BETA

51 Amendments of Ioan-Rareş BOGDAN related to 2023/0109(COD)

Amendment 48 #
Proposal for a regulation
Recital 2
(2) The magnitude, frequency and impact of cybersecurity incidents are increasing, including supply chain attacks aiming at cyberespionage, ransomware or disruption. They represent a major threat to the functioning of network and information systems. In view of the fast-evolving threat landscape, the threat of possible large-scale incidents causing significant disruption or damage to critical infrastructures across the Union demands heightened preparedness at all levels of the Union’s cybersecurity framework. That threat goes beyond Russia’s military aggression on Ukraine, and is likely to persist given the multiplicity of state- aligned, criminal and hacktivist actors involved in current geopolitical tensions. Such incidents can impede the provision of public services and the pursuit of economic activities, including in critical or highly critical sectors, generate substantial financial losses, undermine user confidence, cause major damage to the economy of the Union, and could even have health or life- threatening consequences. Moreover, cybersecurity incidents are unpredictable, as they often emerge and evolve within very short periods of time, not contained within any specific geographical area, and occurring simultaneously or spreading instantly across many countries. Therefore, close and coordinated cooperation between the public sector, the private sector, the Member states, Union institutions or agencies, and acedemia is necessary to improve the Union’s cybersecurity posture. The Union’s response should be in cooperation with trusted and like-minded international partners and international institutions and aligned with international cooperation frameworks and agreements.
2023/09/22
Committee: ITRE
Amendment 50 #
Proposal for a regulation
Recital 3
(3) It is necessary to strengthen the competitive position of industry and services sectors in the Union across the digitised economy and support their digital transformation, by reinforcing the level of cybersecurity in the Digital Single Market. As recommended in three different proposals of the Conference on the Future of Europe16 , it is necessary to increase the resilience of citizens, businesses, including micro-, small and medium-sized enterprises (SMEs), and entities operating critical infrastructures, including local or regional authorities, against the growing cybersecurity threats, which can have devastating societal and economic impacts. Therefore, investment in infrastructures and service, services, and highly-qualified personnel with the needed skills that will support faster detection and response to cybersecurity threats and incidents is needed, and Member States need assistance in better preparing for, as well as responding to significant and large-scale cybersecurity incidents, also through pro- actively gathering intelligence. The Union should also increase its capacities in these areas, notably as regards the collection and analysis of data on cybersecurity threats and incidents. _________________ 16[1] https://futureu.europa.eu/en/
2023/09/22
Committee: ITRE
Amendment 51 #
Proposal for a regulation
Recital 5
(5) The growing cybersecurity risks and an overall complex threat landscape, with a clear risk of rapid spill-over of cyber incidents from one Member State to others and from a third country to the Union requires strengthened solidarity at Union level to better detect, prepare for and, respond to, and recover from cybersecurity threats and incidents. Member States have also invited the Commission to present a proposal on a new Emergency Response Fund for Cybersecurity in the Council Conclusions on an EU Cyber Posture21 . _________________ 21 Council conclusions on the development of the European Union's cyber posture approved by the Council at its meeting on 23 May 2022, (9364/22)
2023/09/22
Committee: ITRE
Amendment 52 #
Proposal for a regulation
Recital 9 a (new)
(9a) In light of the geopolitical developments and increasing cyber threat landscape, the continuity and further development of the measures laid down in this Regulation, particularly the European Cyber Shield and the European Emergency Mechanism, is important. Therefore, it is necessary to ensure a specific budget line in the multiannual financial framework for 2028 to 2034. Member States should also commit to supporting all necessary measures to strengthen solidarity within the Union and to reduce cyber threats and incidents throughout the Union.
2023/09/22
Committee: ITRE
Amendment 53 #
Proposal for a regulation
Recital 12
(12) To more effectively prevent, assess and, respond to, and recover from cyber threats and incidents, it is necessary to develop more comprehensive knowledge about the threats to critical assets and infrastructures on the territory of the Union, including their geographical distribution, interconnection and potential effects in case of cyber-attacks affecting those infrastructures, including by gathering pro-active intelligence. A large-scale Union infrastructure of SOCs should be deployed (‘the European Cyber Shield’), comprising of several interoperating cross- border platforms, each grouping together several National SOCs. A national SOC is a centralized capacity repsonsible for continuously gathering threat intelligence information and improving the cybersecurity posture of entities under national jurisdiction by preventing, detecting, and analyzing cybersecurity threats. That infrastructure should serve national and Union cybersecurity interests and needs, leveraging state of the art technology for advanced data collection and analytics tools, enhancing cyber detection and management capabilities and providing real-time situational awareness. That infrastructure should serve to increase detection of cybersecurity threats and incidents and thus complement and support Union entities and networks responsible for crisis management in the Union, notably the EU Cyber Crises Liaison Organisation Network (‘EU-CyCLONe’), as defined in Directive (EU) 2022/2555 of the European Parliament and of the Council24 . _________________ 24 Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (OJ L 333, 27.12.2022, p. 80).
