50 Amendments of Isabella TOVAGLIERI related to 2020/0359(COD)

Amendment 104 #
Proposal for a directive
Recital 46
(46) To further address key supply chain risks and assist entities operating in sectors covered by this Directive to appropriately manage supply chain and supplier related cybersecurity risks, the Cooperation Group involving relevant national authorities, in cooperation with the Commission, ENISA and the affected essential and important entities, should carry out coordinated sectoral supply chain risk assessments, as was already done for 5G networks following Recommendation (EU) 2019/534 on Cybersecurity of 5G networks [21], with the aim of identifying per sector which are the critical ICT services, systems or products, relevant threats and vulnerabilities.
[21] Commission Recommendation (EU) 2019/534 of 26 March 2019 Cybersecurity of 5G networks (OJ L 88, 29.3.2019, p. 42).
2021/06/03
Committee: IMCO
Amendment 105 #
Proposal for a directive
Recital 47
(47) The supply chain risk assessments, in light of the features of the sector concerned, should take into account both technical and, where justified by the criticality of the sector, non-technical factors including those defined in Recommendation (EU) 2019/534, in the EU wide coordinated risk assessment of 5G networks security and in the EU Toolbox on 5G cybersecurity agreed by the Cooperation Group. These assessments should be evidence-based and their results clearly defined. To identify the supply chains that should be subject to a coordinated risk assessment, the following criteria should be taken into account: (i) the extent to which essential and important entities use and rely on specific critical ICT services, systems or products; (ii) the relevance of specific critical ICT services, systems or products for performing critical or sensitive functions, including the processing of personal data; (iii) the availability of alternative ICT services, systems or products; (iv) the resilience of the overall supply chain of ICT services, systems or products against disruptive events and (v) for emerging ICT services, systems or products, their potential future significance for the entities’ activities.
2021/06/03
Committee: IMCO
Amendment 126 #
Proposal for a directive
Recital 70
(70) In order to strengthen the supervisory powers and actions that help ensure effective compliance and to achieve a common high level of security within the digital sector throughout the Union, this Directive should provide for a minimum list of supervisory actions and means through which competent authorities may supervise essential and important entities. In addition, this Directive should establish a differentiation of supervisory regime between essential and important entities with a view to ensuring a fair balance of obligations for both entities and competent authorities. Thus, essential entities should be subject to a fully-fledged supervisory regime (ex-ante and ex-post), while important entities should be subject to a light supervisory regime, ex-post only. For the latter, this means that important entities should not document systematically compliance with cybersecurity risk management requirements, while competent authorities should implement a reactive ex-post approach to supervision and, hence, not have a general obligation to supervise those entities, except where there is a manifest breach of obligations, in particular where such entities cause risk for users or other services included in the scope of this Directive.
2021/06/03
Committee: IMCO
Amendment 128 #
Proposal for a directive
Recital 76
(76) In order to further strengthen the effectiveness and dissuasiveness of the penalties applicable to infringements of obligations laid down pursuant to this Directive, the competent authorities should be empowered to apply sanctions consisting of the suspension of a certification or authorisation concerning part or all the implicated services provided by an essential entity and the imposition of a temporary ban from the exercise of managerial functions by a natural person. Given their severity and impact on the entities’ activities and ultimately on their consumers, such sanctions should only be applied proportionally to the severity of the infringement and taking account of the specific circumstances of each case, including the intentional or negligent character of the infringement, actions taken to prevent or mitigate the damage and/or losses suffered. Such sanctions should only be applied as ultima ratio, meaning only after the other relevant enforcement actions laid down by this Directive have been exhausted, and only for the time until the entities to which they apply take the necessary action to remedy the deficiencies or comply with the requirements of the competent authority for which such sanctions were applied. The imposition of such sanctions shall be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter of Fundamental Rights of the European Union, including effective judicial protection, due process, presumption of innocence and right of defence.
