Activities of Maria-Manuel LEITÃO-MARQUES related to 2020/0359(COD)

Shadow opinions (1)

OPINION on the proposal for a directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148
2021/07/14
Committee: IMCO
Dossiers: 2020/0359(COD)
Documents: PDF (316 KB), DOC (225 KB)
Authors: Morten LØKKEGAARD (MEP id 96709)

Amendments (181)

Amendment 73 #
Proposal for a directive
Recital 5
(5) All those divergences entail a fragmentation of the internal market and are liable to have a prejudicial effect on its functioning, affecting in particular the cross-border provision of services and level of cybersecurity resilience due to the application of different standards. This Directive aims to remove such wide divergences among Member States and strengthen the internal market, in particular by setting out minimum rules regarding the functioning of a coordinated regulatory framework, by laying down mechanisms for the effective cooperation among the responsible authorities in each Member State, by updating the list of sectors and activities subject to cybersecurity obligations and by providing effective remedies and sanctions which are instrumental to the effective enforcement of those obligations. Therefore, Directive (EU) 2016/1148 should be repealed and replaced by this Directive.
2021/06/03
Committee: IMCO
Amendment 77 #
Proposal for a directive
Recital 10
(10) The Commission, in cooperation with the Cooperation Group, should issue guidelines on the implementation of the criteria applicable to micro and small enterprises.
2021/06/03
Committee: IMCO
Amendment 78 #
Proposal for a directive
Recital 11
(11) Depending on the sector in which they operate or the type of service they provide, the entities falling within the scope of this Directive should be classified into two categories: essential and important. That categorisation should take into account the level of criticality of the sector or of the type of service, as well as the level of dependency of other sectors or types of services. Both essential and important entities should be subject to the same risk management requirements and reporting obligations. The supervisory and penalty regimes between these two categories of entities should be differentiated to ensure a fair balance between requirements and obligations on one hand, and the administrative burden stemming from the supervision of compliance on the other hand. This balance also helps national competent authorities to focus on those operators whose cybersecurity represents the highest societal risk.
2021/06/03
Committee: IMCO
Amendment 79 #
Proposal for a directive
Recital 12
(12) Sector-specific legislation and instruments can contribute to ensuring high levels of cybersecurity, while taking full account of the specificities and complexities of those sectors. Where a sector-specific Union legal act requires essential or important entities to adopt cybersecurity risk management measures or to notify incidents or significant cyber threats of at least an equivalent effect to the obligations laid down in this Directive, those sector-specific provisions, including on supervision and enforcement, should apply. In order to reduce unnecessary administrative burden, sector-specific legislation and instruments should, whenever possible, align their notification procedures with those present in this Directive, according to the once-only principle. The Commission may issue guidelines in relation to the implementation of the lex specialis. This Directive does not preclude the adoption of additional sector-specific Union acts addressing cybersecurity risk management measures and incident notifications. This Directive is without prejudice to the existing implementing powers that have been conferred to the Commission in a number of sectors, including transport and energy.
2021/06/03
Committee: IMCO
Amendment 82 #
Proposal for a directive
Recital 14
(14) In view of the interlinkages between cybersecurity and the physical security of entities, a coherent approach should be ensured between Directive (EU) XXX/XXX of the European Parliament and of the Council [17] and this Directive. To achieve this, Member States should ensure that critical entities, and equivalent entities, pursuant to Directive (EU) XXX/XXX are considered to be essential entities under this Directive. Member States should also ensure that their national cybersecurity strategies provide for a policy framework for enhanced coordination between the competent authority under this Directive and the one under Directive (EU) XXX/XXX in the context of incident reporting, information sharing on incidents and cyber threats and the exercise of supervisory tasks. Authorities under both Directives should cooperate and exchange information, particularly in relation to the identification of critical entities, cyber threats, cybersecurity risks, incidents affecting critical entities as well as on the cybersecurity measures taken by critical entities. Upon request of competent authorities under Directive (EU) XXX/XXX, competent authorities under this Directive should be allowed to exercise their supervisory and enforcement powers on an essential entity identified as critical. Both authorities should cooperate and exchange information for this purpose.
__________________
[17] [insert the full title and OJ publication reference when known]
2021/06/03
Committee: IMCO
Amendment 84 #
Proposal for a directive
Recital 15
(15) Upholding and preserving a reliable, resilient and secure domain name system (DNS) is a key factor in maintaining the integrity of the Internet and is essential for its continuous and stable operation, on which the digital economy, the internal market and society depend. Therefore, this Directive should apply to all providers of DNS services along the DNS resolution chain, including operators of root name servers, top-level-domain (TLD) name servers, authoritative name servers for domain names and recursive resolvers.
2021/06/03
Committee: IMCO
Amendment 85 #
Proposal for a directive
Recital 20
(20) Those growing interdependencies are the result of an increasingly cross-border and interdependent network of service provision using key infrastructures across the Union in the sectors of energy, transport, digital infrastructure, drinking and waste water, health, certain aspects of public administration, as well as space in as far as the provision of certain services depending on ground-based infrastructures that are owned, managed and operated either by Member States or by private parties is concerned, therefore not covering infrastructures owned, managed or operated by or on behalf of the Union as part of its space programmes. Those interdependencies mean that any disruption, even one initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts in the delivery of services across the internal market. The COVID-19 pandemic has shown the vulnerability of our increasingly interdependent societies in the face of low-probability risks and the need to protect the internal market through joint strategies and actions at Union level.
2021/06/03
Committee: IMCO
Amendment 88 #
Proposal for a directive
Recital 23
(23) Competent authorities or the CSIRTs should receive notifications of incidents from entities in a standardised, effective and efficient way. The single points of contact should be tasked with forwarding incident notifications to the single points of contact of other affected Member States. At the level of Member States’ authorities, to ensure one single entry point in every Member State, the single points of contact should also be the addressees of relevant information on incidents concerning financial sector entities from the competent authorities under Regulation XXXX/XXXX which they should be able to forward, as appropriate, to the relevant national competent authorities or CSIRTs under this Directive.
2021/06/03
Committee: IMCO
Amendment 90 #
Proposal for a directive
Recital 26 a (new)
(26a) Member States should, in accordance with their national cybersecurity strategies, put in place policies directed at cybersecurity awareness, cyber literacy and cyber-hygiene of citizens, with a view of strengthening the human element of network and information systems and protecting consumers from harm.
2021/06/03
Committee: IMCO
Amendment 91 #
Proposal for a directive
Recital 26 b (new)
(26b) In order to use resources with efficiency and effectiveness, and to be able to manage the increased amount of risks and incidents, Member States should adopt policies on the promotion and integration of AI-enabled and intelligent systems in the prevention and detection of cybersecurity incidents and threats as part of their national cybersecurity strategies, as well as make full use of them within their national competent authorities.
2021/06/03
Committee: IMCO
Amendment 92 #
Proposal for a directive
Recital 27
(27) In accordance with the Annex to Commission Recommendation (EU) 2017/1548 on Coordinated Response to Large Scale Cybersecurity Incidents and Crises (‘Blueprint’) [20], a large-scale incident should mean an incident with a significant impact on at least two Member States or whose disruption exceeds a Member State’s capacity to respond to it, thus endangering the internal market. Depending on their cause and impact, large-scale incidents may escalate and turn into fully-fledged crises not allowing the proper functioning of the internal market. Given the wide-ranging scope and, in most cases, the cross-border nature of such incidents, Member States and relevant Union institutions, bodies and agencies should cooperate at technical, operational and political level to properly coordinate the response across the Union.
__________________
[20] Commission Recommendation (EU) 2017/1584 of 13 September 2017 on coordinated response to large-scale cybersecurity incidents and crises (OJ L 239, 19.9.2017, p. 36).
2021/06/03
Committee: IMCO
Amendment 93 #
Proposal for a directive
Recital 28
(28) Since the exploitation of vulnerabilities in network and information systems may cause significant disruption and harm to businesses and consumers, swiftly identifying and remedying those vulnerabilities is an important factor in reducing cybersecurity risk. Entities that develop such systems should therefore establish appropriate procedures to handle vulnerabilities when they are discovered. Since vulnerabilities are often discovered and reported (disclosed) by third parties (reporting entities), the manufacturer or provider of ICT products or services should also put in place the necessary procedures to receive vulnerability information from third parties. In this regard, international standards ISO/IEC 30111 and ISO/IEC 29417 provide guidance on vulnerability handling and vulnerability disclosure respectively. As regards vulnerability disclosure, coordination between reporting entities and manufacturers or providers of ICT products or services is particularly important. Coordinated vulnerability disclosure specifies a structured process through which vulnerabilities are reported to organisations in a manner allowing the organisation to diagnose and remedy the vulnerability before detailed vulnerability information is disclosed to third parties or to the public. Coordinated vulnerability disclosure should also comprise coordination between the reporting entity and the organisation as regards the timing of remediation and publication of vulnerabilities.
2021/06/03
Committee: IMCO
Amendment 95 #
Proposal for a directive
Recital 7
(7) With the repeal of Directive (EU) 2016/1148, the scope of application by sectors should be extended to a larger part of the economy in light of the considerations set out in recitals (4) to (6). The sectors covered by Directive (EU) 2016/1148 should therefore be extended to provide a comprehensive coverage of the sectors and services of vital importance for key societal and economic activities within the internal market. The risk management requirements and reporting obligations should not be different according to whether the entities are operators of essential services or digital service providers. That differentiation has proven obsolete, since it does not reflect the actual importance of the sectors or services for the societal and economic activities in the internal market.
2021/06/03
Committee: ITRE
Amendment 97 #
Proposal for a directive
Recital 11
(11) Depending on the sector in which they operate or the type of service they provide, the entities falling within the scope of this Directive should be classified into two categories: essential and important. That categorisation should take into account the level of criticality of the sector or of the type of service, as well as the level of dependency of other sectors or types of services. Both essential and important entities should be subject to the same risk management requirements and reporting obligations. The supervisory and penalty regimes between these two categories of entities should be differentiated to ensure a fair balance between requirements and obligations on one hand, and the administrative burden stemming from the supervision of compliance on the other hand. The provisions of this Directive apply to entities with complex business models or operating environments, whereby an entity may simultaneously fulfil the criteria assigned to both essential and important entities. In order to enable the effective supervision and enforcement of risk management measures and reporting obligations for entities falling within the scope of this Directive, competent authorities or CSIRTs shall enforce the provisions of this Directive to a function or unit level within an entity, in order to appropriately and sufficiently address the level of criticality.
2021/06/03
Committee: ITRE
Amendment 99 #
Proposal for a directive
Recital 34
(34) The Cooperation Group should remain a flexible forum and be able to react to changing and new policy priorities and challenges while taking into account the availability of resources. It should organize regular joint meetings with relevant private stakeholders from across the Union to discuss activities carried out by the Group and gather input on emerging policy challenges. In order to enhance cooperation at Union level, the Group should consider inviting Union bodies and agencies involved in cybersecurity policy, such as the European Cybercrime Centre (EC3), the European Union Aviation Safety Agency (EASA) and the European Union Agency for Space Programme (EUSPA) to participate in its work, as well as other Union bodies and agencies and supervisory authorities related to the Digital Single Market.
