Activities of Marcel KOLAJA related to 2020/0359(COD)

Shadow opinions (1)

OPINION on the proposal for a directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148
2021/07/14
Committee: IMCO
Dossiers: 2020/0359(COD)
Documents: PDF (316 KB), DOC (225 KB)
Authors: Morten LØKKEGAARD (MEP id 96709)

Amendments (45)

Amendment 74 #
Proposal for a directive
Recital 6 a (new)
(6a) The Directive is without prejudice to existing EU legislation governing the protection of personal data.
2021/06/03
Committee: IMCO
Amendment 76 #
Proposal for a directive
Recital 9
(9) However, small or micro entities, unless fulfilling certain criteria that indicate a key role for the economies or societies of Member States or for particular sectors or types of services, should not be covered by this Directive. Member States should be responsible for establishing a list of such entities, and submit it to the Commission. In order not to jeopardise collaborative innovation, non-commercial, free and open source projects should not be covered by this Directive.
2021/06/03
Committee: IMCO
Amendment 86 #
Proposal for a directive
Recital 20 a (new)
(20a) When adopting national cybersecurity strategies, Member States should ensure that policy frameworks are available in order to address cybersecurity and the lawful access to information. In particular they should make sure that lawful access to information does not directly or indirectly lead to encryption being undermined and includes oversight, independent from the government.
2021/06/03
Committee: IMCO
Amendment 87 #
Proposal for a directive
Recital 20 b (new)
(20b) A policy addressing cybersecurity in the supply chain should favour open source cybersecurity products, in line with Opinion 5/2021 of the European Data Protection Supervisor1a.
__________________
1a Opinion 5/2021 of the European Data Protection Supervisor on the Cybersecurity Strategy and the NIS 2.0 Directive, 11 March 2021.
2021/06/03
Committee: IMCO
Amendment 89 #
Proposal for a directive
Recital 25
(25) As regards personal data, CSIRTs should be able to provide, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council19 as regards personal data, on behalf of and upon specific request by an entity under this Directive, a proactive scanning of the network and information systems used for the provision of their services in order to identify, mitigate or prevent specific network and information security threats. Member States should aim at ensuring an equal level of technical capabilities for all sectorial CSIRTs. Member States may request the assistance of the European Union Agency for Cybersecurity (ENISA) in developing national CSIRTs.
__________________
19 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).
2021/06/03
Committee: IMCO
Amendment 96 #
Proposal for a directive
Recital 30
(30) Access to correct and timely information on vulnerabilities affecting ICT products and services contributes to an enhanced cybersecurity risk management. In that regard, sources of publicly available information on vulnerabilities are an important tool for entities and their users, but also national competent authorities and CSIRTs. For this reason, ENISA should ensure that essential and important entities and their suppliers, as well as entities which do not fall in the scope of application of this Directive may, on a voluntary basis, disclose vulnerabilities and provide the vulnerability information that allows users to take appropriate mitigating measures.
2021/06/03
Committee: IMCO
Amendment 97 #
Proposal for a directive
Recital 31
(31) Vulnerability registries or databases do exist, these are hosted and maintained by entities which are not established in the Union. To avoid duplication of efforts and seek complementarity to the extent possible, ENISA should enter into structured cooperation agreements with registries in third country jurisdictions and it should ensure that reports are transmitted to appropriate registries internationally. ENISA should support European companies in their use of such registries.
2021/06/03
Committee: IMCO
Amendment 98 #
Proposal for a directive
Recital 32 a (new)
(32a) The Cooperation Group should be composed of representatives of Member States, the Commission and ENISA.
2021/06/03
Committee: IMCO
Amendment 102 #
Proposal for a directive
Recital 44
(44) Among service providers, managed security services providers (MSSPs) in areas such as incident response, penetration testing, security audits and consultancy play a particularly important role in assisting entities in their efforts to detect and respond to incidents. Those MSSPs have however also been the targets of cyberattacks themselves and through their close integration in the operations of operators pose a particular cybersecurity risk. Entities should therefore exercise increased diligence in selecting an MSSP and should favour open source cybersecurity products for both software and hardware, as well as open source implementation of open and state-of-the-art, strong cryptography standards.
2021/06/03
Committee: IMCO
Amendment 107 #
Proposal for a directive
Recital 51 a (new)
(51a) In order to offer the necessary transparency to mitigate supply chain risks, open source cybersecurity products (software and hardware), including open source encryption, should be favoured, in line with Opinion 5/2021 of the European Data Protection Supervisor1a.
__________________
1a Opinion 5/2021 of the European Data Protection Supervisor on the Cybersecurity Strategy and the NIS 2.0 Directive, 11 March 2021.
