68 Amendments of Marc ANGEL related to 2020/0359(COD)
Amendment 73 #
Proposal for a directive
Recital 5
Recital 5
(5) All those divergences entail a fragmentation of the internal market and are liable to have a prejudicial effect on its functioning, affecting in particular the cross-border provision of services and level of cybersecurity resilience due to the application of different standards. This Directive aims to remove such wide divergences among Member States and strengthen the internal market, in particular by setting out minimum rules regarding the functioning of a coordinated regulatory framework, by laying down mechanisms for the effective cooperation among the responsible authorities in each Member State, by updating the list of sectors and activities subject to cybersecurity obligations and by providing effective remedies and sanctions which are instrumental to the effective enforcement of those obligations. Therefore, Directive (EU) 2016/1148 should be repealed and replaced by this Directive.
Amendment 77 #
Proposal for a directive
Recital 10
Recital 10
(10) The Commission, in cooperation with the Cooperation Group, mayshould issue guidelines on the implementation of the criteria applicable to micro and small enterprises.
Amendment 78 #
Proposal for a directive
Recital 11
Recital 11
(11) Depending on the sector in which they operate or the type of service they provide, the entities falling within the scope of this Directive should be classified into two categories: essential and important. That categorisation should take into account the level of criticality of the sector or of the type of service, as well as the level of dependency of other sectors or types of services. Both essential and important entities should be subject to the same risk management requirements and reporting obligations. The supervisory and penalty regimes between these two categories of entities should be differentiated to ensure a fair balance between requirements and obligations on one hand, and the administrative burden stemming from the supervision of compliance on the other hand. This balance also helps national competent authorities to focus on those operators whose cybersecurity represents the highest societal risk.
Amendment 79 #
Proposal for a directive
Recital 12
Recital 12
(12) Sector-specific legislation and instruments can contribute to ensuring high levels of cybersecurity, while taking full account of the specificities and complexities of those sectors. Where a sector–specific Union legal act requires essential or important entities to adopt cybersecurity risk management measures or to notify incidents or significant cyber threats of at least an equivalent effect to the obligations laid down in this Directive, those sector-specific provisions, including on supervision and enforcement, should apply. In order to reduce unnecessary administrative burden, sector-specific legislation and instruments should, whenever possible, align their notification procedures with those present in this Directive, according to the once-only principle. The Commission may issue guidelines in relation to the implementation of the lex specialis. This Directive does not preclude the adoption of additional sector- specific Union acts addressing cybersecurity risk management measures and incident notifications. This Directive is without prejudice to the existing implementing powers that have been conferred to the Commission in a number of sectors, including transport and energy.
Amendment 82 #
Proposal for a directive
Recital 14
Recital 14
(14) In view of the interlinkages between cybersecurity and the physical security of entities, a coherent approach should be ensured between Directive (EU) XXX/XXX of the European Parliament and of the Council17 and this Directive. To achieve this, Member States should ensure that critical entities, and equivalent entities, pursuant to Directive (EU) XXX/XXX are considered to be essential entities under this Directive. Member States should also ensure that their national cybersecurity strategies provide for a policy framework for enhanced coordination between the competent authority under this Directive and the one under Directive (EU) XXX/XXX in the context of incident reporting, information sharing on incidents and cyber threats and the exercise of supervisory tasks. Authorities under both Directives should cooperate and exchange information, particularly in relation to the identification of critical entities, cyber threats, cybersecurity risks, incidents affecting critical entities as well as on the cybersecurity measures taken by critical entities. Upon request of competent authorities under Directive (EU) XXX/XXX, competent authorities under this Directive should be allowed to exercise their supervisory and enforcement powers on an essential entity identified as critical. Both authorities should cooperate and exchange information for this purpose. __________________ 17[insert the full title and OJ publication reference when known]
Amendment 84 #
Proposal for a directive
Recital 15
Recital 15
(15) Upholding and preserving a reliable, resilient and secure domain name system (DNS) is a key factor in maintaining the integrity of the Internet and is essential for its continuous and stable operation, on which the digital economy, the internal market and society depend. Therefore, this Directive should apply to all providers of DNS services along the DNS resolution chain, including operators of root name servers, top-level- domain (TLD) name servers, authoritative name servers for domain names and recursive resolvers.