2021/06/03
Committee: IMCO
Amendment 100 #
Proposal for a directive
Recital 35
(35) The competent authorities and CSIRTs should be empowered to participate in exchange schemes for officials from other Member States in order to improve cooperation and strengthen confidence inside the networks. The competent authorities should take the necessary measures to enable officials from other Member States to play an effective role in the activities of the host competent authority or CSIRT.
2021/06/03
Committee: IMCO
Amendment 101 #
Proposal for a directive
Recital 35 a (new)
(35a) Likewise, the competent authorities and CSIRTs should be encouraged to participate in joint training programmes at the European level organised by ENISA, with the same effect.
2021/06/03
Committee: IMCO
Amendment 102 #
Proposal for a directive
Recital 12
(12) Sector-specific legislation and instruments can contribute to ensuring high levels of cybersecurity, while taking full account of the specificities and complexities of those sectors. Sector-specific legislation and instruments that require essential or important entities to adopt cybersecurity risk management measures, or impose reporting obligations for significant incidents, shall, where possible, be consistent with the terminology, and refer to the definitions in Article 4 of this Directive. Where a sector-specific Union legal act requires essential or important entities to adopt cybersecurity risk management measures or to notify incidents or significant cyber threats of at least an equivalent effect to the obligations laid down in this Directive, and apply to the entirety of the security aspects of the operations and services provided by essential and important entities, those sector-specific provisions, including on supervision and enforcement, should apply. The Commission may issue guidelines in relation to the implementation of the lex specialis. This Directive does not preclude the adoption of additional sector-specific Union acts addressing cybersecurity risk management measures and incident notifications. This Directive is without prejudice to the existing implementing powers that have been conferred to the Commission in a number of sectors, including transport and energy.
2021/06/03
Committee: ITRE
Amendment 103 #
Proposal for a directive
Recital 45 a (new)
(45a) Additionally, entities should also ensure adequate cybersecurity education and training of their staff at all levels of the organisation.
2021/06/03
Committee: IMCO
Amendment 106 #
Proposal for a directive
Recital 51
(51) The internal market is more reliant on the functioning of the internet than ever before. The services of virtually all essential and important entities are dependent on services provided over the internet, and consumers rely on it for essential parts of their daily lives. In order to ensure the smooth provision of services provided by essential and important entities, it is important that public electronic communications networks, such as, for example, internet backbones or submarine communications cables, have appropriate cybersecurity measures in place and report incidents in relation thereto.
2021/06/03
Committee: IMCO
Amendment 108 #
Proposal for a directive
Recital 52
(52) Where appropriate, entities should inform their service recipients of particular and significant threats and of measures they can take to mitigate the resulting risk to themselves, in particular when such measures may increase consumer protection. The requirement to inform those recipients of such threats should not discharge entities from the obligation to take, at their own expense, appropriate and immediate measures to prevent or remedy any cyber threats and restore the normal security level of the service. The provision of such information about security threats to the recipients should be free of charge and in language easy to understand and to follow.
2021/06/03
Committee: IMCO
Amendment 108 #
Proposal for a directive
Recital 15
(15) Upholding and preserving a reliable, resilient and secure domain name system (DNS) is a key factor in maintaining the integrity of the Internet and is essential for its continuous and stable operation, on which the digital economy and society depend. Therefore, this Directive should apply to all providers of DNS services along the DNS resolution chain, including operators of top-level-domain (TLD) name servers, public and open recursive domain name resolution services, and authoritative domain name resolution services. This Directive should not apply to decentralised services for which centralised administration does not exist, such as the root name servers.
2021/06/03
Committee: ITRE
Amendment 111 #
Proposal for a directive
Recital 17 a (new)
(17a) The edge ecosystem is an emerging vector susceptible to cyber threats and a growing trend with attacks targeting devices — such as routers, switches, and firewalls — is having a significant impact to both enterprises and to the connected digital ecosystem in its entirety. Edge computing ecosystems delivered in a highly distributed form are essential for the development of the Internet of Things (IoT), the Industrial Internet of Things (IIoT) and the sectoral ecosystems of connected devices such as connectivity infrastructure and autonomous vehicles. IoT devices may potentially offer additional attack surfaces and allow threats and attacks to trickle from the device to the network or the cloud. Poor security of IoT devices or IoT gateways can potentially hinder the security of the entire connectivity chain and the data flows towards the edge and the cloud, consequentially affecting the overall security of the ecosystem.
2021/06/03
Committee: ITRE
Amendment 112 #
Proposal for a directive
Recital 54
(54) In order to safeguard the security of electronic communications networks and services, the use of encryption, and in particular end-to-end encryption, should be promoted and, where necessary, should be mandatory for providers of such services and networks in accordance with the principles of security and privacy by default and by design for the purposes of Article 18. The use of end-to-end encryption should be reconciled with the Member States’ powers to ensure the protection of their essential security interests and public security, and to permit the investigation, detection and prosecution of criminal offences in compliance with Union law. The effectiveness of encryption in protecting privacy and security of communications must not be undermined in any circumstance, as any loophole in encryption is open to be explored by all actors, regardless of their legitimacy or intent.
2021/06/03
Committee: IMCO
Amendment 112 #
Proposal for a directive
Recital 17 b (new)
(17b) The continuous increase of computing power combined with the rising levels of maturity of exponential technologies such as machine learning (ML) and artificial intelligence (AI) enable the development of advanced cybersecurity capabilities for real-time detection, analysis, containment and response to cyber threats in a rapidly evolving threat landscape. AI tools and applications are used to develop security controls including, but not limited to, active firewalls, smart antivirus, automated CTI (cyber threat intelligence) operations, AI fuzzing, smart forensics, email scanning, adaptive sandboxing, and automated malware analysis.
2021/06/03
Committee: ITRE
Amendment 113 #
Proposal for a directive
Recital 55
(55) This Directive lays down a three-stage approach to incident reporting in order to strike the right balance between, on the one hand, swift reporting that helps mitigate the potential spread of incidents and allows entities to seek support, and, on the other hand, in-depth reporting that draws valuable lessons from individual incidents and improves over time the resilience to cyber threats of individual companies and entire sectors. In this regard, this Directive should also include reporting of incidents that, based on an initial assessment performed by the entity, could be assumed to lead to substantial operational disruption or financial losses or affect other natural or legal persons by causing considerable material or non-material losses. The initial assessment should take into account, amongst others, the affected network and information systems and in particular their importance in the provision of the entity’s services, the severity and technical characteristics of the cyber threat, and any underlying vulnerabilities that are being exploited as well as the entity’s experience with similar incidents.
2021/06/03
Committee: IMCO
Amendment 113 #
Proposal for a directive
Recital 17 c (new)
(17c) Data-driven tools and applications powered by AI-enabled systems require the processing of large amounts of data, which may include personal data. Risks persist in the entire lifecycle of AI-enabled systems in cybersecurity-enhancing tools and applications, and in order to mitigate risks of unduly interference with the rights and freedoms of individuals, the requirements of data protection by design and by default laid down in Article 25 of Regulation (EU) 2016/679 shall be applied. Integrating appropriate safeguards such as pseudonymisation, encryption, data accuracy, and data minimisation in the design and use of AI-enabled systems deployed in cybersecurity applications and processes is essential to mitigate the risks that such systems may pose on personal data.
2021/06/03
Committee: ITRE
Amendment 114 #
Proposal for a directive
Recital 17 d (new)
(17d) Member States should adopt policies on the promotion and integration of AI-enabled systems in the prevention and detection of cybersecurity incidents and threats as part of their national cybersecurity strategies. Such policies should emphasise the technological and operational measures including, but not limited to, workflow automation, streaming analytics, active monitoring, intelligent prediction and advanced network threat detection, in order to accelerate the analysis, validation and prioritisation of threats. ENISA’s National Capabilities Assessment Framework (NCAF) can assist in the evaluation and alignment of Member States’ policies building on available use cases and key performance indicators. Moreover, an assessment of Member States’ capabilities and overall level of maturity as regards the integration of AI-enabled systems in cybersecurity should be factored in the methodological construction of the cybersecurity index within the meaning of ENISA’s report on the state of cybersecurity in the Union under Article 15 of this Directive.
2021/06/03
Committee: ITRE
Amendment 115 #
Proposal for a directive
Recital 55 a (new)
(55a) Where entities become aware of an incident, they should be required to submit an initial notification within 72 hours, followed by a comprehensive report not later than one month after. The initial notification should only include the information strictly necessary to make the competent authorities aware of the incident and allow the entity to seek assistance, if required. Such notification, where applicable, should indicate whether the incident is presumably caused by unlawful or malicious action. The initial notification should be preceded by an early warning about an ongoing incident, without any obligation of additional information disclosures within the first 24 hours as of the moment the entity became aware of the incident. This early warning should be submitted as soon as possible, allowing entities to seek support from competent authorities or CSIRTs swiftly, and enabling competent authorities or CSIRTs to mitigate the potential spread of the reported incident, as well as serving as a situational awareness tool for CSIRTs. Member States should ensure that the requirement to submit both the initial notification and the early warning does not divert the reporting entity’s resources from activities related to incident handling that should be prioritised. To further prevent that incident reporting obligations either divert resources from incident response handling or may otherwise compromise the entities’ efforts in that respect, Member States should also provide that, in duly justified cases and in agreement with the competent authorities or the CSIRT, the entity concerned can deviate from the deadline of one month for the comprehensive report.
2021/06/03
Committee: IMCO
Amendment 115 #
Proposal for a directive
Recital 17 e (new)
(17e) Open-source cybersecurity tools contribute to a higher degree of transparency and have a positive impact on the efficiency of industrial innovation. Open standards facilitate interoperability between security tools, benefitting the security of industrial stakeholders, enabling the diversification of reliance from a single supplier or vendor, and leading to a more comprehensive CTI framework. Semi-automation of CTI production is an important tool to reduce the number of manual steps underpinning the analysis of CTI. The use of AI and ML within CTI should be further explored to increase the value of machine learning functions within CTI activities.
2021/06/03
Committee: ITRE
Amendment 116 #
Proposal for a directive
Recital 56
(56) Essential and important entities are often in a situation where a particular incident, because of its features, needs to be reported to various authorities as a result of notification obligations included in various legal instruments. Such cases create additional burdens and may also lead to uncertainties with regard to the format and procedures of such notifications. In view of this and, for the purposes of simplifying the reporting of security incidents and upholding the once-only principle, Member States should establish a single entry point for all notifications required under this Directive and also under other Union law such as Regulation (EU) 2016/679 and Directive 2002/58/EC. ENISA, in cooperation with the Cooperation Group, should develop common notification templates by means of guidelines that would simplify and streamline the reporting information requested by Union law and decrease the burdens for companies.
