20 Amendments of Xabier BENITO ZILUAGA related to 2017/0225(COD)
Amendment 111
Proposal for a regulation
Recital 12
(12) The Agency should develop and maintain a high level of expertise and operate as a point of reference establishing trust and confidence in the single market by virtue of its independence, the quality of the advice it delivers and the information it disseminates, the transparency of its procedures and methods of operation, and its diligence in carrying out its tasks. The Agency should proactively contribute to national and Union efforts while carrying out its tasks in full cooperation with the Union institutions, bodies, offices and agencies and the Member States. In addition, the Agency should build on input from and cooperation with the private and public sectors as well as other relevant stakeholders. A set of tasks should establish how the Agency is to accomplish its objectives while allowing flexibility in its operations.
Amendment 118
Proposal for a regulation
Recital 18
(18) The Agency should aggregate and analyse national reports from CSIRTs and CERT-EU, setting up common rules, language and terminology for exchange of information. The Agency should also involve the private and public sectors, within the framework of the NIS Directive which laid down the grounds for voluntary technical information exchange at the operational level with the creation of the CSIRTs Network.
Amendment 128
Proposal for a regulation
Recital 28
(28) The Agency should actively contribute towards raising the awareness of the public about risks, threats and vulnerabilities related to cybersecurity and provide guidance on good practices for individual users aimed at citizens and organisations. The Agency should also contribute to promote best practices and solutions at the level of individuals and organisations by collecting and analysing publicly available information regarding significant incidents, and by compiling reports with a view to providing guidance to businesses and citizens and improving the overall level of preparedness and resilience. The Agency should furthermore organise, in cooperation with the Member States and the Union institutions, bodies, offices and agencies regular outreach and public education campaigns, starting at school level, directed to end-users, aiming at promoting safer individual online behaviour and raising awareness of potential threats in cyberspace, including cybercrimes such as phishing attacks, botnets, financial and banking fraud, as well as promoting basic authentication and data protection advice. The Agency should play a central role in accelerating end-user awareness on security of devices.
Amendment 149
Proposal for a regulation
Recital 42
(42) The smooth functioning of the Agency requires that its Executive Director be appointed on grounds of merit and documented administrative and managerial skills, as well as competence and experience relevant for cybersecurity, and that the duties of the Executive Director be carried out with complete independence. The Executive Director should prepare a proposal for the Agency’s work programme, after prior consultation with the Commission, and take all necessary steps to ensure the proper execution of the work programme of the Agency. The Executive Director should prepare an annual report to be submitted to the Management Board, draw up a draft statement of estimates of revenue and expenditure for the Agency, and implement the budget. Furthermore, the Executive Director should have the option of setting up ad hoc Working Groups to address specific matters, in particular of a scientific, technical, legal or socioeconomic nature. The Executive Director should ensure that the ad hoc Working Groups’ members are selected according to the highest standards of expertise, taking due account of a representative gender balance, as appropriate according to the specific issues in question, between the public administrations of the Member States, the Union institutions and the private sector, including industry, users, and academic experts in network and information security.
Amendment 154
Proposal for a regulation
Recital 44
(44) The Agency should have a Permanent Stakeholders’ Group as an advisory body, to ensure regular dialogue with the public and private sector, consumers’ organisations and other relevant stakeholders. The Permanent Stakeholders’ Group, set up by the Management Board on a proposal by the Executive Director, should focus on issues relevant to stakeholders and bring them to the attention of the Agency. The composition of the Permanent Stakeholders’ Group and the tasks assigned to this Group, to be consulted in particular regarding the draft Work Programme, should ensure sufficient representation of stakeholders in the work of the Agency.
Amendment 182
Proposal for a regulation
Recital 57
(57) Recourse to European cybersecurity certification should be voluntary for assurance levels considered basic or substantial but should be mandatory for assurance levels considered medium and high, unless otherwise provided in Union or national legislation. However, with a view to achieving the objectives of this Regulation and avoiding the fragmentation of the internal market, national cybersecurity certification schemes or procedures for the ICT products and services covered by a European cybersecurity certification scheme should cease to produce effects from the date established by the Commission by means of the implementing act. Moreover, Member States should not introduce new national certification schemes providing cybersecurity certification schemes for ICT products and services already covered by an existing European cybersecurity certification scheme.
