28 Amendments of Klemen GROŠELJ related to 2020/0359(COD)
Amendment 104 #
Proposal for a directive
Recital 12
Recital 12
(12) Sector-specific legislation and instruments can contribute to ensuring high levels of cybersecurity, while taking full account of the specificities and complexities of those sectors. Where a sector–specific Union legal act requires essential or important entities to adopt cybersecurity risk management measures or to notify incidents or significant cyber threats of at least an equivalent effect to the obligations laid down in this Directive, those sector-specific provisions, including on supervision and enforcement, should apply. The Commission mayshould issue guidelines in relation to the implementation of the lex specialis, taking relevant opinions, expertise and best practices of ENISA and the Cooperation Group into account. This Directive does not preclude the adoption of additional sector- specific Union acts addressing cybersecurity risk management measures and incident notifications. This Directive is without prejudice to the existing implementing powers that have been conferred to the Commission in a number of sectors, including transport and energy.
Amendment 109 #
Proposal for a directive
Recital 15
Recital 15
(15) Upholding and preserving a reliable, resilient and secure domain name system (DNS) is a key factor in maintaining the integrity of the Internet and is essential for its continuous and stable operation, on which the digital economy and society depend. Therefore, this Directive should apply to all providers of DNS services along the DNS resolution chain, including operators of root name servers, top-level-domain (TLD) name servers, authoritative name servers for domain names and recursive resolpublicly available recursive domain name resolution services and authoritative domain name resolution services. This Directive does not apply to root name servers.
Amendment 129 #
Proposal for a directive
Recital 26
Recital 26
(26) Given the importance of international cooperation on cybersecurity, CSIRTs should be able to participate in international cooperation networks, including with CSIRTs outside the Union, in addition to the CSIRTs network established by this Directive.
Amendment 146 #
Proposal for a directive
Recital 40
Recital 40
(40) Risk-management measures should include measures to identify any risks of incidents, to prevent, detect and handle incidents and to mitigate their impact. The security of network and information systems should comprise the security of stored, transmitted and processed data. It must be approached using systemic analysis that break down the various processes and the interactions between the subsystems, in order to have a complete picture of the security of the information system. The human factor should be fully taken into account in the analysis.
Amendment 155 #
Proposal for a directive
Recital 45
Recital 45
(45) Entities should also address cybersecurity risks stemming from their interactions and relationships with other stakeholders within a broader ecosystem, including to counter industrial espionage and to protect trade secrets. In particular, entities should take appropriate measures to ensure that their cooperation with academic and research institutions takes place in line with their cybersecurity policies and follows good practices as regards secure access and dissemination of information in general and the protection of intellectual property in particular. Similarly, given the importance and value of data for the activities of the entities, when relying on data transformation and data analytics services from third parties, the entities should take all appropriate cybersecurity measures.
Amendment 158 #
Proposal for a directive
Recital 47
Recital 47
(47) The supply chain risk assessments, in light of the features of the sector concerned, should take into account both technical and, where relevant, non- technical factors including those defined in Recommendation (EU) 2019/534, in the EU wide coordinated risk assessment of 5G networks security and in the EU Toolbox on 5G cybersecurity agreed by the Cooperation Group. To identify the supply chains that should be subject to a coordinated risk assessment, the following criteria should be taken into account: (i) the extent to which essential and important entities use and rely on specific critical ICT services, systems or products; (ii) the relevance of specific critical ICT services, systems or products for performing critical or sensitive functions, including the processing of personal data; (iii) the availability of alternative ICT services, systems or products; (iv) the resilience of the overall supply chain of ICT services, systems or products against disruptive events and (v) for emerging ICT services, systems or products, their potential future significance for the entities’ activities.
Amendment 188 #
Proposal for a directive
Recital 63
Recital 63
(63) All essential and important entities under this Directive should fall under the jurisdiction of the Member State where they provide their services or carry out their activities. If the entity provides services in more than one Member State, it should fall under the separate and concurrent jurisdiction of each of these Member States. The competent authorities of these Member States should cooperate, provide mutual assistance to each other and where appropriate, carry out joint supervisory actions.
Amendment 215 #
Proposal for a directive
Article 2 – paragraph 1
Article 2 – paragraph 1
1. This Directive applies to public and private entities of a type referred to as essential entities in Annex I and as important entities in Annex II that provide their services or carry out their activities within the Union. This Directive does not apply to entities that qualify as micro and small enterprises within the meaning of Commission Recommendation 2003/361/EC.28 _________________ 28 Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium- sized enterprises (OJ L 124, 20.5.2003, p. 36).
Amendment 237 #
Proposal for a directive
Article 2 – paragraph 6
Article 2 – paragraph 6
6. Where provisions of sector–specific acts of Union law require essential or important entities either to adopt cybersecurity risk management measures or to notify incidents or significant cyber threats, and where those requirements are at least equivalent in effect to the obligations laid down in this Directive, the relevant provisions of this Directive, including the provision on supervision and enforcement laid down in Chapter VI, shall not apply. The Commission shall issue guidelines in relation to the implementation of the sector–specific acts of Union law in order to ensure that security requirements established by this Directive are met by those acts. When preparing those guidelines, the Commission shall take into account ENISA and the Cooperation Group best practices and expertise.
Amendment 251 #
Proposal for a directive
Article 4 – paragraph 1 – point 13
Article 4 – paragraph 1 – point 13
(13) ‘domain name system (DNS)’ means a hierarchical, distributed naming system which allows end-is usersd to reach identify Internet services and resources on the internet;, allowing end user devices to make use of Internet routing and connectivity services to reach those services and resources.