2021/06/03
Committee: IMCO
Amendment 116 #
Proposal for a directive
Recital 17 f (new)
(17f) Member States should develop a policy for the integration of open-source tools in public administration, and further explore measures to incentivise the wider adoption of open-source software by developing strategies to address and minimise the legal and technical risks that entities are faced with, as regards licensing and the necessary levels of technical support. Such policies are of particular importance for small and medium-sized enterprises (SMEs) facing significant costs for implementation, which can be minimised by reducing the need for specific applications or tools.
2021/06/03
Committee: ITRE
Amendment 121 #
Proposal for a directive
Recital 21 a (new)
(21a) Public-Private Partnerships (PPPs) in the field of cybersecurity can provide the right framework for knowledge exchange, sharing of best practices and the establishment of a common level of understanding amongst all stakeholders. Goal-oriented and service outsourcing PPPs foster a culture of cybersecurity at the Member State level, and leverage the exchange and transfer of expertise, thus raising cybersecurity awareness and the overall level of reciprocal support between public and private entities. Hybrid PPPs enable governments to assign either the operation, or the delivery of service-specific functions, of a CSIRT to an experienced entity facilitating the access of public administrations to private sector resources, and increasing the levels of trust between stakeholders by establishing a proactive attitude in case of incidents or crises.
2021/06/03
Committee: ITRE
Amendment 122 #
Proposal for a directive
Recital 21 b (new)
(21b) Member States should adopt policies underpinning the establishment of cybersecurity-specific PPPs as part of their national cybersecurity strategies. These policies should clarify, among others, the scope and stakeholders involved, the governance model, the available funding options, and the interaction among participating stakeholders. PPPs can leverage the expertise of private sector entities to support Member States’ competent authorities in developing state-of-the art services and processes including, but not limited to, information exchange, early warnings, cyber threat and incident exercises, crisis management, and resilience planning.
2021/06/03
Committee: ITRE
Amendment 130 #
Proposal for a directive
Recital 79
(79) A peer-review mechanism should be introduced, allowing the assessment by experts designated by the Member States and ENISA of the implementation of cybersecurity policies, including the level of Member States’ capabilities and available resources, and the exchange of experiences and best practices related to procedures and instruments.
2021/06/03
Committee: IMCO
Amendment 130 #
Proposal for a directive
Recital 26 a (new)
(26a) Cyber hygiene policies provide the foundations for protecting network and information system infrastructures, hardware, software and online application security, and business or end-user data which entities rely on. Cyber hygiene policies comprising a common baseline set of practices including, but not limited to, software and hardware updates, password changes, management of new installs, limitation of administrator-level access accounts, and backing up of data, enable a proactive framework of preparedness and overall safety and security in the event of incidents or threats.
2021/06/03
Committee: ITRE
Amendment 131 #
Proposal for a directive
Recital 26 b (new)
(26b) Member States should adopt policies to promote cyber hygiene as part of their national cybersecurity strategies. Such policies should build on cyber hygiene controls and programmes that are affordable and accreditable in order to minimise the cost of implementation, especially for SMEs, and encourage wider compliance thereto by both public and private entities. ENISA should monitor and assess Member States’ cyber hygiene policies, and explore EU wide schemes to enable cross-border checks ensuring equivalence independent of Member State requirements.
2021/06/03
Committee: ITRE
Amendment 132 #
Proposal for a directive
Article 1 – paragraph 1
1. This Directive lays down measures with a view to ensuring a high common level of cybersecurity within the Union and strengthening the Digital Single Market.
2021/06/03
Committee: IMCO
Amendment 132 #
Proposal for a directive
Recital 28
(28) Since the exploitation of vulnerabilities in network and information systems may cause significant disruption and harm, swiftly identifying and remedying those vulnerabilities is an important factor in reducing cybersecurity risk. Entities that develop such systems should therefore establish appropriate procedures to handle vulnerabilities when they are discovered. Since vulnerabilities are often discovered and reported (disclosed) by third parties (reporting entities), the manufacturer or provider of ICT products or services should also put in place the necessary procedures to receive vulnerability information from third parties. In this regard, international standards ISO/IEC 30111 and ISO/IEC 29417 provide guidance on vulnerability handling and vulnerability disclosure respectively. As regards vulnerability disclosure, coordination between reporting entities and manufacturers or providers of ICT products or services is particularly important. Voluntary coordinated vulnerability disclosure specifies a structured process through which vulnerabilities are reported to organisations in a manner allowing the organisation to diagnose and remedy the vulnerability before detailed vulnerability information is disclosed to third parties or to the public. Coordinated vulnerability disclosure should also comprise coordination between the reporting entity and the organisation as regards the timing of remediation and publication of vulnerabilities. Strengthening the coordination and timely exchange of relevant information between the manufacturer or provider of ICT products or services and the reporting entities is essential to facilitate the voluntary framework of vulnerability disclosure.
2021/06/03
Committee: ITRE
Amendment 133 #
Proposal for a directive
Recital 29
(29) Member States should therefore take measures to facilitate coordinated vulnerability disclosure by establishing a relevant national policy. In this regard, Member States should designate a CSIRT to take the role of ‘coordinator’, acting as an intermediary between the reporting entities and the manufacturers or providers of ICT products or services, where the reporting entity, or the manufacturer or the provider of ICT products or services, engages a third-party coordinator to assist with the disclosure process. The tasks of the CSIRT coordinator should, in particular, include identifying and contacting concerned entities, supporting reporting entities, negotiating disclosure timelines, and managing vulnerabilities that affect multiple organisations (multi-party vulnerability disclosure). Where vulnerabilities affect multiple manufacturers or providers of ICT products or services established in more than one Member State, the designated CSIRTs from each of the affected Member States should cooperate within the CSIRTs Network.
2021/06/03
Committee: ITRE
Amendment 139 #
Proposal for a directive
Recital 31
(31) Although similar vulnerability registries or databases do exist, these are hosted and maintained by entities which are not established in the Union. A European vulnerability registry maintained by ENISA would provide improved transparency regarding the publication process before the vulnerability is officially disclosed, and resilience in cases of disruptions or interruptions on the provision of similar services. To avoid duplication of efforts and seek complementarity to the extent possible, ENISA should explore the possibility of entering into structured cooperation agreements with similar registries in third country jurisdictions. ENISA could play a more central management role either by exploring the option of becoming a “Root CVE Numbering Authority” in the global Common Vulnerabilities and Exposures (CVE) registry, or setting up a database to leverage the existing CVE programme for vulnerability identification and registration to enable interoperability and reference between the European and third country jurisdiction registries.
2021/06/03
Committee: ITRE
Amendment 142 #
Proposal for a directive
Recital 35
(35) The competent authorities and CSIRTs should be empowered to participate in exchange schemes for officials from other Member States, within structured rules and mechanisms underpinning the scope and, where applicable, the required security clearance of officials participating in such exchange schemes, in order to improve cooperation. The competent authorities should take the necessary measures to enable officials from other Member States to play an effective role in the activities of the host competent authority or CSIRT.
2021/06/03
Committee: ITRE
Amendment 143 #
Proposal for a directive
Article 4 – paragraph 1 – point 4
(4) ‘national strategy on cybersecurity’ means a coherent framework of a Member State providing strategic objectives and priorities on the security of network and information systems in that Member State, as well as policies needed to achieve them;
2021/06/03
Committee: IMCO
Amendment 144 #
Proposal for a directive
Article 4 – paragraph 1 – point 5 a (new)
(5a) 'cross-border incident' means any incident which impacts operators under at least 2 different national competent authorities;
2021/06/03
Committee: IMCO
Amendment 144 #
Proposal for a directive
Recital 38
(38) For the purposes of this Directive, the term ‘risk’ should refer to the potential for loss or disruption caused by a cybersecurity incident and should be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of said incident.
deleted
2021/06/03
Committee: ITRE
Amendment 145 #
Proposal for a directive
Article 4 – paragraph 1 – point 8 a (new)
(8a) "early warning" means the information preceding the initial incident notification warning to third parties, without detailed information obligations, on the onset of an incident or on the discovery moment of an ongoing incident;
2021/06/03
Committee: IMCO
Amendment 145 #
Proposal for a directive
Recital 39
(39) For the purposes of this Directive, the term ‘near misses’ should refer to an event which could potentially have caused harm, but was successfully prevented from fully transpiring.
deleted
2021/06/03
Committee: ITRE
Amendment 147 #
Proposal for a directive
Recital 40
(40) Risk-management measures should include measures to identify any risks of incidents, to prevent, detect and handle, respond to, attribute, and recover from incidents, and to mitigate their impact. The security of network and information systems should comprise the security of stored, transmitted and processed data.
2021/06/03
Committee: ITRE
Amendment 149 #
Proposal for a directive
Recital 43
(43) Addressing cybersecurity risks stemming from an entity’s supply chain and its relationship with its suppliers is particularly important given the prevalence of incidents where entities have fallen victim to cyber-attacks and where malicious actors were able to compromise the security of an entity’s network and information systems by exploiting vulnerabilities affecting third party products and services. Entities should therefore evaluate their own cybersecurity capabilities and pursue the integration of cybersecurity enhancing technologies driven by AI or machine learning systems to automate their capabilities and the protection of network architectures. Entities should also assess and take into account the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures.
2021/06/03
Committee: ITRE
Amendment 150 #
Proposal for a directive
Article 5 – paragraph 1 – point b
(b) a governance framework to achieve those objectives and priorities, including the policies referred to in paragraph 2 and the roles and responsibilities of public bodies and entities as well as other relevant actors, including those responsible for cyber intelligence and cyber defence;
2021/06/03
Committee: IMCO
Amendment 151 #
Proposal for a directive
Article 5 – paragraph 1 – point c
(c) an assessment to identify relevant assets and cybersecurity risks in that Member State, including potential shortages that may negatively impact the Single Market;
2021/06/03
Committee: IMCO
Amendment 153 #
Proposal for a directive
Recital 44
(44) Among service providers, managed security services providers (MSSPs) in areas such as incident response, penetration testing, security audits and consultancy play a particularly important role in assisting entities in their efforts to prevent, detect and respond to incidents. Those MSSPs have however also been the targets of cyberattacks themselves and through their close integration in the operations of operators pose a particular cybersecurity risk. Entities should therefore exercise increased diligence in selecting an MSSP, not only in terms of the close operational integration but also as regards the need for such outsourced activities involving personal data by a controller to be in full compliance with Regulation (EU) 2016/679, in particular the processing by a processor on behalf of a controller.
2021/06/03
Committee: ITRE
Amendment 155 #
Proposal for a directive
Article 5 – paragraph 2 – point a a (new)
(aa) a policy addressing cybersecurity of consumers, including their awareness of cyber threats, their cyber literacy and cyber-hygiene, as well as the cybersecurity of products available for consumers;
2021/06/03
Committee: IMCO
Amendment 156 #
Proposal for a directive
Recital 46
(46) To further address key supply chain risks and assist entities operating in sectors covered by this Directive to appropriately manage supply chain and supplier related cybersecurity risks, the Cooperation Group involving relevant national authorities, in cooperation with the Commission and ENISA, and in consultation with the European Data Protection Board (EDPB), should carry out coordinated sectoral supply chain risk assessments, as was already done for 5G networks following Recommendation (EU) 2019/534 on Cybersecurity of 5G networks21, with the aim of identifying per sector which are the critical ICT services, systems or products, relevant threats and vulnerabilities. Particular emphasis should be placed on ICT services, systems or products subject to specific requirements, in particular in third country jurisdictions serving as the country of origin.
