Activities of Evžen TOŠENOVSKÝ related to 2020/0359(COD)
Plenary speeches (1)
A high common level of cybersecurity across the Union (debate)
Shadow reports (1)
REPORT on the proposal for a directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148
Shadow opinions (1)
OPINION on the proposal for a directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148
Amendments (180)
Amendment 92
Proposal for a directive
Title 1
Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on measures for a high common level of cybersecurity across the Union (NIS Directive), repealing Directive (EU) 2016/1148 (Text with EEA relevance)
Amendment 94
Proposal for a directive
Recital 7
(7) With the repeal of Directive (EU) 2016/1148, the scope of application by sectors should be extended to a larger part of the economy in light of the considerations set out in recitals (4) to (6). The sectors covered by Directive (EU) 2016/1148 should therefore be extended to provide a comprehensive coverage of the sectors and services of vital importance for key societal and economic activities within the internal market. The rules should not be different according to whether the entities are operators of essential services or digital service providers. That differentiation has proven obsolete, since it does not reflect the actual importance of the sectors or services for the societal and economic activities in the internal market.
Amendment 98
Proposal for a directive
Recital 11
(11) Depending on the sector in which they operate or the type of service they provide, the entities falling within the scope of this Directive should be classified into two categories: essential and important. That categorisation should take into account the level of criticality of the sector or of the type of service, as well as the level of dependency of other sectors or types of services. Both essential and important entities should be subject to the same risk management requirements and reporting obligations. The cybersecurity risk management measures, reporting obligations and supervisory and penalty regimes between these two categories of entities should be differentiated to ensure a fair balance between requirements and obligations on one hand, and the administrative burden stemming from the supervision of compliance on the other hand.
Amendment 103
Proposal for a directive
Recital 12
(12) Sector-specific legislation and instruments can contribute to ensuring high levels of cybersecurity, while taking full account of the specificities and complexities of those sectors. As a minimum baseline sector-specific Union legal act should require essential or important entities to adopt cybersecurity risk management measures and to notify incidents or significant cyber threats in line with requirements laid down in Articles 18 (1, 2) and 20 of this Directive. Where sector-specific legislations foresee specific rules on supervision and enforcement, these rules should apply. The Commission may issue guidelines in relation to the implementation of the lex specialis. This Directive does not preclude the adoption of additional sector-specific Union acts addressing cybersecurity risk management measures and incident notifications. Nevertheless, while adopting the additional sector-specific Union acts the need of a comprehensive and consistent cybersecurity framework should be duly taken into account. This Directive is without prejudice to the existing implementing powers that have been conferred to the Commission in a number of sectors, including transport and energy.
Amendment 110
Proposal for a directive
Recital 15
(15) Upholding and preserving a reliable, resilient and secure domain name system (DNS) is a key factor in maintaining the integrity of the Internet and is essential for its continuous and stable operation, on which the digital economy and society depend. Therefore, this Directive should apply to all providers of DNS services along the DNS resolution chain, including operators of root name servers, top-level-domain (TLD) name servers, authoritative name servers for domain names and recursive resolvers.
Amendment 118
Proposal for a directive
Recital 20
(20) Those growing interdependencies are the result of an increasingly cross-border and interdependent network of service provision using key infrastructures across the Union in the sectors of energy, transport, digital infrastructure, drinking and waste water, health, certain aspects of public administration, as well as space in as far as the provision of certain services depending on ground-based infrastructures that are owned, managed and operated either by Member States or by private parties is concerned, therefore not covering infrastructures owned, managed or operated by or on behalf of the Union as part of its space programmes. Those interdependencies mean that any disruption, even one initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts in the delivery of services across the internal market. The COVID-19 pandemic has shown the vulnerability of our increasingly interdependent societies in the face of low-probability risks.
Amendment 119
Proposal for a directive
Recital 20 a (new)
(20a) Member States should ensure that the network and information systems used by their public administration entities are subject to their national cybersecurity regulation. Where appropriate, public administration entities should be subject to obligations similar to those for essential and important entities, as appropriate.
Amendment 120
Proposal for a directive
Recital 21
(21) In view of the differences in national governance structures and in order to safeguard already existing sectoral arrangements or Union supervisory and regulatory bodies, Member States should be able to designate more than one national competent authority responsible for fulfilling the tasks linked to the security of the network and information systems of essential and important entities under this Directive, particularly for supervision and enforcement. Member States should be able to assign this role to an existing authority. The competent authorities should have the necessary means to perform their duties, including powers to request the information necessary to assess the level of security of networks or services. They should also have the power to request comprehensive and reliable data about actual security incidents that have had a significant impact on the operation of services. They should, where necessary, be assisted by CSIRTs. In particular, CSIRTs may be required to provide competent authorities with information about risks and security incidents affecting services and recommend ways to address them.
Amendment 125
Proposal for a directive
Recital 24
(24) Member States should be adequately equipped, in terms of both technical and organisational capabilities, to prevent, detect, respond to and mitigate network and information system incidents and risks. Member States should therefore designate one or more CSIRTs under this Directive and ensure that they are well-functioning, complying with essential requirements in order to guarantee effective and compatible capabilities to deal with incidents and risks and to ensure efficient cooperation at Union level. Member States may as CSIRTs designate also existing computer emergency response teams (‘CERTs’). In view of enhancing the trust relationship between the entities and the CSIRTs, in cases where a CSIRT is part of the competent authority, Member States should consider functional separation between the operational tasks provided by CSIRTs, notably in relation to information sharing and support to the entities, and the supervisory activities of competent authorities.
Amendment 135
Proposal for a directive
Article 2 – paragraph 1
1. This Directive applies to public and private entities of a type referred to in Annex I and Annex II. Without prejudice to paragraph 2 of this Article and Article 27, this Directive does not apply to entities that qualify as micro and small enterprises within the meaning of Commission Recommendation 2003/361/EC.28
28 Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (OJ L 124, 20.5.2003, p. 36).
Amendment 136
Proposal for a directive
Article 2 – paragraph 2 – introductory part
2. By way of derogation from paragraph 1 of this Article, regardless of their size, this Directive also applies to entities of a type referred to in Annexes I and II, where:
Amendment 138
Proposal for a directive
Recital 30
(30) Access to correct and timely information on vulnerabilities affecting ICT products and services contributes to an enhanced cybersecurity risk management. In that regard, sources of publicly available information on vulnerabilities are an important tool for entities and their users, but also national competent authorities and CSIRTs. For this reason, ENISA should establish a vulnerability database where essential and important entities and their suppliers, as well as entities which do not fall in the scope of application of this Directive may, on a voluntary basis, disclose the patched vulnerabilities and provide the vulnerability information that allows users to take appropriate mitigating measures.
Amendment 139
Proposal for a directive
Article 2 – paragraph 2 a (new)
2a. Member States shall ensure that all entities falling under the scope of this Directive comply with this Directive as important entities. Member States may decide which important entities shall be designated as essential entities, taking into account, in particular, whether the entities had already been identified as the operators of essential services pursuant to Article 5 of NIS Directive (2016/1148) and prioritisation of the sectors and subsectors with higher level of criticality listed in Annex I. Member States shall by [transposition deadline] establish an initial list of essential and important entities that are to comply with this Directive and shall review it, on a regular basis, and, where appropriate, update it. Member States shall set a deadline for initial self-notification or identification by the competent authority and compliance with this Directive for the entities falling under the scope of this Directive not exceeding [6 months after the transposition deadline]. The entities which had been already identified as the operators of essential services pursuant to Article 5 of NIS Directive (2016/1148) shall comply with this Directive by [transposition deadline]. The entities shall submit at least the following information: the name of the entity, address and up-to-date contact details, including email addresses and telephone numbers, and relevant sector(s) and subsector(s) referred to in Annexes I and II. The entities shall without undue delay notify any changes to the details they submitted, and in any event, within two weeks from the date on which the change took effect.
