69 Amendments of Roberta METSOLA related to 2017/0225(COD)
Amendment 24
Proposal for a regulation
Recital 3
(3) Increased digitisation and connectivity lead to increased cybersecurity risks, thus making society at large more vulnerable to cyber threats and exacerbating dangers faced by individuals, including vulnerable persons such as children. Moreover, the increasingly frequent conduct of malicious cyber operations by third-country actors, both non-state actors and governments, threatens to disrupt democratic processes and to destabilize democratic societies across Europe. In order to mitigate these risks to society, all necessary actions need to be taken to improve cybersecurity in the EU to better protect network and information systems, telecommunication networks, digital products, services and devices used by citizens, governments and business – from SMEs to operators of critical infrastructures – from cyber threats.
Amendment 42
Proposal for a regulation
Recital 28
(28) The Agency should contribute towards raising the awareness of the public about risks related to cybersecurity and provide guidance on good practices for individual users aimed at citizens and organisations. To improve the overall level of preparedness and resilience, the Agency should also contribute to promoting best practices and solutions at the level of individuals and organisations by collecting and analysing publicly available information regarding significant incidents, and by compiling reports with a view to providing guidance to businesses, citizens and relevant authorities at European and national level. The Agency should furthermore organise, in cooperation with the Member States and the Union institutions, bodies, offices and agencies, regular outreach and public education campaigns directed to end-users. These campaigns should promote safer individual online behaviour and raise awareness of potential threats in cyberspace, including cybercrimes such as phishing attacks, botnets, financial and banking fraud, forgery and illegal content, as well as advocate data protection and basic authentication to prevent data and identity theft. The Agency should play a central role in accelerating end-user awareness on security of devices.
Amendment 44
Proposal for a regulation
Recital 28 a (new)
(28a) The Agency should raise the awareness of the public about risks of data fraud incidents and thefts that may seriously affect the fundamental rights of individuals, pose a threat to the rule of law and endanger the stability of democratic societies, including democratic processes in the Member States.
Amendment 48
Proposal for a regulation
Recital 35
(35) The Agency should encourage Member States, hardware and software producers as well as service providers to raise their general security standards so that all internet users can take the necessary steps to ensure their own personal cybersecurity. In particular, service providers and product manufacturers should ensure that the products and services they place on the market meet cybersecurity standards. In cooperation with competent authorities, ENISA may disseminate information regarding the level of cybersecurity of the products and services offered in the internal market, and issue warnings targeting providers and manufacturers and requiring them to improve the security, including cybersecurity, of their products and services.
Amendment 49
Proposal for a regulation
Recital 37
(37) Cybersecurity threats are a global challenge. Closer international cooperation is needed to mitigate these threats, in particular as regards information sharing and the development of common security standards, including the definition of common norms of behaviour. Furthermore, international collaboration in response to network and information security issues should be accelerated and a global approach on these issues promoted. To that end, the Agency should support further Union involvement and cooperation with third countries and international organisations by providing, where appropriate, the necessary expertise and analysis to the relevant Union institutions, bodies, offices and agencies.
Amendment 54
Proposal for a regulation
Recital 55
(55) The purpose of European cybersecurity certification schemes should be to ensure that ICT products and services certified under such a scheme comply with specified requirements. Such requirements concern the ability to resist, at a given level of assurance, actions that aim to compromise the availability, authenticity, integrity and confidentiality of stored or transmitted or processed data or the related functions of or services offered by, or accessible via those products, processes, services and systems within the meaning of this Regulation. It is not possible to set out in detail in this Regulation the cybersecurity requirements relating to all ICT products and services. ICT products and services and related cybersecurity needs are so diverse, as is their lifecycle, that it is very difficult to come up with general cybersecurity requirements valid across the board. It is, therefore, necessary to adopt a broad and general notion of cybersecurity for the purpose of certification, complemented by a set of specific cybersecurity objectives that need to be taken into account when designing European cybersecurity certification schemes. The modalities with which such objectives will be achieved in specific ICT products and services should then be further specified in detail at the level of the individual certification scheme adopted by the Commission in close consultation with the Member States and industrial stakeholders, for example by reference to standards or technical specifications. The individual certification schemes should be designed in such a way that all actors involved in the development of relevant IT products and services are encouraged to develop and adopt standards, norms and principles which ensure the highest possible level of security throughout the lifecycle.
