Activities of Patrick BREYER related to 2020/0359(COD)

Plenary speeches (1)

A high common level of cybersecurity across the Union (A9-0313/2021 - Bart Groothuis) (vote)
2022/11/10
Dossiers: 2020/0359(COD)

Shadow opinions (1)

OPINION on the proposal for a directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148
2021/10/15
Committee: LIBE
Dossiers: 2020/0359(COD)
Documents: PDF(328 KB) DOC(223 KB)
Authors: Lukas MANDL (MEP ID 190713)

Amendments (46)

Amendment 94
Proposal for a directive
Recital 15
(15) Upholding and preserving a reliable, resilient and secure domain name system (DNS) is a key factor in maintaining the integrity of the Internet and is essential for its continuous and stable operation, on which the digital economy and society depend. Therefore, this Directive should apply to all providers of DNS services along the DNS resolution chain, including operators of root name servers, top-level-domain (TLD) name servers, authoritative name servers for domain names and recursive resolvers.
2021/07/02
Committee: LIBE
Amendment 99
Proposal for a directive
Recital 25
(25) As regards personal data, CSIRTs should be able to provide, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council19 as regards personal data, on behalf of and upon request by an entity under this Directive, a proactive scanning of the network and information systems used for the provision of their services. Member States should aim at ensuring an equal level of technical capabilities for all sectorial CSIRTs. Member States may request the assistance of the European Union Agency for Cybersecurity (ENISA) in developing national CSIRTs. _________________ 19Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).
2021/07/02
Committee: LIBE
Amendment 114
Proposal for a directive
Recital 51 a (new)
(51a) In order to offer the necessary transparency to mitigate specific supply chain risks, open source cybersecurity products (software and hardware), including open source encryption, should be favoured, in line with Opinion 5/2021 of the European Data Protection Supervisor15a _________________ 15aOpinion 5/2021 of the European Data Protection Supervisor on the Cybersecurity Strategy and the NIS 2.0 Directive, 11 March 2021
2021/07/02
Committee: LIBE
Amendment 115
Proposal for a directive
Recital 53
(53) In particular, providers of public electronic communications networks or publicly available electronic communications services, should implement security by design and by default and inform the service recipients of particular and significant cyber threats and of measures they can take to protect the security of their devices and communications, for instance by using specific types of software or encryption technologies. In order to increase the security of hardware and software, providers should be encouraged to use open source and open hardware.
2021/07/02
Committee: LIBE
Amendment 118
Proposal for a directive
Recital 54
(54) In orderBeing essential to safeguard the security of electronic communications networks and services as well as the fundamental right to privacy, the use of encryption, and in particular end-to-end encryption, should be promoted and, where necessary, should be mandatory for providers of such services and networks in accordance with the principles of security and privacy by default and by design for the purposes of Article 18. The use of end-to-end encryption should be reconciled with the Member State’ powers to ensure the protection of their essential security interests and public security, and to permit the investigation, detection and prosecution of criminal offences in compliance with Union law. SolutionAny interferences with the confidentiality of private communications should not lead to creating backdoors for lawful access to information in end-to-end encrypted communications should maintain the effectiveness of encryption in protecting privacy and security of communications, while providing an effective response to crimeweakening encryption while ensuring that the privacy and security of encrypted data, including in end-to-end encrypted communications, is not compromised.
