Activities of Jan Philipp ALBRECHT related to 2017/0225(COD)
Shadow opinions (1)
OPINION on the proposal for a regulation of the European Parliament and of the Council on ENISA, the "EU Cybersecurity Agency", and repealing Regulation (EU) 526/2013, and on Information and Communication Technology cybersecurity certification ("Cybersecurity Act")
Amendments (57)
Amendment 52 #
Proposal for a regulation
Title
Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on ENISA, the “Network and Information Security Agency”, and repealing Regulation (EU) 526/2013, and on Information and Communication Technology IT security certification (“IT Security Act”) (Text with EEA relevance) (This amendment applies throughout the text. Adopting it will necessitate corresponding changes throughout.)
Amendment 67 #
Proposal for a regulation
Recital 28
(28) The Agency should contribute towards raising the awareness of the public about risks related to IT security and provide guidance on good practices for individual users aimed at citizens and organisations. The Agency should also contribute to promote best practices and solutions at the level of individuals and organisations by collecting and analysing publicly available information regarding significant incidents, and by compiling and publishing reports and guides with a view to providing guidance to businesses and citizens and improving the overall level of preparedness and resilience. The Agency should furthermore organise, in cooperation with the Member States and the Union institutions, bodies, offices and agencies regular outreach and public education campaigns directed to end-users, aiming at promoting safer individual online behaviour and raising awareness of potential threats in cyberspace, including cybercrimes such as phishing attacks, botnets, financial and banking fraud, as well as promoting basic authentication, encryption, anonymisation and data protection advice. The Agency should play a central role in accelerating end-user awareness on security of devices and popularising at EU level security-by-design, privacy-by-design and the incidents and their solutions.
Amendment 71 #
Proposal for a regulation
Recital 30
(30) To ensure that it fully achieves its objectives, the Agency should liaise with relevant institutions, agencies and bodies, including CERT-EU, European Cybercrime Centre (EC3) at Europol, European Defence Agency (EDA), European Agency for the operational management of large-scale IT systems (eu-LISA), European Aviation Safety Agency (EASA) and any other EU Agency that is involved in IT security. It should also liaise with authorities dealing with data protection in order to exchange know-how and best practices and provide advice on IT security aspects that might have an impact on their work. Representatives of national and Union law enforcement and data protection authorities should be eligible to be represented in the Agency’s Permanent Stakeholders Group. In liaising with law enforcement bodies regarding network and information security aspects that might have an impact on their work, the Agency should respect existing channels of information and established networks. Partnerships should be established with academic institutions that have research initiatives in the relevant areas, while the input from consumer organisations and other organisations should have appropriate channels and be always analysed.
Amendment 74 #
Proposal for a regulation
Recital 35
(35) The Agency should encourage Member States and service providers to raise their general security standards so that all internet users can take the necessary steps to ensure their own personal IT security and refrain from allowing the sales or use of devices that do not meet minimum security conditions. In particular, service providers and product manufacturers should withdraw or recycle products and services that do not meet IT security standards. In cooperation with competent authorities, ENISA may disseminate information regarding the level of IT security of the products and services offered in the internal market, and issue warnings targeting providers and manufacturers and requiring them to improve the security, including IT security, of their products and services.
Amendment 75 #
Proposal for a regulation
Recital 41
(41) In order for the Agency to function properly and effectively, the Commission and the Member States should ensure that persons to be appointed to the Management Board have appropriate professional expertise and experience in functional areas. The Commission and the Member States should also make efforts to limit the turnover of their respective Representatives on the Management Board in order to ensure continuity in its work. Due to the high market value of the skills required in the Agency work, it is necessary to ensure that the salaries and the social conditions offered to all Agency staff are competitive and ensure that the best professionals can choose to work there.
Amendment 77 #
Proposal for a regulation
Recital 42
(42) The smooth functioning of the Agency requires that its Executive Director be appointed on grounds of merit and documented administrative and managerial skills, as well as competence and experience relevant for IT security, and that the duties of the Executive Director be carried out with complete independence. The Executive Director should prepare a proposal for the Agency’s work programme, after prior consultation with the Commission, and take all necessary steps to ensure the proper execution of the work programme of the Agency. The Executive Director should prepare an annual report to be submitted to the Management Board, draw up a draft statement of estimates of revenue and expenditure for the Agency, and implement the budget. Furthermore, the Executive Director should have the option of setting up ad hoc Working Groups to address specific matters, in particular of a scientific, technical, legal or socioeconomic nature. The Executive Director should ensure that the ad hoc Working Groups’ members are selected according to the highest standards of expertise, taking due account of a representative and gender balance, as appropriate according to the specific issues in question, between the public administrations of the Member States, the Union institutions and the private sector, including industry, users, and academic experts in network and information security.
