BETA

25 Amendments of Arndt KOHN related to 2017/0225(COD)

Amendment 69 #
Proposal for a regulation
Recital 28
(28) The Agency should contribute towards raising the awareness of the public about risks related to cybersecurity and provide guidance on good practices for individual users aimed at citizens and organisations. The Agency should also contribute to promote best practices and solutions at the level of individuals and organisations by collecting and analysing publicly available information regarding significant incidents, and by compiling reports with a view to providing guidance to businesses and citizens and improving the overall level of preparedness and resilience. The Agency should furthermore organise, in cooperation with the Member States and the Union institutions, bodies, offices and agencies regular outreach and public education campaigns directed to end-users, aiming at promoting safer individual online behaviour and raising awareness of potential threats in cyberspace, including cybercrimes such as phishing attacks, ransomware attacks, hijacking, botnets, financial and banking fraud, as well as promoting basic authentication and data protection advice. The Agency should play a central role in accelerating end-user awareness on security of devices.
2018/03/02
Committee: IMCO
Amendment 70 #
Proposal for a regulation
Recital 28 a (new)
(28a) The Agency should promote mainstreaming the security by design principle, which is paramount to improving the security of connected devices. Security by design is especially important for devices targeted at vulnerable end-users, such as children.
2018/03/02
Committee: IMCO
Amendment 101 #
Proposal for a regulation
Recital 55 a (new)
(55a) In light of innovation trends, and the growing accessibility and constantly increasing number of IoT devices in all sectors of society, particular attention must be paid to the security of all and even the simplest of IoT products. Therefore, as certification is a key method for increasing trust in the market and increasing security and resilience, emphasis should be given to IoT products and services in the new EU cybersecurity certification framework, in order to make them less vulnerable and safer for consumers and businesses.
2018/03/02
Committee: IMCO
Amendment 103 #
Proposal for a regulation
Recital 56
(56) The Commission should be empowered to request ENISA to prepare candidate schemes for specific ICT products or services. The Commission, basedpower to adopt acts in accordance with Article 290 onf the candidate scheme proposed by ENISA, should then be empowered to adopt the European cybersecurity certification scheme by means of implementing acts. Taking account of the general purpose and security objectives identified in this Regulation, European cybersecurity certification schemes adopted by the Commission should specify a minimum set of elements concerning the subject-matter,Treaty on the Functioning of the European Union should be delegated to the Commission in respect of establishing European cybersecurity certification schemes for ICT products and services. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those scope and functioning of the individual scheme. These should include among others the scope and object of the cybersecurity certification, including the categories of ICT products and services covered, the detailed specification of the cybersecurity requirements, for example by reference to standards or technical specifications, the specific evaluation criteria and evaluation methods, as well nsultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making. In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States’ experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts. When adopting those delegated acts, the Commission should base the intended level of assurance: basic, substantial and/or highcybersecurity certification schemes for ICT products and services on any relevant candidate schemes proposed by ENISA.
2018/03/02
Committee: IMCO
Amendment 109 #
Proposal for a regulation
Recital 56 a (new)
(56a) Among the evaluation methods and assessment procedures related to each European cybersecurity certification scheme, ethical hacking, the aim of which is to locate weaknesses and vulnerabilities of devices and information systems by anticipating the intended actions and skills of malicious hackers, should be promoted at Union level.
2018/03/02
Committee: IMCO
Amendment 156 #
Proposal for a regulation
Article 4 – paragraph 7
7. The Agency shall promote a high level of awareness of citizens, authorities and businesses on issues related to the cybersecurity.
