Activities of Christian ENGSTRÖM related to 2013/0027(COD)
Plenary speeches (1)
High common level of network and information security (debate)
Shadow reports (1)
REPORT on the proposal for a directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union
Amendments (24)
Amendment 110
Proposal for a directive
Recital 3 a (new)
(3a) Since the more common causes of system failure, such as natural causes or human error, continue to be unintentional, infrastructure should be resilient both to intentional and unintentional disruptions, and operators of critical infrastructure should design resilience-based systems that remain operational even when other systems beyond their control fail.
Amendment 117
Proposal for a directive
Recital 13 a (new)
(13a) Where possible, Member States may use or adapt existing organisational structures when applying the provisions of this Directive. An inventory and assessment should be made of existing plans and processes by Member States when elaborating the national NIS strategies.
Amendment 118
Proposal for a directive
Recital 14
(14) A secure information-sharing infrastructure should be put in place to allow for the exchange of sensitive and confidential information within the cooperation network. The Secure Trans European Services for Telematics between Administrations (STESTA) could be used for this purpose. Without prejudice to their obligation to notify incidents and risks of Union dimension to the cooperation network, access to confidential information from other Member States should only be granted to Member States upon demonstration that their technical, financial and human resources and processes, as well as their communication infrastructure, guarantee their effective, efficient and secure participation in the network.
Amendment 120
Proposal for a directive
Recital 16
(16) To ensure transparency and properly inform EU citizens and market operators, the competent authorities should set up a common website to publish non-confidential information on the incidents and risks. Any personal data published on this website should be limited to only what is necessary and as anonymous as possible.
Amendment 124
Proposal for a directive
Recital 21
(21) Given the global nature of NIS problems, there is a need for closer international cooperation to improve security standards and information exchange, and promote a common global approach to NIS issues. Any framework for such international cooperation should be subject to the provisions of Directive 95/46/EC and Regulation (EC) No 45/2001.
Amendment 130
Proposal for a directive
Recital 30 a (new)
(30a) This Directive is without prejudice to the Union acquis relating to data protection. Any personal data used according to the provisions of this Directive should be limited to what is strictly necessary and only transmitted to the actors strictly necessary, and be as anonymous as possible, if not completely anonymous.
Amendment 131
Proposal for a directive
Recital 30 b (new)
(30b) Adopting at EU level general data protection legislation should precede the adoption of cybersecurity legislation at EU level. Therefore, this Directive should be adopted only after the General Data Protection Regulation has been adopted.
Amendment 132
Proposal for a directive
Recital 31
(31) Personal data are in many cases compromised as a result of incidents. In this context, competent authorities and data protection authorities should cooperate and exchange information on all relevant matters, where appropriate with market operators, in order to tackle the personal data breaches resulting from incidents in line with applicable data protection rules. Member States shall implement the obligation to notify security incidents in a way that minimises the administrative burden in case the security incident is also a personal data breach in line with the Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Liaising with the competent authorities and the data protection authorities, ENISA could assist by developing information exchange mechanisms and templates, avoiding the need for two notification templates. This single notification template would facilitate the reporting of incidents compromising personal data, thereby easing the administrative burden on businesses and public administrations.
Amendment 142
Proposal for a directive
Article 1 – paragraph 5
5. This Directive shall also be without prejudice to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and to Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector and to Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data. Any use of the personal data should be limited to what is strictly necessary for the purposes of this Directive, and this data should be as anonymous as possible, if not completely anonymous.
Amendment 145
Proposal for a directive
Article 3 – point 2 a (new)
(2a) "cyber resilience" means the ability of a network and information system to resist and recover to full operational capacity after incidents, including but not limited to, technical malfunction, power failure or security incidents;
Amendment 149
Proposal for a directive
Article 3 – point 8 – point b
(b) operator of critical infrastructure that are essential for the maintenance of vital economic and societal activities in the fields of energy, transport, banking, stock exchanges and stability and resilience, public health, public safety or any combination thereof, and the disruption or destruction of which would have a significant impact in a Member State as a result of the failure to maintain those functions, a non-exhaustive list of which is set out in Annex II.
