102 Amendments of Marina KALJURAND related to 2022/0085(COD)
Amendment 95 #
Proposal for a regulation
Recital 4
Recital 4
(4) The Union institutions, bodies and agencies are attractive targets who face highly skilled and well-resourced threat actors as well as other threats. At the same time, the level and maturity of cyber resilience and the ability to detect and respond to malicious cyber activities varies significantly across those entities. It is thus necessary for the functioning of the European administration that the institutions, bodies and agencies of the Union achieve a high common level of cybersecurity through a cybersecurity baseline (a set of minimum cybersecurity rules with which network and information systems and their operators and users have to be compliant to minimise cybersecurity risks)the implementation of cybersecurity risk management measures commensurate to the respective risks posed, information exchange and collaboration.
Amendment 97 #
Proposal for a regulation
Recital 6
Recital 6
(6) To reach a high common level of cybersecurity, it is necessary that each Union institution, body and agency establishes an internal cybersecurity risk management, governance and control framework that ensures an effective and prudent management of all cybersecurity risks, and takes account of business continuity and crisis management. The framework should lay down cybersecurity policies and priorities for the security of network and information systems encompassing the entirety of the ICT environment. The framework should be reviewed on a regular basis and at least every three years on the basis of key performance indicators to ensure that strategic objectives are met.
Amendment 99 #
Proposal for a regulation
Recital 7
Recital 7
(7) The differences between Union institutions, bodies and agencies require flexibility in the implementation since one size will not fit all. The measures for a high common level of cybersecurity should not include any obligations directly interfering with the exercise of the missions of Union institutions, bodies and agencies or encroaching on their institutional autonomy. Thus, those institutions, bodies and agencies should establish their own frameworks for cybersecurity risk management, governance and control, and adopt their own baselines and cybersecurity plans. cybersecurity risk management measures and cybersecurity plans. Union institutions, bodies, offices and agencies should continuously evaluate the effectiveness of the adopted risk management measures and their proportionality relative to the identified risks, and where necessary, adjust and revise accordingly their frameworks and plans on the basis of the results of the cybersecurity maturity assessments.
Amendment 105 #
Proposal for a regulation
Recital 9
Recital 9
(9) A high common level of cybersecurity requires cybersecurity to come under the oversight of the highest level of management of each Union institution, body and agency, who should approve a cybersecurity baseline that shouldoversee the implementation of the provisions of this Regulation and approve the establishment, and any subsequent revisions thereof, of the risk management and control framework, the corresponding cybersecurity risk management measures addressing the risks identified underin the framework to be established by eachand the cybersecurity plans of each Union institution, body, office and agency. Addressing the cybersecurity culture, i.e. the daily practice of cybersecurity, is an integral part of a cybersecurity baselinerisk management, governance and control framework and the corresponding cybersecurity risk management measures in all Union institutions, bodies, offices and agencies.
Amendment 110 #
Proposal for a regulation
Recital 11
Recital 11
(11) In May 2011, the Secretaries- General of the Union institutions and bodies decided to establish a pre- configuration team for a computer emergency response team for the Union’s institutions, bodies and agencies (CERT- EU) supervised by an inter-institutional Steering Board. In July 2012, the Secretaries-General confirmed the practical arrangements and agreed to maintain CERT-EU as a permanent entity to continue to help improve the overall level of information technology security of the Union’s institutions, bodies and agencies as an example of visible inter-institutional cooperation in cybersecurity. In September 2012, CERT-EU was established as a Taskforce of the European Commission with an interinstitutional mandate. In December 2017, the Union institutions and bodies concluded an interinstitutional arrangement on the organisation and operation of CERT-EU3 . This arrangement should continue to evolve to support the implementation of this Regulation and be evaluated on a regular basis in light of future negotiations of long-term budget frameworks allowing for further decisions to be made with respect to the functioning and institutional role of CERT-EU, including the possible establishment of CERT-EU as a Union office. _________________ 3 OJ C 12, 13.1.2018, p. 1–11.
Amendment 113 #
Proposal for a regulation
Recital 13
Recital 13
(13) Many cyberattacks are part of wider campaigns that target groups of Union institutions, bodies and agencies or communities of interest that include Union institutions, bodies and agencies. To enable proactive detection, incident response or mitigating measures, and recovery from significant incidents, Union institutions, bodies and agencies should notify CERT- EU of significant cyber threats, significant vulnerabilities and significant incidents and share appropriate technical details that enable detection or mitigation of, as well as response to, similar cyber threats, vulnerabilities and and recovery from similar incidents in other Union institutions, bodies and agencies. Following the same approach as the one envisaged in Directive [proposal NIS 2], where entitUnion institutions, bodies, offices and agencies become aware of a significant incident they should be required to submit an initial notificationearly warning to CERT- EU within 24 hours. Such information exchange should enable CERT-EU to disseminate the information to other Union institutions, bodies and agencies, as well as to appropriate counterparts, to help protect the Union IT environments and the Union’s counterparts’ IT environments against similar incidents, threats and vulnerabilities.
