50 Amendments of Patryk JAKI related to 2020/0359(COD)
Amendment 91 #
Proposal for a directive
Recital 8
(8) In accordance with Directive (EU) 2016/1148, Member States were responsible for determining which entities meet the criteria to qualify as operators of essential services (‘identification process’). In order to eliminate the wide divergences among Member States in that regard and ensure legal certainty for the risk management requirements and reporting obligations for all relevant entities, a uniform criterion should be established that determines the entities falling within the scope of application of this Directive. That criterion should consist of the application of the size-cap rule, whereby all medium and large enterprises, as defined by Commission Recommendation 2003/361/EC [15], that operate within the sectors or provide the type of services covered by this Directive, fall within its scope. Member States should not be required to establish a list of the entities that meet this generally applicable size-related criterion. Nevertheless, taking into account the difference in composition of public administration in the Member States, the identification process provided in Directive (EU) 2016/1148 remains an appropriate mechanism to determine which public administration entities should fall under the scope of this Directive.
[15] Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (OJ L 124, 20.5.2003, p. 36).
Amendment 92 #
Proposal for a directive
Recital 8 a (new)
(8a) Taking into consideration the differences in the national public administration frameworks, Member States retain full decision-making autonomy regarding the question of whether to identify public administration entities and, if Member States decide to do so, which entities are to be identified. It would also be possible to provide in the national legislation that particular categories of public administration entities are identified as falling under the scope of this Directive. Member States should also be able to structure the obligations for public administration entities regarding security requirements, incident notification, supervision and sanctions.
Amendment 93 #
Proposal for a directive
Recital 11
(11) Depending on the sector in which they operate or the type of service they provide, the entities falling within the scope of this Directive should be classified into three categories: essential, important, and public administration. That categorisation should take into account the level of criticality of the sector or of the type of service, as well as the level of dependency of other sectors or types of services. Essential and important entities and public administration entities should be subject to the same risk management requirements and reporting obligations. Member States should have the right to exclude obligations for public administration entities. The supervisory and penalty regimes for essential and important entities should be differentiated to ensure a fair balance between requirements and obligations on the one hand, and the administrative burden stemming from the supervision of compliance on the other hand. The supervisory and penalty regimes for public administration entities should be provided for in line with the national legislation and legal system.
Amendment 96 #
Proposal for a directive
Recital 20 a (new)
(20a) It is crucial to raise cyber awareness and resilience in public administration entities. At the same time, it is also essential to take into account the specificities of the composition of national public administrations. Therefore, Member States should be given the flexibility to decide if and which public administration entities should be covered by this Directive and should have the right to exclude selected obligations for these entities. Identification of public administration entities should be at the individual Member State’s sole discretion.
Amendment 98 #
Proposal for a directive
Recital 21
(21) In view of the differences in national governance structures and in order to safeguard already existing sectoral arrangements or Union supervisory and regulatory bodies, Member States should be able to designate more than one national competent authority responsible for fulfilling the tasks linked to the security of the network and information systems of essential and important entities and public administration entities under this Directive. Member States should be able to assign this role to an existing authority.
Amendment 106 #
Proposal for a directive
Recital 42
(42) Essential and important entities and public administration entities should ensure the security of the network and information systems which they use in their activities. Those are primarily private network and information systems managed by their internal IT staff or the security of which has been outsourced. The cybersecurity risk management and reporting requirements pursuant to this Directive should apply to the relevant essential and important entities and public administration entities regardless of whether they perform the maintenance of their network and information systems internally or outsource it.
Amendment 109 #
Proposal for a directive
Recital 46
(46) To further address key supply chain risks and assist entities operating in sectors covered by this Directive and public administration entities to appropriately manage supply chain and supplier related cybersecurity risks, the Cooperation Group involving relevant national authorities, in cooperation with the Commission and ENISA, should carry out coordinated sectoral supply chain risk assessments, as was already done for 5G networks following Recommendation (EU) 2019/534 on Cybersecurity of 5G networks [21], with the aim of identifying per sector which are the critical ICT services, systems or products, relevant threats and vulnerabilities.
