Activities of Jaromír ŠTĚTINA related to 2017/0225(COD)
Shadow opinions (1)
OPINION on the proposal for a regulation of the European Parliament and of the Council on ENISA, the "EU Cybersecurity Agency", and repealing Regulation (EU) 526/2013, and on Information and Communication Technology cybersecurity certification ("Cybersecurity Act")
Amendments (17)
Amendment 24
Proposal for a regulation
Recital 3
(3) Increased digitisation and connectivity lead to increased cybersecurity risks, thus making society at large more vulnerable to cyber threats and exacerbating dangers faced by individuals, including vulnerable persons such as children. Moreover, the increasingly frequent conduct of malicious cyber operations by third-country actors, both non-state actors and governments, threatens to disrupt democratic processes and to destabilize democratic societies across Europe. In order to mitigate these risks to society, all necessary actions need to be taken to improve cybersecurity in the EU to better protect network and information systems, telecommunication networks, digital products, services and devices used by citizens, governments and business – from SMEs to operators of critical infrastructures – from cyber threats.
Amendment 30
Proposal for a regulation
Recital 5
(5) In light of the increased cybersecurity challenges faced by the Union, there is a need for a comprehensive set of measures that would build on previous Union action and foster mutually reinforcing objectives. These include the need to further increase capabilities and preparedness of Member States and businesses, as well as to improve cooperation and coordination across Member States and EU institutions, agencies and bodies. Furthermore, given the borderless nature of cyber threats, there is a need to increase capabilities at Union level that could complement the action of Member States, in particular in the case of large scale cross-border cyber incidents and crises. Additional efforts are also needed to increase awareness of citizens and businesses on cybersecurity issues. Moreover, the trust in the digital single market should be further improved by offering transparent information on the level of privacy and security of ICT products and services. EU-wide certification providing common cybersecurity requirements and evaluation criteria across national markets and sectors can contribute to this objective. However, voluntary measures implemented by the private sector, inter alia by IoT operators and service providers, should also be encouraged.
Amendment 42
Proposal for a regulation
Recital 28
(28) The Agency should contribute towards raising the awareness of the public about risks related to cybersecurity and provide guidance on good practices for individual users aimed at citizens and organisations. To improve the overall level of preparedness and resilience, the Agency should also contribute to promote best practices and solutions at the level of individuals and organisations by collecting and analysing publicly available information regarding significant incidents, and by compiling reports with a view to providing guidance to businesses, citizens and relevant authorities at European and national level. The Agency should furthermore organise, in cooperation with the Member States and the Union institutions, bodies, offices and agencies regular outreach and public education campaigns directed to end-users. These campaigns should promote safer individual online behaviour and raise awareness of potential threats in cyberspace, including cybercrimes such as phishing attacks, botnets, financial and banking fraud, forgery and illegal content, as well as advocate data protection and basic authentication to prevent data and identity theft. The Agency should play a central role in accelerating end-user awareness on security of devices.
Amendment 44
Proposal for a regulation
Recital 28 a (new)
(28a) The Agency should raise the awareness of the public about risks of data fraud incidents and thefts that may seriously affect the fundamental rights of individuals, pose threat to the rule of law and endanger the stability of democratic societies including democratic processes in the Member States.
Amendment 48
Proposal for a regulation
Recital 35
(35) The Agency should encourage Member States, hardware and software producers as well as service providers to raise their general security standards so that all internet users can take the necessary steps to ensure their own personal cybersecurity. In particular, service providers and product manufacturers should ensure that the products and services they place on the market meet cybersecurity standards. In cooperation with competent authorities, ENISA may disseminate information regarding the level of cybersecurity of the products and services offered in the internal market, and issue warnings targeting providers and manufacturers and requiring them to improve the security, including cybersecurity, of their products and services.
Amendment 49
Proposal for a regulation
Recital 37
(37) Cybersecurity threats are a global challenge. Closer international cooperation is needed to mitigate these threats, in particular as regards information sharing and the development of common security standards, including the definition of common norms of behaviour. Furthermore, international collaboration in response to network and information security issues should be accelerated and a global approach on these issues promoted. To that end, the Agency should support further Union involvement and cooperation with third countries and international organisations by providing, where appropriate, the necessary expertise and analysis to the relevant Union institutions, bodies, offices and agencies.