2021/07/02
Committee: LIBE
Amendment 125
Proposal for a directive
Recital 59
[original: (59) Maintaining accurate and complete databases of domain names and registration data (so called ‘WHOIS data’) and providing lawful access to such data is essential to ensure the security, stability and resilience of the DNS, which in turn contributes to a high common level of cybersecurity within the Union. Where processing includes personal data such processing shall comply with Union data protection law.] deleted
2021/07/02
Committee: LIBE
Amendment 126
Proposal for a directive
Recital 60
[original: (60) The availability and timely accessibility of these data to public authorities, including competent authorities under Union or national law for the prevention, investigation or prosecution of criminal offences, CERTs, (CSIRTs, and as regards the data of their clients to providers of electronic communications networks and services and providers of cybersecurity technologies and services acting on behalf of those clients, is essential to prevent and combat Domain Name System abuse, in particular to prevent, detect and respond to cybersecurity incidents. Such access should comply with Union data protection law insofar as it is related to personal data.] deleted
2021/07/02
Committee: LIBE
Amendment 127
Proposal for a directive
Recital 61
[original: (61) In order to ensure the availability of accurate and complete domain name registration data, TLD registries and the entities providing domain name registration services for the TLD (so-called registrars) should collect and guarantee the integrity and availability of domain names registration data. In particular, TLD registries and the entities providing domain name registration services for the TLD should establish policies and procedures to collect and maintain accurate and complete registration data, as well as to prevent and correct inaccurate registration data in accordance with Union data protection rules.] deleted
2021/07/02
Committee: LIBE
Amendment 128
Proposal for a directive
Recital 62
[original: (62) TLD registries and the entities providing domain name registration services for them should make publically available domain name registration data that fall outside the scope of Union data protection rules, such as data that concern legal persons25 . TLD registries and the entities providing domain name registration services for the TLD should also enable lawful access to specific domain name registration data concerning natural persons to legitimate access seekers, in accordance with Union data protection law. Member States should ensure that TLD registries and the entities providing domain name registration services for them should respond without undue delay to requests from legitimate access seekers for the disclosure of domain name registration data. TLD registries and the entities providing domain name registration services for them should establish policies and procedures for the publication and disclosure of registration data, including service level agreements to deal with requests for access from legitimate access seekers. The access procedure may also include the use of an interface, portal or other technical tool to provide an efficient system for requesting and accessing registration data. With a view to promoting harmonised practices across the internal market, the Commission may adopt guidelines on such procedures without prejudice to the competences of the European Data Protection Board. _________________ 25REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL recital (14) whereby “this Regulation does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person”.] deleted
2021/07/02
Committee: LIBE
Amendment 130
Proposal for a directive
Recital 65
(65) In cases where a DNS service provider, TLD name registry, content delivery network provider, cloud computing service provider, data centre service provider and digital provider not established in the Union offers services within the Union, it should designate a representative. In order to determine whether such an entity is offering services within the Union, it should be ascertained whether it is apparent that the entity is planning to offer services to persons in one or more Member States. The mere accessibility in the Union of the entity’s or an intermediary's website or of an email address and of other contact details, or the use of a language generally used in the third country where the entity is established, is as such insufficient to ascertain such an intention. However, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the entity is planning to offer services within the Union. The representative should act on behalf of the entity and it should be possible for competent authorities or the CSIRTs to contact the representative. The representative should be explicitly designated by a written mandate of the entity to act on the latter's behalf with regard to the latter's obligations under this Directive, including incident reporting.
2021/07/02
Committee: LIBE
Amendment 131
Proposal for a directive
Recital 69
[original: (69) The processing of personal data, to the extent strictly necessary and proportionate for the purposes of ensuring network and information security by entities, public authorities, CERTs, CSIRTs, and providers of security technologies and services should constitute a legitimate interest of the data controller concerned, as referred to in Regulation (EU) 2016/679. That should include measures related to the prevention, detection, analysis and response to incidents, measures to raise awareness in relation to specific cyber threats, exchange of information in the context of vulnerability remediation and coordinated disclosure, as well as the voluntary exchange of information on those incidents, as well as cyber threats and vulnerabilities, indicators of compromise, tactics, techniques and procedures, cybersecurity alerts and configuration tools. Such measures may require the processing of the following types of personal data: IP addresses, uniform resources locators (URLs), domain names, and email addresses.] deleted
2021/07/02
Committee: LIBE
Amendment 139
Proposal for a directive
Article 2 – paragraph 1
1. This Directive applies to public and private entities of a type referred to as essential entities in Annex I and as important entities in Annex II. This Directive does not apply to entities that qualify as micro and small enterprises within the meaning of Commission Recommendation 2003/361/EC.28 nor to non-commercial free and open source projects. Article 3 Paragraph 4 of the Annex to Commission Recommendation 2003/361/EC is not applicable. _________________ 28 Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (OJ L 124, 20.5.2003, p. 36).