Amendment 114 #
Proposal for a regulation
Recital 13 a (new)
Recital 13 a (new)
(13 a) This Regulation lays down a multiple-stages approach to reporting of significant incidents in order to strike the right balance between, on the one hand, swift reporting hat helps mitigate the potential spread of incidents and allows entities to seek support, and, on the other hand, in-depth reporting that draws valuable lessons from individual incidents and improves over time the resilience of individual Union institutions, bodies, offices and agencies and contributes to increasing the overall cybersecurity posture of European administration. In this regard, the Regulation should also include reporting of incidents that, based on an initial assessment performed by the Union institution, body, office or agency, may be assumed to lead to severe operational disruption or financial losses or affect other natural or legal persons by causing considerable material or non- material losses. Such initial assessment should take into account, amongst other, the affected network and information systems and in particular their importance for the functioning and operations of the Union institution, body, office or agency, the severity and technical characteristics of a cyber threat and any underlying vulnerabilities that are being exploited as well as the Union institution, body, office or agency’s experience with similar incidents. Indicators such as the extent to which the functioning of Union institution, body, office or agency is affected, the duration of an incident or the number of affected users could play an important role in defining whether the operational disruption of the service is of severe nature.
Amendment 116 #
Proposal for a regulation
Recital 14 a (new)
Recital 14 a (new)
(14 a) The IICB’s function is aimed at supporting Union institutions, bodies, offices and agencies in elevating their respective cybersecurity postures by implementing the provisions of this Regulation. In order to support Union institutions, bodies, office and agencies, the IICB could adopt guidance and recommendations towards Union institutions, bodies, offices and agencies’ cybersecurity maturity assessments and cybersecurity plans, review possible interconnections between Union institutions, bodies, offices and agencies’ ICT environments and support the establishment of a Cybersecurity Officers Group under ENISA, gathering the Local Cybersecurity Officers of all Union institutions, bodies, offices and agencies with an aim to facilitate the sharing of best practices and experiences gained from the implementation of this Regulation.
Amendment 117 #
Proposal for a regulation
Recital 14 b (new)
Recital 14 b (new)
(14 b) In order to ensure alignment with Directive [proposal NIS 2], the IICB could adopt recommendations based on the results of EU coordinated risk assessments of critical supply chains referred to in Article19 of Directive [proposal NIS 2] to support Union institutions, bodies, offices and agencies in adopting effective and proportionate risk management measures relating to supply chain security and develop guidelines for information sharing arrangements of Union institutions, bodies, offices and agencies relating to the voluntary notification of cyber threats, near misses and incidents to CERT-EU.
Amendment 119 #
Proposal for a regulation
Recital 16 a (new)
Recital 16 a (new)
(16 a) Where the IICB finds that Union institutions, bodies, offices or agencies have not effectively applied or implemented this Regulation it could, without prejudice to the internal procedures of the relevant Union institution, body, office or agency, request relevant and available documentation relating to the effective implementation of the provisions of this Regulation, communicate a reasoned opinion with observed gaps in the implementation of this Regulation, invite the Union institution, body, office or agency concerned to provide a self-assessment on its reasoned and issue, in cooperation with CERT-EU, guidance to bring its respective risk management, governance and control framework, cybersecurity risk management measures, cybersecurity plans and reporting obligations incompliance with this Regulation.
Amendment 123 #
Proposal for a regulation
Recital 20
Recital 20
(20) In supporting operational cybersecurity, CERT-EU should make use of the available expertise of the European Union Agency for Cybersecurity (ENISA) through structured cooperation as provided for in Regulation (EU) 2019/881 of the European Parliament and of the Council5 . Where appropriate, dedicated arrangements between the two entities should be established to define the practical implementation of such cooperation and to avoid the duplication of activities. CERT- EU should cooperate with the European Union Agency for CybersecurityENISA on threat analysis and share its threat landscape report with the Agency on a regular basis. _________________ 5 Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (OJ L 151, 7.6.2019, p. 15).
Amendment 132 #
Proposal for a regulation
Article 1 – paragraph -1 (new)
Article 1 – paragraph -1 (new)
-1 This Regulation lays down measures aiming to achieve a high common level of cybersecurity within Union institutions, bodies, offices and agencies;
Amendment 133 #
Proposal for a regulation
Article 1 – paragraph 1 – introductory part
Article 1 – paragraph 1 – introductory part
Amendment 136 #
Proposal for a regulation
Article 1 – paragraph 1 – point a
Article 1 – paragraph 1 – point a
(a) obligations on Union institutions, bodies, offices and agencies to establish an internal cybersecurity risk management, governance and control framework;
Amendment 137 #
Proposal for a regulation
Article 1 – paragraph 1 – point b a (new)
Article 1 – paragraph 1 – point b a (new)
(b a) rules underpinning information sharing obligations and the facilitation of voluntary information sharing arrangements for Union institutions, bodies, offices and agencies;
Amendment 138 #
Proposal for a regulation
Article 1 – paragraph 1 – point c
Article 1 – paragraph 1 – point c
(c) rules on the organisation, tasks and operation of the Cybersecurity Centre for the Union institutions, bodies, offices and agencies (CERT-EU) and on the functioning, organisation and operation of the Interinstitutional Cybersecurity Board (IICB).
