46 Amendments of Konstantinos ARVANITIS related to 2022/0084(COD)
Amendment 36 #
Proposal for a regulation
Recital 1
Recital 1
Amendment 37 #
Proposal for a regulation
Recital 1 a (new)
Recital 1 a (new)
(1a) Given that Union institutions are obliged to apply Article 15(3) TFEU in line with democratic principles, in particular those laid down in Article 10(3) TEU and Article 42 of the Charter of Fundamental Rights of the European Union (‘the Charter’), the European Union classified information (‘EUCI’) system should adhere to the principles of data classification minimisation and time limitation for any such classification.
Amendment 44 #
Proposal for a regulation
Recital 3 a (new)
Recital 3 a (new)
(3a) Article 15 TFEU states that the Unions’ institutions, bodies, offices and agencies shall conduct their work as openly as possible, and that every citizen of the Union shall have a right of access to documents. Accordingly, every classification of documents shall take place in the light of these overarching principles.
Amendment 49 #
Proposal for a regulation
Recital 3 b (new)
Recital 3 b (new)
(3b) In the context of information security, Union institutions and bodies should increase organisational interoperability and take joint action to ensure that networks, information systems, data, and all material assets employed to capture, store, process and transmit the information are duly protected.
Amendment 51 #
(4) The recent pandemic caused a significant changeexpedited the significant underlying transformation in working practices, with remote communication tools becoming the rule. Therefore, many procedures that were still at least partly paper-based were rapidly adjusted to enable electronic processing and exchanges of information. These developments require changes in the handling and protection of information. This Regulation takes account of the new working practices.
Amendment 54 #
Proposal for a regulation
Recital 5 a (new)
Recital 5 a (new)
Amendment 59 #
Proposal for a regulation
Recital 8
Recital 8
(8) With a view to establishing a formal common and uniform structure for cooperation between Union institutions and bodies in the field of information security, it is necessary to set up an Interinstitutional Coordination Group (the ‘Coordination Group’) in which all Union institutions’ and bodies’ Security Authorities are represented. Without having decision- making powers, the Cordination Group should enhance the coherence of policies in the field of information security and should contribute to the harmonisation of the information security procedures and tools across the Union institutions and bodies.
Amendment 62 #
Proposal for a regulation
Recital 10
Recital 10
(10) The Coordination Group should closely cooperate with the National SecurityClassification Authoritiesy of the Member States with a view to enhancing information security in the Union. An Information Security Committee of the Member States should therefore be set up to provide advice to the Coordination Group.
Amendment 65 #
Proposal for a regulation
Recital 14
Recital 14
(14) With the purpose of adjusting to the new teleworking practices, the network information systems, digital infrastructure, and terminal devices used for connecting to the Union institution’s or body’s remote access services should be protected by adequatestate of the art security measures.
Amendment 70 #
Proposal for a regulation
Recital 18
Recital 18
(18) The protection of EUCI is also ensured by technical and organisational measures which apply to the premises, buildings, rooms, offices or facilities of the Union institutions and bodies where EUCI is discussed, handled or stored. This Regulation provides for the implementation of an information security management process in the area of physical security which would allow Union institutions and bodies to select the appropriate security measures for their sites. A thorough evaluation of security infrastructure, including services, should be carried out, encompassing all aspects of the operational chain and environment.
Amendment 72 #
Proposal for a regulation
Recital 21
Recital 21
(21) Union institutions and bodies have been traditionally developed their communication and information systems autonomously, with insufficient attention to their interoperability across all Union institutions and bodies. It is therefore necessary to establish minimum security requirements concerning the Communication and Information Systems (CISs) handling and stor, storing, and transmitting both EUCI and non-classified information with the aim to guarantee a seamless exchange of information with the relevant stakeholders.
Amendment 73 #
Proposal for a regulation
Recital 21 a (new)
Recital 21 a (new)
(21a) Information held by the Union entities is also exchanged through the ICT environment, on-premises or through virtual assets, ICT products, ICT services and ICT processes, as well as networks and information systems whether owned and operated by a Union entity or hosted or operated by a third party, including mobile devices, corporate networks, and business networks not connected to the internet and any devices connected to the ICT environment.