2023/09/22
Committee: ITRE
Amendment 54 #
Proposal for a regulation
Recital 13
(13) EIn order to participate in the European Cyber Shield, each Member State should designate a public body at national level tasked with coordinating cyber threat detection and information sharing activities in that Member State. Member States are strongly encouraged to incorporate the National SOC capacity into their already existing cyber structure and governance to not create additional governance layers and to align the Cyber Solidarity Act with already existing legislation, including Directive 2022/2555. These National SOCs should act as a reference point and gateway at national level for participation of private and public entities, particularly their SOCs, in the European Cyber Shield and should ensure that cyber threat information from public and private entities is shared and collected at national level in an effective and streamlined manner. National SOCs should strengthen the cooperation and information sharing between public and private entities to break up currently existing communication siloes. In doing so, they may support the creation of data exchange models and should facilitate and encourage the sharing of information in a trusted and secure environment. Close and coordinated cooperation between public and private entities is central for strengthening the Union’s resilience in the cybersecurity sphere.
2023/09/22
Committee: ITRE
Amendment 55 #
Proposal for a regulation
Recital 14
(14) As part of the European Cyber Shield, a number of Cross-border Cybersecurity Operations Centres (‘Cross- border SOCs’) should be established. These should bring together National SOCs from at least three Member States, so that the benefits of cross-border threat detection and information sharing and management can be fully achieved. The general objective of Cross-border SOCs should be to strengthen capacities to analyse, prevent and detect cybersecurity threats and to support the production of high-quality and pro-active intelligence on cybersecurity threats, notably through the sharing of data from various sources, public or private, as well as through the sharing and joint use of state-of-the-art tools, and jointly developing detection, analysis and prevention capabilities in a trusted environment. They should provide new additional capacity, building upon and complementing exist cross-border SOCs should facilitate and encourage the sharing of information in a trusted and secure environment. ENISA should support Cross-border SOCs in matters related to operational cooperation. They should provide new additional capacity, while being incorporated in the already existing cybersecurity infrastructure, including SOCs and computer incident response teams (‘CSIRTs’) and other relevant actors.
2023/09/22
Committee: ITRE
Amendment 56 #
Proposal for a regulation
Recital 15
(15) At national level, the monitoring, detection and analysis of cyber threats is typically ensured by SOCs of public and private entities, in combination with CSIRTs. In addition, CSIRTs exchange information in the context of the CSIRT network, in accordance with Directive (EU) 2022/2555. The Cross-border SOCs should constitute a new capabilcity that is complementary toincorporated into the already existing cybersecurity infrastructure, particularly the CSIRTs network, by pooling and sharing data on cybersecurity threats from public and private entities, in particular their SOCs, enhancing the value of such data through expert analysis and jointly acquired infrastructures and state of the art tools, and contributing to the development of Union capabilities and technological sovereignty, to strengthen the Union's resilience.
2023/09/22
Committee: ITRE
Amendment 58 #
Proposal for a regulation
Recital 16
(16) The Cross-border SOCs should act as a central point allowing for a broad pooling of relevant data and cyber threat intelligence, enable the spreading of threat information among a large and diverse set of actors (e.g., Computer Emergency Response Teams (‘CERTs’), CSIRTs, Information Sharing and Analysis Centers (‘ISACs’), operators of critical infrastructures). to facilitate the break-up of currently existing communication siloes. In doings so, cross-border SOCs could also support the creation of data exchange models across the Union.The information exchanged among participants in a Cross- border SOC could include data from networks and sensors, threat intelligence feeds, including the gathering of pro-active intelligence, indicators of compromise, and contextualised information about incidents, threats and vulnerabilities. In addition, Cross-border SOCs should also enter into cooperation agreements with other Cross- border SOCs.
