@ansvar/eu-regulations-mcp 0.1.0

package/data/seed/cybersecurity-act.json

@@ -0,0 +1,534 @@
+{
+  "id": "CYBERSECURITY_ACT",
+  "full_name": "EU Cybersecurity Act",
+  "celex_id": "32019R0881",
+  "effective_date": "2019-06-27",
+  "eur_lex_url": "https://eur-lex.europa.eu/eli/reg/2016/679/oj",
+  "articles": [
+    {
+      "number": "1",
+      "title": "Subject matter and scope",
+      "text": "1.   With a view to ensuring the proper functioning of the internal market while aiming to achieve a high level of cybersecurity, cyber resilience and trust within the Union, this Regulation lays down:\n\n(a)\n\nobjectives, tasks and organisational matters relating to ENISA (the European Union Agency for Cybersecurity); and\n\n(b)\n\na framework for the establishment of European cybersecurity certification schemes for the purpose of ensuring an adequate level of cybersecurity for ICT products, ICT services and ICT processes in the Union, as well as for the purpose of avoiding the fragmentation of the internal market with regard to cybersecurity certification schemes in the Union.\n\nThe framework referred to in point (b) of the first subparagraph applies without prejudice to specific provisions in other Union legal acts regarding voluntary or mandatory certification.\n\n2.   This Regulation is without prejudice to the competences of the Member States regarding activities concerning public security, defence, national security and the activities of the State in areas of criminal law."
+    },
+    {
+      "number": "2",
+      "title": "Definitions",
+      "text": "For the purposes of this Regulation, the following definitions apply:\n\n(1)\n\n‘cybersecurity’ means the activities necessary to protect network and information systems, the users of such systems, and other persons affected by cyber threats;\n\n(2)\n\n‘network and information system’ means a network and information system as defined in point (1) of Article 4 of Directive (EU) 2016/1148;\n\n(3)\n\n‘national strategy on the security of network and information systems’ means a national strategy on the security of network and information systems as defined in point (3) of Article 4 of Directive (EU) 2016/1148;\n\n(4)\n\n‘operator of essential services’ means an operator of essential services as defined in point (4) of Article 4 of Directive (EU) 2016/1148;\n\n(5)\n\n‘digital service provider’ means a digital service provider as defined in point (6) of Article 4 of Directive (EU) 2016/1148;\n\n(6)\n\n‘incident’ means an incident as defined in point (7) of Article 4 of Directive (EU) 2016/1148;\n\n(7)\n\n‘incident handling’ means incident handling as defined in point (8) of Article 4 of Directive (EU) 2016/1148;\n\n(8)\n\n‘cyber threat’ means any potential circumstance, event or action that could damage, disrupt or otherwise adversely impact network and information systems, the users of such systems and other persons;\n\n(9)\n\n‘European cybersecurity certification scheme’ means a comprehensive set of rules, technical requirements, standards and procedures that are established at Union level and that apply to the certification or conformity assessment of specific ICT products, ICT services or ICT processes;\n\n(10)\n\n‘national cybersecurity certification scheme’ means a comprehensive set of rules, technical requirements, standards and procedures developed and adopted by a national public authority and that apply to the certification or conformity assessment of ICT products, ICT services and ICT processes falling under the scope of the specific scheme;\n\n(11)\n\n‘European cybersecurity certificate’ means a document issued by a relevant body, attesting that a given ICT product, ICT service or ICT process has been evaluated for compliance with specific security requirements laid down in a European cybersecurity certification scheme;\n\n(12)\n\n‘ICT product’ means an element or a group of elements of a network or information system;\n\n(13)\n\n‘ICT service’ means a service consisting fully or mainly in the transmission, storing, retrieving or processing of information by means of network and information systems;\n\n(14)\n\n‘ICT process’ means a set of activities performed to design, develop, deliver or maintain an ICT product or ICT service;\n\n(15)\n\n‘accreditation’ means accreditation as defined in point (10) of Article 2 of Regulation (EC) No 765/2008;\n\n(16)\n\n‘national accreditation body’ means a national accreditation body as defined in point (11) of Article 2 of Regulation (EC) No 765/2008;\n\n(17)\n\n‘conformity assessment’ means a conformity assessment as defined in point (12) of Article 2 of Regulation (EC) No 765/2008;\n\n(18)\n\n‘conformity assessment body’ means a conformity assessment body as defined in point (13) of Article 2 of Regulation (EC) No 765/2008;\n\n(19)\n\n‘standard’ means a standard as defined in point (1) of Article 2 of Regulation (EU) No 1025/2012;\n\n(20)\n\n‘technical specification’ means a document that prescribes the technical requirements to be met by, or conformity assessment procedures relating to, an ICT product, ICT service or ICT process;\n\n(21)\n\n‘assurance level’ means a basis for confidence that an ICT product, ICT service or ICT process meets the security requirements of a specific European cybersecurity certification scheme, indicates the level at which an ICT product, ICT service or ICT process has been evaluated but as such does not measure the security of the ICT product, ICT service or ICT process concerned;\n\n(22)\n\n‘conformity self-assessment’ means an action carried out by a manufacturer or provider of ICT products, ICT services or ICT processes, which evaluates whether those ICT products, ICT services or ICT processes meet the requirements of a specific European cybersecurity certification scheme.\n\nTITLE II\n\nENISA (THE EUROPEAN UNION AGENCY FOR CYBERSECURITY)\n\nMandate and objectives",
+      "chapter": "I"
+    },
+    {
+      "number": "3",
+      "title": "Mandate",
+      "text": "1.   ENISA shall carry out the tasks assigned to it under this Regulation for the purpose of achieving a high common level of cybersecurity across the Union, including by actively supporting Member States, Union institutions, bodies, offices and agencies in improving cybersecurity. ENISA shall act as a reference point for advice and expertise on cybersecurity for Union institutions, bodies, offices and agencies as well as for other relevant Union stakeholders.\n\nENISA shall contribute to reducing the fragmentation of the internal market by carrying out the tasks assigned to it under this Regulation.\n\n2.   ENISA shall carry out the tasks assigned to it by Union legal acts that set out measures for approximating Member State laws, regulations and administrative provisions which are related to cybersecurity.\n\n3.   When carrying out its tasks, ENISA shall act independently while avoiding the duplication of Member State activities and taking into consideration existing Member State expertise.\n\n4.   ENISA shall develop its own resources, including technical and human capabilities and skills, necessary to perform the tasks assigned to it under this Regulation.",
+      "chapter": "I"
+    },
+    {
+      "number": "4",
+      "title": "Objectives",
+      "text": "1.   ENISA shall be a centre of expertise on cybersecurity by virtue of its independence, the scientific and technical quality of the advice and assistance it delivers, the information it provides, the transparency of its operating procedures, the methods of operation, and its diligence in carrying out its tasks.\n\n2.   ENISA shall assist the Union institutions, bodies, offices and agencies, as well as Member States, in developing and implementing Union policies related to cybersecurity, including sectoral policies on cybersecurity.\n\n3.   ENISA shall support capacity-building and preparedness across the Union by assisting the Union institutions, bodies, offices and agencies, as well as Member States and public and private stakeholders, to increase the protection of their network and information systems, to develop and improve cyber resilience and response capacities, and to develop skills and competencies in the field of cybersecurity.\n\n4.   ENISA shall promote cooperation, including information sharing and coordination at Union level, among Member States, Union institutions, bodies, offices and agencies, and relevant private and public stakeholders on matters related to cybersecurity.\n\n5.   ENISA shall contribute to increasing cybersecurity capabilities at Union level in order to support the actions of Member States in preventing and responding to cyber threats, in particular in the event of cross-border incidents.\n\n6.   ENISA shall promote the use of European cybersecurity certification, with a view to avoiding the fragmentation of the internal market. ENISA shall contribute to the establishment and maintenance of a European cybersecurity certification framework in accordance with Title III of this Regulation, with a view to increasing the transparency of the cybersecurity of ICT products, ICT services and ICT processes, thereby strengthening trust in the digital internal market and its competitiveness.\n\n7.   ENISA shall promote a high level of cybersecurity awareness, including cyber-hygiene and cyber-literacy among citizens, organisations and businesses.\n\nTasks",
+      "chapter": "II"
+    },
+    {
+      "number": "5",
+      "title": "Development and implementation of Union policy and law",
+      "text": "ENISA shall contribute to the development and implementation of Union policy and law, by:\n\n(1)\n\nassisting and advising on the development and review of Union policy and law in the field of cybersecurity and on sector-specific policy and law initiatives where matters related to cybersecurity are involved, in particular by providing its independent opinion and analysis as well as carrying out preparatory work;\n\n(2)\n\nassisting Member States to implement the Union policy and law regarding cybersecurity consistently, in particular in relation to Directive (EU) 2016/1148, including by means of issuing opinions, guidelines, providing advice and best practices on topics such as risk management, incident reporting and information sharing, as well as by facilitating the exchange of best practices between competent authorities in that regard;\n\n(3)\n\nassisting Member States and Union institutions, bodies, offices and agencies in developing and promoting cybersecurity policies related to sustaining the general availability or integrity of the public core of the open internet;\n\n(4)\n\ncontributing to the work of the Cooperation Group pursuant to Article 11 of Directive (EU) 2016/1148, by providing its expertise and assistance;\n\n(5)\n\nsupporting:\n\n(a)\n\nthe development and implementation of Union policy in the field of electronic identity and trust services, in particular by providing advice and issuing technical guidelines, as well as by facilitating the exchange of best practices between competent authorities;\n\n(b)\n\nthe promotion of an enhanced level of security of electronic communications, including by providing advice and expertise, as well as by facilitating the exchange of best practices between competent authorities;\n\n(c)\n\nMember States in the implementation of specific cybersecurity aspects of Union policy and law relating to data protection and privacy, including by providing advice to the European Data Protection Board upon request;\n\n(6)\n\nsupporting the regular review of Union policy activities by preparing an annual report on the state of the implementation of the respective legal framework regarding:\n\n(a)\n\ninformation on Member States’ incident notifications provided by the single points of contact to the Cooperation Group pursuant to Article 10(3) of Directive (EU) 2016/1148;\n\n(b)\n\nsummaries of notifications of breach of security or loss of integrity received from trust service providers provided by the supervisory bodies to ENISA, pursuant to Article 19(3) of Regulation (EU) No 910/2014 of the European Parliament and of the Council (23);\n\n(c)\n\nnotifications of security incidents transmitted by the providers of public electronic communications networks or of publicly available electronic communications services, provided by the competent authorities to ENISA, pursuant to Article 40 of Directive (EU) 2018/1972.",
+      "chapter": "II"
+    },
+    {
+      "number": "6",
+      "title": "Capacity-building",
+      "text": "1.   ENISA shall assist:\n\n(a)\n\nMember States in their efforts to improve the prevention, detection and analysis of, and the capability to respond to cyber threats and incidents by providing them with knowledge and expertise;\n\n(b)\n\nMember States and Union institutions, bodies, offices and agencies in establishing and implementing vulnerability disclosure policies on a voluntary basis;\n\n(c)\n\nUnion institutions, bodies, offices and agencies in their efforts to improve the prevention, detection and analysis of cyber threats and incidents and to improve their capabilities to respond to such cyber threats and incidents, in particular through appropriate support for the CERT-EU;\n\n(d)\n\nMember States in developing national CSIRTs, where requested pursuant to Article 9(5) of Directive (EU) 2016/1148;\n\n(e)\n\nMember States in developing national strategies on the security of network and information systems, where requested pursuant to Article 7(2) of Directive (EU) 2016/1148, and promote the dissemination of those strategies and note the progress in their implementation across the Union in order to promote best practices;\n\n(f)\n\nUnion institutions in developing and reviewing Union strategies regarding cybersecurity, promoting their dissemination and tracking the progress in their implementation;\n\n(g)\n\nnational and Union CSIRTs in raising the level of their capabilities, including by promoting dialogue and exchanges of information, with a view to ensuring that, with regard to the state of the art, each CSIRT possesses a common set of minimum capabilities and operates according to best practices;\n\n(h)\n\nMember States by regularly organising the cybersecurity exercises at Union level referred to in Article 7(5) on at least a biennial basis and by making policy recommendations based on the evaluation process of the exercises and lessons learned from them;\n\n(i)\n\nrelevant public bodies by offering trainings regarding cybersecurity, where appropriate in cooperation with stakeholders;\n\n(j)\n\nthe Cooperation Group, in the exchange of best practices, in particular with regard to the identification by Member States of operators of essential services, pursuant to point (l) of Article 11(3) of Directive (EU) 2016/1148, including in relation to cross-border dependencies, regarding risks and incidents.\n\n2.   ENISA shall support information sharing in and between sectors, in particular in the sectors listed in Annex II to Directive (EU) 2016/1148, by providing best practices and guidance on available tools, procedures, as well as on how to address regulatory issues related to information-sharing.",
+      "chapter": "II"
+    },
+    {
+      "number": "7",
+      "title": "Operational cooperation at Union level",
