24 Amendments of Ioannis A. TSOUKALAS related to 2013/0027(COD)
Amendment 131
Proposal for a directive
Recital 2
(2) The magnitude, frequency and impact of deliberate or accidental security incidents is increasing and represents a major threat to the functioning of networks and information systems. Such incidents can impede the pursuit of economic activities, generate substantial financial losses, undermine user confidence and cause major damage to the economy of the Union.
Amendment 135
Proposal for a directive
Recital 4
(4) A cooperation mechanism should be established at Union level to allow for information exchange and coordinated prevention, detection and response regarding network and information security (‘NIS’). For that mechanism to be effective and inclusive, it is essential that all Member States have minimum capabilities and a strategy ensuring a high level of NIS in their territory. Minimum security requirements should also apply to public administrations and operators of critical information infrastructure to promote a culture of risk management and ensure that the most serious incidents are reported.
Amendment 143
Proposal for a directive
Recital 6
(6) The existing capabilities are not sufficient enough to ensure a high level of NIS within the Union. Member States have very different levels of preparedness leading to fragmented approaches across the Union. This leads to an unequal level of protection of consumers and businesses, and undermines the overall level of NIS within the Union. Lack of common minimum requirements on public administrations and market operators in turn makes it impossible to set up a global and effective mechanism for cooperation at Union level and undermines the Union's leading position internationally in safeguarding and promoting a free, efficient and secure internet.
Amendment 145
Proposal for a directive
Recital 7
(7) Responding effectively to the challenges of the security of network and information systems therefore requires a global approach at Union level covering common minimum capacity building and planning requirements, developing sufficient cybersecurity skills, exchange of information and coordination of actions, and common minimum security requirements for all market operators concerned and public administrations.
Amendment 149
Proposal for a directive
Recital 9
(9) To achieve and maintain a common high level of security of network and information systems, each Member State should have a national NIS strategy defining the strategic objectives and concrete policy actions to be implemented. NIS cooperation plans complying with essential requirements need to be developed at national level in order to reach capacity response levels allowing for effective and efficient cooperation at national and Union level in case of incidents. Member States may ask for the assistance of the European Network and Information Security Agency ('ENISA') in developing their national NIS strategies, based on a common minimum NIS strategy blueprint.
Amendment 159
Proposal for a directive
Recital 12
(12) Building upon the significant progress within the European Forum of Member States (‘EFMS’) in fostering discussions and exchanges on good policy practices including the development of principles for European cyber crisis cooperation, the Member States and the Commission should form a network, under the coordination of ENISA, to bring them into permanent communication and support their cooperation. This secure and effective cooperation mechanism should enable structured and coordinated information exchange, detection and response at Union level.
Amendment 164
Proposal for a directive
Recital 14
(14) A secure information-sharing infrastructure should be put in place, under the supervision of ENISA, to allow for the exchange of sensitive and confidential information within the cooperation network. Without prejudice to their obligation to notify incidents and risks of Union dimension to the cooperation network, access to confidential information from other Member States should only be granted to Member States upon demonstration that their technical, financial and human resources and processes, as well as their communication infrastructure, guarantee their effective, efficient and secure participation in the network.
Amendment 168
Proposal for a directive
Recital 16
(16) To ensure transparency and properly inform EU citizens and market operators, a common website should be set up by ENISA and the competent authorities where non confidential information on the incidents and risks is to be published.
Amendment 174
Proposal for a directive
Recital 18
(18) On the basis in particular of national crisis management experiences and in cooperation with ENISA, the Commission and the Member States should develop a Union NIS cooperation plan defining cooperation mechanisms, best practices and operation patterns to counter risks and incidents. That plan should be duly taken into account in the operation of early warnings within the cooperation network.
Amendment 177
Proposal for a directive
Recital 20
(20) Upon receipt of an early warning and its assessment, the competent authorities should agree on a coordinated response under the Union NIS cooperation plan. Competent authorities, ENISA, as well as the Commission should be informed about the measures adopted at national level as a result of the coordinated response.