21 Commission Recommendation (EU) 2019/534 of 26 March 2019 Cybersecurity of 5G networks (OJ L 88, 29.3.2019, p. 42).
2021/06/03
Committee: ITRE
Amendment 158 #
Proposal for a directive
Article 5 – paragraph 2 – point e
(e) a policy on enhancing cybersecurity skills and competence across all levels, from the non-experts to the highly skilled professionals;
2021/06/03
Committee: IMCO
Amendment 160 #
Proposal for a directive
Article 5 – paragraph 2 – point f
(f) a policy on supporting academic and research institutions to develop cybersecurity tools and secure network infrastructure and promoting the coherent and synergic use of available funds;
2021/06/03
Committee: IMCO
Amendment 160 #
Proposal for a directive
Recital 47
(47) The supply chain risk assessments, in light of the features of the sector concerned, should take into account both technical and, where relevant, non-technical factors including those defined in Recommendation (EU) 2019/534, in the EU wide coordinated risk assessment of 5G networks security and in the EU Toolbox on 5G cybersecurity agreed by the Cooperation Group. To identify the supply chains that should be subject to a coordinated risk assessment, the following criteria should be taken into account: (i) the extent to which essential and important entities use and rely on specific critical ICT services, systems or products; (ii) the relevance of specific critical ICT services, systems or products for performing critical or sensitive functions, including the processing of personal data; (iii) the availability of alternative ICT services, systems or products; (iv) the resilience of the overall supply chain of ICT services, systems or products against disruptive events across the entire lifecycle of the service, system or product and (v) for emerging ICT services, systems or products, their potential future significance for the entities’ activities. Such risk assessments should identify best practices for managing risks in the ICT supply chain and explore ways to further incentivise their wider adoption by entities within each sector under examination.
2021/06/03
Committee: ITRE
Amendment 163 #
Proposal for a directive
Article 5 – paragraph 2 – point h
(h) a policy addressing specific needs of SMEs, in particular those excluded from the scope of this Directive, in relation to guidance and support in improving their resilience to cybersecurity threats, promotion of cybersecurity skills and competences, and assistance in responding to cyberattacks;
2021/06/03
Committee: IMCO
Amendment 164 #
Proposal for a directive
Article 5 – paragraph 2 – point h – point i (new)
(i) this policy shall include the establishment of a national single point of contact for SMEs and a framework for the most efficient use of Digital Innovation Hubs and available funds in the achievement of policy objectives;
2021/06/03
Committee: IMCO
Amendment 164 #
Proposal for a directive
Recital 50
(50) Given the growing importance of number-independent interpersonal communications services, it is necessary to ensure that such services are also subject to appropriate security requirements in view of their specific nature and economic importance. Providers of such services should thus also ensure a level of security of network and information systems appropriate to the risk posed. Given that providers of number-independent interpersonal communications services normally do not exercise actual control over the transmission of signals over networks, the degree of risk to network security for such services can be considered in some respects to be lower than for traditional electronic communications services. The same applies to interpersonal communications services which make use of numbers and which do not exercise actual control over signal transmission. However, as the attack surface continues to expand, number-independent interpersonal communications services including, but not limited to, social media messengers, are becoming popular attack vectors. Malicious actors use platforms to communicate and attract victims to open compromised web pages, therefore increasing the likelihood of incidents involving the exploitation of personal data, and by extension, the security of information systems.
2021/06/03
Committee: ITRE
Amendment 169 #
Proposal for a directive
Article 5 – paragraph 4 – subparagraph 1 a (new)
Key performance indicators shall be chosen taking into account recommendations from ENISA and, whenever possible, shall be comparable at the Union level;
2021/06/03
Committee: IMCO
Amendment 173 #
Proposal for a directive
Recital 54
(54) In order to safeguard the security of electronic communications networks and services, the use of encryption, and in particular end-to-end encryption, should be promoted and, where necessary, should be mandatory for providers of such services and networks in accordance with the principles of security and privacy by default and by design for the purposes of Article 18. The use of end-to-end encryption should be reconciled with the Member States’ powers to ensure the protection of their essential security interests and public security, and to permit the investigation, detection and prosecution of criminal offences in compliance with Union law. The effectiveness of encryption in protecting the privacy and security of communications must not be undermined in any circumstance, as any loophole in encryption is open to be explored or exploited by actors, regardless of their legitimacy or intent.
2021/06/03
Committee: ITRE
Amendment 175 #
Proposal for a directive
Recital 54 a (new)
(54a) Any measures aimed at weakening encryption or circumventing the technology’s architecture may incur significant risks to the effective protection capabilities it entails, thus inevitably compromising the protection of personal data and privacy, resulting in an overall loss of trust in security controls. Any unauthorised decryption, reverse engineering of encryption code, or monitoring of electronic communications outside clear legal authorities should be prohibited to ensure the effectiveness of the technology and its wider use. The cases where encryption can be used to mitigate risks related to non-compliant data transfers as presented in EDPB Recommendations 01/2020 may enable stronger encryption, whether in transit or at rest, for providers of such services and networks for the purposes of Article 18.
2021/06/03
Committee: ITRE
Amendment 176 #
Proposal for a directive
Article 6 – paragraph 2
2. ENISA shall develop and maintain a European vulnerability registry. To that end, ENISA shall establish and maintain the appropriate information systems, policies and procedures with a view in particular to enabling important and essential entities and their suppliers of network and information systems to disclose and register vulnerabilities present in ICT products or ICT services, as well as to provide access to the information on vulnerabilities contained in the registry to all interested parties. The registry shall, in particular, include information describing the vulnerability, the affected ICT product or ICT services and the severity of the vulnerability in terms of the circumstances under which it may be exploited, the availability of related patches and, in the absence of available patches, guidance addressed to users of vulnerable products and services as to how the risks resulting from disclosed vulnerabilities may be mitigated. ENISA may enter into information sharing agreements and structured cooperation with other vulnerability registries developed and maintained by trusted partners.
2021/06/03
Committee: IMCO
Amendment 177 #
Proposal for a directive
Recital 55
(55) This Directive lays down a three-stage approach to incident reporting in order to strike the right balance between, on the one hand, swift reporting that helps mitigate the potential spread of incidents and allows entities to seek support, and, on the other hand, in-depth reporting that draws valuable lessons from individual incidents and improves over time the resilience to cyber threats of individual companies and entire sectors. In this regard, the Directive should also include reporting of incidents that, based on an initial assessment performed by the entity, may be assumed to lead to substantial operational disruption or financial losses or affect other natural or legal persons by causing considerable material or non-material losses. The initial assessment should take into account, amongst others, the affected network and information systems and, in particular, their importance in the provision of the entity’s services, the severity and technical characteristics of the cyber threat, and any underlying vulnerabilities that are being exploited, as well as the entity’s experience with similar incidents. Where entities become aware of an incident, they should provide an early warning within 24 hours, without any obligation to disclose additional information. Entities should be required to submit an initial notification within 72 hours, followed by a comprehensive report not later than one month after the incident has been handled. The timeline of 72 hours should not preclude entities from reporting incidents earlier, therefore allowing entities to seek support from competent authorities or CSIRTs swiftly, and enabling competent authorities or CSIRTs to mitigate the potential spread of the reported incident.
Where an incident requires a longer period to be handled, an entity should be required to submit regular reports on the mitigation measures in place to contain, respond to, attribute and recover from the incident, and a comprehensive report not later than one month after the incident has been handled. The initial notification should allow the entity to seek assistance, if required. Such notification, where applicable, should indicate whether the incident is presumably caused by unlawful or malicious action. Member States should ensure that the requirement to submit this initial notification does not divert the reporting entity’s resources from activities related to incident handling that should be prioritised. To further prevent that incident reporting obligations either divert resources from incident response handling or may otherwise compromise the entities’ efforts in that respect, Member States should also provide that, in duly justified cases and in agreement with the competent authorities or the CSIRT, the entity concerned can deviate from the deadlines of 72 hours for the initial notification and one month for the comprehensive report.
2021/06/03
Committee: ITRE
Amendment 179 #
Proposal for a directive
Article 7 – paragraph 3 – point f a (new)
(fa) coordination with authorities responsible for cyber intelligence and cyber defence;
2021/06/03
Committee: IMCO
Amendment 182 #
Proposal for a directive
Article 10 – paragraph 2 – point c
(c) responding to incidents and, whenever possible and adequate, providing assistance to entities that may request it;
2021/06/03
Committee: IMCO
Amendment 183 #
Proposal for a directive
Article 10 – paragraph 2 – point d
(d) providing dynamic risk and incident analysis and situational awareness regarding cybersecurity, namely through the analysis of early warnings and notifications as referred to in Article 20;
2021/06/03
Committee: IMCO
Amendment 183 #
Proposal for a directive
Recital 60
(60) The availability and timely accessibility of domain name registration data to legitimate access seekers is essential to protect the online ecosystem, prevent DNS abuse, detect and prevent crime and fraud, protect minors, protect intellectual property, and protect against hate speech. For the purposes of this Directive, legitimate access seekers are natural or legal persons making a justified request on the basis of a legitimate interest under Union or national law to access DNS data, and they may include competent authorities under Union or national law for the prevention, investigation or prosecution of criminal offences, CERTs, CSIRTs, and, as regards the data of their clients, providers of electronic communications networks and services and providers of cybersecurity technologies and services acting on behalf of those clients. Such access should comply with Union data protection law insofar as it is related to personal data.
2021/06/03
Committee: ITRE
Amendment 185 #
Proposal for a directive
Article 10 – paragraph 2 – point f
(f) actively participating in the CSIRTs network and providing mutual assistance to other members of the network upon their request.
2021/06/03
Committee: IMCO
Amendment 185 #
Proposal for a directive
Recital 61
(61) In order to ensure the availability of accurate and complete domain name registration data, TLD registries and the entities providing domain name registration services for the TLD (so-called registrars) should collect and guarantee the integrity and availability of domain name registration data. In particular, TLD registries and the entities providing domain name registration services for the TLD should establish policies and procedures to collect and maintain accurate and complete registration data, as well as to prevent and correct inaccurate registration data in accordance with Union data protection rules.
