115 Amendments of Dan NICA related to 2020/0359(COD)
Amendment 95 #
Proposal for a directive
Recital 7
Recital 7
(7) With the repeal of Directive (EU) 2016/1148, the scope of application by sectors should be extended to a larger part of the economy in light of the considerations set out in recitals (4) to (6). The sectors covered by Directive (EU) 2016/1148 should therefore be extended to provide a comprehensive coverage of the sectors and services of vital importance for key societal and economic activities within the internal market. The ruleisk management requirements and reporting obligations should not be different according to whether the entities are operators of essential services or digital service providers. That differentiation has proven obsolete, since it does not reflect the actual importance of the sectors or services for the societal and economic activities in the internal market.
Amendment 97 #
Proposal for a directive
Recital 11
Recital 11
(11) Depending on the sector in which they operate or the type of service they provide, the entities falling within the scope of this Directive should be classified into two categories: essential and important. That categorisation should take into account the level of criticality of the sector or of the type of service, as well as the level of dependency of other sectors or types of services. Both essential and important entities should be subject to the same risk management requirements and reporting obligations. The supervisory and penalty regimes between these two categories of entities should be differentiated to ensure a fair balance between requirements and obligations on one hand, and the administrative burden stemming from the supervision of compliance on the other hand. The provisions of this Directive apply to entities with complex business models or operating environments, whereby an entity may simultaneously fulfil the criteria assigned to both essential and important entities. In order to enable the effective supervision and enforcement of risk management measures and reporting obligations for entities falling within the scope of this Directive, competent authorities or CSIRTs shall enforce the provisions of this Directive to a function or unit level within an entity, in order to appropriately and sufficiently address the level of criticality.
Amendment 102 #
Proposal for a directive
Recital 12
Recital 12
(12) Sector-specific legislation and instruments can contribute to ensuring high levels of cybersecurity, while taking full account of the specificities and complexities of those sectors. Sector- specific legislation and instruments that require essential or important entities to adopt cybersecurity risk management measures, or impose reporting obligations for significant incidents, shall, where possible, be consistent with the terminology, and refer to the definitions in Article 4 of this Directive. Where a sector–specific Union legal act requires essential or important entities to adopt cybersecurity risk management measures or to notify incidents or significant cyber threats of at least an equivalent effect to the obligations laid down in this Directive, and apply to the entirety of the security aspects of the operations and services provided by essential and important entities, those sector-specific provisions, including on supervision and enforcement, should apply. The Commission may issue guidelines in relation to the implementation of the lex specialis. This Directive does not preclude the adoption of additional sector- specific Union acts addressing cybersecurity risk management measures and incident notifications. This Directive is without prejudice to the existing implementing powers that have been conferred to the Commission in a number of sectors, including transport and energy.
Amendment 108 #
Proposal for a directive
Recital 15
Recital 15
(15) Upholding and preserving a reliable, resilient and secure domain name system (DNS) is a key factor in maintaining the integrity of the Internet and is essential for its continuous and stable operation, on which the digital economy and society depend. Therefore, this Directive should apply to all providers of DNS services along the DNS resolution chain, including operators of root name servers, top-level-domain (TLD) name servers, authoritative nametop-level- domain (TLD) name servers, public and open recursive domain name resolution services, and authoritative domain name resolution services. This Directive should not apply to decentralised servicers for domain names and recursive resolwhich centralised administration does not exist, such as the root name servers.
Amendment 111 #
Proposal for a directive
Recital 17 a (new)
Recital 17 a (new)
(17a) The edge ecosystem is an emerging vector susceptible to cyber threats and a growing trend with attacks targeting devices — such as routers, switches, and firewalls — is having a significant impact to both enterprises and to the connected digital ecosystem in its entirety. Edge computing ecosystems delivered in a highly distributed form are essential for the development of the Internet of Things (IoT), the Industrial Internet of Things (IIoT) and the sectoral ecosystems of connected devices such as connectivity infrastructure and autonomous vehicles. IoT devices may potentially offer additional attack surfaces and allow threats and attacks to trickle from the device to the network or the cloud. Poor security of IoT devices or IoT gateways can potentially hinder the security of the entire connectivity chain and the data flows towards the edge and the cloud, consequentially affecting the overall security of the ecosystem.
Amendment 112 #
Proposal for a directive
Recital 17 b (new)
Recital 17 b (new)
(17b) The continuous increase of computing power combined with the rising levels of maturity of exponential technologies such as machine learning (ML) and artificial intelligence (AI) enable the development of advanced cybersecurity capabilities for real-time detection, analysis, containment and response to cyber threats in a rapidly evolving threat landscape. AI tools and applications are used to develop security controls including, but not limited to, active firewalls, smart antivirus, automated CTI (cyber threat intelligence) operations, AI fuzzing, smart forensics, email scanning, adaptive sandboxing, and automated malware analysis.
Amendment 113 #
Proposal for a directive
Recital 17 c (new)
Recital 17 c (new)
(17c) Data-driven tools and applications powered by AI-enabled systems require the processing of large amounts of data, which may include personal data. Risks persist in the entire lifecycle of AI- enabled systems in cybersecurity- enhancing tools and applications, and in order to mitigate risks of unduly interference with the rights and freedoms of individuals, the requirements of data protection by design and by default laid down in Article 25 of Regulation (EU) 2016/679 shall be applied. Integrating appropriate safeguards such as pseudonymisation, encryption, data accuracy, and data minimisation in the design and use of AI-enabled systems deployed in cybersecurity applications and processes is essential to mitigate the risks that such systems may pose on personal data.
Amendment 114 #
Proposal for a directive
Recital 17 d (new)
Recital 17 d (new)
(17d) Member States should adopt policies on the promotion and integration of AI-enabled systems in the prevention and detection of cybersecurity incidents and threats as part of their national cybersecurity strategies. Such policies should emphasise the technological and operational measures including, but not limited to, workflow automation, streaming analytics, active monitoring, intelligent prediction and advanced network threat detection, in order to accelerate the analysis, validation and prioritisation of threats. ENISA’s National Capabilities Assessment Framework (NCAF) can assist in the evaluation and alignment of Member States’ policies building on available use cases and key performance indicators. Moreover, an assessment of Member States’ capabilities and overall level of maturity as regards the integration of AI- enabled systems in cybersecurity should be factored in the methodological construction of the cybersecurity index within the meaning of ENISA’s report on the state of cybersecurity in the Union under Article 15 of this Directive.
Amendment 115 #
Proposal for a directive
Recital 17 e (new)
Recital 17 e (new)
(17e) Open-source cybersecurity tools contribute to a higher degree of transparency and have a positive impact on the efficiency of industrial innovation. Open standards facilitate interoperability between security tools, benefitting the security of industrial stakeholders, enabling the diversification of reliance from a single supplier or vendor, and leading to a more comprehensive CTI framework. Semi-automation of CTI production is an important tool to reduce the number of manual steps underpinning the analysis of CTI. The use of AI and ML within CTI should be further explored to increase the value of machine learning functions within CTI activities.
Amendment 116 #
Proposal for a directive
Recital 17 f (new)
Recital 17 f (new)
(17f) Member States should develop a policy for the integration of open-source tools in public administration, and further explore measures to incentivise the wider adoption of open-source software by developing strategies to address and minimise the legal and technical risks that entities are faced with, as regards licensing and the necessary levels of technical support. Such policies are of particular importance for small and medium-sized enterprises (SMEs) facing significant costs for implementation, which can be minimised by reducing the need for specific applications or tools.
