30 Amendments of Paolo BORCHIA related to 2020/0359(COD)
Amendment 137 #
Proposal for a directive
Recital 30
Recital 30
(30) Access to correct and timely information on vulnerabilities affecting ICT products and services and industrial control systems (ICS) contributes to an enhanced cybersecurity risk management. In that regard, sources of publicly available information on vulnerabilities are an important tool for entities and their users, but also national competent authorities and CSIRTs. For this reason, ENISA should establish a vulnerability registry where, essential and important entities and their suppliers, as well as entities which do not fall in the scope of application of this Directive may, on a voluntary basis, disclose vulnerabilities and provide the vulnerability information that allows users to take appropriate mitigating measures.
Amendment 213 #
Proposal for a directive
Article 2 – paragraph 1
Article 2 – paragraph 1
1. This Directive applies to public and private entities of a type referred to as essential entities in Annex I and as important entities in Annex II, including ICT suppliers providing products and services for critical functions performed by essential or important entities. This Directive does not apply to entities regarded by Member States as non- critical. This Directive does not apply to entities that qualify as micro and small enterprises within the meaning of Commission Recommendation 2003/361/EC.28 _________________ 28 Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium- sized enterprises (OJ L 124, 20.5.2003, p. 36).
Amendment 268 #
Proposal for a directive
Article 4 – paragraph 1 – point 26 a (new)
Article 4 – paragraph 1 – point 26 a (new)
(26a) ‘non-critical entity’ means any entity of a type referred to in Annex I and Annex II which, regardless of its size and resources, has no critical function within a specific sector or type of service and is not highly dependent on other sectors or types of service;
Amendment 270 #
Proposal for a directive
Article 4 – paragraph 1 – point 26 b (new)
Article 4 – paragraph 1 – point 26 b (new)
(26b) ‘critical function' means a network and information system function of an essential or important entity in connection with which disruption to availability, integrity, authenticity and confidentiality will result in a significant failure or deterioration of the functionality of the services provided by the critical or important entity concerned;
Amendment 276 #
Proposal for a directive
Article 5 – paragraph 1 – point b
Article 5 – paragraph 1 – point b
(b) a governance framework to achieve those objectives and priorities, including the policies referred to in paragraph 2 and the roles and responsibilities of public bodies and entities as well as other relevant actors, in particular those with responsibility for specific support for SMEs. The governance framework shall clearly lay down the organisational arrangements for cooperation and coordination between the national competent authorities designated under this Directive, taking account of their specific national circumstances;
Amendment 281 #
Proposal for a directive
Article 5 – paragraph 1 – point e
Article 5 – paragraph 1 – point e
(e) a list of the various authorities and actors involved in the implementation of the national cybersecurity strategy, taking steps to establish a single cybersecurity point of contact for SMEs in order to support them in implementing specific cybersecurity measures;
Amendment 307 #
Proposal for a directive
Article 6 – paragraph 2
Article 6 – paragraph 2
Amendment 333 #
Proposal for a directive
Article 10 – paragraph 2 – point f a (new)
Article 10 – paragraph 2 – point f a (new)
(fa) providing practical and operational guidance for essential and important entities in connection with cybersecurity response and prevention activities, including, in particular, dedicated technical support for SMEs;
Amendment 344 #
Proposal for a directive
Article 12 – paragraph 3 – subparagraph 2
Article 12 – paragraph 3 – subparagraph 2
Amendment 385 #
Proposal for a directive
Article 18 – paragraph 1
Article 18 – paragraph 1
1. Member States shall ensure that essential and important entities, including ICT suppliers providing products and services for critical functions performed by essential or important entities, shall take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which those entities use in the provision of their services. Having regard to the state of the art, those measures shall ensure a level of security of network and information systems appropriate to the risk presented. ICT suppliers shall bear sole liability for non-compliance by providers of essential or important functions with the obligations under this article unless such non-compliance was known to and disregarded by the commissioning authority concerned.
Amendment 390 #
Proposal for a directive
Article 18 – paragraph 2 – point a
Article 18 – paragraph 2 – point a
(a) risk analysis and information system security policies in connection with critical network and information system functions;
Amendment 403 #
Proposal for a directive
Article 18 – paragraph 2 – point g
Article 18 – paragraph 2 – point g
(g) the use, where appropriate, of cryptography and encryption.
Amendment 408 #
Proposal for a directive
Article 18 – paragraph 4
Article 18 – paragraph 4
4. Member States shall ensure that where an entity finds that respectively its services or tasks are not in compliance with the requirements laid down in paragraph 2, it shall, without undue delay, take all necessary corrective measures to bring the service concerned into compliance within a reasonable period and in line with their own interests.
Amendment 415 #
Proposal for a directive
Article 18 – paragraph 5
Article 18 – paragraph 5
5. The Commission may adopt implementingdelegated acts in order to lay down the technical and the methodological specifications of the elements referred to in paragraph 2. Where preparing those acts, the Commission shall proceed in accordance with the examination procedure referred to in Article 37(2) and follow, to the greatest extent possible, international and European standards, as well as relevant technical specifications.
Amendment 428 #
Proposal for a directive
Article 20 – paragraph 1
Article 20 – paragraph 1
1. Member States shall ensure that essential and important entities notify, without undue delay, the competent authorities or the CSIRT in accordance with paragraphs 3 and 4 of any incident having a significant impact on the provision of their services. Where appropriate, those entities shall notify, without undue delay, the recipients of their services of incidents that are likely to adversely affect the provision of that servicewith a confirmed substantial impact. Member States shall ensure that those entities report, among others, the relevanyt information enabling the competent authorities or the CSIRT to determine any cross-border impact of the incident.
