Activities of Pilar del CASTILLO VERA related to 2020/0359(COD)
Plenary speeches (1)
A high common level of cybersecurity across the Union (debate)
Amendments (88)
Amendment 93 #
Proposal for a directive
Recital 3
Recital 3
(3) Network and information systems have developed into a central feature of everyday life with the speedy digital transformation and interconnectedness of society, including in cross-border exchanges. That development has led to an expansion of the cybersecurity threat landscape, bringing about new challenges, which require adapted, coordinated and innovative responses in all Member States. The number, magnitude, sophistication, frequency and impact of cybersecurity incidents are increasing, and present a major threat to the functioning of network and information systems. As a result, cyber incidents can impede the pursuit of economic activities in the internal market, generate financial losses, undermine user confidence and cause major damage to the Union economy and society. Cybersecurity preparedness and effectiveness are therefore now more essential than ever to the proper functioning of the internal market. The use of artificial intelligence in cybersecurity has the potential of improving the detection and to stop unsophisticated attacks, enabling resources to be diverted towards more sophisticated attacks. Member States should therefore encourage in their national strategies the use of automated tools in cybersecurity and the sharing of data needed to train and improve automated tools in cybersecurity.
Amendment 99 #
Proposal for a directive
Recital 11
Recital 11
(11) Depending on the sector in which they operate or the type of service they provide, the entities falling within the scope of this Directive should be classified into two categories: essential and important. That categorisation should take into account the level of criticality of the sector or of the type of service, as well as the level of dependency of other sectors or types of services. Both essential and iImportant entities should be subject to the same risk management requirements and reporting obligationlighter reporting obligations, and longer timelines to reflect the complexity of forensics. The supervisory and penalty regimes between these two categories of entities should be differentiated to ensure a fair balance between requirements and obligations on one hand, and the administrative burden stemming from the supervision of compliance on the other hand.
Amendment 106 #
Proposal for a directive
Recital 14
Recital 14
(14) In view of the interlinkages between cybersecurity and the physical security of entities, a coherent approach should be ensured between Directive (EU) XXX/XXX of the European Parliament and of the Council17 and this Directive. To achieve this, Member States should ensure that critical entities, and equivalent entities, pursuant to Directive (EU) XXX/XXX are considered to be essential entities under this Directive. Member States should also ensure that their cybersecurity strategies provide for a policy framework for enhanced coordination between the competent authority under this Directive and the one under Directive (EU) XXX/XXX in the context of information sharing on incidents and cyber threats and the exercise of supervisory tasks. Authorities under both Directives should cooperate and exchange information on a regular basis, particularly in relation to the identification of critical entities, cyber threats, cybersecurity risks, incidents affecting critical entities as well as on the cybersecurity measures taken by critical entities. Upon request of competent authorities under Directive (EU) XXX/XXX, competent authorities under this Directive should be allowed to exercise their supervisory and enforcement powers on an essential entity identified as critical. Both authorities should cooperate and exchange information for this purpose. _________________ 17[insert the full title and OJ publication reference when known]
Amendment 117 #
Proposal for a directive
Recital 19
Recital 19
(19) Postal service providers within the meaning of Directive 97/67/EC of the European Parliament and of the Council18 , as well as express and courier delivery service providers, should be subject to this Directive if they provide at least one of the steps in the postal delivery chain and in particular clearance, sorting or distribution, including pick-up services while taking into account the degree of their dependence on network and information systems. Transport services that are not undertaken in conjunction with one of those steps should fall outside of the scope of postal services. _________________ 18Directive 97/67/EC of the European Parliament and of the Council of 15 December 1997 on common rules for the development of the internal market of Community postal services and the improvement of quality of service (OJ L 15, 21.1.1998, p. 14).
Amendment 124 #
Proposal for a directive
Recital 24
Recital 24
(24) Member States should be adequately equipped, in terms of both technical and organisational capabilities, to prevent, detect, respond to and mitigate network and information system incidents and risks. Member States should ensure that CSIRTs have at their disposal an appropriate, secure, and resilient communication and information infrastructure to exchange information between CSIRTs and with essential and important entities and other relevant parties. Member States should therefore ensure that they have well-functioning CSIRTs, also known as computer emergency response teams (‘CERTs’), complying with essential requirements in order to guarantee effective and compatible capabilities to deal with incidents and risks and to ensure efficient cooperation at Union level. In view of enhancing the trust relationship between the entities and the CSIRTs, in cases where a CSIRT is part of the competent authority, Member States should consider functional separation between the operational tasks provided by CSIRTs, notably in relation to information sharing and support to the entities, and the supervisory activities of competent authorities.
