105 Amendments of Maria GRAPINI related to 2020/0359(COD)
Amendment 12 #
Proposal for a directive
Recital 8
(8) In accordance with Directive (EU) 2016/1148, Member States were responsible for determining which entities meet the criteria to qualify as operators of essential services (‘identification process’). In order to eliminate the wide divergences among Member States in that regard and ensure legal certainty for the risk management requirements and reporting obligations for all relevant entities, a uniform criterion should be established that determines the entities falling within the scope of application of this Directive. That criterion should consist of the application of the size-cap rule, whereby all medium and large enterprises, as defined by Commission Recommendation 2003/361/EC15, that operate within the sectors or provide the type of services covered by this Directive, fall within its scope. Member States should not be required to establish a list of the entities that meet this generally applicable size-related criterion. The Commission, together with the Member States and stakeholders, should develop guidelines that enable Member States to identify in a harmonised way which entities in selected sectors should be designated as essential or important entities and which entities would be considered smaller entities with a high security risk profile. Those guidelines should take into account the diverse nature of the entities, as they vary in size and in activities performed, and as their strategic importance may vary.
_________________
15 Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (OJ L 124, 20.5.2003, p. 36).
Amendment 13 #
Proposal for a directive
Recital 8 a (new)
(8 a) Guidelines should serve as a basis to define which ports in a given Member State should be designated as essential entities. Those guidelines should be developed by the Commission in close cooperation with the Member States and the stakeholders and should take into account the diverse nature of European ports, as they vary in size and in activities performed, and as their strategic importance in a given Member State may vary.
Amendment 16 #
Proposal for a directive
Recital 10
(10) The Commission, in cooperation with the Cooperation Group and industry stakeholders, may issue guidelines on the implementation of the criteria applicable to micro and small enterprises.
Amendment 17 #
Proposal for a directive
Recital 11 a (new)
(11 a) Some entities, such as ports, are complex ecosystems with many different stakeholders. The Commission, in close cooperation with the Member States and stakeholders, should therefore develop guidelines that enable Member States to define in a harmonized way which aspects of an entity should be protected and therefore subjected to the obligations set out in this Directive.
Amendment 21 #
Proposal for a directive
Recital 18 a (new)
(18 a) Given that the roll-out of autonomous mobility will bring considerable benefits, but also entails a variety of new risks, namely regarding road traffic safety, cybersecurity, intellectual property rights, data protection and data access issues, technical infrastructure, standardisation, and employment, it is of crucial importance to ensure that the EU legal framework adequately responds to those challenges and effectively manages all risks posed to the security of network and information systems.
Amendment 22 #
Proposal for a directive
Recital 18 b (new)
Amendment 27 #
Proposal for a directive
Recital 34
(34) The Cooperation Group should remain a flexible forum and be able to react to changing and new policy priorities and challenges while taking into account the availability of resources. It should organize regular joint meetings with relevant private stakeholders from across the Union to discuss activities carried out by the Group and gather input on emerging policy challenges. In order to enhance cooperation at Union level, the Group should consider inviting, where relevant, Union bodies and agencies involved in cybersecurity policy, such as the European Cybercrime Centre (EC3), the European Union Aviation Safety Agency (EASA), the European Union Agency for Space Programme (EUSPA), the European Defence Agency (EDA), the European Data Protection Supervisor (EDPS), the European Union Agency for Law Enforcement Training (CEPOL), the European Institute of Innovation and Technology (EIT), the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA), the European Securities and Markets Authority (ESMA), the European Banking Authority (EBA), the European Foundation for the Improvement of Living and Working Conditions (Eurofound) and the European Insurance and Occupational Pensions Authority (EIOPA) to participate in its work.
Amendment 30 #
Proposal for a directive
Recital 46 a (new)
(46 a) In order to preserve and protect critical supply chains, the focus should also lie on the protection of the entire transport and logistics chain. The transport and logistics chain is made up of a large number of interlinked actors and systems, where goods are being transported in an intermodal fashion using road, rail, inland waterways and maritime transport. This process requires swift and reliable exchange of data between the various links of the transport and logistics chain through various interfaces. Due to the interconnected nature of the various links in the chain, insufficient cybersecurity risks endangering the functioning of the entire chain through domino effects created by a cyber incident in one or several parts of the transport and logistics chain.
Amendment 31 #
Proposal for a directive
Recital 46 b (new)
(46 b) The transport envelope of the Connecting Europe Facility, both the modernisation pillar (actions relating to smart, interoperable, sustainable, multimodal, inclusive, accessible, safe and secure mobility), as well as the military mobility pillar, should be used to enhance the resilience of Europe’s port infrastructure to cybersecurity threats. Member States should also strengthen the cyber resilience of the port sector in their national Recovery and Resilience Plans as part of the EU’s digital transition objective.
Amendment 34 #
Proposal for a directive
Article 2 – paragraph 2 – subparagraph 1
Member States, in close cooperation with relevant industry stakeholders, shall establish a list of entities identified pursuant to points (b) to (f) and submit it to the Commission by [6 months after the transposition deadline]. Member States shall review the list, on a regular basis, and at least every two years thereafter and, where appropriate, update it.
Amendment 35 #
Proposal for a directive
Article 2 – paragraph 6
6. Where provisions of sector–specific acts of Union law require essential or important entities either to adopt cybersecurity risk management measures or to notify incidents or significant cyber threats, and where those requirements are at least equivalent in effect to the obligations laid down in this Directive, including as to the power, mandate and functions of the respective supervisory authorities, the relevant provisions of this Directive, including the provision on supervision and enforcement laid down in Chapter VI, shall not apply.
Amendment 36 #
Proposal for a directive
Article 3 – paragraph 1 a (new)
The Commission, together with the Member States and stakeholders, shall develop guidelines that enable Member States to identify in a harmonised way which entities in selected sectors should be designated as essential or important entities and which entities would be considered smaller entities with a high security risk profile. Those guidelines should take into account the diverse nature of the entities, as they vary in size and in activities performed, and as their strategic importance may vary.
