Progress: Procedure completed, awaiting publication in Official Journal
Role | Committee | Rapporteur | Shadows |
---|---|---|---|
Lead | ITRE | CUTAJAR Josianne ( S&D) | TOŠENOVSKÝ Evžen ( ECR) |
Committee Opinion | IMCO | ||
Committee Opinion | LIBE |
Lead committee dossier:
Legal Basis:
T, r, e, a, t, y, , o, n, , t, h, e, , F, u, n, c, t, i, o, n, i, n, g, , o, f, , t, h, e, , E, U, , T, F, E, U, , 1, 1, 4
Legal Basis:
T, r, e, a, t, y, , o, n, , t, h, e, , F, u, n, c, t, i, o, n, i, n, g, , o, f, , t, h, e, , E, U, , T, F, E, U, , 1, 1, 4Subjects
Events
The European Parliament adopted by 53 votes to 5, with 33 abstentions, a legislative resolution on the proposal for a regulation of the European Parliament and of the Council amending Regulation (EU) 2019/881 as regards managed security services.
The European Parliament’s position adopted at first reading under the ordinary legislative procedure amends the proposal as follows:
Subject matter
The proposed Regulation aims to enable the adoption of European cybersecurity certification schemes for managed security services. The definition of managed security services under this Regulation includes a non-exhaustive list of managed security services that could qualify for certification schemes, such as incident handling, penetration testing, security audits, and consulting related to technical support.
European certification schemes for managed security services should lead to the uptake of those services and to increased competition between providers offering managed security services. Without prejudice for the objective of ensuring sufficient and appropriate levels of relevant technical knowledge and professional integrity of such providers, certification schemes should, therefore, facilitate market entry and the offering of managed security services, by simplifying, to the extent possible, the potential regulatory, administrative and financial burden that providers, especially microenterprises or small and medium-sized enterprises (SMEs), could encounter when offering managed security services.
Additionally, in order to encourage the uptake of, and stimulate the demand for, managed security services, the schemes should contribute to the accessibility thereof, especially for smaller actors, such as microenterprises and SMEs, as well as local and regional authorities which have limited capacity and resources, but which are more prone to cybersecurity breaches with financial, legal, reputational, and operational implications.
The Union certification scheme for managed security services should contribute to the availability of secure and high-quality services which guarantee a safe digital transition and to the achievement of targets set up in the Digital Decade Policy Programme, especially with regard to the goal that 75% of Union undertakings start using Cloud, AI or Big Data, that more than 90% of microenterprises and SMEs reach at least a basic level of digital intensity and that key public services are offered online.
Preparation, adoption and review of a European cybersecurity certification scheme
Following a request from the Commission, ENISA will prepare a candidate scheme that meets the applicable requirements set out in the Regulation. Following a request from the European Cybersecurity Certification Group (ECCG) may prepare a candidate scheme that meets the applicable requirements. If ENISA rejects such a request, it will have to give reasons for its refusal. Any decision to reject such an application will be taken by the Management Board.
When preparing a candidate scheme, ENISA should consult all relevant stakeholders in a timely manner through a formal, open, transparent and inclusive consultation process. For each candidate scheme, ENISA should set up an ad hoc working group to provide specific advice and expertise. The ad hoc working groups set up for this purpose should include, where appropriate, experts from Member States' public administrations, EU institutions, bodies, offices and agencies and the private sector.
Information and consultation on the European cybersecurity certification schemes
The Commission should make the information on its request to ENISA to prepare a candidate scheme. During the preparation of a candidate scheme by ENISA, the European Parliament as well as the Council may request the Commission in its capacity as chair of the European Cybersecurity Certification Group (ECCG) and ENISA to present relevant information on a draft candidate scheme on a quarterly basis. Upon the request of the European Parliament or the Council, ENISA, in agreement with the Commission, may make available to the European Parliament and to the Council relevant parts of a draft candidate scheme in a manner appropriate to the confidentiality level required, and where appropriate in a restricted manner.
In order to enhance the dialogue between the Union institutions and to contribute to a formal, open, transparent and inclusive consultation process, the European Parliament as well as the Council may invite the Commission and ENISA to discuss matters concerning the functioning of European cybersecurity certification schemes for ICT products, ICT services, ICT processes or managed security services.
A new annex contains the requirements to be met by conformity assessment bodies wishing to be accredited.
In a statement , the Commission recalled that it is recognised that a thorough review of the Cybersecurity Regulation is of the utmost importance, including the evaluation of the procedures leading to the development, adoption and review of European cybersecurity certification schemes.
This review should be based on a deep analysis and broad consultation on the impact, effectiveness and efficiency of the functioning of the European cybersecurity certification framework. The analysis carried out as part of the evaluation established in Article 67 of the Cybersecurity Act should include on-going scheme development activities, such as the one concerning European cybersecurity certification scheme for cloud services (EUCS) as well as those of adopted schemes such as the one concerning the European Common Criteria-based cybersecurity certification scheme (EUCC).
