84 Amendments of Zdzisław KRASNODĘBSKI related to 2020/0359(COD)
Amendment 98 #
Proposal for a directive
Recital 11
(11) Depending on the sector in which they operate or the type of service they provide, the entities falling within the scope of this Directive should be classified into two categories: essential and important. That categorisation should take into account the level of criticality of the sector or of the type of service, as well as the level of dependency of other sectors or types of services. Both essential and important entities should be subject to the same risk management requirements and reporting obligations. The cybersecurity risk management measures, reporting obligations and supervisory and penalty regimes between these two categories of entities should be differentiated to ensure a fair balance between requirements and obligations on one hand, and the administrative burden stemming from the supervision of compliance on the other hand.
Amendment 103 #
Proposal for a directive
Recital 12
(12) Sector-specific legislation and instruments can contribute to ensuring high levels of cybersecurity, while taking full account of the specificities and complexities of those sectors. As a minimum baseline, a sector-specific Union legal act should require essential or important entities to adopt cybersecurity risk management measures and to notify incidents or significant cyber threats in line with the requirements laid down in Articles 18 (1, 2) and 20 of this Directive. Where sector-specific legislations foresee specific rules on supervision and enforcement, these rules should apply. The Commission may issue guidelines in relation to the implementation of the lex specialis. This Directive does not preclude the adoption of additional sector-specific Union acts addressing cybersecurity risk management measures and incident notifications. Nevertheless, while adopting such additional sector-specific Union acts, the need for a comprehensive and consistent cybersecurity framework should be duly taken into account. This Directive is without prejudice to the existing implementing powers that have been conferred on the Commission in a number of sectors, including transport and energy.
Amendment 119 #
Proposal for a directive
Recital 20 a (new)
(20a) Member States should ensure that the network and information systems used by their public administration entities are subject to their national cybersecurity regulation. Where appropriate, public administration entities should be subject to obligations similar to those for essential and important entities.
Amendment 120 #
Proposal for a directive
Recital 21
(21) In view of the differences in national governance structures and in order to safeguard already existing sectoral arrangements or Union supervisory and regulatory bodies, Member States should be able to designate more than one national competent authority responsible for fulfilling the tasks linked to the security of the network and information systems of essential and important entities under this Directive, particularly for supervision and enforcement. Member States should be able to assign this role to an existing authority. The competent authorities should have the necessary means to perform their duties, including powers to request the information necessary to assess the level of security of networks or services. They should also have the power to request comprehensive and reliable data about actual security incidents that have had a significant impact on the operation of services. They should, where necessary, be assisted by CSIRTs. In particular, CSIRTs may be required to provide competent authorities with information about risks and security incidents affecting services and recommend ways to address them.
Amendment 148 #
Proposal for a directive
Recital 43
(43) Addressing cybersecurity risks stemming from an entity’s supply chain and its relationship with its suppliers is particularly important given the prevalence of incidents where entities have fallen victim to cyber-attacks and where malicious actors were able to compromise the security of an entity’s network and information systems by exploiting vulnerabilities affecting third party products and services. Entities should therefore assess and take into account the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures. Entities should be in particular encouraged to incorporate the cybersecurity safeguards into the contractual arrangements with the tier-1 suppliers and service providers, including responsibility of the tier-1 suppliers for other tiers of suppliers and service providers.
Amendment 163 #
Proposal for a directive
Recital 48 a (new)
(48a) The national regulatory authorities or other competent authorities responsible for public electronic communications networks or for publicly available electronic communications services pursuant to Directive (EU) 2018/1972 should be informed of significant incidents, cyber threats and near misses notified by providers of public electronic communications networks or publicly available electronic communications services, and of the measures taken in response to those risks and incidents.
Amendment 176 #
Proposal for a directive
Recital 54 a (new)
(54a) An incident should be typically considered significant by the competent authorities or the CSIRT if the incident has caused substantial operational disruption or financial losses for the entity concerned and the incident has affected other natural or legal persons by causing considerable material or non- material losses.