Amendment 37 #
Proposal for a directive
Article 3 – paragraph 1 b (new)
The Commission, in close cooperation with the Member States and stakeholders, shall develop guidelines that enable Member States to define in a harmonized way which aspects of an essential or important entity should be protected and therefore subjected to the obligations set out in this Directive.
Amendment 46 #
Proposal for a directive
Article 18 – paragraph 5
5. The Commission may adopt delegated acts in order to lay down the technical and the methodological specifications of the elements referred to in paragraph 2. The delegated act shall be adopted in accordance with Article 36 and follow, to the greatest extent possible, international and European standards, as well as relevant technical specifications.
Amendment 55 #
Proposal for a directive
Article 20 – paragraph 11
11. The Commission may adopt delegated acts further specifying the type of information, the format and the procedure of a notification submitted pursuant to paragraphs 1 and 2. The Commission may also adopt implementing acts to further specify the cases in which an incident shall be considered significant as referred to in paragraph 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 37(2).
Amendment 59 #
Proposal for a directive
Article 21 – paragraph 1 a (new)
1 a. The requirements of this Directive regarding cybersecurity certification shall be without prejudice to Article 56 (2) and (3) of Regulation (EU) 2019/881.
Amendment 62 #
Proposal for a directive
Article 21 – paragraph 3
3. In order to elevate the overall level of cybersecurity resilience, the Commission may request ENISA to prepare a candidate scheme pursuant to Article 47 and Article 48 of Regulation (EU) 2019/881 in cases where no appropriate European cybersecurity certification scheme for the purposes of paragraph 2 is available. Such candidate schemes shall comply with the requirements laid down in Article 56(2) and Article 56(3) of Regulation (EU) 2019/881.
Amendment 73 #
Proposal for a directive
Recital 5
(5) All those divergences entail a fragmentation of the internal market and are liable to have a prejudicial effect on its functioning, affecting in particular the cross-border provision of services and level of cybersecurity resilience due to the application of different standards. This Directive aims to remove such wide divergences among Member States and strengthen the internal market, in particular by setting out minimum rules regarding the functioning of a coordinated regulatory framework, by laying down mechanisms for the effective cooperation among the responsible authorities in each Member State, by updating the list of sectors and activities subject to cybersecurity obligations and by providing effective remedies and sanctions which are instrumental to the effective enforcement of those obligations. Therefore, Directive (EU) 2016/1148 should be repealed and replaced by this Directive.
Amendment 77 #
Proposal for a directive
Recital 10
(10) The Commission, in cooperation with the Cooperation Group, should issue guidelines on the implementation of the criteria applicable to micro and small enterprises.
Amendment 78 #
Proposal for a directive
Recital 11
(11) Depending on the sector in which they operate or the type of service they provide, the entities falling within the scope of this Directive should be classified into two categories: essential and important. That categorisation should take into account the level of criticality of the sector or of the type of service, as well as the level of dependency of other sectors or types of services. Both essential and important entities should be subject to the same risk management requirements and reporting obligations. The supervisory and penalty regimes between these two categories of entities should be differentiated to ensure a fair balance between requirements and obligations on one hand, and the administrative burden stemming from the supervision of compliance on the other hand. This balance also helps national competent authorities to focus on those operators whose cybersecurity represents the highest societal risk.
Amendment 79 #
Proposal for a directive
Recital 12
(12) Sector-specific legislation and instruments can contribute to ensuring high levels of cybersecurity, while taking full account of the specificities and complexities of those sectors. Where a sector-specific Union legal act requires essential or important entities to adopt cybersecurity risk management measures or to notify incidents or significant cyber threats of at least an equivalent effect to the obligations laid down in this Directive, those sector-specific provisions, including on supervision and enforcement, should apply. In order to reduce unnecessary administrative burden, sector-specific legislation and instruments should, whenever possible, align their notification procedures with those present in this Directive, according to the once-only principle. The Commission may issue guidelines in relation to the implementation of the lex specialis. This Directive does not preclude the adoption of additional sector-specific Union acts addressing cybersecurity risk management measures and incident notifications. This Directive is without prejudice to the existing implementing powers that have been conferred to the Commission in a number of sectors, including transport and energy.
Amendment 82 #
Proposal for a directive
Recital 14
(14) In view of the interlinkages between cybersecurity and the physical security of entities, a coherent approach should be ensured between Directive (EU) XXX/XXX of the European Parliament and of the Council17 and this Directive. To achieve this, Member States should ensure that critical entities, and equivalent entities, pursuant to Directive (EU) XXX/XXX are considered to be essential entities under this Directive. Member States should also ensure that their national cybersecurity strategies provide for a policy framework for enhanced coordination between the competent authority under this Directive and the one under Directive (EU) XXX/XXX in the context of incident reporting, information sharing on incidents and cyber threats and the exercise of supervisory tasks. Authorities under both Directives should cooperate and exchange information, particularly in relation to the identification of critical entities, cyber threats, cybersecurity risks, incidents affecting critical entities as well as on the cybersecurity measures taken by critical entities. Upon request of competent authorities under Directive (EU) XXX/XXX, competent authorities under this Directive should be allowed to exercise their supervisory and enforcement powers on an essential entity identified as critical. Both authorities should cooperate and exchange information for this purpose.
__________________
17 [insert the full title and OJ publication reference when known]
Amendment 84 #
Proposal for a directive
Recital 15
(15) Upholding and preserving a reliable, resilient and secure domain name system (DNS) is a key factor in maintaining the integrity of the Internet and is essential for its continuous and stable operation, on which the digital economy, the internal market and society depend. Therefore, this Directive should apply to all providers of DNS services along the DNS resolution chain, including operators of root name servers, top-level-domain (TLD) name servers, authoritative name servers for domain names and recursive resolvers.