Accordingly, the Commission, which is responsible for the review of the Cybersecurity Act, should ensure that the review takes into account as appropriate the necessary elements mentioned in light of Article 67 when presenting the review to the co-legislators.
Text adopted by Parliament, 1st reading/single reading
The Committee on Industry, Research and Energy adopted the report by Josianne CUTAJAR (S&D, MT) on the proposal for a regulation of the European Parliament and of the Council amending Regulation (EU) 2019/881 as regards managed security services.
The committee responsible recommended that the European Parliament's position adopted at first reading under the ordinary legislative procedure should amend the proposal as follows:
Changes to the definition of managed security service
The report stated that managed security services, which are services consisting of carrying out, or providing assistance for, activities relating to their customers’ cybersecurity risk management, including detection, response to or recovery from incidents, have gained increasing importance in the prevention and mitigation of cybersecurity incidents. The activities of the providers of managed security services consist of services relating to prevention, identification, protection, detection, analysis, containment, response and recovery, including, but not limited to, cyber threat intelligence provision, real time threat monitoring through proactive techniques, including security-by-design, risk assessment, extended detection, remediation and response.
The Union rolling work programme for European cybersecurity certification
According to Members, the Union rolling work programme should include a list of ICT products, ICT services and ICT processes or categories thereof, and managed security services, that are capable of benefiting from being included in the scope of a European cybersecurity certification scheme. In that context, the Commission should include an in-depth assessment of existing training paths to bridge identified skills gaps and a list of proposals for addressing the needs for skilled employees and types of skills.
SMEs
Members considered that the Commission should ensure appropriate financial support in the regulatory framework of existing Union programmes, in particular in order to ease the financial burden on microenterprises and SMEs, including start-ups acting in the field of managed security services.
Evaluation and review
By 28 June 2024, and every three years thereafter, the Commission should assess the impact, effectiveness and efficiency of ENISA and of its working practices, the possible need to modify ENISA’s mandate and the financial implications of any such modification. The evaluation should assess: (i) the efficiency and effectiveness of the procedures leading to consultation, preparation and adoption of European cybersecurity certification schemes, as well as ways to improve and accelerate those procedures; (ii) whether essential cybersecurity requirements for access to the internal market are necessary in order to prevent ICT products, ICT services, ICT processes and managed security services which do not meet basic cybersecurity requirements from entering the Union market.
Committee report tabled for plenary, 1st reading/single reading
PURPOSE: to create European cybersecurity certification schemes for managed security services.
PROPOSED ACT: Regulation of the European Parliament and of the Council.
ROLE OF THE EUROPEAN PARLIAMENT: the European Parliament decides in accordance with the ordinary legislative procedure and on an equal footing with the Council.
BACKGROUND: Regulation (EU) 2019/881 of the European Parliament and of the Council on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification sets up a framework for the establishment of European cybersecurity certification schemes for the purpose of ensuring an adequate level of cybersecurity for ICT products, ICT services and ICT processes in the Union, as well as for the purpose of avoiding the fragmentation of the internal market with regard to cybersecurity certification schemes in the Union.
Managed security services , which are services consisting of carrying out, or providing assistance for, activities relating to their customers’ cybersecurity risk management, have gained increasing importance in the prevention and mitigation of cybersecurity incidents. Accordingly, the providers of those services are considered as essential or important entities belonging to a sector of high criticality pursuant to Directive (EU) 2022/2555 of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union.
Managed security service providers in areas such as incident response, penetration testing, security audits and consultancy, play a particularly important role in assisting entities in their efforts to prevent, detect, respond to or recover from incidents. They have however also themselves been the target of cyberattacks and pose a particular risk because of their close integration in the operations of their customers.
Some Member States have already begun adopting certification schemes for managed security services. There is therefore a growing risk of fragmentation of the internal market for managed security services owing to inconsistencies in cybersecurity certification schemes across the Union. This proposal aims to prevent such fragmentation.
CONTENT: the proposed targeted amendment to amend the scope of the European cybersecurity certification framework in the Cybersecurity Act aims to enable, by means of Commission implementing acts, the adoption of European cybersecurity certification schemes for ‘managed security services’ , in addition to information and technology (ICT) products, ICT services and ICT processes, which are already covered under the Cybersecurity Act.
The proposal also introduces a definition of those services, which is very closely aligned to the definition of ‘managed security services providers’ under the NIS 2 Directive (Article 2 of the Cybersecurity Act). It also adds new provisions on the security objectives of European cybersecurity certification adapted to ‘managed security services’.
Lastly, a number of technical amendments are made to ensure that the relevant articles apply also to ‘managed security services’.
Legislative proposal
PURPOSE: to create European cybersecurity certification schemes for managed security services.
