14 Amendments of Jordi CAÑAS related to 2020/0359(COD)
Amendment 95
Proposal for a directive
Recital 30
(30) Access to correct and timely information on vulnerabilities affecting ICT products and services contributes to an enhanced cybersecurity risk management. In that regard, sources of publicly available information on vulnerabilities are an important tool for entities and their users, but also national competent authorities and CSIRTs. For this reason, ENISA should establish a vulnerability database where, essential and important entities and their suppliers, as well as entities which do not fall in the scope of application of this Directive may, on a voluntary basis, disclose vulnerabilities and provide the vulnerability information that allows users to take appropriate mitigating measures.
Amendment 171
Proposal for a directive
Article 6 – title
Coordinated vulnerability disclosure and a European vulnerability database
Amendment 209
Proposal for a directive
Article 18 – paragraph 2 – point d
(d) measures for supply chain security risk assessment including on security-related aspects concerning the relationships between each entity and its suppliers or service providers such as providers of data storage and processing services or managed security services;
Amendment 210
Proposal for a directive
Article 18 – paragraph 2 – point f
(f) policies and procedures (testing and auditing) and regular cybersecurity exercises to assess the effectiveness of cybersecurity risk management measures;
Amendment 215
Proposal for a directive
Article 18 – paragraph 2 – point g a (new)
(ga) security training and awareness.
Amendment 220
Proposal for a directive
Article 18 – paragraph 6
6. The Commission, in cooperation with the Cooperation Group and ENISA, shall provide guidance and best practices on the compliance by entities in a proportionate manner with the requirements, laid down in paragraph 2, and in particular to the requirement in point (d) of that paragraph. In developing delegated acts, the Commission shall also consult all relevant stakeholders.
Amendment 225
Proposal for a directive
Article 20 – paragraph 1
1. Member States shall ensure that essential and important entities notify, without undue delay, the competent authorities or the CSIRT in accordance with paragraphs 3 and 4 of any incident having a significant impact on the provision of their services. Where appropriate, those entities shall notify, without undue delay, the recipients of their services of incidents that are likely to adversely affect the provision of that service. Member States shall ensure that those entities report, among others, any information enabling the competent authorities or the CSIRT to determine any cross-border impact of the incident. Member States shall establish a single entry point for all notifications required under this Directive and under other Union law, such as Regulation (EU) 2016/679 and Directive 2002/58/EC. ENISA, in cooperation with the Cooperation Group shall develop common notification templates for the reporting information requested by Union law.
Amendment 249
Proposal for a directive
Article 21 – paragraph 1
1. In order to demonstrate compliance with certain requirements of Article 18, Member States after having consulted the Cooperation Group, with the aim of ensuring harmonisation at Union level, shall encourage essential and important entities to certify certain ICT products, ICT services and ICT processes, either developed by the essential or important entity or procured from third parties, under European cybersecurity certification schemes adopted pursuant to Article 49 of Regulation (EU) 2019/881 or under similar internationally recognised certification schemes.
Amendment 252
Proposal for a directive
Article 21 – paragraph 2
2. The Commission shall regularly assess the efficiency and use of the adopted European cybersecurity certification schemes under Article 49 of Regulation (EU) 2019/881 and shall identify which categories of essential entities shall be encouraged to obtain a certificate and under which specific European cybersecurity certification schemes pursuant to paragraph 1. The delegated acts shall be adopted in accordance with Article 36.
Amendment 255
Proposal for a directive
Article 23 – title
Database infrastructure of domain names and registration data
Amendment 258
Proposal for a directive
Article 23 – paragraph 1
1. For the purpose of contributing to the security, stability and resilience of the DNS, Member States shall ensure that TLD registries and the entities providing domain name registration services for the TLD are required to collect and maintain accurate, verified and complete domain name registration data in a dedicated database facility with due diligence subject to Union data protection law as regards data which are personal data.
Amendment 260
Proposal for a directive
Article 23 – paragraph 2
2. Member States shall ensure that the database infrastructure of domain name registration data referred to in paragraph 1 contains relevant information, which shall include at least the registrants’ name, their physical and email address as well as their telephone number, to identify and contact the holders of the domain names and the points of contact administering the domain names under the TLDs.
Amendment 266
Proposal for a directive
Article 23 – paragraph 3
3. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD have policies and procedures in place to ensure that the database infrastructure includes accurate, verified and complete information. Member States shall ensure that such policies and procedures are made publicly available.
Amendment 278
Proposal for a directive
Article 26 – paragraph 3
3. Member States shall set out guidelines specifying the procedure, operational elements (including the use of dedicated ICT platforms), content and conditions of the information sharing arrangements referred to in paragraph 2. Such guidelines shall also include the details of the involvement, where relevant, of public authorities and independent experts in such arrangements, as well as operational elements, including the use of dedicated IT platforms. Member States shall offer support to the application of such arrangements in accordance with their policies referred to in Article 5(2) (g).