Amendment 85 #
Proposal for a directive
Recital 20
(20) Those growing interdependencies are the result of an increasingly cross-border and interdependent network of service provision using key infrastructures across the Union in the sectors of energy, transport, digital infrastructure, drinking and waste water, health, certain aspects of public administration, as well as space in as far as the provision of certain services depending on ground-based infrastructures that are owned, managed and operated either by Member States or by private parties is concerned, therefore not covering infrastructures owned, managed or operated by or on behalf of the Union as part of its space programmes. Those interdependencies mean that any disruption, even one initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts in the delivery of services across the internal market. The COVID-19 pandemic has shown the vulnerability of our increasingly interdependent societies in the face of low-probability risks and the need to protect the internal market through joint strategies and actions at Union level.
Amendment 86 #
Proposal for a directive
Recital 2
(2) Since the entry into force of Directive (EU) 2016/1148 significant progress has been made in increasing the Union’s level of cybersecurity resilience. The review of that Directive has shown that it has served as a catalyst for the institutional and regulatory approach to cybersecurity in the Union, paving the way for a significant change in mind-set. That Directive has ensured the completion of national frameworks by defining national cybersecurity strategies, establishing national capabilities, and implementing regulatory measures covering essential infrastructures and actors identified by each Member State. It has also contributed to cooperation at Union level through the establishment of the Cooperation Group12 and a network of national Computer Security Incident Response Teams (‘CSIRTs network’)13. Notwithstanding those achievements, the review of Directive (EU) 2016/1148 has revealed inherent shortcomings that prevent it from addressing effectively contemporaneous and emerging cybersecurity challenges. The expansion of online activities in the context of the COVID-19 pandemic has highlighted the importance not only of cybersecurity issues, but also of providing relevant education and training on a large scale, practically to the entire population of the planet.
_________________
12 Article 11 of Directive (EU) 2016/1148.
13 Article 12 of Directive (EU) 2016/1148.
Amendment 87 #
Proposal for a directive
Recital 3
(3) Network and information systems have developed into a central feature of everyday life with the speedy digital transformation and interconnectedness of society, including in cross-border exchanges. That development has led to an expansion of the cybersecurity threat landscape, bringing about new challenges, which require adapted, coordinated and innovative responses in all Member States. The number, magnitude, sophistication, frequency and impact of cybersecurity incidents are increasing, and present a major threat to the functioning of network and information systems. As a result, cyber incidents can impede the pursuit of economic activities in the internal market, generate financial losses, undermine user confidence and cause major damage to the Union economy and society. Cybersecurity preparedness and effectiveness are therefore now more essential than ever to the proper functioning of the internal market. Malicious cyber activities threaten not only our economies, but also the functioning of our democracies, our freedom and our values. Our future security depends on transforming our capacity to protect the EU against cybersecurity threats both within the civilian infrastructure, as well as the military capacity.
Amendment 88 #
Proposal for a directive
Recital 23
(23) Competent authorities or the CSIRTs should receive notifications of incidents from entities in a standardised, effective and efficient way. The single points of contact should be tasked with forwarding incident notifications to the single points of contact of other affected Member States. At the level of Member States’ authorities, to ensure one single entry point in every Member State, the single points of contact should also be the addressees of relevant information on incidents concerning financial sector entities from the competent authorities under Regulation XXXX/XXXX which they should be able to forward, as appropriate, to the relevant national competent authorities or CSIRTs under this Directive.
Amendment 88 #
Proposal for a directive
Recital 5
(5) All those divergences entail a fragmentation of the internal market and are liable to have a prejudicial effect on its functioning, affecting in particular the cross-border provision of services and level of cybersecurity resilience due to the application of different standards. Cybersecurity must form the basis for the digital transformation of daily activities within the entire European Union and must consolidate cooperation between the EU bodies and the authorities of the Member States that are responsible for preventing and discouraging cyber attacks. This Directive aims to remove such wide divergences among Member States, in particular by setting out minimum rules regarding the functioning of a coordinated regulatory framework, by laying down mechanisms for the effective cooperation among the responsible authorities in each Member State, by updating the list of sectors and activities subject to cybersecurity obligations and by providing effective remedies and sanctions which are instrumental to the effective enforcement of those obligations. Therefore, Directive (EU) 2016/1148 should be repealed and replaced by this Directive.
Amendment 90 #
Proposal for a directive
Recital 26 a (new)
(26a) Member States should, in accordance with their national cybersecurity strategies, put in place policies directed at cybersecurity awareness, cyber literacy and cyber-hygiene of citizens, with a view to strengthening the human element of network and information systems and protecting consumers from harm.
Amendment 91 #
Proposal for a directive
Recital 26 b (new)
(26b) In order to use resources with efficiency and effectiveness, and to be able to manage the increased amount of risks and incidents, Member States should adopt policies on the promotion and integration of AI-enabled and intelligent systems in the prevention and detection of cybersecurity incidents and threats as part of their national cybersecurity strategies, as well as make full use of them within their national competent authorities.
Amendment 92 #
Proposal for a directive
Recital 27
(27) In accordance with the Annex to Commission Recommendation (EU) 2017/1584 on Coordinated Response to Large Scale Cybersecurity Incidents and Crises (‘Blueprint’)20, a large-scale incident should mean an incident with a significant impact on at least two Member States or whose disruption exceeds a Member State’s capacity to respond to it, thus endangering the internal market. Depending on their cause and impact, large-scale incidents may escalate and turn into fully-fledged crises not allowing the proper functioning of the internal market. Given the wide-ranging scope and, in most cases, the cross-border nature of such incidents, Member States and relevant Union institutions, bodies and agencies should cooperate at technical, operational and political level to properly coordinate the response across the Union.
__________________
20 Commission Recommendation (EU) 2017/1584 of 13 September 2017 on coordinated response to large-scale cybersecurity incidents and crises (OJ L 239, 19.9.2017, p. 36).
