9 Amendments of Fabio Massimo CASTALDO related to 2020/0359(COD)
Amendment 23
Proposal for a directive
Recital 2
(2) Since the entry into force of Directive (EU) 2016/1148 significant progress has been made in increasing the Union’s level of cybersecurity resilience. The review of that Directive has shown that it has served as a catalyst for the institutional and regulatory approach to cybersecurity in the Union, paving the way for a significant change in mind-set. That Directive has ensured the completion of national frameworks by defining national cybersecurity strategies, establishing national capabilities, and implementing regulatory measures covering essential infrastructures and actors identified by each Member State. It has also contributed to cooperation at Union level through the establishment of the Cooperation Group¹² and a network of national Computer Security Incident Response Teams (‘CSIRTs network’)¹³. Directive (EU) 2016/1148 was the first Union-wide legislative act on cybersecurity, providing legal measures to boost the overall level of cyber resilience also in the security and defence domain in the Union by ensuring Member States' cooperation and a culture of security across sectors. Notwithstanding those achievements, the review of Directive (EU) 2016/1148 has revealed inherent shortcomings that prevent it from addressing effectively contemporaneous and emerging cybersecurity challenges, which very often originate from outside the Union, posing a serious threat to internal and external security at Union level.
_________________
¹² Article 11 of Directive (EU) 2016/1148.
¹³ Article 12 of Directive (EU) 2016/1148.
Amendment 24
Proposal for a directive
Recital 3 a (new)
Amendment 27
Proposal for a directive
Recital 3 b (new)
(3 b) During large-scale cyber security incidents and crises at Union level, the high degree of interdependence between sectors and countries requires a coordinated action to ensure a rapid and effective response, as well as better prevention and preparedness for similar situations in the future. The availability of cyber-resilient networks and information systems and the availability, confidentiality and integrity of data are vital for the security of the Union within as well as beyond its borders. The Union’s ambition to acquire a more prominent geopolitical role by becoming ‘strategically autonomous’ and ‘technologically sovereign’ also rests on credible cyber defence and deterrence, including the capacity to identify malicious actions in a timely and effective manner and to respond adequately. Given the blurring of lines between the realms of civilian and military matters and the dual-use nature of cyber tools and technologies, there is a need for a comprehensive and holistic approach to the digital domain. This also applies to Common Security and Defence Policy operations and missions conducted by the Union to ensure peace and stability in its neighbourhood and beyond.
Amendment 28
Proposal for a directive
Recital 6
(6) This Directive leaves unaffected the ability of Member States to take the necessary measures to ensure the protection of the essential interests of their security, to safeguard public policy and public security, and to allow for the investigation, detection and prosecution of criminal offences, in compliance with Union law. Independently of the technological environment of the day, it is essential to always fully respect due process and other safeguards, as well as fundamental rights, in particular the right to the respect for private life and communications and the right to the protection of personal data. Similarly, in order to ensure an all-encompassing resilience, it is necessary not only to strengthen technological infrastructures and to possess response capabilities, but also to spread a cybersecurity culture among the population according to Articles 7 and 8 of the Cybersecurity Act. In accordance with Article 346 TFEU, no Member State is to be obliged to supply information the disclosure of which would be contrary to the essential interests of its public security. In this context, national and Union rules for protecting classified information, non-disclosure agreements, and informal non-disclosure agreements such as the Traffic Light Protocol¹⁴, are of relevance.
_________________
¹⁴ The Traffic Light Protocol (TLP) is a means for someone sharing information to inform their audience about any limitations in further spreading this information. It is used in almost all CSIRT communities and some Information Analysis and Sharing Centres (ISACs).
Amendment 30
Proposal for a directive
Recital 14 a (new)
(14 a) In view of the development of a secure connectivity system, building on the European quantum communication infrastructure (EuroQCI) and the European Union Governmental Satellite Communication (GOVSATCOM), in particular the implementation of GALILEO GNSS for defence users, any future possible development should take into account the entire electronic communications infrastructure such as space, land and submarine network systems. At the same time, a common vision on Cloud adoption strategy for sensitive sectors with the aim of defining a European approach based on shared standards among like-minded States, in order to protect the digital know-how, sensitive data and information should be established.
Amendment 33
Proposal for a directive
Recital 26
(26) Given the importance of international cooperation on cybersecurity, CSIRTs should be able to participate in international cooperation networks in addition to the CSIRTs network established by this Directive, in order to contribute to the development of Union standards that can shape the cybersecurity landscape at international level. On this point, an essential role can be played by the important means of "cyberdiplomacy" in the EU toolbox. Striving to secure multilateral agreements on cyber norms, responsible state and non-state behaviour in cyberspace and effective global digital governance as well as creating an open, free, stable and secure cyberspace anchored in international law through alliances between like-minded countries, organisations, the private sector, civil society and experts is an integral part of a more comprehensive cybersecurity strategy.
Amendment 36
Proposal for a directive
Recital 36
(36) The Union should, where appropriate, conclude international agreements, in accordance with Article 218 TFEU, with third countries or international organisations, allowing and organising their participation in some activities of the Cooperation Group and the CSIRTs network. Such agreements are to ensure adequate protection of data and should promote market access as well as address security risks while increasing global resilience and raising awareness about cyber threats and malicious cyber activities. Particular emphasis should be placed on building a strong partnership in the cyber domain with like-minded countries and organisations such as the UK, USA and NATO which are leading actors in the cybersecurity domain. Therefore, the Union should investigate the possibility to re-launch processes aiming at concluding formal and structured frameworks for cooperation in this field in the future.
Amendment 39
Proposal for a directive
Recital 40 a (new)
(40 a) Member States should consider an active cyber defence programme to be part of their national cybersecurity strategy. Such a programme should provide a synchronised, real-time capability to discover, detect, analyse, and mitigate threats. Active cyber defence operates at network speed using sensors, software and intelligence to detect and stop malicious activity ideally before it can affect networks and systems. Moreover, Member States should significantly enhance information sharing methods, to define a common communication standard that could be used for classified and non-classified information, in order to enhance the rapid action and secure network to counter cyber-attacks.
Amendment 42
(40 b) Member States should come forward with an active cyber defence programme in their national cybersecurity strategies. Active cyber defence is the proactive detection, analysis and mitigation of network security breaches in real-time combined with the use of capabilities deployed outside the victim network. It is based on a defensive strategy that excludes offensive measures against the adversaries’ critical civilian infrastructure which would constitute a breach of international law (such as of the 1977 Additional Protocol to the Geneva Conventions). The ability to rapidly and automatically share and understand threat information and analysis, cyber activity alerts, and response action is critical to enabling unity of effort in successfully detecting and preventing cyber-attacks. Active cyber defence activities could include email server configurations, website configurations, logging enabling and DNS filtering. At the same time, Member States should adopt policies able to ensure the widest possible access to the most performing cybersecurity tools, supporting companies, SMEs and businesses with low financial capabilities, through benefits, grants, loans or fiscal advantages dedicated to the acquisition of highest-level cybersecurity products and services, avoiding that their costs represent an element of discrimination. On the same level, Member States should aim to promote partnerships with Academia and other research centres aimed at fostering R&D cybersecurity programme in order to develop new common technologies, tools and skills applicable in both civilian and defence sectors through a multidisciplinary approach. Partnerships should be financed by existing and new funding tools under the auspices of the Commission.