Amendment 126 #
Proposal for a directive
Recital 25
Recital 25
(25) As regards personal data, CSIRTs should be able to provide, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council19 as regards personal data, on behalf of and upon request by an entity under this Directive, or in case of a serious threat to national security, a proactive scanning of the network and information systems used for the provision of their services. The knowledge whether an entity runs a privileged management interface, affects the speed of undertaking mitigating actions. It is critical that an entity or a CSIRTs upon an entity's request, have the ability to continuously discover, inventory, manage, and monitor all internet-facing assets, both on premises and in the cloud, to understand their overall organisational risk to newly discovered supply chain compromises or critical vulnerabilities. Member States should aim at ensuring an equal level of technical capabilities for all sectorial CSIRTs. Member States may request the assistance of the European Union Agency for Cybersecurity (ENISA) in developing national CSIRTs. _________________ 19Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).
Amendment 135 #
Proposal for a directive
Recital 29
Recital 29
(29) Member States, in cooperation with ENISA, should therefore take measures to facilitate coordinated vulnerability disclosure by establishing a relevant national policy. In this regard, Member States should designate a CSIRT to take the role of ‘coordinator’, acting as an intermediary between the reporting entities and the manufacturers or providers of ICT products or services where necessary. The tasks of the CSIRT coordinator should in particular include identifying and contacting concerned entities, supporting reporting entities, negotiating disclosure timelines, and managing vulnerabilities that affect multiple organisations (multi-party vulnerability disclosure). Where vulnerabilities affect multiple manufacturers or providers of ICT products or services established in more than one Member State, the designated CSIRTs from each of the affected Member States should cooperate within the CSIRTs Network.
Amendment 136 #
Proposal for a directive
Recital 30
Recital 30
(30) Access to correct and timely information on vulnerabilities affecting ICT products and services contributes to an enhanced cybersecurity risk management. In that regard, sources of publicly available information on vulnerabilities are an important tool for entities and their users, but also national competent authorities and CSIRTs. For this reason, ENISA should establish a vulnerability registry where, essential and important entities and their suppliers, as well as entities which do not fall in the scope of application of this Directive may, on a voluntary basis, disclose vulnerabilities and provide the vulnerability information that allows users to take appropriate mitigating measures. In general, to encourage a culture of disclosure of incidents a voluntary disclosure should be without detriment to the reporting entity. Any exchange of information shall preserve the confidentiality of that information and protect the security and commercial interests of essential or important entities
Amendment 162 #
Proposal for a directive
Recital 48
Recital 48
(48) In order to streamline the legal obligations imposed on providers of public electronic communications networks or publicly available electronic communications services, and trust service providers related to the security of their network and information systems, as well as to enable those entities and their respective competent authorities to benefit from the legal framework established by this Directive (including designation of CSIRT responsible for risk and incident handling, participation of competent authorities and bodies in the work of the Cooperation Group and the CSIRT network), they should be included in the scope of application of this Directive. The corresponding provisions laid down in Regulation (EU) No 910/2014 of the European Parliament and of the Council22 and Directive (EU) 2018/1972 of the European Parliament and of the Council23 related to the imposition of security and notification requirement on these types of entities should therefore be repealbe complemented. The rules on reporting obligations should be without prejudice to Regulation (EU) 2016/679 and Directive 2002/58/EC of the European Parliament and of the Council24 . _________________ 22 Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (OJ L 257, 28.8.2014, p. 73). 23Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code (OJ L 321, 17.12.2018, p. 36). 24Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p. 37).
Amendment 168 #
Proposal for a directive
Recital 51
Recital 51
(51) The internal market is more reliant on the functioning of the internet than ever before. The services of virtually all essential and important entities are dependent on services provided over the internet. In order to ensure the smooth provision of services provided by essential and important entities, it is important that public electronic communications networks, such as, for example, internet backbones or submarine communications cables, have appropriate cybersecurity measures in place and report security incidents in relation theretoas in Article 2 (41) of the European Electronic Communications Code (EECC).
Amendment 170 #
Proposal for a directive
Recital 53
Recital 53
(53) In particular, providers of public electronic communications networks or publicly available electronic communications services, should inform the service recipients of particular and significant cyber threats and of measures they can take to protect the security of their communications, for instance by using specific types of software or encryptiondata-centric security technologiiques.
Amendment 172 #
Proposal for a directive
Recital 54
Recital 54
(54) In order to safeguard the security of electronic communications networks and services, the use of encryption, and in particular end-to-end encryption, should be promoted and, where necessarydata-centric security techniques, such as encryption, tokenisation, segmentation, throttle access, marking, tagging, strong identity and access management, and automated access decisions, should be mandatorypromoted for providers of such services and networks in accordance with the principles of security and privacy by default and by design for the purposes of Article 18. The use of end- to-end encryption should be reconciled with the Member State’ powers to ensure the protection of their essential security interests and public security, and to permit the investigation, detection and prosecution of criminal offences in compliance with Union law. Solutions for lawful access to information in end-to-end encrypted communications should maintain the effectiveness of encryption in protecting privacy and security of communications, while providing an effective response to crime.
