Activities of Mikuláš PEKSA related to 2022/0085(COD)
Shadow reports (1)
REPORT on the proposal for a regulation of the European Parliament and of the Council laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union
Amendments (64)
Amendment 100 #
Proposal for a regulation
Recital 7
Recital 7
(7) The differences between Union institutions, bodies and agencies require flexibility in the implementation since one size will not fit all. The measures for a high common level of cybersecurity should not include any obligations directly interfering with the exercise of the missions of Union institutions, bodies and agencies or encroaching on their institutional autonomy. Thus, those institutions, bodies and agencies should establish their own frameworks for cybersecurity risk management, governance and control, and adopt their own baselines and cybersecurity plans, based on the common framework set by this regulation.
Amendment 104 #
Proposal for a regulation
Recital 8
Recital 8
(8) In order to avoid imposing a disproportionate financial and administrative burden on Union institutions, bodies and agencies, the cybersecurity risk management requirements should be proportionate to the risk presented by the network and information system concerned, taking into account the state of the art of such measures. Each Union institution, body and agency should aim to allocate an adequate percentage of its IT budget to improve its level of cybersecurity; in the longer term a target in the order ofat least 105% should be pursued.
Amendment 106 #
(9) A high common level of cybersecurity requires cybersecurity to come under the oversight of an EU common board working with the highest level of management of each Union institution, body and agency, who should approve a cybersecurity baseline that should address the risks identified under the framework to be established by each institution, body and agency. Addressing the cybersecurity culture, i.e. the daily practice of cybersecurity, ismust become an integral part of a cybersecurity baseline in all Union institutions, bodies and agencies.
Amendment 108 #
Proposal for a regulation
Recital 10
Recital 10
(10) Union institutions, bodies and agencies should assess risks related to relationships with suppliers and service providers, including providers of data storage and processing services or managed security services, and take appropriate measures to address them. These measures should form part of the cybersecurity baseline and be further specified in guidance documents or recommendations issued by CERT-EU. When defining measures and guidelines, due account should be taken of relevant EU legislation and policies, including risk assessments and recommendations issued by the NIS Cooperation Group, such as the EU Coordinated risk assessment and EU Toolbox on 5G cybersecurity. In addition, considering the threat landscape and the importance of building up resilience for the Union institutions, bodies and agencies certification of relevant ICT products, services and processes couldmust be required, under specific EU cybersecurity certification schemes adopted pursuant to Article 49 of Regulation EU 2019/881.
Amendment 118 #
Proposal for a regulation
Recital 16
Recital 16
(16) The IICB should monitor compliance with this Regulation as well as follow-up of guidance documents and recommendations, and calls for action issued by CERT-EU. The IICB should be supported on technical matters by technical advisory groups composed as the IICB sees fit, including data protection institutions such as EDPS, which should work in close cooperation with CERT-EU, the Union institutions, bodies and agencies and other stakeholders as necessaryappropriate. Where necessary, the IICB should issue non- binding warnings and recommendquests for audits.
Amendment 122 #
Proposal for a regulation
Recital 20
Recital 20
(20) In supporting operational cybersecurity, CERT-EU should make use of the available expertise of the European Union Agency for Cybersecurity through structured cooperation as provided for in Regulation (EU) 2019/881 of the European Parliament and of the Council5 . Where appropriate, dDedicated arrangements between the two entities shouldall be established, within the two first years of entry into force of this Regulation, to define the practical implementation of such cooperation and to avoid the duplication of activities. CERT- EU should cooperate with the European Union Agency for Cybersecurity on threat analysis and share its threat landscape report with the Agency on a regular basis. _________________ 5 Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (OJ L 151, 7.6.2019, p. 15).
Amendment 124 #
Proposal for a regulation
Recital 24
Recital 24
(24) As the services and tasks of CERT- EU are in the interest of all Union institutions, bodies and agencies, each Union institution, body and agency with IT expenditure should contribute a fair shareproportionally to those services and tasks. Those contributions are without prejudice to the budgetary autonomy of the Union institutions, bodies and agencies.
Amendment 126 #
Proposal for a regulation
Recital 25
Recital 25
(25) The IICB, with the assistance of CERT-EU, should review and evaluate the implementation of this Regulation and should report its findings to the Commission. Building on this input, the Commission should report to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions every year.
Amendment 128 #
Proposal for a regulation
Recital 25 a (new)
Recital 25 a (new)
(25 a) The European Data Protection Supervisor was consulted in accordance with Article 42 of Regulation (EU) 2018/1725 of the European Parliament and of the Council and delivered an opinion on 17 May 2022.