Amendment 79 #
Proposal for a regulation
Recital 44
(44) The Agency should have a Permanent Stakeholders’ Group as an advisory body, to ensure regular dialogue with the private sector, consumers’ organisations, academia and other relevant stakeholders. The Permanent Stakeholders’ Group, set up by the Management Board on a proposal by the Executive Director, should focus on issues relevant to stakeholders and bring them to the attention of the Agency, providing input on which ICT products and services to cover in future European IT security certification schemes. The composition of the Permanent Stakeholders Group and the tasks assigned to this Group, to be consulted in particular regarding the draft Work Programme, should ensure efficient and equitable representation of stakeholders in the work of the Agency.
Amendment 82 #
Proposal for a regulation
Recital 47
(47) Conformity assessment is the process demonstrating whether specified requirements relating to a product, process, service, system, person or body have been fulfilled. For the purposes of this Regulation, certification should be considered as a type of conformity assessment regarding the IT security features of a product, process, service, system, or a combination of those (“ICT products and services”) by an independent third party, other than the product manufacturer or service provider. While certification for lower assurance levels than high may require merely conformity assessment, for assurance level high, a profound security assessment and neutral certification is needed. Certificates on this assurance level therefore should be issued only by Cybersecurity Supervisory Authorities. The issuing of those certificates should be subject to mutual peer reviews by other Cybersecurity Supervisory Authorities. Certification cannot guarantee per se that certified ICT products and services are cyber secure. It is rather a procedure and technical methodology to attest that ICT products and services have been tested and that they comply with certain IT security requirements laid down elsewhere, for example as specified in technical standards.
Amendment 90 #
Proposal for a regulation
Recital 52
(52) In view of the above, it is necessary to establish a European IT security certification framework laying down the main horizontal requirements for European IT security certification schemes to be developed and allowing certificates for ICT products and services to be recognised and used in all Member States. The European framework should have a twofold purpose: on the one hand, it should help increase trust in ICT products and services that have been certified according to such schemes. On the other hand, it should avoid the multiplication of conflicting or overlapping national IT security certifications and thus reduce costs for undertakings operating in the digital single market. The schemes should be guided by security-by-design and the principles referred to in Regulation 2016/679. They should also be non-discriminatory and based on international and/or Union standards, unless those standards are ineffective or inappropriate to fulfil the EU’s legitimate objectives in that regard.
Amendment 113 #
Proposal for a regulation
Recital 57
(57) Recourse to European cybersecurity certification should remain voluntary, unless otherwise provided in Union or national legislation. However, baseline IT security requirements need to be mandatory and implemented on all consumer devices and services in order to tackle the challenges of an increasingly connected world. Such minimal requirements could include authentication, security of connections and patches for the discovered vulnerabilities. With a view to achieving the objectives of this Regulation and avoiding the fragmentation of the internal market, national cybersecurity certification schemes or procedures for the ICT products and services covered by a European cybersecurity certification scheme should cease to produce effects from the date established by the Commission by means of the implementing act. Moreover, Member States should not introduce new national certification schemes providing cybersecurity certification schemes for ICT products and services already covered by an existing European cybersecurity certification scheme.
Amendment 122 #
Proposal for a regulation
Article 48 a (new)
Amendment 123 #
Proposal for a regulation
Recital 58 a (new)
(58a) Clear and mandatory baseline IT security requirements should be devised by the Agency, and should be proposed to the Commission as implementing acts if appropriate, for all IT devices sold in or exported from the Union. Those requirements should be developed within two years after the date of entry into force of this Regulation and revised every two years thereafter, in order to ensure constant and dynamic improvements. Those baseline IT security requirements should require, inter alia, that the device does not contain any known security vulnerability, that it is capable of accepting trusted security updates, that the vendor notifies competent authorities of known vulnerabilities and repairs or replaces the affected device, or that the vendor informs when security support for such device will end.