+      "text": "1.   ENISA shall support operational cooperation among Member States, Union institutions, bodies, offices and agencies, and between stakeholders.\n\n2.   ENISA shall cooperate at the operational level and establish synergies with Union institutions, bodies, offices and agencies, including the CERT-EU, with the services dealing with cybercrime and with supervisory authorities dealing with the protection of privacy and personal data, with a view to addressing issues of common concern, including by means of:\n\n(a)\n\nthe exchange of know-how and best practices;\n\n(b)\n\nthe provision of advice and issuing of guidelines on relevant matters related to cybersecurity;\n\n(c)\n\nthe establishment of practical arrangements for the execution of specific tasks, after consulting the Commission.\n\n3.   ENISA shall provide the secretariat of the CSIRTs network pursuant to Article 12(2) of Directive (EU) 2016/1148, and in that capacity shall actively support the information sharing and the cooperation among its members.\n\n4.   ENISA shall support Member States with respect to operational cooperation within the CSIRTs network by:\n\n(a)\n\nadvising on how to improve their capabilities to prevent, detect and respond to incidents and, at the request of one or more Member States, providing advice in relation to a specific cyber threat;\n\n(b)\n\nassisting, at the request of one or more Member States, in the assessment of incidents having a significant or substantial impact through the provision of expertise and facilitating the technical handling of such incidents including in particular by supporting the voluntary sharing of relevant information and technical solutions between Member States;\n\n(c)\n\nanalysing vulnerabilities and incidents on the basis of publicly available information or information provided voluntarily by Member States for that purpose; and\n\n(d)\n\nat the request of one or more Member States, providing support in relation to ex-post technical inquiries regarding incidents having a significant or substantial impact within the meaning of Directive (EU) 2016/1148.\n\nIn performing those tasks, ENISA and CERT-EU shall engage in structured cooperation to benefit from synergies and to avoid the duplication of activities.\n\n5.   ENISA shall regularly organise cybersecurity exercises at Union level, and shall support Member States and Union institutions, bodies, offices and agencies in organising cybersecurity exercises following their requests. Such cybersecurity exercises at Union level may include technical, operational or strategic elements. On a biennial basis, ENISA shall organise a large-scale comprehensive exercise.\n\nWhere appropriate, ENISA shall also contribute to and help organise sectoral cybersecurity exercises together with relevant organisations that also participate in cybersecurity exercises at Union level.\n\n6.   ENISA, in close cooperation with the Member States, shall prepare a regular in-depth EU Cybersecurity Technical Situation Report on incidents and cyber threats based on publicly available information, its own analysis, and reports shared by, among others, the Member States’ CSIRTs or the single points of contact established by Directive (EU) 2016/1148, both on a voluntary basis, EC3 and CERT-EU.\n\n7.   ENISA shall contribute to developing a cooperative response at Union and Member States level to large-scale cross-border incidents or crises related to cybersecurity, mainly by:\n\n(a)\n\naggregating and analysing reports from national sources that are in the public domain or shared on a voluntary basis with a view to contributing to the establishment of common situational awareness;\n\n(b)\n\nensuring the efficient flow of information and the provision of escalation mechanisms between the CSIRTs network and the technical and political decision-makers at Union level;\n\n(c)\n\nupon request, facilitating the technical handling of such incidents or crises, including, in particular, by supporting the voluntary sharing of technical solutions between Member States;\n\n(d)\n\nsupporting Union institutions, bodies, offices and agencies and, at their request, Member States, in the public communication relating to such incidents or crises;\n\n(e)\n\ntesting the cooperation plans for responding to such incidents or crises at Union level and, at their request, supporting Member States in testing such plans at national level.",
+      "chapter": "II"
+    },
+    {
+      "number": "8",
+      "title": "Market, cybersecurity certification, and standardisation",
+      "text": "1.   ENISA shall support and promote the development and implementation of Union policy on cybersecurity certification of ICT products, ICT services and ICT processes, as established in Title III of this Regulation, by:\n\n(a)\n\nmonitoring developments, on an ongoing basis, in related areas of standardisation and recommending appropriate technical specifications for use in the development of European cybersecurity certification schemes pursuant to point (c) of Article 54(1) where standards are not available;\n\n(b)\n\npreparing candidate European cybersecurity certification schemes (‘candidate schemes’) for ICT products, ICT services and ICT processes in accordance with Article 49;\n\n(c)\n\nevaluating adopted European cybersecurity certification schemes in accordance with Article 49(8);\n\n(d)\n\nparticipating in peer reviews pursuant to Article 59(4);\n\n(e)\n\nassisting the Commission in providing the secretariat of the ECCG pursuant to Article 62(5).\n\n2.   ENISA shall provide the secretariat of the Stakeholder Cybersecurity Certification Group pursuant to Article 22(4).\n\n3.   ENISA shall compile and publish guidelines and develop good practices, concerning the cybersecurity requirements for ICT products, ICT services and ICT processes, in cooperation with national cybersecurity certification authorities and industry in a formal, structured and transparent way.\n\n4.   ENISA shall contribute to capacity-building related to evaluation and certification processes by compiling and issuing guidelines as well as by providing support to Member States at their request.\n\n5.   ENISA shall facilitate the establishment and take-up of European and international standards for risk management and for the security of ICT products, ICT services and ICT processes.\n\n6.   ENISA shall draw up, in collaboration with Member States and industry, advice and guidelines regarding the technical areas related to the security requirements for operators of essential services and digital service providers, as well as regarding already existing standards, including Member States’ national standards, pursuant to Article 19(2) of Directive (EU) 2016/1148.\n\n7.   ENISA shall perform and disseminate regular analyses of the main trends in the cybersecurity market on both the demand and supply sides, with a view to fostering the cybersecurity market in the Union.",
+      "chapter": "II"
+    },
+    {
+      "number": "9",
+      "title": "Knowledge and information",
+      "text": "ENISA shall:\n\n(a)\n\nperform analyses of emerging technologies and provide topic-specific assessments on the expected societal, legal, economic and regulatory impact of technological innovations on cybersecurity;\n\n(b)\n\nperform long-term strategic analyses of cyber threats and incidents in order to identify emerging trends and help prevent incidents;\n\n(c)\n\nin cooperation with experts from Member States authorities and relevant stakeholders, provide advice, guidance and best practices for the security of network and information systems, in particular for the security of the infrastructures supporting the sectors listed in Annex II to Directive (EU) 2016/1148 and those used by the providers of the digital services listed in Annex III to that Directive;\n\n(d)\n\nthrough a dedicated portal, pool, organise and make available to the public information on cybersecurity provided by the Union institutions, bodies, offices and agencies and information on cybersecurity provided on a voluntary basis by Member States and private and public stakeholders;\n\n(e)\n\ncollect and analyse publicly available information regarding significant incidents and compile reports with a view to providing guidance to citizens, organisations and businesses across the Union.",
+      "chapter": "II"
+    },
+    {
+      "number": "10",
+      "title": "Awareness-raising and education",
+      "text": "ENISA shall:\n\n(a)\n\nraise public awareness of cybersecurity risks, and provide guidance on good practices for individual users aimed at citizens, organisations and businesses, including cyber-hygiene and cyber-literacy;\n\n(b)\n\nin cooperation with the Member States, Union institutions, bodies, offices and agencies and industry, organise regular outreach campaigns to increase cybersecurity and its visibility in the Union and encourage a broad public debate;\n\n(c)\n\nassist Member States in their efforts to raise cybersecurity awareness and promote cybersecurity education;\n\n(d)\n\nsupport closer coordination and exchange of best practices among Member States on cybersecurity awareness and education.",
+      "chapter": "II"
+    },
+    {
+      "number": "11",
+      "title": "Research and innovation",
+      "text": "In relation to research and innovation, ENISA shall:\n\n(a)\n\nadvise the Union institutions, bodies, offices and agencies and the Member States on research needs and priorities in the field of cybersecurity, with a view to enabling effective responses to current and emerging risks and cyber threats, including with respect to new and emerging information and communications technologies, and with a view to using risk-prevention technologies effectively;\n\n(b)\n\nwhere the Commission has conferred the relevant powers on it, participate in the implementation phase of research and innovation funding programmes or as a beneficiary;\n\n(c)\n\ncontribute to the strategic research and innovation agenda at Union level in the field of cybersecurity.",
+      "chapter": "II"
+    },
+    {
+      "number": "12",
+      "title": "International cooperation",
+      "text": "ENISA shall contribute to the Union’s efforts to cooperate with third countries and international organisations as well as within relevant international cooperation frameworks to promote international cooperation on issues related to cybersecurity, by:\n\n(a)\n\nwhere appropriate, engaging as an observer in the organisation of international exercises, and analysing and reporting to the Management Board on the outcome of such exercises;\n\n(b)\n\nat the request of the Commission, facilitating the exchange of best practices;\n\n(c)\n\nat the request of the Commission, providing it with expertise;\n\n(d)\n\nproviding advice and support to the Commission on matters concerning agreements for the mutual recognition of cybersecurity certificates with third countries, in collaboration with the ECCG established under Article 62.\n\nOrganisation of ENISA",
+      "chapter": "III"
+    },
+    {
+      "number": "13",
+      "title": "Structure of ENISA",
+      "text": "The administrative and management structure of ENISA shall be composed of the following:\n\n(a)\n\na Management Board;\n\n(b)\n\nan Executive Board;\n\n(c)\n\nan Executive Director;\n\n(d)\n\nan ENISA Advisory Group;\n\n(e)\n\na National Liaison Officers Network.\n\nSection 1\n\nManagement Board",
+      "chapter": "III"
+    },
+    {
+      "number": "14",
+      "title": "Composition of the Management Board",
+      "text": "1.   The Management Board shall be composed of one member appointed by each Member State, and two members appointed by the Commission. All members shall have the right to vote.\n\n2.   Each member of the Management Board shall have an alternate. That alternate shall represent the member in the member’s absence.\n\n3.   Members of the Management Board and their alternates shall be appointed on the basis of their knowledge in the field of cybersecurity, taking into account their relevant managerial, administrative and budgetary skills. The Commission and the Member States shall make efforts to limit the turnover of their representatives on the Management Board, in order to ensure continuity of the Management Board’s work. The Commission and the Member States shall aim to achieve gender balance on the Management Board.\n\n4.   The term of office of the members of the Management Board and their alternates shall be four years. That term shall be renewable.",
+      "chapter": "III"
+    },
+    {
+      "number": "15",
+      "title": "Functions of the Management Board",
+      "text": "1.   The Management Board shall:\n\n(a)\n\nestablish the general direction of the operation of ENISA and ensure that ENISA operates in accordance with the rules and principles laid down in this Regulation; it shall also ensure the consistency of ENISA’s work with activities conducted by the Member States as well as at Union level;\n\n(b)\n\nadopt ENISA’s draft single programming document referred to in Article 24, before its submission to the Commission for an opinion;\n\n(c)\n\nadopt ENISA’s single programming document, taking into account the Commission opinion;\n\n(d)\n\nsupervise the implementation of the multiannual and annual programming included in the single programming document;\n\n(e)\n\nadopt the annual budget of ENISA and exercise other functions in respect of ENISA’s budget in accordance with Chapter IV;\n\n(f)\n\nassess and adopt the consolidated annual report on ENISA’s activities, including the accounts and a description of how ENISA has met its performance indicators, submit both the annual report and the assessment thereof by 1 July of the following year, to the European Parliament, to the Council, to the Commission and to the Court of Auditors, and make the annual report public;\n\n(g)\n\nadopt the financial rules applicable to ENISA in accordance with Article 32;\n\n(h)\n\nadopt an anti-fraud strategy that is proportionate to the fraud risks, having regard to a cost-benefit analysis of the measures to be implemented;\n\n(i)\n\nadopt rules for the prevention and management of conflicts of interest in respect of its members;\n\n(j)\n\nensure adequate follow-up to the findings and recommendations resulting from investigations of the European Anti-Fraud Office (OLAF) and the various internal or external audit reports and evaluations;\n\n(k)\n\nadopt its rules of procedure, including rules for provisional decisions on the delegation of specific tasks, pursuant to Article 19(7);\n\n(l)\n\nwith respect to the staff of ENISA, exercise the powers conferred by the Staff Regulations of Officials (the ‘Staff Regulations of Officials’) and the Conditions of Employment of Other Servants of the European Union (the ‘Conditions of Employment of Other Servants’), laid down in Council Regulation (EEC, Euratom, ECSC) No 259/68 (24) on the appointing authority and on the Authority Empowered to Conclude a Contract of Employment (‘appointing authority powers’) in accordance with paragraph 2 of this Article;\n\n(m)\n\nadopt rules implementing the Staff Regulations of Officials and the Conditions of Employment of Other Servants in accordance with the procedure provided for in Article 110 of the Staff Regulations of Officials;\n\n(n)\n\nappoint the Executive Director and where relevant extend his or her term of office or remove him or her from office in accordance with Article 36;\n\n(o)\n\nappoint an accounting officer, who may be the Commission’s accounting officer, who shall be wholly independent in the performance of his or her duties;\n\n(p)\n\ntake all decisions concerning the establishment of ENISA’s internal structures and, where necessary, the modification of those internal structures, taking into consideration ENISA’s activity needs and having regard to sound budgetary management;\n\n(q)\n\nauthorise the establishment of working arrangements with regard to Article 7;\n\n(r)\n\nauthorise the establishment or conclusion of working arrangements in accordance with Article 42.\n\n2.   In accordance with Article 110 of the Staff Regulations of Officials, the Management Board shall adopt a decision based on Article 2(1) of the Staff Regulations of Officials and Article 6 of the Conditions of Employment of Other Servants, delegating the relevant appointing authority powers to the Executive Director and determining the conditions under which that delegation of powers can be suspended. The Executive Director may sub-delegate those powers.\n\n3.   Where exceptional circumstances so require, the Management Board may adopt a decision to temporarily suspend the delegation of appointing authority powers to the Executive Director and any appointing authority powers sub-delegated by the Executive Director and instead exercise them itself or delegate them to one of its members or to a staff member other than the Executive Director.",
+      "chapter": "III"
+    },
+    {
+      "number": "16",
+      "title": "Chairperson of the Management Board",
+      "text": "The Management Board shall elect a Chairperson and a Deputy Chairperson from among its members, by a majority of two thirds of the members. Their terms of office shall be four years, which shall be renewable once. If, however, their membership of the Management Board ends at any time during their term of office, their term of office shall automatically expire on that date. The Deputy Chair shall replace the Chairperson ex officio if the Chairperson is unable to attend to his or her duties.",
+      "chapter": "III"
+    },
+    {
+      "number": "17",
+      "title": "Meetings of the Management Board",
+      "text": "1.   Meetings of the Management Board shall be convened by its Chairperson.\n\n2.   The Management Board shall hold at least two ordinary meetings a year. It shall also hold extraordinary meetings at the request of its Chairperson, at the request of the Commission, or at the request of at least one third of its members.\n\n3.   The Executive Director shall take part in the meetings of the Management Board but shall not have the right to vote.\n\n4.   Members of the ENISA Advisory Group may take part in the meetings of the Management Board at the invitation of the Chairperson, but shall not have the right to vote.\n\n5.   The members of the Management Board and their alternates may be assisted at the meetings of the Management Board by advisers or experts, subject to the rules of procedure of the Management Board.\n\n6.   ENISA shall provide the secretariat of the Management Board.",
+      "chapter": "III"
+    },
+    {
+      "number": "18",
+      "title": "Voting rules of the Management Board",
+      "text": "1.   The Management Board shall take its decisions by a majority of its members.\n\n2.   A majority of two-thirds of the members of the Management Board shall be required for the adoption of the single programming document and of the annual budget and for the appointment, extension of the term of office or removal of the Executive Director.\n\n3.   Each member shall have one vote. In the absence of a member, their alternate shall be entitled to exercise the member’s right to vote.\n\n4.   The Chairperson of the Management Board shall take part in the voting.\n\n5.   The Executive Director shall not take part in the voting.\n\n6.   The Management Board’s rules of procedure shall establish more detailed voting arrangements, in particular the circumstances in which a member may act on behalf of another member.\n\nSection 2\n\nExecutive Board",