2021/06/03
Committee: IMCO
Amendment 133 #
Proposal for a directive
Article 2 – paragraph 1
1. This Directive applies to public and private entities of a type referred to as essential entities in Annex I and as important entities in Annex II. Entities and subsectors that fall within the scope of this Directive shall be provided with clear and concise definitions with respect to their designations. This Directive does not apply to entities that Member States unequivocally identify as non-critical, including where they are of types referred to in Annex I and Annex II. This Directive does not apply to entities that qualify as micro and small enterprises within the meaning of Commission Recommendation 2003/361/EC [28], without prejudice to their voluntary involvement.
[28] Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (OJ L 124, 20.5.2003, p. 36).
2021/06/03
Committee: IMCO
Amendment 137 #
Proposal for a directive
Recital 30
(30) Access to correct and timely information on vulnerabilities affecting ICT products and services and industrial control systems (ICS) contributes to an enhanced cybersecurity risk management. In that regard, sources of publicly available information on vulnerabilities are an important tool for entities and their users, but also national competent authorities and CSIRTs. For this reason, ENISA should establish a vulnerability registry where essential and important entities and their suppliers, as well as entities which do not fall in the scope of application of this Directive may, on a voluntary basis, disclose vulnerabilities and provide the vulnerability information that allows users to take appropriate mitigating measures.
2021/06/03
Committee: ITRE
Amendment 148 #
Proposal for a directive
Article 4 – paragraph 1 – point 26 a (new)
(26a) 'non-critical entity' means any entity of a type referred to in Annex I and Annex II which, regardless of its size and resources, has no critical function within a specific sector or type of service provided and has a low level of dependency on other sectors or types of services.
2021/06/03
Committee: IMCO
Amendment 149 #
Proposal for a directive
Article 5 – paragraph 1 – point b
(b) a governance framework to achieve those objectives and priorities, including the policies referred to in paragraph 2 and the roles and responsibilities of public bodies and entities as well as other relevant actors, in particular those entrusted with specific SMEs support. The governance framework shall clearly outline how cooperation and coordination is organised between relevant national authorities designated under this Directive;
2021/06/03
Committee: IMCO
Amendment 161 #
Proposal for a directive
Article 5 – paragraph 2 – point h
(h) a policy addressing specific needs of SMEs in fulfilling the provisions laid down by this Directive, in particular those excluded from the scope of this Directive, in relation to guidance and support in improving their resilience to cybersecurity threats and encouraging, through dedicated support, their proactive adoption of suitable cybersecurity measures;
2021/06/03
Committee: IMCO
Amendment 172 #
Proposal for a directive
Article 6 – paragraph 1
1. Each Member State shall designate one of its CSIRTs as referred to in Article 9 as a coordinator for the purpose of coordinated vulnerability disclosure. The process of coordinated vulnerability disclosure shall be coherent with internationally recognised standards on vulnerability handling and disclosure. The designated CSIRT shall act as a trusted intermediary, facilitating, where necessary, the interaction between the reporting entity and the manufacturer or provider of ICT products or ICT services. Where the reported vulnerability concerns multiple manufacturers or providers of ICT products or ICT services across the Union, the designated CSIRT of each Member State concerned shall cooperate with the CSIRT network.
2021/06/03
Committee: IMCO
Amendment 174 #
Proposal for a directive
Article 6 – paragraph 2
2. ENISA shall develop and maintain a European vulnerability registry. To that end, ENISA shall establish and maintain the appropriate information systems, policies and procedures, as well as the necessary technical and organisational measures for the security of the registry, with a view in particular to enabling important and essential entities and their suppliers of network and information systems to disclose and register vulnerabilities present in ICT products or ICT services, as well as to provide access to the information on vulnerabilities contained in the registry to all interested parties. ENISA shall clarify the terms of work and use of the registry, including procedures for reporting, use and storage of the vulnerability information. The registry shall, in particular, include information describing the vulnerability, the affected ICT product or ICT services and the severity of the vulnerability in terms of the circumstances under which it may be exploited, the availability of related patches and, in the absence of available patches, guidance addressed to users of vulnerable products and services as to how the risks resulting from disclosed vulnerabilities may be mitigated.
