Activities of Dragoş TUDORACHE related to 2020/0359(COD)

Shadow opinions (1)

OPINION on the proposal for a directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148
2021/07/15
Committee: AFET
Dossiers: 2020/0359(COD)
Documents: PDF(228 KB) DOC(72 KB)
Authors: Markéta GREGOROVÁ (MEP ID 197549)

Amendments (31)

Amendment 44
Proposal for a directive
Recital 43
(43) Addressing cybersecurity risks stemming from an entity’s supply chain and its relationship with its suppliers is particularly important given the prevalence of incidents where entities have fallen victim to cyber-attacks and where malicious actors were able to compromise the security of an entity’s network and information systems by exploiting vulnerabilities affecting third party products and services. Entities should therefore assess and take into account the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures in accordance with Union cybersecurity standards and laws and potential non-technical risk factors, such as undue influence by a third country on suppliers and service providers, especially in the case of alternative models of governance. Such risks include concealed vulnerabilities or backdoors and potential systemic supply disruptions, especially in case of technological lock-in or provider dependency.
2021/06/01
Committee: AFET
Amendment 47
Proposal for a directive
Recital 46
(46) To further address key supply chain risks and assist entities operating in sectors covered by this Directive to appropriately manage supply chain and supplier related cybersecurity risks, the Cooperation Group involving relevant national authorities, in cooperation with the Commission, ENISA and the European Defense Agency should carry out coordinated sectoral supply chain risk assessments, as was already done for 5G networks following Recommendation (EU) 2019/534 on Cybersecurity of 5G networks (21), with the aim of identifying per sector which are the critical ICT services, systems or products, relevant threats and vulnerabilities and proposing adequate remedies.
_________________
21 Commission Recommendation (EU) 2019/534 of 26 March 2019 Cybersecurity of 5G networks (OJ L 88, 29.3.2019, p. 42).
2021/06/01
Committee: AFET
Amendment 48
Proposal for a directive
Recital 68
(68) Entities should be encouraged to collectively leverage their individual knowledge and practical experience at strategic, tactical and operational levels with a view to enhance their capabilities to adequately assess, monitor, defend against, and respond to, cyber threats. It is thus necessary to enable the emergence at Union level of mechanisms for voluntary information sharing arrangements. To this end, Member States should actively support and encourage also relevant entities not covered by the scope of this Directive to participate in such information-sharing mechanisms. Those mechanisms should be conducted in full compliance with the competition rules of the Union as well as the data protection Union law rules. To the same end, Member States should support competent authorities and CSIRTs to establish free-of-charge or accessible cybersecurity assistance, education, and audit programs for entities that fall outside the scope of this Directive, in particular start-ups, SMEs and non-governmental organisations.
2021/06/01
Committee: AFET
Amendment 51
Proposal for a directive
Recital 73
(73) Where administrative fines are imposed on an undertaking, an undertaking should be understood to be an undertaking in accordance with Articles 101 and 102 TFEU for those purposes. Where administrative fines are imposed on persons that are not an undertaking, the supervisory authority should take account of the general level of income in the Member State as well as the economic situation of the person in considering the appropriate amount of the fine, without prejudice to the objectives of this Directive. It should be for the Member States to determine whether and to what extent public authorities should be subject to administrative fines. Imposing an administrative fine does not affect the application of other powers by the competent authorities or of other penalties laid down in the national rules transposing this Directive.