PROPOSED ACT: Regulation of the European Parliament and of the Council.
ROLE OF THE EUROPEAN PARLIAMENT: the European Parliament decides in accordance with the ordinary legislative procedure and on an equal footing with the Council.
BACKGROUND: Regulation (EU) 2019/881 of the European Parliament and of the Council on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification sets up a framework for the establishment of European cybersecurity certification schemes for the purpose of ensuring an adequate level of cybersecurity for ICT products, ICT services and ICT processes in the Union, as well as for the purpose of avoiding the fragmentation of the internal market with regard to cybersecurity certification schemes in the Union.
Managed security services , which are services consisting of carrying out, or providing assistance for, activities relating to their customers’ cybersecurity risk management, have gained increasing importance in the prevention and mitigation of cybersecurity incidents. Accordingly, the providers of those services are considered as essential or important entities belonging to a sector of high criticality pursuant to Directive (EU) 2022/2555 of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union.
Managed security service providers in areas such as incident response, penetration testing, security audits and consultancy, play a particularly important role in assisting entities in their efforts to prevent, detect, respond to or recover from incidents. They have however also themselves been the target of cyberattacks and pose a particular risk because of their close integration in the operations of their customers.
Some Member States have already begun adopting certification schemes for managed security services. There is therefore a growing risk of fragmentation of the internal market for managed security services owing to inconsistencies in cybersecurity certification schemes across the Union. This proposal aims to prevent such fragmentation.
CONTENT: the proposed targeted amendment to amend the scope of the European cybersecurity certification framework in the Cybersecurity Act aims to enable, by means of Commission implementing acts, the adoption of European cybersecurity certification schemes for ‘managed security services’ , in addition to information and technology (ICT) products, ICT services and ICT processes, which are already covered under the Cybersecurity Act.
The proposal also introduces a definition of those services, which is very closely aligned to the definition of ‘managed security services providers’ under the NIS 2 Directive (Article 2 of the Cybersecurity Act). It also adds new provisions on the security objectives of European cybersecurity certification adapted to ‘managed security services’.
Lastly, a number of technical amendments are made to ensure that the relevant articles apply also to ‘managed security services’.
Legislative proposal
Documents
- Draft final act: 00093/2024/LEX
- Commission response to text adopted in plenary: SP(2024)394
- Decision by Parliament, 1st reading: T9-0354/2024
- Results of vote in Parliament: Results of vote in Parliament
- Coreper letter confirming interinstitutional agreement: GEDA/A/(2024)001687
- Text agreed during interinstitutional negotiations: PE760.887
- Approval in committee of the text agreed at 1st reading interinstitutional negotiations: PE760.887
- Approval in committee of the text agreed at 1st reading interinstitutional negotiations: GEDA/A/(2024)001687
- Committee report tabled for plenary, 1st reading: A9-0307/2023
- Amendments tabled in committee: PE753.562
- Specific opinion: PE749.983
- Committee draft report: PE752.802
- Contribution: COM(2023)0208
- Contribution: COM(2023)0208
- ESC: CES2408/2023
- Contribution: COM(2023)0208
- Legislative proposal: COM(2023)0208
- Legislative proposal: Go to the pageEur-Lex
- Legislative proposal published: COM(2023)0208
- Legislative proposal published: Go to the page Eur-Lex
- Committee draft report: PE752.802
- Amendments tabled in committee: PE753.562
- Specific opinion: PE749.983
- Text agreed during interinstitutional negotiations: PE760.887
- Coreper letter confirming interinstitutional agreement: GEDA/A/(2024)001687
- Draft final act: 00093/2024/LEX
- Legislative proposal: COM(2023)0208 Go to the pageEur-Lex
- Commission response to text adopted in plenary: SP(2024)394
- Contribution: COM(2023)0208
- Contribution: COM(2023)0208
- Contribution: COM(2023)0208
- ESC: CES2408/2023
Activities
- Josianne CUTAJAR
Plenary Speeches (1)
Votes
A9-0307/2023 – Josianne Cutajar – Provisional agreement – Am 2 #
Amendments | Dossier |
36 |
2023/0108(COD)
2023/09/21
ITRE
36 amendments...
Amendment 17 #
Proposal for a regulation Recital 2 (2) Managed security services
Amendment 18 #
Proposal for a regulation Recital 2 (2) Managed security services, which are services consisting of carrying out, or providing assistance for, activities relating to their customers’ cybersecurity risk management, including incident prevention, detection, responce or recovery, have gained increasing importance in the prevention and mitigation of cybersecurity incidents. Accordingly, the providers of those services are considered as essential or important entities belonging to a sector of high criticality pursuant to Directive (EU) 2022/2555 of the European Parliament and of the Council8 . Pursuant to Recital 86 of that Directive, managed security service providers in areas such as incident response, penetration testing, security audits and consultancy, play a particularly important role in assisting entities in their efforts to prevent, detect, respond to or recover from incidents. Managed security service providers have however also themselves been the target of cyberattacks and pose a particular risk because of their close integration in the operations of their customers. Essential and important entities within the meaning of Directive (EU) 2022/2555 should therefore exercise increased diligence in selecting a managed security service provider.
