Activities of Elżbieta Katarzyna ŁUKACIJEWSKA related to 2020/0359(COD)

Shadow opinions (1)

OPINION on the proposal for a directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148
2021/07/14
Committee: TRAN
Dossiers: 2020/0359(COD)
Documents: PDF(211 KB) DOC(141 KB)
Authors: Jakop G. DALUNDE (MEP ID 183338)

Amendments (19)

Amendment 10
Proposal for a directive
Recital 3
(3) Network and information systems have developed into a central feature of everyday life with the speedy digital transformation and interconnectedness of society, contributing to growth of new models of economy, such as gig, on-demand and platform economy, including in cross-border exchanges and aaS (as-a-service) approach. That development has led to an expansion of the cybersecurity threat landscape, bringing about new challenges, which require adapted, coordinated and innovative responses in all Member States. The number, magnitude, sophistication, frequency and impact of cybersecurity incidents are increasing, and present a major threat to the functioning of network and information systems. As a result, cyber incidents can impede the pursuit of economic activities in the internal market, social activities, generate financial losses, undermine user and worker confidence, cause major damage to the Union economy and society or constitute a terrorist threat. Cybersecurity preparedness and effectiveness are therefore now more essential than ever to the proper functioning of the internal market.
2021/05/28
Committee: TRAN
Amendment 14
Proposal for a directive
Recital 9
(9) However, small or micro entities fulfilling certain criteria that indicate a key role for the economies or societies of Member States or for particular sectors or types of services, should also be covered by this Directive. Member States should be responsible for establishing a list of such entities, and submit it to the Commission. This exercise shall be carried out with full understanding of the specificity of SME business activity, and shall not place excessive administrative burden on them.
2021/05/28
Committee: TRAN
Amendment 15
Proposal for a directive
Recital 10
(10) The Commission, in cooperation with the Cooperation Group, may issue guidelines on the implementation of the criteria applicable to micro and small enterprises. Relevant information materials shall be prepared and distributed by the Commission with the support of Member States, as well as appropriate guidance should be given to all micro, small and medium enterprises falling within the scope of this Directive.
2021/05/28
Committee: TRAN
Amendment 19
Proposal for a directive
Recital 17
(17) Given the emergence of innovative technologies, new business models and new models of flexible and remote work, new cloud computing deployment and service models are expected to appear on the market in response to evolving customer and business needs. In that context, cloud computing services may be delivered in a highly distributed form, even closer to where data are being generated or collected, thus moving from the traditional model to a highly distributed one (‘edge computing’).
2021/05/28
Committee: TRAN
Amendment 23
Proposal for a directive
Recital 19
(19) Postal service providers within the meaning of Directive 97/67/EC of the European Parliament and of the Council18, as well as express and courier delivery service providers, should be subject to this Directive if they provide at least one of the steps in the postal delivery chain and in particular clearance, sorting or distribution, including pick-up services. Transport or delivery services that are not undertaken in conjunction with one of those steps should fall outside of the scope of postal services.
_________________
18 Directive 97/67/EC of the European Parliament and of the Council of 15 December 1997 on common rules for the development of the internal market of Community postal services and the improvement of quality of service (OJ L 15, 21.1.1998, p. 14).
2021/05/28
Committee: TRAN
Amendment 24
Proposal for a directive
Recital 27 a (new)
(27 a) Member States should, in their national cybersecurity strategies, address specific cybersecurity needs of small and medium-sized enterprises (SMEs), namely low cyber-awareness, a lack of remote IT security, high cost of cybersecurity solutions and an increased level of threat. Member States should have a cybersecurity point of contact for SMEs to provide relevant information, service and guidance.
2021/05/28
Committee: TRAN
Amendment 26
Proposal for a directive
Recital 33
(33) When developing guidance documents, the Cooperation Group should consistently: map national solutions and experiences, assess the impact of Cooperation Group deliverables on national approaches, discuss implementation challenges and formulate specific recommendations, also on the proper alignment in the transposition of the Directive, to be addressed through better implementation of existing rules.
2021/05/28
Committee: TRAN
Amendment 33
Proposal for a directive
Recital 55