Amendment 320
Proposal for a regulation
Article 8 – paragraph 1 – point a – point 1
(1) in cooperation with industry, SMEs, relevant research and academic stakeholders as well as consumer protection organisations in a clear and transparent process, preparing candidate European cybersecurity certification schemes for ICT products and services in accordance with Article 44 of this Regulation;
Amendment 329
Proposal for a regulation
Article 8 – paragraph 1 – point a – point 3
(3) compiling and publishing guidelines and developing good practices concerning the cybersecurity requirements of ICT products and services, in cooperation with national certification supervisory authorities, industry, SMEs, relevant research and academic stakeholders and consumer protection organisations;
Amendment 338
Proposal for a regulation
Article 8 – paragraph 1 – point b
(b) facilitate the establishment and take-up of European and international standards for risk management and for the security of ICT products and services, as well as draw up, in collaboration with Member States, industry, SMEs, research and academic stakeholders and consumer protection organisations, advice and guidelines regarding the technical areas related to the security requirements for operators of essential services and digital service providers, as well as regarding already existing standards, including Member States' national standards, pursuant to Article 19(2) of Directive (EU) 2016/1148;
Amendment 342
Proposal for a regulation
Article 8 – paragraph 1 – point c
(c) perform and disseminate regular analyses of the main trends and vulnerabilities in the cybersecurity market both on the demand and supply side, with a view of fostering the cybersecurity marksafety in the Union.
Amendment 347
Proposal for a regulation
Article 9 – paragraph 1 – point b
(b) perform long-term strategic analyses of cybersecurity threats, vulnerabilities and incidents in order to identify emerging trends and help prevent problems related to cybersecurity;
Amendment 348
Proposal for a regulation
Article 9 – paragraph 1 – point c
(c) provide, in cooperation with experts from Member States authorities, industry, SMEs, relevant research and academic stakeholders, and consumer protection organisations, advice, guidance and best practices for the security of network and information systems, in particular for the security of the internet infrastructure and those infrastructures supporting the sectors listed in Annex II of Directive (EU) 2016/1148;
Amendment 350
Proposal for a regulation
Article 9 – paragraph 1 – point e
(e) develop strategic and widespread campaigns with the aim to raise awareness of the public about cybersecurity risks and vulnerabilities, and provide guidance and training on good practices for individual users aimed at citizens and organisations;
Amendment 353
Proposal for a regulation
Article 9 – paragraph 1 – point g
(g) organise, in cooperation with the Member States and Union institutions, bodies, offices and agencies regular outreach campaigns to increase cybersecurity awareness of its potential risks and threats to citizens' life and its visibility in the Union.
Amendment 360
Proposal for a regulation
Article 10 – paragraph 1 – point a
(a) advise the Union and the Member States on research needs and priorities in the area of cybersecurity, with a view to enabling effective responses to current and emerging risks, threats and vulnerabilities, including with respect to new and emerging information and communications technologies, and to using the most advanced risk-prevention technologies effectively without putting at risk citizens' privacy and liberty rights;
Amendment 367
Proposal for a regulation
Article 13 – paragraph 1
1. The Management Board shall be composed of one representative of each Member State, and two representatives appointed by the Commission. All representatives shall have equal voting rights.
Amendment 369
Proposal for a regulation
Article 13 – paragraph 3
3. Members of the Management Board and their alternates shall be appointed in light of their knowledge in the field of cybersecurity, taking into account relevant managerial, administrative and budgetary skills. The Commission and Member States shall make efforts to limit the turnover of their representatives in the Management Board, in order to ensure continuity of that Board’s work. The Commission and Member States shall aim to achieve a gender balanced representation between men and women on the Management Board.
Amendment 382
Proposal for a regulation
Article 20 – paragraph 1
1. The Management Board, acting on a proposal by the Executive Director, shall set up a Permanent Stakeholders’ Group composed of recognised experts representing the relevant stakeholders, such as the ICT industry, SMEs, providers of electronic communications networks or services available to the public, consumer protection groups, academic and academic experts in the cybersecurity and data protection, and representatives of competent authorities notified under [Directive establishing the European Electronic Communications Code] as well as of law enforcement and data protection supervisory authorities.
Amendment 417
Proposal for a regulation
Article 44 – paragraph 1 a (new)
1a. The Commission shall, after having conducted an open and transparent consultation with relevant stakeholders, adopt and publish a multiannual Union work programme for European cybersecurity certification schemes, which shall identify common actions to be undertaken at Union level and strategic priorities. The work programme shall in particular include a priority list of identified ICT products, processes and services subject to a European cybersecurity certification scheme. Prior to adopting the work programme, the Commission shall consult ENISA and have the utmost regard of its opinion.
Amendment 552
Proposal for a regulation
Article 48 – paragraph 2
2. The certification for the assurance level medium and high shall be mandatory. For the assurance levels basic and substantial it shall be voluntary, but the manufacturer must be obliged to comply with the minimum security standards, unless otherwise specified in Union law.