26 Amendments of Eva KAILI related to 2022/0084(COD)
Amendment 20 #
Proposal for a regulation
Recital 1
Recital 1
(1) Union institutions and bod, bodies, offices and agencies currently have their own information security rules, based on their rules of procedure or their founding act, or do not have such rules at all. In that context, each Union institution and body invests significant efforts in adopting different approaches, leading to a situation where exchange of information is not always reliable. The lack of a common approach hinders the deployment of common tools building on an agreed set of rules depending on the security needs of the information to be protected.
Amendment 21 #
Proposal for a regulation
Recital 2
Recital 2
(2) While progress has been made towards more consistent rules for the protection of European Union classified information (‘EUCI’) and non-classified information, the interoperability of the relevant systems remains limited, preventing a seamless transfer of information between the different Union institutions and bodies. Further efforts should therefore be made to enable an interinstitutional approach to the sharing of EUCI and sensitive non-classified information, with common categories of information and, common key handling principles, and where appropriate, common information system infrastructure on which information is handled, stored and transmitted by Union institutions, bodies, offices and agencies. A baseline should also be envisaged to simplify procedures for sharing EUCI and sensitive non-classified information between Union institutions and bodies and with Member States.
Amendment 23 #
Proposal for a regulation
Recital 3 a (new)
Recital 3 a (new)
(3 a) When developing information security rules, Union institutions and bodies should ensure efficiency and choose the best solutions, in particular as regards return on investments, appropriate levels of flexibility, decrease of administrative burdens, minimisation of risks, and higher levels of transparency, and improvement of the work environment;
Amendment 24 #
Proposal for a regulation
Recital 3 b (new)
Recital 3 b (new)
(3 b) In the context of information security, Union institutions and bodies should increase organisational interoperability and act together to ensure the protection of networks and information systems, data and the assets employed to capture, store, process and transmit it, and information as well as information infrastructure.
Amendment 26 #
Proposal for a regulation
Recital 5 a (new)
Recital 5 a (new)
(5 a) This Regulation should ensure that any limitation of the right to the protection of personal data and privacy is necessary and proportionate, in accordance with Article 52 (1) of the EU Charter of Fundamental Rights.
Amendment 27 #
Proposal for a regulation
Recital 5 b (new)
Recital 5 b (new)
(5 b) All information security measures involving processing of personal data should be compliant with the relevant Union data protection and privacy legislation. Union institutions and bodies should take relevant technical and organisational safeguards to ensure compliance in an accountable and transparent manner.
Amendment 28 #
Proposal for a regulation
Recital 6
Recital 6
(6) This Regulation is without prejudice to Regulation (Euratom) No 3/195817 , Regulation No 31 (EEC), 11 (EAEC), laying down the Staff Regulations of Officials and the Conditions of Employment of other servants of the European Economic Community and the European Atomic Energy Community18 , Regulation (EC) 1049/2001 of the European Parliament and of the Council19 , Regulation (EU) 2018/1725 of the European Parliament and of the Council20 , including the rules on international transfers, Council Regulation (EEC, EURATOM) No 354/8321 , Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council22 , Regulation (EU) 2021/697 of the European Parliament and of the Council23 , Regulation (EU) [...] of the European Parliament and of the Council24 laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union. _________________ 17 Regulation (Euratom) No 3/1958 implementing Article 24 of the Treaty establishing the European Atomic Energy Community (OJ 17, 6.10.1958, p. 406). 18 OJ 45, 14.6.1962, p. 1385. 19 Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents (OJ L 145, 31.5.2001, p. 43). 20 Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39). 21 Council Regulation (EEC, EURATOM) No 354/83 of 1 February 1983 concerning the opening to the public of the historical archives of the European Economic Community and the European Atomic Energy Community (OJ L 43, 15.2.1983, p. 1). 22 Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council of 18 July 2018 on the financial rules applicable to the general budget of the Union, amending Regulations (EU) No 1296/2013, (EU) No 1301/2013, (EU) No 1303/2013, (EU) No 1304/2013, (EU) No 1309/2013, (EU) No 1316/2013, (EU) No 223/2014, (EU) No 283/2014, and Decision No 541/2014/EU and repealing Regulation (EU, Euratom) No 966/2012 (OJ L 193, 30.7.2018, p. 1). 23 Regulation (EU) 2021/697 of the European Parliament and of the Council of 29 April 2021 establishing the European Defence Fund and repealing Regulation (EU) 2018/1092 (OJ L 170, 12.5.2021, p. 149). 24 Regulation […] of the European Parliament and of the Council laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union, to be adopted
Amendment 30 #
(14) With the purpose of adjusting to the new teleworking practices, the networks, information systems, digital infrastructure and terminal devices used for connecting to the Union institution’s or body’s remote access services should be protected by adequate security measures.
Amendment 31 #
Proposal for a regulation
Recital 15
Recital 15
(15) Since Union institutions and bodies frequently make use of contractors and outsourcing, it is important to establish common provisions relating to contractors’ personnel carrying out tasks related to information security. Union institutions, bodies, offices and agencies should establish formal procedures underpinning the tendering process for contractors and outsourcing partners, taking into account the specificities of their operational technology environments and the complexities of their supply chains.