Amendment 74 #
Proposal for a regulation
Article 1 – paragraph 1
Article 1 – paragraph 1
1. This Regulation lays down a minimum set of common and uniform information security rules for all Union institutions and bodies.
Amendment 78 #
Proposal for a regulation
Article 2 – paragraph 1 a (new)
Article 2 – paragraph 1 a (new)
1a. This Regulation is without prejudice to Regulation (Euratom) No 3/1958[1], Regulation No 31 (EEC), 11 (EAEC), laying down the Staff Regulations of Officials and the Conditions of Employment of other servants of the European Economic Community and the European Atomic Energy Community[2], Regulation (EC) 1049/2001 of the European Parliament and of the Council[3], Regulation (EU) 2018/1725 of the European Parliament and of the Council[4], Council Regulation (EEC, EURATOM) No 354/83[5], Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council[6], Regulation (EU) 2021/697 of the European Parliament and of the Council[7], Regulation (EU) [...] of the European Parliament and of the Council[8] laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union.[KL1] [1] Regulation (Euratom) No 3/1958 implementing Article 24 of the Treaty establishing the European Atomic Energy Community (OJ 17, 6.10.1958, p. 406). [2] OJ 45, 14.6.1962, p. 1385. [3] Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents (OJ L 145, 31.5.2001, p. 43). [4] Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39). [5] Council Regulation (EEC, EURATOM) No 354/83 of 1 February 1983 concerning the opening to the public of the historical archives of the European Economic Community and the European Atomic Energy Community (OJ L 43, 15.2.1983, p. 1). [6] Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council of 18 July 2018 on the financial rules applicable to the general budget of the Union, amending Regulations (EU) No 1296/2013, (EU) No 1301/2013, (EU) No 1303/2013, (EU) No 1304/2013, (EU) No 1309/2013, (EU) No 1316/2013, (EU) No 223/2014, (EU) No 283/2014, and Decision No 541/2014/EU and repealing Regulation (EU, Euratom) No 966/2012 (OJ L 193, 30.7.2018, p. 1). [7] Regulation (EU) 2021/697 of the European Parliament and of the Council of 29 April 2021 establishing the European Defence Fund and repealing Regulation (EU) 2018/1092 (OJ L 170, 12.5.2021, p. 149). [8] Regulation […] of the European Parliament and of the Council laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union.
Amendment 82 #
Proposal for a regulation
Article 2 – paragraph 3
Article 2 – paragraph 3
3. These levels are based on the damage that unauthorised disclosure may cause to the legitimate private and public interests, including those of the Union, Union institutions and bodies and Member States or other stakeholders, so that the appropriate protective measures can be applied.
Amendment 85 #
Proposal for a regulation
Article 4 – paragraph 3
Article 4 – paragraph 3
3. Whithout prejudice to Article 15 TFEU, Union institutions and bodies shall assess all information they handle and store in order to categorise it in accordance with the confidentiality levels referred to in Article 2(2).
Amendment 87 #
Proposal for a regulation
Article 4 – paragraph 6 – subparagraph 2
Article 4 – paragraph 6 – subparagraph 2
Union institutions and bodies handling and storing EUCI shall organise mandatory training at least once every 5 years for all individuals authorised to access EUCI. The Union institutions and bodies concerned shall organise specific training for the specific functions entrusted with information security tasks. Union entities shall, not later than six months after the date of entry into force of this Regulation, design and implement effective and appropriate training courses for all individuals authorised to access EUCI, commensurate to the risks identified in accordance with Article 5.