2023/09/22
Committee: ITRE
Amendment 60 #
Proposal for a regulation
Recital 17
(17) Shared situational awareness among relevant authorities is an indispensable prerequisite for Union-wide preparedness and coordination with regards to significant and large-scale cybersecurity incidents. Directive (EU) 2022/2555 establishes the EU–CyCLONe to support the coordinated management of large-scale cybersecurity incidents and crises at operational level and to ensure the regular exchange of relevant information among Member States and Union institutions, bodies and agencies. Recommendation (EU) 2017/1584 on coordinated response to large-scale cybersecurity incidents and crises addresses the role of all relevant actors. Directive (EU) 2022/2555 also recalls the Commission’s responsibilities in the Union Civil Protection Mechanism (‘UCPM’) established by Decision 1313/2013/EU of the European Parliament and of the Council, as well as for providing analytical reports for the Integrated Political Crisis Response Mechanism (‘IPCR’) arrangements under Implementing Decision (EU) 2018/1993. Therefore, in situations where Cross-border SOCs obtain information related to a potential or ongoing large-scale cybersecurity incident, they should provide relevant information to EU-CyCLONe, the CSIRTs network and the Commission, in line with already existing provisions under Directive (EU) 2022/2555. In particular, depending on the situation, information to be shared could include technical information, information about the nature and motives of the attacker or potential attacker, and higher-level non- technical information about a potential or ongoing large-scale cybersecurity incident. In this context, due regard should be paid to the need-to-know principle and to the potentially sensitive nature of the information shared.
2023/09/22
Committee: ITRE
Amendment 61 #
Proposal for a regulation
Recital 19
(19) In order to enable the exchange of data on cybersecurity threats from various sources, on a large-scale basis, in a trusted environment, entities participating in the European Cyber Shield should be equipped with state-of-the-art and highly-secure tools, equipment and infrastructures and highly-skilled personnel. This should make it possible to improve collective detection capacities and timely warnings to authorities and relevant entities, notably by using the latest artificial intelligence and data analytics technologies.
2023/09/22
Committee: ITRE
Amendment 62 #
Proposal for a regulation
Recital 20
(20) By collecting, sharing and exchanging data, the European Cyber Shield should enhance the Union’s technological sovereignty. The pooling of high-quality curated data should also contribute to the development of advanced artificial intelligence and data analytics technologies. It must be noted, however, that artificial intelligence is the most effective when paired with human analysis. Therefore, highly-skilled staff remains essential for pooling high-quality data and gathering of pro-active threat intelligence. It should be facilitated through the connection of the European Cyber Shield with the pan-European High Performance Computing infrastructure established by Council Regulation (EU) 2021/117325 . _________________ 25 Council Regulation (EU) 2021/1173 of 13 July 2021 on establishing the European High Performance Computing Joint Undertaking and repealing Regulation (EU) 2018/1488 (OJ L 256, 19.7.2021, p. 3).
2023/09/22
Committee: ITRE
Amendment 65 #
Proposal for a regulation
Recital 24
(24) In view of the increasing risks and number of cyber incidents affecting Member States, it is necessary to set up a crisis support instrument to improve the Union’s resilience to significant and large- scale cybersecurity incidents and complement Member States’ actions through emergency financial support for preparedness, response and immediate recovery of essential services. That instrument should enable the rapid and effective deployment of assistance in defined circumstances and under clear conditions and allow for a careful monitoring and evaluation of how resources have been used. Whilst the primary responsibility for preventing, preparing for and responding to cybersecurity incidents and crises lies with the Member States, the Cyber Emergency Mechanism promotes solidarity between Member States in accordance with Article 3(3) of the Treaty on European Union (‘TEU’).
2023/09/22
Committee: ITRE
Amendment 66 #
Proposal for a regulation
Recital 27
(27) Assistance provided under this Regulation should be in support of, and complementary to, the actions taken by Member States at national level. To this end, close cooperation and consultation between the Commission, ENISA and the affected Member State should be ensured. When requesting support under the Cyber Emergency Mechanism, the Member State should provide relevant information justifying the need for support.
