Activities of Pernando BARRENA ARZA related to 2020/0359(COD)

Shadow opinions (1)

OPINION on the proposal for a directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148
2021/10/15
Committee: LIBE
Dossiers: 2020/0359(COD)
Documents: PDF(328 KB) DOC(223 KB)
Authors: Lukas MANDL (MEP ID 190713)

Amendments (20)

Amendment 108
Proposal for a directive
Recital 46
(46) To further address key supply chain risks and assist entities operating in sectors covered by this Directive to appropriately manage supply chain and supplier related cybersecurity risks, the Cooperation Group involving relevant national authorities, in cooperation with the Commission and ENISA, should carry out coordinated sectoral supply chain risk assessments, as was already done for 5G networks following Recommendation (EU) 2019/534 on Cybersecurity of 5G networks [21], with the aim of identifying per sector which are the critical ICT services, systems or products, relevant threats and vulnerabilities. Particular consideration should be given to the fact that ICT services, systems or products subject to specific requirements in the country of origin that might represent an obstacle to compliance with EU privacy and data protection law. Where appropriate, the EDPB should be consulted in the framework of such risk assessments.
_________________
[21] Commission Recommendation (EU) 2019/534 of 26 March 2019 Cybersecurity of 5G networks (OJ L 88, 29.3.2019, p. 42).
2021/07/02
Committee: LIBE
Amendment 110
Proposal for a directive
Recital 46 a (new)
(46a) Free and open source software as well as open source hardware could bring huge benefits in terms of cybersecurity, in particular as regards transparency and verifiability of features. As this could help address and mitigate specific supply chain risks, their use should be preferred where feasible.
2021/07/02
Committee: LIBE
Amendment 116
Proposal for a directive
Recital 54
(54) In order to safeguard the security of electronic communications networks and services, the use of encryption, and in particular end-to-end encryption, should be promoted and, where necessary, should be mandatory for providers of such services and networks in accordance with the principles of security and privacy by default and by design for the purposes of Article 18. The use of end-to-end encryption should be reconciled with the Member States’ powers to ensure the protection of their essential security interests and public security, and to permit the investigation, detection and prosecution of criminal offences in compliance with Union law. Solutions for lawful access to information in end-to-end encrypted communications should maintain the effectiveness of encryption in protecting privacy and security of communications, while providing an effective response to crime. No provision in this Directive should be construed as an endorsement of or obligation to weakening end-to-end encryption, whether through “backdoors” or other solutions.
2021/07/02
Committee: LIBE
Amendment 136
Proposal for a directive
Recital 82 a (new)
(82a) This Directive does not apply to Union bodies, however, Union bodies could be considered essential or important entities under this Directive. By [6 months after entry into force], the Commission should evaluate the need to apply the provisions of this Directive to Union bodies and present, where appropriate, legislative proposals to this effect.
2021/07/02
Committee: LIBE
Amendment 140
Proposal for a directive
Article 2 – paragraph 1
1. This Directive applies to public and private entities of a type referred to as essential entities in Annex I and as important entities in Annex II. This Directive does not apply to entities that qualify as micro and small enterprises within the meaning of Commission Recommendation 2003/361/EC. [28]
_________________
[28] Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (OJ L 124, 20.5.2003, p. 36).
2021/07/02
Committee: LIBE
Amendment 145
Proposal for a directive
Article 2 – paragraph 2 – point c
(c) the entity is the sole provider of a service in a Member State or region;
2021/07/02
Committee: LIBE
Amendment 149
Proposal for a directive
Article 2 – paragraph 4
4. This Directive applies without prejudice to Council Directive 2008/114/EC [30] and Directives 2011/93/EU [31] and 2013/40/EU [32] of the European Parliament and of the Council.
_________________
[30] Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (OJ L 345, 23.12.2008, p. 75).
[31] Directive 2011/93/EU of the European Parliament and of the Council of 13 December 2011 on combating the sexual abuse and sexual exploitation of children and child pornography, and replacing Council Framework Decision 2004/68/JHA (OJ L 335, 17.12.2011, p. 1).
[32] Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on attacks against information systems and replacing Council Framework Decision 2005/222/JHA (OJ L 218, 14.8.2013, p. 8).
2021/07/02
Committee: LIBE
Amendment 150
Proposal for a directive
Article 2 – paragraph 4 a (new)
4 a. This Directive applies without prejudice to Union legislation for the protection of personal data, in particular Regulation (EU) 2016/679, Directive (EU) 2016/680 and Directive 2002/58/EC. Where the application of this Directive requires the processing of personal data, this shall take place in accordance with those instruments.
2021/07/02
Committee: LIBE
Amendment 152
Proposal for a directive
Article 2 – paragraph 5
