Activities of Seán KELLY related to 2022/0085(COD)
Shadow opinions (1)
OPINION on the proposal for a regulation of the European Parliament and of the Council laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union
Amendments (27)
Amendment 38 #
Proposal for a regulation
Recital 1
Recital 1
(1) In the digital age, information and communication technology is a cornerstone in an open, efficient and independent Union administration. Evolving technology and increased complexity and interconnectedness of digital systems amplify cybersecurity risks making the Union administration more vulnerable to cyber threats and incidents, which ultimately poses threats to the administration’s business continuity and capacity to secure its data. While increased use of cloud services, the ubiquitous use of ITinformation and communication technology ('ICT'), high digitalisation, remote work and evolving technology and connectivity are nowadays core features of all activities of the Union administration entities, digital resilience is not yet sufficiently built in.
Amendment 40 #
Proposal for a regulation
Recital 3
Recital 3
(3) The Union institutions, bodies and agencies’ ICT environments have interdependencies, integrated data flows and their users collaborate closely. This interconnection means that any disruption, even when initially confined to one Union institution, body or agency, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts on the others. In addition, certain institutions, bodies and agencies’ ICT environments are connected with Member States’ ICT environments, causing an incident in one Union entity to pose a risk to the cybersecurity of Member States’ ICT environments and vice versa.
Amendment 44 #
Proposal for a regulation
Recital 8
Recital 8
(8) In order to avoid imposing a disproportionate financial and administrative burden on Union institutions, bodies and agencies, the cybersecurity risk management requirements should be proportionate to the risk presented by the network and information system concerned, taking into account the state of the art of such measures. Each Union institution, body and agency should aim to allocate an adequate percentage of its ICT budget to improve its level of cybersecurity; in the longer term a target in the order of 10% should be pursued.
Amendment 47 #
Proposal for a regulation
Recital 13
Recital 13
(13) Many cyberattacks are part of wider campaigns that target groups of Union institutions, bodies and agencies or communities of interest that include Union institutions, bodies and agencies. To enable proactive detection, incident response or mitigating measures, Union institutions, bodies and agencies should notify CERT- EU of significant cyber threats, significant vulnerabilities and significant incidents and share appropriate technical details that enable detection or mitigation of, as well as response to, similar cyber threats, vulnerabilities and incidents in other Union institutions, bodies and agencies. Following the same approach as the one envisaged in Directive [proposal NIS 2], where entities become aware of a significant incident they should be required to submit an initial notification to CERT- EU within 24 hours. Such information exchange should enable CERT-EU to disseminate the information to other Union institutions, bodies and agencies, as well as to appropriate counterparts, to help protect the Union ICT environments and the Union’s counterparts’ ICT environments against similar incidents, threats and vulnerabilities.
Amendment 48 #
Proposal for a regulation
Recital 17
Recital 17
(17) CERT-EU should have the mission to contribute to the security of the ICT environment of all Union institutions, bodies and agencies. CERT-EU should act as the equivalent of the designated coordinator for the Union institutions, bodies and agencies, for the purpose of coordinated vulnerability disclosure to the European vulnerability registry as referred to in Article 6 of Directive [proposal NIS 2].
Amendment 49 #
Proposal for a regulation
Recital 18
Recital 18
(18) In 2020, CERT-EU’s Steering Board set a new strategic aim for CERT- EU to guarantee a comprehensive level of cyber defence for all Union institutions, bodies and agencies with suitable breadth and depth and continuous adaptation to current or impending threats, including attacks against mobile devices, cloud environments and internet-of-things devices. The strategic aim also includes broad-spectrum Security Operations Centres (SOCs) that monitor networks, and 24/7 monitoring for high-severity threats. For the larger Union institutions, bodies and agencies, CERT-EU should support their ICT security teams, including with first-line 24/7 monitoring. For smaller and some medium-sized Union institutions, bodies and agencies, CERT-EU should provide all the services.
Amendment 52 #
Proposal for a regulation
Recital 24
Recital 24
(24) As the services and tasks of CERT- EU are in the interest of all Union institutions, bodies and agencies, each Union institution, body and agency with ICT expenditure should contribute a fair shareproportionally to those services and tasks. Those contributions are without prejudice to the budgetary autonomy of the Union institutions, bodies and agencies.
Amendment 66 #
Proposal for a regulation
Article 4 – paragraph 1
Article 4 – paragraph 1
1. Each Union institution, body and agency shall establish its own internal cybersecurity risk management, governance and control framework (‘the framework’) in support of the entity’s mission and exercising its institutional autonomy. This work shall be overseen by the entity’s highest level of management to ensure an effective and prudent management of all cybersecurity risks. The framework shall be in place by …. at the latest [15 months after the date of entry into force of this Regulation].
Amendment 67 #
Proposal for a regulation
Article 4 – paragraph 2
Article 4 – paragraph 2
2. The framework shall cover the entirety of the ICT environment of the concerned institution, body or agency, including any on-premise ICT environment, outsourced assets and services in cloud computing environments or hosted by third parties, mobile devices, corporate networks, business networks not connected to the internet and any devices connected to the ICT environment. The framework shall take account of business continuity and crisis management and it shall consider supply chain security as well as the management of human risks that could impact the cybersecurity of the concerned Union institution, body or agency.
Amendment 69 #
Proposal for a regulation
Article 4 – paragraph 4
Article 4 – paragraph 4
4. Each Union institution, body and agency shall have effective mechanisms in place to ensure that an adequate percentaget least 10% of the ICT budget is spent on cybersecurity. The budget should eventually reach 10%.