Amendment 88 #
Proposal for a regulation
Article 5 – paragraph 3 – point a a (new)
Article 5 – paragraph 3 – point a a (new)
(aa) the risks to the rights and freedoms of natural persons;
Amendment 89 #
Proposal for a regulation
Article 5 – paragraph 3 – point f
Article 5 – paragraph 3 – point f
(f) business continuity, crisis management and disaster recovery;
Amendment 93 #
Proposal for a regulation
Article 6 – paragraph 2 – point e a (new)
Article 6 – paragraph 2 – point e a (new)
(ea) monitor compliance by Union institutions and bodies with this Regulation, as well as with the guidance documents established pursuant to point (c) through the adoption of a yearly evaluation report;
Amendment 99 #
Proposal for a regulation
Article 11 – paragraph 4 – point d
Article 11 – paragraph 4 – point d
(d) end-to-end encryption of information at rest and in transitall stages of the relevant processes;
Amendment 100 #
Proposal for a regulation
Article 12 – paragraph 2
Article 12 – paragraph 2
2. Union institutions and bodies may mark with ‘PUBLIC USE’ the information referred to in paragraph 1. The absence of such marking shall not give rise to a presumption that the information could be classified.
Amendment 102 #
Proposal for a regulation
Article 12 – paragraph 3
Article 12 – paragraph 3
3. All Union institutions and bodies shall ensure the integrity and availability of information for public use by appropriate measures based on itstheir security needs and accounting for the right to information.
Amendment 103 #
Proposal for a regulation
Article 13 – paragraph 2
Article 13 – paragraph 2
2. Normal information may be marked visually or in metadata where necessary to ensure its protection, particularly where shared outside Union institutions and bodies. The marking ‘EU NORMAL’ or the ‘name or acronym of the Union institution or body NORMAL’ (adjusted on a case-by-case basis) shall be used in that case. The absence of such marking shall not give rise to a presumption that the information could be classified.
Amendment 105 #
Proposal for a regulation
Article 13 – paragraph 4
Article 13 – paragraph 4
Amendment 106 #
Proposal for a regulation
Article 14 – paragraph 1
Article 14 – paragraph 1
1. Union institutions and bodies shall categorise, handle and stored as sensitive non-classified all information that is not classified but which they must protect due to legal obligations or because of the harm that may be caused to the legitimate private and public interests, including those of the Union institutions and bodies, or Member States or individuals by its unauthorised disclosure.
Amendment 107 #
Proposal for a regulation
Article 14 – paragraph 4
Article 14 – paragraph 4
4. Sensitive non-classified information shall be exchanged outside Union institutions and bodies only with natural and legal persons that have a need- to-know while respecting the handling instructions accompanying the information and the requirements stemming from legal protections that might apply as per paragraph 1 . All parties involved shall be made aware of the appropriate handling instructions.
Amendment 108 #
Proposal for a regulation
Article 15 – paragraph 1
Article 15 – paragraph 1
1. Union institutions and bodies shall establish uniform procedures for the reporting and management of any incident or suspected incident that could lead to a compromise of the security of non- classified information.
Amendment 112 #
Proposal for a regulation
Article 18 – paragraph 2
Article 18 – paragraph 2
2. The Coordination Group shall adopt guidance documents on EUCI creation and classification. Such documents shall take into account both the principle of minimisation of the use of classified information and the risk of overclassification of certain documents, and shall include rules on assessing and justifying information and material classification, aimed at increasing transparency and avoiding unjustified lock-in effects.
Amendment 114 #
Proposal for a regulation
Article 20 – paragraph 3 a (new)
Article 20 – paragraph 3 a (new)
3a. This Article is without prejudice to Regulation (EC) No 1049/2001.
Amendment 115 #
Proposal for a regulation
Article 22 – paragraph 1
Article 22 – paragraph 1
1. Any act or omission of a Union institution or body or an individual, which is in breach of this Regulation, shall be considered as a breach of security.
Amendment 116 #
Proposal for a regulation
Article 22 – paragraph 3 – point a
Article 22 – paragraph 3 – point a
(a) inform the originator without undue delay, and in any event no later than three days after the Security Authority has been informed of the breach;
Amendment 117 #
Proposal for a regulation
Article 22 – paragraph 3 – point b
Article 22 – paragraph 3 – point b
(b) ensure that the case is throughly investigated by personnel not immediately concerned with the breach in order to establish the facts;
Amendment 118 #
Proposal for a regulation
Article 22 – paragraph 3 – point e
Article 22 – paragraph 3 – point e
(e) notify the competent authorities about the actual or potential compromise and the action taken without undue delay, and in any event no later than three days after the Security Authority has been informed of the breach.
