39 Amendments of Andreas SCHWAB related to 2013/0027(COD)
Amendment 115 #
Proposal for a directive
Recital 8
Recital 8
(8) The provisions of this Directive should be without prejudice to the possibility for each Member State to take the necessary measures to ensure the protection of its essential security interests, to safeguard public policy and public security, and to permit the investigation, detection and prosecution of criminal offences. In accordance with Article 346 TFEU, no Member State is to be obliged to supply information the disclosure of which it considers contrary to the essential interests of its security. No Member States is obliged to disclose EU classified information according to Council Decision of 31 March 2011 on the security rules for protecting EU classified information (2011/292/EU), information subject to Non-Disclosure Agreements or informal Non-Disclosure Agreements, such as the Traffic Light Protocol.
Amendment 116 #
Proposal for a directive
Recital 10 a (new)
Recital 10 a (new)
(10 a) In view of the differences in national governance structures and in order to safeguard already existing sectoral arrangements or Union supervisory and regulatory bodies, and to avoid duplication, Member States should be able to designate more than one national competent authority in charge of fulfilling the tasks linked to the security of the networks and information systems of market operators under this Directive. However, in order to ensure smooth cross- border cooperation and communication, it is necessary that each Member State, without prejudice to sectoral regulatory arrangements, designate only one national single point of contact in charge of cross-border cooperation at Union level. Where its constitutional structure or other arrangements so require, a Member State should be able to designate only one authority to carry out the tasks of the competent authority and the single point of contact.
Amendment 133 #
Proposal for a directive
Recital 34
Recital 34
(34) In order to allow for the proper functioning of the cooperation network, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission in respect of the definition of the criteria to be fulfilled for a Member State to be authorized to participate to the secure information-sharing system, of the further specification of the triggering events for early warning, and of the definition of the circumstances in which market operators and public administrations are required to notify incidents.
Amendment 134 #
Proposal for a directive
Recital 36
Recital 36
(36) In order to ensure uniform conditions for the implementation of this Directive, implementing powers should be conferred on the Commission as regards the cooperation between competent authoritiessingle points of contact and the Commission within the cooperation network, the access towithout prejudice to existing cooperation mechanisms at national level, the common set of interconnection and security standards for the secure information-sharing infrastructure, the Union NIS cooperation plan, and the formats and procedures applicable to informing the public about incidents, and the standards and/or technical specifications relevant to NISthe notification of incidents having a significant impact. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Member States of the Commission's exercise of implementing powers.
Amendment 140 #
Proposal for a directive
Article 1 – paragraph 2 – point c
Article 1 – paragraph 2 – point c
(c) establishes security requirements for market operators and public administrations.
Amendment 146 #
Proposal for a directive
Article 3 – point 3
Article 3 – point 3
(3) ‘risk’ means any reasonably identifiable circumstance or event having a potential adverse effect on security;
Amendment 152 #
Proposal for a directive
Article 4
Article 4
Amendment 156 #
Proposal for a directive
Article 5 – paragraph 2 – point a
Article 5 – paragraph 2 – point a
(a) A risk assessment plan to identifymanagement framework to establish a methodology for the identification, prioritisation, evaluation and treatment of risks and, the assessment of the impacts of potential incidents, prevention and control options, and to define criteria for the choice of possible countermeasures;
Amendment 162 #
Proposal for a directive
Article 6 – paragraph 1
Article 6 – paragraph 1
1. Each Member State shall designate aone or more civilian national competent authorityies on the security of network and information systems (thereinafter referred to as ‘competent authority/ies’).
Amendment 164 #
Proposal for a directive
Article 6 – paragraph 2 a (new)
Article 6 – paragraph 2 a (new)
2a. Where a Member State designates more than one competent authority, it shall designate a civilian national authority, for instance a competent authority, as national single point of contact on the security of network and information systems (hereinafter referred to as "single point of contact"). Where a Member State designates only one competent authority, that competent authority shall also be the single point of contact.
Amendment 165 #
Proposal for a directive
Article 6 – paragraph 4
Article 6 – paragraph 4
4. Member States shall ensure that the competent authorities and single points of contact, where applicable according to paragraph 2a of this Article, receive the notifications of incidents from public administrations and market operators as specified under Article 14(2) and are granted the implementation and enforcement powers referred to under Article 15.
Amendment 166 #
Proposal for a directive
Article 6 – paragraph 4 a (new)
Article 6 – paragraph 4 a (new)
4a. Where Union legislation provides for a sector-specific Union supervisory or regulatory body, inter alia on the security of network and information systems, this body shall receive the notifications of incidents according to Article 14(2) from the market operators concerned in this sector and be granted the implementation and enforcement powers referred to under Article 15. This Union body shall cooperate closely with the competent authorities and the single point of contact of the host Member State with regard to these obligations. The single point of contact of the host Member State shall represent the Union body with regard to the obligations of Chapter III.