Amendment 140
Proposal for a directive
Article 2 – paragraph 2 b (new)
2b. The entities referred to in Article 24(1) shall submit the self-notifications in the Member State in which they have their main establishment. In addition to the information referred to in the third subparagraph of paragraph 2a of this Article, they shall notify the address of its main establishment and its other legal establishments in the Union or, if not established in the Union, of its representative designated pursuant to Article 24(3) and the Member States where the entity provides services. Where an entity referred to in paragraph 1 has besides its main establishment in the Union further establishments or provides services in other Member States, the single contact point of the main establishment shall without undue delay forward the information to the single points of contact of those Member States. Where an entity fails to notify or to provide the relevant information on Member States concerned within the deadline set out by the Member State of its main establishment, any Member State where the entity provides services shall be competent to ensure that entity’s compliance with the obligations laid down in this Directive.
Amendment 140
Proposal for a directive
Recital 31
(31) Although similar vulnerability registries or databases do exist, these are hosted and maintained by entities which are not established in the Union. The European vulnerability database maintained by ENISA should leverage the global Common Vulnerabilities and Exposures (CVE) registry. To avoid duplication of efforts and seek complementarity to the extent possible, ENISA should explore the possibility of entering into structured cooperation agreements with the CVE, including by membership in its Board and by becoming a Root CVE Numbering Authority, and with other similar registries in third country jurisdictions.
Amendment 141
Proposal for a directive
Article 2 – paragraph 2 c (new)
2c. By [6 months after the transposition deadline] and every 12 months thereafter, Member States shall submit to the Cooperation Group and, for the purpose of the review referred to in Article 35, to the Commission, the information necessary to enable to assess the consistency of Member States' approaches to the identification of essential and important services. That information shall include at least the number of all essential and important entities identified for each sector and subsector referred to in Annexes I and II, including number of small and micro enterprises in each category;
Amendment 142
Proposal for a directive
Article 2 – paragraph 3 a (new)
3a. Member States shall ensure that the network and information systems used by their public administration entities are subject to their national cybersecurity regulation.
Amendment 147
Proposal for a directive
Article 4 – paragraph 1 – point 23
Amendment 148
Proposal for a directive
Recital 43
(43) Addressing cybersecurity risks stemming from an entity’s supply chain and its relationship with its suppliers is particularly important given the prevalence of incidents where entities have fallen victim to cyber-attacks and where malicious actors were able to compromise the security of an entity’s network and information systems by exploiting vulnerabilities affecting third party products and services. Entities should therefore assess and take into account the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures. Entities should be in particular encouraged to incorporate the cybersecurity safeguards into the contractual arrangements with the tier-1 suppliers and service providers, including responsibility of the tier-1 suppliers for other tiers of suppliers and service providers.
Amendment 157
Proposal for a directive
Recital 46
(46) To further address key supply chain risks and assist entities operating in sectors covered by this Directive to appropriately manage supply chain and supplier related cybersecurity risks, the Cooperation Group involving relevant national authorities, in cooperation with the Commission and ENISA, should carry out coordinated sectoral supply chain risk assessments, as was already done for 5G networks following Recommendation (EU) 2019/534 on Cybersecurity of 5G networks21, with the aim of identifying per sector which are the critical ICT services, systems or products, relevant threats and vulnerabilities. Where appropriate, the Cooperation Group should monitor the supply chain risk assessment activities of other democratic countries.
21 Commission Recommendation (EU) 2019/534 of 26 March 2019 Cybersecurity of 5G networks (OJ L 88, 29.3.2019, p. 42).
Amendment 159
Proposal for a directive
Recital 47
(47) The supply chain risk assessments, in light of the features of the sector concerned, should take into account both technical and, where relevant, non-technical factors including those defined in Recommendation (EU) 2019/534, in the EU wide coordinated risk assessment of 5G networks security and in the EU Toolbox on 5G cybersecurity agreed by the Cooperation Group. To identify the supply chains that should be subject to a coordinated risk assessment, the following criteria should be taken into account: (i) the extent to which essential and important entities use and rely on specific critical ICT services, systems or products; (ii) the relevance of specific critical ICT services, systems or products for performing critical or sensitive functions, including the processing of personal data; (iii) the availability of alternative ICT services, systems or products; (iv) the resilience of the overall supply chain of ICT services, systems or products against disruptive events and (v) for emerging ICT services, systems or products, their potential future significance for the entities’ activities.
Amendment 163
Proposal for a directive
Recital 48 a (new)
(48a) The national regulatory authorities or other competent authorities responsible for public electronic communications networks or of publicly available electronic communications services pursuant to Directive (EU) 2018/1972 should be informed of significant incidents, cyber threats and near misses notified by providers of public electronic communications networks or publicly available electronic communications services and the measures taken in response to those risks and incidents.
Amendment 166
Proposal for a directive
Recital 50
(50) Given the growing importance of number-independent interpersonal communications services, it is necessary to ensure that such services are also subject to appropriate security requirements in view of their specific nature and economic importance. Providers of such services should thus also ensure a level of security of network and information systems appropriate to the risk posed. Given that providers of number-independent interpersonal communications services normally do not exercise actual control over the transmission of signals over networks, the degree of risk for such services can be considered in some respects to be lower than for traditional electronic communications services. The same applies to number-based interpersonal communications services which make use of numbers and which do not exercise actual control over signal transmission.
Amendment 167
Proposal for a directive
Recital 51
(51) The internal market is more reliant on the functioning of the internet than ever before. The services of virtually all essential and important entities are dependent on services provided over the internet. The competent authorities should thus ensure that the integrity and availability of public electronic communications networks are maintained. In order to ensure the smooth provision of services provided by essential and important entities, it is important that all public electronic communications networks, such as, for example, internet backbones or submarine communications cables, have appropriate cybersecurity measures in place and report significant incidents in relation thereto.
Amendment 174
Proposal for a directive
Recital 54
(54) In order to safeguard the security of electronic communications networks and services, the use of encryption, and in particular end-to-end encryption, could be promoted and, where necessary, implemented by providers of such services and networks in accordance with the principles of security and privacy by default and by design for the purposes of Article 18. The use of end-to-end encryption should be reconciled with the Member States’ powers to ensure the protection of their essential security interests and public security, and to permit the investigation, detection and prosecution of criminal offences in compliance with Union law. Solutions for lawful access to information in end-to-end encrypted communications should maintain the effectiveness of encryption in protecting privacy and security of communications, while providing an effective response to crime.
Amendment 176
Proposal for a directive
Recital 54 a (new)
(54a) An incident should be typically considered significant by the competent authorities or the CSIRT if the incident has caused substantial operational disruption or financial losses for the entity concerned and the incident has affected other natural or legal persons by causing considerable material or non- material losses.