2021/06/03
Committee: ITRE
Amendment 187 #
Proposal for a directive
Article 10 – paragraph 2 – point f a (new)
(fa) participating in joint cybersecurity exercises at Union level;
2021/06/03
Committee: IMCO
Amendment 187 #
Proposal for a directive
Recital 62
(62) TLD registries and the entities providing domain name registration services for them should be required to make publicly available domain name registration data that fall outside the scope of Union data protection rules, such as data of legal persons25. TLD registries and the entities providing domain name registration services for the TLD should also enable lawful access to specific domain name registration data concerning natural persons to legitimate access seekers, in accordance with Union data protection law. Member States should ensure that TLD registries and the entities providing domain name registration services for them respond within 72 hours to requests from legitimate access seekers for the disclosure of domain name registration data. TLD registries and the entities providing domain name registration services for them should establish policies and procedures for the publication and disclosure of registration data, including service level agreements to deal with requests for access from legitimate access seekers. The access procedure may also include the use of an interface, portal or other technical tool to provide an efficient system for requesting and accessing registration data. With a view to promoting harmonised practices across the internal market, the Commission may adopt guidelines on such procedures without prejudice to the competences of the European Data Protection Board.
25 Regulation (EU) 2016/679 of the European Parliament and of the Council, recital (14), whereby “this Regulation does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person”.
2021/06/03
Committee: ITRE
Amendment 188 #
Proposal for a directive
Article 11 – paragraph 2
2. Member States shall ensure that either their competent authorities or their CSIRTs receive notifications on incidents, and significant cyber threats and near misses submitted pursuant to this Directive. Where a Member State decides that its CSIRTs shall not receive those notifications, the CSIRTs shall, to the extent necessary to effectively carry out their tasks, be granted adequate access to data on incidents notified by the essential or important entities, pursuant to Article 20.
2021/06/03
Committee: IMCO
Amendment 189 #
Proposal for a directive
Article 11 – paragraph 4
4. To the extent necessary to effectively carry out the tasks and obligations laid down in this Directive, Member States shall ensure appropriate cooperation between the competent authorities and single points of contact and law enforcement authorities, data protection authorities, and the authorities responsible for critical infrastructure pursuant to Directive (EU) XXXX/XXXX [Resilience of Critical Entities Directive] and the national financial authorities designated in accordance with Regulation (EU) XXXX/XXXX of the European Parliament and of the Council39 [the DORA Regulation] within that Member State, as well as with cyber defence and cyber intelligence authorities.
39 [insert the full title and OJ publication reference when known]
2021/06/03
Committee: IMCO
Amendment 192 #
Proposal for a directive
Article 12 – paragraph 4 – point f a (new)
(fa) assessing the functioning of the peer review system and drawing up recommendations for its improvement;
2021/06/03
Committee: IMCO
Amendment 193 #
Proposal for a directive
Article 12 – paragraph 4 – point k a (new)
(ka) supporting ENISA in organising joint training of national competent authorities at the EU level.
2021/06/03
Committee: IMCO
Amendment 195 #
Proposal for a directive
Recital 69
(69) The processing of personal data, to the extent strictly necessary and proportionate for the purposes of ensuring network and information security by essential and important entities, public authorities, CERTs, CSIRTs, and providers of security technologies and services is necessary to comply with a legal obligation under this Directive and constitutes a legitimate interest of the data controller concerned, as referred to in point (c) of paragraph 1 and point (f) of paragraph 1 respectively of Article 6 of Regulation (EU) 2016/679. That should include measures related to the prevention, detection, analysis and response to incidents, measures to raise awareness in relation to specific cyber threats, exchange of information in the context of vulnerability remediation and coordinated disclosure, as well as the voluntary exchange of information on those incidents, as well as cyber threats and vulnerabilities, indicators of compromise, tactics, techniques and procedures, cybersecurity alerts and configuration tools. Such measures may require the processing of the following types of personal data: IP addresses, uniform resource locators (URLs), domain names, and email addresses.
2021/06/03
Committee: ITRE
Amendment 196 #
Proposal for a directive
Article 14 – paragraph 3 – point a
(a) increasing the level of preparedness of the management of large scale incidents and crises, including cross-border cyber threats;
2021/06/03
Committee: IMCO
Amendment 197 #
Proposal for a directive
Article 15 – paragraph 1 – introductory part
1. ENISA shall issue, in cooperation with the Commission, a biennial report on the state of cybersecurity in the Union and present it to the European Parliament. The report shall in particular include an assessment of the following:
2021/06/03
Committee: IMCO
Amendment 198 #
Proposal for a directive
Article 15 – paragraph 1 – point a
(a) the development of cybersecurity capabilities across the Union, including the general level of skills and competences in cybersecurity in the Digital Single Market;
2021/06/03
Committee: IMCO
Amendment 199 #
Proposal for a directive
Recital 71
(71) In order to make enforcement effective, a minimum list of administrative sanctions for breach of the cybersecurity risk management and reporting obligations provided by this Directive should be laid down, setting up a clear and consistent framework for such sanctions across the Union. Due regard should be given to the nature, gravity and duration of the infringement, the actual damage caused or losses incurred or potential damage or losses that could have been triggered, the intentional or negligent character of the infringement, actions taken to prevent or mitigate the damage and/or losses suffered, the degree of responsibility or any relevant previous infringements, the degree of cooperation with the competent authority and any other aggravating or mitigating factor. The imposition of penalties including administrative fines should be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter of Fundamental Rights of the European Union, including effective judicial protection and due process.
2021/06/03
Committee: ITRE
Amendment 200 #
Proposal for a directive
Article 15 – paragraph 1 – point c a (new)
(ca) an aggregated index providing an assessment of the cybersecurity of European consumers.
2021/06/03
Committee: IMCO
Amendment 201 #
Proposal for a directive
Recital 76
(76) In order to further strengthen the effectiveness and dissuasiveness of the penalties applicable to infringements of obligations laid down pursuant to this Directive, the competent authorities should be empowered to apply sanctions consisting of, where applicable, the temporary suspension of a certification or authorisation concerning part or all the services provided by an essential entity, and the imposition of a temporary ban against any person discharging managerial responsibilities at chief executive officer or legal representative level in that essential entity from exercising managerial functions in that entity. This provision shall not apply to public administration entities as referred to in this Directive. Given their severity and impact on the entities’ activities and ultimately on their consumers, such sanctions should only be applied proportionally to the severity of the infringement and taking account of the specific circumstances of each case, including the intentional or negligent character of the infringement, actions taken to prevent or mitigate the damage and/or losses suffered. Such sanctions should only be applied as ultima ratio, meaning only after the other relevant enforcement actions laid down by this Directive have been exhausted, and only for the time until the entities to which they apply take the necessary action to remedy the deficiencies or comply with the requirements of the competent authority for which such sanctions were applied. The imposition of such sanctions shall be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter of Fundamental Rights of the European Union, including effective judicial protection, due process, presumption of innocence and right of defence.
2021/06/03
Committee: ITRE
Amendment 202 #
Proposal for a directive
Article 16 – paragraph 1 – introductory part
1. The Commission shall establish, after consulting the Cooperation Group and ENISA, and at the latest by 18 months following the entry into force of this Directive, the methodology and content of a peer-review system for assessing the effectiveness of the Member States’ cybersecurity policies. The reviews shall be conducted by cybersecurity technical experts drawn from ENISA and several Member States different than the one reviewed, and shall cover at least the following:
2021/06/03
Committee: IMCO
Amendment 204 #
Proposal for a directive
Article 16 – paragraph 7
7. Experts participating in peer reviews shall draft reports on the findings and conclusions of the reviews. The reports shall be submitted to the Commission, the Cooperation Group, the CSIRTs network and ENISA. The reports shall be discussed in the Cooperation Group and the CSIRTs network. The reports may be published on the dedicated website of the Cooperation Group.
2021/06/03
Committee: IMCO
Amendment 206 #
Proposal for a directive
Recital 79
(79) A peer-review mechanism should be introduced, allowing the assessment by experts designated by the Member States and ENISA of the implementation of cybersecurity policies, including the level of Member States’ capabilities and available resources, and provide an effective path for the transfer of cybersecurity-enhancing technologies, mechanisms and processes between and among competent authorities or CSIRTs.
2021/06/03
Committee: ITRE
Amendment 207 #
Proposal for a directive
Article 18 – paragraph 1
1. Member States shall ensure that essential and important entities shall take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which those entities use in the provision of their services. Having regard to the state of the art, those measures shall ensure a level of security of network and information systems appropriate to the risk presented. In particular, measures shall be taken to prevent and minimise the impact of security incidents on consumers.
2021/06/03
Committee: IMCO
Amendment 213 #
Proposal for a directive
Article 18 – paragraph 2 – point g a (new)
(ga) policies to ensure adequate education and training in cybersecurity at all levels of the organisation for essential and important entities.
2021/06/03
Committee: IMCO
Amendment 217 #
Proposal for a directive
Article 18 – paragraph 2 a (new)
2a. ENISA shall create and maintain an updated list of state of the art measures, as referred to in paragraph 1.
2021/06/03
Committee: IMCO
Amendment 222 #
Proposal for a directive
Article 19 – paragraph 1
1. The Cooperation Group, in cooperation with the Commission and ENISA, shall carry out coordinated security risk assessments of specific critical ICT services, systems or products supply chains, taking into account technical and, where relevant, non-technical risk factors.
2021/06/03
Committee: IMCO
Amendment 226 #
Proposal for a directive
Article 20 – paragraph 1
1. Member States shall ensure that essential and important entities notify, without undue delay, the competent authorities or the CSIRT in accordance with paragraphs 3 and 4 of any incident having a significant impact on the provision of their services. Those entities shall notify, without undue delay, the recipients of their services of incidents that are likely to adversely affect the provision of that service. Member States shall ensure that those entities report, among others, any information enabling the competent authorities or the CSIRT to determine any cross-border impact of the incident.
2021/06/03
Committee: IMCO
Amendment 231 #
Proposal for a directive
Article 2 – paragraph 5 a (new)
5a. As regards the processing of personal data, essential and important entities as well as competent authorities, CERTs, and CSIRTs, shall process personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security in accordance with the obligations set out in this Directive. Where the processing of personal data is required for the purpose of cybersecurity and network and information security in accordance with the provisions set out in Article 18 and Article 20 of the Directive, including the provisions set out in Article 23, that processing is considered necessary for compliance with a legal obligation in accordance with paragraph 1(c) of Article 6 of Regulation (EU) 2016/679.
2021/06/03
Committee: ITRE
Amendment 233 #
Proposal for a directive
Article 20 – paragraph 3 – point a
(a) the incident has caused or it can be assumed to cause substantial operational disruption or financial losses for the entity concerned;
2021/06/03
Committee: IMCO
Amendment 233 #
Proposal for a directive
Article 2 – paragraph 5 b (new)
5b. For the purposes of arrangements underpinning cybersecurity information-sharing and voluntary notification of information as set out in Articles 26 and 27 of this Directive, the processing of personal data constitutes a legitimate interest of the data controller concerned in accordance with paragraph 1(f) of Article 6 of Regulation (EU) 2016/679.
2021/06/03
Committee: ITRE
Amendment 234 #
Proposal for a directive
Article 20 – paragraph 3 – point b
(b) the incident has affected or it can be assumed to affect other natural or legal persons by causing considerable material or non-material losses.