Amendment 19 #
Proposal for a regulation Recital 3 (3) Managed security services providers also play an important role in the EU Cybersecurity Reserve whose gradual set-up is supported by Regulation (EU) …/…. [laying down measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cybersecurity threats and incidents] The EU Cybersecurity Reserve is to be used to support response and immediate recovery actions in case of significant and large- scale cybersecurity incidents. Regulation (EU) …/…[laying down measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cybersecurity threats and incidents] lays down a selection process for the trusted managed security service providers forming the EU Cybersecurity Reserve, which should, inter alia, take into account whether the provider concerned has obtained a European or national cybersecurity certification.
Amendment 20 #
Proposal for a regulation Recital 4 (4) Certification of managed security services is not only relevant in the selection process for the EU Cybersecurity Reserve but it is also an essential quality indicator for private and public entities that intend to purchase such services. In light of the criticality of the managed security services and the sensitivity of the data they process, certification could provide potential customers with important guidance and assurance about the trustworthiness of these services. European certification schemes for managed security services contribute to avoiding fragmentation of the single market. This Regulation therefore aims at enhancing the functioning of the internal market. At the same time, these multiple purposes of the regulation should strike a balance with the potential regulatory burden and costs associated with certification, given that compliance with certification requirements will involve additional expenses and administrative efforts, which could be a concern for smaller providers.
Amendment 21 #
Proposal for a regulation Recital 4 a (new) (4 a) As the market and the educational systems offer variety of educational resources and formal trainings, it must be underlined that knowledge is also aquired in non-formal ways and skills can be demonstrated via degrees and certification but not exclusively. Especially in the curent fast evolving threat landscape, Member States and the beneficiaries of managed security services should take into account the highly skilled vulnerability researchers. Moreover entities and natural persons researching vulnerabilities may in some Member States be exposed to criminal and civil liability therefore Member States are encouraged to issue guidelines for non- prosecution of information security research and an exception for civil liability for those activities.
Amendment 22 #
Proposal for a regulation Recital 4 a (new) (4 a) The Union certification scheme for managed security services should ensure the availability of secure and high quality services which guarantee a safe digital transition and contribute to the achievement of targets set up in the Path to the Digital Decade Policy Programme8a, especially with regards to the goal that 75% of EU companies start using Cloud/AI/Big Data, that more than 90% of SMEs reach at least a basic level of digital intensity and that key public services are offered online. __________________ 8a Decision (EU) 2022/2481 of the European Parliament and of the Council of 14 December 2022 establishing the Digital Decade Policy Programme 2030
Amendment 23 #
Proposal for a regulation Recital 4 a (new) (4 a) European certification schemes for managed security services should facilitate the use of these services, particularly for smaller entities, including local and regional authorities or SMEs, which often do not have the financial and human capacity to conduct these services by themselves, but are vulnerable to cyber attacks with potentially significant consequences.
Amendment 24 #
Proposal for a regulation Recital 5 (5) In addition to the deployment of ICT products, ICT services or ICT processes, managed security services often provide additional service features that rely on the competences, expertise and experience of their personnel. A very high level of these competences, expertise and experience as well as appropriate internal procedures should be part of the security objectives in order to ensure a very high quality of the managed security services provided. In order to ensure that all aspects of a managed security service can be covered by a certification scheme, it is therefore necessary to amend Regulation (EU) 2019/881. The certification scheme established under this Regulation should also take into account the results and recommendations of the evaluation and review provided for under Article 67 thereof. The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council and delivered an opinion on [DD/MM/YYYY
Amendment 25 #
Proposal for a regulation Recital 5 (5) In addition to the deployment of ICT products, ICT services or ICT processes, managed security services often provide additional service features that rely on the competences, expertise and experience of their personnel. A very high level of these competences, expertise and experience as well as appropriate internal procedures should be part of the security objectives in order to ensure a very high quality and reliability of the managed security services provided. In order to ensure that all aspects of a managed security service can be covered by a certification scheme, it is therefore necessary to amend Regulation (EU) 2019/881. The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council and delivered an opinion on [DD/MM/YYYY
Amendment 26 #
Proposal for a regulation Recital 5 (5) In addition to the deployment of ICT products, ICT services or ICT processes, managed security services often provide additional service features that rely on the competences, expertise and experience of their personnel. A very high level of these competences, expertise and experience as well as appropriate internal procedures should be part of the security objectives in order to ensure a very high quality of the managed security services
Amendment 27 #
Proposal for a regulation Recital 5 a (new) (5 a) Given that the European cybersecurity schemes should certifiy that managed security services are provided by highly-skilled personnel that is able to reliably deliver these services and ensure the highest standards of cybersecurity, it is imperative that there is sufficient availability of highly-qualified personnel in the Union. Yet, the Union is faced with a talent gap, characterized by a shortage of skilled professionals, and a rapidly evolving threat landscape as acknowledged in the Commission communication of 18 April 2023 on the Cybersecurity Skills Academy. It is important to bridge this talent gap by strengthening cooperation and coordination among the different stakeholders, including the private sector, academia, Member States, the Commission and ENISA to scale up and create synergies for the investment in education and training, the development of public-private partnerships, support of research and innovation initiatives, the development and mutual recognition of common standards and certification of cybersecurity skills, including through the European Cyber Security Skills Framework. This should also facilitate the mobility of cybersecurity professionals within the Union.