[21] Commission Recommendation (EU) 2019/534 of 26 March 2019 Cybersecurity of 5G networks (OJ L 88, 29.3.2019, p. 42).
Amendment 111 #
Proposal for a directive
Recital 47
(47) The supply chain risk assessments, in light of the features of the sector concerned, should take into account both technical and, where relevant, non-technical factors including those defined in Recommendation (EU) 2019/534, in the EU wide coordinated risk assessment of 5G networks security and in the EU Toolbox on 5G cybersecurity agreed by the Cooperation Group. To identify the supply chains that should be subject to a coordinated risk assessment, the following criteria should be taken into account: (i) the extent to which essential and important entities and public administration entities use and rely on specific critical ICT services, systems or products; (ii) the relevance of specific critical ICT services, systems or products for performing critical or sensitive functions, including the processing of personal data; (iii) the availability of alternative ICT services, systems or products; (iv) the resilience of the overall supply chain of ICT services, systems or products against disruptive events and (v) for emerging ICT services, systems or products, their potential future significance for the entities’ activities.
Amendment 112 #
Proposal for a directive
Recital 48 a (new)
(48a) Small and medium-sized enterprises (SMEs) often lack the scale and resources to fulfil a broad and growing range of cybersecurity needs in an interconnected world with an increase in remote work. Member States should therefore address in their national cybersecurity strategies guidance and support for SMEs.
Amendment 113 #
Proposal for a directive
Recital 51
(51) The internal market is more reliant on the functioning of the internet than ever before. The services of virtually all essential and important entities and public administration entities are dependent on services provided over the internet. In order to ensure the smooth provision of services provided by essential and important entities and public administration entities, it is important that public electronic communications networks, such as, for example, internet backbones or submarine communications cables, have appropriate cybersecurity measures in place and report incidents in relation thereto.
Amendment 122 #
Proposal for a directive
Recital 56
(56) Essential and important entities and public administration entities are often in a situation where a particular incident, because of its features, needs to be reported to various authorities as a result of notification obligations included in various legal instruments. Such cases create additional burdens and may also lead to uncertainties with regard to the format and procedures of such notifications. In view of this and, for the purposes of simplifying the reporting of security incidents, Member States should establish a single entry point for all notifications required under this Directive and also under other Union law such as Regulation (EU) 2016/679 and Directive 2002/58/EC. ENISA, in cooperation with the Cooperation Group should develop common notification templates by means of guidelines that would simplify and streamline the reporting information requested by Union law and decrease the burdens for companies.
Amendment 123 #
Proposal for a directive
Recital 57
(57) Where it is suspected that an incident is related to serious criminal activities under Union or national law, Member States should encourage essential and important entities and public administration entities, on the basis of applicable criminal proceedings rules in compliance with Union law, to report incidents of a suspected serious criminal nature to the relevant law enforcement authorities. Where appropriate, and without prejudice to the personal data protection rules applying to Europol, it is desirable that coordination between competent authorities and law enforcement authorities of different Member States be facilitated by the EC3 and ENISA.
Amendment 129 #
Proposal for a directive
Recital 63
(63) All essential and important entities under this Directive should fall under the jurisdiction of the Member State where they provide their services. If the entity provides services in more than one Member State, it should fall under the separate and concurrent jurisdiction of each of these Member States. The competent authorities of these Member States should cooperate, provide mutual assistance to each other and where appropriate, carry out joint supervisory actions. Public administration entities shall fall under the jurisdiction of the Member State in which they were identified pursuant to Article 2a.