2021/06/03
Committee: IMCO
Amendment 109 #
Proposal for a directive
Recital 53
(53) Strong and state of the art encryption is critical and irreplaceable for effective consistent protection of consumer and business security in the Single Market. Strong and state of the art encryption must be available to be used for mitigation of risks to network and information security. To protect their consumers, providers of public electronic communications networks or publicly available electronic communications services should implement security by design and by default, and inform the service recipients of particular and significant cyber threats and of additional measures they can take to protect the security of their devices and communications, for instance by using specific types of software or encryption technologies.
2021/06/03
Committee: IMCO
Amendment 111 #
Proposal for a directive
Recital 54
(54) In order to safeguard the security of electronic communications networks and services, the use of encryption, and in particular end-to-end encryption, should be promoted and, where necessary, should be mandatory for providers of such services and networks, in accordance with the principles of security and privacy by default and by design, for the purposes of Article 18. The security of end-to-end encryption should not be weakened by Member State powers, policies or procedures for ensuring the protection of their essential security interests and public security.
2021/06/03
Committee: IMCO
Amendment 117 #
Proposal for a directive
Recital 59
(59) Maintaining accurate and complete databases of domain names and registration data (so called ‘WHOIS data’) and providing lawful access to competent authorities for network and information security to such data may contribute to increased cybersecurity. Where processing includes personal data such processing shall comply with Union data protection law.
2021/06/03
Committee: IMCO
Amendment 119 #
Proposal for a directive
Recital 60
(60) The availability and timely accessibility of these data to CERTs and CSIRTs can sometimes be useful to prevent and combat Domain Name System abuse, in particular to prevent, detect and respond to cybersecurity incidents. Such access should comply with Union data protection law insofar as it is related to personal data.
2021/06/03
Committee: IMCO
Amendment 120 #
Proposal for a directive
Recital 61
(61) In order to ensure the availability of accurate and complete domain name registration data, TLD registries and the entities providing domain name registration services for the TLD (so-called registrars) should collect the domain names registration data necessary for the provision of their services. They should also take steps to prevent and correct inaccurate registration data in accordance with Union data protection rules.
2021/06/03
Committee: IMCO
Amendment 122 #
Proposal for a directive
Recital 62
(62) TLD registries and the entities providing domain name registration services for them should make publically available domain name registration data that fall outside the scope of Union data protection rules, such as data that concern legal persons25 . TLD registries and the entities providing domain name registration services for the TLD should also enable lawful access to specific domain name registration data concerning natural persons to legitimate access seekers, in accordance with Union data protection law. Member States should ensure that TLD registries and the entities providing domain name registration services for them should respond without undue delay to requests from legitimate access seekers for the disclosure of domain name registration data. TLD registries and the entities providing domain name registration services for them should establish policies and procedures for the publication and disclosure of registration data, including service level agreements to deal with requests for access from legitimate access seekers. The access procedure may also include the use of an interface, portal or other technical tool to provide an efficient system for requesting and accessing registration data. With a view to promoting harmonised practices across the internal market, the Commission may adopt guidelines on such procedures without prejudice to the competences of the European Data Protection Board. 
__________________
25 REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL, recital (14), whereby “this Regulation does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person”
should also enable lawful access, without undue delay, to competent national authorities, as designated by Member States under their national cybersecurity strategies, to specific domain name registration data concerning natural persons, in accordance with Union data protection law.
2021/06/03
Committee: IMCO
Amendment 125 #
Proposal for a directive
Recital 69
(69) The processing of personal data, which should be limited to what is strictly necessary and proportionate, for the purposes of ensuring network and information security by entities, public authorities, CERTs, CSIRTs, and providers of security technologies and services should constitute a legitimate interest of the data controller concerned, as referred to in Regulation (EU) 2016/679. That should include measures related to the prevention, detection, analysis and response to incidents, measures to raise awareness in relation to specific cyber threats, exchange of information in the context of vulnerability remediation and coordinated disclosure, as well as the voluntary exchange of information on those incidents, as well as cyber threats and vulnerabilities, indicators of compromise, tactics, techniques and procedures, cybersecurity alerts and configuration tools. Such measures may require the processing of the following types of personal data: IP addresses, uniform resource locators (URLs), domain names, and email addresses.
2021/06/03
Committee: IMCO
Amendment 129 #
Proposal for a directive
Recital 79
(79) A peer-review mechanism should be introduced, allowing the assessment by independent experts designated by the Member States, of the implementation of cybersecurity policies, including the level of Member States’ capabilities and available resources. When deciding on the methodology, the Commission, supported by ENISA, should establish an objective, non-discriminatory, technology neutral, fair and transparent system for the selection of such experts.