Amendment 128 #
Proposal for a regulation
Article 1 – paragraph 1 – point a
(a) lays down the objectives, tasks and organisational aspects of ENISA, the ‘Network and Information Security Agency’ (the “Agency”); and
Amendment 140 #
Proposal for a regulation
Article 2 – paragraph 1 – point 11 a (new)
Amendment 145 #
Proposal for a regulation
Title II
ENISA – the “Network and Information Security Agency”
Amendment 147 #
Proposal for a regulation
Article 3 – paragraph 1
1. The Agency shall undertake the tasks assigned to it by this Regulation for the purpose of achieving a high level of cybersecurity within the Union.
Amendment 150 #
Proposal for a regulation
Article 3 – paragraph 3
3. The objectives and the tasks of the Agency shall be without prejudice to the exclusive competences of the Member States regarding IT security.
Amendment 152 #
Proposal for a regulation
Article 4 – paragraph 4
4. The Agency shall promote cooperation and coordination at Union level among Member States, Union institutions, agencies and bodies, and relevant stakeholders, including the private sector, consumer organisations and other civil society organisations, on matters related to IT security.
Amendment 161 #
Proposal for a regulation
Article 5 – paragraph 1 – point 2 a (new)
Amendment 163 #
Proposal for a regulation
Article 5 – paragraph 1 – point 2 b (new)
2b. proposing policies with the objective of ensuring that ICT manufacturers act with due diligence regarding the timely fixing of IT security vulnerabilities in their products and services in order to avoid unduly exposing their users to cybercrime;
Amendment 164 #
Proposal for a regulation
Article 5 – paragraph 1 – point 2 c (new)
2c. proposing policies establishing a strong responsibility and liability framework for all stakeholders taking part in ICT eco- systems;
Amendment 165 #
Proposal for a regulation
Article 5 – paragraph 1 – point 2 d (new)
2d. proposing policies strengthening regulation regarding the responsibilities of operators of critical network infrastructures in the case of an attack against their information systems affecting their users due to a lack of due diligence by some of the users or by the operator itself, where the operator has failed to take reasonable action to prevent the incident or to mitigate its effects on all users;
Amendment 166 #
Proposal for a regulation
Article 5 – paragraph 1 – point 2 e (new)
2e. proposing policies to limit the purchase and use of “Zero days” by public authorities with the purpose of attacking information systems; promoting software audits and financing expert staff;
Amendment 167 #
Proposal for a regulation
Article 5 – paragraph 1 – point 2 f (new)
2f. proposing policies for public authorities, private companies, researchers, universities and other stakeholders to publish all critical security vulnerabilities that are not yet publicly known within the framework of a responsible disclosure;
Amendment 168 #
Proposal for a regulation
Article 5 – paragraph 1 – point 2 g (new)
2g. proposing policies for the extension of the use of “verifiable open-source code” for IT solutions in the public sector as well as for the related use of automated tools to ease review of source code and to easily verify absence of backdoors and other possible security vulnerabilities;
Amendment 175 #
Proposal for a regulation
Article 6 – paragraph 2 a (new)
2a. The Agency shall facilitate the establishment and launch of a long-term European IT security project to support the growth of an independent EU IT security industry, and to mainstream IT security into all EU IT developments.
Amendment 178 #
Proposal for a regulation
Article 7 – paragraph 8 – point c a (new)
(ca) put in place certification schemes deterring the implementation by ICT manufacturers and service providers of secret backdoors intentionally weakening the IT security of commercial products and services and having a detrimental impact on the global security of the internet.
Amendment 189 #
Proposal for a regulation
Article 8 – paragraph 1 – point c a (new)
(ca) put in place certification schemes deterring the implementation by ICT manufacturers and service providers of secret backdoors intentionally weakening the IT security of commercial products and services and having a detrimental impact on the global security of the internet;
Amendment 194 #
Proposal for a regulation
Article 9 – paragraph 1 – point e
(e) raise awareness of the public about cybersecurity risks, and provide guidance on good practices for individual users aimed at citizens and organisations;
Amendment 196 #
Proposal for a regulation
Article 9 – paragraph 1 – point g a (new)
(ga) promote the widespread adoption by all actors on the EU Digital Single Market of preventive strong IT security measures and reliable data protection and privacy enhancing technologies as the first line of defence against attacks against information systems.