Amendment 133 #
Proposal for a directive
Recital 70
(70) In order to strengthen the supervisory powers and actions that help ensure effective compliance, this Directive should provide for a minimum list of supervisory actions and means through which competent authorities may supervise essential and important entities. In addition, this Directive should establish a differentiation of supervisory regime between essential and important entities with a view to ensuring a fair balance of obligations for both entities and competent authorities. Thus, essential entities should be subject to a fully-fledged supervisory regime (ex-ante and ex-post), while important entities should be subject to a light supervisory regime, ex-post only. For the latter, this means that important entities should not document systematically compliance with cybersecurity risk management requirements, while competent authorities should implement a reactive ex-post approach to supervision and, hence, not have a general obligation to supervise those entities. When it comes to public administration entities, the supervisory powers should be executed in line with the national frameworks and it should be up to Member States’ discretion to impose suitable measures of supervision and enforcement.
Amendment 137 #
Proposal for a directive
Article 1 – paragraph 2 – point b
(b) lays down cybersecurity risk management and reporting obligations for entities of a type referred to as essential entities in Annex I, important entities in Annex II and public administration entities;
Amendment 141 #
Proposal for a directive
Article 2 – paragraph 1 a (new)
1a. This Directive also applies to public administration entities identified by the Member States in accordance with Article 2a, notwithstanding paragraph 1b.
Amendment 142 #
Proposal for a directive
Article 2 – paragraph 1 b (new)
1b. This Directive does not apply to public administration entities that carry out activities in the areas of public security, defence or national security.
Amendment 144 #
Proposal for a directive
Article 2 – paragraph 2 – point b
Amendment 148 #
Proposal for a directive
Article 2 – paragraph 2 – subparagraph 1
Member States shall establish a list of entities identified pursuant to points (b) to (e) and submit it to the Commission by [6 months after the transposition deadline]. Member States shall review the list, on a regular basis, and at least every two years thereafter and, where appropriate, update it.
Amendment 151 #
Proposal for a directive
Article 2 – paragraph 5
5. Without prejudice to Article 346 TFEU, information that is confidential pursuant to Union and national rules, such as rules on business confidentiality, shall be exchanged with the Commission and other relevant authorities only where that exchange is necessary for the application of this Directive. The information exchanged shall be limited to that which is relevant and proportionate to the purpose of that exchange. The exchange of information shall preserve the confidentiality of that information and protect the security and commercial interests of essential or important entities or public administration entities.
Amendment 157 #
Proposal for a directive
Article 2 a (new)
Article 2a
Identification of Public Administration Entities
1. By [date] Member States may identify public administration entities established on their territory.
2. The criteria for the progressive identification of public administration entities shall be as follows:
(a) it is established for the purpose of meeting needs in the general interest and does not have an industrial or commercial character;
(b) it is financed, for the most part, by the State, regional authority, or by other bodies governed by public law; or it is subject to management supervision by those authorities or bodies; or it has an administrative, managerial or supervisory board, more than half of whose members are appointed by the State, regional authorities, or by other bodies governed by public law;
(c) it has the power to address to natural or legal persons administrative or regulatory decisions affecting their rights in the cross-border movement of persons, goods, services or capital.
3. The public administration entities identified in line with this Article shall be reviewed and where appropriate updated by Member States when necessary.
4. Member States shall inform the Commission about the result of the process of identification of public administration entities in accordance with this Article.
Amendment 163 #
Proposal for a directive
Article 4 – paragraph 1 – point 23 – introductory part
(23) ‘public administration entity’ means an entity in a Member State that was identified by the Member State in accordance with Article 2a.
