Activities of Deirdre CLUNE related to 2020/0359(COD)

Plenary speeches (1)

A high common level of cybersecurity across the Union (debate)
2022/11/10
Dossiers: 2020/0359(COD)

Shadow opinions (1)

OPINION on the proposal for a directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148
2021/07/14
Committee: IMCO
Dossiers: 2020/0359(COD)
Documents: PDF(316 KB) DOC(225 KB)
Authors: Morten LØKKEGAARD (MEP ID 96709)

Amendments (23)

Amendment 75 #
Proposal for a directive
Recital 9
(9) However, small or micro entities fulfilling certain criteria that indicate a key role for the economies or societies of Member States or for particular sectors or types of services, should also be covered by this Directive. Member States should be responsible for establishing a list of such entities, and submit it to the Commission. The Commission should provide clear guidance on the criteria establishing which SMEs would be critical or important, especially for SMEs who provide services in multiple Member States.
2021/06/03
Committee: IMCO
Amendment 80 #
Proposal for a directive
Recital 12 a (new)
(12a) The extension of the scope of this directive will mean the inclusion of entities subject to parallel regulation which may entail additional reporting requirements. In order to ensure coherence with all regulatory requirements, the Commission should ensure that where there are sector-specific acts that require essential or important entities either to adopt cybersecurity risk management measures or to notify incidents or significant cyber threats, that they should be consistent with the definitions and requirements of this Directive so that horizontal and sectoral legal instruments are sufficiently aligned in order to avoid any regulatory duplication or burden.
2021/06/03
Committee: IMCO
Amendment 81 #
Proposal for a directive
Recital 12 b (new)
(12b) The Commission should publish clear guidance accompanying this Directive to help ensure harmonisation in implementation across Member States and avoid fragmentation.
2021/06/03
Committee: IMCO
Amendment 94 #
Proposal for a directive
Recital 28 a (new)
(28a) The Commission, ENISA and the Member States should continue to foster international alignment with standards and existing industry best practices in the area of risk management, for example in the areas of supply chain security assessments, information sharing and vulnerability disclosure.
2021/06/03
Committee: IMCO
Amendment 124 #
Proposal for a directive
Recital 68
(68) Entities should be encouraged and supported by Member States to collectively leverage their individual knowledge and practical experience at strategic, tactical and operational levels with a view to enhance their capabilities to adequately assess, monitor, defend against, and respond to, cyber threats. It is thus necessary to enable the emergence at Union level of mechanisms for voluntary information sharing arrangements that are based on already established internationally recognised standards. To this end, Member States should actively support and encourage also relevant entities not covered by the scope of this Directive to participate in such information-sharing mechanisms. Those mechanisms should be conducted in full compliance with the competition rules of the Union as well as the data protection Union law rules.
2021/06/03
Committee: IMCO
Amendment 127 #
Proposal for a directive
Recital 70
(70) In order to strengthen the supervisory powers and actions that help ensure effective compliance and to achieve a common high level of security throughout the digital sector including by preventing risks for users or other networks, information systems and services, this Directive should provide for a minimum list of supervisory actions and means through which competent authorities may supervise essential and important entities. In addition, this Directive should establish a differentiation of supervisory regime between essential and important entities with a view to ensuring a fair balance of obligations for both entities and competent authorities. Thus, essential entities should be subject to a fully-fledged supervisory regime (ex-ante and ex-post), while important entities should be subject to a light supervisory regime, ex-post only. For the latter, this means that important entities should not document systematically compliance with cybersecurity risk management requirements, while competent authorities should implement a reactive ex-post approach to supervision and, hence, not have a general obligation to supervise those entities except where there is a demonstrable breach of obligations.
2021/06/03
Committee: IMCO
Amendment 131 #
Proposal for a directive
Article 1 – paragraph 1
1. This Directive lays down measures with a view to ensuring a high common level of cybersecurity within the Union to ensure a trustworthy digital environment for consumers and business and to improve and remove barriers to the functioning of the internal market.
2021/06/03
Committee: IMCO
Amendment 146 #
Proposal for a directive
Article 4 – paragraph 1 – point 15 a (new)
(15a) ‘domain name registration services’ means services provided by domain name registries and registrars, privacy or proxy registration service providers, domain brokers or resellers, and any other services which are related to the registration of domain names;
2021/06/03
Committee: IMCO
Amendment 157 #
Proposal for a directive
Article 5 – paragraph 2 – point c
(c) a policy to promote and facilitate coordinated vulnerability disclosure within the meaning of Article 6 including by laying down guidelines and best practices based on already established internationally recognised standards on vulnerability handling and disclosure;
2021/06/03
Committee: IMCO
Amendment 162 #
Proposal for a directive
Article 5 – paragraph 2 – point h