Amendment 54
Proposal for a regulation
Recital 55
(55) The purpose of European cybersecurity certification schemes should be to ensure that ICT products and services certified under such a scheme comply with specified requirements. Such requirements concern the ability to resist, at a given level of assurance, actions that aim to compromise the availability, authenticity, integrity and confidentiality of stored or transmitted or processed data or the related functions of or services offered by, or accessible via those products, processes, services and systems within the meaning of this Regulation. It is not possible to set out in detail in this Regulation the cybersecurity requirements relating to all ICT products and services. ICT products and services and related cybersecurity needs are so diverse, as is their lifecycle, that it is very difficult to come up with general cybersecurity requirements valid across the board. It is, therefore necessary to adopt a broad and general notion of cybersecurity for the purpose of certification, complemented by a set of specific cybersecurity objectives that need to be taken into account when designing European cybersecurity certification schemes. The modalities with which such objectives will be achieved in specific ICT products and services should then be further specified in detail at the level of the individual certification scheme adopted by the Commission in close consultation with the Member States and industrial stakeholders, for example by reference to standards or technical specifications. The individual certification schemes should be designed in such a way that all actors involved in the development of relevant IT products and services are encouraged to develop and adopt standards, norms and principles which ensure the highest possible level of security throughout the lifecycle.
Amendment 63
Proposal for a regulation
Article 2 – paragraph 1 – point 8
(8) ‘cyber threat’ means any potential circumstance, capability or event that may adversely impact network and information systems, their users and affected persons.
Amendment 71
Proposal for a regulation
Article 4 – paragraph 6
6. The Agency shall promote the use of certification, including by contributing to the development of European and international standards on cybersecurity, the establishment and maintenance of a cybersecurity certification framework at Union level in accordance with Title III of this Regulation, with a view to increasing transparency of cybersecurity assurance of ICT products and services and thus strengthen trust in the digital internal market.
Amendment 84
Proposal for a regulation
Article 8 – paragraph 1 – point a – point 1
(1) preparing candidate European cybersecurity certification schemes for ICT products and services in cooperation with industry in accordance with Article 44 of this Regulation;
Amendment 86
Proposal for a regulation
Article 9 – paragraph 1 – point d
(d) pool, organise and make available to the public, through a dedicated portal, information on cybersecurity, provided by the Union institutions, agencies and bodies and made available by Member States and public and private stakeholders;
Amendment 88
Proposal for a regulation
Article 9 – paragraph 1 – point e a (new)
Amendment 89
Proposal for a regulation
Article 9 – paragraph 1 – point g
(g) organise, in cooperation with the Member States and Union institutions, bodies, offices, agencies and other relevant stakeholders regular outreach campaigns to increase cybersecurity and its visibility in the Union.
Amendment 98
Proposal for a regulation
Article 30 – paragraph 1
1. In order to facilitate the combating of fraud, corruption and other unlawful activities under Regulation (EU, Euratom) No 883/2013 of the European Parliament and of the Council [39], the Agency shall, within six months from the day it becomes operational, accede to the Interinstitutional Agreement of 25 May, 1999 concerning internal investigations by the European Anti-fraud Office (OLAF) and shall adopt without delay the appropriate provisions applicable to all the employees of the Agency, using the template set out in the Annex to that Agreement.
[39] Regulation (EU, Euratom) No 883/2013 of the European Parliament and of the Council of 11 September 2013 concerning investigations conducted by the European Anti-Fraud Office (OLAF) and repealing Regulation (EC) No 1073/1999 of the European Parliament and of the Council and Council Regulation (Euratom) No 1074/1999 (OJ L 248, 18.9.2013, p. 1).
Amendment 99
Proposal for a regulation
Article 30 – paragraph 2
2. The Court of Auditors shall have the power of audit, on the basis of documents and on the spot inspections, over all grant beneficiaries, contractors and subcontractors who have received Union funds from the Agency.
Amendment 101
Proposal for a regulation
Article 44 – paragraph 1
1. Following a request from the Commission, ENISA shall prepare a candidate European cybersecurity certification scheme which meets the requirements set out in Articles 45, 46 and 47 of this Regulation. Member States, the European Cybersecurity Certification Group (the ‘Group’) established under Article 53, or industry representatives may propose the preparation of a candidate European cybersecurity certification scheme to the Commission.
Amendment 121
Proposal for a regulation
Article 48 – paragraph 6
6. Certificates shall be issued for a maximum period of three years and may be renewed, under the same conditions,determined on a case by case basis for each scheme and may be renewed provided that the relevant requirements continue to be met.