Activities of Maite PAGAZAURTUNDÚA related to 2022/0085(COD)
Shadow opinions (1)
OPINION on the proposal for a regulation of the European Parliament and of the Council laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union
Amendments (30)
Amendment 42 #
Proposal for a regulation
Recital 7
(7) The differences between Union institutions, bodies and agencies require flexibility in the implementation since one size will not fit all. The measures for a high common level of cybersecurity should support the exercise of the missions of Union institutions, bodies and agencies and take into account their institutional autonomy. Thus, those institutions, bodies and agencies should establish their own frameworks for cybersecurity risk management, governance and control, and adopt their own baselines and cybersecurity plans, while safeguarding the coherence and interoperability of their respective frameworks.
Amendment 43 #
Proposal for a regulation
Recital 8
(8) Cybersecurity risk management requirements should correspond to the risk presented by the network and information system concerned, taking into account the state of the art of such measures. Each Union institution, body and agency should aim to allocate an adequate percentage of its IT budget to improve its level of cybersecurity; in the medium term a target in the order of 10% should be pursued.
Amendment 45 #
Proposal for a regulation
Recital 10
(10) Union institutions, bodies and agencies should assess risks related to relationships with suppliers and service providers, including providers of data storage and processing services or managed security services, and take appropriate measures to address them. These suppliers and service providers should be vetted thoroughly, taking into account the full range of the supply chain and the economic and political environment in which they operate. Where these relationships pose a risk to the integrity of democratic processes in the EU, they should be terminated without undue delay. These measures should form part of the cybersecurity baseline and be further specified in guidance documents or recommendations issued by CERT-EU. When defining measures and guidelines, due account should be taken of relevant EU legislation and policies, including risk assessments and recommendations issued by the NIS Cooperation Group, such as the EU Coordinated risk assessment and EU Toolbox on 5G cybersecurity. In addition, certification of relevant ICT products, services and processes could be required, under specific EU cybersecurity certification schemes adopted pursuant to Article 49 of Regulation (EU) 2019/881.
Amendment 46 #
Proposal for a regulation
Recital 13
(13) Many cyberattacks are part of wider campaigns that target groups of Union institutions, bodies and agencies or communities of interest that include Union institutions, bodies and agencies. To enable proactive detection, incident response or mitigating measures, Union institutions, bodies and agencies should notify CERT-EU of significant cyber threats, significant vulnerabilities and significant incidents and share appropriate technical details that enable detection or mitigation of, as well as response to, similar cyber threats, vulnerabilities and incidents in other Union institutions, bodies and agencies. Following the same approach as the one envisaged in Directive [proposal NIS 2], where entities become aware of a significant incident they should be required to submit an early warning to CERT-EU without undue delay and in any event no later than 24 hours. The Union institutions, bodies and agencies should be allocated sufficient resources to fulfil their reporting obligations quickly and efficiently to ensure that the system designed works correctly. Such information exchange should enable CERT-EU to disseminate the information to other Union institutions, bodies and agencies, as well as to appropriate counterparts, to help protect the Union IT environments and the Union’s counterparts’ IT environments against similar incidents, threats and vulnerabilities.
Amendment 51 #
Proposal for a regulation
Recital 24
(24) As the services and tasks of CERT-EU are in the interest of all Union institutions, bodies and agencies, each Union institution, body and agency with IT expenditure should contribute a fair share to those services and tasks. Those contributions should be proportionate to the budgetary capacity of the Union institutions, bodies and agencies.
Amendment 54 #
Proposal for a regulation
Recital 25
(25) The IICB, with the assistance of CERT-EU, should review and evaluate the implementation of this Regulation and should report its findings to the Commission. Building on this input, the Commission should report to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions at least every three years.
Amendment 65 #
Proposal for a regulation
Article 4 – paragraph 1
1. Each Union institution, body and agency shall establish its own internal cybersecurity risk management, governance and control framework (‘the framework’) in support of the entity’s mission and taking into account the coherence and interoperability of their framework with those of other relevant institutions, bodies and agencies. This work shall be overseen by the entity’s highest level of management to ensure an effective and prudent management of all cybersecurity risks. The framework shall be in place by … at the latest [15 months after the entry into force of this Regulation].
Amendment 68 #
Proposal for a regulation
Article 4 – paragraph 4
4. Each Union institution, body and agency shall have effective mechanisms in place to ensure that an adequate percentage of the IT budget is spent on cybersecurity. By ... [3 years after the entry into force of this Regulation], each Union institution, body and agency should ensure that at least 10 % of that budget is dedicated to cybersecurity.
Amendment 71 #
Proposal for a regulation
Article 5 – paragraph 1
1. The highest level of management of each Union institution, body and agency shall approve the entity’s own cybersecurity baseline to address the risks identified under the framework referred to in Article 4(1). It shall do so in support of its mission and take into account the coherence and interoperability of their baseline with those of other relevant institutions, bodies and agencies. The cybersecurity baseline shall be in place by … at the latest [18 months after the entry into force of this Regulation] and shall address the domains listed in Annex I and the measures listed in Annex II.
Amendment 76 #
Proposal for a regulation
Article 6 – paragraph 1
Each Union institution, body and agency shall carry out a cybersecurity maturity assessment by ... [6 months after the entry into force of this Regulation], and at least every two years thereafter, incorporating all the elements of their IT environment as described in Article 4, taking account of the relevant guidance documents and recommendations adopted in accordance with Article 13.