Amendment 438 #
Proposal for a directive
Article 20 – paragraph 3 – point b
Article 20 – paragraph 3 – point b
(b) the incident has affected or has the potential to affect other natural or legal persons by causing considerable material or non-material losses. Non-material losses shall include:
Amendment 439 #
Proposal for a directive
Article 20 – paragraph 3 – point b – point i (new)
Article 20 – paragraph 3 – point b – point i (new)
(i) a loss of integrity, authenticity or confidentiality of stored or transmitted or processed data or of the related services offered by an essential or important entity or accessible via a network and an information system;
Amendment 440 #
Proposal for a directive
Article 20 – paragraph 3 – point b – point ii (new)
Article 20 – paragraph 3 – point b – point ii (new)
(ii) a risk to public safety and security or loss of life.
Amendment 443 #
Proposal for a directive
Article 20 – paragraph 4 – subparagraph 1 – introductory part
Article 20 – paragraph 4 – subparagraph 1 – introductory part
4. Member States shall ensure that, for the purpose of the notification under paragraph 1, the entities concerned shall submit to thea competent authoritiesy or the CSIRT:
Amendment 446 #
Proposal for a directive
Article 20 – paragraph 4 – subparagraph 1 – point a
Article 20 – paragraph 4 – subparagraph 1 – point a
(a) without undue delay and in any event within 724 hours after having become aware of the confirmed impact of the incident, an initial notification, which, where applicable, shall indicate whether the incident is presumably caused by unlawful or malicious action;
Amendment 454 #
Proposal for a directive
Article 20 – paragraph 4 – subparagraph 1 – point c – introductory part
Article 20 – paragraph 4 – subparagraph 1 – point c – introductory part
(c) a final report not later than one monthn exhaustive report after the submission of the report under point (a), including at least the following:
Amendment 455 #
Proposal for a directive
Article 20 – paragraph 4 – subparagraph 1 – point c – point i
Article 20 – paragraph 4 – subparagraph 1 – point c – point i
(i) a detailed description of the confirmed incident, its severity and impact;
Amendment 468 #
7. Where public awareness is necessary to prevent an incident or to deal with an ongoing incident, or where disclosure of the incident is otherwise in the public interest, the competent authority or the CSIRT, and where appropriate the authorities or the CSIRTs of other Member States concerned may, after consulting the entity concerned, inform the public on a mutual basis about the incident or require the entity to do so.
Amendment 491 #
Proposal for a directive
Article 21 – paragraph 1
Article 21 – paragraph 1
1. In order to demonstrate compliance with certain requirements of Article 18, Member States may require essenICT suppliers providing products and services for critical andfunctions performed by essential or important entities to certify certain ICT products, ICT services and ICT processes under specific European cybersecurity certification schemes adopted pursuant to Article 49 of Regulation (EU) 2019/881. The products, services and processes subject to certification may be developed by an essential or important entity or procured from third parties.
Amendment 496 #
Proposal for a directive
Article 21 – paragraph 2
Article 21 – paragraph 2
2. The Commission shall be empowered to adopt delegated acts specifying which categories of essentialaking account of ENISA’s opinion, the Commission may adopt delegated acts specifying that ICT suppliers providing products and services for critical functions performed by essential or important entities shall be required to obtain a certificate and under whichidentifying the relevant specific European cybersecurity certification schemes pursuant to paragraph 1. The delegated acts shall be adopted in accordance with Article 36.
Amendment 512 #
Proposal for a directive
Article 24 – paragraph 2
Article 24 – paragraph 2
2. For the purposes of this Directive, entities referred to in paragraph 1 shall be deemed to have their main establishment in the Union in the Member State where the decisions related to the cybersecurity risk management measures are taken. If such decisions are not taken in any establishment in the Union, the main establishment shall be deemed to be in the Member State where the entities have the establishment with the highest number of employees in the Union. operational and management capacities to implement cybersecurity measures.
Amendment 555 #
Proposal for a directive
Article 29 – paragraph 5 – subparagraph 1 – introductory part
Article 29 – paragraph 5 – subparagraph 1 – introductory part
5. Where enforcement actions adopted pursuant to points (a) to (d) and (f) of paragraph (4) prove ineffective, Member States shall ensure that competent authorities have the power to establish a deadline within which the essential entity isor suppliers of products or services for critical functions performed by essential or important entities are requested to take the necessary action to remedy the deficiencies or comply with the requirements of those authorities. If the requested action is not taken within the deadline set, Member States shall ensure that the competent authorities have the power to:
Amendment 558 #
Proposal for a directive
Article 29 – paragraph 5 – subparagraph 1 – point a
Article 29 – paragraph 5 – subparagraph 1 – point a
(a) suspend or request a certification or authorisation body to suspend a certification or authorisation concerning part or all the services or activities provided by an essential entity or related ICT suppliers providing products and services for critical functions performed by essential or important entities;
Amendment 563 #
Proposal for a directive
Article 29 – paragraph 5 – subparagraph 1 – point b
Article 29 – paragraph 5 – subparagraph 1 – point b
(b) impose or request the imposition by the relevant bodies or courts according to national laws of a temporary ban against any person discharging managerial responsibilities at chief executive officer or legal representative level in that essential entity, and of or related ICT suppliers providing products and services for critical functions performed by essential or important entities, and against any other natural person held responsible for the breach, from exercising managerial functions in that entity.
Amendment 567 #
Proposal for a directive
Article 29 – paragraph 5 – subparagraph 2
Article 29 – paragraph 5 – subparagraph 2
These sanctions shall be applied only until the entity or related ICT suppliers providing products and services for critical functions performed by essential or important entities takes the necessary action to remedy the deficiencies or comply with the requirements of the competent authority for which such sanctions were applied.