Amendment 93 #
Proposal for a directive
Recital 28
(28) Since the exploitation of vulnerabilities in network and information systems may cause significant disruption and harm to businesses and consumers, swiftly identifying and remedying those vulnerabilities is an important factor in reducing cybersecurity risk. Entities that develop such systems should therefore establish appropriate procedures to handle vulnerabilities when they are discovered. Since vulnerabilities are often discovered and reported (disclosed) by third parties (reporting entities), the manufacturer or provider of ICT products or services should also put in place the necessary procedures to receive vulnerability information from third parties. In this regard, international standards ISO/IEC 30111 and ISO/IEC 29147 provide guidance on vulnerability handling and vulnerability disclosure respectively. As regards vulnerability disclosure, coordination between reporting entities and manufacturers or providers of ICT products or services is particularly important. Coordinated vulnerability disclosure specifies a structured process through which vulnerabilities are reported to organisations in a manner allowing the organisation to diagnose and remedy the vulnerability before detailed vulnerability information is disclosed to third parties or to the public. Coordinated vulnerability disclosure should also comprise coordination between the reporting entity and the organisation as regards the timing of remediation and publication of vulnerabilities.
Amendment 95 #
Proposal for a directive
Recital 20
(20) Those growing interdependencies are the result of an increasingly cross-border and interdependent network of service provision using key infrastructures across the Union in the sectors of energy, transport, digital infrastructure, drinking and waste water, health, certain aspects of public administration, as well as space in as far as the provision of certain services depending on ground-based infrastructures that are owned, managed and operated either by Member States or by private parties is concerned, therefore not covering infrastructures owned, managed or operated by or on behalf of the Union as part of its space programmes. Those interdependencies mean that any disruption, even one initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts in the delivery of services across the internal market. The COVID-19 pandemic has shown the vulnerability of our increasingly interdependent societies in the face of low-probability risks. Cybersecurity must be one of the EU priorities in responding to the COVID-19 pandemic, during which cyber attacks have intensified, which will have to lead to further investment in this field.
Amendment 97 #
Proposal for a directive
Recital 21
(21) In view of the differences in national governance structures and in order to safeguard already existing sectoral arrangements or Union supervisory and regulatory bodies, Member States should be able to designate more than one national competent authority responsible for fulfilling the tasks linked to the security of the network and information systems of essential and important entities under this Directive. Member States should be able to assign this role to an existing authority and make sure that this authority has adequate resources to fulfil its duties in an efficient and effective way.
Amendment 99 #
Proposal for a directive
Recital 34
(34) The Cooperation Group should remain a flexible forum and be able to react to changing and new policy priorities and challenges while taking into account the availability of resources. It should organize regular joint meetings with relevant private stakeholders from across the Union to discuss activities carried out by the Group and gather input on emerging policy challenges. In order to enhance cooperation at Union level, the Group should consider inviting Union bodies and agencies involved in cybersecurity policy, such as the European Cybercrime Centre (EC3), the European Union Aviation Safety Agency (EASA) and the European Union Agency for Space Programme (EUSPA) to participate in its work, as well as other Union bodies and agencies and supervisory authorities related to the Digital Single Market.
Amendment 100 #
Proposal for a directive
Recital 35
(35) The competent authorities and CSIRTs should be empowered to participate in exchange schemes for officials from other Member States in order to improve cooperation and strengthen confidence inside the networks. The competent authorities should take the necessary measures to enable officials from other Member States to play an effective role in the activities of the host competent authority or CSIRT.
Amendment 100 #
Proposal for a directive
Recital 25
(25) As regards personal data, CSIRTs should be able to provide, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council19, on behalf of and upon request by an entity under this Directive, a proactive scanning of the network and information systems used for the provision of their services. Member States should aim at ensuring an equal level of technical capabilities for all sectoral CSIRTs. Member States may request the assistance of the European Union Agency for Cybersecurity (ENISA) in developing national CSIRTs. Also, cybersecurity risks should never be used as a pretext for breaching human rights.
_________________
19 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).
Amendment 101 #
Proposal for a directive
Recital 35 a (new)
Amendment 101 #
Proposal for a directive
Recital 27
(27) In accordance with the Annex to Commission Recommendation (EU) 2017/1584 on Coordinated Response to Large Scale Cybersecurity Incidents and Crises (‘Blueprint’)20, a large-scale incident should mean an incident with a significant impact on at least two Member States or whose disruption exceeds a Member State’s capacity to respond to it. Depending on their cause and impact, large-scale incidents may escalate and turn into fully-fledged crises not allowing the proper functioning of the internal market. Given the wide-ranging scope and, in most cases, the cross-border nature of such incidents, Member States and relevant Union institutions, bodies and agencies should cooperate at technical, operational and political level to properly coordinate the response across the Union. Cybersecurity is indispensable for network and global internet connectivity, therefore improving cybersecurity is essential for EU citizens to be able to trust innovation and connectivity, given the expansion of online activities in the context of the COVID-19 pandemic.
_________________
20 Commission Recommendation (EU) 2017/1584 of 13 September 2017 on coordinated response to large-scale cybersecurity incidents and crises (OJ L 239, 19.9.2017, p. 36).
Amendment 102 #
Proposal for a directive
Recital 29
(29) Member States should therefore take measures to facilitate coordinated vulnerability disclosure by establishing a relevant national policy. In this regard, Member States should designate a CSIRT to take the role of ‘coordinator’, acting as an intermediary between the reporting entities and the manufacturers or providers of ICT products or services where necessary. The tasks of the CSIRT coordinator should in particular include identifying and contacting concerned entities, supporting reporting entities, negotiating disclosure timelines, and managing vulnerabilities that affect multiple organisations (multi-party vulnerability disclosure). Where vulnerabilities affect multiple manufacturers or providers of ICT products or services established in more than one Member State, the designated CSIRTs from each of the affected Member States should cooperate within the CSIRTs Network. Member States should jointly monitor the way in which EU rules are implemented, support each other in the event of any cross-border problems, establish a more structured dialogue with the private sector and cooperate on security risks and the threats associated with new technologies, as was the case with 5G technology.