Amendment 85 #
Proposal for a directive
Recital 20
Recital 20
(20) Those growing interdependencies are the result of an increasingly cross- border and interdependent network of service provision using key infrastructures across the Union in the sectors of energy, transport, digital infrastructure, drinking and waste water, health, certain aspects of public administration, as well as space in as far as the provision of certain services depending on ground-based infrastructures that are owned, managed and operated either by Member States or by private parties is concerned, therefore not covering infrastructures owned, managed or operated by or on behalf of the Union as part of its space programmes. Those interdependencies mean that any disruption, even one initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts in the delivery of services across the internal market. The COVID-19 pandemic has shown the vulnerability of our increasingly interdependent societies in the face of low-probability risks and the need to protect the internal market through joint strategies and actions at Union level.
Amendment 88 #
Proposal for a directive
Recital 23
Recital 23
(23) Competent authorities or the CSIRTs should receive notifications of incidents from entities in an standardised, effective and efficient way. The single points of contact should be tasked with forwarding incident notifications to the single points of contact of other affected Member States. At the level of Member States’ authorities, to ensure one single entry point in every Member States, the single points of contacts should also be the addressees of relevant information on incidents concerning financial sector entities from the competent authorities under Regulation XXXX/XXXX which they should be able to forward, as appropriate, to the relevant national competent authorities or CSIRTs under this Directive.
Amendment 90 #
Proposal for a directive
Recital 26 a (new)
Recital 26 a (new)
(26a) Member States should, in accordance with their national cybersecurity strategies, put in place policies directed at cybersecurity awareness, cyber literacy and cyber- hygiene of citizens, with a view of strengthening the human element of network and information systems and protecting consumers from harm.
Amendment 92 #
Proposal for a directive
Recital 27
Recital 27
(27) In accordance with the Annex to Commission Recommendation (EU) 2017/1548 on Coordinated Response to Large Scale Cybersecurity Incidents and Crises (‘Blueprint’)20 , a large-scale incident should mean an incident with a significant impact on at least two Member States or whose disruption exceeds a Member State’s capacity to respond to it, thus endangering the internal market. Depending on their cause and impact, large-scale incidents may escalate and turn into fully-fledged crises not allowing the proper functioning of the internal market. Given the wide-ranging scope and, in most cases, the cross-border nature of such incidents, Member States and relevant Union institutions, bodies and agencies should cooperate at technical, operational and political level to properly coordinate the response across the Union. __________________ 20Commission Recommendation (EU) 2017/1584 of 13 September 2017 on coordinated response to large-scale cybersecurity incidents and crises (OJ L 239, 19.9.2017, p. 36).
Amendment 93 #
Proposal for a directive
Recital 28
Recital 28
(28) Since the exploitation of vulnerabilities in network and information systems may cause significant disruption and harm to businesses and consumers, swiftly identifying and remedying those vulnerabilities is an important factor in reducing cybersecurity risk. Entities that develop such systems should therefore establish appropriate procedures to handle vulnerabilities when they are discovered. Since vulnerabilities are often discovered and reported (disclosed) by third parties (reporting entities), the manufacturer or provider of ICT products or services should also put in place the necessary procedures to receive vulnerability information from third parties. In this regard, international standards ISO/IEC 30111 and ISO/IEC 29417 provide guidance on vulnerability handling and vulnerability disclosure respectively. As regards vulnerability disclosure, coordination between reporting entities and manufacturers or providers of ICT products or services is particularly important. Coordinated vulnerability disclosure specifies a structured process through which vulnerabilities are reported to organisations in a manner allowing the organisation to diagnose and remedy the vulnerability before detailed vulnerability information is disclosed to third parties or to the public. Coordinated vulnerability disclosure should also comprise coordination between the reporting entity and the organisation as regards the timing of remediation and publication of vulnerabilities.
Amendment 99 #
Proposal for a directive
Recital 34
Recital 34
(34) The Cooperation Group should remain a flexible forum and be able to react to changing and new policy priorities and challenges while taking into account the availability of resources. It should organize regular joint meetings with relevant private stakeholders from across the Union to discuss activities carried out by the Group and gather input on emerging policy challenges. In order to enhance cooperation at Union level, the Group should consider inviting Union bodies and agencies involved in cybersecurity policy, such as the European Cybercrime Centre (EC3), the European Union Aviation Safety Agency (EASA) and the European Union Agency for Space Programme (EUSPA) to participate in its work, as well as other Union bodies and agencies and supervisory authorities related to the Digital Single Market.