Amendment 79 #
Proposal for a regulation
Article 7 – paragraph 1
1. Following the conclusions derived from the maturity assessment and considering the assets and risks identified pursuant to Article 4, the highest level of management of each Union institution, body and agency shall approve a cybersecurity plan without undue delay after the establishment of the risk management, governance and control framework and the cybersecurity baseline. The plan shall aim at increasing the overall cybersecurity of the concerned entity and shall thereby contribute to the achievement or enhancement of a high common level of cybersecurity among all Union institutions, bodies and agencies. To support the entity’s mission on the basis of its institutional autonomy, the plan shall at least include the domains listed in Annex I, the measures listed in Annex II, as well as measures related to incident preparedness, response and recovery, such as security monitoring and logging. The plan shall be revised at least every two years, following the maturity assessments carried out pursuant to Article 6.
Amendment 81 #
Proposal for a regulation
Article 7 – paragraph 3
3. The cybersecurity plan shall comply with any applicable guidance documents and recommendations issued by CERT-EU.
Amendment 86 #
Proposal for a regulation
Article 11 – paragraph 1 – point b
(b) instruct a relevant audit service to carry out an audit.
Amendment 89 #
Proposal for a regulation
Article 12 – paragraph 4
4. CERT-EU shall engage in structured cooperation with the European Union Agency for Cybersecurity on capacity building, operational cooperation and long-term strategic analyses of cyber threats in accordance with Regulation (EU) 2019/881 of the European Parliament and of the Council. Furthermore, CERT-EU may cooperate and exchange information with Europol’s Cybercrime Centre.
Amendment 95 #
Proposal for a regulation
Article 14 – paragraph 1
The Head of CERT-EU shall regularly, at least once a year, submit reports to the IICB and the IICB Chair on the performance of CERT-EU, financial planning, revenue, implementation of the budget, service level agreements and written agreements entered into, cooperation with counterparts and partners, and missions undertaken by staff, including the reports referred to in Article 10(1).
Amendment 97 #
Proposal for a regulation
Article 17 – paragraph 1
1. CERT-EU may cooperate with non-Member State counterparts, including industry sector-specific counterparts, on tools and methods, such as techniques, tactics, procedures and best practices, and on cyber threats and vulnerabilities. For all cooperation with such counterparts, including in frameworks where non-EU counterparts cooperate with national counterparts of Member States, CERT-EU shall seek prior approval from the IICB. Any such cooperation shall respect the democratic integrity of the EU.
Amendment 98 #
Proposal for a regulation
Article 17 – paragraph 2
2. CERT-EU may cooperate with other partners, such as commercial entities, international organisations, non-European Union national entities or individual experts, to gather information on general and specific cyber threats, vulnerabilities and possible countermeasures. For wider cooperation with such partners, CERT-EU shall seek prior approval from the IICB. Any such cooperation shall respect the democratic integrity of the EU.
Amendment 108 #
Proposal for a regulation
Article 20 – paragraph 1 – subparagraph 1
All Union institutions, bodies and agencies shall provide an early warning to CERT-EU of significant cyber threats, significant vulnerabilities and significant incidents without undue delay and in any event no later than 24 hours after becoming aware of them.
Amendment 114 #
Proposal for a regulation
Article 20 – paragraph 1 – subparagraph 2
Amendment 116 #
Proposal for a regulation
Article 20 – paragraph 2 – introductory part
2. The Union institutions, bodies and agencies shall send a notification to CERT-EU without undue delay, and in any event within 72 hours after having become aware of the incident, update the early warning and provide an initial assessment with the appropriate technical details of cyber threats, vulnerabilities and incidents that enable detection, incident response or mitigating measures. The notification shall include, if available:
Amendment 117 #
Proposal for a regulation
Article 20 – paragraph 2 a (new)
2a. No later than one month after submitting the incident notification, the Union institutions, bodies and agencies shall submit a final report to CERT-EU, including at least the following: (a) a detailed description of the incident, its severity and impact; (b) the type of threat or root cause that likely triggered the incident; (c) applied and ongoing mitigation measures; (d) where applicable, the cross-border impact of the incident;
Amendment 119 #
Proposal for a regulation
Article 20 – paragraph 2 b (new)
2b. In duly justified cases, and in agreement with CERT-EU, the Union institution, body or agency concerned can deviate from the deadline laid down in paragraph 2a.
Amendment 122 #
Proposal for a regulation
Article 20 – paragraph 4
Amendment 124 #
Proposal for a regulation
Article 24 – paragraph 1
1. The IICB, with the assistance of CERT-EU, shall at least once a year report to the Commission on the implementation of this Regulation. The IICB may also make recommendations to the Commission to propose amendments to this Regulation.
Amendment 125 #
Proposal for a regulation
Article 24 – paragraph 2
2. The Commission shall report on the implementation of this Regulation to the European Parliament and the Council at the latest 36 months after the entry into force of this Regulation and every two years thereafter.
Amendment 127 #
Proposal for a regulation
Annex I – paragraph 1 – introductory part
Amendment 128 #
Proposal for a regulation
Annex I – paragraph 1 – point 1 a (new)
(1a) cybersecurity training of staff members;
Amendment 129 #
Proposal for a regulation
Annex I – paragraph 1 – point 3
(3) asset acquisition and management, including IT asset inventory and IT network cartography;
Amendment 131 #
Proposal for a regulation
Annex I – paragraph 1 – point 9
(9) incident management, including approaches to improve the preparedness, response to, compliance with and shortening timescales for reporting obligations and recovery from incidents and cooperation with CERT-EU, such as the maintenance of security monitoring and logging;
Amendment 132 #
Proposal for a regulation
Annex II – paragraph 1 – point 1 a (new)
(1a) The set-up of regular cybersecurity training of staff members