Amendment 140 #
Proposal for a regulation
Article 2 – paragraph 1
Article 2 – paragraph 1
This Regulation applies to the management, governance and control of cybersecurity risks by all Union institutions, bodies, offices and agencies and to the functioning, organisation and operation of CERT-EU and the Interinstitutional Cybersecurity BoardICB.
Amendment 141 #
Proposal for a regulation
Article 2 a (new)
Article 2 a (new)
Article 2 a Processing of Personal Data The processing of personal data under this Regulation by CERT-EU, the IICB and all Union institutions, bodies, offices and agencies shall be carried out in compliance with Regulation (EU) 2018/1725 of the European Parliament and of the Council.
Amendment 143 #
Proposal for a regulation
Article 3 – paragraph 1 – point 2
Article 3 – paragraph 1 – point 2
(2) ‘network and information system’ means network and information system within the meaning ofas defined in Article 4(1) of Directive [proposal NIS 2];
Amendment 144 #
Proposal for a regulation
Article 3 – paragraph 1 – point 4
Article 3 – paragraph 1 – point 4
(4) ‘cybersecurity’ means cybersecurity within the meaning of Article 4(3) of Directive [proposal NIS 2]; as defined in Article 2(1) of Regulation (EU) 2019/881 of the European Parliament and of the Council7a; _________________ 7a Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (OJ L 151, 7.6.2019, p.15).
Amendment 147 #
Proposal for a regulation
Article 3 – paragraph 1 – point 5
Article 3 – paragraph 1 – point 5
(5) ‘highest level of management’ means a manager, management or coordination and oversight body at the most senior administrative level with a mandate to make or authorise decisions, taking account of the high-level governance arrangements in each Union institution, body or agency;
Amendment 149 #
Proposal for a regulation
Article 3 – paragraph 1 – point 7
Article 3 – paragraph 1 – point 7
Amendment 152 #
Proposal for a regulation
Article 3 – paragraph 1 – point 8
Article 3 – paragraph 1 – point 8
(8) ‘major attack’incident' means any incident requiring more resources than are available at whose disruption exceeds CERT-EU’s or any individual Union institution, body,office or agency’s capacity to respond to it or withe affected significant impact on at least two Union institutions, body or agency and at CERT-EUies, offices and agencies;
Amendment 155 #
Proposal for a regulation
Article 3 – paragraph 1 – point 11
Article 3 – paragraph 1 – point 11
(11) ‘significant cyber threat’ means a cyber threat with the intention, opportunity and capability to cause a significant incidentas defined in Article 4(7a) of Directive [proposal NIS 2];
Amendment 159 #
(14) ‘cybersecurity risk’ means any reasonably identifiable circumstance or event havisk as defined ing a potential adverse effect on the security of network and information systemsrticle 4(7b) of Directive [proposal NIS 2];
Amendment 163 #
Proposal for a regulation
Article 3 – paragraph 1 – point 14 a (new)
Article 3 – paragraph 1 – point 14 a (new)
(14 a) ‘ICT environment’ means any on- premise or virtual ICT product, ICT service and ICT process as defined in Article 2 of Regulation (EU) 2019/881, and any network and information system whether owned and operated by a Union institution, body, office or agency, or hosted or operated by a third party, including mobile devices, corporate networks, and business networks not connected to the internet and any devices connected to the ICT environment;
Amendment 172 #
Proposal for a regulation
Article 3 – paragraph 1 – point 16
Article 3 – paragraph 1 – point 16
Amendment 174 #
Proposal for a regulation
Article 4 – title
Article 4 – title
Risk management, governance and control framework
Amendment 178 #
Proposal for a regulation
Article 4 – paragraph 1
Article 4 – paragraph 1
1. Each Union institution, body and agency shall establish its own internal cybersecurity risk management, governance and control framework (‘the framework’) in support of the entity’s mission and exercising its institutional autonomy. This work shall be overseen by the entity’s highest level of management to ensure an effective and prudent management of all cybersecurity risks. The framework shall be in place by …. at the latest [15 months after the entry into force of this Regulation].
Amendment 180 #
Proposal for a regulation
Article 4 – paragraph 2
Article 4 – paragraph 2
2. The framework shall cover the entirety of the ICT environment of the concerned institution, body or agency, including any on-premise IT environment, outsourced assets and services in cloud computing environments or hosted by third parties, mobile devices, corporate networks, business networks not connected to the internet and any devices connected to the IT environmentUnion institution, body, office or agency. The framework shall take account of business continuity and crisis management and it shall consider supply chain security as well as the management of human risks and all other relevant technical, operational and organisational risks that could impact the cybersecurity of the concerned Union institution, body or agency.
Amendment 181 #
Proposal for a regulation
Article 4 – paragraph 2 a (new)
Article 4 – paragraph 2 a (new)
2 a. The framework shall define strategic objectives to ensure a high level of cybersecurity in the Union institution, body, office or agency, The framework shall lay down cybersecurity policies and priorities for the security of network and information systems encompassing the entirety of the ICT environment, and define the roles and responsibilities of staff tasked with ensuring the effective implementation of the provisions of this Regulation.