Amendment 129 #
Proposal for a regulation
Recital 25 b (new)
Recital 25 b (new)
(25 b) All cybersecurity systems and services involved in the prevention, detection, and response to cyber threats should be compliant with the current data protection and privacy framework, and should take relevant technical and organisational safeguards to ensure this compliance in an accountable way.
Amendment 130 #
Proposal for a regulation
Recital 25 c (new)
Recital 25 c (new)
(25 c) The use of technologies for improving cybersecurity should not unduly interfere with the rights and freedoms of individuals. To avoid or mitigate those risks, data protection by design and by default requirements laid down in Article 27 of Regulation (EU) 2018/1725, should apply. Appropriate safeguards include pseudonymisation, encryption, data accuracy, data minimization, in the design, development and use of cybersecurity technologies and systems.
Amendment 131 #
Proposal for a regulation
Recital 25 d (new)
Recital 25 d (new)
(25 d) A peer-review mechanism should be introduced, allowing the assessment by experts drawn from one institution and one body or agency different from the one being reviewed of the implementation of cybersecurity policies, including the level of institutions, bodies and agencies’ capabilities and available resources.
Amendment 135 #
Proposal for a regulation
Article 1 – paragraph 1 – point a
Article 1 – paragraph 1 – point a
(a) obligations on Union institutions, bodies, offices and agencies to establish an internal cybersecurity risk management, governance and control framework; (This amendment applies across the text, adding the word "offices" and aligning the reference to Union institutions, bodies, offices and agencies with the title whenever the wording "Union institutions, bodies and agencies" is used)
Amendment 145 #
Proposal for a regulation
Article 3 – paragraph 1 – point 5
Article 3 – paragraph 1 – point 5
(5) ‘highest level of management’ means a manager, management or coordination and oversight body at the most senior administrative level, taking account of the high-level governance arrangements in each Union institution, body or agency and without prejudice to the formal responsibilities of other levels of management for compliance and risk management in their respective areas of responsibility;
Amendment 150 #
Proposal for a regulation
Article 3 – paragraph 1 – point 7
Article 3 – paragraph 1 – point 7
(7) ‘significant incident’ means any incident unless it has limited impact and is likely to be, is already well understood in terms of method or technology and has been mitigated;
Amendment 154 #
Proposal for a regulation
Article 3 – paragraph 1 – point 8
Article 3 – paragraph 1 – point 8
(8) ‘major attack’ means any incident requiring more resources than are available at the affected Union institution, body or agency and at CERT-EU;
Amendment 162 #
Proposal for a regulation
Article 3 – paragraph 1 – point 14
Article 3 – paragraph 1 – point 14
(14) ‘cybersecurity risk’ means any reasonably identifiable circumstance or event having a potential adverse effect on the security of network and information systems;
Amendment 170 #
Proposal for a regulation
Article 3 – paragraph 1 – point 15
Article 3 – paragraph 1 – point 15
(15) ‘Joint Cyber Unit’ means a virtual and physical platform for cooperation for the different cybersecurity communities in the Union, with a focus on operational and technical coordination against major cross-border cyber threats and incidents within the meaning of Commission Recommendation of 23 June 2021;
Amendment 176 #
Proposal for a regulation
Article 4 – paragraph 1
Article 4 – paragraph 1
1. EBased on an full cybersecurity audit each Union institution, body and agency shall establish its own internal cybersecurity risk management, governance and control framework (‘the framework’) in support of the entity’s mission and exercising its institutional autonomy. This work shall be overseen by the entity’s highest level of management and be in its responsibility in order to ensure an effective and prudent management of all cybersecurity risks. The framework shall be in place by …. at the latest [15 months after the entry into force of this Regulation].
Amendment 185 #
Proposal for a regulation
Article 4 – paragraph 3
Article 4 – paragraph 3
3. The highest level of management of each Union institution, body and agency shall provide oversight over the compliance of their organisation with the obligations related to cybersecurity risk management, governance, and control, without prejudice to the formal responsibilities of other levels of management for compliance and risk management in their respective areas of responsibility, such as data protection.
