Activities of Ágnes HANKISS related to 2013/0027(COD)
Plenary speeches (1)
High common level of network and information security (debate)
Shadow opinions (1)
OPINION on the proposal for a directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union
Amendments (28)
Amendment 21 #
Proposal for a directive
Recital 2
(2) The magnitude and frequency of deliberate or accidental security incidents is increasing and represents a major threat to the functioning of networks and information systems. Such incidents can impede the pursuit of economic activities, generate substantial financial losses, undermine user confidence and cause major damage to the economy of the Union. There has been a growing recognition that control systems are vulnerable to cyber-attacks from numerous sources, including hostile governments, terrorist groups and other malicious intruders. Smart attacks and coordinated attacks could have severe impacts to the stability, performance, and economics of the infrastructure.
Amendment 23 #
Proposal for a directive
Recital 4 a (new)
(4a) Member States shall commit sufficient resources to domestic counter-radicalisation and counter-terrorism as it extends quickly to critical infrastructure protection; they shall commit for closer cooperation between the EU and NATO in counter-terrorism policy. HR/VP and EU Counter-terrorism Coordinator shall be actively engaged in discussions with NATO.
Amendment 25 #
Proposal for a directive
Recital 4 a (new)
(4a) This Directive should focus on the truly critical component of critical infrastructure: (1) that is critical due to its structural position in the whole system of infrastructures and reinforces interdependencies between other infrastructures and sectors; (2) that is inherently critical because of its role or function in society.
Amendment 28 #
Proposal for a directive
Recital 6 a (new)
(6a) It is vital to acknowledge the uncertainty inherent in the complex systems that sustain us. This requires better shared understanding of what is critical between those who protect an organization and those who set its strategic direction.
Amendment 31 #
Proposal for a directive
Article 5 – paragraph 1 – point a
(a) The definition of the objectives and priorities of the strategy based on an up-to-date risk and incident analysisregulatory measures, that can serve as a basis for comprehensive risk management and incident analyses, should be defined according to each national NIS strategy; accordingly calls on each Member State to ensure a solid policy-making and regulatory environment;
Amendment 31 #
Proposal for a directive
Recital 10
(10) To allow for the effective implementation of the provisions adopted pursuant to this Directive, a bodynational competent authority under civilian control with full democratic oversight and transparency in their operations being responsible for coordinating NIS issues and acting as a focal point for cross-border cooperation at Union level should be established or identified in each Member State. These bodies national competent authority and the national single point of contact should be given the adequate technical, financial and human resources to ensure that they can carry out in an effective and efficient manner the tasks assigned to them and thus achieve the objectives of this Directive.
Amendment 32 #
Proposal for a directive
Recital 12 a (new)
(12a) This cooperation network should also allow for the competent national authorities and the Commission, in consultation with ENISA, Europol's Cybercrime Centre and relevant public administrations and market operators, to share experience, discuss any questions and agree on all aspects related to the consistent interpretation and the smooth and harmonious implementation of this Directive and in particular of its Chapter IV across all Member States.
Amendment 33 #
Proposal for a directive
Article 7 – paragraph 1
1. Each Member State shall set up at least one Computer Emergency Response Team (hereinafter: ‘CERT’) responsible for handling incidents and risks according to a well-defined process, which shall comply with the requirements set out in point (1) of Annex I. A CERT may be established within the competent authority.
Amendment 33 #
Proposal for a directive
Recital 14 a (new)
(14a) More sectors adopt cloud services in their computing environment such as IT services operating critical infrastructure. Sufficient security measures need to ensure the confidentiality, integrity and availability of the data in the cloud. Hosting infrastructure services, and storing sensitive data in the cloud environment brings with it security and resilience requirements that existing cloud services are not well placed to address. Therefore, there needs to be an assurance that the cloud computing environment can provide proficient protection of the sensitive critical infrastructure data, through the development of innovative techniques for detecting intrusions.
Amendment 34 #
Proposal for a directive
Recital 15
(15) As most network and information systems are privately operated, cooperation between the public and private sector is essential. Market operators should be encouraged to pursue their own informal cooperation mechanisms to ensure NIS. They should also cooperate with the public sector and mutually share information and best practices in exchange ofas well as reciprocal operational support as needed in case of incidents.
Amendment 39 #
Proposal for a directive
Recital 16 a (new)
(16a) The threshold which triggers the notification requirement should be defined in such a way so that it builds on the ENISA technical guidelines on reporting incidents for Directive 2009/140/EC and focusses the notification requirement on those breaches which do or may affect the continuity or integrity of networks and services concerned. This will promote conditions and criteria for the consistent application and harmonized enforcement of the provisions of this Directive.
Amendment 41 #
Proposal for a directive
Recital 18 a (new)
(18a) In order to avoid duplication among the on-going activities performed by various international and EU institutions, bodies and agencies and already existing CERTs, the opportunity to engage in the cooperation network to the most feasible extent should be provided to ENISA, the national CERTs and Europol's Cybercrime Centre.