Amendment 182 #
Proposal for a regulation
Article 4 – paragraph 2 b (new)
Article 4 – paragraph 2 b (new)
2 b. The framework shall be reviewed on a regular basis and at least every three years on the basis of key performance indicators. Where appropriate and upon request of the IICB, a Union institution, body, office or agency’s framework shall be updated following guidance from CERT-EU on observed incidents or possible gaps in the implementation of the provisions of this Regulation.
Amendment 186 #
3. The highest level of management of each Union institution, body, office and agency shall provide oversight oversee the compliance of theirits organisation with the obligations related to cybersecurity risk management, governance, and control, without prejudice to the formal responsibilities of other levels of management for compliance and risk management in their respective areas of responsibility.
Amendment 187 #
Proposal for a regulation
Article 4 – paragraph 4
Article 4 – paragraph 4
4. Each Union institution, body and agency shall have effective mechanisms in place to ensure that an adequate percentage of the ICT budget is spent on cybersecurity.
Amendment 190 #
Proposal for a regulation
Article 5 – title
Article 5 – title
Cybersecurity baselinerisk management measures
Amendment 194 #
Proposal for a regulation
Article 5 – paragraph 1
Article 5 – paragraph 1
1. The highest level of management of each Union institution, body and agency shall approve the entity’s own cybersecurity baselinerisk management measures to address the risks identified under the framework referred to in Article 4(1). It shall do so in support of its mission and exercising its institutional autonomy. The cybersecurity baseline shall be in place by …. at the latest [18 months after the entry into force of this Regulation] and shall address the domains listed in Annex I and the measures listed in Annex IIHaving regard to the state of the art and, where applicable, relevant European and international standards, or available European cybersecurity certificates as defined in Article 2 of Regulation (EU) 2019/881, those risk management measures shall ensure a level of security of network and information systems across the entirety of the ICT environment commensurate to the risks identified under the framework referred to in Article 4(1). When assessing the proportionality of those measures, due account shall be taken of the degree of the Union institution, body, office or agency’s exposure to risks, its size, the likelihood of occurrence of incidents and their severity, including their societal, economic and interinstitutional impact.
Amendment 197 #
Proposal for a regulation
Article 5 – paragraph 1 a (new)
Article 5 – paragraph 1 a (new)
1 a. Union institutions, bodies, offices and agencies shall include at least the following domains in the implementation of the cybersecurity risk management measures: (a) cybersecurity policy, including specification on the measures needed to reach objectives and priorities referred to in Article 4 and Article 5(2a); (b) policy objectives and priorities regarding the use of cloud computing services as defined in Article 4(19) of Directive [proposal NIS 2]) and technical arrangements to enable and sustain teleworking; (c) organisation of cybersecurity, including definition of roles and responsibilities; (d) management of the ICT environment, including ICT inventory and network cartography; (e) access control, identity management and privileged access management; (f) operations security and human resources security; (g) communications security; (h) system acquisition, development and maintenance; (i) supply chain security and supplier relationships between each Union institution, body, office and agency with its direct suppliers and service providers; (j) incident handling, including approaches to improve the prevention, detection, analysis, and containment of, response to, and recovery from an incident and cooperation with CERT-EU, such as the maintenance of security monitoring and logging; (k) business continuity management and crisis management; (l) cybersecurity skills, education, awareness-raising, training programmes and exercises.
Amendment 199 #
Proposal for a regulation
Article 5 – paragraph 2
Article 5 – paragraph 2
2. The senior management of each Union institution, body, office and agency as well as all relevant staff tasked with implementing the cybersecurity risks management measures and obligations of this Regulation shall follow specific trainings on a regular basis to gain sufficient knowledge and skills in order to apprehend and assess cybersecurity risk and management practices and their impact on the operations of the organisation.
Amendment 201 #
Proposal for a regulation
Article 5 – paragraph 2 a (new)
Article 5 – paragraph 2 a (new)
Amendment 202 #
Proposal for a regulation
Article 5 – paragraph 2 b (new)
Article 5 – paragraph 2 b (new)
2 b. The IICB may recommend technical and methodological requirements of the domains and risk management measures referred to in paragraphs 1(a) and 2(a) of this Article and, where necessary, recommend adaptations to reflect developments in attack methods, cyber threats and advances in technology, for the purposes of the review of this Regulation in accordance with Article 24.
Amendment 203 #
Proposal for a regulation
Article 6 – title
Article 6 – title
6 MCybersecurity maturity assessments
Amendment 207 #
Proposal for a regulation
Article 6 – paragraph 1 a (new)
Article 6 – paragraph 1 a (new)
The IICB, after consulting the European Union Agency for Cybersecurity (ENISA) and upon receiving guidance from CERT- EU, shall recommend guidelines to Union institutions, bodies, offices and agencies for the carrying out of cybersecurity maturity assessments.