+      "chapter": "III"
+    },
+    {
+      "number": "19",
+      "title": "Executive Board",
+      "text": "1.   The Management Board shall be assisted by an Executive Board.\n\n2.   The Executive Board shall:\n\n(a)\n\nprepare decisions to be adopted by the Management Board;\n\n(b)\n\ntogether with the Management Board, ensure the adequate follow-up to the findings and recommendations stemming from investigations of OLAF and the various internal or external audit reports and evaluations;\n\n(c)\n\nwithout prejudice to the responsibilities of the Executive Director set out in Article 20, assist and advise the Executive Director in implementing the decisions of the Management Board on administrative and budgetary matters pursuant to Article 20.\n\n3.   The Executive Board shall be composed of five members. The members of the Executive Board shall be appointed from among the members of the Management Board. One of the members shall be the Chairperson of the Management Board, who may also chair the Executive Board, and another shall be one of the representatives of the Commission. The appointments of the members of the Executive Board shall aim to ensure gender balance on the Executive Board. The Executive Director shall take part in the meetings of the Executive Board but shall not have the right to vote.\n\n4.   The term of office of the members of the Executive Board shall be four years. That term shall be renewable.\n\n5.   The Executive Board shall meet at least once every three months. The Chairperson of the Executive Board shall convene additional meetings at the request of its members.\n\n6.   The Management Board shall lay down the rules of procedure of the Executive Board.\n\n7.   When necessary because of urgency, the Executive Board may take certain provisional decisions on behalf of the Management Board, in particular on administrative management matters, including the suspension of the delegation of the appointing authority powers and budgetary matters. Any such provisional decisions shall be notified to the Management Board without undue delay. The Management Board shall then decide whether to approve or reject the provisional decision no later than three months after the decision was taken. The Executive Board shall not take decisions on behalf of the Management Board that require the approval of a majority of two-thirds of the members of the Management Board.\n\nSection 3\n\nExecutive Director",
+      "chapter": "III"
+    },
+    {
+      "number": "20",
+      "title": "Duties of the Executive Director",
+      "text": "1.   ENISA shall be managed by its Executive Director, who shall be independent in the performance of his or her duties. The Executive Director shall be accountable to the Management Board.\n\n2.   The Executive Director shall report to the European Parliament on the performance of his or her duties when invited to do so. The Council may invite the Executive Director to report on the performance of his or her duties.\n\n3.   The Executive Director shall be responsible for:\n\n(a)\n\nthe day-to-day administration of ENISA;\n\n(b)\n\nimplementing the decisions adopted by the Management Board;\n\n(c)\n\npreparing the draft single programming document and submitting it to the Management Board for approval before its submission to the Commission;\n\n(d)\n\nimplementing the single programming document and reporting to the Management Board thereon;\n\n(e)\n\npreparing the consolidated annual report on ENISA’s activities, including the implementation of ENISA’s annual work programme, and presenting it to the Management Board for assessment and adoption;\n\n(f)\n\npreparing an action plan that follows up on the conclusions of the retrospective evaluations, and reporting on progress every two years to the Commission;\n\n(g)\n\npreparing an action plan that follows up on the conclusions of internal or external audit reports, as well as on investigations by OLAF and reporting on progress biannually to the Commission and regularly to the Management Board;\n\n(h)\n\npreparing the draft financial rules applicable to ENISA as referred to in Article 32;\n\n(i)\n\npreparing ENISA’s draft statement of estimates of revenue and expenditure and implementing its budget;\n\n(j)\n\nprotecting the financial interests of the Union by the application of preventive measures against fraud, corruption and any other illegal activities, by effective checks and, if irregularities are detected, by the recovery of the amounts wrongly paid and, where appropriate, by effective, proportionate and dissuasive administrative and financial penalties;\n\n(k)\n\npreparing an anti-fraud strategy for ENISA and presenting it to the Management Board for approval;\n\n(l)\n\ndeveloping and maintaining contact with the business community and consumers’ organisations to ensure regular dialogue with relevant stakeholders;\n\n(m)\n\nexchanging views and information regularly with Union institutions, bodies, offices and agencies regarding their activities relating to cybersecurity to ensure coherence in the development and the implementation of Union policy;\n\n(n)\n\ncarrying out other tasks assigned to the Executive Director by this Regulation.\n\n4.   Where necessary and within ENISA’s objectives and tasks, the Executive Director may set up ad hoc working groups composed of experts, including experts from the Member States’ competent authorities. The Executive Director shall inform the Management Board in advance thereof. The procedures regarding in particular the composition of the working groups, the appointment of the experts of the working groups by the Executive Director and the operation of the working groups shall be specified in ENISA’s internal rules of operation.\n\n5.   Where necessary, for the purpose of carrying out ENISA’s tasks in an efficient and effective manner and based on an appropriate cost-benefit analysis, the Executive Director may decide to establish one or more local offices in one or more Member States. Before deciding to establish a local office, the Executive Director shall seek the opinion of the Member States concerned, including the Member State in which the seat of ENISA is located, and shall obtain the prior consent of the Commission and the Management Board. In cases of disagreement during the consultation process between the Executive Director and the Member States concerned, the issue shall be brought to the Council for discussion. The aggregate number of staff in all local offices shall be kept to a minimum and shall not exceed 40 % of the total number of ENISA’s staff located in the Member State in which the seat of ENISA is located. The number of the staff in each local office shall not exceed 10 % of the total number of ENISA’s staff located in the Member State in which the seat of ENISA is located.\n\nThe decision establishing a local office shall specify the scope of the activities to be carried out at the local office in a manner that avoids unnecessary costs and duplication of administrative functions of ENISA.\n\nSection 4\n\nENISA Advisory Group, Stakeholder Cybersecurity Certification Group and National Liaison Officers Network",
+      "chapter": "III"
+    },
+    {
+      "number": "21",
+      "title": "ENISA Advisory Group",
+      "text": "1.   The Management Board, acting on a proposal from the Executive Director, shall establish in a transparent manner the ENISA Advisory Group composed of recognised experts representing the relevant stakeholders, such as the ICT industry, providers of electronic communications networks or services available to the public, SMEs, operators of essential services, consumer groups, academic experts in the field of cybersecurity, and representatives of competent authorities notified in accordance with Directive (EU) 2018/1972, of European standardisation organisations, as well as of law enforcement and data protection supervisory authorities. The Management Board shall aim to ensure an appropriate gender and geographical balance as well as a balance between the different stakeholder groups.\n\n2.   Procedures for the ENISA Advisory Group, in particular regarding its composition, the proposal by the Executive Director referred to in paragraph 1, the number and appointment of its members and the operation of the ENISA Advisory Group, shall be specified in ENISA’s internal rules of operation and shall be made public.\n\n3.   The ENISA Advisory Group shall be chaired by the Executive Director or by any person whom the Executive Director appoints on a case-by-case basis.\n\n4.   The term of office of the members of the ENISA Advisory Group shall be two-and-a-half years. Members of the Management Board shall not be members of the ENISA Advisory Group. Experts from the Commission and the Member States shall be entitled to be present at the meetings of the ENISA Advisory Group and to participate in its work. Representatives of other bodies deemed to be relevant by the Executive Director, who are not members of the ENISA Advisory Group, may be invited to attend the meetings of the ENISA Advisory Group and to participate in its work.\n\n5.   The ENISA Advisory Group shall advise ENISA in respect of the performance of ENISA’s tasks, except of the application of the provisions of Title III of this Regulation. It shall in particular advise the Executive Director on the drawing up of a proposal for ENISA’s annual work programme, and on ensuring communication with the relevant stakeholders on issues related to the annual work programme.\n\n6.   The ENISA Advisory Group shall inform the Management Board of its activities on a regular basis.",
+      "chapter": "III"
+    },
+    {
+      "number": "22",
+      "title": "Stakeholder Cybersecurity Certification Group",
+      "text": "1.   The Stakeholder Cybersecurity Certification Group shall be established.\n\n2.   The Stakeholder Cybersecurity Certification Group shall be composed of members selected from among recognised experts representing the relevant stakeholders. The Commission, following a transparent and open call, shall select, on the basis of a proposal from ENISA, members of the Stakeholder Cybersecurity Certification Group ensuring a balance between the different stakeholder groups as well as an appropriate gender and geographical balance.\n\n3.   The Stakeholder Cybersecurity Certification Group shall:\n\n(a)\n\nadvise the Commission on strategic issues regarding the European cybersecurity certification framework;\n\n(b)\n\nupon request, advise ENISA on general and strategic matters concerning ENISA’s tasks relating to market, cybersecurity certification, and standardisation;\n\n(c)\n\nassist the Commission in the preparation of the Union rolling work programme referred to in Article 47;\n\n(d)\n\nissue an opinion on the Union rolling work programme pursuant to Article 47(4); and\n\n(e)\n\nin urgent cases, provide advice to the Commission and the ECCG on the need for additional certification schemes not included in the Union rolling work programme, as outlined in Articles 47 and 48.\n\n4.   The Stakeholder Certification Group shall be co-chaired by the representatives of the Commission and of ENISA, and its secretariat shall be provided by ENISA.",
+      "chapter": "III"
+    },
+    {
+      "number": "23",
+      "title": "National Liaison Officers Network",
+      "text": "1.   The Management Board, acting on a proposal from the Executive Director, shall set up a National Liaison Officers Network composed of representatives of all Member States (National Liaison Officers). Each Member State shall appoint one representative to the National Liaison Officers Network. The meetings of the National Liaison Officers Network may be held in different expert formations.\n\n2.   The National Liaison Officers Network shall in particular facilitate the exchange of information between ENISA and the Member States, and shall support ENISA in disseminating its activities, findings and recommendations to the relevant stakeholders across the Union.\n\n3.   National Liaison Officers shall act as a point of contact at national level to facilitate cooperation between ENISA and national experts in the context of the implementation of ENISA’s annual work programme.\n\n4.   While National Liaison Officers shall cooperate closely with the Management Board representatives of their respective Member States, the National Liaisons Officers Network itself shall not duplicate the work of the Management Board or of other Union forums.\n\n5.   The functions and procedures of the National Liaisons Officers Network shall be specified in ENISA’s internal rules of operation and shall be made public.\n\nSection 5\n\nOperation",
+      "chapter": "III"
+    },
+    {
+      "number": "24",
+      "title": "Single programming document",
+      "text": "1.   ENISA shall operate in accordance with a single programming document containing its annual and multiannual programming, which shall include all of its planned activities.\n\n2.   Each year, the Executive Director shall draw up a draft single programming document containing its annual and multiannual programming with the corresponding financial and human resources planning in accordance with Article 32 of Commission Delegated Regulation (EU) No 1271/2013 (25) and taking into account the guidelines set by the Commission.\n\n3.   By 30 November each year, the Management Board shall adopt the single programming document referred to in paragraph 1 and shall transmit it to the European Parliament, to the Council and to the Commission by 31 January of the following year, as well as any subsequently updated versions of that document.\n\n4.   The single programming document shall become final after the definitive adoption of the general budget of the Union and shall be adjusted as necessary.\n\n5.   The annual work programme shall comprise detailed objectives and expected results including performance indicators. It shall also contain a description of the actions to be financed and an indication of the financial and human resources allocated to each action, in accordance with the principles of activity-based budgeting and management. The annual work programme shall be coherent with the multiannual work programme referred to in paragraph 7. It shall clearly indicate tasks that have been added, changed or deleted in comparison with the previous financial year.\n\n6.   The Management Board shall amend the adopted annual work programme when a new task is assigned to ENISA. Any substantial amendments to the annual work programme shall be adopted by the same procedure as for the initial annual work programme. The Management Board may delegate the power to make non-substantial amendments to the annual work programme to the Executive Director.\n\n7.   The multiannual work programme shall set out the overall strategic programming including objectives, expected results and performance indicators. It shall also set out the resource programming including multi-annual budget and staff.\n\n8.   The resource programming shall be updated annually. The strategic programming shall be updated where appropriate and in particular where necessary to address the outcome of the evaluation referred to in Article 67.",
+      "chapter": "III"
+    },
+    {
+      "number": "25",
+      "title": "Declaration of interests",
+      "text": "1.   Members of the Management Board, the Executive Director, and officials seconded by Member States on a temporary basis, shall each make a declaration of commitments and a declaration indicating the absence or presence of any direct or indirect interest which might be considered to be prejudicial to their independence. The declarations shall be accurate and complete, shall be made annually in writing, and shall be updated whenever necessary.\n\n2.   Members of the Management Board, the Executive Director, and external experts participating in ad hoc working groups, shall each accurately and completely declare, at the latest at the start of each meeting, any interest which might be considered to be prejudicial to their independence in relation to the items on the agenda, and shall abstain from participating in the discussion of and voting on such items.\n\n3.   ENISA shall lay down, in its internal rules of operation, the practical arrangements for the rules on declarations of interest referred to in paragraphs 1 and 2.",
+      "chapter": "III"
+    },
+    {
+      "number": "26",
+      "title": "Transparency",
+      "text": "1.   ENISA shall carry out its activities with a high level of transparency and in accordance with Article 28.\n\n2.   ENISA shall ensure that the public and any interested parties are provided with appropriate, objective, reliable and easily accessible information, in particular with regard to the results of its work. It shall also make public the declarations of interest made in accordance with Article 25.\n\n3.   The Management Board, acting on a proposal from the Executive Director, may authorise interested parties to observe the proceedings of some of ENISA’s activities.\n\n4.   ENISA shall lay down, in its internal rules of operation, the practical arrangements for implementing the transparency rules referred to in paragraphs 1 and 2.",