2021/06/03
Committee: IMCO
Amendment 177 #
Proposal for a directive
Article 7 – paragraph 1
1. Each Member State shall designate one or more competent authorities responsible for the management of large- scale incidents and crises. Where a Member State designates more than one competent authority, it should clearly indicate which of these competent authorities would serve as the main point of contact during a large-scale incident or crisis. Member States shall ensure that competent authorities have adequate resources to perform, in an effective and efficient manner, the tasks assigned to them.
2021/06/03
Committee: IMCO
Amendment 186 #
Proposal for a directive
Article 10 – paragraph 2 – point f a (new)
(fa) providing practical and operational guidance to essential and important entities in cybersecurity response and prevention activities, including in particular dedicated technical support to SMEs;
2021/06/03
Committee: IMCO
Amendment 206 #
Proposal for a directive
Article 18 – paragraph 1
1. Member States shall ensure that essential and important entities shall take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which those entities use in the provision of their services. These measures shall be adopted following a risk-based assessment that takes the utmost account of the level of criticality of the concerned entities. Having regard to the state of the art, those measures shall ensure a level of security of network and information systems appropriate to the risk presented and shall not undermine valid security offering mechanisms already in place.
2021/06/03
Committee: IMCO
Amendment 213 #
Proposal for a directive
Article 2 – paragraph 1
1. This Directive applies to public and private entities of a type referred to as essential entities in Annex I and as important entities in Annex II, including ICT suppliers providing products and services for critical functions performed by essential or important entities. This Directive does not apply to entities regarded by Member States as non-critical. This Directive does not apply to entities that qualify as micro and small enterprises within the meaning of Commission Recommendation 2003/361/EC [28].
[28] Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (OJ L 124, 20.5.2003, p. 36).
2021/06/03
Committee: ITRE
Amendment 221 #
Proposal for a directive
Article 19 – paragraph 1
1. The Cooperation Group, in cooperation with the Commission and ENISA, and after having consulted the affected essential and important entities, may carry out coordinated security risk assessments of specific critical ICT services, systems or products supply chains, taking into account technical and, where justified by the level of criticality of the sector, non-technical risk factors. Risk assessments should follow a balanced and non-discriminatory approach to ensure a competitive and harmonised internal market, with coordinated Member State approaches.
2021/06/03
Committee: IMCO
Amendment 223 #
Proposal for a directive
Article 19 – paragraph 2
2. The Commission, after consulting with the Cooperation Group, ENISA and the affected essential and important entities, shall identify the specific critical ICT services, systems or products that may be subject to the coordinated risk assessment referred to in paragraph 1.
2021/06/03
Committee: IMCO
Amendment 224 #
Proposal for a directive
Article 19 a (new)
Article 19a
When the Cooperation Group includes non-technical risk factors in its supply chain risk assessments, it shall ensure that those factors are evidence-based, clearly defined and that their interpretation is aligned across the Union to the greatest extent possible. Member States shall ensure that any affected party has clear and lawful means to raise concerns, challenge and object to the final decision taken as a result of the supply chain assessments referred to in paragraph 1 of this Article.
2021/06/03
Committee: IMCO
Amendment 231 #
Proposal for a directive
Article 20 – paragraph 2 – subparagraph 1
Member States shall ensure that essential and important entities may notify, without undue delay where feasible or through periodic threat analysis reports, the competent authorities or the CSIRT of any significant cyber threat that those entities identify that could have potentially resulted in a significant incident within the meaning of Article 2(8) of Regulation (EU) 2019/881.