Amendment 209 #
Proposal for a regulation
Article 6 – paragraph 1 b (new)
Article 6 – paragraph 1 b (new)
Upon request of the IICB, and with the explicit consent of the Union institution, body, office or agency concerned, the results of a cybersecurity maturity assessment may be discussed within the IICB configuration or within the established network of Local Cybersecurity Officers with a view to learning from experiences in the implementation of this Regulation and sharing best practices and results of use cases.
Amendment 210 #
Proposal for a regulation
Article 7 – paragraph 1
Article 7 – paragraph 1
1. Following the conclusions derived from the maturity cybersecurity assessment and considering the assets and risks identified pursuant to Article 4, the highest level of management of each Union institution, body, office and agency shall approve a cybersecurity plan without undue delay after the establishment of the risk management, governance and control framework, and the cybersecurity baseline. Therisk management measures. The cybersecurity plan shall aim at increasing the overall cybersecurity of the concerned entity Union institution, body, office or agency and shall thereby contribute to the achievement or enhancement of a high common level of cybersecurity among all Union institutions, bodies, offices and agencies. To support the entity’Union institution, body, office or agency's mission on the basis of its institutional autonomy, the plan shall at least include the domains listed in Annex I, the measures listed in Annex II, as well ascybersecurity risk management measures relatferred to incident preparedness, response and recovery, such as security monitoring and logging. The plan shall be revised at least every three years, following the Article 5 (1a) and 5(2a). The cybersecurity plan shall be revised at least every three years, or where necessary, with any substantial revision of the framework referred to in Article 4, following the cybersecurity maturity assessments carried out pursuant to Article 6.
Amendment 213 #
Proposal for a regulation
Article 7 – paragraph 2
Article 7 – paragraph 2
2. The cybersecurity plan shall include relevant staff members’ roles and responsibilities for its implementation, including detailed job descriptions for technical and operational staff as well as all relevant processes underpinning performance evaluation.
Amendment 215 #
Proposal for a regulation
Article 7 – paragraph 2 a (new)
Article 7 – paragraph 2 a (new)
Amendment 216 #
Proposal for a regulation
Article 7 – paragraph 3
Article 7 – paragraph 3
3. The cybersecurity plan shall consider any applicable guidance documents and recommendations issued by CERT-EU in accordance with Article 13 and another applicable or targeted recommendations issued by the IICB and CERT-EU.
Amendment 218 #
1. Upon completion of maturity assessments, the Union institutions, bodies and agencies shall submit these to the Interinstitutional Cybersecurity Board. Upon completion of security planstheir respective cybersecurity maturity assessments referred to in Article 6 and cybersecurity plans referred to in Article 7, the Union institutions, bodies, offices and agencies shall notify the Interinstitutional Cybersecurity Board of the completion. Upon request of the Board, they shall report on specific aspects of this Chaptersubmit these to the IICB.
Amendment 222 #
Proposal for a regulation
Article 9 – paragraph 3 – subparagraph 1 – point k
Article 9 – paragraph 3 – subparagraph 1 – point k
(k) the European Union Agency for Cybersecurity (ENISA).
Amendment 233 #
Proposal for a regulation
Article 9 – paragraph 6
Article 9 – paragraph 6
6. The IICB shall meet at the initiative of its chair, and at least two times a year, at the request of CERT-EU or at the request of any of its members.
Amendment 240 #
Proposal for a regulation
Article 10 – paragraph 1 – point -a (new)
Article 10 – paragraph 1 – point -a (new)
(-a) support Union institutions, bodies, offices and agencies in implementing this Regulation with the aim to raise their respective levels of cybersecurity;
Amendment 241 #
Proposal for a regulation
Article 10 – paragraph 1 – point -a a (new)
Article 10 – paragraph 1 – point -a a (new)
(-a a) effectively monitor the implemenationof the obligations of this Regulation in Union institutions, bodies, offices and agencies without prejudice to their institutional autonomy and the overall institutional balance;
Amendment 242 #
Proposal for a regulation
Article 10 – paragraph 1 – point a
Article 10 – paragraph 1 – point a
(a) review any reports requestedquest reports from CERT-EU on the state of implementation of this Regulation by the Union institutions, bodies and agencies;
Amendment 250 #
Proposal for a regulation
Article 10 – paragraph 1 – point i a (new)
Article 10 – paragraph 1 – point i a (new)
(i a) review and where requested, following relevant guidance from CERT- EU. provide feedback to Union institutions, bodies, offices and agencies’ cybersecurity maturity assessments referred to in Article 6 and cybersecurity plans referred to in Article 7;
Amendment 252 #
Proposal for a regulation
Article 10 – paragraph 1 – point i b (new)
Article 10 – paragraph 1 – point i b (new)
(i b) review possible interconnections between Union institutions, bodies, offices and agencies’ ICT environments and maintain an inventory of shared components of ICT products, ICT services andic processes;
Amendment 253 #
Proposal for a regulation
Article 10 – paragraph 1 – point i c (new)
Article 10 – paragraph 1 – point i c (new)
(i c) where appropriate, adopt recommendations on the interoperability of Union institutions, bodies, offices and agencies’ ICT environments or components thereof;
Amendment 254 #
Proposal for a regulation