Amendment 100 #
Proposal for a directive
Recital 35
Recital 35
(35) The competent authorities and CSIRTs should be empowered to participate in exchange schemes for officials from other Member States in order to improve cooperation and strengthen confidence inside the networks. The competent authorities should take the necessary measures to enable officials from other Member States to play an effective role in the activities of the host competent authority or CSIRT.
Amendment 101 #
Proposal for a directive
Recital 35 a (new)
Recital 35 a (new)
Amendment 103 #
Proposal for a directive
Recital 45 a (new)
Recital 45 a (new)
(45a) Additionally, entities should also ensure adequate cybersecurity education and training of their staff at all levels of the organisation.
Amendment 106 #
Proposal for a directive
Recital 51
Recital 51
(51) The internal market is more reliant on the functioning of the internet than ever before. The services of virtually all essential and important entities are dependent on services provided over the internet, and consumers rely on it for essential parts of their daily lives. In order to ensure the smooth provision of services provided by essential and important entities, it is important that public electronic communications networks, such as, for example, internet backbones or submarine communications cables, have appropriate cybersecurity measures in place and report incidents in relation thereto.
Amendment 108 #
Proposal for a directive
Recital 52
Recital 52
(52) Where appropriate, eEntities should inform their service recipients of particular and significant threats and of measures they can take to mitigate the resulting risk to themselves, in particular when such measures may increase consumer protection. The requirement to inform those recipients of such threats should not discharge entities from the obligation to take, at their own expense, appropriate and immediate measures to prevent or remedy any cyber threats and restore the normal security level of the service. The provision of such information about security threats to the recipients should be free of charge and in language easy to understand and to follow.
Amendment 112 #
Proposal for a directive
Recital 54
Recital 54
(54) In order to safeguard the security of electronic communications networks and services, the use of encryption, and in particular end-to-end encryption, should be promoted and, where necessary, should be mandatory for providers of such services and networks in accordance with the principles of security and privacy by default and by design for the purposes of Article 18. The use of end-to-end encryption should be reconciled with the Member State’ powers to ensure the protection of their essential security interests and public security, and to permit the investigation, detection and prosecution of criminal offences in compliance with Union law. Solutions for lawful access to information in end-to-end encrypted communications should maintain tThe effectiveness of encryption in protecting privacy and security of communications, while provid must not be undermined ing an effective response to crimey circumstance, as any loophole in encryption is open to be explored by all actors, regardless of their legitimacy or intent.
Amendment 113 #
Proposal for a directive
Recital 55
Recital 55
(55) This Directive lays down a twohree- stage approach to incident reporting in order to strike the right balance between, on the one hand, swift reporting that helps mitigate the potential spread of incidents and allows entities to seek support, and, on the other hand, in-depth reporting that draws valuable lessons from individual incidents and improves over time the resilience to cyber threats of individual companies and entire sectors. Where entities become awareIn this regard, this Directive should also include reporting of an incident,s they should be required to submit an initial notification within 24 hours, followeat, based on an initial assessment performed by the entity, could bye a final report not later than one month after. The initial notification should only include the information strictly necessary to make the competent authorities aware of the incident and allow the entity to seek assistance, if required. Such notification, where applicable, should indicate whether the incident is presumably caused by unlawful or malicious action. Member States should ensure that the requirement to submit this initial notification does not divssumed to lead to substantial operational disruption or financial losses or affect other natural or legal persons by causing considerable material or non- material losses. The initial assessment should take into account, amongst othert, the reporting entity’s resources from activities related to incident handling that should be prioritised. To furaffected network and information systems and in particular their prevent that incident reporting obligations either divert resources from incident response handling or may otherwise compromise the entiimportance in the provision of the entity’s services, the severity and technical characteristiecs efforts in that respect, Member States should also provide that, in duly justified cases and inof the cyber threat, and any underlying vulnerabilities that agreement with the competent authorities or the CSIRT, the entity concerned can deviate from the deadlines of 24 hours for the initial notification and one month for the final report being exploited as well as the entity’s experience with similar incidents.