Amendment 188 #
Proposal for a regulation
Article 4 – paragraph 5
Article 4 – paragraph 5
5. Each Union institution, body and agency shall appoint a Local Cybersecurity Officer or an equivalent function who shall act as its single point of contact regarding all aspects of cybersecurity. The Local Cybersecurity Officer shall cooperate with the data protection officer in accordance with Article 43of Regulation (EU) 2018/1725, when dealing with overlapping activities applying data protection by design and by default to cybersecurity measures, selecting cybersecurity measures that involve protection of personal data, integrated risk management, and integrated security incident handling;
Amendment 195 #
Proposal for a regulation
Article 5 – paragraph 1
Article 5 – paragraph 1
1. The highest level of management of each Union institution, body and agency shall approve the entity’s own cybersecurity baseline to address the risks identified under the framework referred to in Article 4(1). It shall do so in support of its mission and exercising its institutional autonomy in full compliance with the requirements of this regulation, following the guidance and recommendations of IICB and CERT-EU and implementing the applicable EU cybersecurity schemes. The cybersecurity baseline shall be in place by …. at the latest [18 months after the entry into force of this Regulation] and shall address the domains listed in Annex I and the measures listed in Annex II.
Amendment 200 #
Proposal for a regulation
Article 5 – paragraph 2
Article 5 – paragraph 2
2. The senior management and staff of each Union institution, body and agency shall follow specific trainings on a regular basis to gain sufficient knowledge and skills in order to apprehend and assess cybersecurity risk and management practices and their impact on the operations of the organisation.
Amendment 205 #
Proposal for a regulation
Article 6 – paragraph 1
Article 6 – paragraph 1
Each Union institution, body and agency shall carry out a cybersecurity maturity assessment at least every threewo years, incorporating all the elements of their IT environment as described in Article 4, taking account of the relevant guidance documents and recommendations adopted in accordance with Article 13. The maturity assessment must be based on cybersecurity audits.
Amendment 211 #
Proposal for a regulation
Article 7 – paragraph 1
Article 7 – paragraph 1
1. Following the conclusions derived from the maturity assessment and considering the assets and risks identified pursuant to Article 4, the highest level of management of each Union institution, body and agency shall approve a cybersecurity plan without undue delay after the establishment of the risk management, governance and control framework and the cybersecurity baseline. The plan shall aim at increasing the overall cybersecurity of the concerned entity and shall thereby contribute to the achievement or enhancement of a high common level of cybersecurity among all Union institutions, bodies and agencies. To support the entity’s mission on the basis of its institutional autonomy, the plan shall at least include the domains listed in Annex I, the measures listed in Annex II, as well as measures related to incident preparedness, response and recovery, such as security assessment of the suppliers and services, monitoring and logging. The plan shall be revised at least every threewo years, following the maturity assessments carried out pursuant to Article 6.
Amendment 214 #
Proposal for a regulation
Article 7 – paragraph 2
Article 7 – paragraph 2
2. The cybersecurity plan shall include staff members’ roles, preparedness and responsibilities for its implementation.
Amendment 217 #
Proposal for a regulation
Article 7 – paragraph 3
Article 7 – paragraph 3
3. The cybersecurity plan shall consider anyinclude the measures foreseen in all applicable guidance documents and recommendations issued by CERT-EU.
Amendment 219 #
Proposal for a regulation
Article 9 – paragraph 2 – point a
Article 9 – paragraph 2 – point a
(a) monitoring the implementation of this Regulation by the Union institutions, bodies and agencies and making recommendations for achieving a common high level of cybersecurity;
Amendment 224 #
Proposal for a regulation
Article 9 – paragraph 3 – subparagraph 1 – point k a (new)
Article 9 – paragraph 3 – subparagraph 1 – point k a (new)
(k a) the European Data Protection Supervisor (EDPS).
Amendment 228 #
Proposal for a regulation
Article 9 – paragraph 3 – subparagraph 2
Article 9 – paragraph 3 – subparagraph 2
Members shall be nominated on a gender balance principle and may be assisted by an alternate. Other representatives of the organisations listed above or of other Union institutions, bodies and agencies may be invited by the chair to attend IICB meetings without voting power.
Amendment 243 #
Proposal for a regulation
Article 10 – paragraph 1 – point a a (new)
Article 10 – paragraph 1 – point a a (new)
(a a) approve, on the basis of a proposal from the Head of CERT-EU, recommendations for achieving a common high level of cybersecurity, aimed at one or all Union institutions, bodies, offices and agencies;
Amendment 248 #
Proposal for a regulation
Article 10 – paragraph 1 – point i
Article 10 – paragraph 1 – point i
(i) establish as many technical advisory groups as necessary to assist the IICB’s work, approve their terms of reference and designate their respective chairs.
