21 Amendments of Antonio Maria RINALDI related to 2020/0359(COD)
Amendment 104 #
Proposal for a directive
Recital 46
(46) To further address key supply chain risks and assist entities operating in sectors covered by this Directive to appropriately manage supply chain and supplier related cybersecurity risks, the Cooperation Group involving relevant national authorities, in cooperation with the Commission, ENISA and the affected essential and important entities, should carry out coordinated sectoral supply chain risk assessments, as was already done for 5G networks following Recommendation (EU) 2019/534 on Cybersecurity of 5G networks (21), with the aim of identifying per sector which are the critical ICT services, systems or products, relevant threats and vulnerabilities.
__________________
(21) Commission Recommendation (EU) 2019/534 of 26 March 2019 Cybersecurity of 5G networks (OJ L 88, 29.3.2019, p. 42).
Amendment 105 #
Proposal for a directive
Recital 47
(47) The supply chain risk assessments, in light of the features of the sector concerned, should take into account both technical and, where justified by the criticality of the sector, non-technical factors including those defined in Recommendation (EU) 2019/534, in the EU wide coordinated risk assessment of 5G networks security and in the EU Toolbox on 5G cybersecurity agreed by the Cooperation Group. These assessments should be evidence-based and their results clearly defined. To identify the supply chains that should be subject to a coordinated risk assessment, the following criteria should be taken into account: (i) the extent to which essential and important entities use and rely on specific critical ICT services, systems or products; (ii) the relevance of specific critical ICT services, systems or products for performing critical or sensitive functions, including the processing of personal data; (iii) the availability of alternative ICT services, systems or products; (iv) the resilience of the overall supply chain of ICT services, systems or products against disruptive events and (v) for emerging ICT services, systems or products, their potential future significance for the entities’ activities.
Amendment 114 #
Proposal for a directive
Recital 55
(55) This Directive lays down a two-stage approach to incident reporting in order to strike the right balance between, on the one hand, swift reporting that helps mitigate the potential spread of incidents and allows entities to seek support, and, on the other hand, in-depth reporting that draws valuable lessons from individual incidents and improves over time the resilience to cyber threats of individual companies and entire sectors. Where entities become aware of an incident, they should be required to submit an initial notification without undue delay and not later than 72 hours, followed by a final report not later than 2 months after. The initial notification should only include the information strictly necessary to make the competent authorities aware of the incident and allow the entity to seek assistance, if required. Such notification, where applicable, should indicate whether the incident is presumably caused by unlawful or malicious action. Member States should ensure that the requirement to submit this initial notification does not divert the reporting entity’s resources from activities related to incident handling that should be prioritised. To further prevent that incident reporting obligations either divert resources from incident response handling or may otherwise compromise the entities’ efforts in that respect, Member States should also provide that, in duly justified cases and in agreement with the competent authorities or the CSIRT, the entity concerned can deviate from the deadlines of 72 hours for the initial notification and 2 months for the final report.
Amendment 126 #
Proposal for a directive
Recital 70
(70) In order to strengthen the supervisory powers and actions that help ensure effective compliance and to achieve a common high level of security within the digital sector throughout the Union, this Directive should provide for a minimum list of supervisory actions and means through which competent authorities may supervise essential and important entities. In addition, this Directive should establish a differentiation of supervisory regime between essential and important entities with a view to ensuring a fair balance of obligations for both entities and competent authorities. Thus, essential entities should be subject to a fully-fledged supervisory regime (ex-ante and ex-post), while important entities should be subject to a light supervisory regime, ex-post only. For the latter, this means that important entities should not document systematically compliance with cybersecurity risk management requirements, while competent authorities should implement a reactive ex-post approach to supervision and, hence, not have a general obligation to supervise those entities, except where there is a manifest breach of obligations, in particular where such entities cause risk for users or other services included in the scope of this Directive.
