26 Amendments of Matthijs van MILTENBURG related to 2017/0225(COD)
Amendment 129 #
Proposal for a regulation
Article 1 – paragraph 1 – point b
Article 1 – paragraph 1 – point b
(b) lays down a framework for the establishment of European cybersecurity certification schemes for the purpose of ensuring an adequate level of cybersecurity of ICT products, processes and services in the Union. Such framework shall apply without prejudice to specific provisions regarding voluntary or mandatory certification in other Union acts. (This amendment applies throughout the text. Adopting it will necessitate corresponding changes throughout.)
Amendment 138 #
Proposal for a regulation
Article 2 – paragraph 1 – point 10
Article 2 – paragraph 1 – point 10
(10) ‘European cybersecurity certificate’ means a document issued by a conformity assessment body attesting that a given ICT product, process or service fulfils the specific requirements laid down in a European cybersecurity certification scheme;
Amendment 149 #
Proposal for a regulation
Article 3 – paragraph 2 a (new)
Article 3 – paragraph 2 a (new)
2a. The Agency shall assist Member States and Union institutions in establishing policies and practices for the responsible management and coordinated disclosure of vulnerabilities in ICT products and services that are not publicly known.
Amendment 158 #
Proposal for a regulation
Article 4 – paragraph 7 a (new)
Article 4 – paragraph 7 a (new)
7a. The Agency shall assist and advise Member States and Union institutions in establishing policies and practices for the responsible management and coordinated disclosure of vulnerabilities in ICT products and services that are not publicly known, inter alia by establishing government vulnerability disclosure review processes and coordinated vulnerability disclosure policies.
Amendment 160 #
Proposal for a regulation
Article 5 – paragraph 1 – point 2
Article 5 – paragraph 1 – point 2
2. assisting Member States to implement consistently the Union policy and law regarding cybersecurity notably in relation to Directive (EU) 2016/1148, including by means of opinions, guidelines, advice and best practices on topics such as risk management, incident reporting and information sharing, technical and organisational measures, in particular the establishment of coordinated vulnerability disclosure programmes, as well as facilitating the exchange of best practices between competent authorities in this regard;
Amendment 162 #
Proposal for a regulation
Article 5 – paragraph 1 – point 2 a (new)
Article 5 – paragraph 1 – point 2 a (new)
Amendment 170 #
Proposal for a regulation
Article 5 – paragraph 1 – point 4 – point 2 a (new)
Article 5 – paragraph 1 – point 4 – point 2 a (new)
(2a) the development and promotion of policies that would sustain the general availability or integrity of the public core of the open internet, which provide the essential functionality to the Internet as a whole and which underpin its normal operation, including, but not limited to, the security and stability of key protocols (in particular DNS, BGP, and IPv6), the operation of the Domain Name System (including those of all Top Level Domains), and the operation of the Root Zone
Amendment 172 #
Proposal for a regulation
Article 6 – paragraph 1 – point a a (new)
Article 6 – paragraph 1 – point a a (new)
(aa) Members States and Union institutions in establishing and implementing coordinated vulnerability disclosure policies and government vulnerability disclosure review processes, whose practices and determinations should be transparent and subject to independent oversight.
Amendment 179 #
Proposal for a regulation
Article 7 – paragraph 8 – point e a (new)
Article 7 – paragraph 8 – point e a (new)
(ea) assisting and advising Member States on establishing and implementing coordinated vulnerability disclosure policies and government vulnerability disclosure review processes.
Amendment 190 #
Proposal for a regulation
Article 8 – paragraph 1 – point c a (new)
Article 8 – paragraph 1 – point c a (new)
(ca) support and promote the development and implementation of coordinated vulnerability disclosure policies and government vulnerability disclosure review processes;
Amendment 204 #
Proposal for a regulation
Article 1 – paragraph 1 – point b
Article 1 – paragraph 1 – point b
(b) lays down a framework for the establishment of European cybersecurity certification schemes for the purpose of ensuring an adequate level of cybersecurity of ICT products, processes and services in the Union. Such framework shall apply without prejudice to specific provisions regarding voluntary or mandatory certification in other Union acts.
Amendment 228 #
Proposal for a regulation
Article 2 – paragraph 1 – point 10
Article 2 – paragraph 1 – point 10
(10) ‘European cybersecurity certificate’ means a document issued by a conformity assessment body attesting that a given ICT product, process or service fulfils the specific requirements laid down in a European cybersecurity certification scheme;
Amendment 241 #
Proposal for a regulation
Article 3 – paragraph 2 a (new)
Article 3 – paragraph 2 a (new)
2 a. The Agency shall assist Member States and Union institutions in establishing policies and practices for the responsible management and coordinated disclosure of vulnerabilities in ICT products and services that are not publicly known.