Amendment 103 #
Proposal for a directive
Recital 45 a (new)
(45a) Additionally, entities should also ensure adequate cybersecurity education and training of their staff at all levels of the organisation.
Amendment 103 #
Proposal for a directive
Recital 30
(30) Access to correct and timely information on vulnerabilities affecting ICT products and services contributes to an enhanced cybersecurity risk management. In that regard, sources of publicly available information on vulnerabilities are an important tool for entities and their users, but also national competent authorities and CSIRTs. For this reason, ENISA should establish a vulnerability registry where essential and important entities and their suppliers, as well as entities which do not fall in the scope of application of this Directive may, on a voluntary basis, disclose vulnerabilities and provide the vulnerability information that allows users to take appropriate mitigating measures. Member States should support each other in the event of any cross-border problems, establish a more structured dialogue with the private sector and cooperate on security risks and the threats associated with new technologies, as was the case with 5G technology.
Amendment 106 #
Proposal for a directive
Recital 51
(51) The internal market is more reliant on the functioning of the internet than ever before. The services of virtually all essential and important entities are dependent on services provided over the internet, and consumers rely on it for essential parts of their daily lives. In order to ensure the smooth provision of services provided by essential and important entities, it is important that public electronic communications networks, such as, for example, internet backbones or submarine communications cables, have appropriate cybersecurity measures in place and report incidents in relation thereto.
Amendment 107 #
Proposal for a directive
Recital 45
(45) Entities should also address cybersecurity risks stemming from their interactions and relationships with other stakeholders within a broader ecosystem. In particular, entities should take appropriate measures to ensure that their cooperation with academic and research institutions takes place in line with their cybersecurity policies and follows good practices as regards secure access and dissemination of information in general and the protection of intellectual property in particular. Similarly, given the importance and value of data for the activities of the entities, when relying on data transformation and data analytics services from third parties, the entities should take all appropriate cybersecurity measures and report any potential cyber attacks that they identify.
Amendment 108 #
Proposal for a directive
Recital 52
(52) Entities should inform their service recipients of particular and significant threats and of measures they can take to mitigate the resulting risk to themselves, in particular when such measures may increase consumer protection. The requirement to inform those recipients of such threats should not discharge entities from the obligation to take, at their own expense, appropriate and immediate measures to prevent or remedy any cyber threats and restore the normal security level of the service. The provision of such information about security threats to the recipients should be free of charge and in language easy to understand and to follow.
Amendment 112 #
Proposal for a directive
Recital 54
(54) In order to safeguard the security of electronic communications networks and services, the use of encryption, and in particular end-to-end encryption, should be promoted and, where necessary, should be mandatory for providers of such services and networks in accordance with the principles of security and privacy by default and by design for the purposes of Article 18. The use of end-to-end encryption should be reconciled with the Member States’ powers to ensure the protection of their essential security interests and public security, and to permit the investigation, detection and prosecution of criminal offences in compliance with Union law. The effectiveness of encryption in protecting privacy and security of communications must not be undermined in any circumstance, as any loophole in encryption is open to be explored by all actors, regardless of their legitimacy or intent.
Amendment 116 #
Proposal for a directive
Recital 56
(56) Essential and important entities are often in a situation where a particular incident, because of its features, needs to be reported to various authorities as a result of notification obligations included in various legal instruments. Such cases create additional burdens and may also lead to uncertainties with regard to the format and procedures of such notifications. In view of this and, for the purposes of simplifying the reporting of security incidents and upholding the once- only principle, Member States should establish a single entry point for all notifications required under this Directive and also under other Union law such as Regulation (EU) 2016/679 and Directive 2002/58/EC. ENISA, in cooperation with the Cooperation Group should develop common notification templates by means of guidelines that would simplify and streamline the reporting information requested by Union law and decrease the burdens for companies.
Amendment 119 #
Proposal for a directive
Recital 54
(54) In order to safeguard the security of electronic communications networks and services, the use of encryption, and in particular end-to-end encryption, should be promoted and, where necessary, should be mandatory for providers of such services and networks in accordance with the principles of security and privacy by default and by design for the purposes of Article 18. The use of end-to-end encryption should be reconciled with the Member States’ powers to ensure the protection of their essential security interests and public security, and to permit the investigation, detection and prosecution of criminal offences in compliance with Union law. Solutions for lawful access to information within end-to-end encrypted communications should maintain the effectiveness of encryption in protecting privacy and the security of communications, and this should not be undermined under any circumstances, as any encryption shortfall is open for exploration or exploitation by actors, regardless of their legitimacy or intention.
Amendment 120 #
Proposal for a directive
Recital 54 a (new)
(54a) Any measure aimed at weakening encryption or circumventing the technology’s architecture may incur significant risks to the effective protection capabilities it entails, thus inevitably compromising the protection of personal data and privacy, resulting in an overall loss of trust in security controls. Any unauthorised decryption, reverse engineering of encryption codes or monitoring of electronic communications other than by legal authorities should be prohibited to ensure the effectiveness of the technology and its wider use. The cases in which encryption can be used to mitigate the risks related to non-compliant data transfers, as presented in EDPB Recommendations 01/2020, may enable a stronger encryption, whether in transit or at rest, for the providers of such services and networks for the purposes of Article 18.
Amendment 121 #
Proposal for a directive
Recital 55
(55) This Directive lays down a two- stage approach to incident reporting in order to strike the right balance between, on the one hand, swift reporting that helps mitigate the potential spread of incidents and allows entities to seek support, and, on the other hand, in-depth reporting that draws valuable lessons from individual incidents and improves over time the resilience to cyber threats of individual companies and entire sectors. Where entities become aware of an incident, they should be required to submit an initial notification within a maximum of 24 hours, followed by a final report not later than one month after. The initial notification should only include the information strictly necessary to make the competent authorities aware of the incident and allow the entity to seek assistance, if required. Such notification, where applicable, should indicate whether the incident is presumably caused by unlawful or malicious action. Member States should ensure that the requirement to submit this initial notification does not divert the reporting entity’s resources from activities related to incident handling that should be prioritised. To further prevent that incident reporting obligations either divert resources from incident response handling or may otherwise compromise the entities efforts in that respect, Member States should also provide that, in duly justified cases and in agreement with the competent authorities or the CSIRT, the entity concerned can deviate from the deadlines of a maximum of 24 hours for the initial notification and one month for the final report.
