BETA

51 Amendments of Massimiliano SALINI related to 2017/0225(COD)

Amendment 93 #
Proposal for a regulation
Recital 2
(2) The use of network and information systems by citizens, businesses and governments across the Union is now pervasive. Digitisation and connectivity are becoming core features in an ever growing number of products and services and with the advent of the Internet of Things (IoT) millions, if not billions, of connected digital devices are expected to be deployed across the EU during the next decade. While an increasing number of devices are connected to the Internet, security and resilience are not sufficiently built in by design, leading to insufficient cybersecurity. In this context, the limited use of certification leads to insufficient information for organisational and individual users about the cybersecurity features of ICT products, processes and services, undermining trust in digital solutions. This ambition is at the heart of the European Commission’s reform agenda to achieve a digital single market as ICT networks provide the backbone for digital products and services which have the potential to support all aspects of our lives and drive Europe’s economic growth. To ensure that the objectives of the digital single market are fully achieved the essential technology building blocks on which important areas such as eHealth, IoT, Artificial Intelligence, Quantum technology as well as intelligent transport system and advanced manufacturing rely must be in place.
2018/04/30
Committee: ITRE
Amendment 96 #
Proposal for a regulation
Recital 3 a (new)
(3 a) Believes that the objectives and tasks of ENISA should be further aligned with the Joint Communication with regards to its reference to the promotion of cyber hygiene and awareness; notes that cyber resilience can be achieved by implementing basic cyber hygiene principles;
2018/04/30
Committee: ITRE
Amendment 97 #
Proposal for a regulation
Recital 5
(5) In light of the increased cybersecurity challenges faced by the Union, there is a need for a comprehensive set of measures that would build on previous Union action and foster mutually reinforcing objectives. These include the need to further increase capabilities and preparedness of Member States and businesses, as well as to improve cooperation and coordination across Member States and EU institutions, agencies and bodies. Furthermore, given the borderless nature of cyber threats, there is a need to increase capabilities at Union level that could complement the action of Member States, in particular in the case of large scale cross-border cyber incidents and crises. Additional efforts are also needed to increase awareness of citizens and businesses on cybersecurity issues. Moreover, the trust in the digital single markegiven that cyber incidents undermine trust in digital service providers and in the digital single market itself, especially among consumers, trust should be further improved by offering transparent information on the level of security of ICT products and servic, services and processes. This can be facilitated by EU- wide certification providing common cybersecurity requirements and evaluation criteria across national markets and sectors. Alongside EU-wide certification and given the growing availability of IoT devices, there are a range of voluntary measures that the private sector should take to reinforce trust in the security of ICT products, services and processes, such as encryption and blockchain technologies.
2018/04/30
Committee: ITRE
Amendment 98 #
Proposal for a regulation
Recital 5
(5) In light of the increased cybersecurity challenges faced by the Union, there is a need for a comprehensive set of measures that would build on previous Union action and foster mutually reinforcing objectives. These include the need to further increase capabilities and preparedness of Member States and businesses, as well as to improve cooperation and coordination across Member States and EU institutions, agencies and bodies. Furthermore, given the borderless nature of cyber threats, there is a need to increase capabilities at Union level that could complement the action of Member States, in particular in the case of large scale cross-border cyber incidents and crises. Additional efforts are also needed to deliver a coordinated EU response and increase awareness of citizens and businesses on cybersecurity issues. Moreover, the trust in the digital single market should be further improved by offering transparent information on the level of security of ICT products and services. This can be facilitated by EU- wide certification providing common cybersecurity requirements and evaluation criteria across national markets and sectors. Alongside EU-wide certification, there is a range of voluntary measures widely accepted in the market place, depending on the product, service, use or standard; these measures as well as the industry bottom up approach, including the use of security-by-design, leveraging and contributing to international standards, should be encouraged.