Article 10 – paragraph 1 – point i d (new)
Article 10 – paragraph 1 – point i d (new)
(i d) support the establishment of a Cybersecurity Officers Group under ENISA, gathering the Local Cybersecurity Officers of all Union institutions, bodies, offices and agencies with an aim to facilitate the sharing of best practices and experiences gained from the implementation of this Regulation;
Amendment 255 #
Proposal for a regulation
Article 10 – paragraph 1 – point i e (new)
Article 10 – paragraph 1 – point i e (new)
(i e) develop an incident and response plan for major incidents at Union level referred to in Article 3(8) and coordinate the adoption of individual Union institutions, bodies, offices and agencies’ cyber crisis management plans referred to in Article 7(2a);
Amendment 256 #
Proposal for a regulation
Article 10 – paragraph 1 – point i f (new)
Article 10 – paragraph 1 – point i f (new)
(i f) adopt recommendations based on the results of EU coordinated risk assessments of critical supply chains referred to in Article 19 of Directive [proposal NIS 2] to support Union institutions, bodies, offices and agencies in adopting effective and proportionate risk management measures relating to supply chain security referred to in Article5(1ai);
Amendment 257 #
Proposal for a regulation
Article 10 – paragraph 1 – point i g (new)
Article 10 – paragraph 1 – point i g (new)
(i g) develop guidelines for information sharing arrangements referred to in Article 19;
Amendment 258 #
Proposal for a regulation
Article 11 – paragraph -1 (new)
Article 11 – paragraph -1 (new)
-1 The IICB shall monitor the implementation of this Regulation and of adopted guidance documents, recommendations and calls for action by the Union institutions, bodies, offices and agencies.
Amendment 259 #
Proposal for a regulation
Article 11 – paragraph 1 – introductory part
Article 11 – paragraph 1 – introductory part
Amendment 261 #
Proposal for a regulation
Article 11 – paragraph 1 – point -a (new)
Article 11 – paragraph 1 – point -a (new)
(-a) request relevant and available documentation of the Union institution, body, office or agency concerned relating to the effective implementation of the provisions of this Regulation or the application of guidance documents, recommendations and calls for action issued in accordance with Article 13;
Amendment 262 #
Proposal for a regulation
Article 11 – paragraph 1 – point -a a (new)
Article 11 – paragraph 1 – point -a a (new)
(-a a) communicate a reasoned opinion to the Union institution, body, office or agency concerned with observed gaps in the implementation of this Regulation;
Amendment 263 #
Proposal for a regulation
Article 11 – paragraph 1 – point -a b (new)
Article 11 – paragraph 1 – point -a b (new)
(-a b) invite the Union institution, body, office or agency concerned to provide a self-assessment on its reasoned opinion within a specified timeframe;
Amendment 264 #
Proposal for a regulation
Article 11 – paragraph 1 – point -a c (new)
Article 11 – paragraph 1 – point -a c (new)
(-a c) issue, in cooperation with CERT- EU, guidance to the individual Union institution, body, office or agency to bring its respective risk management, governance and control framework, cybersecurity risk management measures, cybersecurity plans and reporting obligations in compliance with the provisions laid down in this Regulation in a specified manner and within a specified period;
Amendment 270 #
Proposal for a regulation
Article 12 – paragraph 1
Article 12 – paragraph 1
1. The mission of CERT-EU, the autonomous interinstitutional Cybersecurity Centre for all Union institutions, bodies and agencies, shall be to contribute to the security of the unclassified ICT environment of all Union institutions, bodies and agencies by advising them on cybersecurity, by helping them to prevent, detect, mitigate and respond to and recover from incidents and by acting as their cybersecurity information exchange and incident response coordination hub.
Amendment 274 #
Proposal for a regulation
Article 12 – paragraph 2 – point c a (new)
Article 12 – paragraph 2 – point c a (new)
(c a) act as the designated coordinator for all Union institutions, bodies, offices and agencies for the purposes of coordinated vulnerability disclosure to the European vulnerability registry referred to in Article 6 of Directive [proposal NIS2];
Amendment 286 #
Proposal for a regulation
Article 12 – paragraph 6
Article 12 – paragraph 6
6. CERT-EU may organise cybersecurity exercises or recommend participation in existing exercises, in close cooperation with the European Union Agency for CybersecurityENISA whenever applicable, to test the level of cybersecurity of the Union institutions, bodies and agencies.
Amendment 287 #
Proposal for a regulation
Article 12 – paragraph 7
Article 12 – paragraph 7
7. CERT-EU may provide assistance to Union institutions, bodies and agencies regarding incidents in classified ICT environments if it is explicitly requested to do so by the constituent concerned. The provisions and obligations on all Union institutions, bodies, offices and agencies set out in Chapter V of this Regulation shall not apply to incidents in classified ICT environments unless an individual Union institution, body office or agency explicitly and voluntarily apply them in order to seek actionable assistance from CERT-EU or otherwise contribute to situational awareness at the Union level.
Amendment 290 #
Proposal for a regulation
Article 12 – paragraph 7 a (new)
Article 12 – paragraph 7 a (new)
7 a. CERT-EU shall cooperate with the European Data Protection Supervisor (EDPS) to support Union institutions, bodies, office and agencies in incidents entailing a personal data breach as defined in Article 3(16) of Regulation (EU) 2018/1725.