2021/06/03
Committee: IMCO
Amendment 237 #
Proposal for a directive
Article 20 – paragraph 4 – subparagraph 1 – point a
(a) without undue delay and in any event not later than 72 hours after having become aware of the incident, an initial notification, which, where applicable and possible, shall indicate whether the incident is presumably caused by unlawful or malicious action;
2021/06/03
Committee: IMCO
Amendment 242 #
Proposal for a directive
Article 20 – paragraph 4 – subparagraph 1 – point c – introductory part
(c) a final report not later than two months after the submission of the report under point (a), including at least the following:
2021/06/03
Committee: IMCO
Amendment 268 #
Proposal for a directive
Article 4 – paragraph 1 – point 26 a (new)
(26a) ‘non-critical entity’ means any entity of a type referred to in Annex I and Annex II which, regardless of its size and resources, has no critical function within a specific sector or type of service and is not highly dependent on other sectors or types of service;
2021/06/03
Committee: ITRE
Amendment 270 #
Proposal for a directive
Article 4 – paragraph 1 – point 26 b (new)
(26b) ‘critical function’ means a network and information system function of an essential or important entity in connection with which disruption to availability, integrity, authenticity and confidentiality will result in a significant failure or deterioration of the functionality of the services provided by the critical or important entity concerned;
2021/06/03
Committee: ITRE
Amendment 276 #
Proposal for a directive
Article 5 – paragraph 1 – point b
(b) a governance framework to achieve those objectives and priorities, including the policies referred to in paragraph 2 and the roles and responsibilities of public bodies and entities as well as other relevant actors, in particular those with responsibility for specific support for SMEs. The governance framework shall clearly lay down the organisational arrangements for cooperation and coordination between the national competent authorities designated under this Directive, taking account of their specific national circumstances;
2021/06/03
Committee: ITRE
Amendment 280 #
Proposal for a directive
Article 26 – paragraph 5
5. In compliance with Union law, ENISA shall support the establishment of cybersecurity information-sharing arrangements referred to in paragraph 2 by providing best practices and guidance with the aim of promoting the cross-border exchange of information at Union level between the relevant entities.
2021/06/03
Committee: IMCO
Amendment 281 #
Proposal for a directive
Article 5 – paragraph 1 – point e
(e) a list of the various authorities and actors involved in the implementation of the national cybersecurity strategy, taking steps to establish a single cybersecurity point of contact for SMEs in order to support them in implementing specific cybersecurity measures;
2021/06/03
Committee: ITRE
Amendment 307 #
Proposal for a directive
Article 6 – paragraph 2
2. ENISA shall develop and maintain a European vulnerability registry. To that end, ENISA shall establish and maintain the appropriate information systems, policies and procedures with a view in particular to enabling important and essential entities and their suppliers of network and information systems to disclose and register only those vulnerabilities present in ICT products or ICT services which can be mitigated, as well as to provide access to the information on vulnerabilities contained in the registry to all interested parties. The registry shall, in particular, include information describing the vulnerability, the affected ICT product or ICT services, the severity of the vulnerability in terms of the circumstances under which it may be exploited and related patches. In the absence of available patches, ENISA should not disclose the vulnerability and should set manufacturers or suppliers of ICT products or services a deadline for providing reliable mitigation. Where several actors are affected by the same vulnerability, ENISA should coordinate the mitigation patch installation schedule.
2021/06/03
Committee: ITRE
Amendment 333 #
Proposal for a directive
Article 10 – paragraph 2 – point f a (new)
(fa) providing practical and operational guidance for essential and important entities in connection with cybersecurity response and prevention activities, including, in particular, dedicated technical support for SMEs;
2021/06/03
Committee: ITRE
Amendment 344 #
Proposal for a directive
Article 12 – paragraph 3 – subparagraph 2
The Cooperation Group shall invite representatives of relevant industrial stakeholders, including SMEs, to participate in its work.