Amendment 192 #
Proposal for a directive
Recital 68
(68) Entities should be encouraged to collectively leverage their individual knowledge and practical experience at strategic, tactical and operational levels with a view to enhancing their capabilities to adequately assess, monitor, defend against, and respond to, cyber threats. It is thus necessary to enable the emergence at Union level of mechanisms for voluntary information sharing arrangements. To this end, Member States should also actively support and encourage relevant entities not covered by the scope of this Directive, such as entities focusing on cybersecurity services and research, to participate in such information-sharing mechanisms. Those mechanisms should be conducted in full compliance with the competition rules of the Union as well as the data protection rules of Union law.
Amendment 194 #
Proposal for a directive
Recital 69
(69) The processing of personal data, to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, by entities, providers of security technologies and services and CERTs should constitute a legitimate interest of the data controller concerned, as referred to in Regulation (EU) 2016/679, and by public authorities, namely competent authorities, Single Points Of Contact (SPOCs), CSIRTs, NIS CG, the CSIRT Network, CERTs and CyCLONe, should constitute a legal obligation or the public interest or the exercise of official authority of the data controller concerned, as referred to in Regulation (EU) 2016/679. That should include measures related to the prevention, detection, analysis and response to incidents, measures to raise awareness in relation to specific cyber threats, exchange of information in the context of vulnerability remediation and coordinated disclosure, as well as the voluntary exchange of information on those incidents, cyber threats and vulnerabilities, indicators of compromise, tactics, techniques and procedures, cybersecurity alerts and configuration tools. Such measures may require the processing of the following types of personal data: IP addresses, telephone numbers, bank account numbers, geolocation data, payment data, uniform resource locators (URLs), domain names, and email addresses.
Amendment 204 #
Proposal for a directive
Recital 79
Amendment 207 #
Proposal for a directive
Recital 80
Amendment 219 #
Proposal for a directive
Article 2 – paragraph 2 – introductory part
2. By way of derogation from paragraph 1 of this Article, regardless of their size, this Directive also applies to entities of a type referred to in Annexes I and II, where:
Amendment 225 #
Proposal for a directive
Article 2 – paragraph 2 a (new)
2a. Member States shall ensure that all entities falling under the scope of this Directive comply with this Directive as important entities. Member States may decide which important entities shall be designated as essential entities, taking into account particularly whether the entities had already been identified as the operators of essential services pursuant to Article 5 of NIS Directive (2016/1148) and prioritisation of the sectors and subsectors with higher level of criticality listed in Annex I. Member States shall by [transposition deadline] establish an initial list of essential and important entities, which should comply with this Directive and review it, on a regular basis, and, where appropriate, update it. Member States shall set a deadline for initial self-notification or identification by the competent authority and compliance with this Directive for the entities falling under the scope of this Directive not exceeding [6 months after the transposition deadline]. The entities which had been already identified as the operators of essential services pursuant to Article 5 of NIS Directive (2016/1148) shall comply with this Directive by [transposition deadline]. The entities shall submit at least the following information: the name of the entity, address and up-to-date contact details, including email addresses and telephone numbers, and relevant sector(s) and subsector(s) referred to in Annexes I and II. The entities shall without undue delay notify any changes to the details they submitted, and in any event, within two weeks from the date on which the change took effect.
Amendment 227 #
Proposal for a directive
Article 2 – paragraph 2 b (new)
2b. The entities referred to in Article 24(1) shall submit the self-notifications in the Member State in which they have their main establishment. Apart from the information referred to in the third subparagraph of paragraph 2a of this Article, they shall notify the address of their main establishment and their other legal establishments in the Union or, if not established in the Union, of their representative designated pursuant to Article 24(3), and the Member States where the entity provides services. Where an entity referred to in paragraph 1 has, besides its main establishment in the Union, further establishments or provides services in other Member States, the single point of contact of the main establishment shall without undue delay forward the information to the single points of contact of those Member States. Where an entity fails to notify or to provide the relevant information on the Member States concerned within the deadline set out by the Member State of its main establishment, any Member State where the entity provides services shall be competent to ensure that entity’s compliance with the obligations laid down in this Directive.