2018/04/30
Committee: ITRE
Amendment 107 #
Proposal for a regulation
Recital 7
(7) The Union has already taken important steps to ensure cybersecurity and increase trust in digital technologies. In 2013, an EU Cybersecurity Strategy was adopted to guide the Union's policy response to cybersecurity threats and risks. In its effort to better protect Europeans online, in 2016 the Union adopted the first legislative act in the area of cybersecurity, the Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (the "NIS Directive"). The NIS Directive fulfills the digital single market strategy and together with other instruments, such as the Directive establishing the European Electronic Communications Code, Regulation (EU) 2016/679 and Directive 2002/58/EC, puts in place requirements concerning national capabilities in the area of cybersecurity, established the first mechanisms to enhance strategic and operational cooperation between Member States, and introduced obligations concerning security measures and incident notifications across sectors which are vital for economy and society such as energy, transport, water, banking, financial market infrastructures, healthcare, digital infrastructure as well as key digital service providers (search engines, cloud computing services and online marketplaces). A key role was attributed to ENISA in supporting implementation of this Directive. In addition, effective fight against cybercrime is an important priority in the European Agenda on Security, contributing to the overall aim of achieving a high level of cybersecurity.
2018/04/30
Committee: ITRE
Amendment 114 #
Proposal for a regulation
Recital 14
(14) The underlying task of the Agency is to promote the consistent implementation of the relevant legal framework, in particular the effective implementation of the NIS Directive, the Directive establishing the European Electronic Communications Code, Regulation (EU) 2016/679 and Directive 2002/58/EC, which is essential in order to increase cyber resilience. In view of the fast evolving cybersecurity threat landscape, it is clear that Member States must be supported by more comprehensive, cross-policy approach to building cyber resilience.
2018/04/30
Committee: ITRE
Amendment 122 #
Proposal for a regulation
Recital 26
(26) To understand better the challenges in the field of cybersecurity, and with a view to providing strategic long term advice to Member States and Union institutions, the Agency needs to analyse current and emerging risks, incidents, threats and vulnerabilities. For that purpose, the Agency should, in cooperation with Member States and, as appropriate, with statistical bodies and others, collect relevant information and perform analyses of emerging technologies and provide topic-specific assessments on expected societal, legal, economic and regulatory impacts of technological innovations on network and information security, in particular cybersecurity. The Agency should furthermore support Member States and Union institutions, agencies and bodies in identifying emerging trends and preventing problems related to cybersecurity, by performing analyses of threats and, incidents and vulnerabilities.
2018/04/30
Committee: ITRE
Amendment 130 #
Proposal for a regulation
Recital 28
(28) The Agency should contribute towards raising the awareness of the public about risks related to cybersecurity and provide guidance on good practices for individual users aimed at citizens and organisations. The Agency should also contribute to promote best practices, cyber hygiene and solutions at the level of individuals and organisations by collecting and analysing publicly available information regarding significant incidents, and by compiling reports with a view to providing guidance to businesses and citizens and improving the overall level of preparedness and resilience. The Agency should furthermore organise, in cooperation with the Member States and the Union institutions, bodies, offices and agencies regular outreach and public education campaigns directed to end-users, aiming at promoting safer individual online behaviour and raising awareness of potential threats in cyberspace, including cybercrimes such as phishing attacks, botnets, financial and banking fraud, as well as promoting basic authentication and data protection advice. The Agency should play a central role in accelerating end-user awareness on security of devices.
2018/04/30
Committee: ITRE
Amendment 140 #
Proposal for a regulation
Recital 35
(35) The Agency should encourage Member States and service providers to raise their general security standards so that all internet users can take the necessary steps to ensure their own personal cybersecurity. In particular, service providers and product manufacturers should withdraw or recycle products and services that do not meet cybersecurity standards. In cooperation with competent authorities, ENISA may disseminate information regarding the level of cybersecurity of the products and services offered in the internal market, and issue warnings targeting providers and manufacturers and requiring them to improve the security, including cybersecurity, of their products and services. The Agency should work together with stakeholders towards developing a EU-wide approach to responsible vulnerabilities disclosure and should promote best practices in this area.