Amendment 296 #
Proposal for a regulation
Article 13 – paragraph 2 – point a
Article 13 – paragraph 2 – point a
(a) modalities for or improvements to cybersecurity risk management and the cybersecurity baselinerisk management measures;
Amendment 298 #
Proposal for a regulation
Article 13 – paragraph 2 – point b
Article 13 – paragraph 2 – point b
(b) modalities for cybersecurity maturity assessments and cybersecurity plans; and
Amendment 303 #
Proposal for a regulation
Article 14 – paragraph -1 (new)
Article 14 – paragraph -1 (new)
-1 The Commission, after having obtained the unanimous approval of the IICB, shall appoint the Head of CERT- EU. The IICB shall be consulted at all stages of the procedure prior to the appointment of the Head of CERT-EU, in particular in drafting vacancy notices, examining applications and appointing selection boards in relation to this post.
Amendment 304 #
Proposal for a regulation
Article 14 – paragraph 1
Article 14 – paragraph 1
The Head of CERT-EU shall regularly submit reports to the IICB and the IICB Chair, and submit ad-hoc reports to the IICB upon its request, on the performance of CERT-EU, financial planning, revenue, implementation of the budget, service level agreements and written agreements entered into, cooperation with counterparts and partners, and missions undertaken by staff, including the reports referred to in Article 10(1).
Amendment 306 #
Proposal for a regulation
Article 14 – paragraph 1 a (new)
Article 14 – paragraph 1 a (new)
The Head of CERT-EU shall compose and submit to the IICB an annual report encompassing CERT-EU’s work programme, the financial planning of revenue and expenditure, including staffing, for CERT-EU activities, any updates of CERT-EU’s service catalogue and an assessment of the expected impact that such updates may have on its financial planning of revenue and expenditure, staffing and management of funds.
Amendment 308 #
Proposal for a regulation
Article 15 – paragraph 1
Article 15 – paragraph 1
Amendment 322 #
Proposal for a regulation
Article 18 – paragraph 3
Article 18 – paragraph 3
Amendment 326 #
Proposal for a regulation
Article 19 – title
Article 19 – title
19 SharingCybersecurity information sharing arrangements and obligations
Amendment 327 #
Proposal for a regulation
Article 19 – paragraph -1 (new)
Article 19 – paragraph -1 (new)
-1. Union institutions, bodies, offices and agencies may voluntarily notify CERT-EU on cyber threats, incidents, near misses and vulnerabilities that affect them. CERT-EU shall ensure that effective measures are adopted to ensure the confidentiality and appropriate protection of the information provided by the reporting Union institution, body, office or agency. When processing notifications, CERT-EU may prioritise the processing of mandatory notifications over voluntary notifications. Voluntary notification shall not result in the imposition of any additional obligations upon the reporting Union institution, body, office or agency to which it would not have been subject had it not submitted the notification.
Amendment 328 #
Proposal for a regulation
Article 19 – paragraph 1
Article 19 – paragraph 1
1. To enable CERT-EU to coordinate vulnerabileffectively perform itys management and incident responseission tasks in accordance with Article 12 of this Regulation, it may request Union institutions, bodies and agencies to provide it with information from their respective ICT system inventories that is relevant for the CERT- EU support. The requested institution, body or agency shall transmit the requested information, and any subsequent updates thereto, without undue delay.
Amendment 334 #
Proposal for a regulation
Article 19 – paragraph 4
Article 19 – paragraph 4
4. The sharingcybersecurity information sharing arrangements and obligations obligations shall not extend to EU Classified Information (EUCI) and to information that a Union institution, body or agency has received from a Member State Security or Intelligence Service or law enforcement agency under the explicit condition that it will not be shared with CERT-EU.
Amendment 336 #
Proposal for a regulation
Article 20 – title
Article 20 – title
20 NotificationReporting obligations
Amendment 337 #
Proposal for a regulation
Article 20 – paragraph 1 – subparagraph 1
Article 20 – paragraph 1 – subparagraph 1
Amendment 338 #
Proposal for a regulation
Article 20 – paragraph 1 – subparagraph 1
Article 20 – paragraph 1 – subparagraph 1
All Union institutions, bodies, offices and agencies shall make an initial notification to CERT-EU of significant cyber threats, significant vulnerabilities and significreport, without undue delay to CERT-EU in accordance with paragraph 2(b) of anty incidents without undue delay and having any event no later than 24 hours after becoming aware of them significant impact.
Amendment 340 #
Proposal for a regulation
Article 20 – paragraph 1 – subparagraph 1 a (new)
Article 20 – paragraph 1 – subparagraph 1 a (new)
Amendment 341 #
Proposal for a regulation
Article 20 – paragraph 1 – subparagraph 1 b (new)
Article 20 – paragraph 1 – subparagraph 1 b (new)
Where a significant incident or significant cyber threat referred to in paragraph 1(a) is affecting a network and information system, or a component of a Union institution, body, office or agency's ICT environment that is knowingly connected with another Union institution, body, office and agency's ICT environment, CERT-EU shall notify, without undue delay, the affected Union institution, body, office or agency.