Amendment 130 #
Proposal for a directive
Recital 79
(79) A peer-review mechanism should be introduced, allowing the assessment by experts designated by the Member States and ENISA of the implementation of cybersecurity policies, including the level of Member States’ capabilities and available resources, and the exchange of experiences and best practices related to procedures and instruments.
Amendment 132 #
Proposal for a directive
Article 1 – paragraph 1
1. This Directive lays down measures with a view to ensuring a high common level of cybersecurity within the Union and strengthening the Digital Single Market.
Amendment 132 #
Proposal for a directive
Recital 69
(69) The processing of personal data, to the extent strictly necessary and proportionate for the purposes of ensuring network and information security by entities, public authorities, CERTs, CSIRTs, and providers of security technologies and services should constitute a legitimate interest of the data controller concerned, as referred to in Regulation (EU) 2016/679. That should include measures related to the prevention, detection, analysis and response to incidents, measures to raise awareness in relation to specific cyber threats, exchange of information in the context of vulnerability remediation and coordinated disclosure, as well as the voluntary exchange of information on those incidents, as well as cyber threats and vulnerabilities, indicators of compromise, tactics, techniques and procedures, cybersecurity alerts and configuration tools. In many cases, personal data are compromised following cyber incidents and, therefore, the competent authorities and data protection authorities of EU Member States should cooperate and exchange information on all relevant matters in order to tackle any personal data breaches. Such measures may require the processing of the following types of personal data: IP addresses, uniform resource locators (URLs), domain names, and email addresses.
Amendment 135 #
Proposal for a directive
Recital 79
(79) A peer-review mechanism should be introduced, allowing the assessment by experts designated by the Member States of the implementation of cybersecurity policies, including the level of Member States’ capabilities and available resources. The EU must ensure a coordinated response to large-scale cyber incidents and crises and, also, must offer assistance in order to facilitate recovery following such cyber attacks.
Amendment 143 #
Proposal for a directive
Article 4 – paragraph 1 – point 4
(4) ‘national strategy on cybersecurity’ means a coherent framework of a Member State providing strategic objectives and priorities on the security of network and information systems in that Member State, as well as policies needed to achieve them;
Amendment 144 #
Proposal for a directive
Article 4 – paragraph 1 – point 5 a (new)
(5a) 'cross-border incident' means any incident which impacts operators under at least 2 different national competent authorities;
Amendment 145 #
Proposal for a directive
Article 4 – paragraph 1 – point 8 a (new)
(8a) "early warning" means the information preceding the initial incident notification warning to third parties, without detailed information obligations, on the onset of an incident or on the discovery moment of an ongoing incident;
Amendment 150 #
Proposal for a directive
Article 5 – paragraph 1 – point b
(b) a governance framework to achieve those objectives and priorities, including the policies referred to in paragraph 2 and the roles and responsibilities of public bodies and entities as well as other relevant actors, including those responsible for cyber intelligence and cyber defence;
Amendment 151 #
Proposal for a directive
Article 5 – paragraph 1 – point c
(c) an assessment to identify relevant assets and cybersecurity risks in that Member State, including potential shortages that may negatively impact the Single Market.
Amendment 153 #
Proposal for a directive
Article 2 – paragraph 5 a (new)
5a. As regards the processing of personal data, essential and important entities, as well as competent authorities, CERTs, and CSIRTs, shall process personal data to an extent that is strictly necessary and proportionate for the purposes of ensuring network and information security, in accordance with the obligations set out in this Directive. Where the processing of personal data is required for the purpose of cybersecurity and network and information security in accordance with the provisions set out in Article 18 and Article 20 of the Directive, including the provisions set out in Article 23, this processing shall be considered necessary in order to ensure compliance with a legal obligation in accordance with paragraph 1(c) of Article 6 of Regulation (EU) 2016/679.
Amendment 154 #
Proposal for a directive
Article 2 – paragraph 5 b (new)
5b. As regards the processing of personal data from essential entities providing services of public electronic communication networks or publicly available electronic communications referred to in point 8 of Annex I and point (a)(i) of paragraph (1), such processing of personal data required for the purposes of ensuring network and information security must be in compliance with the provisions set out in Directive 2002/58/EC.
Amendment 155 #
Proposal for a directive
Article 5 – paragraph 2 – point a a (new)
(aa) a policy addressing cybersecurity of consumers, including their awareness of cyber threats, their cyber literacy and cyber-hygiene, as well as the cybersecurity of products available for consumers;
Amendment 158 #
Proposal for a directive
Article 5 – paragraph 2 – point e
(e) a policy on promoting and enhancing cybersecurity skills and competence across all levels, from the non-experts to the highly skilled professionals;
Amendment 160 #
Proposal for a directive
Article 5 – paragraph 2 – point f
(f) a policy on supporting academic and research institutions to develop cybersecurity tools and secure network infrastructure and promoting the coherent and synergic use of available funds;
Amendment 163 #
Proposal for a directive
Article 5 – paragraph 2 – point h
(h) a policy addressing specific needs of SMEs, in particular those excluded from the scope of this Directive, in relation to guidance and support in improving their resilience to cybersecurity threats, promotion of cybersecurity skills and competences, and assistance in responding to cyberattacks;
Amendment 164 #
Proposal for a directive
Article 5 – paragraph 2 – point h – point i (new)
(i) this policy shall include the establishment of a national single point of contact for SMEs and a framework for the most efficient use of Digital Innovation Hubs and available funds in the achievement of policy objectives;
Amendment 169 #
Proposal for a directive
Article 5 – paragraph 4 – subparagraph 1 a (new)
Key performance indicators shall be chosen taking into account recommendations from ENISA and, whenever possible, shall be comparable at the Union level;
Amendment 175 #
Proposal for a directive
Article 5 – paragraph 2 – point f
(f) a policy on supporting academic and research institutions to develop cybersecurity tools and secure network infrastructure, including specific policies that address aspects related to representation and gender balance in the above-mentioned fields;
Amendment 176 #
Proposal for a directive
Article 6 – paragraph 2
2. ENISA shall develop and maintain a European vulnerability registry. To that end, ENISA shall establish and maintain the appropriate information systems, policies and procedures with a view in particular to enabling important and essential entities and their suppliers of network and information systems to disclose and register vulnerabilities present in ICT products or ICT services, as well as to provide access to the information on vulnerabilities contained in the registry to all interested parties. The registry shall, in particular, include information describing the vulnerability, the affected ICT product or ICT services and the severity of the vulnerability in terms of the circumstances under which it may be exploited, the availability of related patches and, in the absence of available patches, guidance addressed to users of vulnerable products and services as to how the risks resulting from disclosed vulnerabilities may be mitigated. ENISA may enter into information sharing agreements and structured cooperation with other vulnerability registries developed and maintained by trusted partners.