Amendment 178 #
Proposal for a directive
Recital 55
Recital 55
(55) This Directive lays down a two- stage approach to incident reporting in order to strike the right balance between, on the one hand, swift reporting that helps mitigate the potential spread of incidents and allows entities to seek support, and, on the other hand, in-depth reporting that draws valuable lessons from individual incidents and improves over time the resilience to cyber threats of individual companies and entire sectors. In this regard, the Directive should also include reporting of incidents that, based on an initial assessment performed by the entity, may be assumed to lead to substantial operational disruption or financial losses or affect other natural or legal persons by causing considerable material or non- material losses. The initial assessment should take into account amongst other, the affected network and information systems and in particular their importance in the provision of the entity’s services, the severity and technical characteristics of the cyber threat, and any underlying vulnerabilities that are being exploited as well as the entity’s experience with similar incidents. Where entities become aware of an incident, they should be required to submit an initial notification within 724 hours, followed by a final report not later than onthree months after. The initial notification should only include the information strictly necessary to make the competent authorities aware of the incident and allow the entity to seek assistance, if required. Such notification, where applicable, should indicate whether the incident is presumably caused by unlawful or malicious action. Member States should ensure that the requirement to submit this initial notification does not divert the reporting entity’s resources from activities related to incident handling that should be prioritised. To further prevent that incident reporting obligations either divert resources from incident response handling or may otherwise compromise the entities efforts in that respect, Member States should also provide that, in duly justified cases and in agreement with the competent authorities or the CSIRT, the entity concerned can deviate from the deadlines of 724 hours for the initial notification and onthree months for the final report.
Amendment 181 #
Proposal for a directive
Recital 59
Recital 59
(59) Maintaining accurate, verified and complete databases of domain names and registration data (so called ‘“WHOIS data’”) and providing lawful access to such data is essential to ensure the security, stability and resilience of the DNS, so that third- party rights could be protected and which in turn contributes to a high common level of cybersecurity within the Union. Where processing includes personal data such processing shall comply with Union data protection law.
Amendment 196 #
Proposal for a directive
Recital 69
Recital 69
(69) The processing of personal data, to the extent strictly necessary and proportionate for the purposes of ensuring network and information security by entities, public authorities, CERTs, CSIRTs, and providers of security technologies and services should constitute a legitimate interest of the data controller concerned, as referred to in Regulation (EU) 2016/679. That should include measures related to the prevention, detection, identification, containment, analysis and response to incidents, measures to raise awareness in relation to specific cyber threats, exchange of information in the context of vulnerability remediation and coordinated disclosure, as well as the voluntary exchange of information on those incidents, as well as cyber threats and vulnerabilities, indicators of compromise, tactics, techniques and procedures, cybersecurity alerts and configuration tools. Such measures may require the processing of the following types of personal data: IP addresses, uniform resources locators (URLs), domain names, and email addressespersonal data.
Amendment 197 #
Proposal for a directive
Recital 70
Recital 70
(70) In order to strengthen the supervisory powers and actions that help ensure effective compliance, this Directive should provide for a minimum list of supervisory actions and means through which competent authorities may supervise essential and important entities. The supervisory regime shall, amongst other issues, verify that essential and important entities take appropriate technical and organisational measures to manage the risks posed to the security of network and information systems by implementing basic computer hygiene practices such as software updates, device configuration, network segmentation, identity and access management or user awareness and training regarding corporate email cyber threats, phishing or social engineering techniques. In addition, this Directive should establish a differentiation of supervisory regime between essential and important entities with a view to ensuring a fair balance of obligations for both entities and competent authorities. Thus, essential entities should be subject to a fully-fledged supervisory regime (ex-ante and ex-post), while important entities should be subject to a light supervisory regime, ex-post only. For the latter, this means that important entities should not document systematically compliance with cybersecurity risk management requirements, while competent authorities should implement a reactive ex -post approach to supervision and, hence, not have a general obligation to supervise those entities.
Amendment 198 #
Proposal for a directive
Recital 71
Recital 71
(71) In order to make enforcement effective, a minimum list of administrative sanctions for breach of the cybersecurity risk management and reporting obligations provided by this Directive should be laid down, setting up a clear and consistent framework for such sanctions across the Union. Due regard should be given to the nature, gravity and duration of the infringement, the actual damage caused or losses incurred or potential damage or losses that could have been triggered, the intentional or negligent character of the infringement, actions taken to prevent or mitigate the damage and/or losses suffered, the degree of responsibility or any relevant previous infringements, the degree of cooperation with the competent authority and any other aggravating or mitigating factor. The imposition of penalties including administrative fines should respect the proportionality of the fines in order to avoid hampering businesses from innovating and be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter of Fundamental Rights of the European Union, including effective judicial protection and due process.
Amendment 200 #
Proposal for a directive
Recital 72
Recital 72
(72) In order to ensure effective enforcement of the obligations laid down in this Directive, each competent authority should have the power to impose or request the imposition of administrative fines if the infringement was intentional, negligent or the entity had had prior notice of the possibility of committing an infringement.