Amendment 63
Proposal for a regulation
Article 2 – paragraph 1 – point 8
(8) ‘cyber threat’ means any potential circumstance, capability or event that may adversely impact network and information systems, their users and affected persons.
Amendment 71
Proposal for a regulation
Article 4 – paragraph 6
6. The Agency shall promote the use of certification, including by contributing to the development of European and international standards on cybersecurity and to the establishment and maintenance of a cybersecurity certification framework at Union level in accordance with Title III of this Regulation, with a view to increasing transparency of cybersecurity assurance of ICT products and services and thus strengthening trust in the digital internal market.
Amendment 83
Proposal for a regulation
Recital 47
(47) Conformity assessment is the process demonstrating whether specified requirements relating to a product, process, service, system, person or body have been fulfilled. For the purposes of this Regulation, certification should be considered as a type of conformity assessment regarding the cybersecurity features of a product, process, service, system, or a combination of those (“ICT hardware and software products and services”) through a strict procedure of self-declaration of conformity as outlined in Article 2(16a), Article 46, Article 50 and Article 51 of this Regulation. Certification cannot guarantee per se that certified ICT products and services are cyber secure. It is rather a procedure and technical methodology to attest that ICT hardware and software products and services have been tested and that they comply with certain cybersecurity requirements laid down elsewhere, for example as specified in technical standards.
Amendment 84
Proposal for a regulation
Article 8 – paragraph 1 – point a – point 1
(1) preparing candidate European cybersecurity certification schemes for ICT products and services in cooperation with industry in accordance with Article 44 of this Regulation;
Amendment 86
Proposal for a regulation
Article 9 – paragraph 1 – point d
(d) pool, organise and make available to the public, through a dedicated portal, information on cybersecurity, provided by the Union institutions, agencies and bodies and made available by Member States and public and private stakeholders;
Amendment 87
Proposal for a regulation
Recital 49
(49) In the 2016 Communication “Strengthening Europe’s Cyber Resilience System and Fostering a Competitive and Innovative Cybersecurity Industry”, the Commission outlined the need for high-quality, affordable and interoperable cybersecurity products and solutions. The supply of ICT hardware and software products and services within the single market remains very fragmented geographically. This is because the cybersecurity industry in Europe has developed largely on the basis of national governmental demand. In addition, the lack of interoperable solutions (technical standards), practices and EU-wide mechanisms of certification are among the other gaps affecting the single market in cybersecurity. On the one hand, this makes it difficult for European companies to compete at national, European and global level. On the other, it reduces the choice of viable and usable cybersecurity technologies that individuals and enterprises have access to. Similarly, in the Mid-Term Review on the implementation of the Digital Single Market Strategy, the Commission highlighted the need for safe connected products and systems, and indicated that the creation of a European ICT security framework setting rules on how to organise ICT security certification in the Union could both preserve trust in the internet and tackle the current fragmentation of the cybersecurity market.
Amendment 88
Proposal for a regulation
Article 9 – paragraph 1 – point e a (new)
Amendment 89
Proposal for a regulation
Recital 50
(50) Currently, the cybersecurity certification of ICT products and services is used only to a limited extent. When it exists, it mostly occurs at Member State level or in the framework of industry driven schemes. In this context, a certificate issued by one national cybersecurity authority is not in principle recognised by other Member States. Companies thus may have to certify their products and services in several Member States where they operate, for example with a view to participating in national procurement procedures. Moreover, while new schemes are emerging, there seems to be no coherent and holistic approach with regard to horizontal cybersecurity issues, for instance in the field of the Internet of Things. Existing schemes present significant shortcomings and differences in terms of product coverage, levels of risk-based assurance, substantive criteria and actual utilisation.
