Activities of Maite PAGAZAURTUNDÚA related to 2020/0359(COD)
Plenary speeches (1)
A high common level of cybersecurity across the Union (debate)
Shadow opinions (1)
OPINION on the proposal for a directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148
Amendments (21)
Amendment 104 #
Proposal for a directive
Recital 36
Recital 36
(36) The Union should, where appropriate, conclude international agreements, in accordance with Article 218 TFEU, with third countries or international organisations, allowing and organising their participation in some activities of the Cooperation Group and the CSIRTs network. Such agreements should ensure adequate protection of dataWhen personal data is transferred to a third country or international organisation, Chapter V of Regulation (EU) 2016/679 shall apply.
Amendment 105 #
Proposal for a directive
Recital 37
Recital 37
(37) Member States should contribute to the establishment of the EU Cybersecurity Crisis Response Framework set out in Recommendation (EU) 2017/1584 through the existing cooperation networks, notably the Cyber Crisis Liaison Organisation Network (EU-CyCLONe), CSIRTs network and the Cooperation Group. EU- CyCLONe and the CSIRTs network should cooperate on the basis of procedural arrangements defining the modalities of that cooperation. The EU-CyCLONe’s rules of procedures should further specify the modalities through which the network should function, including but not limited to roles, cooperation modes, interactions with other relevant actors and templates for information sharing, as well as means of communication. For crisis management at Union level, relevant parties should rely on the Integrated Political Crisis Response (IPCR) arrangements. The Commission should use the ARGUS high-level cross- sectoral crisis coordination process for this purpose. If the crisis concerns two or more Member States and is, or may be, suspected to be of criminal nature, the activation of the EU Law Enforcement Emergency Response Protocol should be considered. If the crisis entails an important external or Common Security and Defence Policy (CSDP) dimension, the European External Action Service (EEAS) Crisis Response Mechanism (CRM) should be activated.
Amendment 124 #
Proposal for a directive
Recital 57
Recital 57
(57) Where it is suspected that an incident is related to serious criminal activities under Union or national law, Member States should encourage essential and important entities, on the basis of applicable criminal proceedings rules in compliance with Union law, toshould report incidents of a suspected serious criminal nature to the relevant law enforcement authorities. Where appropriate, and without prejudice to the personal data protection rules applying to Europol, it is desirable that coordination between competent authorities and law enforcement authorities of different Member States be facilitated by the EC3 and ENISA.
Amendment 134 #
Proposal for a directive
Recital 78 a (new)
Recital 78 a (new)
(78a) The European Commission should support Member States to design educational programmes on cybersecurity, to enable members of the management body of entities falling within the scope of this Directive to receive or recruit cybersecurity specialists and technicians in order to comply with the obligations arising from this Directive.
Amendment 138 #
Proposal for a directive
Article 1 a (new)
Article 1 a (new)
Article 1 a Protection and processing of personal data 1. Any processing of personal data in the Member States pursuant to this Directive shall be carried out in accordance with Regulation (EU) 2016/679and Directive 2002/58/EC.2. Any processing of personal data by the Commission and ENISA pursuant to this Directive shall be carried out in accordance with Regulation (EC) No 2018/1725.
Amendment 155 #
Proposal for a directive
Article 2 – paragraph 6 a (new)
Article 2 – paragraph 6 a (new)
6 a. Before 31 December 2021, the Commission shall publish a legislative proposal to include Union institutions, offices, bodies and agencies (EUIs) in the overall EU-wide cybersecurity framework, with a view to achieving a uniform level of protection through consistent and homogeneous rules.
Amendment 174 #
Proposal for a directive
Article 5 – paragraph 2 – point e a (new)
Article 5 – paragraph 2 – point e a (new)
(ea) a policy on education to develop training programmes on cybersecurity to provide entities with specialists and technicians;
Amendment 190 #
Proposal for a directive
Article 12 – paragraph 3 – introductory part
Article 12 – paragraph 3 – introductory part
3. The Cooperation Group shall be composed of representatives of Member States, the Commission and ENISA. The European External Action Service and the European Cybercrime Centre at Europol shall participate in the activities of the Cooperation Group as an observer. The European Supervisory Authorities (ESAs) in accordance with Article 17(5)(c) of Regulation (EU) XXXX/XXXX [the DORA Regulation] may participate in the activities of the Cooperation Group.
Amendment 191 #
Proposal for a directive
Article 12 – paragraph 3 – introductory part
Article 12 – paragraph 3 – introductory part
3. The Cooperation Group shall be composed of representatives of Member States, the Commission and, ENISA and the EDPB. The European External Action Service shall participate in the activities of the Cooperation Group as an observer. The European Supervisory Authorities (ESAs) in accordance with Article 17(5)(c) of Regulation (EU) XXXX/XXXX [the DORA Regulation] may participate in the activities of the Cooperation Group.
Amendment 194 #
Proposal for a directive
Article 13 – paragraph 2
Article 13 – paragraph 2
2. The CSIRTs network shall be composed of representatives of the Member States’ CSIRTs and CERT–EU. The Commission and the European Cybercrime Centre at Europol shall participate in the CSIRTs network as an observer. ENISA shall provide the secretariat and shall actively support cooperation among the CSIRTs.