Amendment 121 #
Proposal for a directive
Recital 21 a (new)
Recital 21 a (new)
(21a) Public-Private Partnerships (PPPs) in the field of cybersecurity can provide the right framework for knowledge exchange, sharing of best practices and the establishment of a common level of understanding amongst all stakeholders. Goal-oriented and service outsourcing PPPs foster a culture of cybersecurity at the Member State level, and leverage the exchange and transfer of expertise, thus raising cybersecurity awareness and the overall level of reciprocal support between public and private entities. Hybrid PPPs enable governments to assign either the operation, or the delivery of service- specific functions, of a CSIRT to an experienced entity facilitating the access of public administrations to private sector resources, and increasing the levels of trust between stakeholders by establishing a proactive attitude in case of incidents or crises.
Amendment 122 #
Proposal for a directive
Recital 21 b (new)
Recital 21 b (new)
(21b) Member States should adopt policies underpinning the establishment of cybersecurity-specific PPPs as part of their national cybersecurity strategies. These policies should clarify, among others, the scope and stakeholders involved, the governance model, the available funding options, and the interaction among participating stakeholders. PPPs can leverage the expertise of private sector entities to support Member States’ competent authorities in developing state-of-the art services and processes including, but not limited to, information exchange, early warnings, cyber threat and incident exercises, crisis management, and resilience planning.
Amendment 130 #
Proposal for a directive
Recital 26 a (new)
Recital 26 a (new)
(26a) Cyber hygiene policies provide the foundations for protecting network and information system infrastructures, hardware, software and online application security, and business or end-user data which entities rely on. Cyber hygiene policies comprising a common baseline set of practices including, but not limited to, software and hardware updates, password changes, management of new installs, limitation of administrator-level access accounts, and backing up of data, enable a proactive framework of preparedness and overall safety and security in the event of incidents or threats.
Amendment 131 #
Proposal for a directive
Recital 26 b (new)
Recital 26 b (new)
(26b) Member States should adopt policies to promote cyber hygiene as part of their national cybersecurity strategies. Such policies should build on cyber hygiene controls and programmes that are affordable and accreditable in order to minimise the cost of implementation, especially for SMEs, and encourage wider compliance thereto by both public and private entities. ENISA should monitor and assess Member States’ cyber hygiene policies, and explore EU wide schemes to enable cross-border checks ensuring equivalence independent of Member State requirements.
Amendment 132 #
Proposal for a directive
Recital 28
Recital 28
(28) Since the exploitation of vulnerabilities in network and information systems may cause significant disruption and harm, swiftly identifying and remedying those vulnerabilities is an important factor in reducing cybersecurity risk. Entities that develop such systems should therefore establish appropriate procedures to handle vulnerabilities when they are discovered. Since vulnerabilities are often discovered and reported (disclosed) by third parties (reporting entities), the manufacturer or provider of ICT products or services should also put in place the necessary procedures to receive vulnerability information from third parties. In this regard, international standards ISO/IEC 30111 and ISO/IEC 29417 provide guidance on vulnerability handling and vulnerability disclosure respectively. As regards vulnerability disclosure, coordination between reporting entities and manufacturers or providers of ICT products or services is particularly important. CVoluntary coordinated vulnerability disclosure specifies a structured process through which vulnerabilities are reported to organisations in a manner allowing the organisation to diagnose and remedy the vulnerability before detailed vulnerability information is disclosed to third parties or to the public. Coordinated vulnerability disclosure should also comprise coordination between the reporting entity and the organisation as regards the timing of remediation and publication of vulnerabilities. Strengthening the coordination and timely exchange of relevant information between the manufacturer or provider of ICT products or services and the reporting entities is essential to facilitate the voluntary framework of vulnerability disclosure.
Amendment 133 #
Proposal for a directive
Recital 29
Recital 29
(29) Member States should therefore take measures to facilitate coordinated vulnerability disclosure by establishing a relevant national policy. In this regard, Member States should designate a CSIRT to take the role of ‘coordinator’, acting as an intermediary between the reporting entities and the manufacturers or providers of ICT products or services, where necessarythe reporting entity, or the manufacturer or the provider of ICT products or services, engages a third-party coordinator to assist with the disclosure process. The tasks of the CSIRT coordinator should, in particular, include identifying and contacting concerned entities, supporting reporting entities, negotiating disclosure timelines, and managing vulnerabilities that affect multiple organisations (multi- party vulnerability disclosure). Where vulnerabilities affect multiple manufacturers or providers of ICT products or services established in more than one Member State, the designated CSIRTs from each of the affected Member States should cooperate within the CSIRTs Network.
Amendment 139 #
Proposal for a directive
Recital 31
Recital 31
(31) Although similar vulnerability registries or databases do exist, these are hosted and maintained by entities which are not established in the Union. A European vulnerability registry maintained by ENISA would provide improved transparency regarding the publication process before the vulnerability is officially disclosed, and resilience in cases of disruptions or interruptions on the provision of similar services. To avoid duplication of efforts and seek complementarity to the extent possible, ENISA should explore the possibility of entering into structured cooperation agreements with similar registries in third country jurisdictions. ENISA could play a more central management role either by exploring the option of becoming a “Root CVE Numbering Authority” in the global Common Vulnerabilities and Exposures (CVE) registry, or setting up a database to leverage the existing CVE programme for vulnerability identification and registration to enable interoperability and reference between the European and third country jurisdiction registries.
Amendment 142 #
Proposal for a directive
Recital 35
Recital 35
(35) The competent authorities and CSIRTs should be empowered to participate in exchange schemes for officials from other Member States, within structured rules and mechanisms underpinning the scope and, where applicable, the required security clearance of officials participating in such exchange schemes, in order to improve cooperation. The competent authorities should take the necessary measures to enable officials from other Member States to play an effective role in the activities of the host competent authority or CSIRT.
Amendment 144 #
Proposal for a directive
Recital 38
Recital 38
Amendment 145 #
Proposal for a directive
Recital 39
Recital 39
Amendment 147 #
Proposal for a directive
Recital 40
Recital 40
(40) Risk-management measures should include measures to identify any risks of incidents, to prevent, detect and handle, respond to, attribute, and recover from incidents, and to mitigate their impact. The security of network and information systems should comprise the security of stored, transmitted and processed data.
Amendment 149 #
Proposal for a directive
Recital 43
Recital 43
(43) Addressing cybersecurity risks stemming from an entity’s supply chain and its relationship with its suppliers is particularly important given the prevalence of incidents where entities have fallen victim to cyber-attacks and where malicious actors were able to compromise the security of an entity’s network and information systems by exploiting vulnerabilities affecting third party products and services. Entities should thereforeevaluate their own cybersecurity capabilities and pursue the integration of cybersecurity enhancing technologies driven by AI or machine learning systems to automate their capabilities and the protection of network architectures. Entities should also assess and take into account the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures.
