25 Amendments of Morten PETERSEN related to 2017/0225(COD)
Amendment 22 #
Proposal for a regulation
Recital 2
(2) The use of network and information systems by citizens, businesses and governments across the Union is now pervasive. Digitisation and connectivity are becoming core features in an ever growing number of products and services and with the advent of the Internet of Things (IoT) millions, if not billions, of connected digital devices are expected to be deployed across the EU during the next decade. While an increasing number of devices are connected to the Internet, security and resilience are not sufficiently built in by design, leading to insufficient cybersecurity. In this context, the limited and fragmented use of certification leads to insufficient information for organisational and individual users about the cybersecurity features of ICT products and services, undermining trust in digital solutions.
Amendment 43 #
Proposal for a regulation
Recital 28
(28) The Agency should contribute towards raising the awareness of the public about risks related to cybersecurity and provide guidance on good practices for individual users aimed at citizens and organisations. The Agency should also contribute to promote best practices and solutions at the level of individuals and organisations by collecting and analysing publicly available information regarding significant incidents, and by compiling reports with a view to providing guidance to businesses and citizens and improving the overall level of preparedness and resilience. The Agency should furthermore organise, in cooperation with the Member States and the Union institutions, bodies, offices and agencies regular outreach and public education campaigns directed to end-users, aiming at promoting cybersecurity education, safer individual online behaviour and raising awareness of potential threats in cyberspace, including cybercrimes such as phishing attacks, botnets, financial and banking fraud, as well as promoting basic authentication and data protection advice. The Agency should play a central role in accelerating end-user awareness on security of devices.
Amendment 46 #
Proposal for a regulation
Recital 30
(30) To ensure that it fully achieves its objectives, the Agency should liaise with relevant institutions, agencies and bodies, including CERT-EU, European Cybercrime Centre (EC3) at Europol, European Defence Agency (EDA), European Agency for the operational management of large-scale IT systems (eu-LISA), European Aviation Safety Agency (EASA) and any other EU Agency that is involved in cybersecurity. It should also liaise with European and national authorities dealing with data protection in order to exchange know-how and best practices and provide advice on cybersecurity aspects that might have an impact on their work. Representatives of national and Union law enforcement and data protection authorities should be eligible to be represented in the Agency’s Permanent Stakeholders Group. In liaising with law enforcement bodies regarding network and information security aspects that might have an impact on their work, the Agency should respect existing channels of information and established networks.
Amendment 53 #
Proposal for a regulation
Recital 52
(52) In view of the above, it is necessary to establish a harmonised European cybersecurity certification framework laying down the main horizontal requirements for European cybersecurity certification schemes to be developed and allowing certificates for ICT products and services to be recognised and used in all Member States. The European framework should have a twofold purpose: on the one hand, it should help increase trust in ICT products and services that have been certified according to such schemes. On the other hand, it should avoid the multiplication of conflicting or overlapping national cybersecurity certifications and thus reduce costs for undertakings operating in the digital single market. The schemes should be non-discriminatory and based on international and / or Union standards, unless those standards are ineffective or inappropriate to fulfil the EU’s legitimate objectives in that regard.
Amendment 55 #
Proposal for a regulation
Recital 55 a (new)
(55a) ENISA should develop a certification scheme with a global perspective in order to prevent future trade barriers. In the process of developing the criteria for the certification scheme ENISA should engage in dialogue with relevant partners in the sector to ensure market feasibility.
Amendment 69 #
Proposal for a regulation
Article 4 – paragraph 5
5. The Agency shall increase cybersecurity capabilities at Union level in order to complement and support the action of Member States in preventing and responding to cyber threats, notably in the event of cross-border incidents.
Amendment 80 #
Proposal for a regulation
Article 6 – paragraph 1 – point f a (new)
(fa) and cooperate with national data protection supervisory authorities, where necessary;
Amendment 87 #
Proposal for a regulation
Article 9 – paragraph 1 – point e
(e) raise awareness of the public about cybersecurity risks, disseminate adequate measures for prevention of incidents, and provide guidance on good practices for individual users aimed at citizens and organisations;
Amendment 94 #
Proposal for a regulation
Recital 3
(3) Increased digitisation and connectivity lead to increased cybersecurity risks, thus making society at large more vulnerable to cyber threats and exacerbating dangers faced by individuals, including vulnerable persons such as children. In order to mitigate this risk to society, all necessary actions need to be taken to improve cybersecurity in the EU to better protect network and information systems, telecommunication networks, digital products, services and devices used by citizens, governments and business – from SMEs to operators of critical infrastructures – from cyber threats. In this respect the Digital Education Action Plan published by the European Commission on 17 January 2018 is a step in the right direction, in particular the EU-wide awareness-raising campaign targeting educators, parents and learners to foster online safety, cyber hygiene and media literacy as well as the cyber-security teaching initiative building on the Digital Competence Framework for Citizens, to empower people to use technology confidently and responsibly.