Amendment 28 #
Proposal for a regulation Recital 5 a (new) (5 a) Given that, certification schemes will add complexity to an already complex regulatory landscape, it is of critical importance to prevent potential overlaps or conflicts with existing cybersecurity regulations and standards. Stresses further the need for careful consideration and proportionality in the implementation of the regulation, in order to reduce negative effects on market freedom and innovation.
Amendment 29 #
Proposal for a regulation Recital 5 a (new) Amendment 30 #
Proposal for a regulation Article 1 – paragraph 1 – point 2 – point a – introductory part (a) points 7, 9, 10 and 11 are replaced by the following:
Amendment 31 #
Proposal for a regulation Article 1 – paragraph 1 – point 2 – point a Regulation (EU) 2019/881 Article 2 – point 7 (7) ‘incident handling’ means incident handling as defined in point (8) of Article 6 of Directive (EU) 2022/2555;
Amendment 32 #
Proposal for a regulation Article 1 – paragraph 1 – point 2 – point b – introductory part (b) the following point
Amendment 33 #
Proposal for a regulation Article 1 – paragraph 1 – point 2 – point b Regulation (EU) 2019/881 Article 2 – point 7a (7a) ‘risk’ means risk as defined in point (9) of Article 6 of Directive (EU) 2022/2555;
Amendment 34 #
Proposal for a regulation Article 1 – paragraph 1 – point 2 – point b Regulation (EU) 2019/881 Article 2 – point 14a (14a) ‘managed security service’ means a
Amendment 35 #
Proposal for a regulation Article 1 – paragraph 1 – point 2 – point b (14a) ‘managed security service’ means a managed service consisting of carrying out, or providing assistance for, activities relating to cybersecurity risk management, including incident pre
Amendment 36 #
Proposal for a regulation Article 1 – paragraph 1 – point 2 – point b Regulation (EU) 2019/881 Article 2 – point 14aa (14aa) ‘managed security service provider’ means managed a security service provider as defined in point (40) of Article 6 of Directive (EU) 2022/2555;
Amendment 37 #
Proposal for a regulation Article 1 – paragraph 1 – point 6 Regulation (EU) 2019/881 Article 47 – paragraph 2 2. The Union rolling work programme shall in particular include a list of ICT products, ICT services and ICT processes
Amendment 38 #
Proposal for a regulation Article 1 – paragraph 1 – point 6 Regulation (EU) 2019/881 Article 47 – paragraph 3 – point a (a) the availability and the development of national cybersecurity certification schemes and international and industry standards covering a specific category of ICT products, ICT services, or ICT processes or managed security services and, in particular, as regards the risk of fragmentation;
Amendment 39 #
Proposal for a regulation Article 1 – paragraph 1 – point 7 Regulation (EU) 2019/881 Article 49 – paragraph 7 Amendment 40 #
Proposal for a regulation Article 1 – paragraph 1 – point 7 Regulation (EU) 2019/881 Article 49 – paragraph 7 7. The Commission, based on the candidate scheme prepared by ENISA, may adopt
Amendment 41 #
Proposal for a regulation Article 1 – paragraph 1 – point 7 Regulation (EU) 2019/881 Article 49 – paragraph 7a (new) 7 a. Prior to adopting such delegated acts, the Commission, in cooperation with ENISA, shall carry out and publish an impact assessment of the proposed European cybersecurity certiciation scheme. While preparing the impact assessment, the Commission shall carry out public consultations and consultations with the SCCG and ECCG.
Amendment 42 #
Proposal for a regulation Article 1 – paragraph 1 – point 7 a (new) Regulation (EU) 2019/881 Article 49 – paragraph 7a (new) (7 a) the following paragraph is inserted: '7a. The Commission, based on the candidate scheme prepared by ENISA, may adopt delegated acts providing for a European cybersecurity certification scheme for managed security services which meets the requirements set out in Articles 51, 52, and 54. Those delegated acts shall be adopted in accordance with the procedure referred to in Article 66a.'
