58 Amendments of Marco ZULLO related to 2017/0225(COD)
Amendment 115
Proposal for a regulation
Recital 15
(15) The Agency should assist the Member States and Union institutions, bodies, offices and agencies in their efforts to build and enhance capabilities and preparedness to prevent, detect and respond to cybersecurity problems and incidents and in relation to the security of network and information systems. In particular, the Agency should support the development and enhancement of national CSIRTs, with a view of achieving a high common level of their maturity in the Union. The Agency should also assist with the development and update of Union and Member States strategies on the security of network and information systems, in particular on cybersecurity, promote their dissemination and track progress of their implementation. Moreover, the Agency should assist and advise Member States and Union institutions in establishing transparent policies and practices for the management and coordinated disclosure of vulnerabilities in ICT products, processes, services and systems that are not publicly known, including the establishment of a government vulnerability disclosure review process and coordinated vulnerability disclosure policies. Finally, the Agency should also offer trainings and training material to public bodies, and where appropriate "train the trainers" with a view to assisting Member States in developing their own training capabilities.
Amendment 127
Proposal for a regulation
Recital 28
(28) The Agency should contribute towards raising the awareness of the public about risks related to cybersecurity and provide guidance on good practices for individual users aimed at citizens and organisations. The Agency should also contribute to promote best practices and solutions at the level of individuals and organisations by collecting and analysing publicly available information regarding significant incidents, and by compiling reports with a view to providing guidance to businesses and citizens and improving the overall level of preparedness and resilience. The Agency should furthermore organise, in cooperation with the Member States and the Union institutions, bodies, offices and agencies regular outreach and public education campaigns directed to end-users, aiming at promoting safer individual online behaviour and raising awareness of potential threats in cyberspace, including cybercrimes such as phishing attacks, botnets, financial and banking fraud, as well as promoting basic authentication and data protection advice. The Agency should play a central role in accelerating end-user awareness on security of devices and ICT products, processes, services and systems complying with the principle of security by design and by default, while providing end-users guidance on the best cyber hygiene practices also through awareness raising campaigns.
Amendment 138
Proposal for a regulation
Recital 35
(35) The Agency should encourage Member States, manufacturers and service providers to raise their general security standards of their ICT products, processes, services and systems which should comply with basic security obligations in line with the principle of security by design and by default, so that all internet users can be secured and incentivised to take the necessary steps to ensure their own personal cybersecurity. In particular, service providers and product manufacturers should recall, withdraw or recycle products and services that do not meet basic cybersecurity obligations, while importers and distributors should make sure that ICT products, processes, services and systems they place on the EU market comply with the applicable requirements and do not present a risk to European consumers. In cooperation with competent authorities, ENISA may disseminate information regarding the level of cybersecurity of the products and services offered in the internal market, and issue warnings targeting providers and manufacturers and requiring them to improve the security, including cybersecurity, of their products, processes, services and systems.
Amendment 147
Proposal for a regulation
Recital 42
(42) The smooth functioning of the Agency requires that its Executive Director be appointed on grounds of merit and documented administrative and managerial skills, as well as competence and experience relevant for cybersecurity, and that the duties of the Executive Director be carried out with complete independence. The Executive Director should prepare a proposal for the Agency’s work programme, after prior consultation with the Commission, and take all necessary steps to ensure the proper execution of the work programme of the Agency. The Executive Director should prepare an annual report to be submitted to the Management Board, draw up a draft statement of estimates of revenue and expenditure for the Agency, and implement the budget. Furthermore, the Executive Director should have the option of setting up ad hoc Working Groups to address specific matters, in particular of a scientific, technical, legal or socioeconomic nature. The Executive Director should ensure that the ad hoc Working Groups’ members are selected according to the highest standards of expertise, taking due account of a representative and gender balance, as appropriate according to the specific issues in question, between the public administrations of the Member States, the Union institutions and the private sector, including industry, users, and academic experts in network and information security.