Amendment 116 #
Proposal for a directive
Recital 56
Recital 56
(56) Essential and important entities are often in a situation where a particular incident, because of its features, needs to be reported to various authorities as a result of notification obligations included in various legal instruments. Such cases create additional burdens and may also lead to uncertainties with regard to the format and procedures of such notifications. In view of this and, for the purposes of simplifying the reporting of security incidents and upholding the once- only principle, Member States should establish a single entry point for all notifications required under this Directive and also under other Union law such as Regulation (EU) 2016/679 and Directive 2002/58/EC. ENISA, in cooperation with the Cooperation Group should develop common notification templates by means of guidelines that would simplify and streamline the reporting information requested by Union law and decrease the burdens for companies.
Amendment 130 #
Proposal for a directive
Recital 79
Recital 79
(79) A peer-review mechanism should be introduced, allowing the assessment by experts designated by the Member States and ENISA of the implementation of cybersecurity policies, including the level of Member States’ capabilities and available resources, and the exchange of experiences and best practices related to procedures and instruments.
Amendment 132 #
Proposal for a directive
Article 1 – paragraph 1
Article 1 – paragraph 1
1. This Directive lays down measures with a view to ensuring a high common level of cybersecurity within the Union and strengthening the Digital Single Market.
Amendment 143 #
Proposal for a directive
Article 4 – paragraph 1 – point 4
Article 4 – paragraph 1 – point 4
(4) ‘national strategy on cybersecurity’ means a coherent framework of a Member State providing strategic objectives and priorities on the security of network and information systems in that Member State, as well as policies needed to achieve them;
Amendment 144 #
Proposal for a directive
Article 4 – paragraph 1 – point 5 a (new)
Article 4 – paragraph 1 – point 5 a (new)
(5a) 'cross-border incident' means any incident which impacts operators under at least 2 different national competent authorities;
Amendment 145 #
Proposal for a directive
Article 4 – paragraph 1 – point 8 a (new)
Article 4 – paragraph 1 – point 8 a (new)
(8a) "early warning" means the information preceding the initial incident notification warning to third parties, without detailed information obligations, on the onset of an incident or on the discovery moment of an ongoing incident;
Amendment 150 #
Proposal for a directive
Article 5 – paragraph 1 – point b
Article 5 – paragraph 1 – point b
(b) a governance framework to achieve those objectives and priorities, including the policies referred to in paragraph 2 and the roles and responsibilities of public bodies and entities as well as other relevant actors, including those responsible for cyber intelligence and cyber defence;
Amendment 151 #
Proposal for a directive
Article 5 – paragraph 1 – point c
Article 5 – paragraph 1 – point c
(c) an assessment to identify relevant assets and cybersecurity risks in that Member State; , including potential shortages that may negatively impact the Single Market.
Amendment 155 #
Proposal for a directive
Article 5 – paragraph 2 – point a a (new)
Article 5 – paragraph 2 – point a a (new)
(aa) a policy addressing cybersecurity of consumers, including their awareness of cyber threats, their cyber literacy and cyber-hygiene, as well as the cybersecurity of products available for consumers;
Amendment 158 #
Proposal for a directive
Article 5 – paragraph 2 – point e
Article 5 – paragraph 2 – point e
(e) a policy on promoting and developenhancing cybersecurity skills, awareness raising and research and development initiativend competence across all levels, from the non-experts to the highly skilled professionals;
Amendment 160 #
Proposal for a directive
Article 5 – paragraph 2 – point f
Article 5 – paragraph 2 – point f
(f) a policy on supporting academic and research institutions to develop cybersecurity tools and secure network infrastructure and promoting the coherent and synergic use of available funds;
Amendment 163 #
Proposal for a directive
Article 5 – paragraph 2 – point h
Article 5 – paragraph 2 – point h
(h) a policy addressing specific needs of SMEs, in particular those excluded from the scope of this Directive, in relation to guidance and support in improving their resilience to cybersecurity threats., promotion of cybersecurity skills and competences, and assistance in responding to cyberattacks;
Amendment 164 #
Proposal for a directive
Article 5 – paragraph 2 – point h – point i (new)