Amendment 43 #
Proposal for a regulation Article 1 – paragraph 1 – point 9 Regulation (EU) 2019/881 Article 51a – paragraph 1 – point b (b) ensure that the provider has appropriate internal procedures in place to ensure that the managed security services are provided at a very high level of quality and reliability at all times ;
Amendment 44 #
Proposal for a regulation Article 1 – paragraph 1 – point 9 Regulation (EU) 2019/881 Article 51a – paragraph 1 – point g (g) ensure that the ICT products, ICT services and ICT processes [and the hardware] deployed in the provision of the managed security services are secure by default and by design, are provided with up-to-date software and hardware, do not contain known vulnerabilities and include the latest security updates;;
Amendment 45 #
Proposal for a regulation Article 1 – paragraph 1 – point 9 Regulation (EU) 2019/881 Article 51a – paragraph 1 – point g (g) ensure that the ICT products, ICT services and ICT processes
Amendment 46 #
Proposal for a regulation Article 1 – paragraph 1 – point 13 – point b – point ii – point aa Regulation (EU) 2019/881 Article 56 – paragraph 3 – third subparagraph – point a (a) take into account the impact of the measures on the manufacturers or providers of such ICT products, ICT services, ICT processes or managed security services and on the users in terms of the cost of those measures and the societal or economic benefits stemming from the anticipated enhanced level of security for the targeted ICT products, ICT services, ICT processes or managed security services
Amendment 47 #
Proposal for a regulation Article 1 – paragraph 1 – point 14 1. Without prejudice to paragraph 3 of this Article, national cybersecurity certification schemes, and the related procedures for the ICT products, ICT services, ICT processes and managed security services that are covered by a European cybersecurity certification scheme shall cease to produce effects from the date established in the
Amendment 48 #
Proposal for a regulation Article 1 – paragraph 1 – point 16 a (new) Regulation (EU) 2019/881 Article 66a (new) Amendment 49 #
Proposal for a regulation Article 1 – paragraph 1 – point 17 – introductory part Regulation (EU)2019/881 Article 67 (17) in Article 67, paragraphs
Amendment 50 #
Proposal for a regulation Article 1 – paragraph 1 – point 17 Regulation (EU) 2019/881 Article 67 – paragraph 1 1 By 28 June 2024, and every four years thereafter, the Commission shall evaluate the impact, effectiveness and efficiency of ENISA and of its working practices, the possible need to modify ENISA’s mandate and the financial implications of any such modification. The evaluation shall take into account any feedback provided to ENISA in response to its activities. Where the Commission considers that the continued operation of ENISA is no longer justified in light of the objectives, mandate and tasks assigned to it, the Commission may propose that this Regulation be amended with regard to the provisions related to ENISA.
Amendment 51 #
Proposal for a regulation Article 1 – paragraph 1 – point 17 Regulation (EU) 2019/881 Article 67 – paragraph 2 2. The evaluation shall also assess the impact, effectiveness and efficiency of the provisions of Title III of this Regulation with regard to the objectives of ensuring an adequate level of cybersecurity of ICT products, ICT services, ICT processes and managed security services in the Union and improving the functioning of the internal market, including assessment of the procedure and timelines leading to preparation and adoption of the first European cybersecurity certification schemes and how this procedure could be improved and accelerated for subsequent certification schemes.
Amendment 52 #
Proposal for a regulation Article 1 – paragraph 1 – point 17 Regulation (EU) 2019/881 Article 67 – paragraph 4 4. By 28 June 2024, and every four years thereafter, the Commission shall transmit a report on the evaluation together with its conclusions to the European Parliament, to the Council and to the Management Board. The findings of that report shall be made public. The report shall be accompanied, where necessary, by a legislative proposal.