Amendment 153
Proposal for a regulation
Recital 44
(44) The Agency should have a Permanent Stakeholders’ Group as an advisory body, to ensure regular dialogue with the private sector, civil society and consumers’ organisations and other relevant stakeholders. The Permanent Stakeholders’ Group, set up by the Management Board on a proposal by the Executive Director, should focus on issues relevant to stakeholders and bring them to the attention of the Agency. The composition of the Permanent Stakeholders Group and the tasks assigned to this Group, to be consulted in particular regarding the draft Work Programme, should ensure sufficient representation of stakeholders in the work of the Agency and gender balance should be pursued.
Amendment 174
Proposal for a regulation
Recital 55
(55) The purpose of European cybersecurity certification schemes should be to ensure that ICT products and services certified under such a scheme comply with specified cybersecurity requirements defined on a risk assessment checklist developed by ENISA. Such requirements concern the ability to resist, at a given level of assurance, actions that aim to compromise the availability, authenticity, integrity and confidentiality of stored or transmitted or processed data or the related functions of or services offered by, or accessible via those products, processes, services and systems within the meaning of this Regulation. It is not possible to set out in detail in this Regulation the cybersecurity requirements relating to all ICT products and services. ICT products and services and related cybersecurity needs are so diverse that it is very difficult to come up with general cybersecurity requirements valid across the board. It is, therefore, necessary to adopt a broad and general notion of cybersecurity for the purpose of certification, complemented by a set of specific cybersecurity objectives that need to be taken into account when designing European cybersecurity certification schemes. The modalities with which such objectives will be achieved in specific ICT products and services should then be further specified in detail at the level of the individual certification scheme adopted by the Commission, for example by reference to standards or technical specifications.
Amendment 175
Proposal for a regulation
Recital 56
(56) The Commission should be empowered to request ENISA to prepare candidate schemes for specific ICT products or services on the basis of justified grounds (i.e. fragmentation of the internal market, need to support specific Union legislation or consensual request from Member States, the European Cybersecurity Certification group and the Permanent Stakeholder Group). The Commission, based on the candidate scheme proposed by ENISA, should then be empowered to adopt the European cybersecurity certification scheme by means of implementing acts. Taking account of the general purpose and security objectives identified in this Regulation, European cybersecurity certification schemes adopted by the Commission should specify a minimum set of elements concerning the subject-matter, the scope and functioning of the individual scheme. These should include among others the scope and object of the cybersecurity certification, including the categories of ICT products and services covered, the detailed specification of the cybersecurity requirements, for example by reference to standards or technical specifications, the specific evaluation criteria and evaluation methods, as well as the intended level of assurance: basic, substantial and/or high.
Amendment 180
Proposal for a regulation
Recital 57
(57) Recourse to European cybersecurity certification should remain voluntary, unless otherwise provided in the present Regulation or other Union and national legislation. European cybersecurity certification should for instance be mandatory for ICT products, processes, services and systems with high inherent risk intended for use by operators of essential services, by children, at home, in connected cars and medical devices, among others. With a view to achieving the objectives of this Regulation and avoiding the fragmentation of the internal market, national cybersecurity certification schemes or procedures for the ICT products and services covered by a European cybersecurity certification scheme should cease to produce effects from the date established by the Commission by means of the implementing act. Moreover, Member States should not introduce new national certification schemes providing cybersecurity certification schemes for ICT products and services already covered by an existing European cybersecurity certification scheme.
Amendment 198
Proposal for a regulation
Article 1 – paragraph 1 – introductory part
With a view to ensuring the proper functioning of the internal market while aiming at a high level of cyber resilience, cybersecurity and trust within the Union, this Regulation:
Amendment 199
Proposal for a regulation
Article 1 – paragraph 1 – point a
(a) lays down the objectives, tasks and organisational aspects of ENISA, the "EU Cybersecurity resilience Agency", hereinafter ‘the Agency’; and (This amendment applies throughout the text and its adoption will entail corresponding change throughout.)