Amendment 164 #
Proposal for a directive
Article 4 – paragraph 1 – point 23 – point a
Amendment 165 #
Proposal for a directive
Article 4 – paragraph 1 – point 23 – point b
Amendment 166 #
Proposal for a directive
Article 4 – paragraph 1 – point 23 – point c
Amendment 167 #
Proposal for a directive
Article 4 – paragraph 1 – point 23 – point d
Amendment 168 #
Proposal for a directive
Article 4 – paragraph 1 – point 23 – paragraph 1
Amendment 170 #
Proposal for a directive
Article 5 – paragraph 2 – point a
(a) a policy addressing cybersecurity in the supply chain for ICT products and services used by essential and important entities and public administration entities for the provision of their services;
Amendment 173 #
Proposal for a directive
Article 5 – paragraph 2 – point d a (new)
(da) a policy promoting the privacy and security of personal data of users of online services;
Amendment 180 #
Proposal for a directive
Article 6 – paragraph 2
2. ENISA shall develop and maintain a European vulnerability registry. To that end, ENISA shall establish and maintain the appropriate information systems, policies and procedures with a view in particular to enabling important and essential entities and public administration entities and their suppliers of network and information systems to disclose and register vulnerabilities present in ICT products or ICT services, as well as to provide access to the information on vulnerabilities contained in the registry to all interested parties. The registry shall, in particular, include information describing the vulnerability, the affected ICT product or ICT services and the severity of the vulnerability in terms of the circumstances under which it may be exploited, the availability of related patches and, in the absence of available patches, guidance addressed to users of vulnerable products and services as to how the risks resulting from disclosed vulnerabilities may be mitigated.
Amendment 183 #
Proposal for a directive
Article 9 – paragraph 3
3. Member States shall ensure that each CSIRT has at its disposal an appropriate, secure, and resilient communication and information infrastructure to exchange information with essential and important entities and public administration entities and other relevant interested parties. To this end, Member States shall ensure that the CSIRTs contribute to the deployment of secure information sharing tools.
Amendment 184 #
Proposal for a directive
Article 9 – paragraph 4
4. CSIRTs shall cooperate and, where appropriate, exchange relevant information in accordance with Article 26 with trusted sectorial or cross-sectorial communities of essential and important entities and public administration entities.
Amendment 185 #
Proposal for a directive
Article 10 – paragraph 2 – point b
(b) providing early warning, alerts, announcements and dissemination of information to essential and important entities and public administration entities as well as to other relevant interested parties on cyber threats, vulnerabilities and incidents;
Amendment 188 #
Proposal for a directive
Article 11 – paragraph 2
2. Member States shall ensure that either their competent authorities or their CSIRTs receive notifications on incidents, significant cyber threats and near misses submitted pursuant to this Directive. Where a Member State decides that its CSIRTs shall not receive those notifications, the CSIRTs shall, to the extent necessary to carry out their tasks, be granted access to data on incidents notified by the essential or important entities, or public administration entities, pursuant to Article 20.
Amendment 196 #
Proposal for a directive
Article 14 – paragraph 5
5. EU-CyCLONe shall regularly report to the Cooperation Group on large scale incidents, focusing in particular on their impact on essential and important entities and public administration entities.
Amendment 201 #
Proposal for a directive
Article 17 – paragraph 1
1. Member States shall ensure that the management bodies of essential and important entities and public administration entities approve the cybersecurity risk management measures taken by those entities in order to comply with Article 18, supervise its implementation and be accountable for the non-compliance by the entities with the obligations under this Article.
Amendment 204 #
Proposal for a directive
Article 18 – paragraph 1
1. Member States shall ensure that essential and important entities and public administration entities shall take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which those entities use in the provision of their services. Having regard to the state of the art, those measures shall ensure a level of security of network and information systems appropriate to the risk presented.
Amendment 213 #
Proposal for a directive
Article 20 – paragraph 1
1. Member States shall ensure that essential and important entities and public administration entities notify, without undue delay, but within 24 hours, the competent authorities or the CSIRT in accordance with paragraphs 3 and 4 of any incident having a significant impact on the provision of their services. Where appropriate, those entities shall notify, without undue delay, the recipients of their services of incidents that are likely to adversely affect the provision of that service. Member States shall ensure that those entities report, among others, any information enabling the competent authorities or the CSIRT to determine any cross-border impact of the incident.