Amendment 178
Proposal for a directive
Recital 22
(22) Responsibilities in ensuring NIS lie to a great extent on public administrations and market operators. A culture of risk management and close cooperation, involving risk assessment, and the implementation of security measures appropriate to the risks faced should be promoted and developed through appropriate regulatory requirements and voluntary industry practices. Establishing a level playing field is also essential to the effective functioning of the cooperation network to ensure effective cooperation from all Member States.
Amendment 183
Proposal for a directive
Recital 25
(25) Technical and organisational measures imposed to public administrations and market operators should not require that a particular commercial information and communications technology product be designed, developed or manufactured in a particular manner. On the other hand, the use of international standards pertaining to cybersecurity should be required.
Amendment 190
Proposal for a directive
Recital 29
(29) Competent authorities should have the necessary means to perform their duties, including powers to obtain sufficient information from market operators and public administrations in order to assess the level of security of network and information systems, measure the number, scale and scope of incidents, as well as reliable and comprehensive data about actual incidents that have had an impact on the operation of network and information systems.
Amendment 194
Proposal for a directive
Recital 30
(30) Criminal or cyberwar activities are in many cases underlying an incident. The criminal nature of incidents can be suspected even if the evidence to support it may not be sufficiently clear from the start. In this context, appropriate co-operation between competent authorities, law enforcement authorities and defence institutions should form part of an effective and comprehensive response to the threat of security incidents. In particular, promoting a safe, secure and more resilient environment requires a systematic reporting of incidents of a suspected serious criminal nature to law enforcement authorities and of possible cyberwar incidents to defence institutions. The serious criminal nature of incidents should be assessed in the light of EU laws on cybercrime.
Amendment 196
Proposal for a directive
Recital 32
(32) Standardisation of security requirements is a market-driven process. To ensure a convergent application of security standards, Member States should encourage compliance or conformity with specified standards to ensure a high level of security at Union level. To this end, it might be necessary to draft harmonised standards, which should be done in accordance with Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council Decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (29). International standards pertaining to cybersecurity should be carefully vetted in order to ensure that they have not been compromised and that they provide adequate levels of security, thus safeguarding that the mandated compliance with cybersecurity standards enhances the overall level of cybersecurity of the Union and not the contrary.
(29) OJ L 316, 14.11.2012, p. 12.
Amendment 201
Proposal for a directive
Recital 37
(37) In the application of this Directive, the Commission should liaise as appropriate with relevant sectorial committees and relevant bodies set up at EU level in particular in the field of e-Government, energy, transport and health.
Amendment 233
Proposal for a directive
Article 5 – paragraph 1 – point e a (new)
(ea) Member States may ask for the assistance of the European Network and Information Security Agency ('ENISA') in developing their national NIS strategies and national NIS cooperation plans, based on a common minimum NIS strategy and cooperation blueprint.
Amendment 243
Proposal for a directive
Article 7 – paragraph 5 a (new)
5 a. Member States may ask for the assistance of the European Network and Information Security Agency ('ENISA') or of other Member States in developing their national CERT.
Amendment 245
Proposal for a directive
Article 8 – paragraph 1
1. The competent authorities and the Commission shall form a network (‘cooperation network’), under the coordination of ENISA, to cooperate against risks and incidents affecting network and information systems.
Amendment 250
Proposal for a directive
Article 8 – paragraph 2
2. The cooperation network shall bring into permanent communication the Commission and the competent authorities. The European Network and Information Security Agency (‘ENISA’) shall assist the cooperation network by providing its expertise and advice.
Amendment 267
Proposal for a directive
Article 9 – paragraph 1
1. The exchange of sensitive and confidential information within the cooperation network shall take place through a secure infrastructure operated under the supervision of ENISA.
Amendment 269
Proposal for a directive
Article 10 – paragraph 1 – introductory part
1. The competent authorities or the Commission, under the coordination of ENISA, shall provide early warnings within the cooperation network on those risks and incidents that fulfil at least one of the following conditions:
Amendment 356
Proposal for a directive
Annex 2 – paragraph 1 – point 5
5. Cloud computing and storage services
Amendment 362
Proposal for a directive
Annex 2 – paragraph 1 – point 6 a (new)
6a. High Performance Computing infrastructures