Amendment 228 #
Proposal for a directive
Article 2 – paragraph 2 c (new)
2c. By [6 months after the transposition deadline] and every 12 months thereafter, Member States shall submit to the Cooperation Group and, for the purpose of the review referred to in Article 35, to the Commission the information necessary to enable the assessment of the consistency of Member States' approaches to the identification of essential and important services. That information shall include at least the number of all essential and important entities identified for each sector and subsector referred to in Annexes I and II, including the number of small and micro enterprises in each category;
Amendment 229 #
Proposal for a directive
Article 2 – paragraph 3 a (new)
3a. Member States shall ensure that the network and information systems used by their public administration entities are subject to their national cybersecurity regulation.
Amendment 232 #
Proposal for a directive
Article 2 – paragraph 5 a (new)
5a. To fulfil the tasks set out in this Directive, competent authorities and CSIRTs shall process personal data, including the data referred to in Article 9 of the Regulation (EU) 2016/679, and shall process information that is confidential pursuant to Union and national rules, for the purposes and to the extent strictly necessary to fulfil these tasks.
Amendment 234 #
Proposal for a directive
Article 2 – paragraph 5 b (new)
5b. To fulfil the tasks set out in this Directive, SPOCs, the Cooperation Group, the CSIRT Network and CyCLONe shall process personal data and information that is confidential pursuant to Union and national rules, for the purposes and to the extent strictly necessary to fulfil these tasks.
Amendment 236 #
Proposal for a directive
Article 2 – paragraph 5 c (new)
5c. When processing the personal data referred to in Article 9 of the Regulation (EU) 2016/679, competent authorities and CSIRTs shall conduct the risk analyses, introduce proper safeguards and procedures to exchange information.
Amendment 240 #
Proposal for a directive
Article 2 – paragraph 6
6. Where provisions of sector-specific acts of Union law require essential or important entities to adopt cybersecurity risk management measures and to notify incidents or significant cyber threats, and where those requirements are at least equivalent in effect to the obligations laid down in this Directive, the relevant provisions of this Directive, including the provision on supervision and enforcement laid down in Chapter VI, shall not apply.
Amendment 241 #
Proposal for a directive
Article 2 – paragraph 6 a (new)
6a. Sector-specific acts of Union law referred to in paragraph 6 should at minimum include: (a) cybersecurity risk management measures as laid down in Article 18 (1) and (2); and (b) requirements to notify incidents and significant cyber threats as laid down in Article 20 (1-4).
Amendment 246 #
Proposal for a directive
Article 4 – paragraph 1 – point 5 a (new)
(5a) ‘near miss’ means any event which could have compromised the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the related services offered by, or accessible via, network and information systems, but was successfully prevented from fully transpiring;
Amendment 259 #
Proposal for a directive
Article 4 – paragraph 1 – point 23
Amendment 262 #
Proposal for a directive
Article 4 – paragraph 1 – point 23 a (new)
(23a) ‘public electronic communications network’ means a public electronic communications network as defined in point (8) of Article 2 of Directive (EU) 2018/1972;
Amendment 263 #
Proposal for a directive
Article 4 – paragraph 1 – point 23 b (new)
(23b) ‘electronic communications service’ means an electronic communications service as defined in point (4) of Article 2 of Directive (EU) 2018/1972;
Amendment 264 #
Proposal for a directive
Article 4 – paragraph 1 – point 23 c (new)
(23c) ‘number-based interpersonal communications service’ means a number-based interpersonal communications service as defined in point (6) of Article 2 of Directive (EU) 2018/1972;
Amendment 265 #
Proposal for a directive
Article 4 – paragraph 1 – point 23 d (new)
(23d) ‘number-independent interpersonal communications service’ means a number-independent interpersonal communications service as defined in point (7) of Article 2 of Directive (EU) 2018/1972;
Amendment 266 #
Proposal for a directive
Article 4 – paragraph 1 – point 25
(25) ‘essential entity’ means any entity of a type referred to in Annexes I and II, designated by the Member State as an essential entity;