2018/04/30
Committee: ITRE
Amendment 141 #
Proposal for a regulation
Recital 36 a (new)
(36 a) Standards are a voluntary, market- driven tool providing technical requirements and guidance and resulting from an open, transparent and inclusive process. The Agency should regularly consult and work in close cooperation with the standardization organizations, in particular when preparing the European Cybersecurity Certification Schemes.
2018/04/30
Committee: ITRE
Amendment 145 #
Proposal for a regulation
Recital 40
(40) The Management Board, composed ofrepresenting the Member States and the Commission as well as stakeholders relevant for the Agency's objectives, should define the general direction of the Agency’s operations and ensure that it carries out its tasks in accordance with this Regulation. The Management Board should be entrusted with the powers necessary to establish the budget, verify its execution, adopt the appropriate financial rules, establish transparent working procedures for decision making by the Agency, adopt the Agency’s Single Programming Document, adopt its own rules of procedure, appoint the Executive Director and decide on the extension of the Executive Director’s term of office and on the termination thereof.
2018/04/30
Committee: ITRE
Amendment 150 #
Proposal for a regulation
Recital 44
(44) The Agency should have a Permanent Stakeholders’ Group as an advisory body, to ensure regular dialogue with the private sector, consumers’ organisations and other relevant stakeholders. The Permanent Stakeholders’ Group, set up by the Management Board on a proposal by the Executive Director, should focus on issues relevant to stakeholders and bring them to the attention of the Agency. The composition of the Permanent Stakeholders Group and the tasks assigned to this Group, to be consulted in particular regarding the draft Work Programme, should ensure sufficient representation of stakeholders in the work of the Agency. Given the importance of certification requirements for ensuring trust in the IoT, the Commission should specifically consider implementing measures to ensure the pan-EU security standards harmonisation for IoT devices.
2018/04/30
Committee: ITRE
Amendment 155 #
Proposal for a regulation
Recital 46
(46) In order to guarantee the full autonomy and independence of the Agency and to enable it to perform additional and new tasks, including unforeseen emergency tasks, the Agency should be granted a sufficient and autonomous budget whose revenue comes primarily from a contribution from the Union and contributions from third countries participating in the Agency’s work. The appropriate budget is paramount to ensure that the Agency has sufficient capacities to fulfill all its growing tasks and objectives. The majority of the Agency staff should be directly engaged in the operational implementation of the Agency’s mandate. The host Member State, or any other Member State, should be allowed to make voluntary contributions to the revenue of the Agency. The Union’s budgetary procedure should remain applicable as far as any subsidies chargeable to the general budget of the Union are concerned. Moreover, the Court of Auditors should audit the Agency’s accounts to ensure transparency and accountability.
2018/04/30
Committee: ITRE
Amendment 165 #
Proposal for a regulation
Recital 50
(50) Currently, the cybersecurity certification of ICT products and services is used only to a limited extent. When it exists, it mostly occurs at Member State level or in the framework of industry driven schemes. In this context, a certificate issued by one national cybersecurity authority is not in principle recognised by other Member States. Companies thus may have to certify their products and services in several Member States where they operate, for example with a view to participating in national procurement procedures. Moreover, while new schemes are emerging, there seems to be no coherent and holistic approach with regard to horizontal cybersecurity issues, for instance in the field of the Internet of Things. Existing schemes present significant shortcomings and differences in terms of product coverage, levels of assurance, substantive criteria and actual utilisation. A case by case approach is required to ensure that services, processes and products are subject to appropriate certification schemes. Additionally, a risk- based approach is needed for effective identification and mitigation of risks whilst acknowledging that a one size fits all scheme is not possible.
2018/04/30
Committee: ITRE
Amendment 168 #
Proposal for a regulation
Recital 52 a (new)
(52 a) Notes that certification schemes should build upon what already exists at national and international level, learning from current strong points and assessing and correcting weaknesses.
2018/04/30
Committee: ITRE
Amendment 169 #
Proposal for a regulation
Recital 52 b (new)
(52 b) Flexible cybersecurity solutions are necessary for industry to stay ahead of malicious attacks and threats, therefore any certification scheme should avoid the risk of being outdated quickly.