+      "chapter": "III"
+    },
+    {
+      "number": "27",
+      "title": "Confidentiality",
+      "text": "1.   Without prejudice to Article 28, ENISA shall not divulge to third parties information that it processes or receives in relation to which a reasoned request for confidential treatment has been made.\n\n2.   Members of the Management Board, the Executive Director, the members of the ENISA Advisory Group, external experts participating in ad hoc working groups, and members of the staff of ENISA, including officials seconded by Member States on a temporary basis, shall comply with the confidentiality requirements of Article 339 TFEU, even after their duties have ceased.\n\n3.   ENISA shall lay down, in its internal rules of operation, the practical arrangements for implementing the confidentiality rules referred to in paragraphs 1 and 2.\n\n4.   If required for the performance of ENISA’s tasks, the Management Board shall decide to allow ENISA to handle classified information. In that case ENISA, in agreement with the Commission services, shall adopt security rules applying the security principles set out in Commission Decisions (EU, Euratom) 2015/443 (26) and 2015/444 (27). Those security rules shall include provisions for the exchange, processing and storage of classified information.",
+      "chapter": "III"
+    },
+    {
+      "number": "28",
+      "title": "Access to documents",
+      "text": "1.   Regulation (EC) No 1049/2001 shall apply to documents held by ENISA.\n\n2.   The Management Board shall adopt arrangements for implementing Regulation (EC) No 1049/2001 by 28 December 2019.\n\n3.   Decisions taken by ENISA pursuant to Article 8 of Regulation (EC) No 1049/2001 may be the subject of a complaint to the European Ombudsman under Article 228 TFEU or of an action before the Court of Justice of the European Union under Article 263 TFEU.\n\nEstablishment and structure of ENISA’s budget",
+      "chapter": "IV"
+    },
+    {
+      "number": "29",
+      "title": "Establishment of ENISA’s budget",
+      "text": "1.   Each year, the Executive Director shall draw up a draft statement of estimates of ENISA’s revenue and expenditure for the following financial year, and shall transmit it to the Management Board, together with a draft establishment plan. Revenue and expenditure shall be in balance.\n\n2.   Each year the Management Board, on the basis of the draft statement of estimates, shall produce a statement of estimates of ENISA’s revenue and expenditure for the following financial year.\n\n3.   The Management Board, by 31 January each year, shall send the statement of estimates, which shall be part of the draft single programming document, to the Commission and the third countries with which the Union has concluded agreements as referred to in Article 42(2).\n\n4.   On the basis of the statement of estimates, the Commission shall enter in the draft general budget of the Union the estimates it deems to be necessary for the establishment plan and the amount of the contribution to be charged to the general budget of the Union, which it shall submit to the European Parliament and to the Council in accordance with Article 314 TFEU.\n\n5.   The European Parliament and the Council shall authorise the appropriations for the contribution from the Union to ENISA.\n\n6.   The European Parliament and the Council shall adopt ENISA’s establishment plan.\n\n7.   The Management Board shall adopt ENISA’s budget together with the single programming document. ENISA’s budget shall become final following the definitive adoption of the general budget of the Union. Where necessary, the Management Board shall adjust ENISA’s budget and single programming document in accordance with the general budget of the Union.",
+      "chapter": "IV"
+    },
+    {
+      "number": "30",
+      "title": "Structure of ENISA’s budget",
+      "text": "1.   Without prejudice to other resources, ENISA’s revenue shall be composed of:\n\n(a)\n\na contribution from the general budget of the Union;\n\n(b)\n\nrevenue assigned to specific items of expenditure in accordance with its financial rules referred to in Article 32;\n\n(c)\n\nUnion funding in the form of delegation agreements or ad hoc grants in accordance with its financial rules referred to in Article 32 and with the provisions of the relevant instruments supporting the policies of the Union;\n\n(d)\n\ncontributions from third countries participating in the work of ENISA as referred to in Article 42;\n\n(e)\n\nany voluntary contributions from Member States in money or in kind.\n\nMember States that provide voluntary contributions under point (e) of the first subparagraph shall not claim any specific right or service as a result thereof.\n\n2.   The expenditure of ENISA shall include staff, administrative and technical support, infrastructure and operational expenses, and expenses resulting from contracts with third parties.",
+      "chapter": "IV"
+    },
+    {
+      "number": "31",
+      "title": "Implementation of ENISA’s budget",
+      "text": "1.   The Executive Director shall be responsible for the implementation of ENISA’s budget.\n\n2.   The Commission’s internal auditor shall exercise the same powers over ENISA as over Commission departments.\n\n3.   ENISA’s accounting officer shall send the provisional accounts for the financial year (year N) to the Commission’s accounting officer and to the Court of Auditors by 1 March of the following financial year (year N + 1).\n\n4.   Upon the receipt of the Court of Auditors’ observations on ENISA’s provisional accounts pursuant to Article 246 of Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council (28), ENISA’s accounting officer shall draw up ENISA’s final accounts under his or her responsibility and shall submit them to the Management Board for an opinion.\n\n5.   The Management Board shall deliver an opinion on ENISA’s final accounts.\n\n6.   By 31 March of year N + 1, the Executive Director shall transmit the report on the budgetary and financial management to the European Parliament, to the Council, to the Commission and to the Court of Auditors.\n\n7.   By 1 July of year N + 1, ENISA’s accounting officer shall transmit ENISA’s final accounts to the European Parliament, to the Council, to the Commission’s accounting officer and to the Court of Auditors, together with the Management Board’s opinion.\n\n8.   At the same date as the transmission of ENISA’s final accounts, ENISA’s accounting officer shall also send to the Court of Auditors a representation letter covering those final accounts, with a copy to the Commission’s accounting officer.\n\n9.   By 15 November of year N + 1, the Executive Director shall publish ENISA’s final accounts in the Official Journal of the European Union.\n\n10.   By 30 September of year N + 1, the Executive Director shall send the Court of Auditors a reply to its observations and shall also send a copy of that reply to the Management Board and to the Commission.\n\n11.   The Executive Director shall submit to the European Parliament, at the latter’s request, any information required for the smooth application of the discharge procedure for the financial year concerned in accordance with Article 261(3) of Regulation (EU, Euratom) 2018/1046.\n\n12.   On a recommendation from the Council, the European Parliament shall, before 15 May of year N + 2, give a discharge to the Executive Director in respect of the implementation of the budget for the year N.",
+      "chapter": "IV"
+    },
+    {
+      "number": "32",
+      "title": "Financial rules",
+      "text": "The financial rules applicable to ENISA shall be adopted by the Management Board after consulting the Commission. They shall not depart from Delegated Regulation (EU) No 1271/2013 unless such a departure is specifically required for the operation of ENISA and the Commission has given its prior consent.",
+      "chapter": "IV"
+    },
+    {
+      "number": "33",
+      "title": "Combating fraud",
+      "text": "1.   In order to facilitate the combating of fraud, corruption and other unlawful activities under Regulation (EU, Euratom) No 883/2013 of the European Parliament and of the Council (29), ENISA shall by 28 December 2019, accede to the Interinstitutional Agreement of 25 May 1999 between the European Parliament, the Council of the European Union and the Commission of the European Communities concerning internal investigations by the European Anti-Fraud Office (OLAF) (30). ENISA shall adopt appropriate provisions applicable to all employees of ENISA, using the template set out in the Annex to that Agreement.\n\n2.   The Court of Auditors shall have the power of audit, on the basis of documents and of on-the-spot inspections, over all grant beneficiaries, contractors and subcontractors who have received Union funds from ENISA.\n\n3.   OLAF may carry out investigations, including on-the-spot checks and inspections, in accordance with the provisions and procedures laid down in Regulation (EU, Euratom) No 883/2013 and Council Regulation (Euratom, EC) No 2185/96 (31), with a view to establishing whether there has been fraud, corruption or any other illegal activity affecting the financial interests of the Union in connection with a grant or a contract funded by ENISA.\n\n4.   Without prejudice to paragraphs 1, 2 and 3, cooperation agreements with third countries or international organisations, contracts, grant agreements and grant decisions of ENISA shall contain provisions expressly empowering the Court of Auditors and OLAF to conduct such audits and investigations, according to their respective competences.\n\nStaff",
+      "chapter": "V"
+    },
+    {
+      "number": "34",
+      "title": "General provisions",
+      "text": "The Staff Regulations of Officials and the Conditions of Employment of Other Servants, as well as the rules adopted by agreement between the Union institutions for giving effect to the Staff Regulations of Officials and the Conditions of Employment of Other Servants shall apply to the staff of ENISA.",
+      "chapter": "V"
+    },
+    {
+      "number": "35",
+      "title": "Privileges and immunity",
+      "text": "Protocol No 7 on the privileges and immunities of the European Union, annexed to the TEU and to the TFEU, shall apply to ENISA and its staff.",
+      "chapter": "V"
+    },
+    {
+      "number": "36",
+      "title": "Executive Director",
+      "text": "1.   The Executive Director shall be engaged as a temporary agent of ENISA under point (a) of Article 2 of the Conditions of Employment of Other Servants.\n\n2.   The Executive Director shall be appointed by the Management Board from a list of candidates proposed by the Commission, following an open and transparent selection procedure.\n\n3.   For the purpose of concluding the employment contract with the Executive Director, ENISA shall be represented by the Chairperson of the Management Board.\n\n4.   Before appointment, the candidate selected by the Management Board shall be invited to make a statement before the relevant committee of the European Parliament and to answer Members’ questions.\n\n5.   The term of office of the Executive Director shall be five years. By the end of that period, the Commission shall carry out an assessment of the performance of the Executive Director and ENISA’s future tasks and challenges.\n\n6.   The Management Board shall reach decisions on appointment, extension of the term of office or removal from office of the Executive Director in accordance with Article 18(2).\n\n7.   The Management Board, acting on a proposal from the Commission which takes into account the assessment referred to in paragraph 5, may extend the term of office of the Executive Director once by five years.\n\n8.   The Management Board shall inform the European Parliament about its intention to extend the Executive Director’s term of office. Within three months before any such extension, the Executive Director, if invited, shall make a statement before the relevant committee of the European Parliament and answer Members’ questions.\n\n9.   An Executive Director whose term of office has been extended shall not participate in another selection procedure for the same post.\n\n10.   The Executive Director may be removed from office only by decision of the Management Board acting on a proposal from the Commission.",
+      "chapter": "V"
+    },
+    {
+      "number": "37",
+      "title": "Seconded national experts and other staff",
+      "text": "1.   ENISA may make use of seconded national experts or other staff not employed by ENISA. The Staff Regulations of Officials and the Conditions of Employment of Other Servants shall not apply to such staff.\n\n2.   The Management Board shall adopt a decision laying down rules on the secondment of national experts to ENISA.\n\nGeneral provisions concerning ENISA",
+      "chapter": "VI"
+    },
+    {
+      "number": "38",
+      "title": "Legal status of ENISA",
+      "text": "1.   ENISA shall be a body of the Union and shall have legal personality.\n\n2.   In each Member State ENISA shall enjoy the most extensive legal capacity accorded to legal persons under national law. It may, in particular, acquire or dispose of movable and immovable property and be a party to legal proceedings.\n\n3.   ENISA shall be represented by the Executive Director.",
+      "chapter": "VI"
+    },
+    {
+      "number": "39",
+      "title": "Liability of ENISA",
+      "text": "1.   The contractual liability of ENISA shall be governed by the law applicable to the contract in question.\n\n2.   The Court of Justice of the European Union shall have jurisdiction to give judgment pursuant to any arbitration clause contained in a contract concluded by ENISA.\n\n3.   In the case of non-contractual liability, ENISA shall make good any damage caused by it or its staff in the performance of their duties, in accordance with the general principles common to the laws of the Member States.\n\n4.   The Court of Justice of the European Union shall have jurisdiction in any dispute over compensation for damage as referred to in paragraph 3.\n\n5.   The personal liability of ENISA’s staff towards ENISA shall be governed by the relevant conditions applying to ENISA’s staff.",
+      "chapter": "VI"
+    },
+    {
+      "number": "40",
+      "title": "Language arrangements",
+      "text": "1.   Council Regulation No 1 (32) shall apply to ENISA. The Member States and the other bodies appointed by the Member States may address ENISA and receive a reply in the official language of the institutions of the Union that they choose.\n\n2.   The translation services required for the functioning of ENISA shall be provided by the Translation Centre for the Bodies of the European Union.",
+      "chapter": "VI"
+    },
+    {
+      "number": "41",
+      "title": "Protection of personal data",
+      "text": "1.   The processing of personal data by ENISA shall be subject to Regulation (EU) 2018/1725.\n\n2.   The Management Board shall adopt implementing rules as referred to in Article 45(3) of Regulation (EU) 2018/1725. The Management Board may adopt additional measures necessary for the application of Regulation (EU) 2018/1725 by ENISA.",
+      "chapter": "VI"
+    },
+    {
+      "number": "42",
+      "title": "Cooperation with third countries and international organisations",
+      "text": "1.   To the extent necessary in order to achieve the objectives set out in this Regulation, ENISA may cooperate with the competent authorities of third countries or with international organisations or both. To that end, ENISA may establish working arrangements with the authorities of third countries and international organisations, subject to the prior approval of the Commission. Those working arrangements shall not create legal obligations incumbent on the Union and its Member States.\n\n2.   ENISA shall be open to the participation of third countries that have concluded agreements with the Union to that effect. Under the relevant provisions of such agreements, working arrangements shall be established specifying in particular the nature, extent and manner in which those third countries are to participate in ENISA’s work, and shall include provisions relating to participation in the initiatives undertaken by ENISA, to financial contributions and to staff. As regards staff matters, those working arrangements shall comply with the Staff Regulations of Officials and Conditions of Employment of Other Servants in any event.\n\n3.   The Management Board shall adopt a strategy for relations with third countries and international organisations concerning matters for which ENISA is competent. The Commission shall ensure that ENISA operates within its mandate and the existing institutional framework by concluding appropriate working arrangements with the Executive Director.",
+      "chapter": "VI"
+    },
+    {
+      "number": "43",
+      "title": "Security rules on the protection of sensitive non-classified information and classified information",