2023/09/22
Committee: ITRE
Amendment 67 #
Proposal for a regulation
Recital 33
(33) A Union-level Cybersecurity Reserve should gradually be set up, consisting of services from private providers of managed security services to support response and immediate recovery actions in cases of significant or large-scale cybersecurity incidents. The EU Cybersecurity Reserve should ensure the availability and readiness of services. The services from the EU Cybersecurity Reserve should serve to support national authorities in providing assistance to affected entities operating in critical or highly critical sectors as a complement to their own actions at national level, while reinforcing the Union’s resilience and competitiveness, including the participation of European managed security service providers that are SMEs. Trusted providers, including SMEs, should be able to cooperate with one another to fulfil the criteria above. The services from the EU Cybersecurity Reserve should serve to support national authorities in providing assistance to affected entities operating in critical or highly critical sectors as a complement to their own actions at national level. Where possible, the services should be based on state-of-the-art technologies, including cloud and artificial intelligence. Therefore, the Cybersecurity Reserve should incentivize investment in research and innovation to boost the development of these technologies. Where appropriate, common exercises with the trusted providers and potential users of the Cybersecurity Reserve could be conducted to ensure efficient functioning of the Reserve when needed. When requesting support from the EU Cybersecurity Reserve, Member States should specify the support provided to the affected entity at the national level, which should be taken into account when assessing the Member State request. The services from the EU Cybersecurity Reserve may also serve to support Union institutions, bodies and agencies, under similar conditions.
2023/09/22
Committee: ITRE
Amendment 69 #
Proposal for a regulation
Recital 35
(35) To support the establishment of the EU Cybersecurity Reserve, the Commission cshould consider requesting ENISA to prepare a candidate certification scheme pursuant to Regulation (EU) 2019/881 for managed security services in the areas covered by the Cyber Emergency Mechanism.
2023/09/22
Committee: ITRE
Amendment 71 #
Proposal for a regulation
Recital 37 a (new)
(37a) Incident response service providers from third countries, including third countries associated to the DEP or NATO members or other like-minded international partner countries, may be needed for the provision of specific services in the EU Cybersecurity Reserve. To strengthen the Union’s resilience and sovereignty and to safeguard the Union’s strategic assets, interests or security, it may be necessary to restrict or exclude the participation of legal entities established in or controlled by non-associated countries.
2023/09/22
Committee: ITRE
Amendment 72 #
Proposal for a regulation
Recital 38 a (new)
(38a) Highly-skilled personnel, that is able to reliably deliver the relevant cybersecurity services at highest standards, is imperative for the effective implementation of the European Cyber Shield and the Cyber Emergency Mechanism. It is therefore concerning that the Union is faced with a talent gap, characterized by a shortage of skilled professionals, while facing a rapidly evolving threat landscape as acknowledged in the Commission communication of 18 April 2023 on the Cyber Skills Academy. It is important to bridge this talent gap by strengthening cooperation and coordination among the different stakeholders, including the private sector, academia, Member States, the Commission and ENISA to scale up and create synergies for the investment in education and training, the development of public-private partnerships, support of research and innovation initiatives, the development and mutual recognition of common standards and certification of cybersecurity skills, including through the European Cyber Security Skills Framework. This should also facilitate the mobility of cybersecurity professionals within the Union. This Regulation should aim to promote a more diverse cybersecurity workforce.
2023/09/22
Committee: ITRE
Amendment 73 #
Proposal for a regulation
Recital 38 b (new)
(38b) Member States’ capacity building is essential for a Union-wide coordinated approach to strengthening the resilience of the Union's cybersecurity posture. As emphasized in the Commission communication of 18 April 2023 on the Cyber Skills Academy, the security of the Union cannot be guaranteed without the Union’s most valuable asset: its people. The European Cyber Security Skills Framework can help to better understand the composition of the Union's workforce, including the current and required competences within participating entities.
2023/09/22
Committee: ITRE
Amendment 74 #
Proposal for a regulation
Recital 39
(39) The objective of this Regulation, namely to break up communication silos and reinforce the Union’s cyber threat prevention, detection, response and recover capacities, can be better achieved at Union level than by the Member States. Hence, the Union may adopt measures, in accordance with the principles of subsidiarity and proportionality as set out in Article 5 of the Treaty on European Union. This Regulation does not go beyond what is necessary in order to achieve that objective.
