11 Amendments of Maria da Graça CARVALHO related to 2023/0108(COD)
Amendment 18 #
Proposal for a regulation
Recital 2
(2) Managed security services, which are services consisting of carrying out, or providing assistance for, activities relating to their customers’ cybersecurity risk management, including incident prevention, detection, response or recovery, have gained increasing importance in the prevention and mitigation of cybersecurity incidents. Accordingly, the providers of those services are considered as essential or important entities belonging to a sector of high criticality pursuant to Directive (EU) 2022/2555 of the European Parliament and of the Council (8). Pursuant to Recital 86 of that Directive, managed security service providers in areas such as incident response, penetration testing, security audits and consultancy play a particularly important role in assisting entities in their efforts to prevent, detect, respond to or recover from incidents. Managed security service providers have, however, also themselves been the target of cyberattacks and pose a particular risk because of their close integration in the operations of their customers. Essential and important entities within the meaning of Directive (EU) 2022/2555 should therefore exercise increased diligence in selecting a managed security service provider.
__________________
(8) Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (OJ L 333, 27.12.2022, p. 80).
Amendment 23 #
Proposal for a regulation
Recital 4 a (new)
(4 a) European certification schemes for managed security services should facilitate the use of these services, particularly for smaller entities, including local and regional authorities or SMEs, which often do not have the financial and human capacity to provide these services themselves, but are vulnerable to cyberattacks with potentially significant consequences.
Amendment 25 #
Proposal for a regulation
Recital 5
(5) In addition to the deployment of ICT products, ICT services or ICT processes, managed security services often provide additional service features that rely on the competences, expertise and experience of their personnel. A very high level of these competences, expertise and experience as well as appropriate internal procedures should be part of the security objectives in order to ensure a very high quality and reliability of the managed security services provided. In order to ensure that all aspects of a managed security service can be covered by a certification scheme, it is therefore necessary to amend Regulation (EU) 2019/881. The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council and delivered an opinion on [DD/MM/YYYY].
Amendment 27 #
Proposal for a regulation
Recital 5 a (new)
(5 a) Given that the European cybersecurity certification schemes should certify that managed security services are provided by highly skilled personnel who are able to reliably deliver these services and ensure the highest standards of cybersecurity, it is imperative that there is sufficient availability of highly qualified personnel in the Union. Yet the Union is faced with a talent gap, characterised by a shortage of skilled professionals, and a rapidly evolving threat landscape, as acknowledged in the Commission communication of 18 April 2023 on the Cybersecurity Skills Academy. It is important to bridge this talent gap by strengthening cooperation and coordination among the different stakeholders, including the private sector, academia, Member States, the Commission and ENISA, in order to scale up and create synergies for investment in education and training, the development of public-private partnerships, support for research and innovation initiatives, and the development and mutual recognition of common standards and certification of cybersecurity skills, including through the European Cybersecurity Skills Framework. This should also facilitate the mobility of cybersecurity professionals within the Union.
Amendment 35 #
Proposal for a regulation
Article 1 – paragraph 1 – point 2 – point b
(14a) ‘managed security service’ means a managed service consisting of carrying out, or providing assistance for, activities relating to cybersecurity risk management, including incident prevention, detection, response, penetration testing, security audits and consultancy, or recovery;
Amendment 39 #
Proposal for a regulation
Article 1 – paragraph 1 – point 7
Article 1 – paragraph 1 – point 7
Regulation (EU) 2019/881
Article 49 – paragraph 7
Amendment 42 #
Proposal for a regulation
Article 1 – paragraph 1 – point 7 a (new)
Regulation (EU) 2019/881
Article 49 – paragraph 7a (new)
(7 a) the following paragraph is inserted: '7a. The Commission, based on the candidate scheme prepared by ENISA, may adopt delegated acts providing for a European cybersecurity certification scheme for managed security services which meets the requirements set out in Articles 51, 52, and 54. Those delegated acts shall be adopted in accordance with the procedure referred to in Article 66a.'
Amendment 43 #
Proposal for a regulation
Article 1 – paragraph 1 – point 9
Regulation (EU) 2019/881
Article 51a – paragraph 1 – point b
(b) ensure that the provider has appropriate internal procedures in place to ensure that the managed security services are provided at a very high level of quality and reliability at all times;
Amendment 44 #
Proposal for a regulation
Article 1 – paragraph 1 – point 9
Regulation (EU) 2019/881
Article 51a – paragraph 1 – point g
(g) ensure that the ICT products, ICT services and ICT processes [and the hardware] deployed in the provision of the managed security services are secure by default and by design, are provided with up-to-date software and hardware, do not contain known vulnerabilities and include the latest security updates;
Amendment 46 #
Proposal for a regulation
Article 1 – paragraph 1 – point 13 – point b – point ii – point aa
Regulation (EU) 2019/881
Article 56 – paragraph 3 – third subparagraph – point a
(a) take into account the impact of the measures on the manufacturers or providers of such ICT products, ICT services, ICT processes or managed security services and on the users, including SMEs, in terms of the cost of those measures and the societal or economic benefits stemming from the anticipated enhanced level of security for the targeted ICT products, ICT services, ICT processes or managed security services. The Commission shall ensure that SMEs have access to appropriate financial support in the implementation of the measures through already existing Union programmes;
Amendment 48 #
Proposal for a regulation
Article 1 – paragraph 1 – point 16 a (new)
Regulation (EU) 2019/881
Article 66a (new)