Amendment 179
Proposal for a directive
Recital 55
(55) This Directive lays down a two-stage approach to incident reporting in order to strike the right balance between, on the one hand, swift reporting that helps mitigate the potential spread of incidents and allows entities to seek support, and, on the other hand, in-depth reporting that draws valuable lessons from individual incidents and improves over time the resilience to cyber threats of individual companies and entire sectors. Where entities become aware of a significant incident, they should be required to submit an initial notification without undue delay, followed by a final report not later than one month after. The initial notification should only include the information strictly necessary to make the competent authorities aware of the incident and allow the entity to seek assistance, if required. Such notification, where applicable, should indicate whether the incident is presumably caused by unlawful or malicious action. Member States should ensure that the requirement to submit this initial notification does not divert the reporting entity’s resources from activities related to incident handling that should be prioritised. To further prevent that incident reporting obligations either divert resources from incident response handling or may otherwise compromise the entities’ efforts in that respect, Member States should also provide that, in duly justified cases and in agreement with the competent authorities or the CSIRT, the entity concerned can deviate from the reporting deadlines.
Amendment 180
Proposal for a directive
Article 9 – paragraph 5
Amendment 189
Proposal for a directive
Recital 64
(64) In order to take account of the cross-border nature of the services and operations of DNS service providers, TLD name registries, content delivery network providers, cloud computing service providers, data centre service providers, digital providers and providers of number-independent interpersonal communications services, only one Member State should have jurisdiction over these entities. Jurisdiction should be attributed to the Member State in which the respective entity has its main establishment in the Union. The criterion of establishment for the purposes of this Directive implies the effective exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect. Whether this criterion is fulfilled should not depend on whether the network and information systems are physically located in a given place; the presence and use of such systems do not, in themselves, constitute such main establishment and are therefore not decisive criteria for determining the main establishment. The main establishment should be the place where the decisions related to the cybersecurity risk management measures are taken in the Union. This will typically correspond to the place of the companies’ central administration in the Union. If such decisions are not taken in the Union, the main establishment should be deemed to be in the Member States where the entity has an establishment implementing the main cybersecurity risk management measures in the Union. Where the services are carried out by a group of undertakings, the main establishment of the controlling undertaking should be considered to be the main establishment of the group of undertakings.
Amendment 190
Proposal for a directive
Article 12 – paragraph 4 – point d
(d) exchanging advice and cooperating with the Commission on draft Commission implementing or delegated acts adopted pursuant to this Directive;
Amendment 190
Proposal for a directive
Recital 65
(65) In cases where a DNS service provider, TLD name registry, content delivery network provider, cloud computing service provider, data centre service provider, digital provider and provider of number-independent interpersonal communications services not established in the Union offers services within the Union, it should designate a representative. In order to determine whether such an entity is offering services within the Union, it should be ascertained whether it is apparent that the entity is planning to offer services to persons in one or more Member States. The mere accessibility in the Union of the entity’s or an intermediary's website or of an email address and of other contact details, or the use of a language generally used in the third country where the entity is established, is as such insufficient to ascertain such an intention. However, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the entity is planning to offer services within the Union. The representative should act on behalf of the entity and it should be possible for competent authorities or the CSIRTs to contact the representative. The representative should be explicitly designated by a written mandate of the entity to act on the latter's behalf with regard to the latter's obligations under this Directive, including incident reporting.
Amendment 191
Proposal for a directive
Article 12 – paragraph 4 – point f
Amendment 192
Proposal for a directive
Recital 68
(68) Entities should be encouraged to collectively leverage their individual knowledge and practical experience at strategic, tactical and operational levels with a view to enhance their capabilities to adequately assess, monitor, defend against, and respond to, cyber threats. It is thus necessary to enable the emergence at Union level of mechanisms for voluntary information sharing arrangements. To this end, Member States should actively support and encourage also relevant entities not covered by the scope of this Directive, such as entities focusing on cybersecurity services and research, to participate in such information-sharing mechanisms. Those mechanisms should be conducted in full compliance with the competition rules of the Union as well as the data protection Union law rules.
Amendment 194
Proposal for a directive
Article 13 – paragraph 3 – point l
Amendment 194
Proposal for a directive
Recital 69
(69) The processing of personal data, to the extent strictly necessary and proportionate for the purposes of ensuring network and information security by entities, public authorities, CERTs, CSIRTs, and providers of security technologies and services should constitute a legitimate interestCERTs should constitute a legitimate interest of the data controller concerned, as referred to in Regulation (EU) 2016/679 and by public authorities, namely competent authorities, Single Points Of Contact (SPOCs), CSIRTs, NIS CG, CSIRT Network, CERTs and CYCLONe should constitute a legal obligation or the public interest or the exercise of official authority of the data controller concerned, as referred to in Regulation (EU) 2016/679. That should include measures related to the prevention, detection, analysis and response to incidents, measures to raise awareness in relation to specific cyber threats, exchange of information in the context of vulnerability remediation and coordinated disclosure, as well as the voluntary exchange of information on those incidents, as well as cyber threats and vulnerabilities, indicators of compromise, tactics, techniques and procedures, cybersecurity alerts and configuration tools. Such measures may require the processing of the following types of personal data: IP addresses, telephone numbers, bank account numbers, geolocation data, payment data, uniform resource locators (URLs), domain names, and email addresses.
Amendment 195
Proposal for a directive
Article 13 – paragraph 4
4. For the purpose of the review referred to in Article 35 and by [24 months after the date of entry into force of this Directive], and every two years thereafter, the CSIRTs network shall assess the progress made with the operational cooperation and produce a report. The report shall, in particular, draw conclusions on the outcomes of the peer reviews referred to in Article 16 carried out in relation to national CSIRTs, including conclusions and recommendations, pursued under this Article. That report shall also be submitted to the Cooperation Group.
Amendment 199
Proposal for a directive
Article 15 – paragraph 1 – point b
(b) the technical, financial and human resources available to competent authorities and cybersecurity policies, and the implementation of supervisory measures and enforcement actions in light of the outcomes of peer reviews referred to in Article 16;
Amendment 201
Proposal for a directive
Article 16
Amendment 202
Proposal for a directive
Recital 76
(76) In order to further strengthen the effectiveness and dissuasiveness of the penalties applicable to infringements of obligations laid down pursuant to this Directive, the competent authorities should be empowered to apply sanctions consisting of the suspension of a certification or authorisation concerning part or all the services provided by an essential entity and the imposition of a temporary ban from the exercise of managerial functions by a natural person. Given their severity and impact on the entities’ activities and ultimately on their consumers, such sanctions should only be applied proportionally to the severity of the infringement and taking account of the specific circumstances of each case, including the intentional or negligent character of the infringement, actions taken to prevent or mitigate the damage and/or losses suffered. Such sanctions should only be applied as ultima ratio, meaning only after the other relevant enforcement actions laid down by this Directive have been exhausted, and only for the time until the entities to which they apply take the necessary action to remedy the deficiencies or comply with the requirements of the competent authority for which such sanctions were applied. The imposition of such sanctions shall be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter of Fundamental Rights of the European Union, including effective judicial protection, due process, presumption of innocence and right of defence.
Amendment 204 #
Proposal for a directive
Recital 79
Amendment 205 #
Proposal for a directive
Article 18 – paragraph 1
1. Member States shall ensure that essential and important entities shall take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which those entities use in the provision of their services and to prevent or minimise the impact of incidents on recipients of their services and on other services. Having regard to the state of the art, those measures shall ensure a level of security of network and information systems appropriate to the risk presented, and differentiate between the essential and important entities and between the sectors and subsectors with higher or lower level of criticality referred to in Annexes I and II.
Amendment 207 #
Proposal for a directive
Recital 80
Amendment 209 #
Proposal for a directive
Article 1 – paragraph 2 – point a a (new)
(aa) establishes a framework for cooperation among Member States;
Amendment 210 #
Proposal for a directive
Article 1 – paragraph 2 – point b
(b) lays down obligations on Member States to introduce cybersecurity risk management and reporting obligations for entities of a type referred to as essential entities in Annex I and important entities in Annex II;
Amendment 211 #
Proposal for a directive
Article 18 – paragraph 2 – point g
(g) the use of cryptography and encryption where appropriate.