Amendment 203 #
Proposal for a directive
Recital 76
Recital 76
(76) In order to further strengthen the effectiveness and dissuasiveness of the penalties applicable to infringements of obligations laid down pursuant to this Directive, the competent authorities should be empowered to apply sanctions consisting of the suspension of a certification or authorisation concerning part or all the services provided by an essential entity and the imposition of a temporary ban from the exercise of managerial functions by a natural person. Given their severity and impact on the entities’ activities and ultimately on their consumers, such sanctions should only be applied proportionally to the severity of the infringement and taking account of the specific circumstances of each case, including the intentional or negligent character of the infringement, actions taken to prevent or mitigate the damage and/or losses suffered. Such sanctions should only be applied as ultima ratio, meaning only after the other relevant enforcement actions laid down by this Directive have been exhausted, and only for the time until the entities to which they apply take the necessary action to remedy the deficiencies or comply with the requirements of the competent authority for which such sanctions were applied. The imposition of such sanctions shall be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter of Fundamental Rights of the European Union, including effective judicial protection, due process, presumption of innocence and right of defence.
Amendment 216 #
Proposal for a directive
Article 2 – paragraph 1
Article 2 – paragraph 1
1. This Directive applies to public and private entities of a type referred to as essential entities in Annex I and as important entities in Annex II in so far as they carry out in-scope activities within the Union. This Directive does not apply to entities that qualify as micro and small enterprises within the meaning of Commission Recommendation 2003/361/EC.28 _________________ 28 Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium- sized enterprises (OJ L 124, 20.5.2003, p. 36).
Amendment 226 #
Proposal for a directive
Article 2 – paragraph 2 a (new)
Article 2 – paragraph 2 a (new)
2a. This Directive applies only to manufacturing facilities of important and essential entities listed in Annexes I and II that are located within the Union.
Amendment 244 #
Proposal for a directive
Article 4 – paragraph 1 – point 5
Article 4 – paragraph 1 – point 5
(5) ‘incident’ means any unwanted or unexpected event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the related services offered by, or accessible via, network and information systems;
Amendment 245 #
Proposal for a directive
Article 4 – paragraph 1 – point 5 – point i (new)
Article 4 – paragraph 1 – point 5 – point i (new)
(i) by way of derogation 'security incident' as defined in Article 2(41) of Directive (EU) 2018/1972 remains applicable for interpersonal electronic communications service providers.
Amendment 292 #
Proposal for a directive
Article 5 – paragraph 2 – point f
Article 5 – paragraph 2 – point f
(f) a policy on supporting academic and research institutions to develop and enhance cybersecurity tools and secure network infrastructure;
Amendment 294 #
Proposal for a directive
Article 5 – paragraph 2 – point h
Article 5 – paragraph 2 – point h
(h) a policy promoting cybersecurity and addressing specific needs of SMEs, in particular those excluded from the scope of this Directive, in relation tocluding guidance and support in improving their resilience to cybersecurity threats.
Amendment 296 #
Proposal for a directive
Article 5 – paragraph 2 – point h a (new)
Article 5 – paragraph 2 – point h a (new)
(ha) a policy raising awareness for cybersecurity threats and best practices among the general population.
Amendment 308 #
Proposal for a directive
Article 6 – paragraph 2
Article 6 – paragraph 2
2. ENISA shall develop and maintain a European vulnerability registry. To that end, ENISA shall establish and maintain the appropriate information systems, policies and procedures with a view in particular to enabling important and essential entities and their suppliers of network and information systems to disclose and register only those vulnerabilities present in ICT products or ICT services that have a mitigation available , as well as to provide access to the information on vulnerabilities contained in the registry to all interested parties. The registry shall, in particular, include information describing the vulnerability, the affected ICT product or ICT services and the severity of the vulnerability in terms of the circumstances under which it may be exploited, the availability of related patches and, in the absence of available patches, guidance addressed to users of vulnerable products and services as to how the risks resulting from disclosed vulnerabilities may be mitigated. When several users are affected by the same vulnerability, ENISA should coordinate the schedule of the installation of the mitigation patches.
Amendment 313 #
Proposal for a directive
Article 6 – paragraph 2 a (new)
Article 6 – paragraph 2 a (new)
2a. ENISA shall establish a structured cooperation agreements with Common Vulnerability and Exposure registry or other similar registries.
Amendment 317 #
Proposal for a directive
Article 8 – paragraph 2 a (new)
Article 8 – paragraph 2 a (new)
2a. Member States shall ensure that the competent authorities designated pursuant to paragraph 1 cooperate with competent authorities designated pursuant to Article 8 of (CER Directive) for the purposes of information sharing on incidents and cyber threats and the exercise of supervisory tasks.
Amendment 331 #
Proposal for a directive
Article 10 – paragraph 2 – point d a (new)
Article 10 – paragraph 2 – point d a (new)
(da) acquiring real time threat intelligence and sharing the information among public and private entities based on interoperable solutions.
Amendment 334 #
Proposal for a directive
Article 10 – paragraph 2 – point f a (new)
Article 10 – paragraph 2 – point f a (new)
(fa) contributing to the deployment of secure information sharing tools pursuant to Article 9(3) of this Directive.