2021/06/01
Committee: AFET
Amendment 52
Proposal for a directive
Article 5 – paragraph 2 – point a
(a) a policy addressing cybersecurity in the supply chain for ICT products and services used by essential and important entities for the provision of their services, based on a comprehensive assessment of potential threats to supply chains;
2021/06/01
Committee: AFET
Amendment 53
Proposal for a directive
Article 5 – paragraph 2 – point b a (new)
(b a) a policy for promoting interoperability and adherence to common European Union standards in cybersecurity;
2021/06/01
Committee: AFET
Amendment 54
Proposal for a directive
Article 5 – paragraph 2 – point d
(d) a policy related to sustaining the general availability and integrity of the public core of the open internet, including the cybersecurity of internet backbones and, where applicable, of undersea communications cables;
2021/06/01
Committee: AFET
Amendment 55
Proposal for a directive
Article 5 – paragraph 2 – point e
(e) a policy on promoting and developing cyber hygiene and cybersecurity skills, awareness raising and research and development initiatives;
2021/06/01
Committee: AFET
Amendment 56
Proposal for a directive
Article 5 – paragraph 2 – point f
(f) a policy on supporting academic and research institutions in cybersecurity research and in the development of cybersecurity tools and secure network infrastructure;
2021/06/01
Committee: AFET
Amendment 57
Proposal for a directive
Article 5 – paragraph 2 – point h
(h) a policy addressing specific needs of start-ups, SMEs, and non-governmental organizations, in particular those excluded from the scope of this Directive, in relation to guidance and support in improving their resilience to cybersecurity threats, responding to cybersecurity incidents, and seeking cybersecurity assistance;
2021/06/01
Committee: AFET
Amendment 58
Proposal for a directive
Article 6 – paragraph 2
2. ENISA shall develop and maintain a European vulnerability registry. To that end, ENISA shall establish and maintain the appropriate information systems, policies and procedures with a view in particular to enabling important and essential entities and their suppliers of network and information systems to disclose and register vulnerabilities present in ICT products or ICT services, as well as to provide access to the information on vulnerabilities contained in the registry to all interested parties. In accordance with Article 10 (2), CSIRTs should facilitate access to information on vulnerabilities registered in the European vulnerability registry, alongside risk mitigation assistance, to entities that do not fall under the scope of this directive, in particular start-ups, SMEs, and non-governmental organizations. The registry shall, in particular, include information describing the vulnerability, the affected ICT product or ICT services and the severity of the vulnerability in terms of the circumstances under which it may be exploited, the availability of related patches and, in the absence of available patches, guidance addressed to users of vulnerable products and services as to how the risks resulting from disclosed vulnerabilities may be mitigated.
2021/06/01
Committee: AFET
Amendment 59
Proposal for a directive
Article 9 – paragraph 4 a (new)
4 a. CSIRTs shall cooperate and exchange relevant information with national institutions responsible for the maintenance of public security, defence, and national security.
2021/06/01
Committee: AFET
Amendment 60
Proposal for a directive
Article 9 – paragraph 4 b (new)
4 b. CSIRTs should cooperate and, where appropriate and without prejudice to Regulation (EU) 2016/679 or Union law, exchange relevant information with trusted third countries and international organizations on cyber threats, vulnerabilities, best practices, and standards.
2021/06/01
Committee: AFET
Amendment 61
Proposal for a directive
Article 9 – paragraph 4 c (new)
4 c. Without prejudice to Regulation (EU) 2016/679, to Union law, or to carrying out the obligations in the present Directive, CSIRTs should provide cybersecurity assistance to CSIRTs or equivalent structures in EU candidate countries and to countries in the Western Balkans and the Eastern Partnership.
2021/06/01
Committee: AFET
Amendment 62
Proposal for a directive
Article 10 – paragraph 1 – point d
(d) CSIRTs shall be adequately staffed to properly fulfil the tasks in paragraph 2 of this article and to ensure availability at all times;
2021/06/01
Committee: AFET
Amendment 63
Proposal for a directive
Article 10 – paragraph 1 – point e a (new)
(e a) establishing free-of-charge or accessible cybersecurity assistance, education, and audit programs for entities that fall outside the scope of this Directive, in particular start-ups, SMEs, and non-governmental organisations;
2021/06/01
Committee: AFET
Amendment 64
Proposal for a directive
Article 11 – paragraph 4
4. To the extent necessary to effectively carry out the tasks and obligations laid down in this Directive, Member States shall ensure appropriate cooperation between the competent authorities and single points of contact and law enforcement authorities, data protection authorities, national supervisory authorities for artificial intelligence, national competent authorities for data governance, and the authorities responsible for critical infrastructure pursuant to Directive (EU) XXXX/XXXX [Resilience of Critical Entities Directive] and the national financial authorities designated in accordance with Regulation (EU) XXXX/XXXX of the European Parliament and of the Council (39) [the DORA Regulation] within that Member State.
_________________
39 [insert the full title and OJ publication reference when known]
2021/06/01
Committee: AFET
Amendment 65
Proposal for a directive
Article 12 – paragraph 3 – introductory part
3. The Cooperation Group shall be composed of representatives of Member States, the Commission, ENISA, and the European Defence Agency. The European External Action Service shall participate in the activities of the Cooperation Group as an observer. National supervisory authorities for artificial intelligence, national competent authorities for data governance, and the European Supervisory Authorities (ESAs) in accordance with Article 17(5)(c) of Regulation (EU) XXXX/XXXX [the DORA Regulation] may participate in the activities of the Cooperation Group.