Amendment 89
Proposal for a regulation
Article 9 – paragraph 1 – point g
(g) organise, in cooperation with the Member States and Union institutions, bodies, offices, agencies and other relevant stakeholders, regular outreach campaigns to increase cybersecurity and its visibility in the Union.
Amendment 91
Proposal for a regulation
Recital 52
(52) In view of the above, it is necessary to establish a European cybersecurity certification framework laying down the main horizontal requirements for European cybersecurity certification schemes to be developed and allowing certificates for ICT hardware and software products and services to be recognised and used in all Member States. The European framework should have a twofold purpose: on the one hand, it should help increase trust in ICT hardware and software products and services that have been certified according to such schemes. On the other hand, it should avoid the multiplication of conflicting or overlapping national cybersecurity certifications and thus reduce costs for undertakings operating in the digital single market. The schemes should be non-discriminatory and based on international and/or Union standards, unless those standards are ineffective or inappropriate to fulfil the EU’s legitimate objectives in that regard.
Amendment 94
Proposal for a regulation
Recital 53
(53) The Commission should be empowered to adopt European cybersecurity certification schemes concerning specific groups of ICT hardware and software products and services. These schemes should be implemented and supervised by national certification supervisory authorities and certificates issued within these schemes should be valid and recognised throughout the Union. Certification schemes operated by the industry or other private organisations should fall outside the scope of the Regulation. However, the bodies operating such schemes may propose to the Commission to consider such schemes as a basis for approving them as a European scheme.
Amendment 97
Proposal for a regulation
Recital 55
(55) The purpose of European cybersecurity certification schemes should be to ensure that ICT hardware and software products and services certified under such a scheme comply with specified requirements. Such requirements concern the ability to resist, at a given level of assurance, actions that aim to compromise the availability, authenticity, integrity and confidentiality of stored or transmitted or processed data or the related functions of or services offered by, or accessible via those products, processes, services and systems within the meaning of this Regulation. It is not possible to set out in detail in this Regulation the cybersecurity requirements relating to all ICT hardware and software products and services. ICT hardware and software products and services and related cybersecurity needs are so diverse that it is very difficult to come up with general cybersecurity requirements valid across the board. It is, therefore, necessary to adopt a broad and general notion of cybersecurity for the purpose of certification, complemented by a set of specific cybersecurity objectives that need to be taken into account when designing European cybersecurity certification schemes. This shall be done by means of a checklist listing the risks that the ICT hardware or software product or service is expected to face by a given category of users in a particular environment. The modalities with which such objectives will be achieved in specific ICT hardware and software products and services should then be further specified in detail at the level of the individual certification scheme adopted by the Commission, for example by reference to standards or technical specifications.
Amendment 99
Proposal for a regulation
Article 30 – paragraph 2
2. The Court of Auditors shall have the power of audit, on the basis of documents and on the spot inspections, over all grant beneficiaries, contractors and subcontractors who have received Union funds from the Agency.
Amendment 108
Proposal for a regulation
Recital 56
(56) The Commission should be empowered to request ENISA to prepare candidate schemes for specific ICT products or services. The Commission, based on the candidate scheme proposed by ENISA, should then be empowered to adopt the European cybersecurity certification scheme by means of implementing acts. Taking account of the general purpose and security objectives identified in this Regulation, European cybersecurity certification schemes adopted by the Commission should specify a minimum set of elements concerning the subject-matter, the scope and functioning of the individual scheme. These should include among others the scope and object of the cybersecurity certification, including the categories of ICT hardware and software products and services covered, the detailed specification of the cybersecurity requirements, for example by reference to standards or technical specifications, the specific evaluation criteria and evaluation methods, as well as the intended level of risk-based assurance: elemental, substantial and/or high.