Amendment 249 #
Proposal for a regulation
Article 10 – paragraph 1 – point i a (new)
Article 10 – paragraph 1 – point i a (new)
(i a) Approve the methodology and content of a peer-review system for assessing the effectiveness of the institutions, bodies and agencies’ cybersecurity policies. The reviews shall be conducted by cybersecurity technical experts drawn from one institution and one body or agency different from the one being reviewed. The results of the peer- reviews shall be used in fulfilling the obligations foreseen in articles 7 and 8.
Amendment 265 #
Proposal for a regulation
Article 11 – paragraph 1 – point b
Article 11 – paragraph 1 – point b
(b) recommendquest a relevant audit service to carry out an audit.;
Amendment 266 #
Proposal for a regulation
Article 11 – paragraph 1 – point b a (new)
Article 11 – paragraph 1 – point b a (new)
(b a) inform the European Court of Auditors about the lack of compliance.
Amendment 275 #
Proposal for a regulation
Article 12 – paragraph 2 – point d
Article 12 – paragraph 2 – point d
(d) raise to the attention of the IICB any issue relating to the implementation of this Regulation and of the implementation of the guidance documents, recommendations and calls for action and make proposals for recommendations;
Amendment 278 #
Proposal for a regulation
Article 12 – paragraph 2 – point e a (new)
Article 12 – paragraph 2 – point e a (new)
(e a) conduct regular risk analysis of the interconnectivity among the Union institutions, bodies, offices and agencies.
Amendment 283 #
Proposal for a regulation
Article 12 – paragraph 5 – introductory part
Article 12 – paragraph 5 – introductory part
5. CERT-EU may provide to the Union institutions, bodies, offices and agencies the following services not described in its service catalogue (‘chargeable services’):
Amendment 285 #
Proposal for a regulation
Article 12 – paragraph 6
Article 12 – paragraph 6
6. CERT-EU mayshall organise cybersecurity exercises or recommend participation in existing exercises, in close cooperation with the European Union Agency for Cybersecurity whenever applicable, to test the level of cybersecurity of the Union institutions, bodies, offices and agencies on a regular basis.
Amendment 288 #
Proposal for a regulation
Article 12 – paragraph 7
Article 12 – paragraph 7
7. CERT-EU mayshall provide assistance to Union institutions, bodies, offices and agencies regarding incidents in classified IT environments if it is explicitly requested to do so by the constituent concerned.
Amendment 291 #
Proposal for a regulation
Article 12 – paragraph 7 a (new)
Article 12 – paragraph 7 a (new)
7 a. The processing of personal data carried out by CERT-EU under this Regulation shall be subject to Regulation (EU) 2018/1725 of the European Parliament and of the Council.
Amendment 293 #
Proposal for a regulation
Article 12 – paragraph 7 b (new)
Article 12 – paragraph 7 b (new)
7 b. CERT-EU shall inform the EDPS when addressing significant vulnerabilities, significant incidents or major attacks that have the potential to result in personal data breaches and/or in the breach of confidentiality of electronic communications.
Amendment 294 #
Proposal for a regulation
Article 12 – paragraph 7 c (new)
Article 12 – paragraph 7 c (new)
7 c. CERT-EU shall inform the EDPS about preventive cybersecurity activities that would result in the collection of personal data.
Amendment 295 #
Proposal for a regulation
Article 13 – paragraph 1 – point c
Article 13 – paragraph 1 – point c
(c) proposals to the IICB for recommendations addressed to individual or all Union institutions, bodies, offices and agencies.
Amendment 299 #
Proposal for a regulation
Article 13 – paragraph 2 – point c
Article 13 – paragraph 2 – point c
(c) where appropriate, the use of common technology, open-source architecture and associated best practices with the aim of achieving control, interoperability and common standards within the meaning of Article 4(10) of Directive [proposal NIS 2].
Amendment 310 #
Proposal for a regulation
Article 15 – paragraph 1
Article 15 – paragraph 1
1. The Commission, after having obtained the unanimous approval of the IICB, shall appoint the Head of CERT-EU. The IICB shall be consulted at all stages of the procedure prior to the appointment of the Head of CERT-EU, in particular in drafting vacancy notices, examining applications and appointing selection boards in relation to this post. The final list of candidates shall include at least one men and one woman.
Amendment 316 #
Proposal for a regulation
Article 16 – paragraph 2
Article 16 – paragraph 2
2. CERT-EU may exchange incident- specific information with national counterparts in the Member States to facilitate detection of similar cyber threats or incidents without the consentauthorization of the affected constituent, as long as personal data is protected according to applicable GDPR provisions.. CERT-EU may only exchange incident-specific information which reveals the identity of the target of the cybersecurity incident with the consentauthorization of the affected constituent and in full compliance with applicable GDPR provisions.