+      "text": "After consulting the Commission, ENISA shall adopt security rules applying the security principles contained in the Commission’s security rules for protecting sensitive non-classified information and EUCI, as set out in Decisions (EU, Euratom) 2015/443 and 2015/444. ENISA’s security rules shall include provisions for the exchange, processing and storage of such information.",
+      "chapter": "VI"
+    },
+    {
+      "number": "44",
+      "title": "Headquarters Agreement and operating conditions",
+      "text": "1.   The necessary arrangements concerning the accommodation to be provided for ENISA in the host Member State and the facilities to be made available by that Member State together with the specific rules applicable in the host Member State to the Executive Director, members of the Management Board, ENISA’s staff and members of their families shall be laid down in a headquarters agreement between ENISA and the host Member State, concluded after obtaining the approval of the Management Board.\n\n2.   ENISA’s host Member State shall provide the best possible conditions for ensuring the proper functioning of ENISA, taking into account the accessibility of the location, the existence of adequate education facilities for the children of staff members, appropriate access to the labour market, social security and medical care for both children and spouses of staff members.",
+      "chapter": "VI"
+    },
+    {
+      "number": "45",
+      "title": "Administrative control",
+      "text": "The operations of ENISA shall be supervised by the European Ombudsman in accordance with Article 228 TFEU.\n\nTITLE III\n\nCYBERSECURITY CERTIFICATION FRAMEWORK",
+      "chapter": "VI"
+    },
+    {
+      "number": "46",
+      "title": "European cybersecurity certification framework",
+      "text": "1.   The European cybersecurity certification framework shall be established in order to improve the conditions for the functioning of the internal market by increasing the level of cybersecurity within the Union and enabling a harmonised approach at Union level to European cybersecurity certification schemes, with a view to creating a digital single market for ICT products, ICT services and ICT processes.\n\n2.   The European cybersecurity certification framework shall provide for a mechanism to establish European cybersecurity certification schemes and to attest that the ICT products, ICT services and ICT processes that have been evaluated in accordance with such schemes comply with specified security requirements for the purpose of protecting the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the functions or services offered by, or accessible via, those products, services and processes throughout their life cycle.",
+      "chapter": "VI"
+    },
+    {
+      "number": "47",
+      "title": "The Union rolling work programme for European cybersecurity certification",
+      "text": "1.   The Commission shall publish a Union rolling work programme for European cybersecurity certification (the ‘Union rolling work programme’) that shall identify strategic priorities for future European cybersecurity certification schemes.\n\n2.   The Union rolling work programme shall in particular include a list of ICT products, ICT services and ICT processes or categories thereof that are capable of benefiting from being included in the scope of a European cybersecurity certification scheme.\n\n3.   Inclusion of specific ICT products, ICT services and ICT processes or categories thereof in the Union rolling work programme shall be justified on the basis of one or more of the following grounds:\n\n(a)\n\nthe availability and the development of national cybersecurity certification schemes covering a specific category of ICT products, ICT services or ICT processes and, in particular, as regards the risk of fragmentation;\n\n(b)\n\nrelevant Union or Member State law or policy;\n\n(c)\n\nmarket demand;\n\n(d)\n\ndevelopments in the cyber threat landscape;\n\n(e)\n\nrequest for the preparation of a specific candidate scheme by the ECCG.\n\n4.   The Commission shall take due account of the opinions issued by the ECCG and the Stakeholder Certification Group on the draft Union rolling work programme.\n\n5.   The first Union rolling work programme shall be published by 28 June 2020. The Union rolling work programme shall be updated at least once every three years and more often if necessary.",
+      "chapter": "VI"
+    },
+    {
+      "number": "48",
+      "title": "Request for a European cybersecurity certification scheme",
+      "text": "1.   The Commission may request ENISA to prepare a candidate scheme or to review an existing European cybersecurity certification scheme on the basis of the Union rolling work programme.\n\n2.   In duly justified cases, the Commission or the ECCG may request ENISA to prepare a candidate scheme or to review an existing European cybersecurity certification scheme which is not included in the Union rolling work programme. The Union rolling work programme shall be updated accordingly.",
+      "chapter": "VI"
+    },
+    {
+      "number": "49",
+      "title": "Preparation, adoption and review of a European cybersecurity certification scheme",
+      "text": "1.   Following a request from the Commission pursuant to Article 48, ENISA shall prepare a candidate scheme which meets the requirements set out in Articles 51, 52 and 54.\n\n2.   Following a request from the ECCG pursuant to Article 48(2), ENISA may prepare a candidate scheme which meets the requirements set out in Articles 51, 52 and 54. If ENISA refuses such a request, it shall give reasons for its refusal. Any decision to refuse such a request shall be taken by the Management Board.\n\n3.   When preparing a candidate scheme, ENISA shall consult all relevant stakeholders by means of a formal, open, transparent and inclusive consultation process.\n\n4.   For each candidate scheme, ENISA shall establish an ad hoc working group in accordance with Article 20(4) for the purpose of providing ENISA with specific advice and expertise.\n\n5.   ENISA shall closely cooperate with the ECCG. The ECCG shall provide ENISA with assistance and expert advice in relation to the preparation of the candidate scheme and shall adopt an opinion on the candidate scheme.\n\n6.   ENISA shall take utmost account of the opinion of the ECCG before transmitting the candidate scheme prepared in accordance with paragraphs 3, 4 and 5 to the Commission. The opinion of the ECCG shall not bind ENISA, nor shall the absence of such an opinion prevent ENISA from transmitting the candidate scheme to the Commission.\n\n7.   The Commission, based on the candidate scheme prepared by ENISA, may adopt implementing acts providing for a European cybersecurity certification scheme for ICT products, ICT services and ICT processes which meets the requirements set out in Articles 51, 52 and 54. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 66(2).\n\n8.   At least every five years, ENISA shall evaluate each adopted European cybersecurity certification scheme, taking into account the feedback received from interested parties. If necessary, the Commission or the ECCG may request ENISA to start the process of developing a revised candidate scheme in accordance with Article 48 and this Article.",
+      "chapter": "VI"
+    },
+    {
+      "number": "50",
+      "title": "Website on European cybersecurity certification schemes",
+      "text": "1.   ENISA shall maintain a dedicated website providing information on, and publicising, European cybersecurity certification schemes, European cybersecurity certificates and EU statements of conformity, including information with regard to European cybersecurity certification schemes which are no longer valid, to withdrawn and expired European cybersecurity certificates and EU statements of conformity, and to the repository of links to cybersecurity information provided in accordance with Article 55.\n\n2.   Where applicable, the website referred to in paragraph 1 shall also indicate the national cybersecurity certification schemes that have been replaced by a European cybersecurity certification scheme.",
+      "chapter": "VI"
+    },
+    {
+      "number": "51",
+      "title": "Security objectives of European cybersecurity certification schemes",
+      "text": "A European cybersecurity certification scheme shall be designed to achieve, as applicable, at least the following security objectives:\n\n(a)\n\nto protect stored, transmitted or otherwise processed data against accidental or unauthorised storage, processing, access or disclosure during the entire life cycle of the ICT product, ICT service or ICT process;\n\n(b)\n\nto protect stored, transmitted or otherwise processed data against accidental or unauthorised destruction, loss or alteration or lack of availability during the entire life cycle of the ICT product, ICT service or ICT process;\n\n(c)\n\nthat authorised persons, programs or machines are able only to access the data, services or functions to which their access rights refer;\n\n(d)\n\nto identify and document known dependencies and vulnerabilities;\n\n(e)\n\nto record which data, services or functions have been accessed, used or otherwise processed, at what times and by whom;\n\n(f)\n\nto make it possible to check which data, services or functions have been accessed, used or otherwise processed, at what times and by whom;\n\n(g)\n\nto verify that ICT products, ICT services and ICT processes do not contain known vulnerabilities;\n\n(h)\n\nto restore the availability and access to data, services and functions in a timely manner in the event of a physical or technical incident;\n\n(i)\n\nthat ICT products, ICT services and ICT processes are secure by default and by design;\n\n(j)\n\nthat ICT products, ICT services and ICT processes are provided with up-to-date software and hardware that do not contain publicly known vulnerabilities, and are provided with mechanisms for secure updates.",
+      "chapter": "VI"
+    },
+    {
+      "number": "52",
+      "title": "Assurance levels of European cybersecurity certification schemes",
+      "text": "1.   A European cybersecurity certification scheme may specify one or more of the following assurance levels for ICT products, ICT services and ICT processes: ‘basic’, ‘substantial’ or ‘high’. The assurance level shall be commensurate with the level of the risk associated with the intended use of the ICT product, ICT service or ICT process, in terms of the probability and impact of an incident.\n\n2.   European cybersecurity certificates and EU statements of conformity shall refer to any assurance level specified in the European cybersecurity certification scheme under which the European cybersecurity certificate or EU statement of conformity is issued.\n\n3.   The security requirements corresponding to each assurance level shall be provided in the relevant European cybersecurity certification scheme, including the corresponding security functionalities and the corresponding rigour and depth of the evaluation that the ICT product, ICT service or ICT process is to undergo.\n\n4.   The certificate or the EU statement of conformity shall refer to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to decrease the risk of, or to prevent cybersecurity incidents.\n\n5.   A European cybersecurity certificate or EU statement of conformity that refers to assurance level ‘basic’ shall provide assurance that the ICT products, ICT services and ICT processes for which that certificate or that EU statement of conformity is issued meet the corresponding security requirements, including security functionalities, and that they have been evaluated at a level intended to minimise the known basic risks of incidents and cyberattacks. The evaluation activities to be undertaken shall include at least a review of technical documentation. Where such a review is not appropriate, substitute evaluation activities with equivalent effect shall be undertaken.\n\n6.   A European cybersecurity certificate that refers to assurance level ‘substantial’ shall provide assurance that the ICT products, ICT services and ICT processes for which that certificate is issued meet the corresponding security requirements, including security functionalities, and that they have been evaluated at a level intended to minimise the known cybersecurity risks, and the risk of incidents and cyberattacks carried out by actors with limited skills and resources. The evaluation activities to be undertaken shall include at least the following: a review to demonstrate the absence of publicly known vulnerabilities and testing to demonstrate that the ICT products, ICT services or ICT processes correctly implement the necessary security functionalities. Where any such evaluation activities are not appropriate, substitute evaluation activities with equivalent effect shall be undertaken.\n\n7.   A European cybersecurity certificate that refers to assurance level ‘high’ shall provide assurance that the ICT products, ICT services and ICT processes for which that certificate is issued meet the corresponding security requirements, including security functionalities, and that they have been evaluated at a level intended to minimise the risk of state-of-the-art cyberattacks carried out by actors with significant skills and resources. The evaluation activities to be undertaken shall include at least the following: a review to demonstrate the absence of publicly known vulnerabilities; testing to demonstrate that the ICT products, ICT services or ICT processes correctly implement the necessary security functionalities at the state of the art; and an assessment of their resistance to skilled attackers, using penetration testing. Where any such evaluation activities are not appropriate, substitute activities with equivalent effect shall be undertaken.\n\n8.   A European cybersecurity certification scheme may specify several evaluation levels depending on the rigour and depth of the evaluation methodology used. Each of the evaluation levels shall correspond to one of the assurance levels and shall be defined by an appropriate combination of assurance components.",
+      "chapter": "VI"
+    },
+    {
+      "number": "53",
+      "title": "Conformity self-assessment",
+      "text": "1.   A European cybersecurity certification scheme may allow for the conformity self-assessment under the sole responsibility of the manufacturer or provider of ICT products, ICT services or ICT processes. Conformity self-assessment shall be permitted only in relation to ICT products, ICT services and ICT processes that present a low risk corresponding to assurance level ‘basic’.\n\n2.   The manufacturer or provider of ICT products, ICT services or ICT processes may issue an EU statement of conformity stating that the fulfilment of the requirements set out in the scheme has been demonstrated. By issuing such a statement, the manufacturer or provider of ICT products, ICT services or ICT processes shall assume responsibility for the compliance of the ICT product, ICT service or ICT process with the requirements set out in that scheme.\n\n3.   The manufacturer or provider of ICT products, ICT services or ICT processes shall make the EU statement of conformity, technical documentation, and all other relevant information relating to the conformity of the ICT products or ICT services with the scheme available to the national cybersecurity certification authority referred to in Article 58 for the period provided for in the corresponding European cybersecurity certification scheme. A copy of the EU statement of conformity shall be submitted to the national cybersecurity certification authority and to ENISA.\n\n4.   The issuing of an EU statement of conformity is voluntary, unless otherwise specified in Union law or Member State law.\n\n5.   EU statements of conformity shall be recognised in all Member States.",
+      "chapter": "VI"
+    },
+    {
+      "number": "54",
+      "title": "Elements of European cybersecurity certification schemes",