Amendment 153 #
Proposal for a directive
Recital 44
Recital 44
(44) Among service providers, managed security services providers (MSSPs) in areas such as incident response, penetration testing, security audits and consultancy play a particularly important role in assisting entities in their efforts to prevent, detect and respond to incidents. Those MSSPs have however also been the targets of cyberattacks themselves and through their close integration in the operations of operators pose a particular cybersecurity risk. Entities should therefore exercise increased diligence in selecting an MSSP, not only in terms of the close operational integration but also as regards the need for such outsourced activities involving personal data by a controller to be in full compliance with Regulation (EU) 2016/679, in particular the processing by a processor on behalf of a controller.
Amendment 156 #
Proposal for a directive
Recital 46
Recital 46
(46) To further address key supply chain risks and assist entities operating in sectors covered by this Directive to appropriately manage supply chain and supplier related cybersecurity risks, the Cooperation Group involving relevant national authorities, in cooperation with the Commission and ENISA, and in consultation with the European Data Protection Board (EDPB), should carry out coordinated sectoral supply chain risk assessments, as was already done for 5G networks following Recommendation (EU) 2019/534 on Cybersecurity of 5G networks21 , with the aim of identifying per sector which are the critical ICT services, systems or products, relevant threats and vulnerabilities. Particular emphasis should be placed on ICT services, systems or products subject to specific requirements, in particular in third country jurisdictions serving as the country of origin. _________________ 21Commission Recommendation (EU) 2019/534 of 26 March 2019 Cybersecurity of 5G networks (OJ L 88, 29.3.2019, p. 42).
Amendment 160 #
Proposal for a directive
Recital 47
Recital 47
(47) The supply chain risk assessments, in light of the features of the sector concerned, should take into account both technical and, where relevant, non- technical factors including those defined in Recommendation (EU) 2019/534, in the EU wide coordinated risk assessment of 5G networks security and in the EU Toolbox on 5G cybersecurity agreed by the Cooperation Group. To identify the supply chains that should be subject to a coordinated risk assessment, the following criteria should be taken into account: (i) the extent to which essential and important entities use and rely on specific critical ICT services, systems or products; (ii) the relevance of specific critical ICT services, systems or products for performing critical or sensitive functions, including the processing of personal data; (iii) the availability of alternative ICT services, systems or products; (iv) the resilience of the overall supply chain of ICT services, systems or products against disruptive events across the entire lifecycle of the service, system or product and (v) for emerging ICT services, systems or products, their potential future significance for the entities’ activities. Such risk assessments should identify best practices for managing risks associated with risks in the ICT supply chain and explore ways to further incentivise their wider adoption by entities within each sector under examination.
Amendment 164 #
Proposal for a directive
Recital 50
Recital 50
(50) Given the growing importance of number-independent interpersonal communications services, it is necessary to ensure that such services are also subject to appropriate security requirements in view of their specific nature and economic importance. Providers of such services should thus also ensure a level of security of network and information systems appropriate to the risk posed. Given that providers of number-independent interpersonal communications services normally do not exercise actual control over the transmission of signals over networks, the degree of risk to network security for such services can be considered in some respects to be lower than for traditional electronic communications services. The same applies to interpersonal communications services which make use of numbers and which do not exercise actual control over signal transmission. However, as the attack surface continues to expand, number-independent interpersonal communications services including, but not limited to, social media messengers, are becoming popular attack vectors. Malicious actors use platforms to communicate and attract victims to open compromised web pages, therefore increasing the likelihood of incidents involving the exploitation of personal data, and by extension, the security of information systems.
Amendment 173 #
Proposal for a directive
Recital 54
Recital 54
(54) In order to safeguard the security of electronic communications networks and services, the use of encryption, and in particular end-to-end encryption, should be promoted and, where necessary, should be mandatory for providers of such services and networks in accordance with the principles of security and privacy by default and by design for the purposes of Article 18. The use of end-to-end encryption should be reconciled with the Member State’ powers to ensure the protection of their essential security interests and public security, and to permit the investigation, detection and prosecution of criminal offences in compliance with Union law. Solutions for lawful access to information in end-to-end encrypted communications should maintain tThe effectiveness of encryption in protecting the privacy and security of communications, while provid must not be undermined ing an effective response to crimey circumstance, as any loophole in encryption is open to be explored or exploited by actors, regardless of their legitimacy or intent.
Amendment 175 #
Proposal for a directive
Recital 54 a (new)
Recital 54 a (new)
(54a) Any measures aimed at weakening encryption or circumventing the technology’s architecture may incur significant risks to the effective protection capabilities it entails, thus inevitably compromising the protection of personal data and privacy, resulting in an overall loss of trust in security controls. Any unauthorised decryption, reverse engineering of encryption code, or monitoring of electronic communications outside clear legal authorities should be prohibited to ensure the effectiveness of the technology and its wider use. The cases where encryption can be used to mitigate risks related to non-compliant data transfers as presented in EDPB Recommendations 01/2020 may enable stronger encryption, whether in transit or at rest, for providers of such services and networks for the purposes of Article 18.
Amendment 177 #
Proposal for a directive
Recital 55
Recital 55
(55) This Directive lays down a twohree- stage approach to incident reporting in order to strike the right balance between, on the one hand, swift reporting that helps mitigate the potential spread of incidents and allows entities to seek support, and, on the other hand, in-depth reporting that draws valuable lessons from individual incidents and improves over time the resilience to cyber threats of individual companies and entire sectors. Where entities become aware of an incident, theycompanies and entire sectors. In this regard, the Directive should also include reporting of incidents that, based on an initial assessment performed by the entity, may be assumed to lead to substantial operational disruption or financial losses or affect other natural or legal persons by causing considerable material or non- material losses. The initial assessment should take into account amongst others, the affected network and information systems and, in particular, their importance in the provision of the entity’s services, the severity and technical characteristics of the cyber threat, and any underlying vulnerabilities that are being exploited, as well as the entity’s experience with similar incidents. Where entities become aware of an incident, they should provide an early warning within 24 hours, without any obligation to disclose additional information. Entities should be required to submit an initial notification within 724 hours, followed by a finalcomprehensive report not later than one month after the incident has been handled. The initial incident notification should only include the information strictly necessary to make the competent authorities aware of the incident antimeline of 72 hours should not preclude entities from reporting incidents earlier, therefore allowing entities to seek support from competent authorities or CSIRTs swiftly, and enabling competent authorities or CSIRTs to mitigate the potential spread of the reported incident. Where an incident requires a longer period to be handled, an entity should be required to submit regular reports on the mitigation measures in place to contain, respond to, attribute and recover from the incident, and a comprehensive report not later than one month after the incident has been handled. The initial notification should allow the entity to seek assistance, if required. Such notification, where applicable, should indicate whether the incident is presumably caused by unlawful or malicious action. Member States should ensure that the requirement to submit this initial notification does not divert the reporting entity’s resources from activities related to incident handling that should be prioritised. To further prevent that incident reporting obligations either divert resources from incident response handling or may otherwise compromise the entities efforts in that respect, Member States should also provide that, in duly justified cases and in agreement with the competent authorities or the CSIRT, the entity concerned can deviate from the deadlines of 724 hours for the initial notification and one month for the finalcomprehensive report.