Amendment 211 #
Proposal for a directive
Article 1 – paragraph 2 – point c
(c) lays down obligations on Member States to facilitate cybersecurity information sharing;
Amendment 212 #
Proposal for a directive
Article 1 – paragraph 2 – point c a (new)
(ca) lays down supervision and enforcement obligations on Member States.
Amendment 218 #
Proposal for a directive
Article 2 – paragraph 1
1. This Directive applies to public and private entities of a type referred to in Annex I and Annex II. Without prejudice to paragraph 2 of this Article and Article 27, this Directive does not apply to entities that qualify as micro and small enterprises within the meaning of Commission Recommendation 2003/361/EC.28
_________________
28 Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (OJ L 124, 20.5.2003, p. 36).
Amendment 219 #
Proposal for a directive
Article 18 – paragraph 6
Amendment 219 #
Proposal for a directive
Article 2 – paragraph 2 – introductory part
2. By way of derogation from paragraph 1 of this Article, regardless of their size, this Directive also applies to entities of a type referred to in Annexes I and II, where:
Amendment 225 #
Proposal for a directive
Article 2 – paragraph 2 a (new)
2a. Member States shall ensure that all entities falling under the scope of this Directive comply with this Directive as important entities. Member States may decide which important entities shall be designated as essential entities, taking into account particularly whether the entities had already been identified as the operators of essential services pursuant to Article 5 of NIS Directive (2016/1148) and prioritisation of the sectors and subsectors with higher level of criticality listed in Annex I. Member States shall by [transposition deadline] establish an initial list of essential and important entities, which should comply with this Directive and review it, on a regular basis, and, where appropriate, update it. Member States shall set a deadline for initial self-notification or identification by the competent authority and compliance with this Directive for the entities falling under the scope of this Directive not exceeding [6 months after the transposition deadline]. The entities which had been already identified as the operators of essential services pursuant to Article 5 of NIS Directive (2016/1148) shall comply with this Directive by [transposition deadline]. The entities shall submit at least the following information: the name of the entity, address and up-to-date contact details, including email addresses and telephone numbers, and relevant sector(s) and subsector(s) referred to in Annexes I and II. The entities shall without undue delay notify any changes to the details they submitted, and in any event, within two weeks from the date on which the change took effect.
Amendment 227 #
Proposal for a directive
Article 2 – paragraph 2 b (new)
2b. The entities referred to in Article 24(1) shall submit the self-notifications in the Member State in which they have their main establishment. Apart from information referred to in the third subparagraph of paragraph 2a of this Article, they shall notify the address of its main establishment and its other legal establishments in the Union or, if not established in the Union, of its representative designated pursuant to Article 24(3) and the Member States where the entity provides services. Where an entity referred to in paragraph 1 has besides its main establishment in the Union further establishments or provides services in other Member States, the single contact point of the main establishment shall without undue delay forward the information to the single points of contact of those Member States. Where an entity fails to notify or to provide the relevant information on Member States concerned within the deadline set out by the Member State of its main establishment, any Member State where the entity provides services shall be competent to ensure that entity’s compliance with the obligations laid down in this Directive.
Amendment 228 #
Proposal for a directive
Article 2 – paragraph 2 c (new)
2c. By [6 months after the transposition deadline] and every 12 months thereafter, Member States shall submit to the Cooperation Group and for the purpose of the review referred to in Article 35 to the Commission the information necessary to enable to assess the consistency of Member States' approaches to the identification of essential and important services. That information shall include at least the number of all essential and important entities identified for each sector and subsector referred to in Annexes I and II, including number of small and micro enterprises in each category;
Amendment 229 #
Proposal for a directive
Article 20 – paragraph 2
Amendment 229 #
Proposal for a directive
Article 2 – paragraph 3 a (new)
3a. Member States shall ensure that the network and information systems used by their public administration entities are subject to their national cybersecurity regulation.
Amendment 232 #
Proposal for a directive
Article 20 – paragraph 3
Amendment 232 #
Proposal for a directive
Article 2 – paragraph 5 a (new)
5a. To fulfil the tasks set out in this Directive, competent authorities and CSIRTs shall process personal data, including the data referred to in Article 9 of the Regulation (EU) 2016/679, and shall process information that is confidential pursuant to Union and national rules, for the purposes and to the extent strictly necessary to fulfil these tasks.
Amendment 234 #
Proposal for a directive
Article 2 – paragraph 5 b (new)
5b. To fulfil the tasks set out in this Directive, SPOCs, the Cooperation Group, the CSIRT Network and CyCLONe shall process personal data and information that is confidential pursuant to Union and national rules, for the purposes and to the extent strictly necessary to fulfil these tasks.
Amendment 235 #
Proposal for a directive
Article 20 – paragraph 3 a (new)
3a. Member States shall ensure that in order to determine the significance of the individual incident, where available, the following parameters shall, in particular, be taken into account:
(a) the number of the recipients of the services affected by the incident;
(b) the duration of the incident;
(c) the geographical spread of the area affected by the incident;
(d) the extent to which the functioning and continuity of the service is affected;
(e) the extent of impact, including financial, on economic and societal activities of the entity directly concerned, of other entities or on national security.
Amendment 236 #
Proposal for a directive
Article 2 – paragraph 5 c (new)
5c. When processing the personal data referred to in Article 9 of the Regulation (EU) 2016/679, competent authorities and CSIRTs shall conduct the risk analyses, introduce proper safeguards and procedures to exchange information.
Amendment 239 #
Proposal for a directive
Article 20 – paragraph 4 – subparagraph 1 – point a
(a) without undue delay and in any event within 24 hours after having become aware of the incident, an initial notification, which, where applicable, shall indicate whether the incident is presumably caused by unlawful or malicious action;
Amendment 240 #
Proposal for a directive
Article 2 – paragraph 6
6. Where provisions of sector-specific acts of Union law require essential or important entities either to adopt cybersecurity risk management measures and to notify incidents or significant cyber threats, and where those requirements are at least equivalent in effect to the obligations laid down in this Directive, the relevant provisions of this Directive, including the provision on supervision and enforcement laid down in Chapter VI, shall not apply.
Amendment 241 #
Proposal for a directive
Article 2 – paragraph 6 a (new)
6a. Sector-specific acts of Union law referred to in paragraph 6 should at minimum include:
(a) cybersecurity risk management measures as laid down in Article 18(1) and (2); and
(b) requirements to notify incidents and significant cyber threats as laid down in Article 20(1) to (4).
Amendment 242 #
Proposal for a directive
Article 4 – paragraph 1 – point 4
Amendment 246 #
Proposal for a directive
Article 4 – paragraph 1 – point 5 a (new)
(5a) ‘near miss’ means any event which could have compromised the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the related services offered by, or accessible via, network and information systems, but was successfully prevented from fully transpiring;
Amendment 247 #
Proposal for a directive
Article 21 – title
Use of European cybersecurity certification schemes and standardisation
Amendment 250 #
Proposal for a directive
Article 21 – paragraph 1
1. In order to increase the level of cybersecurity, Member States may recommend essential and important entities to certify certain ICT products, ICT services and ICT processes under specific European cybersecurity certification schemes adopted pursuant to Article 49 of Regulation (EU) 2019/881 or other international cybersecurity certification schemes. Member States shall also encourage essential and important entities to comply with European and internationally accepted standards.