Amendment 342 #
Proposal for a regulation
Article 20 – paragraph 1 – subparagraph 2
Article 20 – paragraph 1 – subparagraph 2
Amendment 348 #
Proposal for a regulation
Article 20 – paragraph 2
Article 20 – paragraph 2
Amendment 352 #
Proposal for a regulation
Article 20 – paragraph 2 a (new)
Article 20 – paragraph 2 a (new)
2 a. An incident shall be considered significant if: (a) the incident has caused or is capable of causing severe operational disruption to the Union institution, body, office or agency or financial losses thereto; (b) the incident has affected or is capable of affecting other natural or legal persons by causing considerable material or non- material losses.
Amendment 353 #
Proposal for a regulation
Article 20 – paragraph 2 b (new)
Article 20 – paragraph 2 b (new)
2 b. All Union institutions, bodies, offices and agencies shall submit to CERT-EU: (a) without undue delay and in any event within 24 hours after having become aware of the significant incident, an early warning, which, where applicable, shall indicate whether the significant incident is presumably caused by unlawful or malicious action and has any or could have a cross-border or cross-institutional impact; (b) without undue delay and in any event within 72 hours after having become aware of the significant incident, an incident notification, which, where applicable, shall update the information referred to in subparagraph (a) and indicate an initial assessment of the significant incident, its severity and impact, as well as where available, the indicators of compromise; (c) upon the request of CERT-EU, an intermediate report on relevant status updates; (d) a final report not later than one month after the submission of the significant incident notification under point (b), including at least the following: (i) a detailed description of the significant incident, its severity and impact; (ii) the type of threat or root cause that likely triggered the significant incident; (iii) applied and ongoing mitigation measures; (iv) where applicable, the cross-border or cross-institutional impact of the significant incident; (e) in cases of ongoing significant incidents at the time of the submission of the final report referred to in point (d), a progress report at that time and a final report within one month after the incident has been handled.
Amendment 356 #
Proposal for a regulation
Article 20 – paragraph 2 c (new)
Article 20 – paragraph 2 c (new)
2 c. In duly justified cases and in agreement with CERT-EU, the Union institution, body, office or agency concerned can deviate from the deadline laid down in paragraph 2(b).
Amendment 358 #
Proposal for a regulation
Article 20 – paragraph 3
Article 20 – paragraph 3
3. CERT-EU shall submit to ENISA on a monthly basis a summary report including anonymised and aggregated data on significant cyber threats, significant vulnerabilities and significant incidentincidents notified in accordance with paragraph 2(b) and cyber threats, incidents, near misses and vulnerabilities notified in accordance with paragraph 1Article 19(1).
Amendment 360 #
4. The IICB may issue guidance documents or recommendations concerning the modalities and content of the notification. When preparing such guidance documents or recommendations, the IICB shall take into account the specifications made by any implementing acts adopted by the Commission specifying the type of information, the format and the procedure of a notification submitted pursuant to Article 20 (11) of Directive [proposal NIS2]. CERT-EU shall disseminate the appropriate technical details to enable proactive detection, incident response or mitigating measures by Union institutions, bodies, offices and agencies.
Amendment 363 #
Proposal for a regulation
Article 20 – paragraph 5
Article 20 – paragraph 5
5. The notificationreporting obligations shall not extend to EUCI and to information that a Union institution, body or agency has received from a Member State Security or Intelligence Service or law enforcement agency under the explicit condition that it will not be shared with CERT-EU.
Amendment 366 #
Proposal for a regulation
Article 21 – paragraph 3
Article 21 – paragraph 3
3. CERT-EU, in cooperation with ENISA, shall support Union institutions, bodies and agencies regarding situational awareness of cyber threats, vulnerabilities and incidents.
Amendment 367 #
Proposal for a regulation
Article 22 – title
Article 22 – title
Major attackincidents
Amendment 370 #
Proposal for a regulation
Article 22 – paragraph 1
Article 22 – paragraph 1
1. CERT-EU shall coordinate among Union institutions, bodies and agencies responses to major attackincidents. It shall maintain an inventory of technical expertise that would be needed for incident response in the event of such attacksmajor incidents and assist the IICB in coordinating Union institutions, bodies, offices and agencies’ cyber crisis management plans for major incidents referred to in Article 10(if).
Amendment 375 #
Proposal for a regulation
Article 22 – paragraph 3
Article 22 – paragraph 3
3. With the approval of the concerned Union institutions, bodies and agencies, CERT-EU may also call on experts from the list referred to in paragraph 2 for contributing to the response to a major attackincident in a Member State, in line with the Joint Cyber Unit’s operating procedures.
Amendment 386 #
Proposal for a regulation
Article 24 – paragraph 3
Article 24 – paragraph 3
3. The Commission shall evaluate the functioning of this Regulation and report to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions no soonlater than five years after the date of entry into force.
Amendment 388 #
Proposal for a regulation
Annex I
Annex I
Amendment 394 #
Proposal for a regulation
Annex II
Annex II