Amendment 170 #
Proposal for a directive
Article 8 – paragraph 3 – point d
Article 8 – paragraph 3 – point d
(d) jointly discuss and assess, at the request of one Member State or of the Commission, one or more national NIS strategies and national NIS cooperation plans referred to in Article 5, within the scope of this Directive.
Amendment 171 #
Proposal for a directive
Article 8 – paragraph 3 – point e
Article 8 – paragraph 3 – point e
(e) jointly discuss and assess, at the request of a Member State or the Commission, the effectiveness of the CERTs, in particular when NIS exercises are performed at Union level;
Amendment 172 #
Proposal for a directive
Article 8 – paragraph 3 – point f
Article 8 – paragraph 3 – point f
(f) cooperate and exchange information on all relevant matters with the European Cybercrime Centre within Europol, and with other relevant European bodies in particular in the fields of data protection, energy, transport, banking, stock exchanges and healthexpertise on relevant matters on network and information security, in particular in the fields of data protection, energy, transport, banking, financial markets and health with the European Cybercrime Centre within Europol, and with other relevant European bodies;
Amendment 173 #
Proposal for a directive
Article 8 – paragraph 3 – point h
Article 8 – paragraph 3 – point h
Amendment 174 #
Proposal for a directive
Article 8 – paragraph 3 – point i a (new)
Article 8 – paragraph 3 – point i a (new)
(ia) develop, in cooperation with ENISA, guidelines for sector-specific criteria for the notification of significant incidents, in addition to the parameters laid down in Article 14(2).
Amendment 179 #
Proposal for a directive
Article 9 – paragraph 2
Article 9 – paragraph 2
Amendment 181 #
Proposal for a directive
Article 9 – paragraph 3
Article 9 – paragraph 3
3. The Commission shall adopt, by means of implementing acts, decisions on the access of the Member States to this secure infrastructure, pursuant to the criteria referred to in paragraph 2 and 3a common set of interconnection and security standards that single points of contact shall meet before exchanging sensitive and confidential information across the cooperation network. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 19 (3).
Amendment 183 #
Proposal for a directive
Article 10 – paragraph 1 – point a
Article 10 – paragraph 1 – point a
Amendment 184 #
Proposal for a directive
Article 10 – paragraph 1 – point b
Article 10 – paragraph 1 – point b
(b) they exceed or ma single point of contact assesses that the risk or incident potentially exceeds national response capacity;
Amendment 185 #
Proposal for a directive
Article 10 – paragraph 1 – point c
Article 10 – paragraph 1 – point c
(c) they affect or may single points of contact or the Commission assess that the risk or incident affects more than one Member State.
Amendment 188 #
Proposal for a directive
Article 10 – paragraph 3
Article 10 – paragraph 3
Amendment 189 #
Proposal for a directive
Article 10 – paragraph 4
Article 10 – paragraph 4
4. Where the risk or incident subject to an early warning is of a suspected serious criminal nature, the competent authorities or the Commission shall inform and where the concerned market operator has reported incidents of a suspected serious criminal nature as referred to in Article 15(4), the Member States shall ensure that the European Cybercrime Centre within Europol is informed, where appropriate.
Amendment 190 #
Proposal for a directive
Article 10 – paragraph 4 a (new)
Article 10 – paragraph 4 a (new)
4a. Members of the cooperation network shall not make public any information received on risks and incidents according to paragraph 1 without having received the prior approval of the notifying single point of contact.
Amendment 197 #
Proposal for a directive
Article 13 a (new)
Article 13 a (new)
Article 13a Level of criticality of market operators Member States may determine the level of criticality of market operators, taking into account the specificities of sectors, parameters including the importance of the particular market operator for maintaining a sufficient level of the sectoral service, the number of parties supplied by the market operator, and the time period until the discontinuity of the core services of the market operator has a negative impact on the maintenance of vital economic and societal activities.
Amendment 198 #
Proposal for a directive
Chapter 4 – title
Chapter 4 – title
SECURITY OF THE NETWORKS AND INFORMATION SYSTEMS OF PUBLIC ADMINISTRATIONS AND MARKET OPERATORS
Amendment 200 #
Proposal for a directive
Article 14 – paragraph 1
Article 14 – paragraph 1
1. Member States shall ensure that public administrations and market operators take approprimarket operators listed in Annex II take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of the networks and information systems which they control and use in their operations. Having regard to the state of the art, theose measures shall guarantee a level of security appropriate to the risk presented. In particular, measures shall be taken to prevent and minimise the impact of incidents affecting their network and information system on the core services they provide and thus ensure the continuity of the services underpinned by those networks and information systems.