Amendment 267 #
Proposal for a directive
Article 4 – paragraph 1 – point 26
(26) ‘important entity’ means any entity of a type referred to in Annexes I and II, unless exempted from the scope of this Directive or designated by the Member State as an essential entity;
Amendment 273 #
Proposal for a directive
Article 5 – paragraph 1 – introductory part
1. Each Member State shall adopt a national cybersecurity strategy, a coherent framework defining the strategic objectives and appropriate policy and regulatory measures, with a view to achieving and maintaining a high level of cybersecurity of network and information systems in that Member State. The national cybersecurity strategy shall include, in particular, the following:
Amendment 321 #
Proposal for a directive
Article 9 – paragraph 5
Amendment 338 #
Proposal for a directive
Article 11 – paragraph 4
4. To the extent necessary to effectively carry out the tasks and obligations laid down in this Directive, including supervision and enforcement, Member States shall ensure appropriate cooperation between the competent authorities, single points of contact, CSIRTs, law enforcement authorities, national regulatory authorities or other competent authorities responsible for public electronic communications networks or for publicly available electronic communications services pursuant to Directive (EU) 2018/1972, data protection authorities, the authorities responsible for critical infrastructure pursuant to Directive (EU) XXXX/XXXX [Resilience of Critical Entities Directive] and the national financial authorities designated in accordance with Regulation (EU) XXXX/XXXX of the European Parliament and of the Council39 [the DORA Regulation] within that Member State.
39 [insert the full title and OJ publication reference when known]
Amendment 345 #
Proposal for a directive
Article 12 – paragraph 4 – point b
(b) exchanging best practices and information in relation to the implementation of this Directive, including in relation to the identification of essential and important entities, cyber threats, incidents, vulnerabilities, near misses, awareness-raising initiatives, trainings, exercises and skills, capacity building as well as standards and technical specifications;
Amendment 346 #
Proposal for a directive
Article 12 – paragraph 4 – point d
(d) exchanging advice and cooperating with the Commission on draft Commission implementing or delegated acts adopted pursuant to this Directive;
Amendment 348 #
Proposal for a directive
Article 12 – paragraph 4 – point f
Amendment 349 #
Proposal for a directive
Article 12 – paragraph 4 – point f a (new)
(fa) carrying out coordinated security risk assessments pursuant to Article 19(1), where applicable;
Amendment 350 #
Proposal for a directive
Article 12 – paragraph 4 – point k a (new)
(ka) submitting to the Commission for the purpose of review referred to in Article 35 the reports on the experience gained at a strategic and operational level;
Amendment 354 #
Proposal for a directive
Article 13 – paragraph 3 – point l
Amendment 355 #
Proposal for a directive
Article 13 – paragraph 4
4. For the purpose of the review referred to in Article 35 and by 24 months after the date of entry into force of this Directive, and every two years thereafter, the CSIRTs network shall assess the progress made with the operational cooperation and produce a report. The report shall, in particular, draw conclusions on the outcomes of the peer reviews referred to in Article 16 carried out in relation to national CSIRTs, including conclusions and recommendations, pursued under this Article. That report shall also be submitted to the Cooperation Group.
Amendment 356 #
Proposal for a directive
Article 14 – paragraph 1
1. In order to support the coordinated management of large-scale cybersecurity incidents and crises at operational level and to ensure the regular exchange of information among Member States and Union institutions, bodies and agencies considering such incidents and crises, the European Cyber Crises Liaison Organisation Network (EU - CyCLONe) is hereby established.
Amendment 357 #
Proposal for a directive
Article 14 – paragraph 2
2. EU-CyCLONe shall be composed of the representatives of Member States’ crisis management authorities designated in accordance with Article 7 and ENISA. The Commission shall participate in the EU-CyCLONe as an observer. ENISA shall provide the secretariat of the network and support the secure exchange of information.