Amendment 251 #
Proposal for a directive
Article 21 – paragraph 2
Amendment 253 #
Proposal for a directive
Article 21 – paragraph 3
Amendment 259 #
Proposal for a directive
Article 4 – paragraph 1 – point 23
Amendment 262 #
Proposal for a directive
Article 4 – paragraph 1 – point 23 a (new)
(23a) ‘public electronic communications network’ means a public electronic communications network as defined in point (8) of Article 2 of Directive (EU) 2018/1972;
Amendment 263 #
Proposal for a directive
Article 4 – paragraph 1 – point 23 b (new)
(23b) ‘electronic communications service’ means an electronic communications service as defined in point (4) of Article 2 of Directive (EU) 2018/1972;
Amendment 264 #
Proposal for a directive
Article 4 – paragraph 1 – point 23 c (new)
(23c) ‘number-based interpersonal communications service’ means a number-based interpersonal communications service as defined in point (6) of Article 2 of Directive (EU) 2018/1972;
Amendment 265 #
Proposal for a directive
Article 4 – paragraph 1 – point 23 d (new)
(23d) ‘number-independent interpersonal communications service’ means a number-independent interpersonal communications service as defined in point (7) of Article 2 of Directive (EU) 2018/1972;
Amendment 266 #
Proposal for a directive
Article 4 – paragraph 1 – point 25
(25) ‘essential entity’ means any entity of a type referred to in Annex I and II, designated by the Member State as an essential entity;
Amendment 267 #
Proposal for a directive
Article 4 – paragraph 1 – point 26
(26) ‘important entity’ means any entity of a type referred to in Annex I and II, unless exempted from the scope of this Directive or designated by the Member State as an essential entity;
Amendment 269 #
Proposal for a directive
Article 4 – paragraph 1 – point 26 a (new)
(26a) 'service' means any activity referred to in Annexes I and II provided for essential, important or other public or private entities or consumers, including provision of electronic communication networks and manufacture;
Amendment 273 #
Proposal for a directive
Article 25
Amendment 273 #
Proposal for a directive
Article 5 – paragraph 1 – introductory part
1. Each Member State shall adopt a national cybersecurity strategy, a coherent framework defining the strategic objectives and appropriate policy and regulatory measures, with a view to achieving and maintaining a high level of cybersecurity of network and information systems in that Member State. The national cybersecurity strategy shall include, in particular, the following:
Amendment 283 #
Proposal for a directive
Article 5 – paragraph 2 – introductory part
2. In the framework of the national cybersecurity strategy, Member States shall in particular address the following policies:
Amendment 288 #
Proposal for a directive
Article 29 – paragraph 5 – subparagraph 1 – point b
Amendment 289 #
Proposal for a directive
Article 29 – paragraph 6
6. Member States shall ensure that any natural person responsible for or acting as a representative of an essential entity on the basis of the power to represent it, the authority to take decisions on its behalf or the authority to exercise control of it has the powers to ensure its compliance with the obligations laid down in this Directive. Member States shall ensure that those natural persons may be held liable for breach of their duties to ensure compliance with the obligations laid down in this Directive.
Amendment 293 #
Proposal for a directive
Article 31 – paragraph 6
Amendment 298 #
Proposal for a directive
Article 36
Amendment 299 #
Proposal for a directive
Annex I – subheading 1
Amendment 300 #
Proposal for a directive
Annex II – subheading 1
Amendment 305 #
Proposal for a directive
Article 6 – title
Coordinated vulnerability disclosure and a European vulnerability database
Amendment 306 #
Proposal for a directive
Article 6 – paragraph 1
1. Where requested, the CVD CSIRT coordinator referred to in Article 9(1a) shall act as a trusted intermediary, facilitating, where necessary, the interaction between the reporting entity and the manufacturer or provider of ICT products or ICT services. Where the reported vulnerability concerns multiple manufacturers or providers of ICT products or ICT services across the Union, the CVD CSIRT coordinator of each Member State concerned shall cooperate with the CSIRT network.
Amendment 312 #
Proposal for a directive
Article 6 – paragraph 2
2. ENISA shall develop and maintain a European vulnerability database leveraging the global Common Vulnerabilities and Exposures (CVE) registry. To that end, ENISA shall establish and maintain the appropriate information systems, policies and procedures with a view in particular to enabling important and essential entities and their suppliers of network and information systems to voluntarily disclose and register vulnerabilities present in ICT products or ICT services, as well as to provide access to the information on vulnerabilities contained in the database to all interested parties. The database shall, in particular, include information describing the vulnerability, the affected ICT product or ICT services and the severity of the vulnerability in terms of the circumstances under which it may be exploited, the availability of related patches and, in the absence of available patches, guidance addressed to users of vulnerable products and services as to how the risks resulting from disclosed vulnerabilities may be mitigated.
Amendment 315 #
Proposal for a directive
Article 7 – paragraph 3 – introductory part
Amendment 316 #
Proposal for a directive
Article 7 – paragraph 4
4. Member States shall communicate to the EU-CyCLONe and the Commission the designation of their competent authorities referred to in paragraph 1 and submit their national cybersecurity incident and crisis response plans as referred to in paragraph 3 within three months from that designation and the adoption of those plans to the EU-CyCLONe. Member States may exclude specific information from the plan where and to the extent that it is strictly necessary for their national security.
Amendment 318 #
Proposal for a directive
Article 8 – paragraph 3
3. Each Member State shall designate one of the competent authorities referred to in paragraph 1 as a national single point of contact on cybersecurity (‘single point of contact’). Where a Member State designates only one competent authority, that competent authority shall also be the single point of contact for that Member State.
Amendment 319 #
Proposal for a directive
Article 9 – paragraph 1 a (new)
1a. Each Member State shall designate one of its CSIRTs referred to in paragraph 1 as a coordinator for the purpose of coordinated vulnerability disclosure pursuant to Article 6(1) (‘CVD CSIRT coordinator’). Where a Member State designates only one CSIRT, that CSIRT shall also be the CVD CSIRT coordinator for that Member State.
Amendment 321 #
Proposal for a directive
Article 9 – paragraph 5
Amendment 324 #
Proposal for a directive
Article 9 – paragraph 7
7. Member States shall communicate to the Commission without undue delay the CSIRTs designated in accordance with paragraph 1 and their respective tasks provided in relation to the entities referred to in Annexes I and II, and the CVD CSIRT coordinator designated in accordance with paragraph 1a of this Article.
Amendment 335 #
Proposal for a directive
Article 10 – paragraph 3
3. CSIRTs shall establish cooperation relationships with relevant entities, industry and other relevant actors in the private sector, with a view to better achieving the objectives of the Directive.
Amendment 336 #
Proposal for a directive
Article 11 – paragraph 2
2. Member States shall ensure that their competent authorities and their CSIRTs receive notifications on significant incidents, significant cyber threats and significant near misses submitted pursuant to Articles 20 and 27 of this Directive. Where a Member State decides that its CSIRTs shall not receive those notifications, the CSIRTs shall, to the extent necessary to carry out their tasks, be granted access to data on incidents notified by the essential or important entities via the single entry point referred to in Article 20(3a).
Amendment 337 #
Proposal for a directive
Article 11 – paragraph 3
3. Each Member State shall ensure that its competent authorities or CSIRTs inform its single point of contact and other relevant authorities in accordance with Article 20 of notifications on significant incidents, significant cyber threats and significant near misses.