2021/06/03
Committee: IMCO
Amendment 235 #
Proposal for a directive
Article 2 – paragraph 5 c (new)
5c. As regards the processing of personal data from essential entities providing services of public electronic communications networks or publicly available electronic communications referred to in point 8 of Annex I and point (a)(i) of paragraph 2(1), such processing of personal data required for the purposes of ensuring network and information security shall be in compliance with the provisions set out in Directive 2002/58/EC.
2021/06/03
Committee: ITRE
Amendment 236 #
Proposal for a directive
Article 20 – paragraph 4 – subparagraph 1 – point -a (new)
(-a) an early warning within 24 hours after having become aware of an incident, without any obligations on the entity concerned to disclose additional information regarding the incident;
2021/06/03
Committee: IMCO
Amendment 238 #
Proposal for a directive
Article 2 – paragraph 6
6. Sector-specific acts that require essential or important entities either to adopt cybersecurity risk management measures or to notify incidents or significant cyber threats, shall, where possible, refer to the definitions in Article 4 of this Directive. Where provisions of sector–specific acts of Union law require essential or important entities either to adopt cybersecurity risk management measures or to notify incidents or significant cyber threats, and where those requirements are at least equivalent in effect to the obligations laid down in this Directive, the relevant provisions of this Directive, including the provision on supervision and enforcement laid down in Chapter VI, shall not apply.
2021/06/03
Committee: ITRE
Amendment 241 #
Proposal for a directive
Article 20 – paragraph 4 – subparagraph 1 – point c – introductory part
(c) a comprehensive report not later than one month after the submission of the report under point (b), including at least the following:
2021/06/03
Committee: IMCO
Amendment 243 #
Proposal for a directive
Article 4 – paragraph 1 – point 4 a (new)
(4a) ‘near miss’ means an event which could have caused harm, but was successfully prevented from fully transpiring;
2021/06/03
Committee: ITRE
Amendment 244 #
Proposal for a directive
Article 20 – paragraph 4 – subparagraph 2
Member States shall provide that in duly justified cases and in agreement with the competent authorities or the CSIRT, the entity concerned can deviate from the deadlines laid down in points (a), (b) and (d).
2021/06/03
Committee: IMCO
Amendment 245 #
Proposal for a directive
Article 20 – paragraph 5
5. The competent national authorities or the CSIRT shall provide, within 24 hours after receiving the initial notification referred to in point (b) of paragraph 4, a response to the notifying entity, including initial feedback on the incident and, upon request of the entity, guidance on the implementation of possible mitigation measures. Where the CSIRT did not receive the notification referred to in paragraph 1, the guidance shall be provided by the competent authority in collaboration with the CSIRT. The CSIRT shall provide additional technical support if the concerned entity so requests. Where the incident is suspected to be of criminal nature, the competent national authorities or the CSIRT shall also provide guidance on reporting the incident to law enforcement authorities.
2021/06/03
Committee: IMCO
Amendment 247 #
Proposal for a directive
Article 4 – paragraph 1 – point 6
(6) ‘incident handling’ means all actions and procedures aiming at prevention, detection, analysis, attribution, and containment of and a response to an incident;
2021/06/03
Committee: ITRE
Amendment 248 #
Proposal for a directive
Article 21 – paragraph 1
1. In order to demonstrate compliance with certain requirements of Article 18, and following guidance from ENISA, the Commission, and the Cooperation Group, Member States shall call for essential and important entities to certify certain ICT products, ICT services and ICT processes, developed either by the essential and important entities or procured from third parties, under specific European cybersecurity certification schemes adopted pursuant to Article 49 of Regulation (EU) 2019/881, or under equivalent and internationally accepted certification schemes. Whenever possible, the call for certification shall be adopted by all Member States in a harmonised way.
2021/06/03
Committee: IMCO
Amendment 248 #
Proposal for a directive
Article 4 – paragraph 1 – point 7 a (new)
(7a) ‘risk’ means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of that incident;
2021/06/03
Committee: ITRE
Amendment 250 #
Proposal for a directive
Article 4 – paragraph 1 – point 13
(13) ‘domain name system (DNS)’ means a hierarchical distributed naming system which enables the identification of internet services and resources, allowing end-user devices to utilise internet routing and connectivity services to reach those services and resources;
2021/06/03
Committee: ITRE
Amendment 253 #
Proposal for a directive
Article 4 – paragraph 1 – point 14
(14) ‘DNS service provider’ means an entity that provides: (a) open and public recursive domain name resolution services; or (b) authoritative domain name resolution services as a service procurable by third-party entities;
2021/06/03
Committee: ITRE
Amendment 254 #
Proposal for a directive
Article 22 – paragraph 1
1. In order to promote the convergent implementation of Article 18(1) and (2), Member States shall, without imposing or discriminating in favour of the use of a particular type of technology, and according to guidance from ENISA and the Cooperation Group, encourage the use of European or internationally accepted standards and specifications relevant to the security of network and information systems.
2021/06/03
Committee: IMCO
Amendment 255 #
Proposal for a directive
Article 4 – paragraph 1 – point 15
(15) ‘top–level domain name registry’ means an entity which has been delegated a specific TLD and is responsible for administering the TLD including the registration of domain names under the TLD and the technical operation of the TLD, including the operation of its name servers, the maintenance of its databases and the distribution of TLD zone files across name servers, irrespective of whether any of those operations are being performed by the entity or are outsourced;
2021/06/03
Committee: ITRE
Amendment 256 #
Proposal for a directive
Article 4 – paragraph 1 – point 15 a (new)
(15a) ‘legitimate access seekers’ means any natural or legal person, including competent authorities under Union or national law for the prevention, investigation or prosecution of criminal offences, CSIRTs, CERTs, providers of electronic communications networks and services, and providers of cybersecurity technologies and services, seeking DNS data upon a justified request on the basis of Union or national law for the purposes of preventing DNS abuse, detecting and preventing crime and fraud, protecting minors, protecting intellectual property, and protecting against hate speech;
2021/06/03
Committee: ITRE
Amendment 257 #
Proposal for a directive
Article 4 – paragraph 1 – point 22
(22) ‘social networking services platform’ means a platform that enables end-users to connect, share, discover and communicate with each other via number-independent interpersonal communications services across multiple devices and, in particular, via chats, posts, videos and recommendations;
2021/06/03
Committee: ITRE
Amendment 272 #
Proposal for a directive
Article 5 – paragraph 1 – introductory part
1. Each Member State shall adopt a national cybersecurity strategy defining the strategic objectives, the required technical, organisational, and financial resources to achieve those objectives, and the appropriate policy and regulatory measures, with a view to achieving and maintaining a high level of cybersecurity. The national cybersecurity strategy shall include, in particular, the following:
2021/06/03
Committee: ITRE
Amendment 274 #
Proposal for a directive
Article 25 – paragraph 1 – introductory part
1. ENISA shall create and maintain a registry for essential and important entities referred to in Article 24(1). For that purpose the entities shall submit the following information to the national competent authority by [12 months after entering into force of the Directive at the latest]:
2021/06/03
Committee: IMCO
Amendment 275 #
Proposal for a directive
Article 25 – paragraph 2
2. The entities referred to in paragraph 1 shall notify the national competent authority about any changes to the details they submitted under paragraph 1 without delay, and in any event, within three months from the date on which the change took effect.
2021/06/03
Committee: IMCO
Amendment 276 #
Proposal for a directive
Article 25 – paragraph 3
3. Upon receipt of the information under paragraph 1, the national competent authorities shall forward it to ENISA. Where an entity referred to in paragraph 1 has besides its main establishment in the Union further establishments in other Member States, ENISA shall also inform the single points of contact of those Member States.
2021/06/03
Committee: IMCO
Amendment 277 #
Proposal for a directive
Article 5 – paragraph 1 – point b
(b) a governance framework to achieve those objectives and priorities, including the policies referred to in paragraph 2, and an appropriate framework defining the roles and responsibilities of public bodies and entities as well as other relevant actors, underpinning the cooperation and coordination, at the national level, between the competent authorities designated under Articles 7(1) and 8(1), the single point of contact designated under Article 8(3), and the CSIRTs designated under Article 9;
2021/06/03
Committee: ITRE
Amendment 281 #
Proposal for a directive
Article 27 – paragraph 1
Member States shall ensure that, without prejudice to Article 3, entities falling outside the scope of this Directive may submit notifications, on a voluntary basis, of significant incidents, cyber threats or near misses. When processing notifications, Member States shall act in accordance with the procedure laid down in Article 20. Member States shall prioritise the processing of mandatory notifications over voluntary notifications. Voluntary reporting shall not result in the imposition of any additional obligations upon the reporting entity to which it would not have been subject had it not submitted the notification, but it may grant it assistance from CSIRTs.
2021/06/03
Committee: IMCO
Amendment 283 #
Proposal for a directive
Article 28 – paragraph 1
1. Member States shall ensure that competent authorities effectively monitor and take the measures necessary to ensure compliance with this Directive, in particular the obligations laid down in Articles 18 and 20, and are provided with the adequate means to perform their function.
2021/06/03
Committee: IMCO
Amendment 284 #
Proposal for a directive
Article 5 – paragraph 2 – point a a (new)
(aa) guidelines addressing cybersecurity in the supply chain for ICT products and services used by entities outside the scope of this Directive, and in particular supply chain challenges faced by SMEs;
2021/06/03
Committee: ITRE
Amendment 285 #
Proposal for a directive
Article 28 – paragraph 2
2. Competent authorities shall work in close cooperation with data protection authorities when addressing incidents resulting in personal data breaches, including data protection authorities from other Member States whenever relevant.
2021/06/03
Committee: IMCO
Amendment 287 #
Proposal for a directive
Article 5 – paragraph 2 – point d a (new)
(da) a policy on promoting the integration of open-source tools and applications;
2021/06/03
Committee: ITRE
Amendment 288 #
Proposal for a directive
Article 5 – paragraph 2 – point d b (new)
(db) a policy to promote and support the development and integration of AI and other emerging technologies in cybersecurity-enhancing tools and applications;
2021/06/03
Committee: ITRE
Amendment 289 #
Proposal for a directive
Article 5 – paragraph 2 – point e
(e) a policy on promoting and developing cybersecurity skills, awareness raising and research and development initiatives, including targeted policies addressing issues relating to gender representation and balance in the aforementioned areas;
2021/06/03
Committee: ITRE
Amendment 290 #
Proposal for a directive
Article 5 – paragraph 2 – point e a (new)
(ea) a policy to promote cyber hygiene programmes comprising a baseline set of practices and controls;
2021/06/03
Committee: ITRE
Amendment 293 #
Proposal for a directive
Article 5 – paragraph 2 – point f a (new)
(fa) a policy, including relevant procedures and governance frameworks, to support and promote the establishment of cybersecurity PPPs;
2021/06/03
Committee: ITRE
Amendment 294 #
Proposal for a directive
Article 32 – paragraph 1
1. Where the competent authorities have indications that the infringement by an essential or important entity of the obligations laid down in Articles 18 and 20 entails a personal data breach, as defined by Article 4(12) of Regulation (EU) 2016/679 which shall be notified pursuant to Article 33 of that Regulation, they shall inform the supervisory authorities competent pursuant to Articles 55 and 56 of that Regulation without undue delay.