Amendment 358 #
Proposal for a directive
Article 14 – paragraph 3 – introductory part
3. EU-CyCLONe, while avoiding any duplication of tasks with the CSIRT Network, shall have the following tasks:
Amendment 359 #
Proposal for a directive
Article 14 – paragraph 3 – point b
Amendment 360 #
Proposal for a directive
Article 14 – paragraph 3 – point d
Amendment 362 #
Proposal for a directive
Article 14 – paragraph 5
5. EU-CyCLONe shall regularly report to the Cooperation Group on large-scale incidents and crises, focusing in particular on their impact on essential and important entities.
Amendment 365 #
Proposal for a directive
Article 15 – paragraph 1 – point b
(b) the technical, financial and human resources available to competent authorities and cybersecurity policies, and the implementation of supervisory measures and enforcement actions in light of the outcomes of peer reviews referred to in Article 16;
Amendment 371 #
Proposal for a directive
Article 16
Amendment 384 #
Proposal for a directive
Article 17 – paragraph 2
2. Member States shall ensure that members of the management body of essential and important entities follow specific trainings, where possible on a regular basis, to gain sufficient knowledge and skills in order to apprehend and assess cybersecurity risks and management practices and their impact on the services provided by the entity.
Amendment 386 #
Proposal for a directive
Article 18 – paragraph 1
1. Member States shall ensure that essential and important entities shall take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which those entities use in the provision of their services and to prevent or minimise the impact of incidents on recipients of their services and on other services. Having regard to the state of the art, those measures shall ensure a level of security of network and information systems appropriate to the risk presented, and differentiate between the essential and important entities and between the sectors and subsectors with higher or lower level of criticality referred to in Annexes I and II.
Amendment 409 #
Proposal for a directive
Article 18 – paragraph 4 a (new)
4a. In order to promote the convergent implementation of paragraphs 1 and 2, Member States shall, in accordance with Article 12(4), be assisted by the Cooperation Group, and shall, without imposing or discriminating in favour of the use of a particular type of technology, encourage the use of European or internationally accepted standards and specifications relevant to the security of network and information systems.
Amendment 410 #
Proposal for a directive
Article 18 – paragraph 4 b (new)
4b. ENISA, in collaboration with Member States and industry, shall draw up advice and guidelines regarding the technical areas to be considered in relation to paragraphs 1 and 2 as well as regarding already existing standards, including Member States' national standards, which would allow for those areas to be covered.
Amendment 411 #
Proposal for a directive
Article 18 – paragraph 5
Amendment 416 #
Proposal for a directive
Article 18 – paragraph 6
Amendment 420 #
Proposal for a directive
Article 19 – paragraph 2
2. The Commission, after consulting with the Cooperation Group, ENISA and the industry, shall identify the specific critical ICT services, systems or products that may be subject to the coordinated risk assessment referred to in paragraph 1.
Amendment 422 #
Proposal for a directive
Article 19 – paragraph 2 a (new)
2a. To identify the supply chains that should be subject to a coordinated risk assessment, the following criteria shall be taken into account: (a) the extent to which essential and important entities use and rely on specific critical ICT services, systems or products; (b) the relevance of specific critical ICT services, systems or products for performing critical or sensitive functions, including the processing of personal data; (c) the availability of alternative ICT services, systems or products; (d) the resilience of the overall supply chain of ICT services, systems or products against disruptive events; (e) for emerging ICT services, systems or products, their potential future significance for the entities’ activities.
Amendment 444 #
Proposal for a directive
Article 20 – paragraph 4 – subparagraph 1 – introductory part
4. Member States shall ensure that, for the purpose of the notification under paragraph 1, the entities concerned shall submit to the competent authorities and the CSIRT:
Amendment 460 #
Proposal for a directive
Article 20 – paragraph 4 a (new)
4a. When processing notifications, the competent authorities and the CSIRT shall, taking into account their available capacity, prioritise the processing of notifications from essential entities over those from important entities and processing of mandatory notifications from essential and important entities over the voluntary notifications pursuant to Article 27.