Amendment 157
Proposal for a directive
Article 5 – paragraph 2 – point a
(a) A risk assessment plan to identify risks and assess the impacts of potential incidents; the plan should be reviewed and updated annually;
Amendment 161
Proposal for a directive
Article 5 – paragraph 3
3. The national NIS strategy and the national NIS cooperation plan shall be communicated to the Commission within three months from their adoption.
Amendment 176
Proposal for a directive
Article 8 – paragraph 4
4. The Commission shall establish, by means of implementing acts, the necessary modalities to facilitate the cooperation between competent authorities and the Commission referred to in paragraphs 2 and 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 19(2).
Amendment 177
Proposal for a directive
Article 9 – paragraph 1 a (new)
1a. Personal data shall be only disclosed to recipients who need to process these data for the performance of their tasks in accordance with an appropriate legal basis. The disclosed data shall be limited to what is necessary for the performance of their tasks. Compliance with the purpose limitation principle shall be ensured. The time limit for the retention of these data shall be specified for the purposes set out in this Directive.
Amendment 178
Proposal for a directive
Article 9 – paragraph 1 b (new)
1b. The criteria for the participation of Member States in the secure information sharing system to ensure that a high level of security and resilience is guaranteed by all participants at all steps of the processing, including by appropriate confidentiality and security measures in accordance with Articles 16 and 17 of Directive 95/46/EC and Articles 21 and 22 of Regulation (EC) No 45/2001.
Amendment 180
Proposal for a directive
Article 9 – paragraph 2 – introductory part
2. The Commission shall be empowered to adopt delegated acts in accordance with Article 18 concerning the definition of the criteria to be fulfilled for a Member State to be authorized to participate in the secure information-sharing system, regarding:
Amendment 192
Proposal for a directive
Article 11 – paragraph 2 a (new)
2a. Sufficient redundancy shall be built into a coordinated response plan.
Amendment 194
Proposal for a directive
Article 12 – paragraph 3 a (new)
3a. The Union NIS cooperation plan shall be designed to be coherent with national NIS strategies and cooperation plans as provided by Article 5 of this Directive, including where appropriate, the inventory referred to in Recital 13a.
Amendment 199
Proposal for a directive
Article 14 – paragraph 1
1. Member States shall ensure that public administrations and market operators take appropriate technical and organisational measures to manage the risks posed to the security of the networks and information systems which they control and use in their operations. Having regard to the state of the art, these measures shall ensure a level of security appropriate to the risk presented. In particular, effective and proportionate measures shall be taken to prevent and minimise the impact of incidents affecting their network and information system on the core services they provide and thus ensure the continuity of the core services underpinned by those networks and information systems. Where necessary, public administrations and market operators must also take, at their own costs, appropriate and immediate measures to remedy any new, unforeseen security risks and restore the normal security level of the service.
Amendment 203
Proposal for a directive
Article 14 – paragraph 2 a (new)
2a. Software producers shall be responsible for correcting security breaches, within 24 hours of being informed for serious cases, and 72 hours for cases where the effects are unlikely to result in any significant financial loss or serious breach of privacy.
Amendment 205
Proposal for a directive
Article 14 – paragraph 2 b (new)
2b. Commercial software producers shall not be protected from "no-liability" clauses when it can be demonstrated that their products are not properly designed to handle foreseeable security threats.
Amendment 206
Proposal for a directive
Article 14 – paragraph 2 c (new)
2c. The supervisory body concerned shall also inform the public or require the trust service provider to do so. Notification and publication shall normally occur without undue delay; however the trust service provider may request a delay in notification and publication so that vulnerabilities can be fixed. If the supervisory body grants such a delay, it shall not exceed 45 days and the responsible entity shall agree to indemnify all relying parties, wherever in the world they are located, against losses directly arising from the delay in notification.
Amendment 224
Proposal for a directive
Article 16 – paragraph 1
1. To ensure convergent implementation of Article 14(1), Member States shall encourage the use of open standards and/or specifications relevant to networks and information security.