Amendment 177 #
Proposal for a directive
Article 5 – paragraph 2 – point g a (new)
(ga) carrying out research projects that contribute to the national cybersecurity strategy, in order to maintain the highest level of cybersecurity possible.
Amendment 179 #
Proposal for a directive
Article 7 – paragraph 3 – point f a (new)
(fa) coordination with authorities responsible for cyber intelligence and cyber defence;
Amendment 182 #
Proposal for a directive
Article 10 – paragraph 2 – point c
(c) responding to incidents; and, whenever possible and adequate, providing assistance to entities that may request it;
Amendment 183 #
Proposal for a directive
Article 10 – paragraph 2 – point d
(d) providing dynamic risk and incident analysis and situational awareness regarding cybersecurity, namely through the analysis of early warnings and notifications as referred to in Article 20;
Amendment 185 #
Proposal for a directive
Article 10 – paragraph 2 – point f
(f) actively participating in the CSIRTs network and providing mutual assistance to other members of the network upon their request.
Amendment 187 #
Proposal for a directive
Article 10 – paragraph 2 – point f a (new)
(fa) participating in joint cybersecurity exercises at Union level;
Amendment 188 #
Proposal for a directive
Article 11 – paragraph 2
2. Member States shall ensure that either their competent authorities or their CSIRTs receive notifications on incidents, and significant cyber threats and near misses submitted pursuant to this Directive. Where a Member State decides that its CSIRTs shall not receive those notifications, the CSIRTs shall, to the extent necessary to effectively carry out their tasks, be granted adequate access to data on incidents notified by the essential or important entities, pursuant to Article 20.
Amendment 189 #
Proposal for a directive
Article 11 – paragraph 4
4. To the extent necessary to effectively carry out the tasks and obligations laid down in this Directive, Member States shall ensure appropriate cooperation between the competent authorities and single points of contact and law enforcement authorities, data protection authorities, and the authorities responsible for critical infrastructure pursuant to Directive (EU) XXXX/XXXX [Resilience of Critical Entities Directive] and the national financial authorities designated in accordance with Regulation (EU) XXXX/XXXX of the European Parliament and of the Council39 [the DORA Regulation] within that Member State, as well as with cyber defence and cyber intelligence authorities. __________________ 39 [insert the full title and OJ publication reference when known]
Amendment 192 #
Proposal for a directive
Article 12 – paragraph 4 – point f a (new)
(fa) assessing the functioning of the peer review system and drawing up recommendations for its improvement;
Amendment 193 #
Proposal for a directive
Article 12 – paragraph 4 – point k a (new)
(ka) supporting ENISA in organising joint training of national competent authorities at the EU level.
Amendment 196 #
Proposal for a directive
Article 14 – paragraph 3 – point a
(a) increasing the level of preparedness of the management of large scale incidents and crises, including cross-border cyber threats;
Amendment 197 #
Proposal for a directive
Article 15 – paragraph 1 – introductory part
1. ENISA shall issue, in cooperation with the Commission, a biennial report on the state of cybersecurity in the Union and present it to the European Parliament. The report shall in particular include an assessment of the following:
Amendment 198 #
Proposal for a directive
Article 15 – paragraph 1 – point a
(a) the development of cybersecurity capabilities across the Union, including the general level of skills and competences in cybersecurity in the Digital Single Market;
Amendment 200 #
Proposal for a directive
Article 15 – paragraph 1 – point c a (new)
(ca) an aggregated index providing an assessment of the cybersecurity of European consumers.
Amendment 202 #
Proposal for a directive
Article 16 – paragraph 1 – introductory part
1. The Commission shall establish, after consulting the Cooperation Group and ENISA, and at the latest by 18 months following the entry into force of this Directive, the methodology and content of a peer-review system for assessing the effectiveness of the Member States’ cybersecurity policies. The reviews shall be conducted by cybersecurity technical experts drawn from ENISA and several Member States different from the one reviewed, and shall cover at least the following:
Amendment 207 #
Proposal for a directive
Article 18 – paragraph 1
1. Member States shall ensure that essential and important entities shall take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which those entities use in the provision of their services. Having regard to the state of the art, those measures shall ensure a level of security of network and information systems appropriate to the risk presented. In particular, measures shall be taken to prevent and minimise the impact of security incidents on consumers.
Amendment 213 #
Proposal for a directive
Article 18 – paragraph 2 – point g a (new)
(ga) policies to ensure adequate education and training in cybersecurity at all levels of the organisation for essential and important entities.
Amendment 217 #
Proposal for a directive
Article 18 – paragraph 2 a (new)
2a. ENISA shall create and maintain an updated list of state of the art measures, as referred to in paragraph 1.
Amendment 222 #
Proposal for a directive
Article 19 – paragraph 1
1. The Cooperation Group, in cooperation with the Commission and ENISA, shall carry out coordinated security risk assessments of specific critical ICT services, systems or products supply chains, taking into account technical and, where relevant, non-technical risk factors.