Amendment 121 #
Proposal for a regulation
Article 23 – paragraph 3
Article 23 – paragraph 3
3. Union institutions and bodies may accept security clearances from third countries and international organisations with which the Union has a security of information agreement. They shall, in any event, ensure that the principles under paragraphs 1 and 2 are observed.
Amendment 125 #
Proposal for a regulation
Article 25 – paragraph 3
Article 25 – paragraph 3
3. Where the holder of an authorisation to access EUCI takes up employment in another Union institution or body, that Union institution or body shall, without undue delay, notify the relevant NSA of a change of employer, through the competent Security Authority.
Amendment 128 #
Proposal for a regulation
Article 31 – paragraph 1 – point a
Article 31 – paragraph 1 – point a
(a) each page shall be marked clearly with the classification level and the duration of classification ;
Amendment 130 #
Proposal for a regulation
Article 32 – paragraph 1 – introductory part
Article 32 – paragraph 1 – introductory part
1. The Union institution or body under whose authority an EUCI document is created shall have originator control over that document. The originator shall determine the classification level of the document and shall be responsible for its initial dissemination. The originator may consult intended recipients regarding the classification level of an EUCI document, in particular in the event of any doubt as to the confidential nature of an item of information and its appropriate level of classification, and to prevent over- classification of such documents. For the purposes of the initial dissemination of an EUCI document, the originator shall take into account the rights and obligations of information recipients arising from the Treaties. Without prejudice to Regulation 1049/2001, the originator’s prior written consent shall be obtained before the information is:
Amendment 132 #
Proposal for a regulation
Article 32 – paragraph 1 – point d
Article 32 – paragraph 1 – point d
Amendment 135 #
Proposal for a regulation
Article 35 – paragraph 2
Article 35 – paragraph 2
2. At the time of creation of EUCI, the originator shall indicate, where possible, and in particular for information classified RESTREINT UE/EU RESTRICTED, whether the EUCI can be downgraded or declassified on a given date or following a specific event.
Amendment 139 #
Proposal for a regulation
Article 39 – paragraph 1
Article 39 – paragraph 1
1. Union institutions and bodies shall decide whether and when to archive EUCI, and the corresponding uniform practical measures, in accordance with their policy on document management.
Amendment 140 #
Proposal for a regulation
Article 39 – paragraph 2
Article 39 – paragraph 2
Amendment 143 #
Proposal for a regulation
Article 41 – paragraph 1 – point b
Article 41 – paragraph 1 – point b
(b) keycrucial security principles for the design of CIS handling and storing EUCI shall apply at the inception of the project, as part of the information security risk management process and taking into account need-to-know, minimal functionality, defence in depth, least privilege, segregation of duties and four eyes;
Amendment 144 #
Proposal for a regulation
Article 41 – paragraph 1 – point f a (new)
Article 41 – paragraph 1 – point f a (new)
(fa) the system owner or the Information Assurance Operational Authority shall ensure that a process of identifying and reporting vulnerabilities is in place; that process shall be complemented by regular audits and penetration tests where appropriate.
Amendment 149 #
Proposal for a regulation
Article 52 – paragraph 2
Article 52 – paragraph 2
2. The sub-group on EUCI sharing and exchange of classified information shall be composed of representatives from the European Parliament, the Commission, the Council and the European External Action Service and shall work by consensus. That subgroup shall seek a fair balance between the need to protect EUCI and Regulation (EC) No 1049/2001, and shall ensure that the classification does not in itself prevent disclosure.
Amendment 152 #
Proposal for a regulation
Article 54 – paragraph 1 – point a
Article 54 – paragraph 1 – point a
(a) there is a legal obligation under Union law or under an agreement concluded between Union institutions;or (a) there is a proven need for the exchange;