(h) a policy promoting cybersecurity and addressing the specific needs of SMEs, in particular those excluded from the scope of this Directive, in relation to guidance and support in improving their resilience to cybersecurity threats, including, for example funding and education to support the uptake of cybersecurity measures;
2021/06/03
Committee: IMCO
Amendment 166 #
Proposal for a directive
Article 5 – paragraph 2 – point h a (new)
(ha) a policy to raise awareness and increase education about cybersecurity threats among consumers in the EU;
2021/06/03
Committee: IMCO
Amendment 178 #
Proposal for a directive
Article 7 – paragraph 1 a (new)
1a. Where a Member State designates more than one competent authority referred to in paragraph 1, it shall clearly indicate which of these competent authorities will serve as the main point of contact during a large-scale incident or crisis.
2021/06/03
Committee: IMCO
Amendment 208 #
Proposal for a directive
Article 18 – paragraph 1
1. Member States shall ensure that essential and important entities shall take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of networks, information systems and services. Having regard to the state of the art, those measures shall ensure a level of security of network and information systems appropriate to the risk presented.
2021/06/03
Committee: IMCO
Amendment 216 #
Proposal for a directive
Article 18 – paragraph 2 a (new)
2a. ENISA may facilitate, in accordance with Regulation (EU) No 526/2013 of the European Parliament and of the Council, the coordination of Member States regarding the measures referred to in paragraph 1, to avoid regulatory fragmentation that may create barriers in the internal market and present additional risks.
2021/06/03
Committee: IMCO
Amendment 227 #
Proposal for a directive
Article 20 – paragraph 1 a (new)
1a. For the purpose of simplifying reporting obligations, Member States shall establish a single entry point for all notifications required under this Directive and also under other Union law such as Regulation (EU) 2016/679 and Directive 2002/58/EC.
2021/06/03
Committee: IMCO
Amendment 228 #
Proposal for a directive
Article 20 – paragraph 1 b (new)
1b. ENISA, in cooperation with the Cooperation Group shall develop common notification templates by means of guidelines that would simplify and streamline the reporting information requested by Union law and decrease the burden for companies.
2021/06/03
Committee: IMCO
Amendment 238 #
Proposal for a directive
Article 20 – paragraph 4 – subparagraph 1 – point a
(a) without undue delay and in any event no later than 72 hours after having become aware of the incident, an initial notification, which, where applicable, shall indicate whether the incident is presumably caused by unlawful or malicious action;
2021/06/03
Committee: IMCO
Amendment 240 #
Proposal for a directive
Article 20 – paragraph 4 – subparagraph 1 – point c – introductory part
(c) a comprehensive report not later than three months after the submission of the report under point (a), including at least the following:
2021/06/03
Committee: IMCO
Amendment 243 #
Proposal for a directive
Article 20 – paragraph 4 – subparagraph 1 – point c a (new)
(ca) a final report should be provided one month after the incident has been mitigated
2021/06/03
Committee: IMCO
Amendment 264 #
Proposal for a directive
Article 23 – paragraph 3
3. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD have policies and procedures in place to ensure that the databases infrastructure includes accurate, verified and complete information, and that inaccurate or incomplete data should be corrected or erased by the registrant without delay. Member States shall ensure that such policies and procedures are made publicly available.
2021/06/03
Committee: IMCO
Amendment 272 #
Proposal for a directive
Article 24 – paragraph 2
2. For the purposes of this Directive, entities referred to in paragraph 1 shall be deemed to have their main establishment in the Union in the Member State where the decisions related to the cybersecurity risk management measures are taken. If such decisions are not taken in any establishment in the Union, the main establishment shall be deemed to be in the Member State where the entities have the establishment with the highest number of employees in the Union. This shall be done in a manner that ensures that no disproportionate burden falls on the regulatory body of one, or a small number of, Member States.
2021/06/03
Committee: IMCO
Amendment 279 #
Proposal for a directive
Article 26 – paragraph 5
5. In compliance with Union law, ENISA shall support the establishment of cybersecurity information-sharing arrangements referred to in paragraph 2 by providing best practices and guidance; as well as by facilitating information-sharing at Union level, with the aim of promoting the cross-border exchange of information between relevant trusted communities of essential and important entities as referred to in the second paragraph, taking into account Union law and safeguarding business-sensitive information.
2021/06/03
Committee: IMCO
Amendment 282 #
Proposal for a directive
Article 27 – paragraph 1
Member States shall ensure that, without prejudice to Article 3, entities within the scope and falling outside the scope of this Directive may submit notifications, on a voluntary basis, of significant incidents, cyber threats or near misses. When processing notifications, Member States shall act in accordance with the procedure laid down in Article 20. Member States may prioritise the processing of mandatory notifications over voluntary notifications. Voluntary reporting shall not result in the imposition of any additional obligations upon the reporting entity to which it would not have been subject had it not submitted the notification.
2021/06/03
Committee: IMCO