Amendment 201
Proposal for a regulation
Article 1 – paragraph 1 – point b
(b) lays down a framework for the establishment of European cybersecurity certification schemes for the purpose of ensuring an adequate level of cybersecurity of ICT products, processes, services and systems in the Union. Such framework shall apply without prejudice to specific provisions regarding voluntary or mandatory certification in other Union acts. (This amendment applies throughout the text and its adoption will entail corresponding change throughout.)
Amendment 210
Proposal for a regulation
Article 2 – paragraph 1 – point 5 a (new)
(5 a) “national certification supervisory authority” means an authority of a Member State responsible for carrying out monitoring, enforcement and supervisory tasks in relation to IT security certification on its territory;
Amendment 230
Proposal for a regulation
Article 2 – paragraph 1 – point 11
(11) ‘ICT product, process, service and system’ means a product, service, process, system or a combination thereof that is any element or group of elements of network and information systems; (This amendment applies throughout the text and its adoption will entail corresponding changes throughout.)
Amendment 238
Proposal for a regulation
Title 2
ENISA – the "EU Cybersecurity resilience Agency"
Amendment 239
Proposal for a regulation
Article 3 – paragraph 1
1. The Agency shall undertake the tasks assigned to it by this Regulation for the purpose of achieving a high level of cyber resilience and in particular cybersecurity within the Union.
Amendment 243
Proposal for a regulation
Article 3 – paragraph 3 a (new)
3 a. The agency shall assist Member States and Union institutions in establishing transparent policies and practices for the responsible management and coordinated disclosure of vulnerabilities in ICT products, processes, services and systems that are not publicly known.
Amendment 250
Proposal for a regulation
Article 4 – paragraph 4
4. The Agency shall promote cooperation and coordination at Union level among Member States, Union institutions, agencies and bodies, and relevant stakeholders, including civil society organisations, including consumers’ organisations and the private sector, on matters related to cybersecurity.
Amendment 265
Proposal for a regulation
Article 4 – paragraph 7
7. The Agency shall promote a high level of awareness of citizens and businesses on issues related to the cybersecurity and provide guidance on improving their cyber resilience.
Amendment 270
Proposal for a regulation
Article 4 – paragraph 7 a (new)
7 a. The agency shall advise and assist Member States and the Union institutions in establishing policies and practices for the responsible management and coordinated disclosure of vulnerabilities in ICT products, processes, services and systems that are not publicly known, including in particular the establishment of government vulnerability disclosure review processes and coordinated vulnerability disclosure policies.
Amendment 278
Proposal for a regulation
Article 5 – paragraph 1 – point 2 a (new)
2 a. assisting and advising Member States and the Union institutions in establishing policies and practices for the responsible management and coordinated disclosure of vulnerabilities in ICT products, processes, services and systems that are not publicly known, including in particular the establishment of government vulnerability disclosure review processes and coordinated vulnerability disclosure policies.
Amendment 279
Proposal for a regulation
Article 5 – paragraph 1 – point 2 b (new)
2 b. proposing policies aimed at ensuring ICT manufacturers, service providers, importers and distributors act with due diligence regarding the timely fixing of IT security vulnerabilities in their products, processes and services in order to avoid unduly exposing their users to cybercrime;
Amendment 287
Proposal for a regulation
Article 5 – paragraph 1 – point 5 – point c a (new)
(c a) the state of the implementation of coordinated vulnerability disclosure review process by Member States and Union Institutions.
Amendment 290
Proposal for a regulation
Article 6 – paragraph 1 – point g
(g) the Member States by organising regularly and at least a yearly large-scale cybersecurity exercises at the Union level referred to in Article 7(6) and by making policy recommendations based on the evaluation process of the exercises and lessons learned from them;
Amendment 291
Proposal for a regulation
Article 6 – paragraph 1 – point i a (new)
(i a) Member States and Union institutions in establishing coordinated vulnerability disclosure policies and government vulnerability disclosure review processes which are transparent and subject to independent assessment.
Amendment 312
Proposal for a regulation
Article 7 – paragraph 8 – point e a (new)
(e a) assisting Member States on establishing and implementing coordinated vulnerability disclosure policies and government vulnerability disclosure review processes.
