Chapter III – Organisation of ENISA (Art. 13-28)

Art. 13 CSA - Structure of ENISA

Art. 14 CSA - Composition of the Management Board

Art. 15 CSA - Functions of the Management Board

Art. 16 CSA - Chairperson of the Management Board

Art. 17 CSA - Meetings of the Management Board

Art. 18 CSA - Voting rules of the Management Board

Art. 19 CSA - Executive Board

Art. 20 CSA - Duties of the Executive Director

Art. 21 CSA - ENISA Advisory Group

Art. 22 CSA - Stakeholder Cybersecurity Certification Group

  1. The Stakeholder Cybersecurity Certification Group shall be established.
  2. The Stakeholder Cybersecurity Certification Group shall be composed of members selected from among recognised experts representing the relevant stakeholders. The Commission, following a transparent and open call, shall select, on the basis of a proposal from ENISA, members of the Stakeholder Cybersecurity Certification Group ensuring a balance between the different stakeholder groups as well as an appropriate gender and geographical balance.
  3. The Stakeholder Cybersecurity Certification Group shall:
    1. advise the Commission on strategic issues regarding the European cybersecurity certification framework;
    2. upon request, advise ENISA on general and strategic matters concerning ENISA’s tasks relating to market, cybersecurity certification, and standardisation;
    3. assist the Commission in the preparation of the Union rolling work programme referred to in Article 47;
    4. issue an opinion on the Union rolling work programme pursuant to Article 47(4); and
    5. in urgent cases, provide advice to the Commission and the ECCG on the need for additional certification schemes not included in the Union rolling work programme, as outlined in Articles 47 and 48.
  4. The Stakeholder Certification Group shall be co-chaired by the representatives of the Commission and of ENISA, and its secretariat shall be provided by ENISA.

Recital 62

The Stakeholder Cybersecurity Certification Group should be established in order to help ENISA and the Commission facilitate the consultation of relevant stakeholders. The Stakeholder Cybersecurity Certification Group should be composed of members representing industry in balanced proportions, both on the demand side and the supply side of ICT products and ICT services, and including, in particular, SMEs, digital service providers, European and international standardisation bodies, national accreditation bodies, data protection supervisory authorities and conformity assessment bodies pursuant to Regulation (EC) No 765/2008 of the European Parliament and of the Council (1), and academia as well as consumer organisations.


(1) Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products and repealing Regulation (EEC) No 339/93 (OJ L 218, 13.8.2008, p. 30).

Recital 84

The Commission should prepare, with the support of the European Cybersecurity Certification Group (the ‘ECCG’) and the Stakeholder Cybersecurity Certification Group and after an open and wide consultation, a Union rolling work programme for European cybersecurity certification schemes and should publish it in the form of a non-binding instrument. The Union rolling work programme should be a strategic document that allows industry, national authorities and standardisation bodies, in particular, to prepare in advance for future European cybersecurity certification schemes. The Union rolling work programme should include a multiannual overview of the requests for candidate schemes which the Commission intends to submit to ENISA for preparation on the basis of specific grounds. The Commission should take into account the Union rolling work programme while preparing its Rolling Plan for ICT Standardisation and standardisation requests to European standardisation organisations. In light of the rapid introduction and uptake of new technologies, the emergence of previously unknown cybersecurity risks, and legislative and market developments, the Commission or the ECCG should be entitled to request ENISA to prepare candidate schemes which have not been included in the Union rolling work programme. In such cases, the Commission and the ECCG should also assess the necessity of such a request, taking into account the overall aims and objectives of this Regulation and the need to ensure continuity as regards ENISA’s planning and use of resources.

Following such a request, ENISA should prepare the candidate schemes for specific ICT products, ICT services and ICT processes without undue delay. The Commission should evaluate the positive and negative impact of its request on the specific market in question, especially its impact on SMEs, on innovation, on barriers to entry to that market and on costs to end users. The Commission, on the basis of the candidate scheme prepared by ENISA, should be empowered to adopt the European cybersecurity certification scheme by means of implementing acts. Taking account of the general purpose and security objectives laid down in this Regulation, European cybersecurity certification schemes adopted by the Commission should specify a minimum set of elements concerning the subject matter, scope and functioning of the individual scheme. Those elements should include, among other things, the scope and object of the cybersecurity certification, including the categories of ICT products, ICT services and ICT processes covered, the detailed specification of the cybersecurity requirements, for example by reference to standards or technical specifications, the specific evaluation criteria and evaluation methods, as well as the intended assurance level (‘basic’, ‘substantial’ or ‘high’) and the evaluation levels where applicable. ENISA should be able to refuse a request by the ECCG. Such decisions should be taken by the Management Board and should be duly reasoned.

Art. 23 CSA - National Liaison Officers Network

Art. 24 CSA - Single programming document

Art. 25 CSA - Declaration of interests

Art. 26 CSA - Transparency

Art. 27 CSA - Confidentiality

Art. 28 CSA - Access to documents