Amendment 183 #
Proposal for a directive
Recital 60
Recital 60
(60) The availability and timely accessibility of these data to public authorities, domain name registration data to legitimate access seekers is essential to protect the online ecosystem, prevent DNS abuse, detect and prevent crime and fraud, protect minors, protect intellectual property, and protect against hate speech. For the purposes of this Directive, legitimate access seekers are natural or legal persons making a justified request on the basis of a legitimate interest under Union or national law to access DNS data, and they may includinge competent authorities under Union or national law for the prevention, investigation or prosecution of criminal offences, CERTs, (CSIRTs, and as regards the data of their clients to, providers of electronic communications networks and services and providers of cybersecurity technologies and services acting on behalf of those clients, is essential to prevent and combat Domain Name System abuse, in particular to prevent, detect and respond to cybersecurity incidents. Such access should comply with Union data protection law insofar as it is related to personal data.
Amendment 185 #
Proposal for a directive
Recital 61
Recital 61
(61) In order to ensure the availability of accurate and complete domain name registration data, TLD registries and the entities providing domain name registration services for the TLD (so-called registrars) should collect and guarantee the integrity and availability of domain names registration data. In particular, TLD registries and the entities providing domain name registration services for the TLD should establish policies and procedures to collect and maintain accurate and complete registration data, as well as to prevent and correct inaccurate registration data in accordance with Union data protection rules.
Amendment 187 #
Proposal for a directive
Recital 62
Recital 62
(62) TLD registries and the entities providing domain name registration services for them shouldshould be required to make publically available domain name registration data that fall outside the scope of Union data protection rules, such as data that concernof legal persons25 . TLD registries and the entities providing domain name registration services for the TLD should also enable lawful access to specific domain name registration data concerning natural persons to legitimate access seekers, in accordance with Union data protection law. Member States should ensure that TLD registries and the entities providing domain name registration services for them should respond without undue delayin 72 hours to requests from legitimate access seekers for the disclosure of domain name registration data. TLD registries and the entities providing domain name registration services for them should establish policies and procedures for the publication and disclosure of registration data, including service level agreements to deal with requests for access from legitimate access seekers. The access procedure may also include the use of an interface, portal or other technical tool to provide an efficient system for requesting and accessing registration data. With a view to promoting harmonised practices across the internal market, the Commission may adopt guidelines on such procedures without prejudice to the competences of the European Data Protection Board. _________________ 25REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL recital (14) whereby “this Regulation does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person”.
Amendment 195 #
Proposal for a directive
Recital 69
Recital 69
(69) The processing of personal data, to the extent strictly necessary and proportionate for the purposes of ensuring network and information security by essential and important entities, public authorities, CERTs, CSIRTs, and providers of security technologies and services shoulis necessary to comply with a legal obligation under this Directive and constitutes a legitimate interest of the data controller concerned, as referred to in point (c) paragraph 1, and point (f) paragraph 1 respectively of Article 6 of Regulation (EU) 2016/679. That should include measures related to the prevention, detection, analysis and response to incidents, measures to raise awareness in relation to specific cyber threats, exchange of information in the context of vulnerability remediation and coordinated disclosure, as well as the voluntary exchange of information on those incidents, as well as cyber threats and vulnerabilities, indicators of compromise, tactics, techniques and procedures, cybersecurity alerts and configuration tools. Such measures may require the processing of the following types of personal data: IP addresses, uniform resources locators (URLs), domain names, and email addresses.
Amendment 199 #
Proposal for a directive
Recital 71
Recital 71
(71) In order to make enforcement effective, a minimum list of administrative sanctions for breach of the cybersecurity risk management and reporting obligations provided by this Directive should be laid down, setting up a clear and consistent framework for such sanctions across the Union. Due regard should be given to the nature, gravity and duration of the infringement, the actual damage caused or losses incurred or potential damage or losses that could have been triggered, the intentional or negligent character of the infringement, actions taken to prevent or mitigate the damage and/or losses suffered, the degree of responsibility or any relevant previous infringements, the degree of cooperation with the competent authority and any other aggravating or mitigating factor. The imposition of penalties including administrative fines should be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter of Fundamental Rights of the European Union, including effective judicial protection and due process.
Amendment 201 #
Proposal for a directive
Recital 76
Recital 76
(76) In order to further strengthen the effectiveness and dissuasiveness of the penalties applicable to infringements of obligations laid down pursuant to this Directive, the competent authorities should be empowered to apply sanctions consisting of the, where applicable, the temporary suspension of a certification or authorisation concerning part or all the services provided by an essential entity, and the imposition of a temporary ban from the exercise of managerial functions by a natural personagainst any person discharging managerial responsibilities at chief executive officer or legal representative level in that essential entity from exercising managerial functions in that entity. This provision shall not apply to public administration entities as referred to in this Directive. Given their severity and impact on the entities’ activities and ultimately on their consumers, such sanctions should only be applied proportionally to the severity of the infringement and taking account of the specific circumstances of each case, including the intentional or negligent character of the infringement, actions taken to prevent or mitigate the damage and/or losses suffered. Such sanctions should only be applied as ultima ratio, meaning only after the other relevant enforcement actions laid down by this Directive have been exhausted, and only for the time until the entities to which they apply take the necessary action to remedy the deficiencies or comply with the requirements of the competent authority for which such sanctions were applied. The imposition of such sanctions shall be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter of Fundamental Rights of the European Union, including effective judicial protection, due process, presumption of innocence and right of defence.
Amendment 206 #
Proposal for a directive
Recital 79
Recital 79
(79) A peer-review mechanism should be introduced, allowing the assessment by experts designated by the Member States and ENISA of the implementation of cybersecurity policies, including the level of Member States’ capabilities and available resources, and provide an effective path for the transfer of cybersecurity-enhancing technologies, mechanisms and processes between and among competent authorities or CSIRTs.
Amendment 231 #
Proposal for a directive
Article 2 – paragraph 5 a (new)
Article 2 – paragraph 5 a (new)
5a. As regards the processing of personal data, essential and important entities as well as competent authorities, CERTs, and CSIRTs, shall process personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security in accordance with the obligations set out in this Directive. Where the processing of personal data is required for the purpose of cybersecurity and network and information security in accordance with the provisions set out in Article 18 and Article 20 of the Directive, including the provisions set out in Article 23, that processing is considered necessary for compliance with a legal obligation in accordance with paragraph1(c) of Article 6 of Regulation (EU) 2016/679.
Amendment 233 #
Proposal for a directive
Article 2 – paragraph 5 b (new)
Article 2 – paragraph 5 b (new)
5b. For the purposes of arrangements underpinning cybersecurity information- sharing and voluntary notification of information as set out in Articles 26 and 27 of this Directive, the processing of personal data constitutes a legitimate interest of the data controller concerned in accordance with paragraph 1(f) of Article 6 of Regulation (EU) 2016/679.
Amendment 235 #
Proposal for a directive
Article 2 – paragraph 5 c (new)
Article 2 – paragraph 5 c (new)
5c. As regards the processing of personal data from essential entities providing services of public electronic communications networks or publicly available electronic communications referred to in point 8 of Annex I and point (a)(i) of paragraph2(1), such processing of personal data required for the purposes of ensuring network and information security shall be in compliance with the provisions set out in Directive 2002/58/EC.
Amendment 238 #
Proposal for a directive
Article 2 – paragraph 6
Article 2 – paragraph 6
6. Sector-specific acts that require essential or important entities either to adopt cybersecurity risk management measures or to notify incidents or significant cyber threats, shall, where possible, refer to the definitions in Article 4 of this Directive. Where provisions of sector–specific acts of Union law require essential or important entities either to adopt cybersecurity risk management measures or to notify incidents or significant cyber threats, and where those requirements are at least equivalent in effect to the obligations laid down in this Directive, the relevant provisions of this Directive, including the provision on supervision and enforcement laid down in Chapter VI, shall not apply.