2021/06/03
Committee: ITRE
Amendment 385 #
Proposal for a directive
Article 18 – paragraph 1
1. Member States shall ensure that essential and important entities, including ICT suppliers providing products and services for critical functions performed by essential or important entities, shall take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which those entities use in the provision of their services. Having regard to the state of the art, those measures shall ensure a level of security of network and information systems appropriate to the risk presented. ICT suppliers shall bear sole liability for non-compliance by providers of essential or important functions with the obligations under this article unless such non-compliance was known to and disregarded by the commissioning authority concerned.
2021/06/03
Committee: ITRE
Amendment 390 #
Proposal for a directive
Article 18 – paragraph 2 – point a
(a) risk analysis and information system security policies in connection with critical network and information system functions;
2021/06/03
Committee: ITRE
Amendment 403 #
Proposal for a directive
Article 18 – paragraph 2 – point g
(g) the use, where appropriate, of cryptography and encryption.
2021/06/03
Committee: ITRE
Amendment 408 #
Proposal for a directive
Article 18 – paragraph 4
4. Member States shall ensure that where an entity finds that respectively its services or tasks are not in compliance with the requirements laid down in paragraph 2, it shall, without undue delay, take all necessary corrective measures to bring the service concerned into compliance within a reasonable period and in line with their own interests.
2021/06/03
Committee: ITRE
Amendment 415 #
Proposal for a directive
Article 18 – paragraph 5
5. The Commission may adopt delegated acts in order to lay down the technical and the methodological specifications of the elements referred to in paragraph 2. Where preparing those acts, the Commission shall proceed in accordance with the examination procedure referred to in Article 37(2) and follow, to the greatest extent possible, international and European standards, as well as relevant technical specifications.
2021/06/03
Committee: ITRE
Amendment 428 #
Proposal for a directive
Article 20 – paragraph 1
1. Member States shall ensure that essential and important entities notify, without undue delay, the competent authorities or the CSIRT in accordance with paragraphs 3 and 4 of any incident having a significant impact on the provision of their services. Where appropriate, those entities shall notify, without undue delay, the recipients of their services of incidents that are likely to adversely affect the provision of that service with a confirmed substantial impact. Member States shall ensure that those entities report, among others, the relevant information enabling the competent authorities or the CSIRT to determine any cross-border impact of the incident.
2021/06/03
Committee: ITRE
Amendment 438 #
Proposal for a directive
Article 20 – paragraph 3 – point b
(b) the incident has affected or has the potential to affect other natural or legal persons by causing considerable material or non-material losses. Non-material losses shall include:
2021/06/03
Committee: ITRE
Amendment 439 #
Proposal for a directive
Article 20 – paragraph 3 – point b – point i (new)
(i) a loss of integrity, authenticity or confidentiality of stored or transmitted or processed data or of the related services offered by an essential or important entity or accessible via a network and an information system;
2021/06/03
Committee: ITRE
Amendment 440 #
Proposal for a directive
Article 20 – paragraph 3 – point b – point ii (new)
(ii) a risk to public safety and security or loss of life.
2021/06/03
Committee: ITRE
Amendment 443 #
Proposal for a directive
Article 20 – paragraph 4 – subparagraph 1 – introductory part
4. Member States shall ensure that, for the purpose of the notification under paragraph 1, the entities concerned shall submit to a competent authority or the CSIRT:
2021/06/03
Committee: ITRE
Amendment 446 #
Proposal for a directive
Article 20 – paragraph 4 – subparagraph 1 – point a
(a) without undue delay and in any event within 72 hours after having become aware of the confirmed impact of the incident, an initial notification, which, where applicable, shall indicate whether the incident is presumably caused by unlawful or malicious action;
2021/06/03
Committee: ITRE
Amendment 454 #
Proposal for a directive
Article 20 – paragraph 4 – subparagraph 1 – point c – introductory part
(c) an exhaustive report after the submission of the report under point (a), including at least the following:
2021/06/03
Committee: ITRE
Amendment 455 #
Proposal for a directive
Article 20 – paragraph 4 – subparagraph 1 – point c – point i
(i) a detailed description of the confirmed incident, its severity and impact;
2021/06/03
Committee: ITRE
Amendment 468 #
7. Where public awareness is necessary to prevent an incident or to deal with an ongoing incident, or where disclosure of the incident is otherwise in the public interest, the competent authority or the CSIRT, and where appropriate the authorities or the CSIRTs of other Member States concerned may, after consulting the entity concerned, inform the public on a mutual basis about the incident or require the entity to do so.