Amendment 105 #
Proposal for a regulation
Recital 5 a (new)
(5 a) Businesses as well as individual consumers should have accurate information regarding the level of security of their ICT products. At the same time, it has to be understood that no product is cyber secure and that basic rules of cyber hygiene have to be promoted and prioritized.
Amendment 108 #
Proposal for a regulation
Recital 8
(8) It is recognised that, since the adoption of the 2013 EU Cybersecurity Strategy and the last revision of the Agency's mandate, the overall policy context has changed significantly, also in relation to a more uncertain and less secure global environment. In this context and in the context of the positive role the Agency has played over the years in pooling of expertise, coordination, capacity building and within the framework of the new Union cybersecurity policy, it is necessary to review the mandate of ENISA to define its role in the changed cybersecurity ecosystem and ensure it contributes effectively to the Union's response to cybersecurity challenges emanating from this radically transformed threat landscape, for which, as recognised by the evaluation of the Agency, the current mandate is not sufficient.
Amendment 116 #
Proposal for a regulation
Recital 15
(15) The Agency should assist the Member States and Union institutions, bodies, offices and agencies in their efforts to build and enhance capabilities and preparedness to prevent, detect and respond to cybersecurity problems and incidents and in relation to the security of network and information systems. In particular, the Agency should support the development and enhancement of national CSIRTs, with a view to achieving a high common level of their maturity in the Union. The Agency should also assist with the development and update of Union and Member States strategies on the security of network and information systems, in particular on cybersecurity, promote their dissemination and track progress of their implementation. The Agency should also offer training and training material to public bodies, and where appropriate "train the trainers" with a view to assisting Member States in developing their own training capabilities. The Agency should also serve as a contact point for Member States and Union institutions, who should be able to request assistance from the Agency within the competences and roles assigned to it.
Amendment 129 #
Proposal for a regulation
Recital 28
(28) The Agency should contribute towards raising the awareness of the public about risks related to cybersecurity and provide guidance on good practices for individual users aimed at citizens and organisations. The Agency should also contribute to promote best practices and solutions at the level of individuals and organisations by collecting and analysing publicly available information regarding significant incidents, and by compiling reports with a view to providing guidance to businesses and citizens and improving the overall level of preparedness and resilience. The Agency should furthermore organise, in line with the Digital Education Action Plan and in cooperation with the Member States and the Union institutions, bodies, offices and agencies regular outreach and public education campaigns directed to end-users, aiming at promoting safer individual online behaviour and raising awareness of potential threats in cyberspace, including cybercrimes such as phishing attacks, botnets, financial and banking fraud, as well as promoting basic authentication and data protection advice. The Agency should play a central role in accelerating end-user awareness on security of devices.
Amendment 161 #
Proposal for a regulation
Recital 47
(47) Conformity assessment is the process demonstrating whether specified requirements relating to a product, process, service, system, person or body have been fulfilled. For the purposes of this Regulation, certification should be considered as a type of conformity assessment regarding the cybersecurity features of a product, process, service, system, or a combination of those ("ICT products and services") by an independent third party, other than the product manufacturer or service provider. Certification cannot guarantee per se that certified ICT products and services are cyber secure. It is rather a procedure and technical methodology to attest that ICT products and services have been tested and that they comply with certain cybersecurity requirements laid down elsewhere, for example as specified in technical standards. Undertakings should also ensure the security by design and by default of their ICT products and services taking into account the state of the art.
Amendment 164 #
Proposal for a regulation
Recital 48 a (new)
(48 a) Despite the fact that it is not possible to foresee future technology and market developments, producers should take into account all known threats when developing their products. Producers should also be liable for the quality of a product put on the EU market, including cyber resilience. At the same time, consumers should assume their share of responsibility by following basic rules of cyber hygiene, which could significantly reduce the number of human errors in the field of cybersecurity.