Amendment 215 #
Proposal for a directive
Article 20 – paragraph 2 – introductory part
2. Member States shall ensure that essential and important entities and public administration entities notify, without undue delay, but within 24 hours, the competent authorities or the CSIRT of any significant cyber threat that those entities identify that could have potentially resulted in a significant incident.
Amendment 219 #
Proposal for a directive
Article 20 a (new)
Article 20a
Divergence for Public Administration Entities
Member States may lay down the rules on whether and to what extent public administration entities are excluded from the obligations provided in Article 17, Article 18 and Article 20.
Amendment 220 #
Proposal for a directive
Article 21 – paragraph 1
1. In order to demonstrate compliance with certain requirements of Article 18, Member States may require essential and important entities and public administration entities to certify certain ICT products, ICT services and ICT processes under specific European cybersecurity certification schemes adopted pursuant to Article 49 of Regulation (EU) 2019/881. The products, services and processes subject to certification may be developed by an essential or important entity or a public administration entity or procured from third parties.
Amendment 231 #
Proposal for a directive
Article 26 – paragraph 1 – introductory part
1. Without prejudice to Regulation (EU) 2016/679, Member States shall ensure that essential and important entities and public administration entities may exchange relevant cybersecurity information among themselves including information relating to cyber threats, vulnerabilities, indicators of compromise, tactics, techniques and procedures, cybersecurity alerts and configuration tools, where such information sharing:
Amendment 232 #
Proposal for a directive
Article 26 – paragraph 2
2. Member States shall ensure that the exchange of information takes place within trusted communities of essential and important entities and public administration entities. Such exchange shall be implemented through information sharing arrangements in respect of the potentially sensitive nature of the information shared and in compliance with the rules of Union law referred to in paragraph 1.
Amendment 233 #
Proposal for a directive
Article 26 – paragraph 4
4. Essential and important entities and public administration entities shall notify the competent authorities of their participation in the information-sharing arrangements referred to in paragraph 2, upon entering into such arrangements, or, as applicable, of their withdrawal from such arrangements, once the withdrawal takes effect.
Amendment 235 #
Proposal for a directive
Article 30 a (new)
Article 30a
Supervision and enforcement for public administration entities
1. Member States shall ensure that the measures of supervision or enforcement imposed on public administration entities in respect of the obligations set out in this Directive are effective, proportionate and dissuasive, taking into account the circumstances of each individual case.
2. Member States shall ensure that competent authorities, where exercising their supervisory tasks and enforcement powers in relation to public administration entities, have the appropriate powers in accordance with national legislation.
Amendment 236 #
Proposal for a directive
Article 31 – title
General conditions for imposing administrative fines on essential and important entities and public administration entities
Amendment 237 #
Proposal for a directive
Article 31 – paragraph 1
1. Member States shall ensure that the imposition of administrative fines on essential and important entities and public administration entities pursuant to this Article in respect of infringements of the obligations laid down in this Directive are, in each individual case, effective, proportionate and dissuasive.
Amendment 238 #
Proposal for a directive
Article 31 – paragraph 6
6. Without prejudice to the powers of competent authorities pursuant to Articles 29 and 30, each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public administration entities identified in accordance with Article 2a subject to the obligations provided for by this Directive.
Amendment 239 #
Proposal for a directive
Article 32 – paragraph 1
1. Where the competent authorities have indications that the infringement by an essential or important entity or public administration entity of the obligations laid down in Articles 18 and 20 entails a personal data breach, as defined by Article 4(12) of Regulation (EU) 2016/679 which shall be notified pursuant to Article 33 of that Regulation, they shall inform the supervisory authorities competent pursuant to Articles 55 and 56 of that Regulation within a reasonable period of time.
Amendment 250 #
Proposal for a directive
Annex I – Point 9 (Public administration)