Activities of Miapetra KUMPULA-NATRI related to 2022/0085(COD)
Shadow reports (1)
REPORT on the proposal for a regulation of the European Parliament and of the Council laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union
Shadow opinions (1)
OPINION on the proposal for a regulation of the European Parliament and of the Council laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union
Amendments (30)
Amendment 55
Proposal for a regulation
Article 1 – paragraph 1 – point a
(a) obligations on Union institutions, bodies, offices and agencies to establish an internal cybersecurity risk management, governance and control framework;
Amendment 56
Proposal for a regulation
Article 1 – paragraph 1 – point c
(c) rules on the organisation and operation of the Cybersecurity Centre for the Union institutions, bodies, offices and agencies (CERT-EU) and on the functioning, organisation and operation of the Interinstitutional Cybersecurity Board (IICB).
Amendment 57
Proposal for a regulation
Article 2 a (new)
Article 2a
Processing of personal data
The processing of personal data under this Regulation by CERT-EU, the IICB and all Union institutions, bodies, offices and agencies shall be carried out in accordance with Regulation (EU) 2018/1725 of the European Parliament and of the Council.
Amendment 58
Proposal for a regulation
Article 3 – paragraph 1 – point 2
(2) ‘network and information system’ means network and information system as defined in Article 6, point (1), of Directive [proposal NIS 2];
Amendment 59
Proposal for a regulation
Article 3 – paragraph 1 – point 4
(4) ‘cybersecurity’ means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881 of the European Parliament and of the Council1a;
_________________
1a Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (OJ L 151, 7.6.2019, p. 15).
Amendment 60
Proposal for a regulation
Article 3 – paragraph 1 – point 5
(5) ‘highest level of management’ means a manager, management or coordination and oversight body at the most senior administrative level with a mandate to make or authorise decisions, taking account of the high-level governance arrangements in each Union institution, body or agency;
Amendment 61
Proposal for a regulation
Article 3 – paragraph 1 – point 8
(8) ‘major incident’ means any incident which causes a level of disruption that exceeds CERT-EU’s or any individual Union institution, body, office or agency’s capacity to respond to it, or which has a significant impact on at least two Union institutions, bodies, offices or agencies;
Amendment 62
Proposal for a regulation
Article 3 – paragraph 1 – point 11
(11) ‘significant cyber threat’ means a cyber threat as defined in Article 6, point (11), of Directive [proposal NIS 2];
Amendment 63
Proposal for a regulation
Article 3 – paragraph 1 – point 14
(14) ‘cybersecurity risk’ means risk as defined in Article 6(9) of Directive [proposal NIS 2];
Amendment 64
Proposal for a regulation
Article 3 – paragraph 1 – point 14 a (new)
(14a) ‘ICT environment’ means any on-premise or virtual ICT product, ICT service and ICT process as defined in Article 2 of Regulation (EU) 2019/881, and any network and information system, whether owned and operated by a Union institution, body, office or agency, or hosted or operated by a third party, including mobile devices, corporate networks, business networks not connected to the internet and any devices connected to the ICT environment;
Amendment 74
Proposal for a regulation
Article 5 – paragraph 2
2. The senior management of each Union institution, body and agency shall follow specific training on a regular basis to gain sufficient knowledge and skills in order to apprehend and assess cybersecurity risk and management practices and their impact on the operations of the organisation, with proper resources.
Amendment 75
Proposal for a regulation
Article 5 – paragraph 2 a (new)
2a. Regular cybersecurity training of the entire staff pool shall be included in the cybersecurity plan and updated at least every two years. Sufficient resources shall be ensured to provide quality training.
Amendment 99
Proposal for a regulation
Article 19 – paragraph -1 (new)
-1. Union entities may voluntarily provide CERT-EU with information on cyber threats, incidents, near misses and vulnerabilities affecting them. CERT-EU shall ensure that efficient means of communication are available for the purpose of facilitating information sharing with the Union entities. CERT-EU may prioritise the processing of mandatory notifications over voluntary notifications.
Amendment 100
Proposal for a regulation
Article 19 – paragraph 1
1. To enable CERT-EU to perform its mission and tasks as defined in Article 12, CERT-EU may request Union entities to provide it with information from their respective IT system inventories, including information relating to cyber threats, near misses, vulnerabilities, indicators of compromise, cybersecurity alerts and recommendations regarding configuration of cybersecurity tools to detect cyber incidents. The requested entity shall transmit the requested information, and any subsequent updates thereto, without undue delay.