Amendment 199 #
Proposal for a regulation
Article 10 – paragraph 1 – point a
(a) advise the Union and the Member States on research needs and priorities in the areas of cybersecurity and data protection and privacy, with a view to enabling effective responses to current and emerging risks and threats, including with respect to new and emerging information and communications technologies, and to using risk-prevention technologies effectively;
Amendment 202 #
Proposal for a regulation
Article 13 – paragraph 1
1. The Management Board shall be composed of one representative of each Member State, three representatives of the Permanent Stakeholder Group, one of which must represent the consumer interest, and two representatives appointed by the Commission. All representatives shall have voting rights.
Amendment 204 #
Proposal for a regulation
Article 1 – paragraph 1 – point b
(b) lays down a framework for the establishment of European cybersecurity certification schemes for the purpose of ensuring an adequate level of cybersecurity of ICT products, processes and services in the Union. Such framework shall apply without prejudice to specific provisions regarding voluntary or mandatory certification in other Union acts.
Amendment 207 #
Proposal for a regulation
Article 18 – paragraph 3
3. The Executive Board shall be composed of five members appointed, in a gender balanced manner, from among the members of the Management Board amongst whom the Chairperson of the Management Board, who may also chair the Executive Board, and one of the representatives of the Commission. The Executive Director shall take part in the meetings of the Executive Board, but shall not have the right to vote.
Amendment 212 #
Proposal for a regulation
Article 20 – paragraph 2
2. Procedures for the Permanent Stakeholders’ Group, in particular regarding the number, composition, and the appointment of its members by the Management Board, the proposal by the Executive Director and the operation of the Group, shall be specified in the Agency’s internal rules of operation and shall be made public. The procedures shall follow best practice in ensuring a fair representation and equal rights for all stakeholders and shall enforce a gender balanced approach.
Amendment 213 #
Proposal for a regulation
Article 20 – paragraph 2 a (new)
2a. The composition of the Permanent Stakeholders’ Group shall include a minimum of five consumer organisations and civil society organisations.
Amendment 219 #
Proposal for a regulation
Article 23 – paragraph 2
2. The Agency shall ensure that the public and any interested parties are given appropriate, objective, reliable and easily accessible information, in particular with regard to the debates and the results of its work. It shall also make public the declarations of interest made in accordance with Article 22.
Amendment 220 #
Proposal for a regulation
Article 34 – paragraph 2
2. The Management Board shall adopt a decision laying down rules on the secondment to the agency of national experts, amongst others disallowing no- cost practices and promoting fair remuneration.
Amendment 221 #
Proposal for a regulation
Article 41 – paragraph 2
2. The Agency’s host Member State shall provide the best possible conditions to ensure the proper functioning of the Agency, including the accessibility of the headquarters and other offices location by international airport, the existence of adequate education facilities for the children of staff members, appropriate access to the labour market, social security and medical care for both children and spouses.
Amendment 226 #
Proposal for a regulation
Article 43 a (new)
Amendment 228 #
Proposal for a regulation
Article 2 – paragraph 1 – point 10
(10) ‘European cybersecurity certificate’ means a document issued by a conformity assessment body attesting that a given ICT product, process or service fulfils the specific requirements laid down in a European cybersecurity certification scheme;
Amendment 231 #
Proposal for a regulation
Article 44 – paragraph 1
1. Following a request from the Commission, ENISA shall prepare a candidate European IT security certification scheme which meets the requirements set out in Articles 45, 46 and 47 of this Regulation. Member States, the European Cybersecurity Certification Group (the ‘Group’) established under Article 53 or the Permanent Stakeholders Group established under Article 20 may propose the preparation of a candidate European cybersecurity certification scheme to the Commission.
Amendment 238 #
Proposal for a regulation
Article 44 – paragraph 2
2. When preparing candidate schemes referred to in paragraph 1 of this Article, ENISA shall consult all relevant stakeholders and closely cooperate with the Group as well as with the consumer organisations, Article 29 Working Party and the European Data Protection Board. The Group shall provide ENISA with the assistance and expert advice required by ENISA in relation to the preparation of the candidate scheme, including by providing opinions where necessary.
Amendment 241 #
Proposal for a regulation
Article 3 – paragraph 2 a (new)
2 a. The Agency shall assist Member States and Union institutions in establishing policies and practices for the responsible management and coordinated disclosure of vulnerabilities in ICT products and services that are not publicly known.