Amendment 243 #
Proposal for a directive
Article 4 – paragraph 1 – point 4 a (new)
Article 4 – paragraph 1 – point 4 a (new)
(4a) ‘near miss’ means an event which could have caused harm, but was successfully prevented from fully transpiring;
Amendment 247 #
Proposal for a directive
Article 4 – paragraph 1 – point 6
Article 4 – paragraph 1 – point 6
(6) ‘incident handling’ means all actions and procedures aiming at prevention, detection, analysis, attribution, and containment of and a response to an incident;
Amendment 248 #
Proposal for a directive
Article 4 – paragraph 1 – point 7 a (new)
Article 4 – paragraph 1 – point 7 a (new)
(7a) ‘risk’ means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of that incident;
Amendment 250 #
Proposal for a directive
Article 4 – paragraph 1 – point 13
Article 4 – paragraph 1 – point 13
(13) ‘domain name system (DNS)’ means a hierarchical distributed naming system which allows end-users to reach services and resources on the internetenables the identification of internet services and resources, allowing end-user devices to utilise internet routing and connectivity services, to reach those services and resources;
Amendment 253 #
Proposal for a directive
Article 4 – paragraph 1 – point 14
Article 4 – paragraph 1 – point 14
(14) ‘DNS service provider’ means an entity that provides recursive or authoritative domain name resolution services to internet end-users and other DNS service provider: a) open and public recursive domain name resolution services; or b) authoritative domain name resolution services as a service procurable by third-party entities;
Amendment 255 #
Proposal for a directive
Article 4 – paragraph 1 – point 15
Article 4 – paragraph 1 – point 15
(15) ‘top–level domain name registry’ means an entity which has been delegated a specific TLD and is responsible for administering the TLD including the registration of domain names under the TLD and the technical operation of the TLD, including the operation of its name servers, the maintenance of its databases and the distribution of TLD zone files across name servers, irrespective of whether any of those operations are being performed by the entity or are outsourced;
Amendment 256 #
Proposal for a directive
Article 4 – paragraph 1 – point 15 a (new)
Article 4 – paragraph 1 – point 15 a (new)
(15a) ‘legitimate access seekers’ means any natural or legal person, including competent authorities under Union or national law for the prevention, investigation or prosecution of criminal offences, CSIRTs, CERTs, providers of electronic communications networks and services, and providers of cybersecurity technologies and services, seeking DNS data upon a justified request on the basis of Union or national law for the purposes of preventing DNS abuse, detecting and preventing crime and fraud, protecting minors, protecting intellectual property, and protecting against hate speech;
Amendment 257 #
Proposal for a directive
Article 4 – paragraph 1 – point 22
Article 4 – paragraph 1 – point 22
(22) ‘social networking services platform’ means a platform that enables end-users to connect, share, discover and communicate with each other via number- independent interpersonal communications services across multiple devices, and in particular, via chats, posts, videos and recommendations);
Amendment 272 #
Proposal for a directive
Article 5 – paragraph 1 – introductory part
Article 5 – paragraph 1 – introductory part
1. Each Member State shall adopt a national cybersecurity strategy defining the strategic objectives and, the required technical, organisational, and financial resources to achieve those objectives, and the appropriate policy and regulatory measures, with a view to achieving and maintaining a high level of cybersecurity. The national cybersecurity strategy shall include, in particular, the following:
Amendment 277 #
Proposal for a directive
Article 5 – paragraph 1 – point b
Article 5 – paragraph 1 – point b
(b) a governance framework to achieve those objectives and priorities, including the policies referred to in paragraph 2, and an appropriate framework defining the roles and responsibilities of public bodies and entities as well as other relevant actors, underpinning the cooperation and coordination, at the national level, between the competent authorities designated under Articles 7(1) and 8(1), the single point of contact designated under Article 8(3), and the CSIRTs designated under Article 9;
Amendment 284 #
Proposal for a directive
Article 5 – paragraph 2 – point a a (new)
Article 5 – paragraph 2 – point a a (new)
(aa) guidelines addressing cybersecurity in the supply chain for ICT products and services used by entities outside the scope of this Directive, and in particular supply chain challenges faced by SMEs;
Amendment 287 #
Proposal for a directive
Article 5 – paragraph 2 – point d a (new)
Article 5 – paragraph 2 – point d a (new)
(da) a policy on promoting the integration of open-source tools and applications;
Amendment 288 #
Proposal for a directive
Article 5 – paragraph 2 – point d b (new)
Article 5 – paragraph 2 – point d b (new)
(db) a policy to promote and support the development and integration of AI and other emerging technologies in cybersecurity-enhancing tools and applications;
Amendment 289 #
Proposal for a directive
Article 5 – paragraph 2 – point e
Article 5 – paragraph 2 – point e
(e) a policy on promoting and developing cybersecurity skills, awareness raising and research and development initiatives, including targeted policies addressing issues relating to gender representation and balance in the aforementioned areas;
Amendment 290 #
Proposal for a directive
Article 5 – paragraph 2 – point e a (new)
Article 5 – paragraph 2 – point e a (new)
(ea) a policy to promote cyber hygiene programmes comprising a baseline set of practices and controls;
Amendment 293 #
Proposal for a directive
Article 5 – paragraph 2 – point f a (new)
Article 5 – paragraph 2 – point f a (new)
(fa) a policy, including relevant procedures and governance frameworks, to support and promote the establishment of cybersecurity PPPs;
Amendment 301 #
3. Member States shall notify their national cybersecurity strategies to the Commission within three months from their adoption. Member States may exclude specific information from the notification where and to the extent that it is strictly necessary to preserve national security.
Amendment 302 #
Proposal for a directive
Article 5 – paragraph 4
Article 5 – paragraph 4
4. Member States shall assess their national cybersecurity strategies at least every four years on the basis of key performance indicators and, where necessary, amend them. The European Union Agency for Cybersecurity (ENISA) shall assist Member States, upon request, in the development of a national strategy and of key performance indicators for the assessment of the strategy. ENISA shall provide guidance to Member States in order to align their already formulated national cybersecurity strategies with the requirements and obligations set out in this Directive.
Amendment 311 #
Proposal for a directive
Article 6 – paragraph 2
Article 6 – paragraph 2
2. ENISA shall develop and maintain a European vulnerability registry. To that end, ENISA shall establish and maintain the appropriate information systems, policies and procedures, and the necessary technical and organisational measures to ensure the security and integrity of the registry, with a view in particular to enabling important and essential entities and their suppliers of network and information systems, as well as entities excluded from the scope of this Directive, and their suppliers, to disclose and register vulnerabilities present in ICT products or ICT services, as well as to provide access to the information on vulnerabilities contained in the registry to all interested parties, enabling all parties and in particular, the users of the ICT products or ICT services concerned to adopt appropriate mitigating measures. The registry shall, in particular, include information describing the vulnerability, the affected ICT product or ICT services and the severity of the vulnerability in terms of the circumstances under which it may be exploited, and the availability of related patches and, in the absence of available patches, guidance addressed to users of vulnerable products and services as to how the risks resulting from disclosed vulnerabilities may be mitigated.