Amendment 102
Proposal for a regulation
Article 19 – paragraph 2
2. The Union entities, upon request from CERT-EU and without undue delay, shall provide it with digital information created by the use of electronic devices involved in their respective incidents. CERT-EU may further clarify which types of such digital information it requires for situational awareness and incident response.
Amendment 103
Proposal for a regulation
Article 19 – paragraph 3
3. CERT-EU may only exchange incident-specific information which reveals the identity of the Union entities affected by the incident with the consent of that entity. Where consent is withheld, the entity concerned shall provide duly justified reasons to CERT-EU.
Amendment 104
Proposal for a regulation
Article 19 – paragraph 4
4. The sharing obligations shall not extend to EU Classified Information (EUCI) and to information that a Union institution, body or agency has received from a Member State Security or Intelligence Service or law enforcement agency, the distribution of which beyond the recipient Union entity has been excluded by the source of the information by means of a visible marking, unless the source of the information explicitly allows this information to be shared with CERT-EU.
Amendment 105
Proposal for a regulation
Article 20 – title
Amendment 106
Proposal for a regulation
Article 20 – paragraph -1 (new)
-1. An incident shall be considered to be significant if:
(a) it has caused or is capable of causing severe operational disruption to the functioning of the Union entity or financial loss for the Union entity concerned;
(b) it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.
Amendment 107
Proposal for a regulation
Article 20 – paragraph 1 – subparagraph 1
All Union entities shall submit to CERT-EU:
Amendment 109
Proposal for a regulation
Article 20 – paragraph 1 – subparagraph 1 – point a (new)
(a) without undue delay and in any event within 24 hours after having become aware of the significant incident, an early warning, which, where applicable, shall indicate whether the significant incident is presumably caused by unlawful or malicious action and has or could have a cross-border impact;
Amendment 110
Proposal for a regulation
Article 20 – paragraph 1 – subparagraph 1 – point b (new)
(b) without undue delay and in any event within 72 hours after having become aware of the significant incident, an incident notification, which, where applicable, shall update the information referred to in subparagraph (a) and indicate an initial assessment of the significant incident, its severity and impact, as well as where available, the indicators of compromise;
Amendment 111
Proposal for a regulation
Article 20 – paragraph 1 – subparagraph 1 – point c (new)
(c) upon the request of CERT-EU, an intermediate report on relevant status updates;
Amendment 112
Proposal for a regulation
Article 20 – paragraph 1 – subparagraph 1 – point d (new)
(d) a final report not later than one month after submitting the significant incident notification under point (b), including at least the following:
(i) a detailed description of the significant incident, its severity and impact;
(ii) the type of threat or root cause that likely triggered the significant incident;
(iii) applied and ongoing mitigation measures;
(iv) where applicable, the cross-border impact of the significant incident;
Amendment 113
Proposal for a regulation
Article 20 – paragraph 1 – subparagraph 1 – point e (new)
(e) in cases of ongoing significant incidents at the time of the submission of the final report referred to in point (d), a progress report at that time and a final report within one month after the incident has been handled.
Amendment 115
Proposal for a regulation
Article 20 – paragraph 2
Amendment 118
Proposal for a regulation
Article 20 – paragraph 2 a (new)
2a. All Union entities shall share the information reported in accordance with paragraph 1 within the same timeline with any relevant national counterparts referred to in Article 16(1) where it is located.
Amendment 120
Proposal for a regulation
Article 20 – paragraph 3
3. CERT-EU shall submit to ENISA, the IICB, the EU INTCEN and the CSIRTs Network every three months a summary report including anonymised and aggregated data on significant cyber threats, vulnerabilities in accordance with Article 19, Union entities’ replies to calls for action in accordance with Article 13(1), point (a), and significant incidents notified in accordance with paragraph 1. That report shall constitute an input to the biennial report on the state of cybersecurity in the Union under Article 18 of the (NIS 2) Directive.
Amendment 121
Proposal for a regulation
Article 20 – paragraph 4
4. The IICB shall, by ... [6 months after the date of entry into force of this Regulation], issue guidance documents or recommendations further specifying the modalities, format and content of the reporting. The guidance documents or recommendations shall duly take into account the provisions being implemented by any implementing acts according to Article 23(11) of Directive [proposal NIS 2]. CERT-EU shall disseminate the appropriate technical details to enable proactive detection, incident response or mitigating measures by Union entities.
Amendment 123
Proposal for a regulation
Article 20 – paragraph 5
5. The reporting obligations shall not extend to EUCI and to information that a Union institution, body or agency has received from a Member State Security or Intelligence Service or law enforcement agency, the distribution of which beyond the recipient Union entity has been excluded by the source of the information by means of a visible marking, unless the source of the information explicitly allows this information to be shared with CERT-EU.