Amendment 336
Proposal for a regulation
Article 8 – paragraph 1 – point a a (new)
(a a) support and promote the development and the implementation of coordinated vulnerability disclosure policies and government vulnerability disclosure review processes, including regard the vulnerabilities of ICT products, processes, services and systems certified under Title II of this regulation;
Amendment 351
Proposal for a regulation
Article 9 – paragraph 1 – point e
(e) raise awareness of the public about cybersecurity risks and cyber hygiene practices, and provide guidance on good practices for individual users aimed at citizens and organisations with the aim of improving their cyber resilience;
Amendment 356
Proposal for a regulation
Article 9 – paragraph 1 – point g a (new)
(g a) promote the adoption by all actors on the Digital Single Market of preventive strong IT security measures and reliable data protection and privacy according to the Regulation (EU) 2016/679 and [Regulation 2017/0003/COD].
Amendment 365
Proposal for a regulation
Article 13 – paragraph 1
1. The Management Board shall be composed of one representative of each Member State, and two representatives appointed by the Commission and the European Parliament and, after its establishment following article 20, three representatives of the Permanent Stakeholder group one of which shall represent consumers’ interests. All representatives shall have voting rights.
Amendment 373
Proposal for a regulation
Article 18 – paragraph 3
3. The Executive Board shall be composed of five members appointed from among the members of the Management Board amongst whom the Chairperson of the Management Board, who may also chair the Executive Board, and one of the representatives of the Commission. The Executive Director shall take part in the meetings of the Executive Board, but shall not have the right to vote. The composition of the Executive Board should aim at a balanced representation of genders.
Amendment 383
Proposal for a regulation
Article 20 – paragraph 1
1. The Management Board, acting on a proposal by the Executive Director, shall set up a Permanent Stakeholders’ Group composed of recognised experts representing the relevant stakeholders, such as the ICT industry, providers of electronic communications networks or services available to the public, consumer groups and other relevant civil society organisations, academic experts in the cybersecurity, and representatives of competent authorities notified under [Directive establishing the European Electronic Communications Code] as well as of law enforcement and data protection supervisory authorities.
Amendment 385
Proposal for a regulation
Article 20 – paragraph 2
2. Procedures for the Permanent Stakeholders’ Group, in particular regarding the number, composition, and the appointment of its members by the Management Board, the proposal by the Executive Director and the operation of the Group, shall be specified in the Agency’s internal rules of operation and shall be made public. The procedures shall follow best practice for fair representation and equal rights for all stakeholders and shall pursue a gender balanced approach.
Amendment 387
Proposal for a regulation
Article 20 – paragraph 2 a (new)
2 a. The composition of the Permanent Stakeholders’ Group shall include a minimum of five organisations representing consumer and/or civil society.
Amendment 392
Proposal for a regulation
Article 23 – paragraph 2
2. The Agency shall ensure that the public and any interested parties are given appropriate, objective, reliable and easily accessible information, in particular with regard to its work plan and relative progress and the results of its work. It shall also make public the declarations of interest made in accordance with Article 22.
