10 Amendments of Nathalie LOISEAU related to 2020/0359(COD)

Amendment 104
Proposal for a directive
Recital 12
(12) Sector-specific legislation and instruments can contribute to ensuring high levels of cybersecurity, while taking full account of the specificities and complexities of those sectors. Where a sector-specific Union legal act requires essential or important entities to adopt cybersecurity risk management measures or to notify incidents or significant cyber threats of at least an equivalent effect to the obligations laid down in this Directive, those sector-specific provisions, including on supervision and enforcement, should apply. The Commission should issue guidelines in relation to the implementation of the lex specialis, taking relevant opinions, expertise and best practices of ENISA and the Cooperation Group into account. This Directive does not preclude the adoption of additional sector-specific Union acts addressing cybersecurity risk management measures and incident notifications. This Directive is without prejudice to the existing implementing powers that have been conferred to the Commission in a number of sectors, including transport and energy.
2021/06/03
Committee: ITRE
Amendment 158
Proposal for a directive
Recital 47
(47) The supply chain risk assessments, in light of the features of the sector concerned, should take into account both technical and, where relevant, non-technical factors including those defined in Recommendation (EU) 2019/534, in the EU wide coordinated risk assessment of 5G networks security and in the EU Toolbox on 5G cybersecurity agreed by the Cooperation Group. To identify the supply chains that should be subject to a coordinated risk assessment, the following criteria should be taken into account: (i) the extent to which essential and important entities use and rely on specific critical ICT services, systems or products; (ii) the relevance of specific critical ICT services, systems or products for performing critical or sensitive functions, including the processing of personal data; (iii) the availability of alternative ICT services, systems or products; (iv) the resilience of the overall supply chain of ICT services, systems or products against disruptive events and (v) for emerging ICT services, systems or products, their potential future significance for the entities’ activities.
2021/06/03
Committee: ITRE
Amendment 237
Proposal for a directive
Article 2 – paragraph 6
6. Where provisions of sector-specific acts of Union law require essential or important entities either to adopt cybersecurity risk management measures or to notify incidents or significant cyber threats, and where those requirements are at least equivalent in effect to the obligations laid down in this Directive, the relevant provisions of this Directive, including the provision on supervision and enforcement laid down in Chapter VI, shall not apply. The Commission shall issue guidelines in relation to the implementation of the sector-specific acts of Union law in order to ensure that security requirements established by this Directive are met by those acts. When preparing those guidelines, the Commission shall take into account ENISA and the Cooperation Group best practices and expertise.
2021/06/03
Committee: ITRE
Amendment 279
Proposal for a directive
Article 5 – paragraph 1 – point b a (new)
(ba) a framework for allocating the roles and responsibilities of public bodies and entities as well as other relevant actors, including the organisation of the cooperation at the national level, between the competent authorities designated under Article 7(1) and Article 8(1), the single point of contact designated under Article 8(3), and CSIRTs designated under Article 9;
2021/06/03
Committee: ITRE
Amendment 347
Proposal for a directive
Article 12 – paragraph 4 – point d a (new)
(da) provide advice on the overall consistency of sector-specific cybersecurity requirements;
2021/06/03
Committee: ITRE
Amendment 395
Proposal for a directive
Article 18 – paragraph 2 – point c
(c) backup management, business continuity and crisis management;
2021/06/03
Committee: ITRE
Amendment 419
Proposal for a directive
Article 19 – paragraph 1 a (new)
1a. To identify the specific critical ICT services, systems or products supply chains that are subject to a coordinated risk assessment, the following criteria shall be taken into account: (a) the extent to which essential and important entities use and rely on specific critical ICT services, systems or products; (b) the relevance of specific critical ICT services, systems or products for performing critical or sensitive functions, including the processing of personal data; (c) the availability of alternative ICT services, systems or products; (d) the resilience of the overall supply chain of ICT services, systems or products against disruptive events; and (e) the potential significance to entities' activities of emerging ICT services, systems or products.
2021/06/03
Committee: ITRE
Amendment 489
Proposal for a directive
Article 21 – paragraph 1
1. In order to demonstrate compliance with certain requirements of Article 18, Member States may require essential and important entities to use certain certified ICT products, ICT services and ICT processes, whether procured from third parties or developed by the essential or important entity, certified under specific European cybersecurity certification schemes adopted pursuant to Article 49 of Regulation (EU) 2019/881, or, in the absence of such a scheme, under equivalent internationally recognised certification schemes.
2021/06/03
Committee: ITRE
Amendment 497
Proposal for a directive
Article 21 – paragraph 2 a (new)
2a. In order to demonstrate compliance with certain requirements of Article 18 of this Directive, Member States may require essential and important entities to use qualified trust services pursuant to Regulation (EU) No 910/2014.
2021/06/03
Committee: ITRE
Amendment 498
Proposal for a directive
Article 21 – paragraph 2 b (new)
2b. Member States may rely on certified cybersecurity services providers, which could be certified under specific European cybersecurity certification schemes adopted pursuant to Article 49 of Regulation (EU) 2019/881, to enforce the supervision activities provided for in Articles 29 and 30 of this Directive.
2021/06/03
Committee: ITRE