Amendment 314 #
Proposal for a directive
Article 7 – paragraph 1 a (new)
Article 7 – paragraph 1 a (new)
1a. Where a Member State designates more than one competent authorities referred to in paragraph1, it should clearly indicate which of these competent authorities shall serve as the main point of contact for the management of large- scale incidents and crises.
Amendment 320 #
Proposal for a directive
Article 9 – paragraph 2
Article 9 – paragraph 2
2. Member States shall ensure that each CSIRT has adequate resources and the technical capabilities necessary to carry out effectively their tasks as set out in Article 10(23).
Amendment 325 #
Proposal for a directive
Article 10 – paragraph 1 – point c
Article 10 – paragraph 1 – point c
(c) CSIRTs shall be equipped with an appropriate system for managclassifying, routing, and routtracking requests, in particular, to facilitate effective and efficient handovers;
Amendment 326 #
(ca) CSIRTs shall have appropriate codes of conduct in place to ensure the confidentiality and trustworthiness of their operations;
Amendment 327 #
Proposal for a directive
Article 10 – paragraph 1 – point e
Article 10 – paragraph 1 – point e
(e) CSIRTs shall be equipped with redundant systems and backup working space to ensure continuity of its services, including full-spectrum connectivity across networks, information systems and services, and devices;
Amendment 328 #
Proposal for a directive
Article 10 – paragraph 1 – point e a (new)
Article 10 – paragraph 1 – point e a (new)
(ea) CSIRTs shall have appropriate descriptions of the skillsets required by staff to meet the technical capabilities necessary to perform assigned tasks;
Amendment 329 #
Proposal for a directive
Article 10 – paragraph 1 – point e b (new)
Article 10 – paragraph 1 – point e b (new)
(eb) CSIRTs shall have appropriate internal training frameworks and, where suitable, relevant policies to support external technical training of staff in order to reinforce a culture of continuous improvement;
Amendment 330 #
Proposal for a directive
Article 10 – paragraph 1 a (new)
Article 10 – paragraph 1 a (new)
1a. CSIRTs shall develop the following technical capabilities to perform their tasks: (a) The ability to conduct real-time monitoring of networks and information systems, and anomaly detection; (b) The ability to support penetration prevention operations including, in particular, the detection and analysis of sophisticated cyber threats; (c) The ability to collect and conduct complex forensic data analysis, and reverse engineering of cyber threats; (d) The ability to filter harmful communication content including, but not limited to, malicious e-mails; (e) The ability to protect data, including personal and sensitive data, from unauthorised exfiltration; (f) The ability to enforce strong authentication and access privileges; (g) The ability to analyse and attribute cyber threats.
Amendment 352 #
Proposal for a directive
Article 13 – paragraph 3 – point a a (new)
Article 13 – paragraph 3 – point a a (new)
(aa) facilitating the transfer of technology and relevant measures, policies and frameworks among the CSIRTs;
Amendment 353 #
Proposal for a directive
Article 13 – paragraph 3 – point g – point v
Article 13 – paragraph 3 – point g – point v
(v) contribution to the national cybersecurity incident and crisis response plan referred to in Article 7 (34);
Amendment 364 #
Proposal for a directive
Article 15 – paragraph 1 – point a a (new)
Article 15 – paragraph 1 – point a a (new)
(aa) the general level of cybersecurity awareness amongst citizens and consumers, the security of consumer- facing connected devices, and the security of digital public services and the respective digital infrastructures through which such services are offered to citizens;
Amendment 368 #
Proposal for a directive
Article 15 – paragraph 1 – point c b (new)
Article 15 – paragraph 1 – point c b (new)
(cb) the alignment of Member States’ national cybersecurity strategies referred to in Article 5, including the level of convergence of key performance indicators for the assessment of the strategies.
Amendment 369 #
Proposal for a directive
Article 15 – paragraph 2
Article 15 – paragraph 2
2. The report shall include the obstacles identified at the national level, particular policy recommendations for increasing the level of cybersecurity across the Union, and a summary of the findings for the particular period from the Agency’s EU Cybersecurity Technical Situation Reports issued by ENISA in accordance with Article 7(6) of Regulation (EU) 2019/881.
Amendment 370 #
Proposal for a directive
Article 15 – paragraph 2 a (new)
Article 15 – paragraph 2 a (new)
2a. ENISA, in cooperation with the Commission and with guidance from the Cooperation Group and the CSIRTs network, shall prepare the methodological specifications, including the relevant variables underpinning the scoring and validation of the cybersecurity index referred to in paragraph 1(e).
Amendment 372 #
Proposal for a directive
Article 16 – paragraph 1 – introductory part
Article 16 – paragraph 1 – introductory part
1. The Commission shall establish, after consulting the Cooperation Group and ENISA, and at the latest by 18 months following the entry into force of this Directive, the methodology and content of a peer-review system for assessing the effectiveness of the Member States’ cybersecurity policies. ENISA shall develop templates for the self-assessment of the reviewed aspects, which Member States being reviewed shall complete and provide to designated experts prior to the commencement of the peer-review process. The reviews shall be conducted by cybersecurity technical experts drawn from ENISA and at least two Member States different than the one reviewed and shall cover at least the following:
Amendment 374 #
Proposal for a directive
Article 16 – paragraph 1 – point iii
Article 16 – paragraph 1 – point iii
(iii) the operationtechnical capabilities and effectiveness of CSIRTs; in executing their tasks;
Amendment 375 #
Proposal for a directive
Article 16 – paragraph 2
Article 16 – paragraph 2
2. The methodology shall include objective, non-discriminatory, fair and transparent criteria on the basis of which the Member States shall designate experts eligible to carry out the peer reviews. The Commission, supported by ENISA, shall develop appropriate codes of conduct underpinning the work methods of designated experts participating in peer- reviews to safeguard the confidentiality of information obtained through the peer- review process, and the non-disclosure of such information to any third parties. ENISA and the Commission shall designate experts to participate as observers in the peer-reviews. The Commission, supported by ENISA, shall establish within the methodology as referred to in paragraph 1 an objective, non-discriminatory, fair and transparent system for the selection and the random allocation of experts for each peer review.
Amendment 376 #
Proposal for a directive
Article 16 – paragraph 4
Article 16 – paragraph 4
4. Peer reviews shall entail actual or virtual on-site visits and off-site exchanges. In view of the principle of good cooperation, the designated experts tasked with carrying out the peer-review shall communicate the aspects under review as referred to in paragraph 1, including any additional targeted issues specific to the Member State or sectors referred to in paragraph 3, and request a corresponding self-assessment report from the Member States being reviewed. The Member States being reviewed shall provide the designated experts with the requested information necessary for the assessment of the reviewed aspects. Any information obtained through the peer review process shall be used solely for that purpose. The experts participating in the peer review shall not disclose any sensitive or confidential information obtained in the course of that review to any third parties.
Amendment 378 #
Proposal for a directive
Article 16 – paragraph 6
Article 16 – paragraph 6
6. Member States shall ensure that any risk of conflict of interests concerning the designated experts are revealed to the other Member States, the Commission and ENISA without undue delay, before the designation of experts referred to in paragraphs 1 and 2.