2018/03/02
Committee: IMCO
Amendment 159 #
Proposal for a regulation
Article 5 – paragraph 1 – point 1
1. assisting and advising, in particular by providing its independent opinion and supplying preparatory work, on the development and review of Union policy and law in the area of cybersecurity, as well as sector-specific policy and law initiatives where matters related to cybersecurity are involved;
2018/03/02
Committee: IMCO
Amendment 169 #
Proposal for a regulation
Article 5 – paragraph 1 – point 4 – point 2
(2) the promotion of an enhanced level of security of electronic communications, data storage and data processing, including by providing expertise and advice, as well as facilitating the exchange of best practices between competent authorities;
2018/03/02
Committee: IMCO
Amendment 177 #
Proposal for a regulation
Article 7 – paragraph 8 – point a
(a) aggregating reports from national and international sources with a view to contribute to establishing common situational awareness;
2018/03/02
Committee: IMCO
Amendment 181 #
Proposal for a regulation
Article 8 – paragraph 1 – point a – point 1 a (new)
(1a) carrying out independent periodic ex-post checks on the compliance of certified ICT products and services with this Regulation;
2018/03/02
Committee: IMCO
Amendment 203 #
Proposal for a regulation
Article 13 – paragraph 1
1. The Management Board shall be composed of one representative of each Member State, and two representatives appointed by the Commission and the European Parliament. All representatives shall have voting rights.
2018/03/02
Committee: IMCO
Amendment 209 #
Proposal for a regulation
Article 20 – paragraph 1
1. The Management Board, acting on a proposal by the Executive Director, shall set up a Permanent Stakeholders’ Group composed of recognised experts representing the relevant stakeholders, such as the ICT industry, providers of electronic communications networks or services available to the public, consumer groups, academic experts in the cybersecurity, the European Forum for Accreditation, conformity assessment bodies, and representatives of competent authorities notified under [Directive establishing the European Electronic Communications Code] as well as of law enforcement and data protection supervisory authorities.
2018/03/02
Committee: IMCO
Amendment 218 #
Proposal for a regulation
Article 20 – paragraph 5 a (new)
5a. It advises the Agency when the latter prepares candidate schemes.
2018/03/02
Committee: IMCO
Amendment 251 #
Proposal for a regulation
Article 44 – paragraph 4
4. The Commission, based on the candidate scheme proposed by ENISA, may adopt implementing is empowered to adopt delegated acts, in accordance with Article 55(1), providing fora, concerning the establishment of European cybersecurity certification schemes for ICT products and services meeting the requirements of Articles 45, 46 and 47 of this Regulation. When adopting those delegated acts, the Commission shall base the cybersecurity certification schemes for ICT products and services on any relevant candidate scheme proposed by ENISA.
2018/03/02
Committee: IMCO
Amendment 275 #
Proposal for a regulation
Article 45 – paragraph 1 – point g a (new)
(ga) ensure that ICT products and services are developed according to the principle of ‘security by design’, following a risk-based approach depending on the context and severity of the situation as defined in Article 46.
2018/03/02
Committee: IMCO
Amendment 282 #
Proposal for a regulation
Article 46 – paragraph 1
1. AEach European cybersecurity certification scheme may specify one or more of the following assurance levels: basic - “functionally secure”, substantially secure” and/or high,ly secure” - for ICT products and services issued under that scheme, taking into account, inter alia, their intended use and their inherent risk.
2018/03/02
Committee: IMCO
Amendment 286 #
Proposal for a regulation
Article 46 – paragraph 1 a (new)
1a. Each scheme shall indicate the assessment methodology or evaluation process that is to be followed for issuing certificates at each assurance level, depending on the intended use and the risk inherent to the ICT products and services under that scheme.
2018/03/02
Committee: IMCO
Amendment 295 #
Proposal for a regulation
Article 46 – paragraph 2 – point a
(a) assurance level basic shall refer to a certificate issued in the context of a European cybersecurity certification scheme, which provides a limited degree of confidence in the claimed or asserted cybersecurity qualities of an ICT product or service, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to decrease the risk of cybersecurity inciden“functionally secure” shall be related to a low risk of an ICT product and service. A low level of risk exists when an attack on the ICT product and service does not compromise the confidentiality, integrity, availability, privacy or other important objectives, nor the health of users or third parties, the environment, other important legal interests or critical infrastructure and its supporting systems or products;.