Amendment 278 #
Proposal for a directive
Article 5 – paragraph 1 – point b
Article 5 – paragraph 1 – point b
(b) a governance framework to achieve those objectives and priorities, including the policies referred to in paragraph 2 and the roles and responsibilities of public bodies and entities as well as other relevant actors;
Amendment 279 #
Proposal for a directive
Article 5 – paragraph 1 – point b a (new)
Article 5 – paragraph 1 – point b a (new)
(ba) a framework for allocating the roles and responsibilities of public bodies and entities as well as other relevant actors, including the organisation of the cooperation at the national level, between the competent authorities designated under Article 7(1) and Article 8(1), the single point of contact designated under Article 8(3), and CSIRTs designated under Article 9;
Amendment 299 #
Proposal for a directive
Article 5 – paragraph 2 a (new)
Article 5 – paragraph 2 a (new)
2a. A policy to help authorities build awareness and understanding of the security considerations needed to design, build, and manage connected places.
Amendment 300 #
Proposal for a directive
Article 5 – paragraph 2 b (new)
Article 5 – paragraph 2 b (new)
2b. A policy specifically addressing the ransomware threat and disrupting the ransomware business model.
Amendment 347 #
Proposal for a directive
Article 12 – paragraph 4 – point d a (new)
Article 12 – paragraph 4 – point d a (new)
(da) provide advice on the overall consistency of sector-specific cybersecurity requirements;
Amendment 351 #
Proposal for a directive
Article 12 – paragraph 4 – point k a (new)
Article 12 – paragraph 4 – point k a (new)
(ka) providing a yearly assessment in cooperation with ENISA on which Nation States are harbouring ransomware criminals.
Amendment 395 #
Proposal for a directive
Article 18 – paragraph 2 – point c
Article 18 – paragraph 2 – point c
(c) backup management, business continuity and crisis management;
Amendment 397 #
Proposal for a directive
Article 18 – paragraph 2 – point d
Article 18 – paragraph 2 – point d
(d) supply chain security including security-related aspects concerning the relationships between each entity and its suppliers or service providers such as providers of data storage and processing services or managed security services;
Amendment 419 #
Proposal for a directive
Article 19 – paragraph 1 a (new)
Article 19 – paragraph 1 a (new)
1a. To identify the specific critical ICT services, systems or products supply chains that are subject to a coordinated risk assessment, the following criteria shall be taken into account: (a) the extent to which essential and important entities use and rely on specific critical ICT services, systems or products; (b) the relevance of specific critical ICT services, systems or products for performing critical or sensitive functions, including the processing of personal data; (c) the availability of alternative ICT services, systems or products; (d) the resilience of the overall supply chain of ICT services, systems or products against disruptive events; and (e) the potential significance to entities' activities of emerging ICT services, systems or products.
Amendment 426 #
Proposal for a directive
Article 20 – paragraph 1
Article 20 – paragraph 1
1. Member States shall ensure that essential and important entities notify, without undue delay, the competent authorities or the CSIRT in accordance with paragraphs 3 and 4 of any incident having a significant impact on the provision of their services. Where appropriate, those entities shall notify, without undue delay, the recipients of their services of incidents that are likely to adversely affect the provision of that service. Member States shall ensure that those entities report, among others, any information enabling the competent authorities or the CSIRT to determine any cross-border impact of the incident. Where the competent authorities or the CSIRT consider that it is necessary, essential and important entities may notify other essential and important entities of any significant incident occurring in their sector.
Amendment 464 #
Proposal for a directive
Article 20 – paragraph 5 a (new)
Article 20 – paragraph 5 a (new)
5a. Member States shall establish a single entry point for all notifications required under this Directive.
Amendment 465 #
Proposal for a directive
Article 20 – paragraph 5 b (new)
Article 20 – paragraph 5 b (new)
5b. ENISA, in cooperation with the Cooperation Group, shall develop common notification templates by means of guidelines that would simplify and streamline the reporting information requested by Union law.
Amendment 489 #
Proposal for a directive
Article 21 – paragraph 1
Article 21 – paragraph 1
1. In order to demonstrate compliance with certain requirements of Article 18, Member States may require essential and important entities to use certifyain certainified ICT products, ICT services and ICT processes, whether procured from third parties or developed by the essential or important entity, certified under specific European cybersecurity certification schemes adopted pursuant to Article 49 of Regulation (EU) 2019/881. The products, services and processes subject to certification may be developed by an essential or important entity or procured from third parti, or, in the absence of such a scheme, under equivalent internationally recognised certification schemes.
Amendment 497 #
Proposal for a directive
Article 21 – paragraph 2 a (new)
Article 21 – paragraph 2 a (new)
2a. In order to demonstrate compliance with certain requirements of Article 18 of this Directive, Member States may require essential and important entities to use qualified trust services pursuant to Regulation (EU) No 910/2014.
Amendment 498 #
Proposal for a directive
Article 21 – paragraph 2 b (new)
Article 21 – paragraph 2 b (new)
2b. Member States may rely on certified cybersecurity services providers, which could be certified under specific European cybersecurity certification schemes adopted pursuant to Article 49 of Regulation (EU) 2019/881, to enforce the supervision activities provided for in Articles 29 and 30 of this Directive.
Amendment 588 #
Proposal for a directive
Article 37 – paragraph 3 – subparagraph 1 a (new)
Article 37 – paragraph 3 – subparagraph 1 a (new)
Where no opinion is delivered, the draft implementing act may not be adopted.
Amendment 591 #
Proposal for a directive
Article 39
Article 39
Amendment 595 #
Proposal for a directive
Article 40 – paragraph 1
Article 40 – paragraph 1
Articles 40 and 41 of Directive (EU) 2018/1972 are deleted 18 months after the date of entry into force of this Directive.