2021/07/02
Committee: LIBE
Amendment 143
Proposal for a directive
Article 2 – paragraph 2 – point a – point iii
[original: (iii) top–level domain name registries and domain name system (DNS) service providers referred to in point 8 of Annex I;] deleted
2021/07/02
Committee: LIBE
Amendment 146
Proposal for a directive
Article 2 – paragraph 2 – point d
(d) a potential disruption of the service provided by the entity could have an impact on public safety, public security or public health;
2021/07/02
Committee: LIBE
Amendment 147
Proposal for a directive
Article 2 – paragraph 2 – point e
(e) a potential disruption of the service provided by the entity could induce systemic risks, in particular for the sectors where such disruption could have a cross-border impact;
2021/07/02
Committee: LIBE
Amendment 156
Proposal for a directive
Article 2 – paragraph 6 a (new)
6 a. This Directive is to be applied in full compliance with Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and is not modifying or adding to its provisions.
2021/07/02
Committee: LIBE
Amendment 158
Proposal for a directive
Article 4 – paragraph 1 – point 9
(9) ‘representative’ means any natural or legal person established in the Union explicitly designated to act on behalf of i) a DNS service provider, a top-level domain (TLD) name registry, a cloud computing service provider, a data centre service provider, a content delivery network provider as referred to in point 8 of Annex I or ii) entities referred to in point 6 of Annex II that are not established in the Union, which may be addressed by a national competent authority or a CSIRT instead of the entity with regard to the obligations of that entity under this Directive;
2021/07/02
Committee: LIBE
Amendment 160
Proposal for a directive
Article 4 – paragraph 1 – point 14
[original: (14) ‘DNS service provider’ means an entity that provides recursive or authoritative domain name resolution services to internet end-users and other DNS service providers;] deleted
2021/07/02
Committee: LIBE
Amendment 161
Proposal for a directive
Article 4 – paragraph 1 – point 15
(15) ‘top–level domain name registry’ means an entity which has been delegated a specific TLD and is responsible for administering the TLD including the registration of domain names under the TLD and the technical operation of the TLD, including the operation of its name servers, the maintenance of its databases and the distribution of TLD zone files across name servers;
2021/07/02
Committee: LIBE
Amendment 169
Proposal for a directive
Article 5 – paragraph 1 – point d a (new)
(da) an assessment of the general level of cybersecurity awareness amongst citizens as well as on the general level of security of consumer connected devices;
2021/07/02
Committee: LIBE
Amendment 171
Proposal for a directive
Article 5 – paragraph 2 – point b
(b) guidelines regarding the inclusion and specification of cybersecurity-related requirements for ICT products and service in public procurement, including but not limited to encryption requirements and the promotion of the use of open source cybersecurity products;
2021/07/02
Committee: LIBE
Amendment 172
Proposal for a directive
Article 5 – paragraph 2 – point d a (new)
(da) a policy related to sustaining the use of open data and open source as part of security through transparency;
2021/07/02
Committee: LIBE
Amendment 176
Proposal for a directive
Article 5 – paragraph 2 – point f
(f) a policy on supporting education establishments, in particular academic and research institutions to develop and deploy cybersecurity tools and secure network infrastructure;
2021/07/02
Committee: LIBE
Amendment 179
Proposal for a directive
Article 6 – paragraph 2
2. ENISA shall develop and maintain a European vulnerability registry. To that end, ENISA shall establish and maintain the appropriate information systems, policies and procedures with a view in particular to enabling important and essential entities and their suppliers of network and information systems to disclose and register vulnerabilities present in ICT products or ICT services, as well as to provide access to the information on vulnerabilities contained in the registry to all interested parties. The registry shall, in particular, include information describing the vulnerability, the affected ICT product or ICT services and the severity of the vulnerability in terms of the circumstances under which it may be exploited, the availability of related patches and, in the absence of available patches, guidance addressed to users of vulnerable products and services as to how the risks resulting from disclosed vulnerabilities may be mitigated. For ensuring security and accessibility of information, state of the art cybersecurity measures shall be accompanied by machine-readable datasets and corresponding interfaces (APIs).