2021/06/03
Committee: IMCO
Amendment 296 #
Proposal for a directive
Article 32 – paragraph 3
3. Where the supervisory authority competent pursuant to Regulation (EU) 2016/679 is established in another Member State than the competent authority, the competent authority shall also inform the supervisory authority established in the same Member State.
2021/06/03
Committee: IMCO
Amendment 301 #
3. Member States shall notify their national cybersecurity strategies to the Commission within three months from their adoption. Member States may exclude specific information from the notification where and to the extent that it is strictly necessary to preserve national security.
2021/06/03
Committee: ITRE
Amendment 302 #
Proposal for a directive
Article 5 – paragraph 4
4. Member States shall assess their national cybersecurity strategies at least every four years on the basis of key performance indicators and, where necessary, amend them. The European Union Agency for Cybersecurity (ENISA) shall assist Member States, upon request, in the development of a national strategy and of key performance indicators for the assessment of the strategy. ENISA shall provide guidance to Member States in order to align their already formulated national cybersecurity strategies with the requirements and obligations set out in this Directive.
2021/06/03
Committee: ITRE
Amendment 311 #
Proposal for a directive
Article 6 – paragraph 2
2. ENISA shall develop and maintain a European vulnerability registry. To that end, ENISA shall establish and maintain the appropriate information systems, policies and procedures, and the necessary technical and organisational measures to ensure the security and integrity of the registry, with a view in particular to enabling important and essential entities and their suppliers of network and information systems, as well as entities excluded from the scope of this Directive, and their suppliers, to disclose and register vulnerabilities present in ICT products or ICT services, as well as to provide access to the information on vulnerabilities contained in the registry to all interested parties, enabling all parties and in particular, the users of the ICT products or ICT services concerned to adopt appropriate mitigating measures. The registry shall, in particular, include information describing the vulnerability, the affected ICT product or ICT services and the severity of the vulnerability in terms of the circumstances under which it may be exploited, and the availability of related patches and, in the absence of available patches, guidance addressed to users of vulnerable products and services as to how the risks resulting from disclosed vulnerabilities may be mitigated.
2021/06/03
Committee: ITRE
Amendment 314 #
Proposal for a directive
Article 7 – paragraph 1 a (new)
1a. Where a Member State designates more than one competent authority referred to in paragraph 1, it should clearly indicate which of these competent authorities shall serve as the main point of contact for the management of large-scale incidents and crises.
2021/06/03
Committee: ITRE
Amendment 320 #
Proposal for a directive
Article 9 – paragraph 2
2. Member States shall ensure that each CSIRT has adequate resources and the technical capabilities necessary to carry out effectively their tasks as set out in Article 10(3).
2021/06/03
Committee: ITRE
Amendment 325 #
Proposal for a directive
Article 10 – paragraph 1 – point c
(c) CSIRTs shall be equipped with an appropriate system for classifying, routing, and tracking requests, in particular, to facilitate effective and efficient handovers;
2021/06/03
Committee: ITRE
Amendment 326 #
(ca) CSIRTs shall have appropriate codes of conduct in place to ensure the confidentiality and trustworthiness of their operations;
2021/06/03
Committee: ITRE
Amendment 327 #
Proposal for a directive
Article 10 – paragraph 1 – point e
(e) CSIRTs shall be equipped with redundant systems and backup working space to ensure continuity of its services, including full-spectrum connectivity across networks, information systems and services, and devices;
2021/06/03
Committee: ITRE
Amendment 328 #
Proposal for a directive
Article 10 – paragraph 1 – point e a (new)
(ea) CSIRTs shall have appropriate descriptions of the skillsets required by staff to meet the technical capabilities necessary to perform assigned tasks;
2021/06/03
Committee: ITRE
Amendment 329 #
Proposal for a directive
Article 10 – paragraph 1 – point e b (new)
(eb) CSIRTs shall have appropriate internal training frameworks and, where suitable, relevant policies to support external technical training of staff in order to reinforce a culture of continuous improvement;
2021/06/03
Committee: ITRE
Amendment 330 #
Proposal for a directive
Article 10 – paragraph 1 a (new)
1a. CSIRTs shall develop the following technical capabilities to perform their tasks:
(a) the ability to conduct real-time monitoring of networks and information systems, and anomaly detection;
(b) the ability to support penetration prevention operations including, in particular, the detection and analysis of sophisticated cyber threats;
(c) the ability to collect and conduct complex forensic data analysis, and reverse engineering of cyber threats;
(d) the ability to filter harmful communication content including, but not limited to, malicious e-mails;
(e) the ability to protect data, including personal and sensitive data, from unauthorised exfiltration;
(f) the ability to enforce strong authentication and access privileges;
(g) the ability to analyse and attribute cyber threats.
2021/06/03
Committee: ITRE
Amendment 352 #
Proposal for a directive
Article 13 – paragraph 3 – point a a (new)
(aa) facilitating the transfer of technology and relevant measures, policies and frameworks among the CSIRTs;
2021/06/03
Committee: ITRE
Amendment 353 #
Proposal for a directive
Article 13 – paragraph 3 – point g – point v
(v) contribution to the national cybersecurity incident and crisis response plan referred to in Article 7(4);
2021/06/03
Committee: ITRE
Amendment 364 #
Proposal for a directive
Article 15 – paragraph 1 – point a a (new)
(aa) the general level of cybersecurity awareness amongst citizens and consumers, the security of consumer-facing connected devices, and the security of digital public services and the respective digital infrastructures through which such services are offered to citizens;
2021/06/03
Committee: ITRE
Amendment 368 #
Proposal for a directive
Article 15 – paragraph 1 – point c b (new)
(cb) the alignment of Member States’ national cybersecurity strategies referred to in Article 5, including the level of convergence of key performance indicators for the assessment of the strategies.
2021/06/03
Committee: ITRE
Amendment 370 #
Proposal for a directive
Article 15 – paragraph 2 a (new)
2a. ENISA, in cooperation with the Commission and with guidance from the Cooperation Group and the CSIRTs network, shall prepare the methodological specifications, including the relevant variables underpinning the scoring and validation of the cybersecurity index referred to in paragraph 1(e).
2021/06/03
Committee: ITRE
Amendment 372 #
Proposal for a directive
Article 16 – paragraph 1 – introductory part
1. The Commission shall establish, after consulting the Cooperation Group and ENISA, and at the latest by 18 months following the entry into force of this Directive, the methodology and content of a peer-review system for assessing the effectiveness of the Member States’ cybersecurity policies. ENISA shall develop templates for the self-assessment of the reviewed aspects, which Member States being reviewed shall complete and provide to designated experts prior to the commencement of the peer-review process. The reviews shall be conducted by cybersecurity technical experts drawn from ENISA and at least two Member States different than the one reviewed and shall cover at least the following:
2021/06/03
Committee: ITRE
Amendment 374 #
Proposal for a directive
Article 16 – paragraph 1 – point iii
(iii) the technical capabilities and effectiveness of CSIRTs in executing their tasks;
2021/06/03
Committee: ITRE
Amendment 375 #
Proposal for a directive
Article 16 – paragraph 2
2. The methodology shall include objective, non-discriminatory, fair and transparent criteria on the basis of which the Member States shall designate experts eligible to carry out the peer reviews. The Commission, supported by ENISA, shall develop appropriate codes of conduct underpinning the work methods of designated experts participating in peer-reviews to safeguard the confidentiality of information obtained through the peer-review process, and the non-disclosure of such information to any third parties. ENISA and the Commission shall designate experts to participate as observers in the peer-reviews. The Commission, supported by ENISA, shall establish within the methodology as referred to in paragraph 1 an objective, non-discriminatory, fair and transparent system for the selection and the random allocation of experts for each peer review.
2021/06/03
Committee: ITRE
Amendment 376 #
Proposal for a directive
Article 16 – paragraph 4
4. Peer reviews shall entail actual or virtual on-site visits and off-site exchanges. In view of the principle of good cooperation, the designated experts tasked with carrying out the peer-review shall communicate the aspects under review as referred to in paragraph 1, including any additional targeted issues specific to the Member State or sectors referred to in paragraph 3, and request a corresponding self-assessment report from the Member States being reviewed. The Member States being reviewed shall provide the designated experts with the requested information necessary for the assessment of the reviewed aspects. Any information obtained through the peer review process shall be used solely for that purpose. The experts participating in the peer review shall not disclose any sensitive or confidential information obtained in the course of that review to any third parties.
2021/06/03
Committee: ITRE
Amendment 378 #
Proposal for a directive
Article 16 – paragraph 6
6. Member States shall ensure that any risk of conflict of interests concerning the designated experts are revealed to the other Member States, the Commission and ENISA without undue delay, before the designation of experts referred to in paragraphs 1 and 2.
2021/06/03
Committee: ITRE
Amendment 379 #
Proposal for a directive
Article 16 – paragraph 7
7. Experts participating in peer reviews shall draft reports on the findings and conclusions of the reviews. The reports shall include recommendations to enable improvement on the aspects covered by the peer-review process, including recommendations on the transfer of technologies, tools, measures, and processes from Member States carrying out the peer-review to the Member State being reviewed. The reports shall be submitted to the Commission, the Cooperation Group, the CSIRTs network and ENISA. The reports shall be discussed in the Cooperation Group and the CSIRTs network. The reports may be published on the dedicated website of the Cooperation Group.
2021/06/03
Committee: ITRE
Amendment 389 #
Proposal for a directive
Article 18 – paragraph 1
1. Member States shall ensure that essential and important entities shall take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which those entities use infor their operations or for the provision of their services. Having regard to the state of the art, those measures shall ensure a level of security of network and information systems appropriate to the risk presented.
2021/06/03
Committee: ITRE
Amendment 391 #
Proposal for a directive
Article 18 – paragraph 2 – point b
(b) incident handling (prevention, detection, andmitigation, response to, recovery from, and attribution of incidents);
2021/06/03
Committee: ITRE
Amendment 394 #
Proposal for a directive
Article 18 – paragraph 2 – point c
(c) business continuity, disaster recovery and crisis management;
2021/06/03
Committee: ITRE
Amendment 399 #
Proposal for a directive
Article 18 – paragraph 2 – point f a (new)
(fa) deployment of secured voice, video and text communications, and of secured emergency communications systems within the entity;
2021/06/03
Committee: ITRE
Amendment 424 #
Proposal for a directive
Article 20 – paragraph 1
1. Member States shall ensure that essential and important entities notify, without undue delay, the competent authorities or the CSIRT in accordance with paragraphs 32 and 43 of any incident having a significant impact on. Where the incident concerns the provisions of their services. Where appropriate, those entities shall notify, without undue delay, the recipientsentities’ services, those entities shall notify affected users about the unavailability or underlying risks of use of their services of incidents that are likely to adversely affect the provision of that service in order to mitigate the adverse effects of the incident. Essential and important entities may deviate from notifying affected users in case of overriding reasons inducing, but not limited to, that notification worsening the impact of an ongoing incident. Member States shall ensure that those entities report, among others, any information enabling the competent authorities or the CSIRT to determine any cross-border impact of the incident. The notification shall not make the notifying entity subject to increased liability.