2023/09/22
Committee: ITRE
Amendment 79 #
Proposal for a regulation
Article 1 – paragraph 2 – point a
(a) to strengthen common Union detection and situational awareness of cyber threats and incidents thus allowing to reinforce the competitive position of industry, including SMEs, and services sectors in the Union across the digital economy and contribute to the Union’s technological sovereignty in the area of cybersecurity;
2023/09/22
Committee: ITRE
Amendment 83 #
Proposal for a regulation
Article 1 – paragraph 2 – point c a (new)
(ca) to develop and improve skills and competences of the workforce in the cybersecurity sector in a coordinated way, by cooperating with the Cyber Skills Academy to provide training and opportunities with the goal of closing the talent gap in the cybersecurity sector.
2023/09/22
Committee: ITRE
Amendment 90 #
Proposal for a regulation
Article 2 – paragraph 1 – point 1 a (new)
(1a) “Security Operations Centre” (“SOC”) means a centralized capacity, which can be in-house or outsourced, responsible for continuously monitoring and improving the cybersecurity posture of an entity to prevent, detect, analyse, and respond to cybersecurity threats.
2023/09/22
Committee: ITRE
Amendment 92 #
Proposal for a regulation
Article 2 – paragraph 1 – point 1 b (new)
(1b) ‘National Security Operations Centre’ (“National SOC”) means a centralized capacity responsible for continuously gathering threat intelligence and improving the cybersecurity posture of entities under national jurisdiction by preventing, detecting and analyzing, cybersecurity threats to be able to better respond to cybersecurity threats. This capacity shall, where applicable, be incorporated in already existing national structures such as CSIRTs as established under Directive 2022/2555.
2023/09/22
Committee: ITRE
Amendment 104 #
Proposal for a regulation
Article 3 – paragraph 2 – subparagraph 1 – point c
(c) contribute to better protection and response to cyber threats, including by providing concrete recommendations to entities;
2023/09/22
Committee: ITRE
Amendment 105 #
Proposal for a regulation
Article 3 – paragraph 2 – subparagraph 1 – point d
(d) contribute to faster detection of cyber threats and situational awareness across the Union, including by gathering pro-active intelligence;
2023/09/22
Committee: ITRE
Amendment 112 #
Proposal for a regulation
Article 4 – paragraph 1 – subparagraph 2
It shall have the capacity to act as a reference point and gateway to other public and private organisations at national level, particularly their SOCs, for collecting and analysing information on cybersecurity threats and incidents and contributing to a Cross-border SOC. It shall be equipped with state-of-the-art technologies capable of detecting, aggregating, and analysing data relevant to cybersecurity threats and incidents.
2023/09/22
Committee: ITRE
Amendment 132 #
Proposal for a regulation
Article 6 – paragraph 3
3. To encourage exchange of information between Cross-border SOCs, Cross-border SOCs shall ensure a high level of interoperability between themselves. To facilitate the interoperability betweenJoint procurement of cyber infrastructures, services and tools may facilitate the interoperability between the Cross-border SOCs. To specify the conditions for interoperability of the Cross-border SOCs, the Commission, may, by means of implementing acts, after consulting the ECCC and ENISA, specify the conditions for this interoperability. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 21(2) of this Regulation.
2023/09/22
Committee: ITRE
Amendment 134 #
Proposal for a regulation
Article 6 – paragraph 4
4. Cross-border SOCs shall conclude cooperation agreements with one another, specifying information sharing principles among the cross-border platforms, taking into consideration already existing relevant information sharing mechanisms under the Directive (EU) 2022/2555. In the context of a potential or ongoing large-scale cybersecurity incident, information sharing mechanisms shall comply with the relevant provisions under the Directive (EU) 2022/2555.
2023/09/22
Committee: ITRE
Amendment 138 #
Proposal for a regulation
Article 7 – paragraph 1
1. Where the Cross-border SOCs obtain information relating to a potential or ongoing large-scale cybersecurity incident, they shall provide relevant information to EU=CyCLONe, the CSIRTs network and the Commission, in view of and ENISA, in line with their respective crisis management roles in accordance with Directive (EU) 2022/2555 without undue delay.
2023/09/22
Committee: ITRE
Amendment 142 #
Proposal for a regulation
Article 7 – paragraph 2
2. The Commission may, after consulting ENISA, by means of implementing acts, determine the procedural arrangements for the information sharing provided for in paragraphs 1. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 21(2) of this Regulation.
2023/09/22
Committee: ITRE
Amendment 146 #
Proposal for a regulation
Article 8 – paragraph 3
3. The Commission may adopt implementing acts, after consulting ENISA, laying down technical requirements for Member States to comply with their obligation under paragraph 1 and 2. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 21(2) of this Regulation. In doing so, the Commission, supported by the High Representative, shall take into account relevant defence-level security standards, in order to facilitate cooperation with military actors.