Amendment 119
Proposal for a regulation
Recital 57
(57) Recourse to European cybersecurity certification should remain voluntary, unless otherwise provided in Union or national legislation. However, with a view to achieving the objectives of this Regulation and avoiding the fragmentation of the internal market, national cybersecurity certification schemes or procedures for the ICT products and services covered by a European cybersecurity certification scheme should cease to produce effects from the date established by the Commission by means of the implementing act. Moreover, Member States should not introduce new national certification schemes providing cybersecurity certification schemes for ICT hardware and software products and services already covered by an existing European cybersecurity certification scheme.
Amendment 120
Proposal for a regulation
Recital 58
(58) Once a European cybersecurity certification scheme is adopted, manufacturers of ICT hardware and software products or providers of ICT services should be able to submit an application for certification of their products or services to a conformity assessment body of their choice. These manufacturers may also decide to self-declare conformity with the relevant European cybersecurity certification scheme and shall be subject to scrutiny by the national certification supervisory authority, which, in turn, will report the results of these assessments to the European Cybersecurity Certification Group and to ENISA. Conformity assessment bodies should be accredited by an accreditation body if they comply with certain specified requirements set out in this Regulation. Accreditation should be issued for a period determined in the relevant European cybersecurity certification scheme and may be renewed on the same conditions provided that the conformity assessment body meets the requirements. Accreditation bodies should revoke an accreditation of a conformity assessment body where the conditions for the accreditation are not, or are no longer, met or where actions taken by a conformity assessment body infringe this Regulation.
Amendment 124
Proposal for a regulation
Recital 58 a (new)
Amendment 125
Proposal for a regulation
Recital 59
(59) It is necessary to require all Member States to designate one cybersecurity certification supervisory authority to supervise compliance of conformity assessment bodies and of certificates issued by conformity assessment bodies established in their territory with the requirements of this Regulation and of the relevant cybersecurity certification schemes. National certification supervisory authorities should handle complaints lodged by natural or legal persons in relation to certificates issued by conformity assessment bodies established in their territories, investigate to the extent appropriate the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable time period. Moreover, they should cooperate with other national certification supervisory authorities or other public authorities, including by sharing information on possible non-compliance of ICT hardware and software products and services with the requirements of this Regulation or specific cybersecurity schemes. Furthermore, they should supervise and verify the compliance of the self-declarations of conformity, and of the European cybersecurity certificates issued by conformity assessment bodies, with the requirements set out in this Regulation, including the rules adopted by the European Cybersecurity Certification Group and the requirements set out in the corresponding European cybersecurity certification scheme.
Amendment 135
Proposal for a regulation
Article 2 – paragraph 1 – point 9
(9) ‘European cybersecurity certification scheme’ means the comprehensive set of rules, technical requirements, standards and procedures defined at Union level applying to the certification of Information and Communication Technology (ICT) hardware and software products and services falling under the scope of that specific scheme;
Amendment 143
Proposal for a regulation
Article 2 – paragraph 1 – point 16 a (new)
(16a) ‘self-declaration of conformity’ means the statement by the manufacturer that attests that their ICT product or service conforms to the specified European cybersecurity certification schemes.
Amendment 224
Proposal for a regulation
Article 43 – paragraph 1
A European cybersecurity certification scheme shall attest that the ICT hardware and software products and services that have been certified in accordance with such scheme comply with specified requirements as regards their ability to resist, at a given level of risk-based assurance, actions that aim to compromise the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the functions or services offered by, or accessible via, those hardware and software products, development and maintenance processes, services and systems.
Amendment 235
Proposal for a regulation
Article 44 – paragraph 2
2. When preparing candidate schemes referred to in paragraph 1 of this Article, ENISA shall consult all relevant stakeholders and closely cooperate with the Group in defining the security objectives of the candidate certification scheme in line with Article 45, which will lead to the compilation of a checklist of risks and corresponding cybersecurity features. The Group shall provide ENISA with the assistance and expert advice required by ENISA in relation to the preparation of the candidate scheme, including by providing opinions where necessary.