2021/07/02
Committee: LIBE
Amendment 186
Proposal for a directive
Article 10 – paragraph 2 – point e
[original: (e) providing, upon request of an entity, a proactive scanning of the network and information systems used for the provision of their services;] deleted
2021/07/02
Committee: LIBE
Amendment 198
Proposal for a directive
Article 15 – paragraph 1 – introductory part
1. ENISA shall issue, in cooperation with the Commission, a biennial report on the state of cybersecurity in the Union. The report shall be delivered in machine-readable format and in particular include an assessment of the following:
2021/07/02
Committee: LIBE
Amendment 200
Proposal for a directive
Article 15 – paragraph 1 – point c a (new)
(ca) an overview of the general level of cybersecurity awareness and use amongst citizens as well as on the general level of security of consumer-oriented connected devices put on the market in the Union.
2021/07/02
Committee: LIBE
Amendment 205
Proposal for a directive
Article 18 – paragraph 2 – point g
(g) the use of cryptography and strong encryption.
2021/07/02
Committee: LIBE
Amendment 207
Proposal for a directive
Article 18 – paragraph 6 a (new)
6 a. Member States shall give the user of a network and information system provided by an essential or important entity the right to obtain from the entity information on the technical and organisational measures in place to manage the risks posed to the security of network and information systems. Member States shall define the limitations to that right.
2021/07/02
Committee: LIBE
Amendment 208
Proposal for a directive
Article 19 – paragraph 1
1. The Cooperation Group, in cooperation with the Commission and ENISA, [original: may] shall carry out coordinated security risk assessments of specific critical ICT services, systems or products supply chains, taking into account technical and, where relevant, non-technical risk factors.
2021/07/02
Committee: LIBE
Amendment 210
Proposal for a directive
Article 19 – paragraph 2
2. The Commission, after consulting with the Cooperation Group and ENISA, shall identify the specific critical ICT services, systems or products that [original: may be] are subject to the coordinated risk assessment referred to in paragraph 1.
2021/07/02
Committee: LIBE
Amendment 211
Proposal for a directive
Article 20 – paragraph 1
1. Member States shall ensure that essential and important entities notify, without undue delay, the competent authorities or the CSIRT in accordance with paragraphs 3 and 4 of any incident having a significant impact on the provision of their services. [original: Where appropriate, those] Those entities shall notify, without undue delay, the recipients of their services of incidents that are likely to adversely affect the provision of that service and provide information that would enable them to mitigate the adverse effects of the cyberattacks. By exception, where public disclosure could trigger further cyberattacks, essential and important entities, could delay the notification. Member States shall ensure that those entities report, among others, any information enabling the competent authorities or the CSIRT to determine any cross-border impact of the incident.
2021/07/02
Committee: LIBE
Amendment 216
Proposal for a directive
Article 20 – paragraph 2 – subparagraph 1
[original: Where applicable, those] Those entities shall notify, without undue delay, the recipients of their services that are potentially affected by a significant cyber threat of any measures or remedies that those recipients can take in response to that threat. Where appropriate, the entities shall also notify those recipients of the threat itself. By exception, where public disclosure could trigger further cyberattacks, essential and important entities, could delay the notification. The notification shall not make the notifying entity subject to increased liability.
2021/07/02
Committee: LIBE
Amendment 218
Proposal for a directive
Article 20 – paragraph 7
7. Where public awareness is necessary to prevent an incident or to deal with an ongoing incident, or where disclosure of the incident is otherwise in the public interest, the competent authority or the CSIRT, and where appropriate the authorities or the CSIRTs of other Member States concerned [original: may] shall, after consulting the entity concerned, inform the public about the incident or require the entity to do so.
2021/07/02
Committee: LIBE
Amendment 221
Proposal for a directive
Article 22 – paragraph 2
2. ENISA, in collaboration with Member States and in consultation with the EDPB, shall draw up advice and guidelines regarding the technical areas to be considered in relation to paragraph 1 as well as regarding already existing standards, including Member States' national standards, which would allow for those areas to be covered.