Amendment 379 #
Proposal for a directive
Article 16 – paragraph 7
Article 16 – paragraph 7
7. Experts participating in peer reviews shall draft reports on the findings and conclusions of the reviews. The reports shall include recommendations to enable improvement on the aspects covered by the peer-review process, including recommendations on the transfer of technologies, tools, measures, and processes from Member States carrying out the peer-review to the Member State being reviewed. The reports shall be submitted to the Commission, the Cooperation Group, the CSIRTs network and ENISA. The reports shall be discussed in the Cooperation Group and the CSIRTs network. The reports may be published on the dedicated website of the Cooperation Group.
Amendment 383 #
Proposal for a directive
Article 17 – paragraph 2
Article 17 – paragraph 2
2. Member States shall ensure that members of the management body follow specific trainingof essential and important entities follow specific trainings, and shall encourage essential and important entities to offer similar trainings to all employees, on a regular basis, to gain sufficient knowledge and skills in order to apprehend and assess cybersecurity risks and management practices and their impact on the operations of the entity.
Amendment 389 #
Proposal for a directive
Article 18 – paragraph 1
Article 18 – paragraph 1
1. Member States shall ensure that essential and important entities shall take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which those entities use infor their operations or for the provision of their services. Having regard to the state of the art, those measures shall ensure a level of security of network and information systems appropriate to the risk presented.
Amendment 391 #
Proposal for a directive
Article 18 – paragraph 2 – point b
Article 18 – paragraph 2 – point b
(b) incident handling (prevention, detection, andmitigation, response to, recovery from, and attribution of incidents);
Amendment 394 #
Proposal for a directive
Article 18 – paragraph 2 – point c
Article 18 – paragraph 2 – point c
(c) business continuity, disaster recovery and crisis management;
Amendment 399 #
Proposal for a directive
Article 18 – paragraph 2 – point f a (new)
Article 18 – paragraph 2 – point f a (new)
(fa) deployment of secured voice, video and text communications, and of secured emergency communications systems within the entity;
Amendment 424 #
Proposal for a directive
Article 20 – paragraph 1
Article 20 – paragraph 1
1. Member States shall ensure that essential and important entities notify, without undue delay, the competent authorities or the CSIRT in accordance with paragraphs 32 and 43 of any incident having a significant impact on. Where the incident concerns the provisions of their services. Where appropriate, those entities shall notify, without undue delay, the recipientsentities’ services, those entities shall notify affected users about the unavailability or underlying risks of use of their services of incidents that are likely to adversely affect the provision of that service in order to mitigate the adverse effects of the incident. Essential and important entities may deviate from notifying affected users in case of overriding reasons inducing, but not limited to, that notification worsening the impact of an ongoing incident. Member States shall ensure that those entities report, among others, any information enabling the competent authorities or the CSIRT to determine any cross-border impact of the incident. The notification shall not make the notifying entity subject to increased liability.
Amendment 431 #
Proposal for a directive
Article 20 – paragraph 2 – subparagraph 1
Article 20 – paragraph 2 – subparagraph 1
Amendment 433 #
Proposal for a directive
Article 20 – paragraph 2 – subparagraph 2
Article 20 – paragraph 2 – subparagraph 2
Amendment 445 #
Proposal for a directive
Article 20 – paragraph 4 – subparagraph 1 – point -a (new)
Article 20 – paragraph 4 – subparagraph 1 – point -a (new)
(-a) an early warning within 24 hours after having become aware of an incident, without any obligations on the entity concerned to disclose additional information regarding the incident;
Amendment 448 #
Proposal for a directive
Article 20 – paragraph 4 – subparagraph 1 – point a
Article 20 – paragraph 4 – subparagraph 1 – point a
(a) without undue delay and in any event within 724 hours after having become aware of the incident, an initial notification, which, where applicable, shall indicate whether the incident is presumably caused by unlawful or malicious action;
Amendment 453 #
Proposal for a directive
Article 20 – paragraph 4 – subparagraph 1 – point c – introductory part
Article 20 – paragraph 4 – subparagraph 1 – point c – introductory part
(c) a finalcomprehensive report not later than one month after the submission of the report under point (a), including at least the following:
Amendment 463 #
Proposal for a directive
Article 20 – paragraph 5
Article 20 – paragraph 5
5. The competent national authorities or the CSIRT shall provide, within 24 hours after receiving the initial notification referred to in point (ab) of paragraph 43, a response to the notifying entity, including initial feedback on the incident and, upon request of the entity, guidance on the implementation of possible mitigation measures. Where the CSIRT did not receive the notification referred to in paragraph 1 , the guidance shall be provided by the competent authority in collaboration with the CSIRT. The CSIRT shall provide additional technical support if the concerned entity so requests. Where the incident is suspected to be of criminal nature, the competent national authorities or the CSIRT shall also provide guidance on reporting the incident to law enforcement authorities.
Amendment 471 #
Proposal for a directive
Article 20 – paragraph 8
Article 20 – paragraph 8
8. At the request of the competent authority or the CSIRT, the single point of contact shall forward notifications received pursuant to paragraphs 1 and 2 1 to the single points of contact of other affected Member States. In compliance with Union law, or in accordance with Member State legislation compliant with Union law, the single point of contact shall preserve the security and commercial interests of the essential or important entity reporting the incident, including the confidentiality of the information provided by the reporting entity in the notification of the incident, when forwarding the notification to the single points of contact of other affected Member States.
Amendment 475 #
Proposal for a directive
Article 20 – paragraph 9
Article 20 – paragraph 9
9. The single point of contact shall submit to ENISA on a monthly basis a summary report including anonymised and aggregated data on incidents, significant cyber threats and near misses notified in accordance with paragraphs 1 and 2 and in accordance withof this Article, and Article 27. In order to contribute to the provision of comparable information, ENISA may issue technical guidance on the parameters of the information included in the summary report.
Amendment 478 #
Proposal for a directive
Article 20 – paragraph 10
Article 20 – paragraph 10
10. Competent authorities shall provide to the competent authorities designated pursuant to Directive (EU) XXXX/XXXX [Resilience of Critical Entities Directive] information on incidents and cyber threats notified in accordance with paragraphs 1 and 2 by essential entities identified as critical entities, or as entities equivalent to critical entities, pursuant to Directive (EU) XXXX/XXXX [Resilience of Critical Entities Directive].
Amendment 481 #
Proposal for a directive
Article 20 – paragraph 10 a (new)
Article 20 – paragraph 10 a (new)
10a. ENISA, in cooperation with the Cooperation Group, shall develop common incident notification templates by [date of transposition deadline of the Directive], to streamline the reporting obligations of essential and important entities, and simplify the sharing of relevant information referred to in point (b) of paragraph 1 of this Article.
Amendment 483 #
Proposal for a directive
Article 20 – paragraph 11
Article 20 – paragraph 11
11. The Commission, may adopt implementing acts further specifying the type of information, the format and the procedure of a notification submitted pursuant to paragraphs 1 and 2. The Commission may also adopt implementing shall be empowered to adopt delegated acts to further specifying the cases in which an incident shall be considered significant as referred to in paragraph 3. Those implementing acts shall be adopte2, and in accordance with the examination procedureercise of delegation power referred to in Article 37(2)6.
