15 Amendments of Françoise GROSSETÊTE related to 2017/0225(COD)
Amendment 219
Proposal for a regulation
Article 2 – paragraph 1 – point 9
(9) ‘European cybersecurity certification scheme’ means the comprehensive set of rules, technical requirements, standards and procedures defined at Union level applying to the certification of Information and Communication Technology (ICT) products and service, processes, services and systems falling under the scope of that specific scheme;
Amendment 296
Proposal for a regulation
Article 7 – title
Tasks relating to support for operational cooperation at Union level
Amendment 297
Proposal for a regulation
Article 7 – paragraph 4 – subparagraph 1 – introductory part
The Agency shall contribute to support the operational cooperation within the CSIRTs Network in accordance with the provisions of Article 12(2) of Directive (EU) 2016/1148 providing support to Member States by:
Amendment 301
Proposal for a regulation
Article 7 – paragraph 5 – subparagraph 1
Upon a request by two or more Member States concerned, and with the sole purpose of providing advice for the prevention of future incidents, the Agency shall provide support to or carry out an ex-post technical enquiry following notifications by affected undertaking for the analysis of incidents having a significant or substantial impact pursuant to Directive (EU) 2016/1148. The Agency shall also carry out such an enquiry this analysis upon a duly justified request from the Commission in agreement with the concerned Member States in case of such incidents affecting more than two Member States.
Amendment 302
Proposal for a regulation
Article 7 – paragraph 5 – subparagraph 2
The scope of the enquiry and the procedure to be followed in conducting such enquiry shall be agreed by the concerned Member States and the Agency and is without prejudice to any on-going criminal investigation concerning the same incident. The enquiry analysis shall be agreed by the concerned Member States and the Agency. The analysis shall be concluded by a final technical report compiled by the Agency in particular on the basis of information and comments provided by the concerned Member States and undertaking(s) and agreed with the concerned Member States. A summary of the report focussing on the recommendations for the prevention of future incidents will be shared with the CSIRTs network.
Amendment 415
Proposal for a regulation
Article 44 – paragraph 1
1. Following a request from the Commission, ENISA shall prepare a candidate European cybersecurity certification scheme which meets the requirements set out in Articles 45, 46 and 47 of this Regulation. Member States or, the European Cybersecurity Certification Group (the 'Group') established under Article 53, or European industry representatives may propose the preparation of a candidate European cybersecurity certification scheme to the Commission.
Amendment 466
Proposal for a regulation
Article 46 – paragraph 1
1. A European cybersecurity certification scheme may specify one or more of the following risk-based assurance levels: basic, substantial and/or high, for ICT products and services issued under that scheme according to the context and intended use of the following ICT products, processes, systems and services: basic, substantial and/or high.
Amendment 474
Proposal for a regulation
Article 46 – paragraph 1 a (new)
1a. The conformity assessment methods that may be used must be specified in the elements of each European cybersecurity certification scheme, pursuant to Article 47 and on the basis of a risk analysis.
Amendment 479
Proposal for a regulation
Article 46 – paragraph 2 – introductory part
2. The assurance levels basic, substantial and high shall meet the following criteria and evaluation method, respectively:
Amendment 485
Proposal for a regulation
Article 46 – paragraph 2 – point a
(a) assurance level basic shall refer to a certificate issued in the context of a European cybersecurity certification scheme, which provides a limited degree of confidence in the claimed or asserted cybersecurity qualities of an ICT product or service, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to decrease the risk of cybersecurity incidents; the evaluation method must be based on the technical review by an assessment body of the conformity of the technical documentation associated with an information and communication technology product or service;
Amendment 495
Proposal for a regulation
Article 46 – paragraph 2 – point b
(b) assurance level substantial shall refer to a certificate issued in the context of a European cybersecurity certification scheme, which provides a substantial degree of confidence in the claimed or asserted cybersecurity qualities of an ICT product or service, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to decrease substantially the risk of cybersecurity incidents; the evaluation method must be based on the verification, by a conformity assessment body, of the conformity of the security features of the product or service.
Amendment 505
Proposal for a regulation
Article 46 – paragraph 2 – point c
(c) assurance level high shall refer to a certificate issued in the context of a European cybersecurity certification scheme, which provides a higher degree of confidence in the claimed or asserted cybersecurity qualities of an ICT product or service than certificates with the assurance level substantial, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to prevent cybersecurity incidents. The evaluation method must be based on effectiveness tests to assess the ability of the security features to withstand a high-level attacker.
Amendment 561
Proposal for a regulation
Article 48 – paragraph 4 – introductory part
4. By the way of derogation from paragraph 3, in duly justified cases, such as the assurance level high described in Article 46(c), a particular European cybersecurity scheme mayust provide that a European cybersecurity certificate resulting from that scheme can only be issued by a competent public body following an assessment conducted by an independent, notified conformity assessment body. Such public body shall be one of the following:
Amendment 575
Proposal for a regulation
Article 48 – paragraph 7
7. A European cybersecurity certificate issued pursuant to this Article shall be recognised in all Member States. For the assurance level high, certificates may only be mutually recognised if they are issued by a public body as described in paragraph 4 (a) of Article 48.
Amendment 604
Proposal for a regulation
Article 51 – paragraph 1 a (new)
1a. For the assurance level high, the conformity assessment body must, in addition to its accreditation, be notified by the national certification supervisory authority with regard to its competence and expertise in the assessment of cybersecurity. The national certification supervisory authority shall carry out regular audits of the expertise and competences of the notified conformity assessment bodies.