Amendment 343 #
Proposal for a directive
Article 12 – paragraph 3 – subparagraph 2
Article 12 – paragraph 3 – subparagraph 2
Where appropriate, the Cooperation Group may invite representatives of relevant industry stakeholders covered by this Directive to participate in its work.
Amendment 366 #
Proposal for a directive
Article 15 – paragraph 1 – point c
Article 15 – paragraph 1 – point c
(c) a cybersecurity index providing for an aggregated assessment of the maturity level of Union's cybersecurity capabilities.
Amendment 373 #
Proposal for a directive
Article 16 – paragraph 1 – introductory part
Article 16 – paragraph 1 – introductory part
1. The Commission shall establish, after consulting the Cooperation Group and ENISA, and at the latest by 18 months following the entry into force of this Directive, the methodology and content of a peer-review system for assessing the effectiveness of the Member States’ cybersecurity policies. The reviews shall be conducted by cybersecurity technical experts drawn from Member States different than the one reviewed, in consultation with ENISA, and shall cover at least the following:
Amendment 377 #
Proposal for a directive
Article 16 – paragraph 5
Article 16 – paragraph 5
5. Once reviewed in a Member State, the same aspects shall not be subject to further peer review within that Member State during the two years following the conclusion of a peer review, unless otherwise decided by the Commission,operation Group upon consultation with ENISA and the Cooperation Groupthe Commission and ENISA.
Amendment 380 #
Proposal for a directive
Article 16 – paragraph 7
Article 16 – paragraph 7
7. Experts participating in peer reviews shall draft reports on the findings and conclusions of the reviews. The reports shall be submitted to the Commission, the Cooperation Group, the CSIRTs network and ENISA. The reports shall be discussed in the Cooperation Group and the CSIRTs network. The reports may be published on the dedicated website of the Cooperation Group.
Amendment 392 #
Proposal for a directive
Article 18 – paragraph 2 – point b
Article 18 – paragraph 2 – point b
(b) incident handling (prevention, detection, and response tocontainment, response to, and mitigation of incidents);
Amendment 398 #
Proposal for a directive
Article 18 – paragraph 2 – point f
Article 18 – paragraph 2 – point f
(f) policies and procedures (training, testing and auditing) to assess the effectiveness of cybersecurity risk management measures;
Amendment 401 #
Proposal for a directive
Article 18 – paragraph 2 – point g
Article 18 – paragraph 2 – point g
(g) support the use of cryptography and encryption, where appropriate.
Amendment 405 #
Proposal for a directive
Article 18 – paragraph 2 – point g a (new)
Article 18 – paragraph 2 – point g a (new)
(ga) wide adoption of basic computer hygiene practices such as software updates, device configuration, network segmentation, identity and access management or user awareness and training regarding corporate email cyber threats, phishing or social engineering techniques.
Amendment 407 #
Proposal for a directive
Article 18 – paragraph 3
Article 18 – paragraph 3
3. Member States shall ensure that, where considering appropriate measures referred to in point (d) of paragraph 2, entities shall take into account the vulnerabilities specific to each first-level supplier and service provider and the overall quality of products and cybersecurity practices of their first-level suppliers and service providers, including their secure development procedures.
Amendment 412 #
Proposal for a directive
Article 18 – paragraph 5
Article 18 – paragraph 5
5. ENISA, in collaboration with Member States shall draw up advice and guidelines regarding the technical and methodological specifications areas to be considered in relation to paragraph 2. The Commission may adopt implementing acts in order to lay down the technical and the methodological specifications of the elements referred to in paragraph 2. Where preparing those acts, the Commission shall proceed in accordance with the examination procedure referred to in Article 37(2) and follow, to the greatest extent possible, European and international and European standards, as well as relevant technical specifications. In developing implementing acts, the Commission shall also consult all relevant stakeholders by means of a formal, open, transparent and inclusive consultation process.
Amendment 413 #
Proposal for a directive
Article 18 – paragraph 5
Article 18 – paragraph 5
5. The Commission may adopt implementingdelegated acts in order to lay down the technical and the methodological specifications of the elements referred to in paragraph 2. Where preparing those acts, the Commission shall proceed in accordance with the examination procedure referred to in Article 37(2)6 and follow, to the greatest extent possible, international and European standards, as well as relevant technical specifications.
Amendment 423 #
Proposal for a directive
Article 19 – paragraph 2 a (new)
Article 19 – paragraph 2 a (new)
2a. The Stakeholder Cybersecurity Certification Group as per pursuant to Article 22 of Regulation (EU) 2019/881 shall issue an opinion on security risk assessments of specific critical ICT services, systems or products supply chains and the opinion shall be taken into account by the Cooperation Group and ENISA when it develops and executes an EU coordinated risk assessment of critical supply chain.