2021/07/02
Committee: LIBE
Amendment 223
Proposal for a directive
Article 23
[original: Article 23 Databases of domain names and registration data 1. For the purpose of contributing to the security, stability and resilience of the DNS, Member States shall ensure that TLD registries and the entities providing domain name registration services for the TLD shall collect and maintain accurate and complete domain name registration data in a dedicated database facility with due diligence subject to Union data protection law as regards data which are personal data. 2. Member States shall ensure that the databases of domain name registration data referred to in paragraph 1 contain relevant information to identify and contact the holders of the domain names and the points of contact administering the domain names under the TLDs. 3. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD have policies and procedures in place to ensure that the databases include accurate and complete information. Member States shall ensure that such policies and procedures are made publicly available. 4. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD publish, without undue delay after the registration of a domain name, domain registration data which are not personal data. 5. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD provide access to specific domain name registration data upon lawful and duly justified requests of legitimate access seekers, in compliance with Union data protection law. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD reply without undue delay to all requests for access. Member States shall ensure that policies and procedures to disclose such data are made publicly available.] deleted
2021/07/02
Committee: LIBE
Amendment 228
Proposal for a directive
Article 24 – paragraph 1
1. [original: DNS service providers, TLD name registries, cloud] Cloud computing service providers, data centre service providers and content delivery network providers referred to in point 8 of Annex I, as well as digital providers referred to in point 6 of Annex II shall be deemed to be under the jurisdiction of the Member State in which they have their main establishment in the Union.
2021/07/02
Committee: LIBE
Amendment 229
Proposal for a directive
Article 25 – paragraph 1 – introductory part
1. ENISA shall create and maintain a secure registry for essential and important entities referred to in Article 24(1). The entities shall submit the following information to ENISA by [12 months after entering into force of the Directive at the latest]:
2021/07/02
Committee: LIBE
Amendment 234
Proposal for a directive
Article 28 – paragraph 2
2. Competent authorities shall work in close cooperation with data protection authorities when addressing incidents resulting in personal data breaches without prejudice to the competences, tasks and powers of data protection authorities pursuant to Regulation (EU) 2016/679.
2021/07/02
Committee: LIBE
Amendment 241
Proposal for a directive
Article 32 – paragraph 1
1. Where the competent authorities have indications that the infringement by an essential or important entity of the obligations laid down in Articles 18 and 20 entails a personal data breach, as defined by Article 4(12) of Regulation (EU) 2016/679 which shall be notified pursuant to Article 33 of that Regulation, they shall inform the supervisory authorities competent pursuant to Articles 55 and 56 of that Regulation within [original: a reasonable period of time] 72 hours.
2021/07/02
Committee: LIBE
Amendment 242
Proposal for a directive
Article 32 – paragraph 3
3. Where the supervisory authority competent pursuant to Regulation (EU) 2016/679 is established in another Member State than the competent authority, the competent authority [original: may] shall inform the supervisory authority established in the same Member State.
2021/07/02
Committee: LIBE
Amendment 243
Proposal for a directive
Article 34 a (new)
Article 34 a
Liability for non-compliance
Without prejudice to any available administrative or non-judicial remedy, the recipients of services provided by essential and important entities, having incurred damages as a result of the providers' non-compliance with this Directive, shall have the right to an effective judicial remedy.
2021/07/02
Committee: LIBE
Amendment 245
Proposal for a directive
Article 35 – paragraph 1
The Commission shall periodically review the functioning of this Directive, and report to the European Parliament and to the Council. The report shall in particular assess the relevance of sectors, subsectors, size and type of entities referred to in Annexes I and II for the functioning of the economy and society in relation to cybersecurity. For this purpose and with a view to further advancing the strategic and operational cooperation, the Commission shall take into account the reports of the Cooperation Group and the CSIRTs network on the experience gained at a strategic and operational level. The first report shall be submitted by… 54[36 months after the date of entry into force of this Directive].
2021/07/02
Committee: LIBE
Amendment 246
Proposal for a directive
Article 40 – paragraph 1
Articles 40 and 41 of Directive (EU) 2018/1972 are [original: deleted] to be applied insofar as they are not in contradiction with this Directive.
2021/07/02
Committee: LIBE
Amendment 247
Proposal for a directive
Article 40 a (new)
Article 40 a
Amendments to Directive 2020/1828/EC on Representative Actions for the Protection of the Collective Interests of Consumers
The following is added to Annex I: “(X) Directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148”
2021/07/02
Committee: LIBE
Amendment 249
Proposal for a directive
Annex I – Point 8 (Digital infrastructure) – indent 2 and 3
8. Digital infrastructure: [original: – DNS service providers] deleted; [original: – TLD name registries] deleted
2021/06/30
Committee: LIBE