Amendment 72 #
Proposal for a regulation
Article 5 – paragraph 1
Article 5 – paragraph 1
1. The highest level of management of each Union institution, body and agency shall approve the entity’s own cybersecurity baseline to address the risks identified under the framework referred to in Article 4(1). It shall do so in support of its mission and exercising its institutional autonomy. The cybersecurity baseline shall be in place by …. at the latest [18 months after the date of entry into force of this Regulation] and shall address the domains listed in Annex I and the measures listed in Annex II.
Amendment 77 #
Proposal for a regulation
Article 6 – paragraph 1
Article 6 – paragraph 1
Each Union institution, body and agency shall carry out a cybersecurity maturity assessment at least every three years, incorporating all the elements of their ICT environment as described in Article 4, taking account of the relevant guidance documents and recommendations adopted in accordance with Article 13.
Amendment 80 #
Proposal for a regulation
Article 7 – paragraph 3
Article 7 – paragraph 3
3. The cybersecurity plan shall consider anytake into consideration all proposed measures expressed in applicable guidance documents and recommendations issued by CERT-EU.
Amendment 82 #
Proposal for a regulation
Article 7 – paragraph 3 a (new)
Article 7 – paragraph 3 a (new)
3a. The Union institutions, bodies and agencies shall submit their cybersecurity plans to the Interinstitutional Cybersecurity Board (IICB).
Amendment 83 #
Proposal for a regulation
Article 8 – paragraph 1
Article 8 – paragraph 1
1. Upon completion of maturity assessments, the Union institutions, bodies and agencies shall submit thesem to the Interinstitutional Cybersecurity Board. Upon completion of security plans, the Union institutions, bodies and agencies shall notify the Interinstitutional Cybersecurity Board of the completion. Upon request of the Board, they shall report on specific aspects of this Chapter.
Amendment 84 #
Proposal for a regulation
Article 9 – paragraph 3 – subparagraph 1 – introductory part
Article 9 – paragraph 3 – subparagraph 1 – introductory part
The IICB shall consist of three representatives nominated by the Union Agencies Network (EUAN) upon a proposal of its ICT Advisory Committee to represent the interests of the agencies and bodies that run their own ICT environment and one representative designated by each of the following:
Amendment 87 #
Proposal for a regulation
Article 12 – paragraph 1
Article 12 – paragraph 1
1. The mission of CERT-EU, the autonomous interinstitutional Cybersecurity Centre for all Union institutions, bodies and agencies, shall be to contribute to the security of the unclassified ICT environment of all Union institutions, bodies and agencies by advising them on cybersecurity, by helping them to prevent, detect, mitigate and respond to incidents and by acting as their cybersecurity information exchange and incident response coordination hub.
Amendment 88 #
Proposal for a regulation
Article 12 – paragraph 2 – point d
Article 12 – paragraph 2 – point d
(d) raise to the attention of the IICB any issue relating to the implementation of this Regulation and of the implementation of the guidance documents, recommendations and calls for action and make proposals for redress;
Amendment 90 #
Proposal for a regulation
Article 12 – paragraph 5 – point a
Article 12 – paragraph 5 – point a
(a) services that support the cybersecurity of Union institutions, bodies and agencies’ ICT environment, other than those referred to in paragraph 2, on the basis of service level agreements and subject to available resources;
Amendment 91 #
Proposal for a regulation
Article 12 – paragraph 5 – point b
Article 12 – paragraph 5 – point b
(b) services that support cybersecurity operations or projects of Union institutions, bodies and agencies, other than those to protect their ICT environment, on the basis of written agreements and with the prior approval of the IICB;
Amendment 92 #
Proposal for a regulation
Article 12 – paragraph 5 – point c
Article 12 – paragraph 5 – point c
(c) services that support the security of their ICT environment to organisations other than the Union institutions, bodies and agencies that cooperate closely with Union institutions, bodies and agencies, for instance by having assigned tasks or responsibilities under Union law, on the basis of written agreements and with the prior approval of the IICB.
Amendment 94 #
Proposal for a regulation
Article 12 – paragraph 7
Article 12 – paragraph 7
7. CERT-EU may provide assistance to Union institutions, bodies and agencies regarding incidents in classified ICT environments if it is explicitly requested to do so by the constituent concerned.
Amendment 96 #
Proposal for a regulation
Article 16 – paragraph 1
Article 16 – paragraph 1
1. CERT-EU shall cooperate and exchange information with national counterparts in the Member States, including CERTs, National Cybersecurity Centres, CSIRTs, and single points of contact referred to in Article 8 of Directive [proposal NIS 2], on cyber threats, vulnerabilities and incidents, on possible countermeasures and on all matters relevant for improving the protection of the ICT environments of Union institutions, bodies and agencies, including through the CSIRTs network referred to in Article 13 of Directive [proposal NIS 2].
Amendment 101 #
Proposal for a regulation
Article 19 – paragraph 1
Article 19 – paragraph 1
1. To enable CERT-EU to coordinate vulnerability management and incident response, it may request Union institutions, bodies and agencies to provide it with information from their respective ICT system inventories that is relevant for the CERT-EU support. The requested institution, body or agency shall transmit the requested information, and any subsequent updates thereto, without undue delay.
Amendment 126 #
Proposal for a regulation
Article 24 – paragraph 3
Article 24 – paragraph 3
3. The Commission shall evaluate the functioning of this Regulation and report to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions no sooner than fivthree years after the date of entry into force, given the rapidly evolving cyber threat landscape.
Amendment 130 #
Proposal for a regulation
Annex I – paragraph 1 – point 3
Annex I – paragraph 1 – point 3
(3) asset management, including ICT asset inventory and ICT network cartography;
Amendment 133 #
Proposal for a regulation
Annex II – paragraph 1 – point 4 – point a
Annex II – paragraph 1 – point 4 – point a
(a) the removal of contractual barriers that limit information sharing from ICT service providers about incidents, vulnerabilities and cyber threats with CERT-EU;