+      "text": "1.   A European cybersecurity certification scheme shall include at least the following elements:\n\n(a)\n\nthe subject matter and scope of the certification scheme, including the type or categories of ICT products, ICT services and ICT processes covered;\n\n(b)\n\na clear description of the purpose of the scheme and of how the selected standards, evaluation methods and assurance levels correspond to the needs of the intended users of the scheme;\n\n(c)\n\nreferences to the international, European or national standards applied in the evaluation or, where such standards are not available or appropriate, to technical specifications that meet the requirements set out in Annex II to Regulation (EU) No 1025/2012 or, if such specifications are not available, to technical specifications or other cybersecurity requirements defined in the European cybersecurity certification scheme;\n\n(d)\n\nwhere applicable, one or more assurance levels;\n\n(e)\n\nan indication of whether conformity self-assessment is permitted under the scheme;\n\n(f)\n\nwhere applicable, specific or additional requirements to which conformity assessment bodies are subject in order to guarantee their technical competence to evaluate the cybersecurity requirements;\n\n(g)\n\nthe specific evaluation criteria and methods to be used, including types of evaluation, in order to demonstrate that the security objectives referred to in Article 51 are achieved;\n\n(h)\n\nwhere applicable, the information which is necessary for certification and which is to be supplied or otherwise be made available to the conformity assessment bodies by an applicant;\n\n(i)\n\nwhere the scheme provides for marks or labels, the conditions under which such marks or labels may be used;\n\n(j)\n\nrules for monitoring compliance of ICT products, ICT services and ICT processes with the requirements of the European cybersecurity certificates or the EU statements of conformity, including mechanisms to demonstrate continued compliance with the specified cybersecurity requirements;\n\n(k)\n\nwhere applicable, the conditions for issuing, maintaining, continuing and renewing the European cybersecurity certificates, as well as the conditions for extending or reducing the scope of certification;\n\n(l)\n\nrules concerning the consequences for ICT products, ICT services and ICT processes that have been certified or for which an EU statement of conformity has been issued, but which do not comply with the requirements of the scheme;\n\n(m)\n\nrules concerning how previously undetected cybersecurity vulnerabilities in ICT products, ICT services and ICT processes are to be reported and dealt with;\n\n(n)\n\nwhere applicable, rules concerning the retention of records by conformity assessment bodies;\n\n(o)\n\nthe identification of national or international cybersecurity certification schemes covering the same type or categories of ICT products, ICT services and ICT processes, security requirements, evaluation criteria and methods, and assurance levels;\n\n(p)\n\nthe content and the format of the European cybersecurity certificates and the EU statements of conformity to be issued;\n\n(q)\n\nthe period of the availability of the EU statement of conformity, technical documentation, and all other relevant information to be made available by the manufacturer or provider of ICT products, ICT services or ICT processes;\n\n(r)\n\nmaximum period of validity of European cybersecurity certificates issued under the scheme;\n\n(s)\n\ndisclosure policy for European cybersecurity certificates issued, amended or withdrawn under the scheme;\n\n(t)\n\nconditions for the mutual recognition of certification schemes with third countries;\n\n(u)\n\nwhere applicable, rules concerning any peer assessment mechanism established by the scheme for the authorities or bodies issuing European cybersecurity certificates for assurance level ‘high’ pursuant to Article 56(6). Such mechanism shall be without prejudice to the peer review provided for in Article 59;\n\n(v)\n\nformat and procedures to be followed by manufacturers or providers of ICT products, ICT services or ICT processes in supplying and updating the supplementary cybersecurity information in accordance with Article 55.\n\n2.   The specified requirements of the European cybersecurity certification scheme shall be consistent with any applicable legal requirements, in particular requirements emanating from harmonised Union law.\n\n3.   Where a specific Union legal act so provides, a certificate or an EU statement of conformity issued under a European cybersecurity certification scheme may be used to demonstrate the presumption of conformity with requirements of that legal act.\n\n4.   In the absence of harmonised Union law, Member State law may also provide that a European cybersecurity certification scheme may be used for establishing the presumption of conformity with legal requirements.",
+      "chapter": "VI"
+    },
+    {
+      "number": "55",
+      "title": "Supplementary cybersecurity information for certified ICT products, ICT services and ICT processes",
+      "text": "1.   The manufacturer or provider of certified ICT products, ICT services or ICT processes or of ICT products, ICT services and ICT processes for which an EU statement of conformity has been issued shall make publicly available the following supplementary cybersecurity information:\n\n(a)\n\nguidance and recommendations to assist end users with the secure configuration, installation, deployment, operation and maintenance of the ICT products or ICT services;\n\n(b)\n\nthe period during which security support will be offered to end users, in particular as regards the availability of cybersecurity related updates;\n\n(c)\n\ncontact information of the manufacturer or provider and accepted methods for receiving vulnerability information from end users and security researchers;\n\n(d)\n\na reference to online repositories listing publicly disclosed vulnerabilities related to the ICT product, ICT service or ICT process and to any relevant cybersecurity advisories.\n\n2.   The information referred to in paragraph 1 shall be available in electronic form and shall remain available and be updated as necessary at least until the expiry of the corresponding European cybersecurity certificate or EU statement of conformity.",
+      "chapter": "VI"
+    },
+    {
+      "number": "56",
+      "title": "Cybersecurity certification",
+      "text": "1.   ICT products, ICT services and ICT processes that have been certified under a European cybersecurity certification scheme adopted pursuant to Article 49 shall be presumed to comply with the requirements of such scheme.\n\n2.   The cybersecurity certification shall be voluntary, unless otherwise specified by Union law or Member State law.\n\n3.   The Commission shall regularly assess the efficiency and use of the adopted European cybersecurity certification schemes and whether a specific European cybersecurity certification scheme is to be made mandatory through relevant Union law to ensure an adequate level of cybersecurity of ICT products, ICT services and ICT processes in the Union and improve the functioning of the internal market. The first such assessment shall be carried out by 31 December 2023, and subsequent assessments shall be carried out at least every two years thereafter. Based on the outcome of those assessments, the Commission shall identify the ICT products, ICT services and ICT processes covered by an existing certification scheme which are to be covered by a mandatory certification scheme.\n\nAs a priority, the Commission shall focus on the sectors listed in Annex II to Directive (EU) 2016/1148, which shall be assessed at the latest two years after the adoption of the first European cybersecurity certification scheme.\n\nWhen preparing the assessment the Commission shall:\n\n(a)\n\ntake into account the impact of the measures on the manufacturers or providers of such ICT products, ICT services or ICT processes and on the users in terms of the cost of those measures and the societal or economic benefits stemming from the anticipated enhanced level of security for the targeted ICT products, ICT services or ICT processes;\n\n(b)\n\ntake into account the existence and implementation of relevant Member State and third country law;\n\n(c)\n\ncarry out an open, transparent and inclusive consultation process with all relevant stakeholders and Member States;\n\n(d)\n\ntake into account any implementation deadlines, transitional measures and periods, in particular with regard to the possible impact of the measure on the manufacturers or providers of ICT products, ICT services or ICT processes, including SMEs;\n\n(e)\n\npropose the most speedy and efficient way in which the transition from a voluntary to mandatory certification schemes is to be implemented.\n\n4.   The conformity assessment bodies referred to in Article 60 shall issue European cybersecurity certificates pursuant to this Article referring to assurance level ‘basic’ or ‘substantial’ on the basis of criteria included in the European cybersecurity certification scheme adopted by the Commission pursuant to Article 49.\n\n5.   By way of derogation from paragraph 4, in duly justified cases a European cybersecurity certification scheme may provide that European cybersecurity certificates resulting from that scheme are to be issued only by a public body. Such body shall be one of the following:\n\n(a)\n\na national cybersecurity certification authority as referred to in Article 58(1); or\n\n(b)\n\na public body that is accredited as a conformity assessment body pursuant to Article 60(1).\n\n6.   Where a European cybersecurity certification scheme adopted pursuant to Article 49 requires an assurance level ‘high’, the European cybersecurity certificate under that scheme is to be issued only by a national cybersecurity certification authority or, in the following cases, by a conformity assessment body:\n\n(a)\n\nupon prior approval by the national cybersecurity certification authority for each individual European cybersecurity certificate issued by a conformity assessment body; or\n\n(b)\n\non the basis of a general delegation of the task of issuing such European cybersecurity certificates to a conformity assessment body by the national cybersecurity certification authority.\n\n7.   The natural or legal person who submits ICT products, ICT services or ICT processes for certification shall make available to the national cybersecurity certification authority referred to in Article 58, where that authority is the body issuing the European cybersecurity certificate, or to the conformity assessment body referred to in Article 60 all information necessary to conduct the certification.\n\n8.   The holder of a European cybersecurity certificate shall inform the authority or body referred to in paragraph 7 of any subsequently detected vulnerabilities or irregularities concerning the security of the certified ICT product, ICT service or ICT process that may have an impact on its compliance with the requirements related to the certification. That authority or body shall forward that information without undue delay to the national cybersecurity certification authority concerned.\n\n9.   A European cybersecurity certificate shall be issued for the period provided for in the European cybersecurity certification scheme and may be renewed, provided that the relevant requirements continue to be met.\n\n10.   A European cybersecurity certificate issued pursuant to this Article shall be recognised in all Member States.",
+      "chapter": "VI"
+    },
+    {
+      "number": "57",
+      "title": "National cybersecurity certification schemes and certificates",
+      "text": "1.   Without prejudice to paragraph 3 of this Article, national cybersecurity certification schemes, and the related procedures for the ICT products, ICT services and ICT processes that are covered by a European cybersecurity certification scheme shall cease to produce effects from the date established in the implementing act adopted pursuant to Article 49(7). National cybersecurity certification schemes and the related procedures for the ICT products, ICT services and ICT processes that are not covered by a European cybersecurity certification scheme shall continue to exist.\n\n2.   Member States shall not introduce new national cybersecurity certification schemes for ICT products, ICT services and ICT processes already covered by a European cybersecurity certification scheme that is in force.\n\n3.   Existing certificates that were issued under national cybersecurity certification schemes and are covered by a European cybersecurity certification scheme shall remain valid until their expiry date.\n\n4.   With a view to avoiding the fragmentation of the internal market, Member States shall inform the Commission and the ECCG of any intention to draw up new national cybersecurity certification schemes.",
+      "chapter": "VI"
+    },
+    {
+      "number": "58",
+      "title": "National cybersecurity certification authorities",
+      "text": "1.   Each Member State shall designate one or more national cybersecurity certification authorities in its territory or, with the agreement of another Member State, shall designate one or more national cybersecurity certification authorities established in that other Member State to be responsible for the supervisory tasks in the designating Member State.\n\n2.   Each Member State shall inform the Commission of the identity of the designated national cybersecurity certification authorities. Where a Member State designates more than one authority, it shall also inform the Commission about the tasks assigned to each of those authorities.\n\n3.   Without prejudice to point (a) of Article 56(5) and Article 56(6), each national cybersecurity certification authority shall be independent of the entities it supervises in its organisation, funding decisions, legal structure and decision-making.\n\n4.   Member States shall ensure that the activities of the national cybersecurity certification authorities that relate to the issuance of European cybersecurity certificates referred to in point (a) of Article 56(5) and in Article 56(6) are strictly separated from their supervisory activities set out in this Article and that those activities are carried out independently from each other.\n\n5.   Member States shall ensure that national cybersecurity certification authorities have adequate resources to exercise their powers and to carry out their tasks in an effective and efficient manner.\n\n6.   For the effective implementation of this Regulation, it is appropriate that national cybersecurity certification authorities participate in the ECCG in an active, effective, efficient and secure manner.\n\n7.   National cybersecurity certification authorities shall:\n\n(a)\n\nsupervise and enforce rules included in European cybersecurity certification schemes pursuant to point (j) of Article 54(1) for the monitoring of the compliance of ICT products, ICT services and ICT processes with the requirements of the European cybersecurity certificates that have been issued in their respective territories, in cooperation with other relevant market surveillance authorities;\n\n(b)\n\nmonitor compliance with and enforce the obligations of the manufacturers or providers of ICT products, ICT services or ICT processes that are established in their respective territories and that carry out conformity self-assessment, and shall, in particular, monitor compliance with and enforce the obligations of such manufacturers or providers set out in Article 53(2) and (3) and in the corresponding European cybersecurity certification scheme;\n\n(c)\n\nwithout prejudice to Article 60(3), actively assist and support the national accreditation bodies in the monitoring and supervision of the activities of conformity assessment bodies, for the purposes of this Regulation;\n\n(d)\n\nmonitor and supervise the activities of the public bodies referred to in Article 56(5);\n\n(e)\n\nwhere applicable, authorise conformity assessment bodies in accordance with Article 60(3) and restrict, suspend or withdraw existing authorisation where conformity assessment bodies infringe the requirements of this Regulation;\n\n(f)\n\nhandle complaints by natural or legal persons in relation to European cybersecurity certificates issued by national cybersecurity certification authorities or to European cybersecurity certificates issued by conformity assessment bodies in accordance with Article 56(6) or in relation to EU statements of conformity issued under Article 53, and shall investigate the subject matter of such complaints to the extent appropriate, and shall inform the complainant of the progress and the outcome of the investigation within a reasonable period;\n\n(g)\n\nprovide an annual summary report on the activities conducted under points (b), (c) and (d) of this paragraph or under paragraph 8 to ENISA and the ECCG;\n\n(h)\n\ncooperate with other national cybersecurity certification authorities or other public authorities, including by sharing information on the possible non-compliance of ICT products, ICT services and ICT processes with the requirements of this Regulation or with the requirements of specific European cybersecurity certification schemes; and\n\n(i)\n\nmonitor relevant developments in the field of cybersecurity certification.\n\n8.   Each national cybersecurity certification authority shall have at least the following powers:\n\n(a)\n\nto request conformity assessment bodies, European cybersecurity certificates’ holders and issuers of EU statements of conformity to provide any information it requires for the performance of its tasks;\n\n(b)\n\nto carry out investigations, in the form of audits, of conformity assessment bodies, European cybersecurity certificates’ holders and issuers of EU statements of conformity, for the purpose of verifying their compliance with this Title;\n\n(c)\n\nto take appropriate measures, in accordance with national law, to ensure that conformity assessment bodies, European cybersecurity certificates’ holders and issuers of EU statements of conformity comply with this Regulation or with a European cybersecurity certification scheme;\n\n(d)\n\nto obtain access to the premises of any conformity assessment bodies or holders of European cybersecurity certificates, for the purpose of carrying out investigations in accordance with Union or Member State procedural law;\n\n(e)\n\nto withdraw, in accordance with national law, European cybersecurity certificates issued by the national cybersecurity certification authorities or European cybersecurity certificates issued by conformity assessment bodies in accordance with Article 56(6), where such certificates do not comply with this Regulation or with a European cybersecurity certification scheme;\n\n(f)\n\nto impose penalties in accordance with national law, as provided for in Article 65, and to require the immediate cessation of infringements of the obligations set out in this Regulation.\n\n9.   National cybersecurity certification authorities shall cooperate with each other and with the Commission, in particular, by exchanging information, experience and good practices as regards cybersecurity certification and technical issues concerning the cybersecurity of ICT products, ICT services and ICT processes.",