Amendment 226 #
Proposal for a directive
Article 20 – paragraph 1
1. Member States shall ensure that essential and important entities notify, without undue delay, the competent authorities or the CSIRT in accordance with paragraphs 3 and 4 of any incident having a significant impact on the provision of their services. Those entities shall notify, without undue delay, the recipients of their services of incidents that are likely to adversely affect the provision of that service. Member States shall ensure that those entities report, among others, any information enabling the competent authorities or the CSIRT to determine any cross-border impact of the incident.
Amendment 233 #
Proposal for a directive
Article 20 – paragraph 3 – point a
(a) the incident has caused or it can be assumed to cause substantial operational disruption or financial losses for the entity concerned;
Amendment 234 #
Proposal for a directive
Article 20 – paragraph 3 – point b
(b) the incident has affected or it can be assumed to affect other natural or legal persons by causing considerable material or non-material losses.
Amendment 236 #
Proposal for a directive
Article 20 – paragraph 4 – subparagraph 1 – point -a (new)
(-a) an early warning within 24 hours after having become aware of an incident, without any obligations on the entity concerned to disclose additional information regarding the incident;
Amendment 241 #
Proposal for a directive
Article 20 – paragraph 4 – subparagraph 1 – point c – introductory part
(c) a comprehensive report not later than one month after the submission of the report under point (b), including at least the following:
Amendment 244 #
Proposal for a directive
Article 20 – paragraph 4 – subparagraph 2
Member States shall provide that in duly justified cases and in agreement with the competent authorities or the CSIRT, the entity concerned can deviate from the deadlines laid down in points (a), (b) and (d).
Amendment 245 #
Proposal for a directive
Article 20 – paragraph 5
5. The competent national authorities or the CSIRT shall provide, within 24 hours after receiving the initial notification referred to in point (b) of paragraph 4, a response to the notifying entity, including initial feedback on the incident and, upon request of the entity, guidance on the implementation of possible mitigation measures. Where the CSIRT did not receive the notification referred to in paragraph 1, the guidance shall be provided by the competent authority in collaboration with the CSIRT. The CSIRT shall provide additional technical support if the concerned entity so requests. Where the incident is suspected to be of criminal nature, the competent national authorities or the CSIRT shall also provide guidance on reporting the incident to law enforcement authorities.
Amendment 248 #
Proposal for a directive
Article 21 – paragraph 1
1. In order to demonstrate compliance with certain requirements of Article 18, and following guidance from ENISA, the Commission, and the Cooperation Group, Member States shall call for essential and important entities to certify certain ICT products, ICT services and ICT processes, developed either by the essential and important entities or procured from third parties, under specific European cybersecurity certification schemes adopted pursuant to Article 49 of Regulation (EU) 2019/881, or under equivalent and internationally accepted certification schemes. Whenever possible, the call for certification shall be adopted by all Member States in a harmonised way.
Amendment 254 #
Proposal for a directive
Article 22 – paragraph 1
1. In order to promote the convergent implementation of Article 18(1) and (2), Member States shall, without imposing or discriminating in favour of the use of a particular type of technology, and according to guidance from ENISA and the Cooperation Group, encourage the use of European or internationally accepted standards and specifications relevant to the security of network and information systems.
Amendment 274 #
Proposal for a directive
Article 25 – paragraph 1 – introductory part
1. ENISA shall create and maintain a registry for essential and important entities referred to in Article 24(1). For that purpose the entities shall submit the following information to the national competent authority by [12 months after entering into force of the Directive at the latest]:
Amendment 275 #
Proposal for a directive
Article 25 – paragraph 2
2. The entities referred to in paragraph 1 shall notify the national competent authority about any changes to the details they submitted under paragraph 1 without delay, and in any event, within three months from the date on which the change took effect.
Amendment 276 #
Proposal for a directive
Article 25 – paragraph 3
3. Upon receipt of the information under paragraph 1, the national competent authorities shall forward it to ENISA. Where an entity referred to in paragraph 1 has besides its main establishment in the Union further establishments in other Member States, ENISA shall also inform the single points of contact of those Member States.
Amendment 281 #
Proposal for a directive
Article 27 – paragraph 1
Member States shall ensure that, without prejudice to Article 3, entities falling outside the scope of this Directive may submit notifications, on a voluntary basis, of significant incidents, cyber threats or near misses. When processing notifications, Member States shall act in accordance with the procedure laid down in Article 20. Member States shall prioritise the processing of mandatory notifications over voluntary notifications. Voluntary reporting shall not result in the imposition of any additional obligations upon the reporting entity to which it would not have been subject had it not submitted the notification, but it may grant it assistance from CSIRTs.
Amendment 283 #
Proposal for a directive
Article 28 – paragraph 1
1. Member States shall ensure that competent authorities effectively monitor and take the measures necessary to ensure compliance with this Directive, in particular the obligations laid down in Articles 18 and 20, and are provided with the adequate means to perform their function.
Amendment 285 #
Proposal for a directive
Article 28 – paragraph 2
2. Competent authorities shall work in close cooperation with data protection authorities when addressing incidents resulting in personal data breaches, including data protection authorities from other Member States whenever relevant.
Amendment 294 #
Proposal for a directive
Article 32 – paragraph 1
1. Where the competent authorities have indications that the infringement by an essential or important entity of the obligations laid down in Articles 18 and 20 entails a personal data breach, as defined by Article 4(12) of Regulation (EU) 2016/679 which shall be notified pursuant to Article 33 of that Regulation, they shall inform the supervisory authorities competent pursuant to Articles 55 and 56 of that Regulation without undue delay.
Amendment 296 #
Proposal for a directive
Article 32 – paragraph 3
3. Where the supervisory authority competent pursuant to Regulation (EU) 2016/679 is established in another Member State than the competent authority, the competent authority shall also inform the supervisory authority established in the same Member State.