Article 5 – paragraph 2 – point h – point i (new)
(i) this policy shall include the establishment of a national single point of contact for SMEs and a framework for the most efficient use of Digital Innovation Hubs and available funds in the achievement of policy objectives;
Amendment 169 #
Proposal for a directive
Article 5 – paragraph 4 – subparagraph 1 a (new)
Article 5 – paragraph 4 – subparagraph 1 a (new)
Key performance indicators shall be chosen taking into account recommendations from ENISA and, whenever possible, shall be comparable at the Union level;
Amendment 179 #
Proposal for a directive
Article 7 – paragraph 3 – point f a (new)
Article 7 – paragraph 3 – point f a (new)
(fa) coordination with authorities responsible for cyber intelligence and cyber defence
Amendment 182 #
Proposal for a directive
Article 10 – paragraph 2 – point c
Article 10 – paragraph 2 – point c
(c) responding to incidents; and, whenever possible and adequate, providing assistance to entities that may request it;
Amendment 183 #
Proposal for a directive
Article 10 – paragraph 2 – point d
Article 10 – paragraph 2 – point d
(d) providing dynamic risk and incident analysis and situational awareness regarding cybersecurity, namely through the analysis of early warnings and notifications as referred to in Article 20;
Amendment 185 #
Proposal for a directive
Article 10 – paragraph 2 – point f
Article 10 – paragraph 2 – point f
(f) actively participating in the CSIRTs network and providing mutual assistance to other members of the network upon their request.
Amendment 187 #
Proposal for a directive
Article 10 – paragraph 2 – point f a (new)
Article 10 – paragraph 2 – point f a (new)
(fa) participating in joint cybersecurity exercises at Union level;
Amendment 188 #
Proposal for a directive
Article 11 – paragraph 2
Article 11 – paragraph 2
2. Member States shall ensure that either their competent authorities or their CSIRTs receive notifications on incidents, and significant cyber threats and near misses submitted pursuant to this Directive. Where a Member State decides that its CSIRTs shall not receive those notifications, the CSIRTs shall, to the extent necessary to effectively carry out their tasks, be granted adequate access to data on incidents notified by the essential or important entities, pursuant to Article 20.
Amendment 189 #
Proposal for a directive
Article 11 – paragraph 4
Article 11 – paragraph 4
4. To the extent necessary to effectively carry out the tasks and obligations laid down in this Directive, Member States shall ensure appropriate cooperation between the competent authorities and single points of contact and law enforcement authorities, data protection authorities, and the authorities responsible for critical infrastructure pursuant to Directive (EU) XXXX/XXXX [Resilience of Critical Entities Directive] and the national financial authorities designated in accordance with Regulation (EU) XXXX/XXXX of the European Parliament and of the Council39 [the DORA Regulation] within that Member State, as well as with cyber defence and cyber intelligence authorities. __________________ 39[insert the full title and OJ publication reference when known]
Amendment 192 #
Proposal for a directive
Article 12 – paragraph 4 – point f a (new)
Article 12 – paragraph 4 – point f a (new)
(fa) assessing the functioning of the peer review system and drawing up recommendations for its improvement;
Amendment 193 #
Proposal for a directive
Article 12 – paragraph 4 – point k a (new)
Article 12 – paragraph 4 – point k a (new)
(ka) supporting ENISA in organising joint training of national competent authorities at the EU level.
Amendment 196 #
Proposal for a directive
Article 14 – paragraph 3 – point a
Article 14 – paragraph 3 – point a
(a) increasing the level of preparedness of the management of large scale incidents and crises, including cross-border cyber threats;
Amendment 197 #
Proposal for a directive
Article 15 – paragraph 1 – introductory part
Article 15 – paragraph 1 – introductory part
1. ENISA shall issue, in cooperation with the Commission, a biennial report on the state of cybersecurity in the Union and present it to the European Parliament. The report shall in particular include an assessment of the following:
Amendment 198 #
Proposal for a directive
Article 15 – paragraph 1 – point a
Article 15 – paragraph 1 – point a
(a) the development of cybersecurity capabilities across the Union, including the general level of skills and competences in cybersecurity in the Digital Single Market;
Amendment 200 #
Proposal for a directive
Article 15 – paragraph 1 – point c a (new)
Article 15 – paragraph 1 – point c a (new)
(ca) an aggregated index providing an assessment of the cybersecurity of European consumers.