Amendment 243
Proposal for a regulation
Article 44 – paragraph 2 a (new)
2a. ENISA shall coordinate the compilation of a checklist of risks associated with the hardware or software of the ICT product or service. The risks shall be matched with corresponding cybersecurity features to be included in the candidate European cybersecurity certification scheme.
Amendment 247
Proposal for a regulation
Article 44 – paragraph 2 b (new)
2b. The checklist prepared shall draw from Member States’ experience in designing and implementing cybersecurity certificates within their jurisdictions. A list of expected risks will be drawn up and analysed, depending on an assessment of the risk environment in which the ICT software or hardware product or ICT service will eventually operate, as well as of the expected end user.
Amendment 254
4. The Commission, based on the candidate scheme proposed by ENISA, may adopt implementing acts, in accordance with Article 55(1), providing for European cybersecurity certification schemes for ICT hardware and software products and services meeting the requirements of Articles 45, 46 and 47 of this Regulation.
Amendment 255
Proposal for a regulation
Article 44 – paragraph 5
5. ENISA shall maintain a dedicated website providing information on, and publicity of, European cybersecurity certification schemes as well as candidate cybersecurity certification schemes in preparation.
Amendment 258
Proposal for a regulation
Article 45 – paragraph 1 – introductory part
A European cybersecurity certification scheme shall be so designed as to take into account, as applicable, the following non-exhaustive list of security objectives:
Amendment 272
Proposal for a regulation
Article 45 – paragraph 1 – point g
(g) ensure that ICT hardware and software products and services are provided with up-to-date software that does not contain known vulnerabilities, and are provided with mechanisms for secure software updates.
Amendment 276
Proposal for a regulation
Article 46 – title
Risk-Based Assurance levels of European cybersecurity certification schemes
Amendment 284
Proposal for a regulation
Article 46 – paragraph 1
1. A European cybersecurity certification scheme may specify one or more of the following assurance levels: elemental, substantial and/or high, for ICT hardware and software products and services issued under that scheme.
Amendment 287
Proposal for a regulation
Article 46 – paragraph 1 a (new)
1a. A European cybersecurity certification scheme shall specify whether self-declaration of conformity is permissible or third-party assessment is strictly required.
Amendment 291
Proposal for a regulation
Article 46 – paragraph 2 – introductory part
2. The risk-based assurance levels elemental, substantial and high shall meet the following criteria respectively:
Amendment 297
Proposal for a regulation
Article 46 – paragraph 2 – point a
(a) risk-based assurance level elemental shall refer to a certificate issued in the context of a European cybersecurity certification scheme, which provides an essential minimum degree of confidence and security, in the event of common cyber-security threats faced by predominantly consumer products, in the claimed or asserted cybersecurity qualities of an ICT product or service, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to decrease the risk of cybersecurity incidents;
Amendment 302
(b) risk-based assurance level substantial shall refer to a certificate issued in the context of a European cybersecurity certification scheme, which provides a substantial degree of confidence in the claimed or asserted cybersecurity qualities of an ICT product or service, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls that are generally used at industry level, the purpose of which is to decrease substantially the risk of cybersecurity incidents;
Amendment 309
Proposal for a regulation
Article 46 – paragraph 2 – point c
(c) risk-based assurance level high shall refer to a certificate issued in the context of a European cybersecurity certification scheme, which provides a higher degree of confidence in the claimed or asserted cybersecurity qualities of an ICT product or service than certificates with the assurance level substantial, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls that are generally used at industrial level, the purpose of which is to prevent cybersecurity incidents.
