35 Amendments of Philippe JUVIN related to 2017/0225(COD)
Amendment 54 #
Proposal for a regulation
Recital 2
Recital 2
(2) The use of network and information systems by citizens, businesses and governments across the Union is now pervasive. Digitisation and connectivity are becoming core features in an ever growing number of products and services and with the advent of the Internet of Things (IoT) millions, if not billions, of connected digital devices are expected to be deployed across the EU during the next decade. While an increasing number of devices are connected to the Internet, security and resilience are not sufficiently built in by design, leading to insufficient cybersecurity. In this context, the limited use of certification leads to insufficient information for organisational and individual users about the cybersecurity features of ICT products and services, undermining the trust in digital solutions that is essential for establishment of the digital single market.
Amendment 57 #
Proposal for a regulation
Recital 3
Recital 3
(3) Increased digitisation and connectivity lead to considerably increased cybersecurity risks, thus making society at large more vulnerable to cyber threats and exacerbating dangers faced by individuals, including vulnerable persons such as children. In order to mitigate this risk to society, all necessary actions need to be taken to improve cybersecurity in the EU to better protect network and information systems, telecommunication networks, digital products, services and devices used by citizens, governments and business – from SMEs to operators of critical infrastructures – from cyber threats.
Amendment 61 #
Proposal for a regulation
Recital 5
Recital 5
(5) In light of the increased cybersecurity challenges faced by the Union, there is a need for a comprehensive set of measures that would build on previous Union action and foster mutually reinforcing objectives. These include the need to further increase capabilities and preparedness of Member States and businesses, as well as to improve cooperation and coordination across Member States and EU institutions, agencies and bodies. Furthermore, given the borderless nature of cyber threats, there is a need to increase capabilities at Union level that could complement the action of Member States, in particular in the case of large scale cross-border cyber incidents and crises. Additional efforts are also needed to increase awareness of citizens and businesses on cybersecurity issues. Moreover, the trust in the digital single market should be further improved by offering transparent information on the level of security of ICT products and services. This can be facilitated by standardised EU- wide certification providing common cybersecurity requirements and evaluation criteria across national markets and sectors.
Amendment 64 #
Proposal for a regulation
Recital 11
Recital 11
(11) Given the increasing cybersecurity threats and challenges the Union is facing, the financial and human resources allocated to the Agency should be increased to reflect its enhanced role and tasks, and its critical position in the ecosystem of organisations defending the European digital ecosystem.
Amendment 86 #
Proposal for a regulation
Recital 48
Recital 48
(48) CEuropean cybersecurity certification plays an importantessential role in increasing trust and security in ICT products and services. The digital single market, and particularly the data economy and the Internet of Things, can only thrive if there is general public trust that such products and services provide a certainhigh level of cybersecurity assurance. Connected and automated cars, electronic medical devices, industrial automation control systems or smart grids are only some examples of sectors in which certification is already widely used or is likely to be used in the near future. The sectors regulated by the NIS Directive are also sectors in which cybersecurity certification is critical.
Amendment 92 #
Proposal for a regulation
Recital 52
Recital 52
(52) In view of the above, it is necessary to adopt a common approach and establish a European cybersecurity certification framework laying down the main horizontal requirements for European cybersecurity certification schemes to be developed and allowing certificates for ICT products and services to be recognised and used in all Member States. The European framework should have a twofold purpose: on the one hand, it should help increase trust in ICT products and services that have been certified according to such schemes. On the other hand, it should avoid the multiplication of conflicting or overlapping national cybersecurity certifications and thus reduce costs for undertakings operating in the digital single market. The schemes should be non-discriminatory and based on international and / or Union standards, unless those standards are ineffective or inappropriate to fulfil the EU’s legitimate objectives in that regard.
Amendment 93 #
Proposal for a regulation
Recital 52 a (new)
Recital 52 a (new)
(52a) The European cybersecurity certification framework should be established in a uniform manner in all Member States in order to prevent ‘certification shopping’ based on differences in costs or levels of stringency between Member States.
Amendment 106 #
Proposal for a regulation
Recital 56
Recital 56
(56) The Commission should be empowered to request ENISA to prepare candidate schemes for specific ICT products or services. The Commission, based on the candidate scheme proposed by ENISA, should then be empowered to adopt the European cybersecurity certification scheme by means of implementing acts. Taking account of the general purpose and security objectives identified in this Regulation, European cybersecurity certification schemes adopted by the Commission should specify a minimum set of elements concerning the subject-matter, the scope and functioning of the individual scheme. These should include among others the scope and object of the cybersecurity certification, including the categories of ICT products and services covered, the detailed specification of the cybersecurity requirements, for example by reference to standards or technical specifications, the specific evaluation criteria and evaluation methods, as well as the intended level of assurance: basic, substantial and/or high. The security requirements should depend on the risk resulting from the ICT product or service.