Amendment 32 #
Proposal for a regulation
Recital 17 a (new)
Recital 17 a (new)
(17 a) All Union institutions, bodies, offices and agencies should integrate procedures for dealing with personal data breaches in their procedures for information security incident management. Union institutions, bodies, offices and agencies should adopt a personal data breach handling procedure which also includes notification to the European Data Protection Supervisor (EDPS) and communication to the people affected, where necessary. The procedure for dealing with personal data breaches does not replace or supersede any other incident handling process or procedure.
Amendment 33 #
Proposal for a regulation
Recital 21
Recital 21
(21) Union institutions and bodies have been traditionally developed their communication and information systems autonomously, with insufficient attention to their interoperability across all Union institutions and bodies. It is therefore necessary to establish minimum security requirements concerning the Communication and Information Systems (CISs) handling and stor, storing and transmitting both EUCI and non-classified information with the aim to guarantee a seamless exchange of information with the relevant stakeholders.
Amendment 34 #
Proposal for a regulation
Recital 24
Recital 24
(24) The close cooperation between Union institutions and bodies as well as the multitude of synergies developed among them involve the sharing of a large amount of information. For the sake of the classified information security, the trustworthiness of a Union institution or body should be assessed before they handle and store a specified level of EUCI. Such synergies and cooperation is relevant, when dealing with activities such as applying data protection by design and by default to information security measures, selecting security measures that involve personal data, integrated risk management, and integrated security incident handling.
Amendment 35 #
Proposal for a regulation
Recital 24
Recital 24
(24) The close cooperation between Union institutions and bodies as well as the multitude of synergies developed among them involve the sharing of a large amount of information. For the sake of the classified information security, the trustworthinescapabilities of a Union institution or body, body, office or agency to handle, store and transmit EUCI should be assessed before they handle and store a specified level of EUCI.
Amendment 36 #
Proposal for a regulation
Article 1 – paragraph 1
Article 1 – paragraph 1
1. This Regulation lays down information security rules for all Union institutions and bod, bodies, offices and agencies.
Amendment 38 #
Proposal for a regulation
Article 3 – paragraph 1 – point i a (new)
Article 3 – paragraph 1 – point i a (new)
Amendment 39 #
Proposal for a regulation
Article 3 – paragraph 1 – point i b (new)
Article 3 – paragraph 1 – point i b (new)
(i b) ‘classified ICT environment’ means any component of a Union institution, body, office or agency's ICT environment that is used for the processing, storing or transmission of EU classified information (EUCI);
Amendment 41 #
Proposal for a regulation
Article 3 – paragraph 1 – point ae a (new)
Article 3 – paragraph 1 – point ae a (new)
(ae a) ‘standard’ means a standard as defined in point (1) of Article 2 of Regulation (EU) No 1025/2012;
Amendment 42 #
Proposal for a regulation
Article 4 – paragraph 6 – subparagraph 2
Article 4 – paragraph 6 – subparagraph 2
Union institutions and bod, bodies, offices and agencies handling and storing EUCI shall organise mandatory training at least once every 53 years for all individuals authorised to access EUCI. The Union institutions and bodies concerned shall organise specific training for the specific functions entrusted with information security tasks. Union institutions, bodies, offices and agencies shall design and implement effective and appropriate trainings commensurate to the risks identified in accordance with Article 5 of this Regulation for all individuals authorised to access EUCI no later than 6 months after the entry into force of this Regulation.
Amendment 43 #
Proposal for a regulation
Article 5 – paragraph 2 – point e a (new)
Article 5 – paragraph 2 – point e a (new)
(e a) integrity, availability and resilience of processing systems and services.
Amendment 44 #
Proposal for a regulation
Article 5 – paragraph 2 a (new)
Article 5 – paragraph 2 a (new)
2 a. Each Union institution, body, office and agency shall ensure compliance with Regulation (EU) 2018/1725. Personal data processing activities allowed for the purposes of this Regulation shall include: a) the purposes of data processing; b) categories of personal data; c) categories of data subjects; d) definition of roles as applicable (controller, processor, joint controllers); e) retention periods; f) recipients, in case of transmission to entities not subject to the Regulation (EU) 2018/1725.
Amendment 45 #
Proposal for a regulation
Article 5 – paragraph 3 – point -a (new)
Article 5 – paragraph 3 – point -a (new)
(-a) the risks for the rights and freedom of natural persons;
Amendment 46 #
Proposal for a regulation
Article 5 – paragraph 3 – point c a (new)
Article 5 – paragraph 3 – point c a (new)
(c a) the threats deriving from access based on third country jurisdictions;
Amendment 47 #
Proposal for a regulation
Article 5 – paragraph 3 – point f
Article 5 – paragraph 3 – point f
(f) business continuity and disaster recovery, such as back up management and disaster recovery, and crisis management;
Amendment 50 #
Proposal for a regulation
Article 8 – paragraph 2 a (new)
Article 8 – paragraph 2 a (new)
2 a. The Security Authority shall cooperate closely with the Data Protection Officer designated in accordance with Article 43 of Regulation (EU) 2018/1725.
Amendment 53 #
Proposal for a regulation
Article 11 – paragraph 4 – point d a (new)
Article 11 – paragraph 4 – point d a (new)
(d a) end-to-end encryption, in particular when exchanging sensitive non-classified information;
Amendment 68 #
Proposal for a regulation
Article 52 – paragraph 2
Article 52 – paragraph 2
2. The sub-group on EUCI sharing and exchange of classified information shall be composed of representatives from the Commission, the European Parliament, the Council and the European External Action Service and shall work by consensus.