Amendment 470 #
Proposal for a directive
Article 20 – paragraph 7 a (new)
7a. Competent authorities or the CSIRTs shall provide without undue delay to the single point of contact information on significant incidents notified in accordance with paragraph 1.
Amendment 472 #
Proposal for a directive
Article 20 – paragraph 8
8. At the request of the competent authority or the CSIRT, the single point of contact shall forward without undue delay notifications received pursuant to paragraphs 1 and 2 to the single points of contact of other affected Member States.
Amendment 474 #
Proposal for a directive
Article 20 – paragraph 9
9. The single point of contact shall submit to ENISA on a monthly basis a summary report including anonymised and aggregated data on significant incidents, significant cyber threats and significant near misses notified in accordance with paragraphs 1 and 2 and in accordance with Article 27. In order to contribute to the provision of comparable information, ENISA may issue technical guidance on the parameters of the information included in the summary report.
Amendment 477 #
Proposal for a directive
Article 20 – paragraph 10
10. Competent authorities or the CSIRTs shall provide without undue delay to the competent authorities designated pursuant to Directive (EU) XXXX/XXXX [Resilience of Critical Entities Directive] information on significant incidents notified in accordance with paragraphs 1 and 2 by essential entities identified as critical entities, or as entities equivalent to critical entities, pursuant to Directive (EU) XXXX/XXXX [Resilience of Critical Entities Directive], as well as on the measures taken by competent authorities or CSIRTs in response to those incidents.
Amendment 480 #
Proposal for a directive
Article 20 – paragraph 10 a (new)
10a. Competent authorities or the CSIRTs shall provide without undue delay to the national regulatory authorities or other competent authorities responsible for public electronic communications networks or for publicly available electronic communications services pursuant to Directive (EU) 2018/1972, information on significant incidents notified in accordance with paragraph 1 by providers of public electronic communications networks or publicly available electronic communications services referred to in point 8 of Annex I, as well as on the measures taken by competent authorities or CSIRTs in response to those incidents.
Amendment 484 #
Proposal for a directive
Article 20 – paragraph 11
11. The Commission, after it has consulted the industry and taking utmost account of ENISA’s opinion, may adopt implementing acts further specifying the type of information, the format and the procedure of a notification submitted pursuant to paragraphs 1 and 2. They shall be based on European and international standards to the greatest extent possible. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 37(2).
Amendment 486 #
Proposal for a directive
Article 21 – title
Use of European cybersecurity certification schemes and standardisation
Amendment 490 #
Proposal for a directive
Article 21 – paragraph 1
1. In order to increase the level of cybersecurity, Member States may recommend essential and important entities to certify certain ICT products, ICT services and ICT processes under specific European cybersecurity certification schemes adopted pursuant to Article 49 of Regulation (EU) 2019/881 or other international cybersecurity certification schemes. Member States shall also encourage essential and important entities to comply with European and internationally accepted standards.
Amendment 493 #
Proposal for a directive
Article 21 – paragraph 2
Amendment 499 #
Proposal for a directive
Article 21 – paragraph 3
Amendment 511 #
Proposal for a directive
Article 24 – paragraph 1 a (new)
1a. All essential and important entities referred to in Annexes I and II, with the exception of entities referred to in paragraph 1 of this Article, shall fall under the jurisdiction of the Member State where they provide their services. If the entity provides services in more than one Member State, it shall fall under the separate and concurrent jurisdiction of each of these Member States. The competent authorities of these Member States shall cooperate, provide mutual assistance to each other and where appropriate, carry out joint supervisory actions.
Amendment 513 #
Proposal for a directive
Article 24 – paragraph 2
2. For the purposes of this Directive, entities referred to in paragraph 1 shall be deemed to have their main establishment in the Union in the Member State where the decisions related to the cybersecurity risk management measures are taken. If such decisions are not taken in any establishment in the Union, the main establishment shall be deemed to be in the Member State where the entities have the establishment responsible for the implementation of the main cybersecurity risk management measures in the Union.
