Activities of Anneleen VAN BOSSUYT related to 2017/0225(COD)
Shadow opinions (1)
OPINION on the proposal for a regulation of the European Parliament and of the Council on ENISA, the "EU Cybersecurity Agency", and repealing Regulation (EU) 526/2013, and on Information and Communication Technology cybersecurity certification ('Cybersecurity Act')
Amendments (22)
Amendment 68
Proposal for a regulation
Recital 28
(28) The Agency should contribute towards raising the awareness of the public about risks related to cybersecurity and provide guidance on good practices for individual users aimed at citizens and organisations. The Agency should also contribute to promote best practices and solutions at the level of individuals and organisations by collecting and analysing publicly available information regarding significant incidents, and by compiling reports with a view to providing guidance to businesses and citizens and improving the overall level of preparedness and resilience. The Agency should furthermore organise, in cooperation with the Member States and the Union institutions, bodies, offices and agencies regular outreach and public education campaigns directed to end-users, aiming at promoting safer individual online behaviour and raising awareness of measures that can be taken to guard against potential threats in cyberspace, including cybercrimes such as phishing attacks, botnets, financial and banking fraud, as well as promoting basic authentication and data protection advice. The Agency should play a central role in accelerating end-user awareness on security of devices and secure use of services.
Amendment 84
Proposal for a regulation
Recital 47
(47) Conformity assessment is the process demonstrating whether specified requirements relating to a product, process, service, system, person or body have been fulfilled. For the purposes of this Regulation, certification should be considered as a type of conformity assessment regarding the cybersecurity features and practices comprised in a product, process, service, system, or a combination of those (“ICT products and services”) by an independent third party, other than the product manufacturer or service provider. Certification cannot guarantee per se that certified ICT products and services are cyber secure. It is rather a procedure and technical methodology to attest that ICT products and services as well as the underlying processes and systems have been tested and that they comply with certain cybersecurity requirements laid down elsewhere, for example as specified in technical standards.
Amendment 104
Proposal for a regulation
Recital 56
(56) The Commission should be empowered to request ENISA to prepare candidate schemes for specific ICT products or services. The Commission, based on the candidate scheme proposed by ENISA, should then be empowered to adopt the European cybersecurity certification scheme by means of implementing acts. Taking account of the general purpose and security objectives identified in this Regulation, European cybersecurity certification schemes adopted by the Commission should specify a minimum set of elements concerning the subject-matter, the scope and functioning of the individual scheme. These should include among others the scope and object of the cybersecurity certification, including the categories of ICT products and services covered, the detailed specification of the cybersecurity requirements, for example by reference to standards or technical specifications, the specific evaluation criteria and evaluation methods, as well as the intended level of assurance: basic, substantial and/or high. Consideration should be given in the scheme to the full lifecycle of the product, including any rules applicable to the de- commissioning of products or services.
Amendment 114
Proposal for a regulation
Recital 57
(57) Recourse to European cybersecurity certification should remain voluntary, unless otherwise provided in Union or national legislation. When specific need for certain products or services to demonstrate compliance with a set of harmonised cybersecurity requirements arises in Union law, the requirements and process of assessment and compliance verification should be set down in Union legislation in line with the New Approach. With a view to achieving the objectives of this Regulation and avoiding the fragmentation of the internal market, national cybersecurity certification schemes or procedures for the ICT products and services covered by a European cybersecurity certification scheme should cease to produce effects from the date established by the Commission by means of the implementing act. Moreover, Member States should not introduce new national certification schemes providing cybersecurity certification schemes for ICT products and services already covered by an existing European cybersecurity certification scheme.
Amendment 136
Proposal for a regulation
Article 2 – paragraph 1 – point 9
(9) ‘European cybersecurity certification scheme’ means the comprehensive set of rules, technical requirements, standards and procedures defined at Union level applying to the certification of Information and Communication Technology (ICT) products and services falling under the scope of that specific scheme;
Amendment 185
Proposal for a regulation
Article 8 – paragraph 1 – point b
(b) consult international and European standardisation organisations on the development of standards for risk management and for the security of ICT products and services, as well as draw up, in collaboration with Member States, advice and guidelines regarding the technical areas related to the security requirements for operators of essential services and digital service providers, as well as regarding already existing standards, including Member States’ national standards, pursuant to Article 19(2) of Directive (EU) 2016/1148, and facilitate the establishment and take-up of relevant international and European standards;
Amendment 187
Proposal for a regulation
Article 8 – paragraph 1 – point b a (new)
(ba) draw up, in collaboration with Member States, advice and guidelines regarding the technical areas referred to in point (b), as well as regarding already existing standards, including Member States’ national standards, which would allow for those areas to be covered;
Amendment 215
Proposal for a regulation
Article 20 – paragraph 5
5. The Permanent Stakeholders’ Group shall advise the Agency in respect of the performance of its activities. It shall in particular advise the Executive Director on drawing up a proposal for the Agency’s work programme, and on ensuring communication with the relevant stakeholders on all issues related to the work programme. It may also propose that the Commission request the Agency to prepare candidate European cybersecurity certification schemes in accordance with Article 44, either on its own initiative or following submission of proposals from relevant stakeholders.