+      "chapter": "VI"
+    },
+    {
+      "number": "59",
+      "title": "Peer review",
+      "text": "1.   With a view to achieving equivalent standards throughout the Union in respect of European cybersecurity certificates and EU statements of conformity, national cybersecurity certification authorities shall be subject to peer review.\n\n2.   Peer review shall be carried out on the basis of sound and transparent evaluation criteria and procedures, in particular concerning structural, human resource and process requirements, confidentiality and complaints.\n\n3.   Peer review shall assess:\n\n(a)\n\nwhere applicable, whether the activities of the national cybersecurity certification authorities that relate to the issuance of European cybersecurity certificates referred to in point (a) of Article 56(5) and in Article 56(6) are strictly separated from their supervisory activities set out in Article 58 and whether those activities are carried out independently from each other;\n\n(b)\n\nthe procedures for supervising and enforcing the rules for monitoring the compliance of ICT products, ICT services and ICT processes with European cybersecurity certificates pursuant to point (a) of Article 58(7);\n\n(c)\n\nthe procedures for monitoring and enforcing the obligations of manufacturers or providers of ICT products, ICT services or ICT processes pursuant to point (b) of Article 58(7);\n\n(d)\n\nthe procedures for monitoring, authorising and supervising the activities of the conformity assessment bodies;\n\n(e)\n\nwhere applicable, whether the staff of authorities or bodies that issue certificates for assurance level ‘high’ pursuant to Article 56(6) have the appropriate expertise.\n\n4.   Peer review shall be carried out by at least two national cybersecurity certification authorities of other Member States and the Commission and shall be carried out at least once every five years. ENISA may participate in the peer review.\n\n5.   The Commission may adopt implementing acts establishing a plan for peer review which covers a period of at least five years, laying down the criteria concerning the composition of the peer review team, the methodology to be used in peer review, and the schedule, the frequency and other tasks related to it. In adopting those implementing acts, the Commission shall take due account of the views of the ECCG. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 66(2).\n\n6.   The outcomes of peer reviews shall be examined by the ECCG, which shall draw up summaries that may be made publicly available and which shall, where necessary, issue guidelines or recommendations on actions or measures to be taken by the entities concerned.",
+      "chapter": "VI"
+    },
+    {
+      "number": "60",
+      "title": "Conformity assessment bodies",
+      "text": "1.   The conformity assessment bodies shall be accredited by national accreditation bodies appointed pursuant to Regulation (EC) No 765/2008. Such accreditation shall be issued only where the conformity assessment body meets the requirements set out in the Annex to this Regulation.\n\n2.   Where a European cybersecurity certificate is issued by a national cybersecurity certification authority pursuant to point (a) of Article 56(5) and Article 56(6), the certification body of the national cybersecurity certification authority shall be accredited as a conformity assessment body pursuant to paragraph 1 of this Article.\n\n3.   Where European cybersecurity certification schemes set out specific or additional requirements pursuant to point (f) of Article 54(1), only conformity assessment bodies that meet those requirements shall be authorised by the national cybersecurity certification authority to carry out tasks under such schemes.\n\n4.   The accreditation referred to in paragraph 1 shall be issued to the conformity assessment bodies for a maximum of five years and may be renewed on the same conditions, provided that the conformity assessment body still meets the requirements set out in this Article. National accreditation bodies shall take all appropriate measures within a reasonable timeframe to restrict, suspend or revoke the accreditation of a conformity assessment body issued pursuant to paragraph 1 where the conditions for the accreditation have not been met or are no longer met, or where the conformity assessment body infringes this Regulation.",
+      "chapter": "VI"
+    },
+    {
+      "number": "61",
+      "title": "Notification",
+      "text": "1.   For each European cybersecurity certification scheme, the national cybersecurity certification authorities shall notify the Commission of the conformity assessment bodies that have been accredited and, where applicable, authorised pursuant to Article 60(3) to issue European cybersecurity certificates at specified assurance levels as referred to in Article 52. The national cybersecurity certification authorities shall notify the Commission of any subsequent changes thereto without undue delay.\n\n2.   One year after the entry into force of a European cybersecurity certification scheme, the Commission shall publish a list of the conformity assessment bodies notified under that scheme in the Official Journal of the European Union.\n\n3.   If the Commission receives a notification after the expiry of the period referred to in paragraph 2, it shall publish the amendments to the list of notified conformity assessment bodies in the Official Journal of the European Union within two months of the date of receipt of that notification.\n\n4.   A national cybersecurity certification authority may submit to the Commission a request to remove a conformity assessment body notified by that authority from the list referred to in paragraph 2. The Commission shall publish the corresponding amendments to that list in the Official Journal of the European Union within one month of the date of receipt of the national cybersecurity certification authority’s request.\n\n5.   The Commission may adopt implementing acts to establish the circumstances, formats and procedures for notifications referred to in paragraph 1 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 66(2).",
+      "chapter": "VI"
+    },
+    {
+      "number": "62",
+      "title": "European Cybersecurity Certification Group",
+      "text": "1.   The European Cybersecurity Certification Group (the ‘ECCG’) shall be established.\n\n2.   The ECCG shall be composed of representatives of national cybersecurity certification authorities or representatives of other relevant national authorities. A member of the ECCG shall not represent more than two Member States.\n\n3.   Stakeholders and relevant third parties may be invited to attend meetings of the ECCG and to participate in its work.\n\n4.   The ECCG shall have the following tasks:\n\n(a)\n\nto advise and assist the Commission in its work to ensure the consistent implementation and application of this Title, in particular regarding the Union rolling work programme, cybersecurity certification policy issues, the coordination of policy approaches, and the preparation of European cybersecurity certification schemes;\n\n(b)\n\nto assist, advise and cooperate with ENISA in relation to the preparation of a candidate scheme pursuant to Article 49;\n\n(c)\n\nto adopt an opinion on candidate schemes prepared by ENISA pursuant to Article 49;\n\n(d)\n\nto request ENISA to prepare candidate schemes pursuant to Article 48(2);\n\n(e)\n\nto adopt opinions addressed to the Commission relating to the maintenance and review of existing European cybersecurity certifications schemes;\n\n(f)\n\nto examine relevant developments in the field of cybersecurity certification and to exchange information and good practices on cybersecurity certification schemes;\n\n(g)\n\nto facilitate the cooperation between national cybersecurity certification authorities under this Title through capacity-building and the exchange of information, in particular by establishing methods for the efficient exchange of information relating to issues concerning cybersecurity certification;\n\n(h)\n\nto support the implementation of peer assessment mechanisms in accordance with the rules established in a European cybersecurity certification scheme pursuant to point (u) of Article 54(1);\n\n(i)\n\nto facilitate the alignment of European cybersecurity certification schemes with internationally recognised standards, including by reviewing existing European cybersecurity certification schemes and, where appropriate, making recommendations to ENISA to engage with relevant international standardisation organisations to address insufficiencies or gaps in available internationally recognised standards.\n\n5.   With the assistance of ENISA, the Commission shall chair the ECCG, and the Commission shall provide the ECCG with a secretariat in accordance with point (e) of Article 8(1).",
+      "chapter": "VI"
+    },
+    {
+      "number": "63",
+      "title": "Right to lodge a complaint",
+      "text": "1.   Natural and legal persons shall have the right to lodge a complaint with the issuer of a European cybersecurity certificate or, where the complaint relates to a European cybersecurity certificate issued by a conformity assessment body when acting in accordance with Article 56(6), with the relevant national cybersecurity certification authority.\n\n2.   The authority or body with which the complaint has been lodged shall inform the complainant of the progress of the proceedings and of the decision taken, and shall inform the complainant of the right to an effective judicial remedy referred to in Article 64.",
+      "chapter": "VI"
+    },
+    {
+      "number": "64",
+      "title": "Right to an effective judicial remedy",
+      "text": "1.   Notwithstanding any administrative or other non-judicial remedies, natural and legal persons shall have the right to an effective judicial remedy with regard to:\n\n(a)\n\ndecisions taken by the authority or body referred to in Article 63(1) including, where applicable, in relation to the improper issuing, failure to issue or recognition of a European cybersecurity certificate held by those natural and legal persons;\n\n(b)\n\na failure to act on a complaint lodged with the authority or body referred to in Article 63(1).\n\n2.   Proceedings pursuant to this Article shall be brought before the courts of the Member State in which the authority or body against which the judicial remedy is sought is located.",
+      "chapter": "VI"
+    },
+    {
+      "number": "65",
+      "title": "Penalties",
+      "text": "Member States shall lay down the rules on penalties applicable to infringements of this Title and to infringements of European cybersecurity certification schemes, and shall take all measures necessary to ensure that they are implemented. The penalties provided for shall be effective, proportionate and dissuasive. Member States shall without delay notify the Commission of those rules and of those measures and shall notify it of any subsequent amendment affecting them.\n\nTITLE IV\n\nFINAL PROVISIONS",
+      "chapter": "VI"
+    },
+    {
+      "number": "66",
+      "title": "Committee procedure",
+      "text": "1.   The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.\n\n2.   Where reference is made to this paragraph, point (b) of Article 5(4) of Regulation (EU) No 182/2011 shall apply.",
+      "chapter": "VI"
+    },
+    {
+      "number": "67",
+      "title": "Evaluation and review",
+      "text": "1.   By 28 June 2024, and every five years thereafter, the Commission shall evaluate the impact, effectiveness and efficiency of ENISA and of its working practices, the possible need to modify ENISA’s mandate and the financial implications of any such modification. The evaluation shall take into account any feedback provided to ENISA in response to its activities. Where the Commission considers that the continued operation of ENISA is no longer justified in light of the objectives, mandate and tasks assigned to it, the Commission may propose that this Regulation be amended with regard to the provisions related to ENISA.\n\n2.   The evaluation shall also assess the impact, effectiveness and efficiency of the provisions of Title III of this Regulation with regard to the objectives of ensuring an adequate level of cybersecurity of ICT products, ICT services and ICT processes in the Union and improving the functioning of the internal market.\n\n3.   The evaluation shall assess whether essential cybersecurity requirements for access to the internal market are necessary in order to prevent ICT products, ICT services and ICT processes which do not meet basic cybersecurity requirements from entering the Union market.\n\n4.   By 28 June 2024, and every five years thereafter, the Commission shall transmit a report on the evaluation together with its conclusions to the European Parliament, to the Council and to the Management Board. The findings of that report shall be made public.",
+      "chapter": "VI"
+    },
+    {
+      "number": "68",
+      "title": "Repeal and succession",
+      "text": "1.   Regulation (EU) No 526/2013 is repealed with effect from 27 June 2019.\n\n2.   References to Regulation (EU) No 526/2013 and to the ENISA as established by that Regulation shall be construed as references to this Regulation and to ENISA as established by this Regulation.\n\n3.   ENISA as established by this Regulation shall succeed ENISA as established by Regulation (EU) No 526/2013 as regards all ownership, agreements, legal obligations, employment contracts, financial commitments and liabilities. All decisions of the Management Board and the Executive Board adopted in accordance with Regulation (EU) No 526/2013 shall remain valid, provided that they comply with this Regulation.\n\n4.   ENISA shall be established for an indefinite period as of 27 June 2019.\n\n5.   The Executive Director appointed pursuant to Article 24(4) of Regulation (EU) No 526/2013 shall remain in office and exercise the duties of the Executive Director as referred to in Article 20 of this Regulation for the remaining part of the Executive Director’s term of office. The other conditions of his or her contract shall remain unchanged.\n\n6.   The members of the Management Board and their alternates appointed pursuant to Article 6 of Regulation (EU) No 526/2013 shall remain in office and exercise the functions of the Management Board as referred to in Article 15 of this Regulation for the remaining part of their term of office.",
+      "chapter": "VI"
+    },
+    {
+      "number": "69",
+      "title": "Entry into force",