Amendment 47 #
Proposal for a directive
Recital 24
(24) Those obligations should be extended beyond the electronic communications sector to key providers of information society services, as defined in Directive 98/34/EC of the European Parliament and of the Council of 22 June 1998 laying down a procedure for the provision of information in the field of technical standards and regulations and of rules on Information Society services27 , which underpin downstream information society services or on-line activities, such as e-commerce platforms, Internet payment gateways, social networks, search engines, cloud computing services, application stores. Disruption of these enabling information society services prevents the provision of other information society services which rely on them as key inputsto those cloud computing services that store sensitive critical infrastructure data of the European Union, as defined in Directive 2008/114/EC on critical infrastructure. Software developers and hardware manufacturers are not providers of information society services and are therefore excluded. Those obligations should also be extended to public administrations, and operators of critical infrastructure which rely heavily on information and communications technology and are essential to the maintenance of vital economical or societal functions such as electricity and gas, transport, credit institutions, stock exchange and health, health and agriculture. Disruption of those network and information systems would affect the internal market. __________________ 27 OJ L 204, 21.7.1998, p. 37. OJ L 204, 21.7.1998, p. 37.
Amendment 59 #
Proposal for a directive
Recital 30
(30) Criminal activities are in many cases underlying an incident. The criminal nature of incidents can be suspected even if the evidence to support it may not be sufficiently clear from the start. In this context, appropriate co-operation between competent authorities and law enforcement authorities should form part of an effective and comprehensive response to the threat of security incidents. In particular, promoting a safe, secure and more resilient environment requires a systematic reporting of incidents of a suspected serious criminal nature to law enforcement authorities. The serious criminal nature of incidents such as cyber terrorism - meaning the use of cyber tools to shut down critical national infrastructures for the purpose of coercing or intimidating a government or civilian population - should be assessed in the light of EU laws on cybercrime and the Council of Europe Convention on Cybercrime.
Amendment 61 #
Proposal for a directive
Recital 30 a (new)
(30a) Member States should commit sufficient resources to domestic counter-radicalisation and counter-terrorism as it extends quickly to critical infrastructure protection; they should maintain closer cooperation between the EU and NATO in counter-terrorism policy. The EU High Representative for Foreign Affairs and Security Policy, the EU Counter-terrorism Coordinator and Europol's Cybercrime Centre should be fully informed in case risks are perceived to be of terrorist nature.
Amendment 72 #
Proposal for a directive
Article 2
Member States shall not be prevented from adopting or maintaining provisions ensuring a higher level of security, without prejudice to their obligations under Union law. However, when transposing the provisions of Chapter IV, Member States shall not maintain or introduce national provisions diverging from or conflicting with those laid down in that Chapter.
Amendment 79 #
Proposal for a directive
Article 3 – point 8 – point b
(b) operator of critical infrastructure that are essential for the maintenance of vital economic and societal activities in the fields of energy, transport, banking, stock exchanges and health, health and agriculture, a non-exhaustive list of which is set out in Annex II.
Amendment 81 #
Proposal for a directive
Article 3 – point 11 a (new)
(11a) "threat information" means information that describes an attack that results in an incident or an attempt to cause an incident and includes cyber-attack signatures;
Amendment 96 #
Proposal for a directive
Article 7 – paragraph 1
1. Each Member State shall set up at least one Computer Emergency Response Team (hereinafter: ‘CERT’) responsible for handling incidents and risks according to a well-defined process, which shall comply with the requirements set out in point (1) of Annex I. A CERT may be established within the competent authority.
Amendment 99 #
Proposal for a directive
Article 8 – paragraph 2
2. The cooperation network shall bring into permanent communication the Commission and the competent authorities. When requested, the European Network and Information Security Agency (‘ENISA’) shall assist the cooperation network by providing its expertise and advicetechnology neutral guidance with suitable measures for both public and private sectors.
Amendment 108 #
Proposal for a directive
Article 9 – paragraph 3
Amendment 110 #
Proposal for a directive
Article 10 – paragraph 4a (new)
(4a) Concrete threat intelligence on cyber threats to critical national infrastructure shall be disseminated to security-cleared personnel in targeted private sector facilities.
Amendment 119 #
Proposal for a directive
Article 14 – paragraph 2
2. Member States shall ensure that public administrations and market operators notify to the competent authority incidents having a significantabout both incident and threat information having impact on the security of the core services they provide.
Amendment 136 #
Proposal for a directive
Article 15 – paragraph 2 – point b
(b) undergo a security audit carried out by a qualified independent body or national authority and make the results thereof available to the competent authoritydemonstrate the effective implementation of security policies (measured by ongoing application of industry global best-practices) by suitable means, and make available to the competent authority or to the single point of contact the results of a security audit carried out by an authorised internal representative or a qualified external auditor.
Amendment 139 #
Proposal for a directive
Article 15 – paragraph 5
5. The competent authoritiesWithout prejudice to applicable data protection law, and in full consultation with the relevant data controllers and processors, the competent authorities and the single points of contact shall work in close cooperation with personal data protection authorities when addressing incidents resulting in personal data breaches.
Amendment 141 #
Proposal for a directive
Article 17 – paragraph 1 a (new)
1a. Member States shall guarantee that the penalties in paragraph 1 of this Article are applied only if market operators and public administrations due to gross negligence or intent failed to fulfil their obligations under Chapter IV.
Amendment 146 #
Proposal for a directive
Annex 2
List of market operators Referred to in Article 3(8)a) 15. e-commerce platforms 2. Internet payment gateways 3. Social networks 4. Search engines 5. Cloud computing services 6. Application storesCloud computing services that store critical infrastructure data of the European Union
Amendment 147 #
Proposal for a directive
Annex 2 – paragraph 1 – point 5 a (new)
5a. Agriculture sector: settings of industrial agriculture a) genetic technology b) agricultural machinery