Amendment 522 #
Proposal for a directive
Article 26 – paragraph 1 – introductory part
1. Without prejudice to Regulation (EU) 2016/679, Member States shall ensure that essential and important entities and other relevant entities not covered by the scope of this Directive may exchange relevant cybersecurity information among themselves including information relating to cyber threats, vulnerabilities, indicators of compromise, tactics, techniques and procedures, cybersecurity alerts and configuration tools, where such information sharing:
Amendment 534 #
Proposal for a directive
Article 26 – paragraph 5
5. In compliance with Union law, ENISA shall support the establishment of cybersecurity information-sharing arrangements referred to in paragraphs 2 and 3a by providing best practices and guidance.
Amendment 536 #
Proposal for a directive
Article 27 – paragraph 1
Member States shall ensure that, without prejudice to Article 3, entities falling outside the scope of this Directive may submit notifications to competent authorities or the CSIRT, on a voluntary basis, of significant incidents, significant cyber threats or significant near misses.
Amendment 538 #
Proposal for a directive
Article 27 – paragraph 1 a (new)
Member States shall ensure that Article 20 applies mutatis mutandis for the submission and processing of the voluntary notifications referred to in paragraph 1 and 1a of this Article. Voluntary reporting shall not result in the imposition of any additional obligations upon the reporting entity to which it would not have been subject had it not submitted the notification.
Amendment 539 #
Proposal for a directive
Article 27 – paragraph 1 b (new)
Member States shall ensure that Article 20 applies mutatis mutandis for the submission and processing of the voluntary notifications referred to in paragraphs 1 and 1a of this Article. Where applicable, the voluntarily reporting entities shall be encouraged to notify simultaneously the recipients of their services that are potentially affected of any measures or remedies that those recipients can take in response to the threat. The notification shall not make the notifying entity subject to increased liability. Voluntary reporting shall not result in the imposition of any additional obligations upon the reporting entity to which it would not have been subject had it not submitted the notification.
Amendment 547 #
Proposal for a directive
Article 29 – paragraph 2 – point g
(g) requests for evidence of implementation of cybersecurity policies, such as the results of security audits carried out by a qualified auditor and the respective underlying evidence; the cost of the audit shall be paid by the essential entity;
Amendment 550 #
Proposal for a directive
Article 29 – paragraph 4 – point b
(b) issue binding instructions, including those regarding the measures required to remedy an incident or prevent one from occurring when a significant threat has been identified, time-limits for implementation and reporting obligations, or an order requiring those entities to remedy the deficiencies identified or the infringements of the obligations laid down in this Directive;
Amendment 560 #
Proposal for a directive
Article 29 – paragraph 5 – subparagraph 1 – point a
(a) suspend or request a certification or authorisation body to consider suspension of a certification or authorisation concerning part or all the relevant services or activities provided by an essential entity;
Amendment 572 #
Proposal for a directive
Article 30 – paragraph 2 – point a a (new)
(aa) investigate cases of non-compliance and the effects thereof on the security of the services;
Amendment 580 #
Proposal for a directive
Article 31 – paragraph 6
Amendment 590 #
Proposal for a directive
Article 38 – paragraph 1
1. Member States shall adopt and publish, by … [24 months after the date of entry into force of this Directive], the laws, regulations and administrative provisions necessary to comply with this Directive. They shall immediately inform the Commission thereof. They shall apply those measures from … [one day after the date referred to in the first subparagraph].
Amendment 592 #
Proposal for a directive
Article 39 – paragraph 1
Article 19 of Regulation (EU) No 910/2014 is deleted with effect from [date of transposition deadline of the Directive].
Amendment 597 #
Proposal for a directive
Article 42 – paragraph 1
This Directive shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union, with the exception of Article 39, which enters into force on the day following the day when the transposition deadline as laid down in Article 38 expires.
Amendment 598 #
Proposal for a directive
Annex I – subheading 1
ENTITIES WITH HIGHER LEVEL OF CRITICALITY:
Amendment 600 #
Proposal for a directive
Annex II – subheading 1