2021/06/03
Committee: ITRE
Amendment 433 #
Proposal for a directive
Article 20 – paragraph 2 – subparagraph 2
Where applicable, those entities shall notify, without undue delay, the recipients of their services that are potentially affected by a significant cyber threat of any measures or remedies that those recipients can take in response to that threat. Where appropriate, the entities shall also notify those recipients of the threat itself. The notification shall not make the notifying entity subject to increased liability.
deleted
2021/06/03
Committee: ITRE
Amendment 445 #
Proposal for a directive
Article 20 – paragraph 4 – subparagraph 1 – point -a (new)
(-a) an early warning within 24 hours after having become aware of an incident, without any obligations on the entity concerned to disclose additional information regarding the incident;
2021/06/03
Committee: ITRE
Amendment 448 #
Proposal for a directive
Article 20 – paragraph 4 – subparagraph 1 – point a
(a) without undue delay and in any event within 724 hours after having become aware of the incident, an initial notification, which, where applicable, shall indicate whether the incident is presumably caused by unlawful or malicious action;
2021/06/03
Committee: ITRE
Amendment 453 #
Proposal for a directive
Article 20 – paragraph 4 – subparagraph 1 – point c – introductory part
(c) a finalcomprehensive report not later than one month after the submission of the report under point (a), including at least the following:
2021/06/03
Committee: ITRE
Amendment 463 #
Proposal for a directive
Article 20 – paragraph 5
5. The competent national authorities or the CSIRT shall provide, within 24 hours after receiving the initial notification referred to in point (ab) of paragraph 43, a response to the notifying entity, including initial feedback on the incident and, upon request of the entity, guidance on the implementation of possible mitigation measures. Where the CSIRT did not receive the notification referred to in paragraph 1 , the guidance shall be provided by the competent authority in collaboration with the CSIRT. The CSIRT shall provide additional technical support if the concerned entity so requests. Where the incident is suspected to be of criminal nature, the competent national authorities or the CSIRT shall also provide guidance on reporting the incident to law enforcement authorities.
2021/06/03
Committee: ITRE
Amendment 471 #
Proposal for a directive
Article 20 – paragraph 8
8. At the request of the competent authority or the CSIRT, the single point of contact shall forward notifications received pursuant to paragraphs 1 and 2 1 to the single points of contact of other affected Member States. In compliance with Union law, or in accordance with Member State legislation compliant with Union law, the single point of contact shall preserve the security and commercial interests of the essential or important entity reporting the incident, including the confidentiality of the information provided by the reporting entity in the notification of the incident, when forwarding the notification to the single points of contact of other affected Member States.
2021/06/03
Committee: ITRE
Amendment 481 #
Proposal for a directive
Article 20 – paragraph 10 a (new)
10a. ENISA, in cooperation with the Cooperation Group, shall develop common incident notification templates by [date of transposition deadline of the Directive], to streamline the reporting obligations of essential and important entities, and simplify the sharing of relevant information referred to in point (b) of paragraph 1 of this Article.
2021/06/03
Committee: ITRE
Amendment 488 #
Proposal for a directive
Article 21 – paragraph 1
1. In order to demonstrate compliance with certain requirements of Article 18, Member States may requirand following guidance from ENISA, the Commission, and the Cooperation Group, Member States shall encourage essential and important entities to certify certain ICT products, ICT services and ICT processes, developed either by the essential and important entities or procured from third parties, under specific European cybersecurity certification schemes adopted pursuant to Article 49 of Regulation (EU) 2019/881. The products, services and processes subject to certification may be developed by an essential or important entity or procured from third parti, or under equivalent and internationally accepted certification schemes.
2021/06/03
Committee: ITRE
Amendment 502 #
Proposal for a directive
Article 23 – paragraph 1
1. For the purpose of contributing to the security, stability and resilience of the DNS, Member States shall ensure that TLD registries and the entities providing domain name registration services for the TLD shall collect and maintain accurate and complete domain name registration data in a dedicated database facility with due diligence subject to Union data protection law as regards data which are personal data.
2021/06/03
Committee: ITRE
Amendment 505 #
Proposal for a directive
Article 23 – paragraph 4
4. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD publish, without undue delaymake publicly available, within 72 hours after the registration of a domain name, domain registration data which are not personal dataof legal persons as registrants.
2021/06/03
Committee: ITRE
Amendment 507 #
Proposal for a directive
Article 23 – paragraph 5
5. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD provide access to specific domain name registration data upon lawful and, including personal data, upon duly justified requests of legitimate access seekers, in compliance with Union data protection law. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD reply without undue delayreply within 72 hours to all requests for access. Member States shall ensure that policies and procedures to disclose such data are made publicly available. The Commission may adopt implementing acts laying out the requirements to be demonstrated by legitimate access seekers to TLD registries and entities providing domain name registration services before access to specific domain name registration data is granted. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 37(2).
2021/06/03
Committee: ITRE
Amendment 518 #
Proposal for a directive
Article 25 – paragraph 1 – introductory part
1. ENISA shall create and maintain a registry for essential and important entities referred to in Article 24(1). ENISA shall establish appropriate information classification and management protocols to ensure the security and confidentiality of disclosed information, and restrict the access, storage, and transmission of such information to intended users. The entities shall submit the following information to ENISA by [12 months after entering into force of the Directive at the latest]:
2021/06/03
Committee: ITRE
Amendment 523 #
Proposal for a directive
Article 26 – paragraph 1 – introductory part
1. Without prejudice to Regulation (EU) 2016/679, Member States shall ensure that essential and important entities may exchange relevant cybersecurity information among themselves including information relating to cyber threats, near misses, vulnerabilities, indicators of compromise, tactics, techniques and procedures, cybersecurity alerts and configuration tools, where such information sharing:
2021/06/03
Committee: ITRE
Amendment 528 #
Proposal for a directive
Article 26 – paragraph 2
2. Member States shall ensure thfacilitate the exchange of information takes place withinby enabling the establishment of trusted communities of essential and important entities. Such exchange shall be implemented through information sharing arrangements in respect of the potentially sensitive nature of the information shared and in compliance with the rules of Union law referred to in paragraph 1.
2021/06/03
Committee: ITRE
Amendment 529 #
Proposal for a directive
Article 26 – paragraph 3
3. Member States shall set out rules specifying the procedure,facilitate information sharing by making operational elements (including the use of dedicated ICT platforms), and content and conditionsvailable of the information sharing arrangements referred to in paragraph 2. Such rul, and may impose certain conditions on the information made available by competent authorities or CSIRTs. Member States shall also lay down the details of the involvement of public authorities in such arrangements, as well as operational elements, including the use of dedicated IT platforms. Member States shall offer support to the application of such arrangements in accordance with their policies referred to in Article 5(2) (g(l).
2021/06/03
Committee: ITRE
Amendment 546 #
Proposal for a directive
Article 29 – paragraph 2 – point c
(c) targeted security audits based on risk assessments orperformed by the competent authorities, risk assessments performed by the audited entity, or in the absence thereof, risk-related available information;
2021/06/03
Committee: ITRE
Amendment 552 #
Proposal for a directive
Article 29 – paragraph 4 – point i
(i) make a public statement which identifies the legal and natural person(s) responsible for the infringement of an obligation laid down in this Directive and the nature of that infringement;
deleted
2021/06/03
Committee: ITRE
Amendment 557 #
Proposal for a directive
Article 29 – paragraph 5 – subparagraph 1 – point a
(a) where applicable, temporarily suspend or request a certification or authorisation body to temporarily suspend a certification or authorisation concerning part or all the services or activities provided by an essential entity until the entity takes the necessary action to remedy the deficiencies or comply with the requirements of the competent authority for which such sanctions were applied;
2021/06/03
Committee: ITRE
Amendment 565 #
Proposal for a directive
Article 29 – paragraph 5 – subparagraph 1 – point b
(b) impose or request the imposition by the relevant bodies or courts according to national laws of a temporary ban against any person discharging managerial responsibilities at chief executive officer or legal representative level in that essential entity, and of any other natural person held responsible for the breach, from exercising managerial functions in that entity from exercising managerial functions in that entity. This provision shall not apply to public administration entities as referred to in point (23) of Article 4.
2021/06/03
Committee: ITRE
Amendment 566 #
Proposal for a directive
Article 29 – paragraph 5 – subparagraph 2
These sanctions shall be applied only until the entity takes the necessary action to remedy the deficiencies or comply with the requirements of the competent authority for which such sanctions were applied.
deleted
2021/06/03
Committee: ITRE
Amendment 570 #
Proposal for a directive
Article 29 – paragraph 7 – point c
(c) the actual damage caused or losses incurred or potential damage or losses that could have been triggered, insofar as they can be determined. Where evaluating this aspect, account shall be taken, amongst others, of actual or potentialincluding financial or economic losses, effects on other services, and the number of users affected or potentially affected;
2021/06/03
Committee: ITRE
Amendment 574 #
Proposal for a directive
Article 30 – paragraph 2 – point b
(b) targeted security audits based on risk assessments orperformed by the competent authority, risk assessments performed by the audited entity, or in the absence thereof, risk-related available information;
2021/06/03
Committee: ITRE
Amendment 575 #
Proposal for a directive
Article 30 – paragraph 2 – point c
(c) security scans based on objective, non-discriminatory, fair and transparent risk assessment criteria;
2021/06/03
Committee: ITRE
Amendment 577 #
Proposal for a directive
Article 30 – paragraph 4 – point h
(h) make a public statement which identifies the legal and natural person(s) responsible for the infringement of an obligation laid down in this Directive and the nature of that infringement;
deleted
2021/06/03
Committee: ITRE
Amendment 582 #
Proposal for a directive
Article 32 – paragraph 1
1. Where the competent authorities have indications that the infringement by an essential or important entity of the obligations laid down in Articles 18 and 20 entails a personal data breach, as defined by Article 4(12) of Regulation (EU) 2016/679 which shall be notified pursuant to Article 33 of that Regulation, they shall inform the supervisory authorities competent pursuant to Articles 55 and 56 of that Regulation within a reasonable period of timeout undue delay.
2021/06/03
Committee: ITRE
Amendment 586 #
Proposal for a directive
Article 35 – paragraph 1 a (new)
As regards Digital Providers referred to in point (6) of Annex II, where platforms operated by such important entities are classified as very large online platforms within the meaning of Article 25 of Regulation (EU) XXXX/XXXX [Single Market For Digital Services (Digital Services Act) and amending Directive 2000/31/EC], or where the providers of core platform services are designated as gatekeepers within the meaning of Article 3 of Regulation (EU) XXXX/XXXX [Contestable and fair markets in the digital sector (Digital Markets Act)], these providers shall be designated as essential entities within the meaning of this Directive to adequately address the functioning of the economy and society in relation to cybersecurity, given the systemic risk stemming from the functioning and use made of their services in the Union, or the important gateway function that their core platform services serve for business users to reach end users.
2021/06/03
Committee: ITRE