2023/09/22
Committee: ITRE
Amendment 154 #
Proposal for a regulation
Article 11 – paragraph 2
2. The NIS Cooperation Group in cooperation with the Commission, ENISA, and the High Representative, and the entities that may be subject to the preparedness testing, shall develop common risk scenarios and methodologies for the coordinated testing exercises.
2023/09/22
Committee: ITRE
Amendment 156 #
Proposal for a regulation
Article 12 – paragraph 2
2. The EU Cybersecurity Reserve shall consist of incident response services from trusted providers selected in accordance with the criteria laid down in Article 16. The Reserve shall include pre- committed services. The services shall be deployable in all Member States, shall reinforce the Union’s resilience and sovereignty, and improve the Union’s competitiveness. The names of the selected trusted providers and their services shall be kept confidential.
2023/09/22
Committee: ITRE
Amendment 164 #
Proposal for a regulation
Article 12 – paragraph 6
6. The Commission mayshall entrust the operation and administration of the EU Cybersecurity Reserve, in full or in part, to ENISA, by means of contribution agreements.
2023/09/22
Committee: ITRE
Amendment 165 #
Proposal for a regulation
Article 12 – paragraph 7
7. In order to support the Commission in establishing the EU Cybersecurity Reserve, ENISA shall prepare a mapping of the services needed, including the needed skills and capacity of the cybersecurity workforce, after consulting Member States and the Commission. ENISA shall prepare a similar mapping, after consulting the Commission and in partnership with the private sector, to identify the needs of third countries eligible for support from the EU Cybersecurity Reserve pursuant to Article 17. The Commission, where relevant, shall consult the High Representative.
2023/09/22
Committee: ITRE
Amendment 168 #
Proposal for a regulation
Article 12 – paragraph 8
8. The Commission may, by means of implementing acts, adopt a Delegated Act in accordance with Article 20a of this Regulation to specify the types and the number of response services required for the EU Cybersecurity Reserve. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 21(2).
2023/09/22
Committee: ITRE
Amendment 173 #
Proposal for a regulation
Article 13 – paragraph 7
7. The Commission may, by means of implementing acts, adopt delegated acts in accordance with Article 20a of this Regulation to specify further the detailed arrangements for allocating the EU Cybersecurity Reserve support services. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 21(2).
2023/09/22
Committee: ITRE
Amendment 176 #
Proposal for a regulation
Article 14 – paragraph 3
3. The EU Cybersecurity Reserve services shall be provided in accordance with specific agreements between the service provider and the user to which the support under the EU Cybersecurity Reserve is provided. Those agreements shall include liability conditions and any other provisions the parties to the agreement deem necessary for the provision of the respective service.
2023/09/22
Committee: ITRE
Amendment 178 #
Proposal for a regulation
Article 14 – paragraph 4
4. The agreements referred to in paragraph 3 mayshall be based on templates prepared by ENISA, after consulting Member States and other users of the reserve.
2023/09/22
Committee: ITRE
Amendment 181 #
Proposal for a regulation
Article 14 – paragraph 5
5. The Commission and ENISA shall bear no contractual liability for damages caused to third parties by the services provided in the framework of the implementation of the EU Cybersecurity Reserve, except for cases where the Commission or ENISA are users of the Reserve according to Article 14 (3).
2023/09/22
Committee: ITRE
Amendment 191 #
Proposal for a regulation
Article 16 – paragraph 1 – point c
(c) ensure that the EU Cybersecurity Reserve brings EU added value, by contributing to the objectives set out in Article 3 of Regulation (EU) 2021/694, including promoting the development of cybersecurity skills in the EU, reinforcing the Union’s resilience and sovereignty, and improving the Union’s competitiveness.
2023/09/22
Committee: ITRE
Amendment 193 #
Proposal for a regulation
Article 16 – paragraph 2 – point f
(f) the provider shall be equipped with the up-to-date hardware and software technical equipment necessary to support the requested service and shall meet the requirements set out in Regulation XX/XXXX (Cyber Resilience Act), where applicable;
2023/09/22
Committee: ITRE
Amendment 194 #
Proposal for a regulation
Article 16 – paragraph 2 – point f a (new)
(fa) the provider shall demonstrate that its decision and management structures are free from any undue influence by governments of states classified as systemic rivals of the Union;
2023/09/22
Committee: ITRE
Amendment 197 #
Proposal for a regulation
Article 16 – paragraph 2 – point j
(j) once an EU certification scheme for managed security service Regulation (EU) 2019/881 is in place, the provider shall be certified in accordance with that scheme, within a period of two years after the scheme has been adopted.