2018/04/30
Committee: ITRE
Amendment 173 #
Proposal for a regulation
Recital 55
(55) The purpose of European cybersecurity certification schemes should be to ensure that ICT products and servic, services and processes certified under such a scheme comply with specified requirements. Such requirements concern the ability to resist, at a given level of assurancerisk, actions that aim to compromise the availability, authenticity, integrity and confidentiality of stored or transmitted or processed data or the related functions of or services offered by, or accessible via those products, processes, services and systems within the meaning of this Regulation. It is not possible to set out in detail in this Regulation the cybersecurity requirements relating to all ICT products and services. ICT products and servic, services and processes. ICT products, services and processes and related cybersecurity needs are so diverse that it is very difficult to come up with general cybersecurity requirements valid across the board. It is, therefore necessary to adopt a broad and general notion of cybersecurity for the purpose of certification, complemented by a set of specific cybersecurity objectives that need to be taken into account when designing European cybersecurity certification schemes. The modalities with which such objectives will be achieved in specific ICT products and servic, services and processes should then be further specified in detail at the level of the individual certification scheme adopted by the Commission, for example by reference to standards or technical specifications. All actors involved in a given supply chain should be encouraged in order to develop and adopt security standards, technical norms and security by design principles, at all stages of the product, service or process lifecycle; each European cybersecurity certification scheme should be designed to reach this scope.
2018/04/30
Committee: ITRE
Amendment 179 #
Proposal for a regulation
Recital 57
(57) Recourse to European cybersecurity certification should remain voluntary, unless otherwise provided in Union or national legislation. After this initial stage, and depending on the maturity of implementation in the Member States and the criticality of a product or service, it is recognised that, in the future, potentially mandatory schemes for certain ICT products, processes and services may begin to evolve in a phased approach for the future generations of technology and in response to the policy objectives of tomorrow. However, with a view to achieving the objectives of this Regulation and avoiding the fragmentation of the internal market, national cybersecurity certification schemes or procedures for the ICT products and services covered by a European cybersecurity certification scheme should cease to produce effects from the date established by the Commission by means of the implementing act. Moreover, Member States should not introduce new national certification schemes providing cybersecurity certification schemes for ICT products and services already covered by an existing European cybersecurity certification scheme.
2018/04/30
Committee: ITRE
Amendment 206 #
Proposal for a regulation
Article 1 – paragraph 1 – point b
(b) lays down a framework for the establishment of European cybersecurity certification schemes for the purpose of ensuring an adequate level of cybersecurity of ICT products, processes and services in the Union. Such framework shall apply without prejudice to specific provisions regarding voluntary or mandatory certification in other Union acts.
2018/04/30
Committee: ITRE
Amendment 223 #
Proposal for a regulation
Article 2 – paragraph 1 – point 9 a (new)
(9 a) "Cyber hygiene" means multi- factor authentication, patching, encryption, micro-segmentation that can minimise the risks from cyber threats and apply the principle of least privilege;
2018/04/30
Committee: ITRE
Amendment 263 #
Proposal for a regulation
Article 4 – paragraph 6 a (new)
6 a. The Agency shall promote cyber hygiene principles
2018/04/30
Committee: ITRE
Amendment 274 #
Proposal for a regulation
Article 5 – paragraph 1 – point 2
2. assisting Member States to implement consistently the Union policy and law regarding cybersecurity notably in relation to Directive (EU) 2016/1148, Directive establishing the European Electronic Communications Code, Regulation (EU) 2016/679 and Directive 2002/58/EC, including by means of opinions, guidelines, advice and best practices on topics such as risk management, incident reporting and information sharing, as well as facilitating the exchange of best practices between competent authorities in this regard;
2018/04/30
Committee: ITRE
Amendment 294 #
Proposal for a regulation
Article 6 – paragraph 2
2. The Agency shall facilitate the establishment of and continuously support sectoral Information Sharing and Analysis Centres (ISACs), in particular in the sectors listed in Annex II of Directive (EU) 2016/1148, by providing best practices and guidance on available tools, procedure, cyber hygiene principles, as well as on how to address regulatory issues related to information sharing.