Amendment 397
Proposal for a regulation
Title 2 a (new)
SECURITY BY DESIGN AND BY DEFAULT FRAMEWORK
Amendment 398
Proposal for a regulation
Article –43 (new)
Amendment 399
Proposal for a regulation
Article –43 a (new)
Article -43 a Directive (EU)2014/53/EU is amended by adding the following point in Article 3, paragraph 3: (fa) (new) radio equipment is cybersecure by design, by default and by implementation;
Amendment 410
Proposal for a regulation
Article 44 – paragraph 1
1. Following a request from the Commission, ENISA shall prepare a candidate European cybersecurity certification scheme which meets the requirements set out in Articles 45, 46 and 47 of this Regulation. The request from the Commission to prepare a candidate European cybersecurity certification scheme should be justified with one or more of the following reasons: (a) existing cybersecurity certification schemes are fragmenting the internal market; (b) there is a current or foreseen need to support Union’s legislation; (c) there is a consensual request from Member States, the European Cybersecurity Certification Group (the 'Group') established under Article 53 or the Permanent stakeholder group established under article 20; the European Commission shall make sure that the request coming from a Member State is reflective of a balanced participation of the interested parties concerned, such as industries, including SMEs, trade unions, civil society and consumers organisation. In this light, Member States shall ensure appropriate measures to enable the parties to be consulted at national level on the process of preparing and monitoring certification schemes
Amendment 419
Proposal for a regulation
Article 44 – paragraph 2
2. When preparing candidate schemes referred to in paragraph 1 of this Article, ENISA shall consult all relevant stakeholders, including consumers' associations, and closely cooperate with the Group and the Permanent stakeholder group. The Group and the permanent stakeholder group shall provide ENISA with the assistance and expert advice required by ENISA in relation to the preparation of the candidate scheme, including by providing opinions where necessary. When preparing each candidate scheme ENISA shall define a checklist of risks and cybersecurity features to effectively counter those risks;
Amendment 440
Proposal for a regulation
Article 44 – paragraph 5
5. ENISA shall maintain a dedicated website, complying with the Directive (EU) 2016/2102, providing information on, and publicity of, European cybersecurity certification schemes, the withdrawn and the expiration of any certification scheme and certified ICT products, processes, services and systems.
Amendment 462
Proposal for a regulation
Article 45 – paragraph 1 – point g a (new)
(ga) ensure that ICT product, process, services and systems are developed and operated in accordance with the principle of security by design and by default complying and the obligations defined in art -43.
Amendment 463
Proposal for a regulation
Article 46 – paragraph 1
1. Without prejudice to the security obligations defined in art -43, a European cybersecurity certification scheme may specify one or more of the following risk-based assurance levels: functionally secure, substantially and/or highly secure, for ICT products, processes, services and systems issued under that scheme. The assurance level shall be based on the checklist of risks and the corresponding cybersecurity features, identified by ENISA according to art 44(2), which are available in the ICT product, process, service or system to which the certification scheme applies.
Amendment 477
Proposal for a regulation
Article 46 – paragraph 2 – introductory part
2. The assurance levels functionally secure, substantially secure and/or highly secure shall meet the following criteria respectively:
Amendment 486
Proposal for a regulation
Article 46 – paragraph 2 – point a
(a) assurance level "functionally secure" shall refer to a certificate issued in the context of a European cybersecurity certification scheme, which provides an adequate degree of confidence in the claimed or asserted cybersecurity qualities of an ICT product or service as it corresponds to the compliance of the security obligations defined in art [-43] according to the principle of security by design and by default, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to decrease the risk of cybersecurity incidents;
Amendment 497
Proposal for a regulation
Article 46 – paragraph 2 – point b
(b) assurance level "substantially secure" shall refer to a certificate issued in the context of a European cybersecurity certification scheme, which provides a substantial degree of confidence in the claimed or asserted cybersecurity qualities of an ICT product or service, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to decrease substantially the risk of cybersecurity incidents;
Amendment 508
Proposal for a regulation
Article 46 – paragraph 2 – point c
(c) assurance level "highly secure" shall refer to a certificate issued in the context of a European cybersecurity certification scheme, which provides a higher degree of confidence in the claimed or asserted cybersecurity qualities of an ICT product or service than certificates with the assurance level substantially secure, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to prevent cybersecurity incidents.
Amendment 529
Proposal for a regulation
Article 47 – paragraph 1 – point g
(g) where surveillance is part of the scheme, the rules for monitoring compliance with the requirements of the certificates, including mechanisms to demonstrate the continued compliance with the specified cybersecurity requirements;
Amendment 533
Proposal for a regulation
Article 47 – paragraph 1 – point i a (new)
(ia) rules requiring how and when vulnerabilities in ICT products, processes, services and systems that are not publicly known to be reported by the appropriate authorities to relevant vendors and manufacturers using a coordinated vulnerability disclosure process.