Amendment 116 #
Proposal for a regulation
Recital 57
Recital 57
(57) Recourse to European cybersecurity certification should remain voluntary, except for ICT products and services with high security requirements and unless otherwise provided in Union or national legislation. However, with a view to achieving the objectives of this Regulation and avoiding the fragmentation of the internal market, national cybersecurity certification schemes or procedures for the ICT products and services covered by a European cybersecurity certification scheme should cease to produce effects from the date established by the Commission by means of the implementing act. Moreover, Member States should not introduce new national certification schemes providing cybersecurity certification schemes for ICT products and services already covered by an existing European cybersecurity certification scheme.
Amendment 121 #
Proposal for a regulation
Recital 58
Recital 58
(58) Once a European cybersecurity certification scheme is adopted, manufacturers of ICT products or providers of ICT services should be able to submit an application for certification of their products or services to a conformity assessment body of their choice. Products and services with high security requirements shall be subject to mandatory third-party certification. For all other ICT products and services, third- party certification shall be voluntary, unless otherwise specified in Union law. Conformity assessment bodies should be accredited by an accreditation body if they comply with certain specified requirements set out in this Regulation. Accreditation should be issued for a maximum of five years and may be renewed on the same conditions provided that the conformity assessment body meets the requirements. Accreditation bodies should revoke an accreditation of a conformity assessment body where the conditions for the accreditation are not, or are no longer, met or where actions taken by a conformity assessment body infringe this Regulation.
Amendment 155 #
Proposal for a regulation
Article 4 – paragraph 7
Article 4 – paragraph 7
7. The Agency shall promote a high level of information for, and awareness of, citizens and businesses on issues related to the cybersecurity.
Amendment 222 #
Proposal for a regulation
Article 43 – paragraph 1
Article 43 – paragraph 1
A European cybersecurity certification scheme shall be established in order to boost the level of security within the digital single market and adopt a harmonised approach, at EU level, to European certification, with a view to ensuring that ICT products, services and systems are resistant to cyber-attacks. It shall attest that the ICT products and services that have been certified in accordance with such scheme comply with specified common requirements as regards their ability to resist at a given level of assurance, actions that aim to compromise the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the functions or services offered by, or accessible via, those products, processes, services and systems.
Amendment 240 #
Proposal for a regulation
Article 44 – paragraph 2
Article 44 – paragraph 2
2. When preparing candidate schemes referred to in paragraph 1 of this Article, ENISA shall take into account already existing national and international standards. ENISA shall consult all relevant stakeholders and closely cooperate with the Group. The Group shall provide ENISA with the assistance and expert advice required by ENISA in relation to the preparation of the candidate scheme, including by providing opinions where necessary.
Amendment 256 #
Proposal for a regulation
Article 44 – paragraph 5 a (new)
Article 44 – paragraph 5 a (new)
5a. ENISA requires a branch office in Brussels, to monitor the work on EU certification closely and to work in close contact with Commission and Parliament to establish European common standards on cybersecurity.
Amendment 261 #
Proposal for a regulation
Article 45 – paragraph 1 – introductory part
Article 45 – paragraph 1 – introductory part
A European cybersecurity certification scheme shall be so designed to take into account, as applicable, the following security objectives:
Amendment 277 #
Proposal for a regulation
Article 46 – title
Article 46 – title
Amendment 281 #
Proposal for a regulation
Article 46 – paragraph 1
Article 46 – paragraph 1
1. A European cybersecurity certification scheme may specify one or more of the following assurance levelsecurity requirements: basic, substantial and/or high, for ICT products and services issued under that scheme. The security requirements shall be defined following a risk-based approach and taking into account the intended use of the ICT product or service.
Amendment 292 #
Proposal for a regulation
Article 46 – paragraph 2 – introductory part
Article 46 – paragraph 2 – introductory part
2. The assurance levelsecurity requirements basic, substantial and high shall meet the following criteria respectively:
Amendment 298 #
Proposal for a regulation
Article 46 – paragraph 2 – point a
Article 46 – paragraph 2 – point a
(a) assurance levelsecurity requirement basic shall refer to a certificate issued in the context of a European cybersecurity certification scheme, which provides a limited degree of confidence in the claimed or asserted cybersecurity qualities of an ICT product or service, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to decrease the risk of cybersecurity incidents;
Amendment 303 #
Proposal for a regulation
Article 46 – paragraph 2 – point b
Article 46 – paragraph 2 – point b
(b) assurance levelsecurity requirement substantial shall refer to a certificate issued in the context of a European cybersecurity certification scheme, which provides a substantial degree of confidence in the claimed or asserted cybersecurity qualities of an ICT product or service, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to decrease substantially the risk of cybersecurity incidents;
Amendment 308 #
Proposal for a regulation
Article 46 – paragraph 2 – point c
Article 46 – paragraph 2 – point c
(c) assurance levelsecurity requirement high shall refer to a certificate issued in the context of a European cybersecurity certification scheme, which provides a higher degree of confidence in the claimed or asserted cybersecurity qualities of an ICT product or service than certificates with the assurance levelsecurity requirement substantial, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to prevent cybersecurity incidents. This shall especially apply to critical infrastructure products and services.