Amendment 430 #
Proposal for a directive
Article 20 – paragraph 2 – subparagraph 1
Article 20 – paragraph 2 – subparagraph 1
Amendment 434 #
Proposal for a directive
Article 20 – paragraph 2 – subparagraph 2
Article 20 – paragraph 2 – subparagraph 2
Amendment 447 #
Proposal for a directive
Article 20 – paragraph 4 – subparagraph 1 – point a
Article 20 – paragraph 4 – subparagraph 1 – point a
(a) without undue delay and in any event wino later thian 724 hours after having become aware of the incident, an initial notification, which, where applicable, shall indicate whether the incident is presumably caused by unlawful or malicious action;
Amendment 451 #
Proposal for a directive
Article 20 – paragraph 4 – subparagraph 1 – point c – introductory part
Article 20 – paragraph 4 – subparagraph 1 – point c – introductory part
(c) a finalstatus report not later than one monththree months for an essential entity and no later than four months for an important entity after the submission of the report initial notification under point (a), including at least the following:
Amendment 456 #
Proposal for a directive
Article 20 – paragraph 4 – subparagraph 1 – point c a (new)
Article 20 – paragraph 4 – subparagraph 1 – point c a (new)
(ca) a final report should be drawn up one month after the incident had been mitigated.
Amendment 457 #
Proposal for a directive
Article 20 – paragraph 4 – subparagraph 1 a (new)
Article 20 – paragraph 4 – subparagraph 1 a (new)
Member States may establish a single entry point for all notifications required under this Directive, the Regulation (EU) 2016/679, Directive2002/58/EC and sector specific legislation.
Amendment 458 #
Proposal for a directive
Article 20 – paragraph 4 – subparagraph 1 b (new)
Article 20 – paragraph 4 – subparagraph 1 b (new)
ENISA, in cooperation with the Cooperation Group, should develop common notification templates by means of guidelines to streamline the reporting information requested by this Directive and decrease the burdens for reporting entities.
Amendment 459 #
Proposal for a directive
Article 20 – paragraph 4 – subparagraph 1 c (new)
Article 20 – paragraph 4 – subparagraph 1 c (new)
Member States shall ensure confidentiality and appropriate protections around sensitive information about incidents shared with competent authorities, and enact parameters around how incident information is further shared and reused.
Amendment 461 #
Proposal for a directive
Article 20 – paragraph 5
Article 20 – paragraph 5
5. The competent national authorities or the CSIRT shall provide, within 24 hours after receiving the initial notification referred to in point (a) of paragraph 4, a response to the notifying entity, including initial feedback on the incident and, upon request of the entity, guidance and actionable advice on the implementation of possible mitigation measures. Where the CSIRT did not receive the notification referred to in paragraph 1 , the guidance and actionable advice shall be provided by the competent authority in collaboration with the CSIRT. The CSIRT shall provide additional technical support if the concerned entity so requests. Where the incident is suspected to be of criminal nature, the competent national authorities or the CSIRT shall also provide guidance on reporting the incident to law enforcement authorities.
Amendment 467 #
Proposal for a directive
Article 20 – paragraph 7
Article 20 – paragraph 7
7. Where public awareness is necessary to prevent an incident or to deal with an ongoing incident, or where disclosure of the incident is otherwise in the public interest, the competent authority or the CSIRT, and where appropriate the authorities or the CSIRTs of other Member States concerned may, after consulting require the entity concerned,to inform the public about the incident or require the entity to do so.
Amendment 473 #
Proposal for a directive
Article 20 – paragraph 8
Article 20 – paragraph 8
8. At the request of the competent authority or the CSIRT, the single point of contact shall forward notifications received pursuant to paragraphs 1 and 2 to the single points of contact of other affected Member States.
Amendment 476 #
Proposal for a directive
Article 20 – paragraph 9
Article 20 – paragraph 9
9. The single point of contact shall submit to ENISA on a monthly basis a summary report including anonymised and aggregated data on incidents, significant cyber threats and near misses notified in accordance with paragraphs 1 and 2 and in accordance with Article 27. In order to contribute to the provision of comparable information, ENISA may issue technical guidance on the parameters of the information included in the summary report.
Amendment 479 #
Proposal for a directive
Article 20 – paragraph 10
Article 20 – paragraph 10
10. Competent authorities shall provide to the competent authorities designated pursuant to Directive (EU) XXXX/XXXX [Resilience of Critical Entities Directive] information on incidents and cyber threats notified in accordance with paragraphs 1 and 2 by essential entities identified as critical entities, or as entities equivalent to critical entities, pursuant to Directive (EU) XXXX/XXXX [Resilience of Critical Entities Directive].
Amendment 482 #
Proposal for a directive
Article 20 – paragraph 11
Article 20 – paragraph 11
11. The Commission, may adopt implementing actsENISA shall develop a common EU-wide template further specifying the type of information, the format and the procedure of a notification submitted pursuant to paragraphs 1 and 2. The Commission may also adopt implementing acts to further specify the cases in which an incident shall be considered significant as referred to in paragraph 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 37(2).
