
9 Amendments of Fabio Massimo CASTALDO related to 2020/0359(COD)

Amendment 23
Proposal for a directive
Recital 2
(2) Since the entry into force of Directive (EU) 2016/1148 significant progress has been made in increasing the Union’s level of cybersecurity resilience. The review of that Directive has shown that it has served as a catalyst for the institutional and regulatory approach to cybersecurity in the Union, paving the way for a significant change in mind-set. That Directive has ensured the completion of national frameworks by defining national cybersecurity strategies, establishing national capabilities, and implementing regulatory measures covering essential infrastructures and actors identified by each Member State. It has also contributed to cooperation at Union level through the establishment of the Cooperation Group[12] and a network of national Computer Security Incident Response Teams (‘CSIRTs network’)[13]. Directive (EU) 2016/1148 was the first Union-wide legislative act on cybersecurity, providing legal measures to boost the overall level of cyber resilience also in the security and defence domain in the Union by ensuring Member States' cooperation and a culture of security across sectors. Notwithstanding those achievements, the review of Directive (EU) 2016/1148 has revealed inherent shortcomings that prevent it from addressing effectively contemporaneous and emerging cybersecurity challenges, which very often originate from outside the Union, posing a serious threat to internal and external security at Union level.
_________________
[12] Article 11 of Directive (EU) 2016/1148.
[13] Article 12 of Directive (EU) 2016/1148.
2021/06/01
Committee: AFET
Amendment 24
Proposal for a directive
Recital 3 a (new)
(3 a) The Union understands hybrid campaigns to be ‘multidimensional, combining coercive and subversive measures, using both conventional and unconventional tools and tactics (diplomatic, military, economic, and technological) to destabilise the adversary. They are designed to be difficult to detect or attribute, and can be used by state and non-state actors’[1a]. Due to the nature of the cyber domain, a proper defence is often at a structural disadvantage in comparison with attacks, especially those of a global or cross border nature and especially in case of fragmentation of strategies and capabilities. The internet and online networks allow State and non-State actors to conduct aggressive action in new ways. They can be used to hack critical infrastructure and democratic processes, launch persuasive disinformation and propaganda campaigns, steal information and unload sensitive data into the public domain. In the worst cases, cyber attacks allow an adversary to take control of assets such as military systems and command structures[1b]. Such large-scale cybersecurity incidents and crises at Union level have the potential to invoke Article 222 TFEU (the 'solidarity clause'). At the same time, thorough cooperation with the private sector and civilian stakeholders, including industries and entities involved in the management of critical infrastructures, is crucial and should be reinforced due to the intrinsic characteristics of the cyber domain, in which technological innovation is mainly driven by private companies that often do not operate in the military field.
_________________
[1a] European Commission/High Representative of the Union for Foreign Affairs and Security Policy, "Joint Communication on Increasing Resilience and Bolstering Capabilities to Address Hybrid Threats", JOIN(2018) 16 final, Brussels, June 13, 2018, p. 1.
[1b] https://www.iss.europa.eu/sites/default/files/EUISSFiles/CP_151.pdf
2021/06/01
Committee: AFET
Amendment 27
Proposal for a directive
Recital 3 b (new)
(3 b) During large-scale cyber security incidents and crises at Union level, the high degree of interdependence between sectors and countries requires coordinated action to ensure a rapid and effective response, as well as better prevention and preparedness for similar situations in the future. The availability of cyber-resilient networks and information systems and the availability, confidentiality and integrity of data are vital for the security of the Union within as well as beyond its borders. The Union’s ambition to acquire a more prominent geopolitical role by becoming ‘strategically autonomous’ and ‘technologically sovereign’ also rests on credible cyber defence and deterrence, including the capacity to identify malicious actions in a timely and effective manner and to respond adequately. Given the blurring of lines between the realms of civilian and military matters and the dual-use nature of cyber tools and technologies, there is a need for a comprehensive and holistic approach to the digital domain. This also applies to Common Security and Defence Policy operations and missions conducted by the Union to ensure peace and stability in its neighbourhood and beyond.
2021/06/01
Committee: AFET
Amendment 28
Proposal for a directive
Recital 6
(6) This Directive leaves unaffected the ability of Member States to take the necessary measures to ensure the protection of the essential interests of their security, to safeguard public policy and public security, and to allow for the investigation, detection and prosecution of criminal offences, in compliance with Union law. Independently of the technological environment of the day, it is essential to always fully respect due process and other safeguards, as well as fundamental rights, in particular the right to the respect for private life and communications and the right to the protection of personal data. Similarly, in order to ensure an all-encompassing resilience, it is necessary not only to strengthen technological infrastructures and to possess response capabilities, but also to spread a cybersecurity culture among the population according to Articles 7 and 8 of the Cybersecurity Act. In accordance with Article 346 TFEU, no Member State is to be obliged to supply information the disclosure of which would be contrary to the essential interests of its public security. In this context, national and Union rules for protecting classified information, non-disclosure agreements, and informal non-disclosure agreements such as the Traffic Light Protocol[14], are of relevance.