Amendment 271 #
Proposal for a regulation
Article 4 – paragraph 7 a (new)
Article 4 – paragraph 7 a (new)
7 a. The Agency shall assist and advise Member States and Union institutions in establishing policies and practices for the responsible management and coordinated disclosure of vulnerabilities in ICT products and services that are not publicly known, inter alia, by establishing government vulnerability disclosure review processes and coordinated vulnerability disclosure policies.
Amendment 273 #
Proposal for a regulation
Article 5 – paragraph 1 – point 2
Article 5 – paragraph 1 – point 2
2. assisting Member States to implement consistently the Union policy and law regarding cybersecurity notably in relation to Directive (EU) 2016/1148, including by means of opinions, guidelines, advice and best practices on topics such as secure software and systems development, risk management, incident reporting and information sharing, technical and organisational measures, in particular the establishment of coordinated vulnerability disclosure programmes, as well as facilitating the exchange of best practices between competent authorities in this regard;
Amendment 277 #
Proposal for a regulation
Article 5 – paragraph 1 – point 2 a (new)
Article 5 – paragraph 1 – point 2 a (new)
2 a. proposing a blueprint which establishes the roles, responsibilities and legal obligations of vendors, manufacturers, CERTs and CSIRTs, and which further clarifies the legal rights and protections of information security researchers in the context of a coordinated vulnerability disclosure programme, in particular in cases of multi-party vulnerability disclosures that affect multiple vulnerability finders and vendors in different Member States
Amendment 286 #
Proposal for a regulation
Article 5 – paragraph 1 – point 4 – point 2 a (new)
Article 5 – paragraph 1 – point 4 – point 2 a (new)
(2 a) the development and promotion of policies that would sustain the general availability or integrity of the public core of the open internet, which provide the essential functionality to the Internet as a whole and which underpin its normal operation, including, but not limited to, the security and stability of key protocols (in particular DNS, BGP, and IPv6), the operation of the Domain Name System (including those of all Top Level Domains), and the operation of the Root Zone
Amendment 288 #
Proposal for a regulation
Article 6 – paragraph 1 – point a a (new)
Article 6 – paragraph 1 – point a a (new)
(a a) Members States and Union institutions in establishing and implementing coordinated vulnerability disclosure policies and government vulnerability disclosure review processes, whose practices and determinations should be transparent and subject to independent oversight.
Amendment 306 #
Proposal for a regulation
Article 7 – paragraph 7 a (new)
Article 7 – paragraph 7 a (new)
7 a. The Agency shall prepare, together with the EEAS, a regular global Cybersecurity Situational Report on incidents and threats towards individuals, including towards vulnerable users outside the EU such as lawyers, journalists, or human rights defenders, in order to help the Union institutions respond to external needs and uphold its human rights responsibilities abroad
Amendment 311 #
Proposal for a regulation
Article 7 – paragraph 8 – point e a (new)
Article 7 – paragraph 8 – point e a (new)
(e a) assisting and advising Member States on establishing and implementing coordinated vulnerability disclosure policies and government vulnerability disclosure review processes.
Amendment 344 #
Proposal for a regulation
Article 8 – paragraph 1 – point c a (new)
Article 8 – paragraph 1 – point c a (new)
(c a) support and promote the development and implementation of coordinated vulnerability disclosure policies and government vulnerability disclosure review processes
Amendment 344 #
Proposal for a regulation
Article 47 – paragraph 1 – point j
Article 47 – paragraph 1 – point j
(j) rules concerning how previously undetected cybersecurity vulnerabilities in ICT products and services are to be reported and dealt with;requiring vulnerabilities in ICT products and services that are not publicly known to be reported expeditiously by the appropriate authorities to relevant vendors and manufacturers using a coordinated vulnerability disclosure process.
Amendment 355 #
Proposal for a regulation
Article 47 – paragraph 1 – point m a (new)
Article 47 – paragraph 1 – point m a (new)
(ma) Rules concerning how and when Member States are to inform each other when they acquire knowledge of a vulnerability that is not publicly known in an ICT product or service that is certified under this certification scheme.
Amendment 511 #
Proposal for a regulation
Article 46 – paragraph 2 a (new)
Article 46 – paragraph 2 a (new)
2a. The methodology to distinguish between the different assurance levels should be guided by a test which assesses the resistance of the security functionalities against attackers that have significant to unlimited resources.
Amendment 534 #
Proposal for a regulation
Article 47 – paragraph 1 – point j
Article 47 – paragraph 1 – point j
(j) rules concerning how previously undetected cybersecurity vulnerabilities in ICT products and services are to be reported and dealt with; requiring vulnerabilities in ICT products and services that are not publicly known to be reported expeditiously by the appropriate authorities to relevant vendors and manufacturers using a coordinated vulnerability disclosure process.
Amendment 540 #
Proposal for a regulation
Article 47 – paragraph 1 – point m a (new)
Article 47 – paragraph 1 – point m a (new)
(ma) rules concerning how and when Member States must inform each other when they acquire knowledge of a vulnerability that is not publicly known in an ICT product or service that is certified under this certification scheme.