Amendment 166 #
Proposal for a regulation
Recital 50
(50) Currently, the cybersecurity certification of ICT products and services is used only to a limited extent. When it exists, it mostly occurs at Member State level or in the framework of industry driven schemes. In this context, a certificate issued by one national cybersecurity authority is not in principle recognised by other Member States. Companies thus may have to certify their products and services in several Member States where they operate, for example with a view to participating in national procurement procedures. Moreover, while new schemes are emerging, there seems to be no coherent and holistic approach with regard to horizontal cybersecurity issues, for instance in the field of the Internet of Things. Existing schemes present significant shortcomings and differences in terms of product coverage, levels of assurance, substantive criteria and actual utilisation. Mutual recognition and trust among Member States is a key element in this respect. ENISA has an important role to play in helping the Member States develop a solid institutional structure and expertise in protection against potential cyber attacks.
Amendment 172 #
Proposal for a regulation
Recital 53 a (new)
(53 a) The Agency and the Commission should make the best use of already existing certification schemes at EU and / or international level. ENISA should be able to assess which schemes already in use are fit for purpose and can be brought into European legislation in cooperation with EU standardisation organisations and, as far as possible, internationally recognised. Existing good practices should be collected and shared among Member States.
Amendment 247 #
Proposal for a regulation
Article 4 – paragraph 2
2. The Agency shall assist the Union institutions, agencies and bodies, as well as Member States, in developing and implementing policies related to cybersecurity and raising awareness among citizens and businesses.
Amendment 261 #
Proposal for a regulation
Article 4 – paragraph 6
6. The Agency shall promote the use of certification, including by contributing to the establishment and maintenance of a cybersecurity certification framework at Union level in accordance with Title III of this Regulation, with a view to increasing transparency of cybersecurity assurance of ICT products and services, reducing fragmentation of the internal market and thus strengthening trust in the digital internal market.
Amendment 340 #
Proposal for a regulation
Article 8 – paragraph 1 – point b
(b) facilitate the establishment and take-up of European and/or international standards for risk management and for the security of ICT products and services, as well as draw up, in collaboration with Member States, advice and guidelines regarding the technical areas related to the security requirements for operators of essential services and digital service providers, as well as regarding already existing standards, including Member States' national standards, pursuant to Article 19(2) of Directive (EU) 2016/1148 and share this information among Member States;
Amendment 390 #
Proposal for a regulation
Article 20 a (new)
Article 20 a
Consultation Forum
The Commission, together with the Agency, shall ensure that, in the conduct of its activities, it observes, in respect of each implementing measure, a balanced participation of Member States’ representatives and all interested parties concerned with the product or product group in question, such as industry, including SMEs, trade unions, traders, retailers, importers, environmental protection groups and consumer and end-user organisations. These parties shall meet in a Consultation Forum. The outcome of this forum may lead to an impetus for the proposal of a candidate scheme. The rules of procedure of the Forum shall be established by the Commission.
Amendment 391 #
Proposal for a regulation
Article 21 a (new)
Article 21 a
Request to the Agency
1. The Agency should establish and manage a single entry point through which requests for advice and assistance falling within the Agency’s objectives and tasks shall be addressed. These requests should be accompanied by background information explaining the issue to be addressed. The Agency should draw up the potential resource implications and, in due course, follow up on the requests. If the Agency refuses a request, it shall give a justification.
2. Requests referred to in paragraph 1 may be made by:
a) the European Parliament
b) the Council
c) the Commission
d) any competent body appointed by a Member State, such as a national regulatory authority defined in Article 2 of Directive 2002/21/EC.
3. The practical arrangements for applying paragraphs 1 and 2, regarding in particular submission, prioritisation, follow-up and information, shall be laid down by the Management Board in the Agency’s internal rules of operation.
Amendment 443 #
Proposal for a regulation
Article 44 – paragraph 5 a (new)
5a. Adopted schemes shall be reviewed and, if necessary, updated on a regular basis in cooperation with relevant stakeholders and the Group within the structure established under this Regulation.
Amendment 519 #
Proposal for a regulation
Article 47 – paragraph 1 – point b
(b) detailed specification of the cybersecurity requirements against which the specific ICT products and services are evaluated, for example by reference to Union and / or international standards or technical specifications. Already existing international standards should be taken into account;
Amendment 525 #
Proposal for a regulation
Article 47 – paragraph 1 – point c
(c) where applicable, one or more assurance levels taking into account inter alia a risk-based approach;