source: 753.562
|
History
(these mark the time of scraping, not the official date of the change)
procedure/stage_reached |
Old
Awaiting signature of actNew
Procedure completed, awaiting publication in Official Journal |
committees/0 |
|
committees/0 |
|
committees/1/rapporteur |
|
council |
|
docs/0 |
|
docs/0 |
|
docs/0/body |
Old
EPNew
European Parliament |
docs/1 |
|
docs/1 |
|
docs/1/body |
Old
EPNew
European Parliament |
docs/2 |
|
docs/2 |
|
docs/2/body |
Old
EPNew
European Parliament |
docs/3 |
|
docs/3 |
|
docs/3/body |
Old
EPNew
European Parliament |
docs/4 |
|
docs/4 |
|
docs/4/body |
Old
CSLNew
Council of the EU |
docs/5 |
|
docs/5 |
|
docs/6 |
|
docs/6 |
|
docs/7 |
|
docs/7/body |
Old
ECNew
European Commission |
docs/11 |
|
events/0 |
|
events/0 |
|
events/4/summary/10 |
Committee report tabled for plenary, 1st reading/single reading
|
events/7/docs/1 |
|
events/8 |
|
events/8 |
|
events/8/summary/17 |
Text adopted by Parliament, 1st reading/single reading
|
events/9 |
|
events/9 |
|
events/9/docs/0/url |
Old
https://oeil.secure.europarl.europa.eu/oeil/popups/sda.do?id=60652&l=enNew
https://oeil.secure.europarl.europa.eu/oeil/en/sda-vote-result?sdaId=60652 |
events/10 |
|
procedure/dossier_of_the_committee |
Old
New
ITRE/9/11804 |
procedure/instrument/1 |
Amending Regulation 2019/881
|
procedure/instrument/1 |
Amending Regulation 2019/881 2017/0225(COD)
|
procedure/instrument/2 |
2017/0225(COD)
|
procedure/legal_basis |
Old
New
Treaty on the Functioning of the EU TFEU 114 |
procedure/stage_reached |
Old
Awaiting Council's 1st reading positionNew
Awaiting signature of act |
docs/6/docs/0/url |
Old
/oeil/spdoc.do?i=60652&j=0&l=enNew
https://data.europarl.europa.eu/distribution/doc/SP-2024-394-TA-9-2024-0354_en.docx |
docs/6/docs/0/url |
Old
/oeil/spdoc.do?i=60652&j=0&l=enNew
https://data.europarl.europa.eu/distribution/doc/SP-2024-394-TA-9-2024-0354_en.docx |
docs/6/docs/0/url |
Old
/oeil/spdoc.do?i=60652&j=0&l=enNew
https://data.europarl.europa.eu/distribution/doc/SP-2024-394-TA-9-2024-0354_en.docx |
docs/6/docs/0/url |
Old
/oeil/spdoc.do?i=60652&j=0&l=enNew
https://data.europarl.europa.eu/distribution/doc/SP-2024-394-TA-9-2024-0354_en.docx |
docs/6/docs/0/url |
Old
/oeil/spdoc.do?i=60652&j=0&l=enNew
https://data.europarl.europa.eu/distribution/doc/SP-2024-394-TA-9-2024-0354_en.docx |
docs/6/docs/0/url |
Old
/oeil/spdoc.do?i=60652&j=0&l=enNew
https://data.europarl.europa.eu/distribution/doc/SP-2024-394-TA-9-2024-0354_en.docx |
docs/6/docs/0/url |
Old
/oeil/spdoc.do?i=60652&j=0&l=enNew
https://data.europarl.europa.eu/distribution/doc/SP-2024-394-TA-9-2024-0354_en.docx |
docs/6/docs/0/url |
Old
/oeil/spdoc.do?i=60652&j=0&l=enNew
https://data.europarl.europa.eu/distribution/doc/SP-2024-394-TA-9-2024-0354_en.docx |
docs/6/docs/0/url |
Old
/oeil/spdoc.do?i=60652&j=0&l=enNew
https://data.europarl.europa.eu/distribution/doc/SP-2024-394-TA-9-2024-0354_en.docx |
docs/6/docs/0/url |
Old
/oeil/spdoc.do?i=60652&j=0&l=enNew
https://data.europarl.europa.eu/distribution/doc/SP-2024-394-TA-9-2024-0354_en.docx |
docs/6/docs/0/url |
Old
/oeil/spdoc.do?i=60652&j=0&l=enNew
https://data.europarl.europa.eu/distribution/doc/SP-2024-394-TA-9-2024-0354_en.docx |
docs/6/docs/0/url |
Old
/oeil/spdoc.do?i=60652&j=0&l=enNew
https://data.europarl.europa.eu/distribution/doc/SP-2024-394-TA-9-2024-0354_en.docx |
docs/6/docs/0/url |
Old
/oeil/spdoc.do?i=60652&j=0&l=enNew
https://data.europarl.europa.eu/distribution/doc/SP-2024-394-TA-9-2024-0354_en.docx |
docs/6/docs/0/url |
Old
/oeil/spdoc.do?i=60652&j=0&l=enNew
nulldistribution/doc/SP-2024-394-TA-9-2024-0354_en.docx |
docs/6 |
|
events/8 |
|
docs/6 |
|
events/8 |