2021/06/03
Committee: ITRE
Amendment 491 #
Proposal for a directive
Article 21 – paragraph 1
1. In order to demonstrate compliance with certain requirements of Article 18, Member States may require ICT suppliers providing products and services for critical functions performed by essential or important entities to certify certain ICT products, ICT services and ICT processes under specific European cybersecurity certification schemes adopted pursuant to Article 49 of Regulation (EU) 2019/881. The products, services and processes subject to certification may be developed by an essential or important entity or procured from third parties.
2021/06/03
Committee: ITRE
Amendment 496 #
Proposal for a directive
Article 21 – paragraph 2
2. Taking account of ENISA’s opinion, the Commission may adopt delegated acts specifying that ICT suppliers providing products and services for critical functions performed by essential or important entities shall be required to obtain a certificate and identifying the relevant specific European cybersecurity certification schemes pursuant to paragraph 1. The delegated acts shall be adopted in accordance with Article 36.
2021/06/03
Committee: ITRE
Amendment 512 #
Proposal for a directive
Article 24 – paragraph 2
2. For the purposes of this Directive, entities referred to in paragraph 1 shall be deemed to have their main establishment in the Union in the Member State where the decisions related to the cybersecurity risk management measures are taken. If such decisions are not taken in any establishment in the Union, the main establishment shall be deemed to be in the Member State where the entities have the establishment with the operational and management capacities to implement cybersecurity measures.
2021/06/03
Committee: ITRE
Amendment 555 #
Proposal for a directive
Article 29 – paragraph 5 – subparagraph 1 – introductory part
5. Where enforcement actions adopted pursuant to points (a) to (d) and (f) of paragraph (4) prove ineffective, Member States shall ensure that competent authorities have the power to establish a deadline within which the essential entity or suppliers of products or services for critical functions performed by essential or important entities are requested to take the necessary action to remedy the deficiencies or comply with the requirements of those authorities. If the requested action is not taken within the deadline set, Member States shall ensure that the competent authorities have the power to:
2021/06/03
Committee: ITRE
Amendment 558 #
Proposal for a directive
Article 29 – paragraph 5 – subparagraph 1 – point a
(a) suspend or request a certification or authorisation body to suspend a certification or authorisation concerning part or all the services or activities provided by an essential entity or related ICT suppliers providing products and services for critical functions performed by essential or important entities;
2021/06/03
Committee: ITRE
Amendment 563 #
Proposal for a directive
Article 29 – paragraph 5 – subparagraph 1 – point b
(b) impose or request the imposition by the relevant bodies or courts according to national laws of a temporary ban against any person discharging managerial responsibilities at chief executive officer or legal representative level in that essential entity or related ICT suppliers providing products and services for critical functions performed by essential or important entities, and against any other natural person held responsible for the breach, from exercising managerial functions in that entity.
2021/06/03
Committee: ITRE
Amendment 567 #
Proposal for a directive
Article 29 – paragraph 5 – subparagraph 2
These sanctions shall be applied only until the entity or related ICT suppliers providing products and services for critical functions performed by essential or important entities takes the necessary action to remedy the deficiencies or comply with the requirements of the competent authority for which such sanctions were applied.
2021/06/03
Committee: ITRE