Amendment 539
Proposal for a regulation
Article 47 – paragraph 1 – point m a (new)
(ma) rules concerning how and when Member states must inform each other and affected vendors and manufacturers when they acquire knowledge of a vulnerability that is not publicly known in an ICT product or service that is certified under this certification scheme.
Amendment 550
Proposal for a regulation
Article 48 – paragraph 2
2. The certification shall be mandatory at least for: (a) ICT products, processes, services and systems employed by operators of essential services as defined in the Directive 2016/1148/EU; (b) ICT products, processes, services and systems intended for children and homes; (c) ICT products, processes, services and systems intended for medical application; (d) ICT products, processes, services used for security purposes; (e) self-driving vehicles. The Commission may by way of implementing acts and in cooperation with ENISA, review the categories of products provided in paragraph 1. The certification shall be voluntary for all other products, unless otherwise specified in Union law.
Amendment 587
Proposal for a regulation
Article 50 – paragraph 6 – point –a (new)
(-a) organise market checks on certified and non-certified products, in a coordinated manner across Member States in order to avoid check duplication and to maximise the market check, for at least 30% of products certified in the previous year and oblige the certificate holder to recall non-compliant products from the market in accordance with paragraph 6(e). When identifying the 30% of products that will be subject to a compliance check, national certification authorities shall prioritise high risk products for consumers, especially children, products embedded with new technologies and/or products with high selling rates;
Amendment 592
Proposal for a regulation
Article 50 – paragraph 6 – point b
(b) monitor and, supervise and, at least every year, the activities of conformity assessment bodies for the purpose of this Regulation, including in relation to the notification of conformity assessment bodies and the related tasks set out in Article 52 of this Regulation;
Amendment 595
Proposal for a regulation
Article 50 – paragraph 6 – point c a (new)
(ca) report the results of verifications under point (a) and assessment under point (b) to ENISA and the European Cybersecurity Certification group;
Amendment 599
Proposal for a regulation
Article 50 – paragraph 7 – point e
(e) to withdraw, in accordance with national law, certificates and ICT consumers products, that are not compliant with this Regulation or a European cybersecurity certification scheme;
Amendment 606
Proposal for a regulation
Article 51 – paragraph 2
2. Accreditation shall be issued for a maximum of five years and may be renewed on the same conditions provided that the conformity assessment body meets the requirements set out in this Article. Accreditation bodies shall revoke an accreditation of a conformity assessment body pursuant to paragraph 1 of this Article where the conditions for the accreditation are not, or are no longer, met or where actions taken by a conformity assessment body infringe this Regulation. Conformity assessment bodies shall not accept direct payments for their services from the certificate holders.
Amendment 618
Proposal for a regulation
Article 54 – paragraph 1
Member States shall lay down the rules on penalties applicable to infringements of Title IIa, Title III and European cybersecurity certification schemes, and shall take all measures necessary to ensure that they are implemented. The penalties provided for shall be effective, proportionate and dissuasive. Member States shall [by …/without delay] notify the Commission of those rules and of those measures and shall notify it of any subsequent amendment affecting them.
Amendment 621
Proposal for a regulation
Article 56 – paragraph 1
1. Not later than four years after the date referred to in Article 58, and every four years thereafter, the Commission shall assess the impact, effectiveness and efficiency of the Agency and its working practices and the possible need to modify the mandate of the Agency and the financial implications of any such modification. The evaluation shall take into account any feedback made to the Agency in response to its activities. Where the Commission considers that the continuation of the Agency is no longer justified with regard to its assigned objectives, mandate and tasks, it may propose that this Regulation be amended with regard to the provisions related to the Agency.
Amendment 623
Proposal for a regulation
Article 56 – paragraph 2
2. Not later than four years after the date referred to in article 58, and every four years thereafter, the Commission shall also assess the impact, effectiveness and efficiency of the provisions of Title IIa and III with regard to the objectives of ensuring an adequate level of cybersecurity of ICT products, processes and services in the Union and improving the functioning of the internal market.