|
docs/6 |
|
events/8 |
|
docs/6 |
|
events/8 |
|
docs/6 |
|
events/8 |
|
docs/6 |
|
events/8 |
|
docs/6 |
|
events/8 |
|
docs/6 |
|
events/8 |
|
docs/6 |
|
events/8 |
|
docs/6 |
|
events/8 |
|
docs/6 |
|
events/8 |
|
docs/6 |
|
events/8 |
|
docs/6 |
|
events/8 |
|
docs/6 |
|
events/8 |
|
docs/6 |
|
events/8 |
|
docs/6 |
|
events/8 |
|
docs/6 |
|
events/8 |
|
docs/6 |
|
events/8 |
|
docs/6 |
|
events/8 |
|
docs/6 |
|
events/8 |
|
docs/6 |
|
events/8 |
|
docs/6 |
|
events/8 |
|
docs/6 |
|
events/8 |
|
docs/6 |
|
events/8 |
|
docs/6 |
|
events/8 |
|
docs/6 |
|
events/8 |
|
events/8 |
|
events/8 |
|
events/8 |
|
events/8 |
|
events/8 |
|
events/8 |
|
events/8 |
|
events/8 |
|
events/8 |
|
events/8 |
|
events/8 |
|
events/8 |
|
events/8 |
|
events/8 |
|
procedure/Other legal basis |
Old
Rules of Procedure EP 159New
Rules of Procedure EP 165 |
procedure/Other legal basis |
Old
Rules of Procedure EP 159New
Rules of Procedure EP 165 |
procedure/Other legal basis |
Old
Rules of Procedure EP 159New
Rules of Procedure EP 165 |
procedure/Other legal basis |
Old
Rules of Procedure EP 159New
Rules of Procedure EP 165 |
procedure/Other legal basis |
Old
Rules of Procedure EP 159New
Rules of Procedure EP 165 |
procedure/Other legal basis |
Old
Rules of Procedure EP 159New
Rules of Procedure EP 165 |
docs/6 |
|
events/8/summary |
|
docs/6 |
|
events/8/summary |
|
docs/6 |
|
events/8/summary |
|
docs/6 |
|
events/8/summary |
|
docs/6 |
|
events/8/summary |
|
docs/6 |
|
events/8/summary |
|
docs/6 |
|
events/8/summary |
|
docs/6 |
|
events/8/summary |
|
docs/6 |
|
events/8/summary |
|
docs/6 |
|
events/8 |
|
forecasts |
|
procedure/stage_reached |
Old
Awaiting Parliament's position in 1st readingNew
Awaiting Council's 1st reading position |
docs/6 |
|
events/8 |
|
forecasts |
|
procedure/stage_reached |
Old
Awaiting Parliament's position in 1st readingNew
Awaiting Council's 1st reading position |
forecasts/0 |
|
forecasts/0 |
|
forecasts/0 |
|
forecasts/0 |
|
forecasts/0 |
|
forecasts/0 |
|
forecasts/0 |
|
forecasts/0 |
|
forecasts/0 |
|
forecasts/0 |
|
forecasts/0 |
|
forecasts/0 |
|
docs/4 |
|
events/7/docs |
|
docs/4 |
|
events/7/docs |
|
docs/4 |
|
events/7/docs |
|
docs/4 |
|
events/7/docs |
|
docs/4 |
|
events/7/docs |
|
docs/4 |
|
events/7/docs |
|
docs/4 |
|
events/7 |
|
docs/4 |
|
events/7 |
|
docs/4 |
|
events/7 |
|
docs/4 |
|
events/7 |
|
docs/4 |
|
events/7 |
|
forecasts/0/date |
Old
2024-03-11T00:00:00New
2024-04-22T00:00:00 |
forecasts/0/date |
Old
2024-04-10T00:00:00New
2024-03-11T00:00:00 |
forecasts/0/date |
Old
2024-02-05T00:00:00New
2024-04-10T00:00:00 |
forecasts |
|
links |
|
docs/4 |
|
events/4/summary |
|
events/6 |
|
events/5 |
|
docs/4 |
|
docs/4 |
|
docs/5 |
|
docs/5 |
|
docs/5/date |
Old
2023-06-28T00:00:00New
2023-06-29T00:00:00 |
docs/6 |
|
docs/6 |
|
docs/6/date |
Old
2023-07-19T00:00:00New
2023-07-20T00:00:00 |
docs/7 |
|
docs/7/date |
Old
2023-07-31T00:00:00New
2023-08-01T00:00:00 |
events/4 |
|
procedure/stage_reached |
Old
Awaiting committee decisionNew
Awaiting Parliament's position in 1st reading |
events/2 |
|
events/3 |
|
procedure/Other legal basis |
Rules of Procedure EP 159
|
docs/2 |
|
docs/3 |
|
docs/1 |
|
docs/3 |
|
docs/0 |
|
docs/2 |
|
committees/0/shadows/3 |
|
committees/0/shadows/2 |
|
docs/0 |
|
docs/0 |
|
committees/0/shadows/1 |
|
committees/0/shadows |
|
committees/1/rapporteur |
|
committees/2/opinion |
False
|
commission |
|
events/1 |
|
procedure/dossier_of_the_committee |
|
procedure/stage_reached |
Old
Preparatory phase in ParliamentNew
Awaiting committee decision |
events/0/summary |
|
committees/0/rapporteur |
|
docs/0/docs/1 |
|
events/0/docs/1 |
|