Amendment 202 #
Proposal for a directive
Article 16 – paragraph 1 – introductory part
Article 16 – paragraph 1 – introductory part
1. The Commission shall establish, after consulting the Cooperation Group and ENISA, and at the latest by 18 months following the entry into force of this Directive, the methodology and content of a peer-review system for assessing the effectiveness of the Member States’ cybersecurity policies. The reviews shall be conducted by cybersecurity technical experts drawn from ENISA and several Member States different than the one reviewed, and shall cover at least the following:
Amendment 207 #
Proposal for a directive
Article 18 – paragraph 1
Article 18 – paragraph 1
1. Member States shall ensure that essential and important entities shall take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which those entities use in the provision of their services. Having regard to the state of the art, those measures shall ensure a level of security of network and information systems appropriate to the risk presented. In particular, measures shall be taken to prevent and minimise the impact of security incidents on consumers.
Amendment 213 #
Proposal for a directive
Article 18 – paragraph 2 – point g a (new)
Article 18 – paragraph 2 – point g a (new)
(ga) policies to ensure adequate education and training in cybersecurity at all levels of the organisation for essential and important entities.
Amendment 217 #
Proposal for a directive
Article 18 – paragraph 2 a (new)
Article 18 – paragraph 2 a (new)
2a. ENISA shall create and maintain an updated list of state of the art measures, as referred to in paragraph 1.
Amendment 222 #
Proposal for a directive
Article 19 – paragraph 1
Article 19 – paragraph 1
1. The Cooperation Group, in cooperation with the Commission and ENISA, mayshall carry out coordinated security risk assessments of specific critical ICT services, systems or products supply chains, taking into account technical and, where relevant, non-technical risk factors.
Amendment 226 #
Proposal for a directive
Article 20 – paragraph 1
Article 20 – paragraph 1
1. Member States shall ensure that essential and important entities notify, without undue delay, the competent authorities or the CSIRT in accordance with paragraphs 3 and 4 of any incident having a significant impact on the provision of their services. Where appropriate, tThose entities shall notify, without undue delay, the recipients of their services of incidents that are likely to adversely affect the provision of that service. Member States shall ensure that those entities report, among others, any information enabling the competent authorities or the CSIRT to determine any cross-border impact of the incident.
Amendment 233 #
Proposal for a directive
Article 20 – paragraph 3 – point a
Article 20 – paragraph 3 – point a
(a) the incident has caused or has the potentialit can be assumed to cause substantial operational disruption or financial losses for the entity concerned;
Amendment 234 #
Proposal for a directive
Article 20 – paragraph 3 – point b
Article 20 – paragraph 3 – point b
(b) the incident has affected or has the potentialit can be assumed to affect other natural or legal persons by causing considerable material or non-material losses.
Amendment 236 #
Proposal for a directive
Article 20 – paragraph 4 – subparagraph 1 – point -a (new)
Article 20 – paragraph 4 – subparagraph 1 – point -a (new)
(-a) an early warning within 24 hours after having become aware of an incident, without any obligations on the entity concerned to disclose additional information regarding the incident;
Amendment 241 #
Proposal for a directive
Article 20 – paragraph 4 – subparagraph 1 – point c – introductory part
Article 20 – paragraph 4 – subparagraph 1 – point c – introductory part
(c) a finalcomprehensive report not later than one month after the submission of the report under point (ab), including at least the following:
Amendment 244 #
Proposal for a directive
Article 20 – paragraph 4 – subparagraph 2
Article 20 – paragraph 4 – subparagraph 2
Member States shall provide that in duly justified cases and in agreement with the competent authorities or the CSIRT, the entity concerned can deviate from the deadlines laid down in points (a), (b) and (cd).
Amendment 245 #
Proposal for a directive
Article 20 – paragraph 5
Article 20 – paragraph 5
5. The competent national authorities or the CSIRT shall provide, within 24 hours after receiving the initial notification referred to in point (ab) of paragraph 4, a response to the notifying entity, including initial feedback on the incident and, upon request of the entity, guidance on the implementation of possible mitigation measures. Where the CSIRT did not receive the notification referred to in paragraph 1 , the guidance shall be provided by the competent authority in collaboration with the CSIRT. The CSIRT shall provide additional technical support if the concerned entity so requests. Where the incident is suspected to be of criminal nature, the competent national authorities or the CSIRT shall also provide guidance on reporting the incident to law enforcement authorities.