2018/03/02
Committee: IMCO
Amendment 301 #
Proposal for a regulation
Article 46 – paragraph 2 – point b
(b) assurance level substantial shall refer to a certificate issued in the context of a European cybersecurity certification scheme, which provides a substantial degree of confidence in the claimed or asserted cybersecurity qualities of an ICT product or service, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to decrease substantially the risk of cybersecurity incidenly secure” shall be related to a higher risk of an ICT product and service. A higher level of risk exists when an attack on the ICT product and service compromises the confidentiality, integrity, availability, privacy or other important objectives, and has implications to the health of users or third parties, the environment, other important legal interests or critical infrastructure and its supporting systems or products;.
2018/03/02
Committee: IMCO
Amendment 306 #
Proposal for a regulation
Article 46 – paragraph 2 – point c
(c) assurance level high shall refer to a certificate issued in the context of a European cybersecurity certification scheme, which provides a higher degree of confidence in the claimed or asserted cybersecurity qualitiesly secure” shall be related to a high risk of an ICT product and service. A high level of risk exists when an attack ofn an ICT product orand service than certificates with the assurance level substantial, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to prevent cybercompromises the confidentiality, integrity, availability, privacy or other important objectives and reasonably endangers the national sovereignty or public security incidentof states.
2018/03/02
Committee: IMCO
Amendment 340 #
Proposal for a regulation
Article 47 – paragraph 1 – point h a (new)
(ha) the specific cases for recertification of an ICT product and service shall be defined in the corresponding certification scheme. Security and feature updates with reference to any security measures need to follow an assessment and, if necessary, a recertification process;
2018/03/02
Committee: IMCO
Amendment 394 #
Proposal for a regulation
Article 49 – paragraph 1
1. Without prejudice to paragraph 3, national cybersecurity certification schemes and the related procedures for the ICT products and services covered by a European cybersecurity certification scheme shall cease to produce effects from the date established in the implementing act adopted pursuant Article 44(4). The Commission shall monitor compliance with this subparagraph, in order to avoid the existence of concurrent schemes. Existing national cybersecurity certification schemes and the related procedures for the ICT products and services not covered by a European cybersecurity certification scheme shall continue to exist.
2018/03/02
Committee: IMCO
Amendment 408 #
Proposal for a regulation
Article 50 – paragraph 3
3. Each national certification supervisory authority shall, in its organisation, funding decisions, legal structure and decision-making, be independent of the entities they supervise and shall not be a conformity assessment body or a national accreditation body.
2018/03/02
Committee: IMCO
Amendment 442 #
Proposal for a regulation
Article 55 a (new)
Article 55a Exercise of the delegation The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article. The power to adopt delegated acts referred to in Article 44(4) shall be conferred on the Commission for a period of 5 years from [date of entry into force of the basic legislative act]. The Commission shall draw up a report in respect of the delegation of power not later than nine months before the end of the 5 year period. The delegation of power shall be tacitly extended for periods of an identical duration, unless the European Parliament or the Council opposes such extension not later than three months before the end of each period. The delegation of power referred to in Article 44(4) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force. Before adopting a delegated act, the Commission shall consult experts designated by each Member State in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council. A delegated act adopted pursuant to Article 44(4) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of [two months] of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by[two months] at the initiative of the European Parliament or of the Council.
2018/03/02
Committee: IMCO
Amendment 444 #
Proposal for a regulation
Annex I – paragraph 1 – point 3
3. A body belonging to a business association or professional federation representing undertakings involved in the design, manufacturing, provision, assembly, use or maintenance of ICT products or services which it assesses, may, on condition that its independence and the absence of any conflict of interest are demonstrated, be considered a conformity assessment body.Deleted
2018/03/02
Committee: IMCO