Amendment 492 #
Proposal for a directive
Article 21 – paragraph 1
Article 21 – paragraph 1
1. In order to demonstrate compliance with certain requirements of Article 18, Member States may requirshall encourage essential and important entities to certify certain ICT products, ICT services and ICT processes under specific European cybersecurity certification schemes adopted pursuant to Article 49 of Regulation (EU) 2019/881. The products, services and processes subject to certification may be developed by an essential or important entity or procured from third parties.
Amendment 495 #
Proposal for a directive
Article 21 – paragraph 2
Article 21 – paragraph 2
Amendment 500 #
Proposal for a directive
Article 21 – paragraph 3
Article 21 – paragraph 3
3. The Commission, after consulting the Cooperation Group and the European Cybersecurity Certification Group, may request ENISA to prepare a candidate scheme pursuant to Article 48(2) of Regulation (EU) 2019/881 in cases where no appropriate European cybersecurity certification scheme for the purposes of paragraph 2 is available.
Amendment 503 #
Proposal for a directive
Article 23 – paragraph 1
Article 23 – paragraph 1
1. For the purpose of contributing to the security, stability and resilience of the DNS, Member States shall ensure that TLD registries and the entities providing domain name registration services for the TLDregistrars shall collect and maintain accurate, verified and complete domain name registration data in a dedicated database facility with due diligence subject to Union data protection law as regards data which are personal data.
Amendment 504 #
Proposal for a directive
Article 23 – paragraph 3
Article 23 – paragraph 3
3. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLDregistrars have policies and procedures in place to ensure that the databases include accurate and complete information. Member States shall ensure that such policies and procedures are made publicly available.
Amendment 506 #
Proposal for a directive
Article 23 – paragraph 4
Article 23 – paragraph 4
4. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLDand the registrars publish, without undue delay but no later than 24 hours after the registration of a domain name, fees, domain registration data, which are not personal data.
Amendment 508 #
Proposal for a directive
Article 23 – paragraph 5
Article 23 – paragraph 5
5. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLDregistrars provide access to specific domain name registration data upon lawful and duly justified requests of legitimate access seekers, in compliance with Union data protection law. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLDregistrars reply without undue delay to all requests for access. Member States shall ensure that policies and procedures to disclose such data are made publicly available.
Amendment 515 #
Proposal for a directive
Article 24 – paragraph 2
Article 24 – paragraph 2
2. For the purposes of this Directive, entities providing activities referred to in paragraph 1 shall be deemed to have their main establishment in the Union in the Member State where the decisions related to the cybersecurity risk management measures are taken. If such decisions are not taken in any establishment in the Union, the main establishment shall be deemed to be in the Member State where the entities have the establishment with the highest number of employeesthe place of its central administration in the Union.
Amendment 516 #
Proposal for a directive
Article 24 – paragraph 2 a (new)
Article 24 – paragraph 2 a (new)
2a. Essential and important entities should be subject to this Directive only in those Member States where they perform activities relevant to their designation as essential or important entities.
Amendment 519 #
Proposal for a directive
Article 25 – paragraph 1 – introductory part
Article 25 – paragraph 1 – introductory part
1. ENISA shall create and maintain a registry for essential and important entities referred to in Article 24(1). The entities shall submit the following information to ENISA by [12 months after entering into force of the Directive at the latest], including the following information:
Amendment 521 #
Proposal for a directive
Article 25 – paragraph 3
Article 25 – paragraph 3
Amendment 524 #
Proposal for a directive
Article 26 – paragraph 1 – introductory part
Article 26 – paragraph 1 – introductory part
1. Without prejudice to Regulation (EU) 2016/679, Member States shall ensure that essential and important entities may exchange relevant cybersecurity information among themselves including information relating to cyber threats, vulnerabilities, indicators of compromise, industrial espionage tactics, techniques and procedures, cybersecurity alerts, metadata and configuration tools, where such information sharing:
Amendment 525 #
Proposal for a directive
Article 26 – paragraph 1 – point b
Article 26 – paragraph 1 – point b
(b) enhances the level of cybersecurity, in particular through raising awareness in relation to cyber threats, limiting or impeding such threats ‘ability to spread, supporting a range of defensive capabilities, vulnerability remediation and disclosure, threat detection, containment and prevention techniques, mitigation strategies, or response and recovery stages, facilitating collaboration in cyber threat research among public entities, private entities and research bodies.
Amendment 526 #
Proposal for a directive
Article 26 – paragraph 2
Article 26 – paragraph 2
2. Member States shall ensure that the exchange of information takes place within trusted communities of essential and important entities. Such exchange shall be implemented through information sharing arrangements in respect of the potentially sensitive nature of the information shared and in compliance with the rules of Union law referred to in paragraph 1.