Amendment 229
Proposal for a regulation
Article 44 – paragraph 1
1. Following a request from the Commission, ENISA shall prepare a candidate European cybersecurity certification scheme which meets the requirements set out in Articles 45, 46 and 47 of this Regulation. Member States, the Permanent Stakeholders’ Group, either on its own initiative or following submission of proposals from relevant stakeholders, and the European Cybersecurity Certification Group (the ‘Group’) established under Article 53 may propose the preparation of a candidate European cybersecurity certification scheme to the Commission.
Amendment 234
Proposal for a regulation
Article 44 – paragraph 2
Amendment 250
Proposal for a regulation
Article 44 – paragraph 4
4. The Commission shall consult all relevant stakeholders on the candidate scheme proposed by ENISA, and shall assess its suitability for meeting the objectives of the request and whether the scheme contributes to a high level of consumer and end-user protection and European competitiveness. Following a consultation and assessment, the Commission may adopt implementing acts, in accordance with Article 55(1), providing for European cybersecurity certification schemes for ICT products and services meeting the requirements of Articles 45, 46 and 47 of this Regulation.
Amendment 259
Proposal for a regulation
Article 45 – paragraph 1 – introductory part
A European cybersecurity certification scheme shall be so designed to take into account at least the following security objectives, insofar as they are relevant:
Amendment 269
Proposal for a regulation
Article 45 – paragraph 1 – point g
(g) ensure that ICT products and services are provided with up to date software that does not contain known vulnerabilities critical to the assurance offered by the scheme, have been designed and implemented in such a way as to effectively limit the inclusion or introduction of vulnerabilities, and are provided mechanisms for secure software updates.
Amendment 278
Proposal for a regulation
Article 46 – paragraph 1
1. A European cybersecurity certification scheme may specify one or more distinct assurance levels for ICT products and services issued under that scheme. Those levels shall be distinguished on the basis of the degree of confidence in the claimed or asserted cybersecurity qualities of ICT products and services issued under that scheme, characterised with reference to standards and procedures related thereto, including technical controls, the purpose of which is to decrease the risk of cybersecurity incidents.
Amendment 289
Proposal for a regulation
Article 46 – paragraph 2
Amendment 323
Proposal for a regulation
Article 47 – paragraph 1 – point b
(b) detailed specification of the cybersecurity requirements against which the specific ICT products and services are evaluated, for example by reference to Union or international or European standards or technical specifications;
Amendment 358
Proposal for a regulation
Article 47 – paragraph 1 – point m a (new)
(ma) the period of validity of issued certificates.
Amendment 372
Proposal for a regulation
Article 48 – paragraph 2
2. The certification shall be voluntary, unless otherwise specified in Union law.
Amendment 376
Proposal for a regulation
Article 48 – paragraph 3
3. A European cybersecurity certificate pursuant to this Article shall be either subject to a declaration of conformity by a manufacturer or service provider or issued by the conformity assessment bodies referred to in Article 51 on the basis of criteria included in the European cybersecurity certification scheme, adopted pursuant to Article 44. Where a scheme offers more than one level of assurance, it may choose a combination of methods to determine compliance with the scheme.
Amendment 378
Proposal for a regulation
Article 48 – paragraph 3 a (new)
3a. Where a European certification scheme requires a manufacturer or service provider to draw up a declaration of conformity, these shall be kept by the manufacturer or service provider and provided to the national certification supervisory authorities upon request. By drawing up the declaration of conformity, the manufacturer shall assume responsibility for compliance with the requirements of the Scheme.
Amendment 382
Proposal for a regulation
Article 48 – paragraph 6
6. Certificates shall be issued for a period as deemed appropriate for each scheme, which shall not be less than 24 months where those are issued by a conformity assessment body. Certificates may be renewed, under the same conditions, provided that the relevant requirements continue to be met. Certificates shall not become invalid following the provision of updates or other changes in hardware or software versions where the requirements of Article 47(1)(j) are complied with.
Amendment 392
Proposal for a regulation
Article 49 – paragraph 1
1. Without prejudice to paragraph 3, national cybersecurity certification schemes and the related procedures for the ICT products and services covered by a European cybersecurity certification scheme shall cease to produce effects from the date established in the implementing act adopted pursuant to Article 44(4). Where a European cybersecurity certification has replaced a national scheme, certificates issued under the European scheme shall be accepted as valid in cases where certification under a national scheme was required. Existing national cybersecurity certification schemes and the related procedures for the ICT products and services not covered by a European cybersecurity certification scheme shall continue to exist.