Amendment 338 #
Proposal for a directive
Article 11 – paragraph 4
4. To the extent necessary to effectively carry out the tasks and obligations laid down in this Directive, including supervision and enforcement, Member States shall ensure appropriate cooperation between the competent authorities, single points of contact, CSIRTs and law enforcement authorities, national regulatory authorities or other competent authorities responsible for public electronic communications networks or for publicly available electronic communications services pursuant to Directive (EU) 2018/1972, data protection authorities, and the authorities responsible for critical infrastructure pursuant to Directive (EU) XXXX/XXXX [Resilience of Critical Entities Directive] and the national financial authorities designated in accordance with Regulation (EU) XXXX/XXXX of the European Parliament and of the Council39 [the DORA Regulation] within that Member State.
_________________
39 [insert the full title and OJ publication reference when known]
Amendment 339 #
Proposal for a directive
Article 11 – paragraph 4 a (new)
4a. Where relevant to the extent necessary to effectively carry out the tasks and obligations laid down in this Directive, Member States shall ensure appropriate cooperation with other relevant stakeholders, such as CSIRTs other than those referred to in Article 9(1), CERTs and SOCs.
Amendment 340 #
Proposal for a directive
Article 11 – paragraph 5
Amendment 341 #
Proposal for a directive
Article 12 – paragraph 3 – subparagraph 1
The Cooperation Group shall be composed of representatives of Member States nominated by the single point of contact, the Commission and ENISA. The European External Action Service shall participate in the activities of the Cooperation Group as an observer. The European Supervisory Authorities (ESAs) in accordance with Article 17(5)(c) of Regulation (EU) XXXX/XXXX [the DORA Regulation] may participate in the activities of the Cooperation Group. Where appropriate, the Cooperation Group may invite representatives of relevant stakeholders, particularly representatives of industry, to participate in its work.
Amendment 345 #
Proposal for a directive
Article 12 – paragraph 4 – point b
(b) exchanging best practices and information in relation to the implementation of this Directive, including in relation to identification of essential and important entities, cyber threats, incidents, vulnerabilities, near misses, awareness-raising initiatives, trainings, exercises and skills, capacity building as well as standards and technical specifications;
Amendment 346 #
Proposal for a directive
Article 12 – paragraph 4 – point d
(d) exchanging advice and cooperating with the Commission on draft Commission implementing or delegated acts adopted pursuant to this Directive;
Amendment 348 #
Proposal for a directive
Article 12 – paragraph 4 – point f
Amendment 349 #
Proposal for a directive
Article 12 – paragraph 4 – point f a (new)
(fa) carrying out coordinated security risk assessments pursuant to Article 19(1), where applicable;
Amendment 350 #
Proposal for a directive
Article 12 – paragraph 4 – point k a (new)
(ka) submitting to the Commission for the purpose of review referred to in Article 35 the reports on the experience gained at a strategic and operational level;
Amendment 354 #
Proposal for a directive
Article 13 – paragraph 3 – point l
Amendment 355 #
Proposal for a directive
Article 13 – paragraph 4
4. For the purpose of the review referred to in Article 35 and by 24 months after the date of entry into force of this Directive, and every two years thereafter, the CSIRTs network shall assess the progress made with the operational cooperation and produce a report. The report shall, in particular, draw conclusions on the outcomes of the peer reviews referred to in Article 16 carried out in relation to national CSIRTs, including conclusions and recommendations, pursued under this Article. That report shall also be submitted to the Cooperation Group.
Amendment 356 #
Proposal for a directive
Article 14 – paragraph 1
1. In order to support the coordinated management of large-scale cybersecurity incidents and crises at operational level and to ensure the regular exchange of information among Member States and Union institutions, bodies and agencies considering such incidents and crises, the European Cyber Crises Liaison Organisation Network (EU - CyCLONe) is hereby established.
Amendment 357 #
Proposal for a directive
Article 14 – paragraph 2
2. EU-CyCLONe shall be composed of the representatives of Member States’ crisis management authorities designated in accordance with Article 7 and ENISA. The Commission shall participate in the EU-CyCLONe as an observer. ENISA shall provide the secretariat of the network and support the secure exchange of information.
Amendment 358 #
Proposal for a directive
Article 14 – paragraph 3 – introductory part
3. EU-CyCLONe, while avoiding any duplication of tasks with the CSIRT Network, shall have the following tasks:
Amendment 359 #
Proposal for a directive
Article 14 – paragraph 3 – point b
Amendment 360 #
Proposal for a directive
Article 14 – paragraph 3 – point d
Amendment 361 #
Proposal for a directive
Article 14 – paragraph 3 – point d
Amendment 362 #
Proposal for a directive
Article 14 – paragraph 5
5. EU-CyCLONe shall regularly report to the Cooperation Group on large scale incidents and crises, focusing in particular on their impact on essential and important entities.
Amendment 365 #
Proposal for a directive
Article 15 – paragraph 1 – point b
(b) the technical, financial and human resources available to competent authorities and cybersecurity policies, and the implementation of supervisory measures and enforcement actions in light of the outcomes of peer reviews referred to in Article 16;
Amendment 371 #
Proposal for a directive
Article 16
Amendment 384 #
Proposal for a directive
Article 17 – paragraph 2
2. Member States shall ensure that members of the management body of essential and important entities follow specific trainings, where possible on a regular basis, to gain sufficient knowledge and skills in order to apprehend and assess cybersecurity risks and management practices and their impact on the services provided by the entity.
Amendment 386 #
Proposal for a directive
Article 18 – paragraph 1
1. Member States shall ensure that essential and important entities shall take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which those entities use in the provision of their services and to prevent or minimise the impact of incidents on recipients of their services and on other services. Having regard to the state of the art, those measures shall ensure a level of security of network and information systems appropriate to the risk presented, and differentiate between the essential and important entities and between the sectors and subsectors with higher or lower level of criticality referred to in Annexes I and II.
Amendment 393 #
Proposal for a directive
Article 18 – paragraph 2 – point b
(b) incident management (including prevention, detection, and response to incidents);
Amendment 402 #
Proposal for a directive
Article 18 – paragraph 2 – point g
(g) the use of cryptography and encryption where appropriate.
Amendment 409 #
Proposal for a directive
Article 18 – paragraph 4 a (new)
4a. In order to promote the convergent implementation of paragraph 1 and 2, Member States shall be in accordance with Article 12(4) assisted by the Cooperation Group, and shall, without imposing or discriminating in favour of the use of a particular type of technology, encourage the use of European or internationally accepted standards and specifications relevant to the security of network and information systems.
Amendment 410 #
Proposal for a directive
Article 18 – paragraph 4 b (new)
4b. ENISA, in collaboration with Member States and industry, shall draw up advice and guidelines regarding the technical areas to be considered in relation to paragraphs 1 and 2 as well as regarding already existing standards, including Member States' national standards, which would allow for those areas to be covered.
Amendment 411 #
Proposal for a directive
Article 18 – paragraph 5
Amendment 416 #
Proposal for a directive
Article 18 – paragraph 6
Amendment 420 #
Proposal for a directive
Article 19 – paragraph 2
2. The Commission, after consulting with the Cooperation Group, ENISA and the industry, shall identify the specific critical ICT services, systems or products that may be subject to the coordinated risk assessment referred to in paragraph 1.
Amendment 422 #
Proposal for a directive
Article 19 – paragraph 2 a (new)
2a. To identify the supply chains that should be subject to a coordinated risk assessment, the following criteria shall be taken into account:
(a) the extent to which essential and important entities use and rely on specific critical ICT services, systems or products;
(b) the relevance of specific critical ICT services, systems or products for performing critical or sensitive functions, including the processing of personal data;
(c) the availability of alternative ICT services, systems or products;
(d) the resilience of the overall supply chain of ICT services, systems or products against disruptive events;
(e) for emerging ICT services, systems or products, their potential future significance for the entities’ activities.