Amendment 530 #
Proposal for a directive
Article 26 – paragraph 3
Article 26 – paragraph 3
3. Member States, pursuant to paragraph 5, shall set out rules specifying the procedure, operational elements (including the use of dedicated ICT platforms and tools), content and conditions of the information sharing arrangements referred to in paragraph 2. Such rules shall also lay down the details of the involvement of public authorities in such arrangements, as well as operational elements, including the use of dedicated IT platforms. Member States shall offer support to the application of such arrangements in accordance with their policies referred to in Article 5(2) (g).
Amendment 537 #
Proposal for a directive
Article 27 – paragraph 1
Article 27 – paragraph 1
Member States shall ensure that, without prejudice to Article 3, entities within the scope and those falling outside the scope of this Directive may submit notifications, on a voluntary basis, of significant incidents, cyber threats or near misses. When processing notifications, Member States shall act in accordance with the procedure laid down in Article 20. Member States may prioritise the processing of mandatory notifications over voluntary notifications. Voluntary reporting shall not result in the imposition of any additional obligations upon the reporting entity to which it would not have been subject had it not submitted the notification.
Amendment 541 #
Proposal for a directive
Article 29 – paragraph 1
Article 29 – paragraph 1
1. Member States shall ensure that the measures of supervision or enforcement imposed on essential entities in respect of the obligations set out in this Directive are effective, proportionate and dissuasive, taking into account the circumstances of each individual case of each individual case as well as the need to promote the exchange of information between competent authorities and essential entities.
Amendment 542 #
Proposal for a directive
Article 29 – paragraph 2 – point a
Article 29 – paragraph 2 – point a
(a) on-site inspections and off-site supervision, including random checks, carried out by certified professionals;
Amendment 543 #
Proposal for a directive
Article 29 – paragraph 2 – point b
Article 29 – paragraph 2 – point b
(b) regularannual audits;
Amendment 544 #
Proposal for a directive
Article 29 – paragraph 2 – point b – point i (new)
Article 29 – paragraph 2 – point b – point i (new)
(i) an ad hoc audit can be carried out in cases justified on the ground of a significant incident or non-compliance by the essential entity;
Amendment 548 #
Proposal for a directive
Article 29 – paragraph 2 a (new)
Article 29 – paragraph 2 a (new)
2a. where exercising their power under points (a) to (d) in paragraph 2, the competent authorities shall follow a due process in order to minimise the impact on business processes for the entity;
Amendment 551 #
Proposal for a directive
Article 29 – paragraph 4 – point h
Article 29 – paragraph 4 – point h
(h) order, where necessary for risk management purposes, those entities to make public aspects of non-compliance with the obligations laid down in this Directive in a specified manner;
Amendment 553 #
Proposal for a directive
Article 29 – paragraph 4 – point i
Article 29 – paragraph 4 – point i
(i) make a public statement, where necessary for risk management purposes, which identifies the legal and natural person(s) responsible for the infringement of an obligation laid down in this Directive and the nature of that infringement;
Amendment 554 #
Proposal for a directive
Article 29 – paragraph 4 – point j
Article 29 – paragraph 4 – point j
(j) impose or request the imposition by the relevant bodies or courts according to national laws of an administrative fine pursuant to Article 31 in addition to, or instead of, the measures referred to in points (a) to (i) of this paragraph, depending on the circumstances of each individual case.
Amendment 561 #
Proposal for a directive
Article 29 – paragraph 5 – subparagraph 1 – point b
Article 29 – paragraph 5 – subparagraph 1 – point b
Amendment 571 #
Proposal for a directive
Article 29 – paragraph 7 – point c
Article 29 – paragraph 7 – point c
(c) the actual damage caused or losses incurred or potential damage or losses that could have been triggered, insofar as they can be determined. Where evaluating this aspect, account shall be taken, amongst others, of actual or potential financial or economic losses, effects on other services, number of users affected or potentially affected;
Amendment 576 #
Proposal for a directive
Article 30 – paragraph 4 – point g
Article 30 – paragraph 4 – point g
(g) order, where necessary for risk management purposes, those entities to make public aspects of non-compliance with their obligations laid down in this Directive in a specified manner;
Amendment 578 #
Proposal for a directive
Article 30 – paragraph 4 – point h
Article 30 – paragraph 4 – point h
(h) make a public statement, where necessary for risk management purposes, which identifies the legal and natural person(s) responsible for the infringement of an obligation laid down in this Directive and the nature of that infringement;
Amendment 579 #
Proposal for a directive
Article 31 – paragraph 1
Article 31 – paragraph 1
1. Member States shall ensure that the imposition of administrative fines on essential and important entities pursuant to this Article in respect of infringements of the obligations laid down in this Directive are, in each individual case, effective, proportionate and dissuasive and only imposed if the infringement was intentional, negligent or the entity had had prior notice of the possibility of committing an infringement.
Amendment 589 #
Proposal for a directive
Article 38 – paragraph 1
Article 38 – paragraph 1
1. Member States shall adopt and publish, by … [1824 months after the date of entry into force of this Directive], the laws, regulations and administrative provisions necessary to comply with this Directive. They shall immediately inform the Commission thereof. They shall apply those measures from … [one day after the date referred to in the first subparagraph].