29 Amendments of Eva MAYDELL related to 2017/0225(COD)
Amendment 133
Proposal for a regulation
Article 2 – paragraph 1 – point 8 a (new)
(8a) “Cyber hygiene” means the establishing of routine measures that users and businesses can take to minimise the risks from cyber threats and protect themselves online.
Amendment 135
Proposal for a regulation
Article 2 – paragraph 1 – point 9
(9) ‘European cybersecurity certification scheme’ means the comprehensive set of rules, technical requirements, standards and procedures defined at Union level applying to the certification of Information and Communication Technology (ICT) hardware and software products and services falling under the scope of that specific scheme;
Amendment 137
Proposal for a regulation
Article 2 – paragraph 1 – point 10
(10) ‘European cybersecurity certificate’ means a document issued by a conformity assessment body attesting that a given ICT product, process, systems or service fulfils the specific requirements laid down in a European cybersecurity certification scheme;
Amendment 141
Proposal for a regulation
Article 2 – paragraph 1 – point 11 a (new)
(11a) “ICT process and system” means a set of procedures integrated in the development, deployment and maintenance of ICT products and services.
Amendment 171
Proposal for a regulation
Article 6 – paragraph 1 – point a
(a) Member States in their efforts to improve the prevention, detection and analysis, and the capacity to respond to, cybersecurity problems and incidents by providing them with the necessary knowledge and expertise, including with a set of cyber hygiene routines to be followed by staff and citizens.
Amendment 195
Proposal for a regulation
Article 9 – paragraph 1 – point e a (new)
(ea) support closer cooperation with Member States on cybersecurity education, awareness and cyber hygiene;
Amendment 224
Proposal for a regulation
Article 43 – paragraph 1
A European cybersecurity certification scheme shall attest that the ICT hardware and software products and services that have been certified in accordance with such scheme comply with specified requirements as regards their ability to resist, at a given level of risk-based assurance, actions that aim to compromise the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the functions or services offered by, or accessible via, those hardware and software products, development and maintenance processes, services and systems.
Amendment 254
4. The Commission, based on the candidate scheme proposed by ENISA, may adopt implementing acts, in accordance with Article 55(1), providing for European cybersecurity certification schemes for ICT hardware and software products and services meeting the requirements of Articles 45, 46 and 47 of this Regulation.
Amendment 255
Proposal for a regulation
Article 44 – paragraph 5
5. ENISA shall maintain a dedicated website providing information on, and publicity of, European cybersecurity certification schemes as well as candidate cybersecurity certification schemes in preparation.
Amendment 258
Proposal for a regulation
Article 45 – paragraph 1 – introductory part
A European cybersecurity certification scheme shall be so designed to take into account, as applicable, the following non-exhaustive list of security objectives:
Amendment 272
Proposal for a regulation
Article 45 – paragraph 1 – point g
(g) ensure that ICT hardware and software products and services are provided with up to date software that does not contain known vulnerabilities, and are provided with mechanisms for secure software updates.
Amendment 276
Proposal for a regulation
Article 46 – title
Risk-Based Assurance levels of European cybersecurity certification schemes
Amendment 291
Proposal for a regulation
Article 46 – paragraph 2 – introductory part
2. The risk-based assurance levels basicelemental, substantial and high shall meet the following criteria respectively:
Amendment 302
(b) risk-based assurance level substantial shall refer to a certificate issued in the context of a European cybersecurity certification scheme, which provides a substantial degree of confidence in the claimed or asserted cybersecurity qualities of an ICT product or service, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls that are generally used at industry level, the purpose of which is to decrease substantially the risk of cybersecurity incidents;
Amendment 309
Proposal for a regulation
Article 46 – paragraph 2 – point c
(c) risk-based assurance level high shall refer to a certificate issued in the context of a European cybersecurity certification scheme, which provides a higher degree of confidence in the claimed or asserted cybersecurity qualities of an ICT product or service than certificates with the assurance level substantial, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls that are generally used at industrial level, the purpose of which is to prevent cybersecurity incidents.
Amendment 317
Proposal for a regulation
Article 47 – paragraph 1 – introductory part
1. A European cybersecurity certification scheme shall include at least the following elements:
Amendment 327
Proposal for a regulation
Article 47 – paragraph 1 – point c
(c) where applicable, one or more risk-based assurance levels;
Amendment 329
Proposal for a regulation
Article 47 – paragraph 1 – point c a (new)
(ca) the applicable conformity assessment procedure and/or self-declaration of conformity
Amendment 330
Proposal for a regulation
Article 47 – paragraph 1 – point c b (new)
(cb) certification requirements defined in a way that certification can be incorporated into or based on the producer’s systematic cybersecurity processes followed during the design, development and lifecycle of the ICT product or service;
Amendment 342
Proposal for a regulation
Article 47 – paragraph 1 – point i
(i) rules concerning the consequences of non-conformity of certified ICT hardware and software products and services with the certification requirements, including general information about the penalties to be incurred as laid down in Article 54 of this Regulation;
Amendment 350
Proposal for a regulation
Article 47 – paragraph 1 – point l
(l) identification of national cybersecurity certification schemes or industry-led methods covering the same type or categories of ICT hardware and software products and services;
Amendment 359
Proposal for a regulation
Article 47 – paragraph 1 – point m a (new)
(ma) the period of validity of the certificate
Amendment 377
Proposal for a regulation
Article 48 – paragraph 3
3. A European cybersecurity certificate pursuant to this Article shall be issued either by self-declaration of conformity or by the conformity assessment bodies referred to in Article 51 on the basis of criteria included in the European cybersecurity certification scheme, adopted pursuant to Article 44.
Amendment 409
Proposal for a regulation
Article 50 – paragraph 6 – point a
(a) monitor and enforce the application of the provisions under this Title at national level and supervise and verify the compliance of the self-declarations of conformity and the cybersecurity certificates that have been issued by conformity assessment bodies established in their respective territories with the requirements set out in this Title and in the corresponding European cybersecurity certification scheme in accordance with the rules adopted by the European Cybersecurity Certification Group pursuant to Article 53(3)(ba);
Amendment 411
Proposal for a regulation
Article 50 – paragraph 6 – point b
(b) monitor, supervise and assess the activities of conformity assessment bodies for the purpose of this Regulation, including in relation to the notification of conformity assessment bodies and the related tasks set out in Article 52 of this Regulation;
Amendment 412
Proposal for a regulation
Article 50 – paragraph 6 – point b a (new)
(ba) scrutinise self-declarations of conformity, and monitor, supervise and assess the activities of firms that issue them for the purpose of this Regulation;
Amendment 415
Proposal for a regulation
Article 50 – paragraph 6 – point c
(c) handle complaints lodged by natural or legal persons in relation to certificates issued by self-declaration and by conformity assessment bodies established in their territories, investigate, to the extent appropriate, the subject matter of the complaint, and inform the complainant of the progress and the outcome of the investigation within a reasonable time period;
Amendment 420
Proposal for a regulation
Article 50 – paragraph 7 – point e
(e) to withdraw, in accordance with national law, certificates that are not compliant with this Regulation or a European cybersecurity certification scheme and inform national accreditation bodies accordingly;
Amendment 433
Proposal for a regulation
Article 53 – paragraph 3 – point a b (new)
(ab) to establish and periodically update a priority list of ICT products and services that urgently require an EU cybersecurity certification scheme;