2021/06/03
Committee: IMCO
Amendment 134 #
Proposal for a directive
Article 2 – paragraph 1
1. This Directive applies to public and private entities of a type referred to as essential entities in Annex I and as important entities in Annex II. This Directive does not apply to entities that qualify as micro and small enterprises within the meaning of Commission Recommendation 2003/361/EC28 nor to non-commercial free and open source projects.
__________________
28 Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (OJ L 124, 20.5.2003, p. 36).
2021/06/03
Committee: IMCO
Amendment 137 #
Proposal for a directive
Article 2 – paragraph 2 – point d
(d) a potential disruption of the service provided by the entity could have an impact on public safety, public security or public health;
2021/06/03
Committee: IMCO
Amendment 138 #
Proposal for a directive
Article 2 – paragraph 2 – point e
(e) a potential disruption of the service provided by the entity could induce systemic risks, in particular for the sectors where such disruption could have a cross-border impact;
2021/06/03
Committee: IMCO
Amendment 152 #
Proposal for a directive
Article 5 – paragraph 1 – point f a (new)
(fa) a policy framework for enhanced coordination between the competent authorities under this Directive and the independent body responsible for oversight of data collection, in line with Union law.
2021/06/03
Committee: IMCO
Amendment 153 #
Proposal for a directive
Article 5 – paragraph 2 – point a
(a) a policy addressing cybersecurity in the supply chain for ICT products and services used by essential and important entities for the provision of their services, which should favour open source cybersecurity products for both software and hardware, as well as open source implementation of open and state-of-the-art, strong cryptography standards;
2021/06/03
Committee: IMCO
Amendment 154 #
Proposal for a directive
Article 5 – paragraph 2 – point a a (new)
(aa) a policy framework addressing cybersecurity and the lawful access to information, which does not undermine the effectiveness of encryption in protecting privacy and security of communications and which includes independent oversight;
2021/06/03
Committee: IMCO
Amendment 156 #
Proposal for a directive
Article 5 – paragraph 2 – point b
(b) guidelines regarding the inclusion and specification of cybersecurity-related requirements for ICT products and services in public procurement, including the promotion of the use of open source cybersecurity products;
2021/06/03
Committee: IMCO
Amendment 159 #
Proposal for a directive
Article 5 – paragraph 2 – point e
(e) a policy on promoting and developing technology neutral cybersecurity skills, awareness raising and research and development initiatives;
2021/06/03
Committee: IMCO
Amendment 170 #
Proposal for a directive
Article 6 – title
Coordinated vulnerability disclosure and a European vulnerability registry
2021/06/03
Committee: IMCO
Amendment 173 #
Proposal for a directive
Article 6 – paragraph 2
2. ENISA shall develop and maintain a European vulnerability registry. To that end, ENISA shall establish and maintain the appropriate information systems, policies and procedures with a view in particular to enabling important and essential entities and their suppliers of network and information systems to disclose and register vulnerabilities present in ICT products or ICT services, as well as to provide access to the information on vulnerabilities contained in the registry to all interested parties. The registry shall, in particular, include information describing the vulnerability, the affected ICT product or ICT services and the severity of the vulnerability in terms of the circumstances under which it may be exploited, the availability of related patches and, in the absence of available patches, guidance addressed to users of vulnerable products and services as to how the risks resulting from disclosed vulnerabilities may be mitigated in relevant international registries.
2021/06/03
Committee: IMCO
Amendment 184 #
Proposal for a directive
Article 10 – paragraph 2 – point e
(e) providing, upon a specific request of an entity, a proactive scanning of the network and information systems used for the provision of their services in order to identify, mitigate or prevent specific and exceptional network and information security threats, in compliance with Union law;
2021/06/03
Committee: IMCO
Amendment 203 #
Proposal for a directive
Article 16 – paragraph 2
2. The methodology shall include objective, non-discriminatory, technology-neutral, fair and transparent criteria on the basis of which the Member States shall designate experts eligible to carry out the peer reviews. ENISA and the Commission shall designate experts to participate as observers in the peer-reviews. The Commission, supported by ENISA, shall establish within the methodology as referred to in paragraph 1 an objective, non-discriminatory, fair and transparent system for the selection and the random allocation of experts for each peer review.
2021/06/03
Committee: IMCO
Amendment 212 #
Proposal for a directive
Article 18 – paragraph 2 – point g
(g) the use of cryptography and strong encryption.