Amendment 427 #
Proposal for a directive
Article 20 – paragraph 1
1. Member States shall ensure that essential and important entities notify, without undue delay, the relevant competent authorities and the CSIRT in accordance with paragraphs 3 and 4 of any incident having a significant impact on the provision of their services (‘significant incident’). Where appropriate, those entities shall notify, without undue delay, the recipients of their services of incidents that are likely to adversely affect the provision of that service. Member States shall ensure that those entities report, among others, any information enabling the competent authorities or the CSIRT to determine any cross-border impact of the incident.
Amendment 429 #
Proposal for a directive
Article 20 – paragraph 2
Amendment 437 #
Proposal for a directive
Article 20 – paragraph 3
Amendment 441 #
Proposal for a directive
Article 20 – paragraph 3 a (new)
3a. Member States shall ensure that in order to determine the significance of the individual incident, where available, the following parameters shall, in particular, be taken into account: (a) the number of the recipients of the services affected by the incident; (b) the duration of the incident; (c) the geographical spread of the area affected by the incident; (d) the extent to which the functioning and continuity of the service is affected; (e) the extent of impact, including financial, on economic and societal activities of the entity directly concerned, of other entities or on national security.
Amendment 442 #
Proposal for a directive
Article 20 – paragraph 3 b (new)
3b. Member States shall establish a single entry point for notifications required from essential and important entities under paragraph 1, and where relevant also for other notifications under this Directive and under other relevant Union law, and decide on which authorities shall receive the notifications and the scope of the information provided for each authority, including for the purpose of information sharing pursuant to paragraphs 7a, 8a and 8b of this Article.
Amendment 444 #
Proposal for a directive
Article 20 – paragraph 4 – subparagraph 1 – introductory part
4. Member States shall ensure that, for the purpose of the notification under paragraph 1, the entities concerned shall submit to the competent authorities and the CSIRT:
Amendment 449 #
Proposal for a directive
Article 20 – paragraph 4 – subparagraph 1 – point a
(a) without undue delay and in any event within 24 hours after having become aware of the incident, an initial notification, which, where applicable, shall indicate whether the incident is presumably caused by unlawful or malicious action;
Amendment 450 #
Proposal for a directive
Article 20 – paragraph 4 – subparagraph 1 – point b
(b) upon the request of a competent authority or a CSIRT, without undue delay, information on relevant status updates;
Amendment 452 #
Proposal for a directive
Article 20 – paragraph 4 – subparagraph 1 – point c – introductory part
(c) a detailed incident report not later than one month after the submission of the report under point (a), including at least the following:
Amendment 460 #
Proposal for a directive
Article 20 – paragraph 4 a (new)
4a. When processing notifications, the competent authorities and the CSIRT shall, taking into account their available capacity, prioritise the processing of notifications from essential entities over those from important entities and processing of mandatory notifications from essential and important entities over the voluntary notifications pursuant to Article 27.
Amendment 462 #
Proposal for a directive
Article 20 – paragraph 5
5. The competent national authorities or the CSIRT shall provide, within 24 hours after receiving the initial notification referred to in point (a) of paragraph 4, a response to the notifying entity, including initial feedback on the incident, particularly whether they deem it significant, and, upon request of the entity, guidance on the implementation of possible mitigation measures. Where the CSIRT did not receive the notification referred to in paragraph 1, the guidance shall be provided by the competent authority in collaboration with the CSIRT. The CSIRT shall provide additional technical support if the concerned entity so requests. Where the incident is suspected to be of criminal nature, the competent national authorities or the CSIRT shall also provide guidance on reporting the incident to law enforcement authorities. Where the incident is suspected to be of nature breaching the national security, the competent authorities or the CSIRT shall without undue delay inform relevant national authorities.
Amendment 466 #
Proposal for a directive
Article 20 – paragraph 6
6. Where appropriate, and in particular where the incident referred to in paragraph 1 concerns two or more Member States, the competent authority or the CSIRT shall inform without undue delay the other affected Member States and ENISA of the incident. In so doing, the competent authorities, CSIRTs and single points of contact shall, in accordance with Union law or national legislation that complies with Union law, preserve the entity’s security and commercial interests as well as the confidentiality of the information provided.
Amendment 470 #
Proposal for a directive
Article 20 – paragraph 7 a (new)
7a. Competent authorities or the CSIRTs shall provide without undue delay to the single point of contact information on significant incidents notified in accordance with paragraph 1.
Amendment 472 #
Proposal for a directive
Article 20 – paragraph 8
8. At the request of the competent authority or the CSIRT, the single point of contact shall forward without undue delay notifications received pursuant to paragraphs 1 and 2 to the single points of contact of other affected Member States.
Amendment 474 #
Proposal for a directive
Article 20 – paragraph 9
9. The single point of contact shall submit to ENISA on a monthly basis a summary report including anonymised and aggregated data on significant incidents, significant cyber threats and significant near misses notified in accordance with paragraphs 1 and 2 and in accordance with Article 27. In order to contribute to the provision of comparable information, ENISA may issue technical guidance on the parameters of the information included in the summary report.
Amendment 477 #
Proposal for a directive
Article 20 – paragraph 10
10. Competent authorities or the CSIRTs shall provide without undue delay to the competent authorities designated pursuant to Directive (EU) XXXX/XXXX [Resilience of Critical Entities Directive] information on significant incidents notified in accordance with paragraphs 1 and 2 by essential entities identified as critical entities, or as entities equivalent to critical entities, pursuant to Directive (EU) XXXX/XXXX [Resilience of Critical Entities Directive], as well as on the measures taken by competent authorities or CSIRTs in response to those incidents.
Amendment 480 #
Proposal for a directive
Article 20 – paragraph 10 a (new)
10a. Competent authorities or the CSIRTs shall provide without undue delay to the national regulatory authorities or other competent authorities responsible for public electronic communications networks or for publicly available electronic communications services pursuant to Directive (EU) 2018/1972, information on significant incidents notified in accordance with paragraph 1 by providers of public electronic communications networks or publicly available electronic communications services referred to in point 8 of Annex I, as well as on the measures taken by competent authorities or CSIRTs in response to those incidents.
Amendment 484 #
Proposal for a directive
Article 20 – paragraph 11
11. The Commission, after it has consulted the industry and taking utmost account of ENISA’s opinion, may adopt implementing acts further specifying the type of information, the format and the procedure of a notification submitted pursuant to paragraphs 1 and 2. They shall be based on European and international standards to the greatest extent possible. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 37(2).
Amendment 486 #
Proposal for a directive
Article 21 – title
Use of European cybersecurity certification schemes and standardisation
Amendment 490 #
Proposal for a directive
Article 21 – paragraph 1
1. In order to increase the level of cybersecurity, Member States may recommend essential and important entities to certify certain ICT products, ICT services and ICT processes under specific European cybersecurity certification schemes adopted pursuant to Article 49 of Regulation (EU) 2019/881 or other international cybersecurity certification schemes. Member States shall also encourage essential and important entities to comply with European and internationally accepted standards.
Amendment 493 #
Proposal for a directive
Article 21 – paragraph 2
Amendment 499 #
Proposal for a directive
Article 21 – paragraph 3
Amendment 509 #
Proposal for a directive
Article 24 – paragraph 1
1. DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers and providers of number-independent interpersonal communications services referred to in point 8 of Annex I, as well as digital providers referred to in point 6 of Annex II shall be deemed to be under the jurisdiction of the Member State in which they have their main establishment in the Union.