Amendment 311
Proposal for a regulation
Article 46 – paragraph 2 a (new)
2a. The risk-based assurance level for a candidate European cybersecurity certification scheme shall be identified on the basis of the risks identified in the checklist established in Article 44(2) and the availability of cybersecurity measures to counter those risks in the ICT hardware and software products and services to which the certification scheme applies.
Amendment 313
Proposal for a regulation
Article 46 – paragraph 2 b (new)
Amendment 317
Proposal for a regulation
Article 47 – paragraph 1 – introductory part
1. A European cybersecurity certification scheme shall include at least the following elements:
Amendment 320
Proposal for a regulation
Article 47 – paragraph 1 – point a
(a) subject-matter and scope of the certification, including the type or categories of ICT hardware and software products and services covered;
Amendment 322
Proposal for a regulation
Article 47 – paragraph 1 – point b
(b) detailed specification of the cybersecurity requirements against which the specific ICT hardware and software products and services are evaluated, for example by reference to Union or international standards or technical specifications;
Amendment 327
Proposal for a regulation
Article 47 – paragraph 1 – point c
(c) where applicable, one or more risk-based assurance levels;
Amendment 329
Proposal for a regulation
Article 47 – paragraph 1 – point c a (new)
(ca) the applicable conformity assessment procedure and/or self-declaration of conformity;
Amendment 330
Proposal for a regulation
Article 47 – paragraph 1 – point c b (new)
(cb) certification requirements defined in a way that certification can be incorporated into or based on the producer’s systematic cybersecurity processes followed during the design, development and lifecycle of the ICT product or service;
Amendment 333
Proposal for a regulation
Article 47 – paragraph 1 – point f
(f) where the scheme provides for marks or labels, such as an EU Cybersecurity Conformity Label signifying that the ICT product or service conforms to the criteria of a European cybersecurity certification scheme, the conditions under which such marks or labels may be used;
Amendment 342
Proposal for a regulation
Article 47 – paragraph 1 – point i
(i) rules concerning the consequences of non-conformity of certified ICT hardware and software products and services with the certification requirements, including general information about the penalties to be incurred as laid down in Article 54 of this Regulation;
Amendment 343
Proposal for a regulation
Article 47 – paragraph 1 – point j
(j) the requirement that an ICT hardware or software product trader or service provider has procedures and rules in place concerning how previously undetected cybersecurity vulnerabilities in ICT hardware and software products and services are to be reported and dealt with;
Amendment 350
Proposal for a regulation
Article 47 – paragraph 1 – point l
(l) identification of national cybersecurity certification schemes or industry-led methods covering the same type or categories of ICT hardware and software products and services;
Amendment 359
Proposal for a regulation
Article 47 – paragraph 1 – point m a (new)
(ma) the period of validity of the certificate;
Amendment 368
Proposal for a regulation
Article 48 – paragraph 1
1. ICT hardware and software products and services that have been certified under a European cybersecurity certification scheme adopted pursuant to Article 44 shall be presumed to be compliant with the requirements of such scheme.
Amendment 377 #
Proposal for a regulation
Article 48 – paragraph 3
3. A European cybersecurity certificate pursuant to this Article shall be issued either by self-declaration of conformity or by the conformity assessment bodies referred to in Article 51 on the basis of criteria included in the European cybersecurity certification scheme, adopted pursuant to Article 44.
Amendment 383 #
Proposal for a regulation
Article 48 – paragraph 6
6. Certificates shall be issued and shall remain valid for a maximum period defined in each cybersecurity certification scheme according to Article 47(1)(n) and depending on the risk environment and the hardware and/or software product or services’ expected uses, and may be renewed, under the same conditions, provided that the relevant requirements continue to be met.
Amendment 386 #
Proposal for a regulation
Article 48 – paragraph 6 a (new)
6a. A European cybersecurity certification scheme shall remain valid for all new versions, patches, fixes, updates, etc. issued by the ICT hardware or software product or service trader and/or manufacturer to address security vulnerabilities that have been addressed through the trader and/or manufacturer’s procedures as defined under Article 47(1)(j).