Amendment 312 #
Proposal for a regulation
Article 46 – paragraph 2 a (new)
Article 46 – paragraph 2 a (new)
2a. As regards assurance levels substantial and high, the ethical hacking method may be used by national conformity control bodies.
Amendment 328 #
Proposal for a regulation
Article 47 – paragraph 1 – point c
Article 47 – paragraph 1 – point c
(c) where applicable, one or more assurance levelsecurity requirements;
Amendment 338 #
Proposal for a regulation
Article 47 – paragraph 1 – point h
Article 47 – paragraph 1 – point h
(h) conditions for granting, maintaining, continuing, renewing, extending and reducing the scope of certification;
Amendment 352 #
Proposal for a regulation
Article 47 – paragraph 1 – point l
Article 47 – paragraph 1 – point l
(l) identification of national or international cybersecurity certification schemes covering the same type or categories of ICT products and services;
Amendment 357 #
Proposal for a regulation
Article 47 – paragraph 1 – point m a (new)
Article 47 – paragraph 1 – point m a (new)
(ma) the maximum period of validity of certificates.
Amendment 370 #
Proposal for a regulation
Article 48 – paragraph 2
Article 48 – paragraph 2
2. The certification shall be mandatory for those products and services that fall under a high security requirement. For all other ICT products and services, certification shall be voluntary, unless otherwise specified in Union law.
Amendment 379 #
Proposal for a regulation
Article 48 – paragraph 4 – introductory part
Article 48 – paragraph 4 – introductory part
4. By the way of derogation from paragraph 3, in duly justified cases a particular European cybersecurity certification scheme may provide that a European cybersecurity certificate resulting from that scheme can only be issued by a public body. Such public body shall be one of the following:
Amendment 385 #
Proposal for a regulation
Article 48 – paragraph 6
Article 48 – paragraph 6
6. Certificates shall be issued for a maximum period of three yearsime as defined by the European cybersecurity certification scheme and may be renewed, under the same conditions, provided that the relevant requirements continue to be met.
Amendment 388 #
Proposal for a regulation
Article 48 – paragraph 7 a (new)
Article 48 – paragraph 7 a (new)
Amendment 389 #
Proposal for a regulation
Article 48 – paragraph 7 b (new)
Article 48 – paragraph 7 b (new)
7b. That expert group shall have at least the following powers: - to ask for any information from national conformity assessment bodies and holders of European cybersecurity certificates; - to check compliance with the requirements laid down in Title III of this Regulation; - to take appropriate measures to ensure that national conformity assessment bodies and holders of European cybersecurity certificates comply with the European cybersecurity certification system; - to access the premises of national conformity assessment bodies and holders of European certificates in accordance with the Member States’ law and EU law; - to revoke certificates that do not comply with this Regulation or a European cybersecurity certification scheme; - to revoke the accreditation of national conformity assessment bodies which do not comply with this Regulation.
Amendment 419 #
Proposal for a regulation
Article 50 – paragraph 7 – point c a (new)
Article 50 – paragraph 7 – point c a (new)
(ca) - to revoke the accreditation of the national conformity assessment bodies referred to in Article 51 which do not comply with this Regulation;
Amendment 421 #
Proposal for a regulation
Article 50 – paragraph 7 – point f a (new)
Article 50 – paragraph 7 – point f a (new)
(fa) to suggest experts who could be part of the independent expert group referred to in Article 48(8).
Amendment 431 #
Proposal for a regulation
Article 52 – paragraph 1
Article 52 – paragraph 1
1. For each European cybersecurity certification scheme adopted pursuant Article 44, national certification supervisory authorities shall notify the Commission of the accredited conformity assessment bodies accredited to issue certificates at specified assurance levelsecurity requirements as referred to in Article 46 and, without undue delay, of any subsequent changes thereto.
Amendment 438 #
Proposal for a regulation
Article 53 – paragraph 3 – point f a (new)
Article 53 – paragraph 3 – point f a (new)
(fa) to decide on the composition of the independent-expert group referred to in Article 48(8) of this Regulation.