Amendment 511 #
Proposal for a directive
Article 24 – paragraph 1 a (new)
1a. All essential and important entities referred to in Annexes I and II, with the exception of entities referred to in paragraph 1 of this Article, shall fall under the jurisdiction of the Member State where they provide their services. If the entity provides services in more than one Member State, it shall fall under the separate and concurrent jurisdiction of each of these Member States. The competent authorities of these Member States shall cooperate, provide mutual assistance to each other and where appropriate, carry out joint supervisory actions.
Amendment 513 #
Proposal for a directive
Article 24 – paragraph 2
2. For the purposes of this Directive, entities referred to in paragraph 1 shall be deemed to have their main establishment in the Union in the Member State where the decisions related to the cybersecurity risk management measures are taken. If such decisions are not taken in any establishment in the Union, the main establishment shall be deemed to be in the Member State where the entities have the establishment responsible for the implementation of the main cybersecurity risk management measures in the Union.
Amendment 517 #
Proposal for a directive
Article 25
Amendment 522 #
Proposal for a directive
Article 26 – paragraph 1 – introductory part
1. Without prejudice to Regulation (EU) 2016/679, Member States shall ensure that essential and important entities and other relevant entities not covered by the scope of this Directive may exchange relevant cybersecurity information among themselves including information relating to cyber threats, vulnerabilities, indicators of compromise, tactics, techniques and procedures, cybersecurity alerts and configuration tools, where such information sharing:
Amendment 527 #
Proposal for a directive
Article 26 – paragraph 2
2. Member States shall facilitate the exchange of information within trusted communities of essential and important entities and other relevant entities. Such exchange shall be implemented through information sharing arrangements in respect of the potentially sensitive nature of the information shared and in compliance with the rules of Union law referred to in paragraph 1.
Amendment 531 #
Proposal for a directive
Article 26 – paragraph 3
3. Member States shall set out recommendations specifying the procedure, operational elements (including the use of dedicated ICT platforms), content and conditions of the information sharing arrangements referred to in paragraph 2. Such recommendations shall also lay down the details of the involvement of public authorities in such arrangements, as well as operational elements, including the use of dedicated IT platforms. Member States shall offer support to the application of such arrangements in accordance with their policies referred to in Article 5(2) (g).
Amendment 532 #
Proposal for a directive
Article 26 – paragraph 3 a (new)
3a. Provisions of paragraphs 1, 2 and 3 of this Article shall apply mutatis mutandis for the information-sharing with entities under the jurisdiction of another Member State. The competent authorities of the Member States concerned shall cooperate to facilitate the information-sharing.
Amendment 533 #
Proposal for a directive
Article 26 – paragraph 4
4. Essential and important entities may notify the competent authorities of their participation in the information-sharing arrangements referred to in paragraphs 2 and 3a, upon entering into such arrangements, or, as applicable, of their withdrawal from such arrangements, once the withdrawal takes effect.
Amendment 534 #
Proposal for a directive
Article 26 – paragraph 5
5. In compliance with Union law, ENISA shall support the establishment of cybersecurity information-sharing arrangements referred to in paragraphs 2 and 3a by providing best practices and guidance.
Amendment 535 #
Proposal for a directive
Article 27 – title
Voluntary reporting
Amendment 536 #
Proposal for a directive
Article 27 – paragraph 1
Member States shall ensure that, without prejudice to Article 3, entities falling outside the scope of this Directive may submit notifications to competent authorities or the CSIRT, on a voluntary basis, of significant incidents, significant cyber threats or significant near misses.
Amendment 538 #
Proposal for a directive
Article 27 – paragraph 1 a (new)
Member States shall ensure that Article 20 applies mutatis mutandis for the submission and processing of the voluntary notifications referred to in paragraph 1 and 1a of this Article. Voluntary reporting shall not result in the imposition of any additional obligations upon the reporting entity to which it would not have been subject had it not submitted the notification.
Amendment 539 #
Proposal for a directive
Article 27 – paragraph 1 b (new)
Member States shall ensure that Article 20 applies mutatis mutandis for the submission and processing of the voluntary notifications referred to in paragraphs 1 and 1a of this Article. Where applicable, the voluntarily reporting entities shall be encouraged to notify simultaneously the recipients of their services that are potentially affected of any measures or remedies that those recipients can take in response to the threat. The notification shall not make the notifying entity subject to increased liability. Voluntary reporting shall not result in the imposition of any additional obligations upon the reporting entity to which it would not have been subject had it not submitted the notification.
Amendment 547 #
Proposal for a directive
Article 29 – paragraph 2 – point g
(g) requests for evidence of implementation of cybersecurity policies, such as the results of security audits carried out by a qualified auditor and the respective underlying evidence; the cost of the audit shall be paid by the essential entity;
Amendment 549 #
Proposal for a directive
Article 29 – paragraph 4 – point a a (new)
(aa) investigate cases of non-compliance and the effects thereof on the security of the services;
Amendment 550 #
Proposal for a directive
Article 29 – paragraph 4 – point b
(b) issue binding instructions, including those regarding the measures required to remedy an incident or prevent one from occurring when a significant threat has been identified, time-limits for implementation and reporting obligations, or an order requiring those entities to remedy the deficiencies identified or the infringements of the obligations laid down in this Directive;
Amendment 560 #
Proposal for a directive
Article 29 – paragraph 5 – subparagraph 1 – point a
(a) suspend or request a certification or authorisation body to consider suspension of a certification or authorisation concerning relevant services or activities provided by an essential entity;
Amendment 562 #
Proposal for a directive
Article 29 – paragraph 5 – subparagraph 1 – point b
Amendment 569 #
Proposal for a directive
Article 29 – paragraph 6
6. Member States shall ensure that any natural person responsible for or acting as a representative of an essential entity on the basis of the power to represent it, the authority to take decisions on its behalf or the authority to exercise control of it has the powers to ensure its compliance with the obligations laid down in this Directive. Member States shall ensure that those natural persons may be held liable for breach of their duties to ensure compliance with the obligations laid down in this Directive.
Amendment 572 #
Proposal for a directive
Article 30 – paragraph 2 – point a a (new)
(aa) investigate cases of non-compliance and the effects thereof on the security of the services;
Amendment 580 #
Proposal for a directive
Article 31 – paragraph 6
Amendment 587 #
Proposal for a directive
Article 36
Amendment 590 #
Proposal for a directive
Article 38 – paragraph 1
1. Member States shall adopt and publish, by … [24 months after the date of entry into force of this Directive], the laws, regulations and administrative provisions necessary to comply with this Directive. They shall immediately inform the Commission thereof. They shall apply those measures from … [one day after the date referred to in the first subparagraph].
Amendment 592 #
Proposal for a directive
Article 39 – paragraph 1
Article 19 of Regulation (EU) No 910/2014 is deleted with effect from [date of transposition deadline of the Directive].
Amendment 593 #
Proposal for a directive
Article 40 – paragraph 1
Amendment 597 #
Proposal for a directive
Article 42 – paragraph 1
This Directive shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union, with exception to Article 39 which enters into force on the day following the day when the transposition deadline as laid down in Article 38 expires.
Amendment 598 #
Proposal for a directive
Annex I – subheading 1
ENTITIES WITH HIGHER LEVEL OF CRITICALITY:
Amendment 599 #
Proposal for a directive
Annex I – table – point 9
Amendment 600 #
Proposal for a directive
Annex II – subheading 1