Amendment 409 #
Proposal for a regulation
Article 50 – paragraph 6 – point a
(a) monitor and enforce the application of the provisions under this Title at national level and supervise and verify the compliance of the self-declarations of conformity and the cybersecurity certificates that have been issued by conformity assessment bodies established in their respective territories with the requirements set out in this Title and in the corresponding European cybersecurity certification scheme in accordance with the rules adopted by the European Cybersecurity Certification Group pursuant to Article 53(3)(ba);
Amendment 411 #
Proposal for a regulation
Article 50 – paragraph 6 – point b
(b) monitor, supervise and assess the activities of conformity assessment bodies for the purpose of this Regulation, including in relation to the notification of conformity assessment bodies and the related tasks set out in Article 52 of this Regulation;
Amendment 412 #
Proposal for a regulation
Article 50 – paragraph 6 – point b a (new)
(ba) scrutinise self-declarations of conformity, and monitor, supervise and assess the activities of firms that issue them for the purpose of this Regulation;
Amendment 413 #
Proposal for a regulation
Article 50 – paragraph 6 – point b b (new)
(bb) report the results of verifications under point (a) and the assessments under points (b) and (c) to the European Cybersecurity Certification Group and to ENISA;
Amendment 415 #
Proposal for a regulation
Article 50 – paragraph 6 – point c
(c) handle complaints lodged by natural or legal persons in relation to certificates issued by self-declaration and by conformity assessment bodies established in their territories, investigate, to the extent appropriate, the subject matter of the complaint, and inform the complainant of the progress and the outcome of the investigation within a reasonable time period;
Amendment 420 #
Proposal for a regulation
Article 50 – paragraph 7 – point e
(e) to withdraw, in accordance with national law, certificates that are not compliant with this Regulation or a European cybersecurity certification scheme and inform national accreditation bodies accordingly;
Amendment 429 #
Proposal for a regulation
Article 51 – paragraph 2 a (new)
2a. Where manufacturers opt for ‘self- declaration of conformity’ as established in Article 48(3) of this Regulation, conformity assessment bodies will take additional steps to verify the internal procedures undertaken by the manufacturer to ensure that their products and/or services conform with the requirements of the European cybersecurity certification scheme.
Amendment 430 #
Proposal for a regulation
Article 51 a (new)
Article 51 a
Peer-Review Assessment
1. National accreditation bodies shall subject themselves to peer evaluation coordinated by ENISA.
2. Member States shall ensure that their national accreditation bodies periodically undergo peer evaluation.
3. Peer evaluation shall be conducted based on a set of transparent evaluation criteria and procedures that include structural resources, human resources, certification conformity procedures, confidentiality and complaints. National accreditation bodies shall have recourse to appeal procedures against decisions taken as a result of this peer evaluation.
4. Peer evaluation shall ascertain whether the national accreditation bodies meet the requirements enshrined in Regulation 765/2008/EC.
5. ENISA shall publish and communicate the outcome of the peer evaluation exercises to all Member States and to the Commission.
6. Together with Member States, the Commission shall oversee the rules and the proper functioning of the peer evaluation system.
Amendment 432 #
Proposal for a regulation
Article 53 – paragraph 3 – point a a (new)
(aa) to provide ENISA with strategic guidance and to establish a work programme including the common actions to be undertaken at EU level to ensure the consistent application of this Title across all Member States;
Amendment 433 #
Proposal for a regulation
Article 53 – paragraph 3 – point a b (new)
(ab) to establish and periodically update a priority list of ICT products and services that urgently require an EU cybersecurity certification scheme;
Amendment 434 #
Proposal for a regulation
Article 53 – paragraph 3 – point b a (new)
(ba) to adopt binding rules determining the intervals at which national certification supervisory authorities are to carry out verifications of certificates and the criteria, scale and scope of these verifications and to adopt common rules and standards for reporting, in accordance with Article 50(6).