2023/09/22
Committee: ITRE
Amendment 203 #
Proposal for a regulation
Article 18 – paragraph 2
2. To prepare the incident review report referred to in paragraph 1, ENISA shall collaborate with and gather feedback from all relevant stakeholders, including representatives of Member States, the Commission, other relevant EU institutions, bodies and agencies, managed security services providers and users of cybersecurity services. Where appropriate, ENISA shall also collaborate with entities affected by significant or large-scale cybersecurity incidents. To support the review, ENISA may also consult other types of stakeholders. Consulted representatives shall disclose any potential conflict of interest.
2023/09/22
Committee: ITRE
Amendment 205 #
Proposal for a regulation
Article 18 – paragraph 4
4. Where appropriate, the report shall draw concrete recommendations, including for all relevant stakeholders, to improve the Union’s cyber posture.;
2023/09/22
Committee: ITRE
Amendment 208 #
Proposal for a regulation
Article 19 – paragraph 1 – point 3
Regulation (EU) 2021/694
Article 14 (2)
The Programme may provide funding in any of the forms laid down in the Financial Regulation, including in particular through procurement as a primary form, or grants and prizes. ENISA shall receive additional resources to carry out its additional tasks laid down in Regulation XX/XXX (Cyber Solidarity Act). That additional funding shall not jeopardise the achievements of the objectives of the Programme.
2023/09/22
Committee: ITRE
Amendment 210 #
Proposal for a regulation
Article 20 – title
Evaluation and Review
2023/09/22
Committee: ITRE
Amendment 211 #
Proposal for a regulation
Article 20 – paragraph 1
By [fourtwo years after the date of application of this Regulation], the Commission shall submit a report on the evaluation and review of this Regulation to the European Parliament and to the Council. and every two years thereafter, the Commission shall carry out an evaluation of the functioning of the measures laid down in this Regulation and submit a report to the European Parliament and the Council. The evaluation shall assess in particular: (a) the participation of Member States in the European Cyber Shield, including the number of National SOCs and cross- border SOCs established as part of the Regulation and the effectiveness of information exchange; (b) the contribution of this Regulation to reinforce the Union’s resilience and sovereignty, to improve the competitiveness of the relevant industry sectors, including SMEs, and the development of cybersecurity skills in the EU; (c) the use of the Cybersecurity Reserve, including whether the scope of the reserve should be broadened to incident preparedness services or common exercises with the trusted providers and potential users of the Cybersecurity Reserve to ensure efficient functioning of the Reserve when needed; (d) the contribution of this Regulation to the development and improvement of the skills and competences of the workforce in the cybersecurity sector, needed to strengthen the Union's capacity to detect, prevent, respond to and recover from cybersecurity threats and incidents; (e) the contribution of this Regulation to the deployment and development of state- of-the-art technologies in the Union; On the basis of that report, the Commission shall, where appropriate, submit a legislative proposal to the Parliament and the Council to amend this Regulation.
2023/09/22
Committee: ITRE
Amendment 214 #
Proposal for a regulation
Article 20 a (new)
Article20a Exercise of the delegation 1. The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article. 2. The power to adopt delegated acts referred to in Article 12(8) and Article 13(7) shall be conferred on the Commission for a period of 5 years from … [date of entry into force of the basic legislative act or any other date set by the co-legislators]. The Commission shall draw up a report in respect of the delegation of power not later than nine months before the end of the 5 year period. The delegation of power shall be tacitly extended for periods of an identical duration, unless the European Parliament or the Council opposes such extension not later than three months before the end of each period. 3. The delegation of power referred to in Article 12(8) and Article 13(7) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force 4. Before adopting a delegated act, the Commission shall consult experts designated by each Member State in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making. 5. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council. 6. A delegated act adopted pursuant to Article 12(8) or Article 13(7) shall enter into force only if no objection has been expressed either by the European Parliament or by the Council within a period of two months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by [two months] at the initiative of the European Parliament or of the Council.
2023/09/22
Committee: ITRE