+      "text": "1.   This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.\n\n2.   Articles 58, 60, 61, 63, 64 and 65 shall apply from 28 June 2021.\n\nThis Regulation shall be binding in its entirety and directly applicable in all Member States.\n\nDone at Strasbourg, 17 April 2019.\n\nFor the European Parliament\n\nThe President\n\nA. TAJANI\n\nFor the Council\n\nThe President\n\nG. CIAMBA\n\n(1)\n\nOJ C 227, 28.6.2018, p. 86.\n\n(2)\n\nOJ C 176, 23.5.2018, p. 29.\n\n(3)  Position of the European Parliament of 12 March 2019 (not yet published in the Official Journal) and decision of the Council of 9 April 2019.\n\n(4)  Commission Recommendation of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (OJ L 124, 20.5.2003, p. 36).\n\n(5)  Regulation (EU) No 526/2013 of the European Parliament and of the Council of 21 May 2013 concerning the European Union Agency for Network and Information Security (ENISA) and repealing Regulation (EC) No 460/2004 (OJ L 165, 18.6.2013, p. 41).\n\n(6)  Regulation (EC) No 460/2004 of the European Parliament and of the Council of 10 March 2004 establishing the European Network and Information Security Agency (OJ L 77, 13.3.2004, p. 1).\n\n(7)  Regulation (EC) No 1007/2008 of the European Parliament and of the Council of 24 September 2008 amending Regulation (EC) No 460/2004 establishing the European Network and Information Security Agency as regards its duration (OJ L 293, 31.10.2008, p. 1).\n\n(8)  Regulation (EU) No 580/2011 of the European Parliament and of the Council of 8 June 2011 amending Regulation (EC) No 460/2004 establishing the European Network and Information Security Agency as regards its duration (OJ L 165, 24.6.2011, p. 3).\n\n(9)  Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (OJ L 194, 19.7.2016, p. 1).\n\n(10)  Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).\n\n(11)  Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p. 37).\n\n(12)  Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code (OJ L 321, 17.12.2018, p. 36).\n\n(13)  Decision 2004/97/EC, Euratom taken by common agreement between the Representatives of the Member States, meeting at Head of State or Government level, of 13 December 2003 on the location of the seats of certain offices and agencies of the European Union (OJ L 29, 3.2.2004, p. 15).\n\n(14)\n\nOJ C 12, 13.1.2018, p. 1.\n\n(15)  Commission Recommendation (EU) 2017/1584 of 13 September 2017 on coordinated response to large-scale cybersecurity incidents and crises (OJ L 239, 19.9.2017, p. 36).\n\n(16)  Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products and repealing Regulation (EEC) No 339/93 (OJ L 218, 13.8.2008, p. 30).\n\n(17)  Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents (OJ L 145, 31.5.2001, p. 43).\n\n(18)  Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).\n\n(19)  Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council Decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12).\n\n(20)  Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015 laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services (OJ L 241, 17.9.2015, p. 1).\n\n(21)  Directive 2014/24/EU of the European Parliament and of the Council of 26 February 2014 on public procurement and repealing Directive 2004/18/EC (OJ L 94, 28.3.2014, p. 65).\n\n(22)  Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Member States of the Commission’s exercise of implementing powers (OJ L 55, 28.2.2011, p. 13).\n\n(23)  Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (OJ L 257, 28.8.2014, p. 73).\n\n(24)\n\nOJ L 56, 4.3.1968, p. 1.\n\n(25)  Commission Delegated Regulation (EU) No 1271/2013 of 30 September 2013 on the framework financial regulation for the bodies referred to in Article 208 of Regulation (EU, Euratom) No 966/2012 of the European Parliament and of the Council (OJ L 328, 7.12.2013, p. 42).\n\n(26)  Commission Decision (EU, Euratom) 2015/443 of 13 March 2015 on Security in the Commission (OJ L 72, 17.3.2015, p. 41).\n\n(27)  Commission Decision (EU, Euratom) 2015/444 of 13 March 2015 on the security rules for protecting EU classified information (OJ L 72, 17.3.2015, p. 53).\n\n(28)  Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council of 18 July 2018 on the financial rules applicable to the general budget of the Union, amending Regulations (EU) No 1296/2013, (EU) No 1301/2013, (EU) No 1303/2013, (EU) No 1304/2013, (EU) No 1309/2013, (EU) No 1316/2013, (EU) No 223/2014, (EU) No 283/2014, and Decision No 541/2014/EU and repealing Regulation (EU, Euratom) No 966/2012 (OJ L 193, 30.7.2018, p. 1).\n\n(29)  Regulation (EU, Euratom) No 883/2013 of the European Parliament and of the Council of 11 September 2013 concerning investigations conducted by the European Anti-Fraud Office (OLAF) and repealing Regulation (EC) No 1073/1999 of the European Parliament and of the Council and Council Regulation (Euratom) No 1074/1999 (OJ L 248, 18.9.2013, p. 1).\n\n(30)\n\nOJ L 136, 31.5.1999, p. 15.\n\n(31)  Council Regulation (Euratom, EC) No 2185/96 of 11 November 1996 concerning on-the-spot checks and inspections carried out by the Commission in order to protect the European Communities’ financial interests against fraud and other irregularities (OJ L 292, 15.11.1996, p. 2).\n\n(32)  Council Regulation No 1 determining the languages to be used by the European Economic Community (OJ 17, 6.10.1958, p. 385/58).\n\nANNEX\n\nREQUIREMENTS TO BE MET BY CONFORMITY ASSESSMENT BODIES\n\nConformity assessment bodies that wish to be accredited shall meet the following requirements:\n\n1.\n\nA conformity assessment body shall be established under national law and shall have legal personality.\n\n2.\n\nA conformity assessment body shall be a third-party body that is independent of the organisation or the ICT products, ICT services or ICT processes that it assesses.\n\n3.\n\nA body that belongs to a business association or professional federation representing undertakings involved in the design, manufacturing, provision, assembly, use or maintenance of ICT products, ICT services or ICT processes which it assesses may be considered to be a conformity assessment body, provided that its independence and the absence of any conflict of interest are demonstrated.\n\n4.\n\nThe conformity assessment bodies, their top-level management and the persons responsible for carrying out the conformity assessment tasks shall not be the designer, manufacturer, supplier, installer, purchaser, owner, user or maintainer of the ICT product, ICT service or ICT process which is assessed, or the authorised representative of any of those parties. That prohibition shall not preclude the use of the ICT products assessed that are necessary for the operations of the conformity assessment body or the use of such ICT products for personal purposes.\n\n5.\n\nThe conformity assessment bodies, their top-level management and the persons responsible for carrying out the conformity assessment tasks shall not be directly involved in the design, manufacture or construction, the marketing, installation, use or maintenance of the ICT products, ICT services or ICT processes which are assessed, or represent parties engaged in those activities. The conformity assessment bodies, their top-level management and the persons responsible for carrying out the conformity assessment tasks shall not engage in any activity that may conflict with their independence of judgement or integrity in relation to their conformity assessment activities. That prohibition shall apply, in particular, to consultancy services.\n\n6.\n\nIf a conformity assessment body is owned or operated by a public entity or institution, the independence and absence of any conflict of interest shall be ensured between the national cybersecurity certification authority and the conformity assessment body, and shall be documented.\n\n7.\n\nConformity assessment bodies shall ensure that the activities of their subsidiaries and subcontractors do not affect the confidentiality, objectivity or impartiality of their conformity assessment activities.\n\n8.\n\nConformity assessment bodies and their staff shall carry out conformity assessment activities with the highest degree of professional integrity and the requisite technical competence in the specific field, and shall be free from all pressures and inducements which might influence their judgement or the results of their conformity assessment activities, including pressures and inducements of a financial nature, especially as regards persons or groups of persons with an interest in the results of those activities.\n\n9.\n\nA conformity assessment body shall be capable of carrying out all the conformity assessment tasks assigned to it under this Regulation, regardless of whether those tasks are carried out by the conformity assessment body itself or on its behalf and under its responsibility. Any subcontracting to, or consultation of, external staff shall be properly documented, shall not involve any intermediaries and shall be subject to a written agreement covering, among other things, confidentiality and conflicts of interest. The conformity assessment body in question shall take full responsibility for the tasks performed.\n\n10.\n\nAt all times and for each conformity assessment procedure and each type, category or sub-category of ICT products, ICT services or ICT processes, a conformity assessment body shall have at its disposal the necessary:\n\n(a)\n\nstaff with technical knowledge and sufficient and appropriate experience to perform the conformity assessment tasks;\n\n(b)\n\ndescriptions of procedures in accordance with which conformity assessment is to be carried out, to ensure the transparency of those procedures and the possibility of reproducing them. It shall have in place appropriate policies and procedures that distinguish between tasks that it carries out as a body notified pursuant to Article 61 and its other activities;\n\n(c)\n\nprocedures for the performance of activities which take due account of the size of an undertaking, the sector in which it operates, its structure, the degree of complexity of the technology of the ICT product, ICT service or ICT process in question and the mass or serial nature of the production process.\n\n11.\n\nA conformity assessment body shall have the means necessary to perform the technical and administrative tasks connected with the conformity assessment activities in an appropriate manner, and shall have access to all necessary equipment and facilities.\n\n12.\n\nThe persons responsible for carrying out conformity assessment activities shall have the following:\n\n(a)\n\nsound technical and vocational training covering all conformity assessment activities;\n\n(b)\n\nsatisfactory knowledge of the requirements of the conformity assessments they carry out and adequate authority to carry out those assessments;\n\n(c)\n\nappropriate knowledge and understanding of the applicable requirements and testing standards;\n\n(d)\n\nthe ability to draw up certificates, records and reports demonstrating that conformity assessments have been carried out.\n\n13.\n\nThe impartiality of the conformity assessment bodies, of their top-level management, of the persons responsible for carrying out conformity assessment activities, and of any subcontractors shall be guaranteed.\n\n14.\n\nThe remuneration of the top-level management and of the persons responsible for carrying out conformity assessment activities shall not depend on the number of conformity assessments carried out or on the results of those assessments.\n\n15.\n\nConformity assessment bodies shall take out liability insurance unless liability is assumed by the Member State in accordance with its national law, or the Member State itself is directly responsible for the conformity assessment.\n\n16.\n\nThe conformity assessment body and its staff, its committees, its subsidiaries, its subcontractors, and any associated body or the staff of external bodies of a conformity assessment body shall maintain confidentiality and observe professional secrecy with regard to all information obtained in carrying out their conformity assessment tasks under this Regulation or pursuant to any provision of national law giving effect to this Regulation, except where disclosure is required by Union or Member State law to which such persons are subject, and except in relation to the competent authorities of the Member States in which its activities are carried out. Intellectual property rights shall be protected. The conformity assessment body shall have documented procedures in place in respect of the requirements of this point.\n\n17.\n\nWith the exception of point 16, the requirements of this Annex shall not preclude exchanges of technical information and regulatory guidance between a conformity assessment body and a person who applies for certification or who is considering whether to apply for certification.\n\n18.\n\nConformity assessment bodies shall operate in accordance with a set of consistent, fair and reasonable terms and conditions, taking into account the interests of SMEs in relation to fees.\n\n19.\n\nConformity assessment bodies shall meet the requirements of the relevant standard that is harmonised under Regulation (EC) No 765/2008 for the accreditation of conformity assessment bodies performing certification of ICT products, ICT services or ICT processes.\n\n20.\n\nConformity assessment bodies shall ensure that testing laboratories used for conformity assessment purposes meet the requirements of the relevant standard that is harmonised under Regulation (EC) No 765/2008 for the accreditation of laboratories performing testing.\n\n////////////////////////$(document).ready(function(){generateTOC(true,'', 'Top','false');scrollToCurrentUrlAnchor();});",
+      "chapter": "VI"
+    }
+  ],
+  "definitions": [
+    {
+      "term": "cybersecurity",
+      "definition": "the activities necessary to protect network and information systems, the users of such systems, and other persons affected by cyber threats;",
+      "article": "2"
+    },
+    {
+      "term": "network and information system",
+      "definition": "a network and information system as defined in point (1) of Article 4 of Directive (EU) 2016/1148;",
+      "article": "2"
+    },
+    {
+      "term": "national strategy on the security of network and information systems",
+      "definition": "a national strategy on the security of network and information systems as defined in point (3) of Article 4 of Directive (EU) 2016/1148;",
+      "article": "2"
+    },
+    {
+      "term": "operator of essential services",
+      "definition": "an operator of essential services as defined in point (4) of Article 4 of Directive (EU) 2016/1148;",
+      "article": "2"
+    },
+    {
+      "term": "digital service provider",
+      "definition": "a digital service provider as defined in point (6) of Article 4 of Directive (EU) 2016/1148;",
+      "article": "2"
+    },
+    {
+      "term": "incident",
+      "definition": "an incident as defined in point (7) of Article 4 of Directive (EU) 2016/1148;",
+      "article": "2"
+    },
+    {
+      "term": "incident handling",
+      "definition": "incident handling as defined in point (8) of Article 4 of Directive (EU) 2016/1148;",
+      "article": "2"
+    },
+    {
+      "term": "cyber threat",
+      "definition": "any potential circumstance, event or action that could damage, disrupt or otherwise adversely impact network and information systems, the users of such systems and other persons;",
+      "article": "2"
+    },
+    {
+      "term": "european cybersecurity certification scheme",
+      "definition": "a comprehensive set of rules, technical requirements, standards and procedures that are established at Union level and that apply to the certification or conformity assessment of specific ICT products, ICT services or ICT processes;",
+      "article": "2"
+    },
+    {
+      "term": "national cybersecurity certification scheme",
+      "definition": "a comprehensive set of rules, technical requirements, standards and procedures developed and adopted by a national public authority and that apply to the certification or conformity assessment of ICT products, ICT services and ICT processes falling under the scope of the specific scheme;",
+      "article": "2"
+    },
+    {
+      "term": "european cybersecurity certificate",
+      "definition": "a document issued by a relevant body, attesting that a given ICT product, ICT service or ICT process has been evaluated for compliance with specific security requirements laid down in a European cybersecurity certification scheme;",
+      "article": "2"
+    },
+    {
+      "term": "ict product",
+      "definition": "an element or a group of elements of a network or information system;",
+      "article": "2"
+    },
+    {
+      "term": "ict service",
+      "definition": "a service consisting fully or mainly in the transmission, storing, retrieving or processing of information by means of network and information systems;",
+      "article": "2"
+    },
+    {
+      "term": "ict process",
+      "definition": "a set of activities performed to design, develop, deliver or maintain an ICT product or ICT service;",
+      "article": "2"
+    },
+    {
+      "term": "accreditation",
+      "definition": "accreditation as defined in point (10) of Article 2 of Regulation (EC) No 765/2008;",
+      "article": "2"
+    },
+    {
+      "term": "national accreditation body",
+      "definition": "a national accreditation body as defined in point (11) of Article 2 of Regulation (EC) No 765/2008;",
+      "article": "2"
+    },
+    {
+      "term": "conformity assessment",
+      "definition": "a conformity assessment as defined in point (12) of Article 2 of Regulation (EC) No 765/2008;",
+      "article": "2"
+    },
+    {
+      "term": "conformity assessment body",
+      "definition": "a conformity assessment body as defined in point (13) of Article 2 of Regulation (EC) No 765/2008;",
+      "article": "2"
+    },
+    {
+      "term": "standard",
+      "definition": "a standard as defined in point (1) of Article 2 of Regulation (EU) No 1025/2012;",
+      "article": "2"
+    },
+    {
+      "term": "technical specification",
+      "definition": "a document that prescribes the technical requirements to be met by, or conformity assessment procedures relating to, an ICT product, ICT service or ICT process;",
+      "article": "2"
+    },
+    {
+      "term": "assurance level",
+      "definition": "a basis for confidence that an ICT product, ICT service or ICT process meets the security requirements of a specific European cybersecurity certification scheme, indicates the level at which an ICT product, ICT service or ICT process has been evaluated but as such does not measure the security of the ICT product, ICT service or ICT process concerned;",
+      "article": "2"
+    },
+    {
+      "term": "conformity self-assessment",
+      "definition": "an action carried out by a manufacturer or provider of ICT products, ICT services or ICT processes, which evaluates whether those ICT products, ICT services or ICT processes meet the requirements of a specific European cybersecurity certification scheme. TITLE II ENISA (THE EUROPEAN UNION AGENCY FOR CYBERSECURITY) Mandate and objectives",
+      "article": "2"
+    }
+  ]
+}