2021/06/03
Committee: IMCO
Amendment 214 #
Proposal for a directive
Article 18 – paragraph 2 – point g a (new)
(ga) policies that ensure reproducible builds and code auditability.
2021/06/03
Committee: IMCO
Amendment 218 #
Proposal for a directive
Article 18 – paragraph 3
3. Member States shall ensure that, where considering appropriate measures referred to in point (d) of paragraph 2, entities shall take into account the vulnerabilities specific to each supplier and service provider and the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures. For this purpose they should also favour open source cybersecurity products for both software and hardware, as well as open source implementation of open and state-of-the-art, strong cryptography standards.
2021/06/03
Committee: IMCO
Amendment 230 #
Proposal for a directive
Article 20 – paragraph 2 – subparagraph 1
Member States shall ensure that essential and important entities notify, without undue delay, the competent authorities or the CSIRT of any significant cyber threat that those entities identify that, if steps to mitigate the risk had not been taken or are not taken in the future, would have resulted or are likely in the future to result, in a significant incident.
2021/06/03
Committee: IMCO
Amendment 246 #
Proposal for a directive
Article 20 – paragraph 7
7. Where public awareness is necessary to prevent an incident or to deal with an ongoing incident, or where disclosure of the incident is otherwise in the public interest, the competent authority or the CSIRT, and where appropriate the authorities or the CSIRTs of other Member States concerned shall, after consulting the entity concerned, inform the public about the incident or require the entity to do so.
2021/06/03
Committee: IMCO
Amendment 257 #
Proposal for a directive
Article 23 – paragraph 1
1. For the purpose of contributing to the security, stability and resilience of the DNS, Member States shall ensure that TLD registries and the entities providing domain name registration services for the TLD shall collect and maintain the domain name registration data necessary for the provision of their services, in compliance with Union data protection law.
2021/06/03
Committee: IMCO
Amendment 259 #
Proposal for a directive
Article 23 – paragraph 2
2. Member States shall ensure that the databases of domain name registration data referred to in paragraph 1 contain relevant information to identify and contact the holders of the domain names and the points of contact administering the domain names under the TLDs.
deleted
2021/06/03
Committee: IMCO
Amendment 263 #
Proposal for a directive
Article 23 – paragraph 3
3. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD have policies and procedures in place to ensure that the databases include accurate and complete information. Member States shall ensure that such policies and procedures are made publicly available.
deleted
2021/06/03
Committee: IMCO
Amendment 267 #
Proposal for a directive
Article 23 – paragraph 4
4. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD publish, without undue delay after the registration of a domain name, domain registration data which are not personal data.
deleted
2021/06/03
Committee: IMCO
Amendment 270 #
Proposal for a directive
Article 23 – paragraph 5
5. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD provide access to specific domain name registration data upon lawful and duly justified requests of competent national authorities, in compliance with Union data protection law. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD reply without undue delay to lawful and duly justified requests for access from competent national authorities.
2021/06/03
Committee: IMCO
Amendment 284 #
Proposal for a directive
Article 28 – paragraph 2
2. Competent authorities shall work in close cooperation with data protection authorities when addressing incidents resulting in personal data breaches without prejudice to the competences, tasks, and powers of data protection authorities pursuant to Regulation (EU) 2016/679.
2021/06/03
Committee: IMCO
Amendment 286 #
Proposal for a directive
Article 29 – paragraph 2 – point c
(c) targeted security audits based on risk assessments or risk-related available information, carried out by a qualified independent body or a competent authority or independent experts and make the results thereof available to the competent authority; the cost of the audit shall be paid by the provider;
2021/06/03
Committee: IMCO
Amendment 290 #
Proposal for a directive
Article 30 – paragraph 2 – point b
(b) targeted security audits based on risk assessments or risk-related available information carried out by a qualified independent body or a competent authority and make the results thereof available to the competent authority; the cost of the audit shall be paid by the provider;
2021/06/03
Committee: IMCO
Amendment 295 #
Proposal for a directive
Article 32 – paragraph 1
1. Where the competent authorities have indications that the infringement by an essential or important entity of the obligations laid down in Articles 18 and 20 entails a personal data breach, as defined by Article 4(12) of Regulation (EU) 2016/679 which shall be notified pursuant to Article 33 of that Regulation, they shall inform the supervisory authorities competent pursuant to Articles 55 and 56 of that Regulation within 72 hours.
2021/06/03
Committee: IMCO
Amendment 297 #
Proposal for a directive
Article 32 – paragraph 3
3. Where the supervisory authority competent pursuant to Regulation (EU) 2016/679 is established in another Member State than the competent authority, the competent authority shall inform the supervisory authority established in the same Member State.
2021/06/03
Committee: IMCO