_________________
[14] The Traffic Light Protocol (TLP) is a means for someone sharing information to inform their audience about any limitations in further spreading this information. It is used in almost all CSIRT communities and some Information Analysis and Sharing Centres (ISACs).
2021/06/01
Committee: AFET
Amendment 30
Proposal for a directive
Recital 14 a (new)
(14 a) In view of the development of a secure connectivity system, building on the European quantum communication infrastructure (EuroQCI) and the European Union Governmental Satellite Communication (GOVSATCOM), in particular the implementation of GALILEO GNSS for defence users, any future possible development should take into account the entire electronic communications infrastructure such as space, land and submarine network systems. At the same time, a common vision on Cloud adoption strategy for sensitive sectors with the aim of defining a European approach based on shared standards among like-minded States, in order to protect the digital know-how, sensitive data and information should be established.
2021/06/01
Committee: AFET
Amendment 33
Proposal for a directive
Recital 26
(26) Given the importance of international cooperation on cybersecurity, CSIRTs should be able to participate in international cooperation networks in addition to the CSIRTs network established by this Directive, in order to contribute to the development of Union standards that can shape the cybersecurity landscape at international level. On this point, an essential role can be played by the important means of "cyberdiplomacy" in the EU toolbox. Striving to secure multilateral agreements on cyber norms, responsible state and non-state behaviour in cyberspace and effective global digital governance as well as creating an open, free, stable and secure cyberspace anchored in international law through alliances between like-minded countries, organisations, the private sector, civil society and experts, is an integral part of a more comprehensive cybersecurity strategy.
2021/06/01
Committee: AFET
Amendment 36
Proposal for a directive
Recital 36
(36) The Union should, where appropriate, conclude international agreements, in accordance with Article 218 TFEU, with third countries or international organisations, allowing and organising their participation in some activities of the Cooperation Group and the CSIRTs network. Such agreements are to ensure adequate protection of data and should promote market access as well as address security risks while increasing global resilience and raise awareness about cyber threats and malicious cyber activities. Particular emphasis should be placed on building a strong partnership in the cyber domain with like-minded countries and organisations such as the UK, USA and NATO which are leading actors in the cybersecurity domain. Therefore, the Union should investigate the possibility to re-launch processes aiming at concluding formal and structured frameworks for cooperation in this field in the future.
2021/06/01
Committee: AFET
Amendment 39
Proposal for a directive
Recital 40 a (new)
(40 a) Member States should consider an active cyber defense programme to be part of their national cybersecurity strategy. Such a programme should provide a synchronised, real-time capability to discover, detect, analyse, and mitigate threats. Active cyber defence operates at network speed using sensors, software and intelligence to detect and stop malicious activity ideally before it can affect networks and systems. Moreover, Member States should significantly enhance information sharing methods, to define a common communication standard that could be used for classified and non-classified information, in order to enhance the rapid action and secure network to counter cyber-attacks.
2021/06/01
Committee: AFET
Amendment 42
(40 b) Member States should come forward with an active cyber defence programme in their national cybersecurity strategies. Active cyber defence is the proactive detection, analysis and mitigation of network security breaches in real-time combined with the use of capabilities deployed outside the victim network. It is based on a defensive strategy that excludes offensive measures against the adversary's critical civilian infrastructure which would constitute a breach of international law (such as of the 1977 Additional Protocol to the Geneva Conventions). The ability to rapidly and automatically share and understand threat information and analysis, cyber activity alerts, and response action is critical to enabling unity of effort in successfully detecting and preventing cyber-attacks. Active cyber defence activities could include email server configurations, website configurations, logging enabling and DNS filtering. At the same time, Member States should adopt policies able to ensure the widest possible access to the most performing cybersecurity tools, supporting companies, SMEs and businesses with low financial capabilities, through benefits, grants, loans or fiscal advantages dedicated to the acquisition of highest-level cybersecurity products and services, avoiding that their costs represent an element of discrimination. On the same level, Member States should aim to promote partnerships with Academia and other research centres aimed at fostering R&D cybersecurity programme in order to develop new common technologies, tools and skills applicable in both civilian and defence sectors through a multidisciplinary approach. Partnerships should be financed by existing and new funding tools under the auspices of the Commission.
2021/06/01
Committee: AFET