Amendment 252 #
Proposal for a regulation
Article 44 – paragraph 4
4. The Commission, based on the candidate scheme proposed by ENISA, may adopt implementing acts, in accordance with Article 55(1), providing for European cybersecurity certification schemes for ICT products and services meeting the requirements of Articles 45, 46 and 47 of this Regulation. The Commission may consult the European Data Protection Board and take account of its view before adopting such implementing acts.
Amendment 271 #
Proposal for a regulation
Article 4 – paragraph 7 a (new)
7 a. The Agency shall assist and advise Member States and Union institutions in establishing policies and practices for the responsible management and coordinated disclosure of vulnerabilities in ICT products and services that are not publicly known, inter alia, by establishing government vulnerability disclosure review processes and coordinated vulnerability disclosure policies.
Amendment 273 #
Proposal for a regulation
Article 5 – paragraph 1 – point 2
2. assisting Member States to implement consistently the Union policy and law regarding cybersecurity notably in relation to Directive (EU) 2016/1148, including by means of opinions, guidelines, advice and best practices on topics such as secure software and systems development, risk management, incident reporting and information sharing, technical and organisational measures, in particular the establishment of coordinated vulnerability disclosure programmes, as well as facilitating the exchange of best practices between competent authorities in this regard;
Amendment 277 #
Proposal for a regulation
Article 5 – paragraph 1 – point 2 a (new)
2 a. proposing a blueprint which establishes the roles, responsibilities and legal obligations of vendors, manufacturers, CERTs and CSIRTs, and which further clarifies the legal rights and protections of information security researchers in the context of a coordinated vulnerability disclosure programme, in particular in cases of multi-party vulnerability disclosures that affect multiple vulnerability finders and vendors in different Member States
Amendment 286 #
Proposal for a regulation
Article 5 – paragraph 1 – point 4 – point 2 a (new)
(2 a) the development and promotion of policies that would sustain the general availability or integrity of the public core of the open internet, which provide the essential functionality to the Internet as a whole and which underpin its normal operation, including, but not limited to, the security and stability of key protocols (in particular DNS, BGP, and IPv6), the operation of the Domain Name System (including those of all Top Level Domains), and the operation of the Root Zone
Amendment 288 #
Proposal for a regulation
Article 6 – paragraph 1 – point a a (new)
(a a) Members States and Union institutions in establishing and implementing coordinated vulnerability disclosure policies and government vulnerability disclosure review processes, whose practices and determinations should be transparent and subject to independent oversight.
Amendment 306 #
Proposal for a regulation
Article 7 – paragraph 7 a (new)
7 a. The Agency shall prepare, together with the EEAS, a regular global Cybersecurity Situational Report on incidents and threats towards individuals, including towards vulnerable users outside the EU such as lawyers, journalists, or human rights defenders, in order to help the Union institutions respond to external needs and uphold its human rights responsibilities abroad
Amendment 311 #
Proposal for a regulation
Article 7 – paragraph 8 – point e a (new)
(e a) assisting and advising Member States on establishing and implementing coordinated vulnerability disclosure policies and government vulnerability disclosure review processes.
Amendment 344 #
Proposal for a regulation
Article 8 – paragraph 1 – point c a (new)
(c a) support and promote the development and implementation of coordinated vulnerability disclosure policies and government vulnerability disclosure review processes
Amendment 390 #
Proposal for a regulation
Article 48 a (new)
Amendment 511 #
Proposal for a regulation
Article 46 – paragraph 2 a (new)
2a. The methodology to distinguish between the different assurance levels should be guided by a test which assesses the resistance of the security functionalities against attackers that have significant to unlimited resources.
Amendment 534 #
Proposal for a regulation
Article 47 – paragraph 1 – point j
(j) rules concerning how previously undetected cybersecurity vulnerabilities in ICT products and services are to be reported and dealt with; requiring vulnerabilities in ICT products and services that are not publicly known to be reported expeditiously by the appropriate authorities to relevant vendors and manufacturers using a coordinated vulnerability disclosure process.
Amendment 540 #
Proposal for a regulation
Article 47 – paragraph 1 – point m a (new)
(ma) rules concerning how and when Member States must inform each other when they acquire knowledge of a vulnerability that is not publicly known in an ICT product or service that is certified under this certification scheme.