2018/04/30
Committee: ITRE
Amendment 323 #
Proposal for a regulation
Article 8 – paragraph 1 – point a – point 1
(1) preparing candidate European cybersecurity certification schemes for ICT products and services in cooperation with the Permanent Stakeholder Group and the Certification Stakeholder Expert Group in accordance with Article 44 of this Regulation;
2018/04/30
Committee: ITRE
Amendment 324 #
Proposal for a regulation
Article 8 – paragraph 1 – point a – point 1
(1) preparing candidate European cybersecurity certification schemes for ICT products, processes and services in cooperation with the certification stakeholder working group is accordance with Article 44.2 of this Regulation;
2018/04/30
Committee: ITRE
Amendment 358 #
Proposal for a regulation
Article 9 – paragraph 1 – point g a (new)
(g a) support closer coordination and exchange of best practices among Member States on cybersecurity literacy, cyber hygiene and raising awareness;
2018/04/30
Committee: ITRE
Amendment 378 #
Proposal for a regulation
Article 20 – paragraph 1
1. The Management Board, acting on a proposal by the Executive Director, shall set up a Permanent Stakeholders Group per scheme that is composed of recognised experts representing the relevant stakeholders,. such as the ICT industry, providusers and providers, associations of small and medium-sized enterprises, providers and users of electronic communications networks or services available to the public, consumer groups and associations, academic experts in the cybersecurity, the European standardisation organisations, as defined in point (8) of Article 2 of Regulation (EU) No 1025/2012, the relevant sectoral Union agencies and bodies, and representatives of competent authorities notified under [Directive establishing the European Electronic Communications Code] as well as of law enforcement and data protection supervisory authorities.
2018/04/30
Committee: ITRE
Amendment 380 #
Proposal for a regulation
Article 20 – paragraph 1
1. The Management Board, acting on a proposal by the Executive Director, shall, in a transparent manner, set up a Permanent Stakeholders’ Group composed of recognised experts representing the relevant stakeholders, such as the ICT industry, providers of electronic communications networks or services available to the public, consumer groups, standardisation organisations, academic experts in the cybersecurity, and representatives of competent authorities notified under [Directive establishing the European Electronic Communications Code] as well as of law enforcement and data protection supervisory authorities.
2018/04/30
Committee: ITRE
Amendment 388 #
Proposal for a regulation
Article 20 – paragraph 4 a (new)
4 a. The Permanent Stakeholders' Group will provide regular updates on its planning throughout the year and set out the objectives in its work programme which shall be published every six months to ensure transparency;
2018/04/30
Committee: ITRE
Amendment 402 #
Proposal for a regulation
Article 43 – paragraph 1
A European cybersecurity certification scheme shall attest that the ICT products, processes and services that have been certified in accordance with such scheme comply with specified requirements as regards their ability to resist at a given level of assurance, actions that aim to compromise the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the functions or services offered by, or accessible via, those products, processes, services and systems.ccording to standards as regards their ability to meet security objectives;
2018/04/30
Committee: ITRE
Amendment 404 #
Proposal for a regulation
Article 43 – paragraph 1
A European cybersecurity certification scheme shall attest that the ICT products and services that have been certified in accordance with such scheme have no known vulnerabilities at the time of the certification, and comply with specified requirements as regards their ability to resist dynamically at a given level of assurance, actions that aim to compromise the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the functions or services offered by, or accessible via, those products, processes, services and systems.
2018/04/30
Committee: ITRE
Amendment 414 #
Proposal for a regulation
Article 44 – paragraph 1
1. Following a request from the Commission, ENISA shall prepare a candidate European cybersecurity certification scheme which meets the requirements set out in Articles 45, 46 and 47 of this Regulation. Member States or the European Cybersecurity Certification Group (the 'Group') established under Article 53 or other industry interested stakeholders may propose the preparation of a candidate European cybersecurity certification scheme to the Commission.