Amendment 128 #
Proposal for a directive
Recital 76
(76) In order to further strengthen the effectiveness and dissuasiveness of the penalties applicable to infringements of obligations laid down pursuant to this Directive, the competent authorities should be empowered to apply sanctions consisting of the suspension of a certification or authorisation concerning the implicated services provided by an essential entity and the imposition of a temporary ban from the exercise of managerial functions by a natural person. Given their severity and impact on the entities’ activities and ultimately on their consumers, such sanctions should only be applied proportionally to the severity of the infringement and taking account of the specific circumstances of each case, including the intentional or negligent character of the infringement, actions taken to prevent or mitigate the damage and/or losses suffered. Such sanctions should only be applied as ultima ratio, meaning only after the other relevant enforcement actions laid down by this Directive have been exhausted, and only for the time until the entities to which they apply take the necessary action to remedy the deficiencies or comply with the requirements of the competent authority for which such sanctions were applied. The imposition of such sanctions shall be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter of Fundamental Rights of the European Union, including effective judicial protection, due process, presumption of innocence and right of defence.
Amendment 133 #
Proposal for a directive
Article 2 – paragraph 1
1. This Directive applies to public and private entities of a type referred to as essential entities in Annex I and as important entities in Annex II. Entities and subsectors that fall within the scope of this Directive shall be provided with clear and concise definitions with respect to their designations. This Directive does not apply to entities that Member States unequivocally identify as non-critical, including where they are of types referred to in Annex I and Annex II. This Directive does not apply to entities that qualify as micro and small enterprises within the meaning of Commission Recommendation 2003/361/EC (28), without prejudice to their voluntary involvement.
__________________
(28) Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (OJ L 124, 20.5.2003, p. 36).
Amendment 148 #
Proposal for a directive
Article 4 – paragraph 1 – point 26 a (new)
(26a) 'non-critical entity' means any entity of a type referred to in Annex I and Annex II which, regardless of its size and resources, has no critical function within a specific sector or type of service provided and has a low level of dependency on other sectors or types of services.
Amendment 149 #
Proposal for a directive
Article 5 – paragraph 1 – point b
(b) a governance framework to achieve those objectives and priorities, including the policies referred to in paragraph 2 and the roles and responsibilities of public bodies and entities as well as other relevant actors, in particular those entrusted with specific SME support. The governance framework shall clearly outline how cooperation and coordination are organised between relevant national authorities designated under this Directive;
Amendment 161 #
Proposal for a directive
Article 5 – paragraph 2 – point h
(h) a policy addressing specific needs of SMEs in fulfilling the provisions laid down by this Directive, in particular those excluded from the scope of this Directive, in relation to guidance and support in improving their resilience to cybersecurity threats and encouraging, through dedicated support, their proactive adoption of suitable cybersecurity measures;
Amendment 172 #
Proposal for a directive
Article 6 – paragraph 1
1. Each Member State shall designate one of its CSIRTs as referred to in Article 9 as a coordinator for the purpose of coordinated vulnerability disclosure. The process of coordinated vulnerability disclosure shall be coherent with internationally recognised standards on vulnerability handling and disclosure. The designated CSIRT shall act as a trusted intermediary, facilitating, where necessary, the interaction between the reporting entity and the manufacturer or provider of ICT products or ICT services. Where the reported vulnerability concerns multiple manufacturers or providers of ICT products or ICT services across the Union, the designated CSIRT of each Member State concerned shall cooperate with the CSIRT network.
Amendment 174 #
Proposal for a directive
Article 6 – paragraph 2
2. ENISA shall develop and maintain a European vulnerability registry. To that end, ENISA shall establish and maintain the appropriate information systems, policies and procedures, as well as the necessary technical and organisational measures for the security of the registry, with a view in particular to enabling important and essential entities and their suppliers of network and information systems to disclose and register vulnerabilities present in ICT products or ICT services, as well as to provide access to the information on vulnerabilities contained in the registry to all interested parties. ENISA shall clarify the terms of work and use of the registry, including procedures for reporting, use and storage of the vulnerability information. The registry shall, in particular, include information describing the vulnerability, the affected ICT product or ICT services and the severity of the vulnerability in terms of the circumstances under which it may be exploited, the availability of related patches and, in the absence of available patches, guidance addressed to users of vulnerable products and services as to how the risks resulting from disclosed vulnerabilities may be mitigated.