2021/06/01
Committee: AFET
Amendment 66
Proposal for a directive
Article 12 – paragraph 4 – point e a (new)
(e a) without prejudice to Union law, engaging in cooperation, mutual assistance, and exchanging best practices and information with trusted third countries and international organizations;
2021/06/01
Committee: AFET
Amendment 68
Proposal for a directive
Article 13 – paragraph 3 – point k a (new)
(k a) without prejudice to Union law, cooperating and exchanging information with equivalent structures or institutions in trusted third countries and international organization, such as the United States and NATO, for the purpose of increasing trust, promoting swift and effective operational coordination, harmonising cybersecurity standards, and ensuring interoperability;
2021/06/01
Committee: AFET
Amendment 70
Proposal for a directive
Article 14 – paragraph 3 – point a
(a) increasing the level of preparedness of the management of large scale incidents and crises and liaising with Member State institutions in charge of state security and territorial defence;
2021/06/01
Committee: AFET
Amendment 71
Proposal for a directive
Article 17 – paragraph 2
2. Member States shall ensure that members of the management body follow specific trainings, on a regular basis, to gain sufficient knowledge and skills in order to apprehend and assess cybersecurity risks and management practices and their impact on the operations of the entity. Member States should encourage essential and important entities to evaluate, on a regular basis, members of the management bodies referenced in paragraph 1 on the adequacy of their skills for ensuring compliance with Article 18.
2021/06/01
Committee: AFET
Amendment 72
Proposal for a directive
Article 18 – paragraph 3
3. Member States shall ensure that, where considering appropriate measures referred to in point (d) of paragraph 2, entities shall take into account the vulnerabilities specific to each supplier and service provider and the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures in accordance to Union cybersecurity standards and laws and potential non-technical risk factors, such as concealed vulnerabilities or backdoors and potential systemic supply disruptions.
2021/06/01
Committee: AFET
Amendment 73
Proposal for a directive
Article 19 – paragraph 1
1. The Cooperation Group, in cooperation with the Commission, ENISA and the European Defence Agency, may carry out coordinated security risk assessments of specific critical ICT services, systems or products supply chains, taking into account technical and, where relevant, non-technical risk factors.
2021/06/01
Committee: AFET
Amendment 74
Proposal for a directive
Article 19 – paragraph 2
2. The Commission, after consulting with the Cooperation Group, ENISA and the European Defence Agency, shall identify the specific critical ICT services, systems or products that may be subject to the coordinated risk assessment referred to in paragraph 1.
2021/06/01
Committee: AFET
Amendment 75
Proposal for a directive
Article 19 – paragraph 2 a (new)
2 a. Upon identifying risks to specific critical ICT services, systems or production supply chains, the Commission, after consulting with the Cooperation Group, ENISA, and the European Defence Agency, shall issue recommendations to Member States and the national competent authorities defined in this Regulation for remedying and increasing resilience to the identified risks.
2021/06/01
Committee: AFET
Amendment 76
Proposal for a directive
Article 25 – paragraph 1 – point c a (new)
(c a) information on the management body responsible for the cybersecurity risk management measures defined in Article 18, as defined by Article 17;
2021/06/01
Committee: AFET
Amendment 77
Proposal for a directive
Article 29 – paragraph 2 – point c
(c) targeted security audits based on risk assessments or risk-related available information, including on risks related to supply chains as defined in Article 18 (3);
2021/06/01
Committee: AFET
Amendment 78
Proposal for a directive
Article 30 – paragraph 2 – point b
(b) targeted security audits based on risk assessments or risk-related available information, including on risks related to supply chains as defined in Article 18 (3);
2021/06/01
Committee: AFET
Amendment 79
Proposal for a directive
Annex I – ESSENTIAL ENTITIES: SECTORS, SUBSECTORS AND TYPES OF ENTITIES – Sector 6 a (new)
6a. Education and research — Higher education institutions and research institutions
2021/05/31
Committee: AFET
Amendment 80
Proposal for a directive
Annex I – ESSENTIAL ENTITIES: SECTORS, SUBSECTORS AND TYPES OF ENTITIES – Sector 9 Public administration – Type of entities
Public administration entities of central governments
Public administration entities of NUTS level 1 regions listed in Annex I of Regulation (EC) No 1059/2003 (27, 27 a (new))
Public administration entities of NUTS level 2 regions listed in Annex I of Regulation (EC) No 1059/2003 (27 b (new))
__________________
27 Regulation (EC) No 1059/2003 of the European Parliament and of the Council of 26 May 2003 on the establishment of a common classification of territorial units for statistics (NUTS) (OJ L 154, 21.6.2003, p. 1).
27 a (new) Or the equivalent administrative units, in Member States where the NUTS classification is not yet reflected in the administration institutional setup.
27 b (new) Or the equivalent administrative units, in Member States where the NUTS classification is not yet reflected in the administration institutional setup.
2021/05/31
Committee: AFET