2018/04/30
Committee: ITRE
Amendment 418 #
Proposal for a regulation
Article 44 – paragraph 2
2. When preparing candidate schemes referred to in paragraph 1 of this Article, ENISA shall consult all relevant stakeholders and closely cooperate with the Group. The Group shall provide ENISA with the assistance and expert advice required by ENISA in relation to the preparation of the candidate scheme, including by providing opinions where necessary. define the security objectives, security requirements and elements of the candidate scheme. All aspects regarding the procedures of the conformity assessment will be defined by the Commission, based on ENISA’s findings. In doing so, ENISA shall cooperate closely with the industry interested stakeholders and consult all relevant stakeholders and closely cooperate with the Group. The Group shall provide ENISA with the assistance and expert advice required by ENISA in relation to the preparation of the candidate scheme, including by providing opinions where necessary. Where relevant, ENISA may in addition set up a certification stakeholder working group, composed of members of the Permanent Stakeholders’ Group, industry stakeholders to ensure industry- led approach and any other relevant stakeholders, to provide expert advice on areas covered by a specific candidate scheme;
2018/04/30
Committee: ITRE
Amendment 433 #
Proposal for a regulation
Article 44 – paragraph 3
3. ENISA shall transmit without delay the candidate European cybersecurity certification scheme prepared in accordance with paragraph 2 of this Article to the Commission.
2018/04/30
Committee: ITRE
Amendment 437 #
Proposal for a regulation
Article 44 – paragraph 4
4. The Commission, based on the candidate scheme proposed by ENISA, may adopt implementing acts, in accordance with Article 55(1), providing for European cybersecurity certification schemes for ICT products, processes and services meeting the requirements of Articles 45, 46 and 47 of this Regulation.
2018/04/30
Committee: ITRE
Amendment 446 #
Proposal for a regulation
Article 45 – paragraph 1 – introductory part
A European cybersecurity certification scheme shall be so designed to take into account, as applicable, the following security objectives to ensure the availability, integrity and confidentiality of services:
2018/04/30
Committee: ITRE
Amendment 467 #
Proposal for a regulation
Article 46 – paragraph 1
1. A European cybersecurity certification scheme may specify one or more of the following assurance levels: basic, substantial and/or high, forrisk-based levels according to the context and intended use of the ICT products, processes and services issued under that scheme: basic, substantial and/or high.
2018/04/30
Committee: ITRE
Amendment 469 #
Proposal for a regulation
Article 46 – paragraph 1
1. A European cybersecurity certification scheme may specify one or more of the following assurance levels: basic, substantial and/or high, for ICT products andassurance requirements based on the risks and threats determined by the context in which the product, process or services issued under that schem to operate.
2018/04/30
Committee: ITRE
Amendment 488 #
Proposal for a regulation
Article 46 – paragraph 2 – point a
(a) assuranceThe risk level basic shall refer to a certificate issued in the context of a European cybersecurity certification scheme, which provides a limited degree of confidence in the claimed or asserted cybersecurity qualities of an ICT product or service, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of whichcorrespond to a low risk related to an ICT product, process and service. A low level of risk exists when an attack on the ICT product, process and service does not compromise significantly the availability, authenticity, integrity, confidentiality or other important objectives such as the health of users or third parties, the environment, privacy, other important legal interests or critical infrastructures and its to decrease the risk of cybersecurity incidensupporting systems or products;.
2018/04/30
Committee: ITRE
Amendment 498 #
Proposal for a regulation
Article 46 – paragraph 2 – point b
(b) assuranceThe risk level substantial shall refer to a certificate issued in the context of a European cybersecurity certification scheme, which provides a substantial degree of confidence in the claimed or asserted cybersecurity qualities of an ICT product or service, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to decrease substantially the risk of cybersecurity incidencorrespond to a higher risk related to an ICT product, process and service. A higher level of risk exists when an attack on the ICT product, process and service compromises the availability, authenticity, integrity, confidentiality or other important objectives such as the health of users or third parties, the environment, privacy, other important legal interests or critical infrastructures and its supporting systems or products;.