Amendment 324 #
Proposal for a regulation
Article 18 – paragraph 5 a (new)
Article 18 – paragraph 5 a (new)
5 a. Information on the completion of security plans by the Union institutions, bodies, offices and agencies shall be shared with the discharge authorities;
Amendment 325 #
Proposal for a regulation
Article 18 – paragraph 5 b (new)
Article 18 – paragraph 5 b (new)
Amendment 333 #
Proposal for a regulation
Article 19 – paragraph 3
Article 19 – paragraph 3
3. CERT-EU may only exchange incident-specific information which reveals the identity of the Union institution, body or agency affected by the incident with the consent of that entity. CERT-EU may only exchange incident-specific information which reveals the identity of the target of the cybersecurity incident with the consent of the entity affected by the incident. In all cases, personal data shall be treated in accordance with applicable GDPR provisions.
Amendment 344 #
Proposal for a regulation
Article 20 – paragraph 1 – subparagraph 2
Article 20 – paragraph 1 – subparagraph 2
Amendment 362 #
Proposal for a regulation
Article 20 – paragraph 5
Article 20 – paragraph 5
Amendment 372 #
Proposal for a regulation
Article 22 – paragraph 2
Article 22 – paragraph 2
2. The Union institutions, bodies and agencies shall contribute to the inventory of available technical expertise by providing an annually updated list of experts available within their respective organisations detailing their specific technical skills.
Amendment 373 #
Proposal for a regulation
Article 22 – paragraph 3
Article 22 – paragraph 3
3. With the approval of the concerned Union institutions, bodies and agencies, CERT-EU may also call on experts from the list referred to in paragraph 2 for contributing to the response to a major attack in a Member State, in line with the Joint Cyber Unit’s operating procedures. Specific rules on access to and use of technical experts from Union institutions, bodies, offices and agencies shall be approved by IICB at the proposal of CERT EU.
Amendment 379 #
Proposal for a regulation
Article 23 – paragraph 1
Article 23 – paragraph 1
The Commission shall propose the reallocation of staff and financial resources from relevant Union institutions, bodies, offices and agencies to the Commission budget for the use of CERT-EU operations. The reallocation shall be effective at the same time as the first budget adopted following the entry into force of this Regulation.
Amendment 390 #
Proposal for a regulation
Annex I – paragraph 1 – point 7
Annex I – paragraph 1 – point 7
(7) system acquisition, development and, maintenance and transparency of the source code;
Amendment 391 #
Proposal for a regulation
Annex I – paragraph 1 – point 7 a (new)
Annex I – paragraph 1 – point 7 a (new)
(7 a) cybersecurity audits;
Amendment 392 #
Proposal for a regulation
Annex I – paragraph 1 – point 7 b (new)
Annex I – paragraph 1 – point 7 b (new)
(7 b) IT staff workload and overall satisfaction;
Amendment 397 #
Proposal for a regulation
Annex II – paragraph 1 – point 2 a (new)
Annex II – paragraph 1 – point 2 a (new)
(2 a) the large scale deployment of end to end encrypted communications, including mandatory end to end encrypted messaging services, email encryption and secure digital signing;
Amendment 398 #
Proposal for a regulation
Annex II – paragraph 1 – point 2 b (new)
Annex II – paragraph 1 – point 2 b (new)
(2 b) ensuring privacy by design and the enhanced security of all personal data;
Amendment 399 #
Proposal for a regulation
Annex II – paragraph 1 – point 2 c (new)
Annex II – paragraph 1 – point 2 c (new)
(2 c) the large scale deployment and development of open source software, including inter-institutional software re- use and migrating from software solutions and service based on non-auditable source code;
Amendment 400 #
Proposal for a regulation
Annex II – paragraph 1 – point 3 a (new)
Annex II – paragraph 1 – point 3 a (new)
(3 a) regular cybersecurity training of staff members;
Amendment 401 #
Proposal for a regulation
Annex II – paragraph 1 – point 3 b (new)
Annex II – paragraph 1 – point 3 b (new)
(3 b) the deployment of mandatory penetration tests, based on the recommendation of CERT-EU;
Amendment 402 #
Proposal for a regulation
Annex II – paragraph 1 – point 3 c (new)
Annex II – paragraph 1 – point 3 c (new)
(3 c) participation in interconnectivity risk analyses between the Union institutions, bodies and agencies;