Amendment 202 #
Proposal for a directive
Article 14 – paragraph 2 – subparagraph 1 a (new)
Article 14 – paragraph 2 – subparagraph 1 a (new)
Those parameters shall be further specified in accordance with point (ib) of Article 8(3).
Amendment 209 #
Proposal for a directive
Article 14 – paragraph 4
Article 14 – paragraph 4
4. The competent authority may inform the public, or require the public administrations and market operators to do so, where it determines thatAfter consultation with the notified competent authority and the market operator concerned, the single point of contact may inform the public about individual incidents, where public awareness is necessary to prevent an incident or deal with an on-going incident, or where that market operator, subject to an incident, has refused to address a serious structural vulnerability related to that incident without undue delay. Before any public disclosure of, the incident is in the public interest. Once a year, the competent authoritynotified competent authority shall ensure that the market operator concerned has the possibility to be heard. Once a year, the single point of contact shall submit a summary report to the cooperation network on the notifications received and the action taken in accordance with this paragraph.
Amendment 213 #
Proposal for a directive
Article 14 – paragraph 8 a (new)
Article 14 – paragraph 8 a (new)
8a. Member States may decide to apply this Article and Article 15 to public administrations mutatis mutandis.
Amendment 215 #
Proposal for a directive
Article 15 – paragraph 2 – point b
Article 15 – paragraph 2 – point b
(b) undergoprovide evidence of effective implementation of security policies, such as the results of a security audit carried out by a qualified independent body or national authority, and make the results thereofevidence available to the competent authority or to the single point of contact.
Amendment 218 #
Proposal for a directive
Article 15 – paragraph 3 a (new)
Article 15 – paragraph 3 a (new)
3a. By way of derogation from point (b) of paragraph 2 of this Article, Member States may decide that the competent authorities or the single points of contact, as applicable, are to apply a different procedure to particular market operators, based on their level of criticality determined in accordance with Article 13a. In the event that Member States so decide: (a) competent authorities or the single points of contact, as applicable, shall have the power to submit a sufficiently specific request to market operators requiring them to provide evidence of effective implementation of security policies, such as the results of a security audit carried out by a qualified internal auditor, and make the evidence available to the competent authority or to the single point of contact; (b) where necessary, following the submission by the market operator of the request referred to in point (a), the competent authority or the single point of contact may require additional evidence or an additional audit to be carried out by a qualified independent body or national authority.
Amendment 219 #
Proposal for a directive
Article 15 – paragraph 4
Article 15 – paragraph 4
4. The competent authorities shall notifyand the single point of contact shall inform the market operators concerned about the possibility of reporting incidents of a suspected serious criminal nature to the law enforcement authorities.
Amendment 222 #
Proposal for a directive
Article 15 – paragraph 6 a (new)
Article 15 – paragraph 6 a (new)
6a. Member States may decide to apply Article 14 and this Article to public administrations mutatis mutandis.
Amendment 225 #
Proposal for a directive
Article 17 – paragraph 1 a (new)
Article 17 – paragraph 1 a (new)
1a. Member States shall ensure that the penalties referred to in paragraph 1 of this Article only apply where the market operator has failed to fulfil its obligations under Chapter IV with intent or as a result of gross negligence.
Amendment 227 #
Proposal for a directive
Article 18 – paragraph 2
Article 18 – paragraph 2
2. The power to adopt delegated acts referred to in Articles 9(2), 10(5) and 14 10(5) shall be conferred on the Commission for a period of five years from the date of transposition referred to in Article 21. The Commission shall draw up a report in respect of the delegation of power not later than nine months before the end of the five-year period. The delegation of power shall be tacitly extended for periods of an identical duration, unless the European Parliament or the Council opposes such extension not later than three months before the end of each period.
Amendment 230 #
Proposal for a directive
Annex 2 – paragraph 1 – point 2 – indent 1 a (new)
Annex 2 – paragraph 1 – point 2 – indent 1 a (new)
(d) Maritime transport (i) Maritime carriers (inland, sea and coastal passenger water transport companies and inland, sea and coastal freight water transport companies) (ii) Ports (iii) Traffic management control operators (iv) Auxiliary logistics services: - warehousing and storage, - cargo handling, and - other transportation support activities
Amendment 231 #
Proposal for a directive
Annex 2 – paragraph 1 – point 2 a (new)
Annex 2 – paragraph 1 – point 2 a (new)
2a. Water services