2018/04/30
Committee: ITRE
Amendment 506 #
Proposal for a regulation
Article 46 – paragraph 2 – point c
(c) assuranceThe risk level high shall refer to a certificate issued in the context of a European cybersecurity certification scheme, which provides a higher degree of confidence in the claimed or asserted cybersecurity qualities of an ICT product or service than certificates with the assurance level substantial, and is characcorrespond to a high risk related to an ICT product, process and service. A high level of risk exists when an attack on the ICT product, process and service compromises the availability, authenticity, integrised with reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to prevent cyberty, confidentiality or other important objectives and reasonably endangers the national sovereignty or public security incidentof states.
2018/04/30
Committee: ITRE
Amendment 517 #
Proposal for a regulation
Article 47 – paragraph 1 – point a a (new)
(aa) the conformity assessment and auditing bodies;
2018/04/30
Committee: ITRE
Amendment 527 #
Proposal for a regulation
Article 47 – paragraph 1 – point d
(d) Types of conformity assessment, specific evaluation criteria and methods used, including types of evaluationas laid down in Article 4 and Annex II of Decision 768/2008/EC, in order to demonstrate that the specific objectives referred to in Article 45 are achieved;
2018/04/30
Committee: ITRE
Amendment 532 #
Proposal for a regulation
Article 47 – paragraph 1 – point h a (new)
(ha) Rules aiming at treating vulnerabilities that may arise after the certification is issued, through the setting up of a dynamic and continuous organizational process, involving both providers and users;
2018/04/30
Committee: ITRE
Amendment 535 #
Proposal for a regulation
Article 47 – paragraph 1 – point l
(l) where applicable, identification of national cybersecurity certification schemes, pursuant to Article 49, or industry-led initiatives covering the same type or categories of ICT products, processes and services;
2018/04/30
Committee: ITRE
Amendment 544 #
Proposal for a regulation
Article 47 – paragraph 3
3. Where aA specific Union act so provides,may suggest when certification under a European cybersecurity certification scheme may be used to demonstrate the presumption of conformity with requirements of that act.
2018/04/30
Committee: ITRE
Amendment 545 #
Proposal for a regulation
Article 47 – paragraph 4
4. In the absence of harmonised Union legislation, Member State law may also providencourage that a European cybersecurity certification scheme may be used for establishing the presumption of conformity with legal requirements.
2018/04/30
Committee: ITRE
Amendment 569 #
Proposal for a regulation
Article 48 – paragraph 5
5. The natural or legal person which submits its ICT products, processes or services to the certification mechanism shall provide the conformity assessment body referred to in Article 51 with all information necessary to conduct the certification procedure.
2018/04/30
Committee: ITRE
Amendment 571 #
Proposal for a regulation
Article 48 – paragraph 6
6. Certificates shall be issued for a maximum period of three yearsthe period defined in each certification scheme and highly relate to processes and the ability of how entities organise themselves to react to an attack and may be renewed, under the same conditions, provided that the relevant requirements continue to be met.
2018/04/30
Committee: ITRE
Amendment 573 #
Proposal for a regulation
Article 48 – paragraph 6
6. Certificates shall be issued for a maximum period of three yearsdetermined on a case by case basis for each scheme and may be renewed, under the same conditions, provided that the relevant requirements continue to be met.
2018/04/30
Committee: ITRE
Amendment 579 #
Proposal for a regulation
Article 49 – paragraph 1
1. Without prejudice to paragraph 3, national cybersecurity certification schemes and the related procedures for the ICT products, processes and services covered by a European cybersecurity certification scheme shall cease to produce effects from the date established in the implementing act adopted pursuant Article 44(4). Existing national cybersecurity certification schemes and the related procedures for the ICT products, processes and services not covered by a European cybersecurity certification scheme shall continue to exist. Maintenance processes with minor updates shall not invalidate the certification.
2018/04/30
Committee: ITRE