18 Amendments of Caroline NAGTEGAAL related to 2017/0225(COD)
Amendment 105 #
Proposal for a regulation
Recital 5 a (new)
(5 a) Businesses as well as individual consumers should have accurate information regarding the level of security of their ICT products. At the same time, it has to be understood that no product is cyber secure and that basic rules of cyber hygiene have to be promoted and prioritized.
Amendment 108 #
Proposal for a regulation
Recital 8
(8) It is recognised that, since the adoption of the 2013 EU Cybersecurity Strategy and the last revision of the Agency's mandate, the overall policy context has changed significantly, also in relation to a more uncertain and less secure global environment. In this context and in the context of the positive role the Agency has played over the years in pooling of expertise, coordination, capacity building and within the framework of the new Union cybersecurity policy, it is necessary to review the mandate of ENISA to define its role in the changed cybersecurity ecosystem and ensure it contributes effectively to the Union's response to cybersecurity challenges emanating from this radically transformed threat landscape, for which, as recognised by the evaluation of the Agency, the current mandate is not sufficient.
Amendment 116 #
Proposal for a regulation
Recital 15
(15) The Agency should assist the Member States and Union institutions, bodies, offices and agencies in their efforts to build and enhance capabilities and preparedness to prevent, detect and respond to cybersecurity problems and incidents and in relation to the security of network and information systems. In particular, the Agency should support the development and enhancement of national CSIRTs, with a view to achieving a high common level of their maturity in the Union. The Agency should also assist with the development and update of Union and Member States' strategies on the security of network and information systems, in particular on cybersecurity, promote their dissemination and track progress of their implementation. The Agency should also offer training and training material to public bodies, and where appropriate "train the trainers" with a view to assisting Member States in developing their own training capabilities. The Agency should also serve as a contact point for Member States and Union institutions, which should be able to request the assistance of the Agency within the competences and roles assigned to it.
Amendment 161 #
Proposal for a regulation
Recital 47
(47) Conformity assessment is the process demonstrating whether specified requirements relating to a product, process, service, system, person or body have been fulfilled. For the purposes of this Regulation, certification should be considered as a type of conformity assessment regarding the cybersecurity features of a product, process, service, system, or a combination of those ("ICT products and services") by an independent third party, other than the product manufacturer or service provider. Certification cannot guarantee per se that certified ICT products and services are cyber secure. It is rather a procedure and technical methodology to attest that ICT products and services have been tested and that they comply with certain cybersecurity requirements laid down elsewhere, for example as specified in technical standards. Undertakings should also ensure the security by design and by default of their ICT products and services taking into account the state of the art.
Amendment 164 #
Proposal for a regulation
Recital 48 a (new)
(48 a) Despite the fact that it is not possible to foresee future technology and market developments, producers should take into account all known threats when developing their products. Producers should also be liable for the quality of a product put on the EU market, including cyber resilience. At the same time, consumers should assume their share of responsibility by following basic rules of cyber hygiene, which could significantly reduce the number of human errors in the field of cybersecurity.
Amendment 172 #
Proposal for a regulation
Recital 53 a (new)
(53 a) The Agency and the Commission should make the best use of already existing certification schemes at the EU and/or international level. ENISA should be able to assess which schemes already in use are fit for purpose and can be brought into European legislation in cooperation with EU standardisation organisations and, as far as possible, internationally recognised. Existing good practices should be collected and shared among Member States.
Amendment 237 #
Proposal for a regulation
Article 2 – paragraph 1 – point 16 a (new)
Amendment 247 #
Proposal for a regulation
Article 4 – paragraph 2
2. The Agency shall assist the Union institutions, agencies and bodies, as well as Member States, in developing and implementing policies related to cybersecurity and raising awareness among citizens and businesses.
Amendment 261 #
Proposal for a regulation
Article 4 – paragraph 6
6. The Agency shall promote the use of certification, including by contributing to the establishment and maintenance of a cybersecurity certification framework at Union level in accordance with Title III of this Regulation, with a view to increasing the transparency of cybersecurity assurance of ICT products and services, reducing fragmentation of the internal market and thus strengthening trust in the digital internal market.
Amendment 443 #
Proposal for a regulation
Article 44 – paragraph 5 a (new)
5a. Adopted schemes shall be reviewed and, if necessary, updated on a regular basis in cooperation with relevant stakeholders and the Group within the structure established under this Regulation.
Amendment 484 #
Proposal for a regulation
Article 46 – paragraph 2 – point a
(a) certificate assurance level basic shall correspond to the assessment by a third party that the basic risks of cyber incidents for ICT processes, products or services are covered;
Amendment 490 #
Proposal for a regulation
Article 46 – paragraph 2 – point a a (new)
(aa) This assessment shall include the review of the technical documentation of the ICT product, service or process;
Amendment 494 #
Proposal for a regulation
Article 46 – paragraph 2 – point b
(b) certificate assurance level substantial shall correspond to the assessment by a third party that the substantial risks of cyber incidents for ICT processes, products or services are covered;
Amendment 499 #
Proposal for a regulation
Article 46 – paragraph 2 – point b a (new)
(ba) This assessment shall include the review of the technical documentation and the testing of the security functionalities implemented, in accordance with the requirements set out in the technical documentation;
Amendment 503 #
Proposal for a regulation
Article 46 – paragraph 2 – point c
(c) certification assurance high shall correspond to the assessment by a third party that high risks of cyber incidents for ICT processes, products or services are covered;
Amendment 509 #
Proposal for a regulation
Article 46 – paragraph 2 – point c a (new)
(ca) This assessment shall include the review of the technical documentation, the testing of the security functionalities implemented, in accordance with the requirements set out in the technical documentation, and the assessment of the resistance of the ICT processes, products or services to skilled attackers having significant to unlimited resources, through penetration testing.
Amendment 519 #
Proposal for a regulation
Article 47 – paragraph 1 – point b
(b) detailed specification of the cybersecurity requirements against which the specific ICT products and services are evaluated, for example by reference to Union and/or international standards or technical specifications. Already existing international standards should be taken into account;
Amendment 525 #
Proposal for a regulation
Article 47 – paragraph 1 – point c
(c) where applicable, one or more assurance levels taking into account, inter alia, a risk-based approach;