Amendment 177 #
Proposal for a directive
Article 7 – paragraph 1
1. Each Member State shall designate one or more competent authorities responsible for the management of large-scale incidents and crises. Where a Member State designates more than one competent authority, it should clearly indicate which of these competent authorities would serve as the main point of contact during a large-scale incident or crisis. Member States shall ensure that competent authorities have adequate resources to perform, in an effective and efficient manner, the tasks assigned to them.
Amendment 186 #
Proposal for a directive
Article 10 – paragraph 2 – point f a (new)
(fa) providing practical and operational guidance to essential and important entities in cybersecurity response and prevention activities, including in particular dedicated technical support to SMEs;
Amendment 206 #
Proposal for a directive
Article 18 – paragraph 1
1. Member States shall ensure that essential and important entities shall take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which those entities use in the provision of their services. These measures shall be adopted following a risk-based assessment that takes the utmost account of the level of criticality of the concerned entities. Having regard to the state of the art, those measures shall ensure a level of security of network and information systems appropriate to the risk presented and shall not undermine valid security offering mechanisms already in place.
Amendment 221 #
Proposal for a directive
Article 19 – paragraph 1
1. The Cooperation Group, in cooperation with the Commission and ENISA, and after having consulted the affected essential and important entities, may carry out coordinated security risk assessments of specific critical ICT services, systems or products supply chains, taking into account technical and, where justified by the level of criticality of the sector, non-technical risk factors. Risk assessments should follow a balanced and non-discriminatory approach to ensure a competitive and harmonised internal market, with coordinated Member State approaches.
Amendment 223 #
Proposal for a directive
Article 19 – paragraph 2
2. The Commission, after consulting with the Cooperation Group, ENISA and the affected essential and important entities, shall identify the specific critical ICT services, systems or products that may be subject to the coordinated risk assessment referred to in paragraph 1.
Amendment 224 #
Proposal for a directive
Article 19 a (new)
Article 19a
When the Cooperation Group includes non-technical risk factors in its supply chain risk assessments, it shall ensure that those factors are evidence-based, clearly defined and that their interpretation is aligned across the Union to the greatest extent possible. Member States shall ensure that any affected party has clear and lawful means to raise concerns, challenge and object to the final decision taken as a result of the supply chain assessments referred to in paragraph 1 of this Article.
Amendment 231 #
Proposal for a directive
Article 20 – paragraph 2 – subparagraph 1
Member States shall ensure that essential and important entities may notify, without undue delay where feasible or through periodic threat analysis reports, the competent authorities or the CSIRT of any significant cyber threat that those entities identify that could have potentially resulted in a significant incident within the meaning of Article 2(8) of Regulation (EU) 2019/881.
Amendment 237 #
Proposal for a directive
Article 20 – paragraph 4 – subparagraph 1 – point a
(a) without undue delay and in any event not later than 72 hours after having become aware of the incident, an initial notification, which, where applicable and possible, shall indicate whether the incident is presumably caused by unlawful or malicious action;
Amendment 242 #
Proposal for a directive
Article 20 – paragraph 4 – subparagraph 1 – point c – introductory part
(c) a final report not later than two months after the submission of the report under point (a), including at least the following:
Amendment 280 #
Proposal for a directive
Article 26 – paragraph 5
5. In compliance with Union law, ENISA shall support the establishment of cybersecurity information-sharing arrangements referred to in paragraph 2 by providing best practices and guidance with the aim of promoting the cross-border exchange of information at Union level between the relevant entities.