(55) This Directive lays down a two-stage approach to incident reporting in order to strike the right balance between, on the one hand, swift reporting that helps mitigate the potential spread of incidents and allows entities to seek support, and, on the other hand, in-depth reporting that draws valuable lessons from individual incidents and improves over time the resilience to cyber threats of individual companies and entire sectors. Where entities become aware of an incident, they should be required to submit an initial notification within 72 hours, followed by a final report not later than one month after. The initial notification should only include the information strictly necessary to make the competent authorities aware of the incident and allow the entity to seek assistance, if required. Such notification, where applicable, should indicate whether the incident is presumably caused by unlawful or malicious action. Member States should ensure that the requirement to submit this initial notification does not divert the reporting entity’s resources from activities related to incident handling that should be prioritised. To further prevent that incident reporting obligations either divert resources from incident response handling or may otherwise compromise the entities’ efforts in that respect, Member States should also provide that, in duly justified cases and in agreement with the competent authorities or the CSIRT, the entity concerned can deviate from the deadlines of 72 hours for the initial notification and one month for the final report.
2021/05/28
Committee: TRAN
Amendment 38
Proposal for a directive
Article 5 – paragraph 2 – point h
(h) a policy addressing specific needs of SMEs, in particular those excluded from the scope of this Directive, in relation to guidance, providing necessary and comprehensive information and support in improving their resilience to cybersecurity threats.
2021/05/28
Committee: TRAN
Amendment 40
Proposal for a directive
Article 12 – paragraph 4 – point a
(a) providing guidance to competent authorities in relation to the transposition and implementation of this Directive, so as to minimise existing disparities between cybersecurity risk management practices and standards among the Member States;
2021/05/28
Committee: TRAN
Amendment 45
Proposal for a directive
Article 18 – paragraph 5
5. The Commission may adopt implementing acts in order to lay down the technical and the methodological specifications of the elements referred to in paragraph 2. Where preparing those acts, the Commission shall proceed in accordance with the examination procedure referred to in Article 37(2) and follow, to the greatest extent possible, international and European standards, as well as relevant technical specifications.
deleted
2021/05/28
Committee: TRAN
Amendment 47
Proposal for a directive
Article 20 – paragraph 2 – introductory part
2. Member States shall encourage that essential and important entities notify, without undue delay, the competent authorities or the CSIRT of any significant cyber threat that those entities identify that could have potentially resulted in a significant incident.
2021/05/28
Committee: TRAN
Amendment 48
Proposal for a directive
Article 20 – paragraph 2 – subparagraph 1
Where applicable, those entities may notify, without undue delay, the recipients of their services that are potentially affected by a significant cyber threat of any measures or remedies that those recipients can take in response to that threat. Where appropriate, the entities shall also notify those recipients of the threat itself. The notification shall not make the notifying entity subject to increased liability.
2021/05/28
Committee: TRAN
Amendment 49
Proposal for a directive
Article 20 – paragraph 3 – point a
(a) the incident has caused or has the potential to cause substantial operational disruption or financial losses for the entity concerned, or would have caused such, had it not been prevented;
2021/05/28
Committee: TRAN
Amendment 50
Proposal for a directive
Article 20 – paragraph 3 – point b
(b) the incident has affected or has the potential to affect other natural or legal persons by causing considerable material or non-material losses, or would have caused such, had it not been prevented.
2021/05/28
Committee: TRAN
Amendment 51
Proposal for a directive
Article 20 – paragraph 4 – point a
(a) without undue delay and in any event within 72 hours after having become aware of the incident, an initial notification, which, where applicable, shall indicate whether the incident is presumably caused by unlawful or malicious action;
2021/05/28
Committee: TRAN
Amendment 53
Proposal for a directive
Article 20 – paragraph 4 – point c – point iii
(iii) applied and ongoing mitigation measures and results thereof.
2021/05/28
Committee: TRAN
Amendment 58
Proposal for a directive
Article 21 – paragraph 1
1. In order to demonstrate compliance with certain requirements of Article 18, Member States shall encourage essential and important entities to certify certain ICT products, ICT services and ICT processes, either developed by the essential or important entity or procured from third parties, under European cybersecurity certification schemes adopted pursuant to Article 49 of Regulation (EU) 2019/881 or under similar internationally recognised certification schemes.
2021/05/28
Committee: TRAN
Amendment 60
Proposal for a directive
Article 21 – paragraph 2
2. The Commission shall be empowered to adopt delegated acts specifying which categories of essential entities shall be required to obtain a certificate and under which specific European cybersecurity certification schemes pursuant to paragraph 1. The delegated acts shall be adopted in accordance with Article 36.
deleted
2021/05/28
Committee: TRAN