Amendment 248 #
Proposal for a directive
Article 21 – paragraph 1
Article 21 – paragraph 1
1. In order to demonstrate compliance with certain requirements of Article 18, Member States may requireand following guidance from ENISA, the Commission, and the Cooperation Group, Member States shall call for essential and important entities to certify certain ICT products, ICT services and ICT processes, developed either by the essential and important entities or procured from third parties, under specific European cybersecurity certification schemes adopted pursuant to Article 49 of Regulation (EU) 2019/881. The products, services and processes subject to, or under equivalent and internationally accepted certification schemes. Whenever possible, the call for certification may be develshall be adopted by an essential or important entity or procured from third partiesll Member States in a harmonised way.
Amendment 254 #
Proposal for a directive
Article 22 – paragraph 1
Article 22 – paragraph 1
1. In order to promote the convergent implementation of Article 18(1) and (2), Member States shall, without imposing or discriminating in favour of the use of a particular type of technology, and according to guidance from ENISA and the Cooperation Group, encourage the use of European or internationally accepted standards and specifications relevant to the security of network and information systems.
Amendment 274 #
Proposal for a directive
Article 25 – paragraph 1 – introductory part
Article 25 – paragraph 1 – introductory part
1. ENISA shall create and maintain a registry for essential and important entities referred to in Article 24(1). TFor that purpose the entities shall submit the following information to ENISAthe national competent authority by [12 months after entering into force of the Directive at the latest]:
Amendment 275 #
Proposal for a directive
Article 25 – paragraph 2
Article 25 – paragraph 2
2. The entities referred to in paragraph 1 shall notify ENISAthe national competent authority about any changes to the details they submitted under paragraph 1 without delay, and in any event, within three months from the date on which the change took effect.
Amendment 276 #
Proposal for a directive
Article 25 – paragraph 3
Article 25 – paragraph 3
3. Upon receipt of the information under paragraph 1, ENISA shall forward it to the single points of contact depending on the indicated location of each entity’s main establishment or, if it is not established in the Union, of its designated representativethe national competent authorities shall forward it to ENISA. Where an entity referred to in paragraph 1 has besides its main establishment in the Union further establishments in other Member States, ENISA shall also inform the single points of contact of those Member States.
Amendment 281 #
Proposal for a directive
Article 27 – paragraph 1
Article 27 – paragraph 1
Member States shall ensure that, without prejudice to Article 3, entities falling outside the scope of this Directive may submit notifications, on a voluntary basis, of significant incidents, cyber threats or near misses. When processing notifications, Member States shall act in accordance with the procedure laid down in Article 20. Member States mayshall prioritise the processing of mandatory notifications over voluntary notifications. Voluntary reporting shall not result in the imposition of any additional obligations upon the reporting entity to which it would not have been subject had it not submitted the notification, but it may grant it assistance from CSIRTs.
Amendment 283 #
Proposal for a directive
Article 28 – paragraph 1
Article 28 – paragraph 1
1. Member States shall ensure that competent authorities effectively monitor and take the measures necessary to ensure compliance with this Directive, in particular the obligations laid down in Articles 18 and 20, and are provided with the adequate means to perform their function.
Amendment 285 #
Proposal for a directive
Article 28 – paragraph 2
Article 28 – paragraph 2
2. Competent authorities shall work in close cooperation with data protection authorities when addressing incidents resulting in personal data breaches, including data protection authorities from other Member States whenever relevant.
Amendment 294 #
Proposal for a directive
Article 32 – paragraph 1
Article 32 – paragraph 1
1. Where the competent authorities have indications that the infringement by an essential or important entity of the obligations laid down in Articles 18 and 20 entails a personal data breach, as defined by Article 4(12) of Regulation (EU) 2016/679 which shall be notified pursuant to Article 33 of that Regulation, they shall inform the supervisory authorities competent pursuant to Articles 55 and 56 of that Regulation within a reasonable period of timeout undue delay.
Amendment 296 #
Proposal for a directive
Article 32 – paragraph 3
Article 32 – paragraph 3
3. Where the supervisory authority competent pursuant to Regulation (EU) 2016/679 is established in another Member State than the competent authority, the competent authority mayshall also inform the supervisory authority established in the same Member State.