5. Without prejudice to Article 346 TFEU, information that is confidential pursuant to Union and national rules, such as rules on business confidentiality, shall be exchanged with the Commission and other relevant authorities only where that exchange is necessary for the application of this Directive. The information exchanged shall be limited to that which is relevant and proportionate necessary to the purpose of that exchange. The exchange of information shall preserve the confidentiality of that information and protect the security and commercial interests of essential or important entities.
2021/07/02
Committee: LIBE
Amendment 159
Proposal for a directive
Article 4 – paragraph 1 – point 12
(12) ‘internet exchange point (IXP)’ means a network facility which enables the interconnection of more than two independent networks (autonomous systems), primarily for the purpose of facilitating the exchange of internet traffic; an IXP provides interconnection only for autonomous systems; an IXP does not require the internet traffic passing between any pair of participating autonomous systems to pass through any third autonomous system, nor does it alter or otherwise interfere with such traffic; deleted
2021/07/02
Committee: LIBE
Amendment 162
(22) ‘social networking services platform’ means a platform that enables end-users to connect, share, discover and communicate with each other across multiple devices, and in particular, via chats, posts, videos and recommendations); deleted
2021/07/02
Committee: LIBE
Amendment 181
Proposal for a directive
Article 6 – paragraph 2
2. ENISA shall develop and maintain a European vulnerability registry. To that end, ENISA shall establish and maintain the appropriate information systems, policies and procedures with a view in particular to enabling important and essential entities and their suppliers of network and information systems to disclose and register vulnerabilities present in ICT products or ICT services, as well as to provide access to the information on vulnerabilities contained in the registry to all interested parties the public. The registry shall, in particular, include information describing the vulnerability, the affected ICT product or ICT services and the severity of the vulnerability in terms of the circumstances under which it may be exploited, the availability of related patches and, in the absence of available patches, guidance addressed to users of vulnerable products and services as to how the risks resulting from disclosed vulnerabilities may be mitigated.
2021/07/02
Committee: LIBE
Amendment 182
Proposal for a directive
Article 7 – paragraph 3 – point a
(a) objectives of national, regional and cross-border preparedness measures and activities;
2021/07/02
Committee: LIBE
Amendment 187
Proposal for a directive
Article 10 – paragraph 2 – point e
(e) providing, upon request of an entity, a proactive scanning of the network and information systems used for the provision of their services; the processing of personal data in the context of such scanning shall be limited to what is strictly necessary, and in any case to IP addresses and URLs.
2021/07/02
Committee: LIBE
Amendment 189
Proposal for a directive
Article 12 – paragraph 3 – introductory part
3. The Cooperation Group shall be composed of representatives of Member States, the Commission and ENISA. The European External Action Service shall participate in the activities of the Cooperation Group as an observer. The European Supervisory Authorities (ESAs) in accordance with Article 17(5)(c) of Regulation (EU) XXXX/XXXX [the DORA Regulation] may participate in the activities of the Cooperation Group.
2021/07/02
Committee: LIBE
Amendment 192
Proposal for a directive
Article 12 – paragraph 3 – subparagraph 1
Where appropriate, the Cooperation Group may shall invite representatives of relevant stakeholders, academia and civil society to participate in its work.
2021/07/02
Committee: LIBE
Amendment 193
Proposal for a directive
Article 12 – paragraph 8
8. The Cooperation Group shall meet regularly and at least once a year with the Critical Entities Resilience Group established under Directive (EU) XXXX/XXXX [Resilience of Critical Entities Directive] to promote strategic cooperation and exchange of information.
2021/07/02
Committee: LIBE
Amendment 224
Proposal for a directive
Article 23 – paragraph 1
1. For the purpose of contributing to the security, stability and resilience of the DNS, Member States shall ensure that TLD registries and the entities providing domain name registration services for the TLD shall collect and maintain accurate and complete domain name registration data in a dedicated database facility with due diligence subject to in accordance with Union data protection law as regards data which are personal data.
2021/07/02
Committee: LIBE
Amendment 225
Proposal for a directive
Article 23 – paragraph 2
2. Member States shall ensure that the databases of domain name registration data referred to in paragraph 1 contain relevant information to identify and contact the holders of the domain names, such as name and electronic mail address, and the points of contact administering the domain names under the TLDs.
2021/07/02
Committee: LIBE
Amendment 226
Proposal for a directive
Article 23 – paragraph 5
5. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD provide access to specific domain name registration data upon lawful and duly justified requests of legitimate access seeker, necessary within the competences of CERTs, CSIRTs and competent authorities under Union or national law for the prevention, investigation or prosecution of criminal offences, in compliance with Union data protection law. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD reply without undue delay to all sufficiently substantiated requests for access. Member States shall ensure that policies and procedures to disclose such data are made publicly available.
2021/07/02
Committee: LIBE