1148 and share this information among Member States;
Amendment 390 #
Proposal for a regulation
Article 20 a (new)
Article 20 a (new)
Article 20 a Consultation Forum The Commission, together with the Agency ,shall ensure that, in the conduct of its activities, it observes, in respect of each implementing measure, a balanced participation of Member States’ representatives and all interested parties concerned with the product or product group in question, such as industry, including SMEs, trade unions, traders, retailers, importers, environmental protection groups and consumer and end- user organisations. These parties shall meet in a Consultation Forum. The outcome of this forum may lead to an impetus for proposal of a candidate scheme. The rules of procedure of the Forum shall be established by the Commission.
Amendment 391 #
Proposal for a regulation
Article 21 a (new)
Article 21 a (new)
Article 21 a Request to the Agency 1. The Agency should establish and manage a single entry point through which requests for advice and assistance falling within the Agency’s objectives and tasks shall be addressed. These requests should be accompanied by background information explaining the issue to be addressed. Agency should draw up the potential resource implications, and, in due course, follow-up to the requests. If the Agency refuses a request, it shall give a justification. 2. Requests referred to in paragraph 1 may be made by: a) the European Parliament b) the Council c) the Commission d) any competent body appointed by a Member State, such as a national regulatory authority defined in Article 2 of Directive 2002/21/EC. 3. The practical arrangements for applying paragraphs 1 and 2, regarding in particular submission, prioritisation, follow-up and information, shall be laid down by the Management Board in the Agency’s internal rules of operation.
Amendment 426 #
Proposal for a regulation
Article 44 – paragraph 2
Article 44 – paragraph 2
2. When preparing candidate schemes referred to in paragraph 1 of this Article, ENISA shall consult all relevant stakeholders as requested under Article 20 a and closely cooperate with the Group. The Group shall provide ENISA with the assistance and expert advice required by ENISA in relation to the preparation of the candidate scheme, including by providing opinions where necessary.
Amendment 443 #
Proposal for a regulation
Article 44 – paragraph 5 a (new)
Article 44 – paragraph 5 a (new)
5a. Adopted schemes shall be reviewed and if necessary updated on regular basis in cooperation with relevant stakeholders and the Group within the structure established under this regulation.
Amendment 484 #
Proposal for a regulation
Article 46 – paragraph 2 – point a
Article 46 – paragraph 2 – point a
(a) certificate assurance level basic shall refer to a certificatcorrespond to the iassued in the context of a European cybersecurity certification scheme, which provides a limited degree of confidence in the claimed or asserted cybersecurity qualities of an ICT product or service, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to decrease the risk of cybersecurity incidentsessment by a third party that the basic risks of cyber incidents for ICT processes, products or services are covered;
Amendment 490 #
Proposal for a regulation
Article 46 – paragraph 2 – point a a (new)
Article 46 – paragraph 2 – point a a (new)
(aa) This assessment shall include the review of the technical documentation of the ICT product, service or process;
Amendment 494 #
Proposal for a regulation
Article 46 – paragraph 2 – point b
Article 46 – paragraph 2 – point b
(b) certificate assurance level substantial shall refer to a certificatcorrespond to the iassued in the context of a European cybersecurity certification scheme, which provides a substantial degree of confidence in the claimed or asserted cybersecurity qualities of an ICT product or service, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to decrease substantially the risk of cybersecurity incidentsessment by a third party that the substantial risks of cyber incidents for ICT processes, products or services are covered;
Amendment 499 #
Proposal for a regulation
Article 46 – paragraph 2 – point b a (new)
Article 46 – paragraph 2 – point b a (new)
(ba) This assessment shall include the review of the technical documentation and the testing of the security functionalities implemented, in accordance with the requirements set out in the technical documentation;
Amendment 503 #
Proposal for a regulation
Article 46 – paragraph 2 – point c
Article 46 – paragraph 2 – point c
(c) assurance level high shall refer to a certificate issued in the context of a European cybersecurity certification scheme, wcertification assurance hicgh provides a higher degree of confidence in the claimed or asserted cybersecurity qualities of an ICT product or service than certificates with the assurance level substantial, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to prevent cybersecurity incidents.shall correspond to the assessment by a third party that high risks of cyber incidents for ICT processes, products or services are covered;
Amendment 509 #
Proposal for a regulation
Article 46 – paragraph 2 – point c a (new)
Article 46 – paragraph 2 – point c a (new)
(ca) This assessment shall include the review of the technical documentation, the testing of the security functionalities implemented, in accordance with the requirements set out in the technical documentation and the assessment of the resistance of the ICT processes, products or services to skilled attackers having significant to unlimited resources, through penetration testing.
Amendment 519 #
Proposal for a regulation
Article 47 – paragraph 1 – point b
Article 47 – paragraph 1 – point b
(b) detailed specification of the cybersecurity requirements against which the specific ICT products and services are evaluated, for example by reference to Union and / or international standards or technical specifications. Already existing international standards should be taken into account;
Amendment 525 #
Proposal for a regulation
Article 47 – paragraph 1 – point c
Article 47 – paragraph 1 – point c
(c) where applicable, one or more assurance levels taking into account inter- alia a risk-based approach;
Amendment 546 #
Proposal for a regulation
Article 47 – paragraph 4 a (new)
Article 47 – paragraph 4 a (new)
4a. Certification schemes may be in particular created for those product groups mentioned in Annex I of this regulation.
Amendment 615 #
Proposal for a regulation
Article 53 – paragraph 3 a (new)
Article 53 – paragraph 3 a (new)
3a. (g) to establish a peer review process. This process shall have regard in particular to the required technical expertise of NCSAS in the fulfilment of their tasks, as described in article 48 and 50, and include when necessary the development of guidance and best practice documents to improve compliance of the NCSAs with this Regulation.
Amendment 617 #
Proposal for a regulation
Article 53 – paragraph 3 b (new)
Article 53 – paragraph 3 b (new)
3b. (h) to supervise the surveillance and maintenance of a certificate.
Amendment 625 #
Proposal for a regulation
Title 4 a (new)
Title 4 a (new)
ANNEX 1 new Upon launching the EU cybersecurity certification framework it is likely that attention focuses on areas of imminent interest to rise to the challenge posed by emerging technologies. The area of the Internet of Things is of particular interest as it cuts across consumer as well as industry requirements. The following priority list for adoption into the certification framework is proposed: (1) Certification of cloud service provision. (2) Certification of IoT devices including: a. devices at individual level, such as smart wearables; b. devices at community level, such as smart cars, smart homes, health devices; c. devices at society level such as smart cities and smart grids. (3) Industry 4.0 involving intelligent, interconnected cyber-physical systems that automate all phases of industrial operations, spanning from design and manufacturing to operation, supply chain and service maintenance. (4) Certification of technologies and products exploited in every-day life. Such an example could be networking devices, such as home internet routers.