13 Amendments of Elżbieta KRUK related to 2020/0359(COD)
Amendment 103
Proposal for a directive
Recital 12
(12) Sector-specific legislation and instruments can contribute to ensuring high levels of cybersecurity, while taking full account of the specificities and complexities of those sectors. As a minimum baseline sector-specific Union legal act should require essential or important entities to adopt cybersecurity risk management measures and to notify incidents or significant cyber threats in line with requirements laid down in Articles 18 (1, 2) and 20 of this Directive. Where sector-specific legislations foresee specific rules on supervision and enforcement, these rules should apply. The Commission may issue guidelines in relation to the implementation of the lex specialis. This Directive does not preclude the adoption of additional sector-specific Union acts addressing cybersecurity risk management measures and incident notifications. Nevertheless, while adopting the additional sector-specific Union acts the need of a comprehensive and consistent cybersecurity framework should be duly taken into account. This Directive is without prejudice to the existing implementing powers that have been conferred to the Commission in a number of sectors, including transport and energy.
Amendment 194
Proposal for a directive
Recital 69
(69) The processing of personal data, to the extent strictly necessary and proportionate for the purposes of ensuring network and information security by entities, public authorities, CERTs, CSIRTs, and providers of security technologies and services should constitute a legitimate interestCERTs should constitute a legitimate interest of the data controller concerned, as referred to in Regulation (EU) 2016/679 and by public authorities, namely competent authorities, Single Points Of Contact (SPOCs), CSIRTs, NIS CG, CSIRT Network, CERTs and CYCLONe should constitute a legal obligation or the public interest or the exercise of official authority of the data controller concerned, as referred to in Regulation (EU) 2016/679. That should include measures related to the prevention, detection, analysis and response to incidents, measures to raise awareness in relation to specific cyber threats, exchange of information in the context of vulnerability remediation and coordinated disclosure, as well as the voluntary exchange of information on those incidents, as well as cyber threats and vulnerabilities, indicators of compromise, tactics, techniques and procedures, cybersecurity alerts and configuration tools. Such measures may require the processing of the following types of personal data: IP addresses, telephone numbers, bank account numbers, geolocation data, payment data, uniform resources locators (URLs), domain names, and email addresses.
Amendment 232
Proposal for a directive
Article 2 – paragraph 5 a (new)
5a. To fulfil the tasks set out in this Directive, competent authorities and CSIRTs shall process personal data, including the data referred to in Article 9 of the Regulation (EU) 2016/679, and shall process information that is confidential pursuant to Union and national rules, for the purposes and to the extent strictly necessary to fulfil these tasks.
Amendment 234
Proposal for a directive
Article 2 – paragraph 5 b (new)
5b. To fulfil the tasks set out in this Directive, SPOCs, the Cooperation Group, the CSIRT Network and CyCLONe shall process personal data and information that is confidential pursuant to Union and national rules, for the purposes and to the extent strictly necessary to fulfil these tasks.
Amendment 236
Proposal for a directive
Article 2 – paragraph 5 c (new)
5c. When processing the personal data referred to in Article 9 of the Regulation (EU) 2016/679, competent authorities and CSIRTs shall conduct the risk analyses, introduce proper safeguards and procedures to exchange information.
Amendment 240
Proposal for a directive
Article 2 – paragraph 6
6. Where provisions of sector–specific acts of Union law require essential or important entities either to adopt cybersecurity risk management measures and to notify incidents or significant cyber threats, and where those requirements are at least equivalent in effect to the obligations laid down in this Directive, the relevant provisions of this Directive, including the provision on supervision and enforcement laid down in Chapter VI, shall not apply.
Amendment 241
Proposal for a directive
Article 2 – paragraph 6 a (new)
6a. Sector-specific acts of Union law referred to in paragraph 6 should at minimum include: (a) cybersecurity risk management measures as laid down in Article 18 (1) and (2); and (b) requirements to notify incidents and significant cyber threats as laid down in Article 20 (1-4).
Amendment 356
Proposal for a directive
Article 14 – paragraph 1
1. In order to support the coordinated management of large-scale cybersecurity incidents and crises at operational level and to ensure the regular exchange of information among Member States and Union institutions, bodies and agencies considering such incidents and crises, the European Cyber Crises Liaison Organisation Network (EU-CyCLONe) is hereby established.
Amendment 358
Proposal for a directive
Article 14 – paragraph 3 – introductory part
3. EU-CyCLONe, while avoiding any duplication of tasks with the CSIRT Network, shall have the following tasks:
Amendment 359
Proposal for a directive
Article 14 – paragraph 3 – point b
Amendment 360
Proposal for a directive
Article 14 – paragraph 3 – point d
Amendment 362
Proposal for a directive
Article 14 – paragraph 5
5. EU-CyCLONe shall regularly report to the Cooperation Group on large scale incidents and crises, focusing in particular on their impact on essential and important entities.
Amendment 597
Proposal for a directive
Article 42 – paragraph 1
This Directive shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union, with exception to Article 39 which enters into force on the day following the day when the transposition deadline as laid down in Article 38 expires.