Amendment 488 #
Proposal for a directive
Article 21 – paragraph 1
Article 21 – paragraph 1
1. In order to demonstrate compliance with certain requirements of Article 18, Member States may requirand following guidance from ENISA, the Commission, and the Cooperation Group, Member States shall encourage essential and important entities to certify certain ICT products, ICT services and ICT processes, developed either by the essential and important entities or procured from third parties, under specific European cybersecurity certification schemes adopted pursuant to Article 49 of Regulation (EU) 2019/881. The products, services and processes subject to certification may be developed by an essential or important entity or procured from third parti, or under equivalent and internationally accepted certification schemes.
Amendment 502 #
Proposal for a directive
Article 23 – paragraph 1
Article 23 – paragraph 1
1. For the purpose of contributing to the security, stability and resilience of the DNS, Member States shall ensure that TLD registries and the entities providing domain name registration services for the TLD shall collect and maintain accurate and complete domain name registration data in a dedicated database facility with due diligence subject to Union data protection law as regards data which are personal data.
Amendment 505 #
Proposal for a directive
Article 23 – paragraph 4
Article 23 – paragraph 4
4. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD publish, without undue delaymake publicly available, within 72 hours after the registration of a domain name, domain registration data which are not personal dataof legal persons as registrants.
Amendment 507 #
Proposal for a directive
Article 23 – paragraph 5
Article 23 – paragraph 5
5. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD provide access to specific domain name registration data upon lawful and, including personal data, upon duly justified requests of legitimate access seekers, in compliance with Union data protection law. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD reply without undue delayreply within 72 hours to all requests for access. Member States shall ensure that policies and procedures to disclose such data are made publicly available. The Commission may adopt implementing acts laying out the requirements to be demonstrated by legitimate access seekers to TLD registries and entities providing domain name registration services before access to specific domain name registration data is granted. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 37(2).
Amendment 518 #
Proposal for a directive
Article 25 – paragraph 1 – introductory part
Article 25 – paragraph 1 – introductory part
1. ENISA shall create and maintain a registry for essential and important entities referred to in Article 24(1). ENISA shall establish appropriate information classification and management protocols to ensure the security and confidentiality of disclosed information, and restrict the access, storage, and transmission of such information to intended users. The entities shall submit the following information to ENISA by [12 months after entering into force of the Directive at the latest]:
Amendment 523 #
Proposal for a directive
Article 26 – paragraph 1 – introductory part
Article 26 – paragraph 1 – introductory part
1. Without prejudice to Regulation (EU) 2016/679, Member States shall ensure that essential and important entities may exchange relevant cybersecurity information among themselves including information relating to cyber threats, near misses, vulnerabilities, indicators of compromise, tactics, techniques and procedures, cybersecurity alerts and configuration tools, where such information sharing:
Amendment 528 #
Proposal for a directive
Article 26 – paragraph 2
Article 26 – paragraph 2
2. Member States shall ensure thfacilitate the exchange of information takes place withinby enabling the establishment of trusted communities of essential and important entities. Such exchange shall be implemented through information sharing arrangements in respect of the potentially sensitive nature of the information shared and in compliance with the rules of Union law referred to in paragraph 1.
Amendment 529 #
Proposal for a directive
Article 26 – paragraph 3
Article 26 – paragraph 3
3. Member States shall set out rules specifying the procedure,facilitate information sharing by making operational elements (including the use of dedicated ICT platforms), and content and conditionsvailable of the information sharing arrangements referred to in paragraph 2. Such rul, and may impose certain conditions on the information made available by competent authorities or CSIRTs. Member States shall also lay down the details of the involvement of public authorities in such arrangements, as well as operational elements, including the use of dedicated IT platforms. Member States shall offer support to the application of such arrangements in accordance with their policies referred to in Article 5(2) (g(l).
Amendment 546 #
Proposal for a directive
Article 29 – paragraph 2 – point c
Article 29 – paragraph 2 – point c
(c) targeted security audits based on risk assessments orperformed by the competent authorities, risk assessments performed by the audited entity, or in the absence thereof, risk-related available information;
Amendment 552 #
Proposal for a directive
Article 29 – paragraph 4 – point i
Article 29 – paragraph 4 – point i
Amendment 557 #
Proposal for a directive
Article 29 – paragraph 5 – subparagraph 1 – point a
Article 29 – paragraph 5 – subparagraph 1 – point a
(a) where applicable, temporarily suspend or request a certification or authorisation body to temporarily suspend a certification or authorisation concerning part or all the services or activities provided by an essential entity until the entity takes the necessary action to remedy the deficiencies or comply with the requirements of the competent authority for which such sanctions were applied;
Amendment 565 #
Proposal for a directive
Article 29 – paragraph 5 – subparagraph 1 – point b
Article 29 – paragraph 5 – subparagraph 1 – point b
(b) impose or request the imposition by the relevant bodies or courts according to national laws of a temporary ban against any person discharging managerial responsibilities at chief executive officer or legal representative level in that essential entity, and of any other natural person held responsible for the breach, from exercising managerial functions in that entity from exercising managerial functions in that entity. This provision shall not apply to public administration entities as referred to in point (23) of Article 4.
Amendment 566 #
Proposal for a directive
Article 29 – paragraph 5 – subparagraph 2
Article 29 – paragraph 5 – subparagraph 2
Amendment 570 #
Proposal for a directive
Article 29 – paragraph 7 – point c
Article 29 – paragraph 7 – point c
(c) the actual damage caused or losses incurred or potential damage or losses that could have been triggered, insofar as they can be determined. Where evaluating this aspect, account shall be taken, amongst others, of actual or potentialincluding financial or economic losses, effects on other services, and the number of users affected or potentially affected;
Amendment 574 #
Proposal for a directive
Article 30 – paragraph 2 – point b
Article 30 – paragraph 2 – point b
(b) targeted security audits based on risk assessments orperformed by the competent authority, risk assessments performed by the audited entity, or in the absence thereof, risk-related available information;
Amendment 575 #
Proposal for a directive
Article 30 – paragraph 2 – point c
Article 30 – paragraph 2 – point c
(c) security scans based on objective, non-discriminatory, fair and transparent risk assessment criteria;
Amendment 577 #
Proposal for a directive
Article 30 – paragraph 4 – point h
Article 30 – paragraph 4 – point h
Amendment 582 #
Proposal for a directive
Article 32 – paragraph 1
Article 32 – paragraph 1
1. Where the competent authorities have indications that the infringement by an essential or important entity of the obligations laid down in Articles 18 and 20 entails a personal data breach, as defined by Article 4(12) of Regulation (EU) 2016/679 which shall be notified pursuant to Article 33 of that Regulation, they shall inform the supervisory authorities competent pursuant to Articles 55 and 56 of that Regulation within a reasonable period of timeout undue delay.
Amendment 586 #
Proposal for a directive
Article 35 – paragraph 1 a (new)
Article 35 – paragraph 1 a (new)
As regards Digital Providers referred to in point (6) of Annex II, where platforms operated by such important entities are classified as very large online platforms within the meaning of Article 25 of Regulation (EU) XXXX/XXXX [Single Market For Digital Services (Digital Services Act) and amending Directive 2000/31/EC], or where the providers of core platform services are designated as gatekeepers within the meaning of Article 3 of Regulation (EU) XXXX/XXXX [Contestable and fair markets in the digital sector (Digital Markets Act)], these providers shall be designated as essential entities within the meaning of this Directive to adequately address the functioning of the economy and society in relation to cybersecurity, given the systemic risk stemming from the functioning and use made of their services in the Union, or the important gateway function that their core platform services serve for business users to reach end users.