Amendment 195 #
Proposal for a directive
Article 14 – paragraph 2
Article 14 – paragraph 2
2. EU-CyCLONe shall be composed of the representatives of Member States’ crisis management authorities designated in accordance with Article 7, the Commission and ENISA. The European Cybercrime Centre at Europol shall participate in the activities of EU- CyCLONe as an observer. ENISA shall provide the secretariat of the network and support the secure exchange of information.
Amendment 197 #
Proposal for a directive
Article 14 – paragraph 6
Article 14 – paragraph 6
6. EU-CyCLONe shall cooperate with the CSIRTs network on the basis of agreed procedural arrangements, and with law enforcement in the framework of the EU Law Enforcement Emergency Response Protocol.
Amendment 202 #
Proposal for a directive
Article 17 – paragraph 2
Article 17 – paragraph 2
2. Member States shall ensure that members of the management body and cybersecurity specialists in charge, follow specific trainings, on a regular basis, to gain sufficient knowledge and skills, in order to apprehend and assess cybersecurity risks and management practices and their impact on the operations of the entity.
Amendment 203 #
Proposal for a directive
Article 18 – paragraph 1
Article 18 – paragraph 1
1. Member States shall ensure that essential and important entities shall take appropriate and proportionate technical and organisational measures to manage the risks posed to the cybersecurity of network and information systems which those entities use in the provision of their servicesused for the provision of their services, and in view of assuring continuity of these services and to manage the risks posed to the rights of individuals when their personal data are processed. Having regard to the state of the art, those measures shall ensure a level of cybersecurity of network and information systems appropriate to the risk presented.
Amendment 209 #
Proposal for a directive
Article 19 – paragraph 2
Article 19 – paragraph 2
2. The Commission, after consulting with the Cooperation Group, The European Data Protection Board and ENISA, shall identify the specific critical ICT services, systems or products that may be subject to the coordinated risk assessment referred to in paragraph 1.
Amendment 212 #
Proposal for a directive
Article 20 – paragraph 1
Article 20 – paragraph 1
1. Member States shall ensure that essential and important entities notify, without undue delay, the competent authorities or the CSIRT in accordance with paragraphs 3 and 4 of any incident having a significant impact on the provision of their services, and to the competent law enforcement authorities if the incident is of a suspected or known malicious nature. Where appropriate, those entities shall notify, without undue delay, the recipients of their services of incidents that are likely to adversely affect the provision of that service. Member States shall ensure that those entities report, among others, any information enabling the competent authorities or the CSIRT to determine any cross-border impact of the incident.
Amendment 217 #
Proposal for a directive
Article 20 – paragraph 6
Article 20 – paragraph 6
6. Where appropriate, and in particular where the incident referred to in paragraph 1 concerns two or more Member States, the competent authority or the CSIRT shall inform the other affected Member States and ENISA of the incident. If the incident concerns two or more Member States and is, or may be, suspected to be of criminal nature, the competent authority or the CSIRT shall inform EUROPOL. In so doing, the competent authorities, CSIRTs and single points of contact shall, in accordance with Union law or national legislation that complies with Union law, preserve the entity’s security and commercial interests as well as the confidentiality of the information provided.
Amendment 222 #
Proposal for a directive
Article 22 – paragraph 2
Article 22 – paragraph 2
2. ENISA, after having consulted the EDPB, in collaboration with Member States, shall draw up advice and guidelines regarding the technical areas to be considered in relation to paragraph 1 as well as regarding already existing standards, including Member States' national standards, which would allow for those areas to be covered.
Amendment 227 #
Proposal for a directive
Article 23 – paragraph 5
Article 23 – paragraph 5
5. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD provide access to specific domain name registration data upon lawful and duly justified requests of legitimate access seekerspublic authorities, including competent authorities under this Directive or supervisory authorities under Regulation(EU) 2016/679, in compliance with Union data protection law. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD reply without undue delay to all lawful and duly notified requests for access. Member States shall ensure that policies and procedures to disclose such data are made publicly available.
Amendment 240 #
Proposal for a directive
Article 32 – paragraph 1
Article 32 – paragraph 1
1. Where the competent authorities have indications that the infringement by an essential or important entity of the obligations laid down in Articles 18 and 20 entails a personal data breach, as defined by Article 4(12) of Regulation (EU) 2016/679 which shall be notified pursuant to Article 33 of that Regulation, they shall inform the supervisory authorities competent pursuant to Articles 55 and 56 of that Regulation within a reasonable period of timeout undue delay.
Amendment 244 #
Proposal for a directive
Article 35 – paragraph 1
Article 35 – paragraph 1
The Commission shall periodically review the functioning of this Directive every 3 years, and report to the European Parliament and to the Council. The report shall in particular assess to what extent the Directive has contributed to achieve the highest level of security and integrity of networks and information, while giving an optimal protection to private life and personal data, and the relevance of sectors, subsectors, size and type of entities referred to in Annexes I and II for the functioning of the economy and society in relation to cybersecurity. For this purpose and with a view to further advancing the strategic and operational cooperation, the Commission shall take into account the reports of the Cooperation Group and the CSIRTs network on the experience gained at a strategic and operational level. The first report shall be submitted by… [54 months after the date of entry into force of this Directive].