Activities of Ivailo KALFIN related to 2013/0027(COD)
Plenary speeches (1)
High common level of network and information security (debate)
Shadow opinions (1)
OPINION on the proposal for a directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union
Amendments (38)
Amendment 134
Proposal for a directive
Recital 4
(4) A cooperation mechanism should be established at Union level to allow for information exchange and coordinated detection and response regarding network and information security (‘NIS’). For that mechanism to be effective and inclusive, it is essential that all Member States have minimum capabilities and a strategy ensuring a high level of NIS in their territory. Minimum security requirements should also apply to public administrations and public and private operators of critical information infrastructure to promote a culture of risk management and ensure that the most serious incidents are reported. The Critical Infrastructure Warning Information Network (CIWIN) should be expanded to these particular operators.
Amendment 140
Proposal for a directive
Recital 5
(5) To cover all relevant incidents and risks, this Directive should apply to all network and information systems. The obligations fall on public administrations and market operators providing and/or operating services, as listed in Article 3(8)(b) of this Directive. The obligations should however not apply to undertakings providing public communication networks or publicly available electronic communication services within the meaning of Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive)25, which are subject to the specific security and integrity requirements laid down in Article 13a of that Directive, nor should they apply to trust service providers. __________________ 25 OJ L 108, 24.4.2002, p. 33.
Amendment 146
Proposal for a directive
Recital 7
(7) Responding effectively to the challenges of the security of network and information systems therefore requires a global approach at Union level covering common minimum capacity building and planning requirements, exchange of information and coordination of actions, and common minimum security requirements for all market operators concerned and public administrations.
Amendment 152
Proposal for a directive
Recital 10
(10) To allow for the effective implementation of the provisions adopted pursuant to this Directive, a body responsible for coordinating NIS issues and acting as a single focal point for both internal coordination and cross-border cooperation at Union level should be established or identified in each Member State. These single national points of contact should be designated without prejudice to the possibility for each Member State to designate more than one national competent authority in charge of network and information security, according to its constitutional, jurisdictional or administrative requirements, but should nonetheless be assigned a coordinating mandate at national and Union level. These bodies should be given adequate technical, financial and human resources to ensure that they can carry out in a continuous, effective and efficient manner the tasks assigned to them and thus achieve the objectives of this Directive.
Amendment 154
Proposal for a directive
Recital 11
(11) All Member States should be adequately equipped, both in terms of technical and organisational capabilities, to prevent, detect, respond to and mitigate network and information systems' incidents and risks. Well-functioning Computer Emergency Response Teams complying with essential requirements and continuous (24/7) mitigation and response capabilities should therefore be established in all Member States to guarantee effective and compatible capabilities to deal with incidents and risks and ensure efficient cooperation at Union level. In view of the above, Member States should guarantee that each sectoral service, listed in Annex II of the present Directive, is covered by at least one CERT. Regarding cross-border cooperation, Member States should ensure that CERTs have sufficient means to participate in the respective international and European cooperation networks. The European Network and Information Security Agency should provide the necessary assistance and advice for capacity building in case of need.
Amendment 160
Proposal for a directive
Recital 13
(13) The European Network and Information Security Agency (‘ENISA’) should assist the Member States and the Commission by providing its expertise and advice and by facilitating exchange of best practices. In particular, in the application of this Directive, the Commission and Member States should consult ENISA. To ensure effective and timely information to the Member States and the Commission, early warnings on incidents and risks should be notified within the cooperation network. To build capacity and knowledge among Member States, the cooperation network should also serve as an instrument for the exchange of best practices, assisting its members in building capacity, steering the organisation of peer reviews and NIS exercises.
Amendment 165
Proposal for a directive
Recital 15
(15) As most network and information systems are privately operated, cooperation between the public and private sector is essential. Market operators should be encouraged to pursue their own informal cooperation mechanisms to ensure NIS. They should also cooperate with the public sector and mutually share information and best practices, including the reciprocal exchange of relevant information and operational support in case of incidents. To effectively encourage the sharing of information and of best practices, it is essential to ensure that market operators and critical public administrations, referred to in Article 3(8)(b), who participate in such exchanges are not disadvantaged as a result of their cooperation. Adequate safeguards are needed to ensure that such cooperation will not expose these operators to higher compliance risk or new liabilities under, inter alia, competition, intellectual property, data protection or cybercrime law, nor expose them to increased operational or security risks.
Amendment 169
Proposal for a directive
Recital 16
(16) To ensure transparency and properly inform EU citizens and market operators, the national competent authorities, functioning as single points of contact, should set up a common website at EU level to publish non-confidential information on the incidents and risks.
Amendment 172
Proposal for a directive
Recital 17
(17) The information classification policy referred to in Recital 14 should follow the ENISA recommended Information Sharing Traffic Light Protocol. Any information exchanged shall be classified and handled according to its level of sensitivity as determined by the source of the information. Where information is considered confidential in accordance with Union and national rules on business confidentiality, such confidentiality shall be ensured when carrying out the activities and fulfilling the objectives set by this Directive.
Amendment 180
Proposal for a directive
Recital 24
(24) Those obligations should be extended beyond the electronic communications sector to public and private key providers and operators of critical infrastructure which rely heavily on information and communications technology and are essential to the maintenance of vital economical or societal functions such as electricity and gas, transport, financial institutions, stock exchange and health. Disruption of those network and information systems would affect the internal market and the physical or financial integrity of the beneficiaries of the services they provide. Downstream information society services or on-line activities, such as e-commerce platforms, Internet payment gateways, social networks, search engines, cloud computing services, application stores, as well as software developers and hardware manufacturers, are not to be bound to any of the compulsory reporting within this Directive.
Nonetheless, their voluntary reporting and information sharing with the competent authorities following the mechanisms laid down in this Directive is strongly recommended, particularly in the event of severe incidents or disruptions.
Amendment 187
Proposal for a directive
Recital 28
(28) Competent authorities, including the single points of contact, should pay due attention to preserving informal and trusted channels of information-sharing between market operators and between the public and the private sectors and should handle all information exchanged in accordance with the security classification, as indicated by its source. Publicity of incidents reported to the competent authorities should duly balance the interest of the public in being informed about threats with possible reputational and commercial damages for the public administrations and market operators reporting incidents. In the implementation of the notification obligations, competent authorities should pay particular attention to the need to maintain information about product vulnerabilities strictly confidential prior to the release of appropriate security fixes.
Amendment 197
Proposal for a directive
Recital 32
(32) Standardisation of security requirements is a market-driven process. To ensure a convergent application of security standards, Member States should encourage compliance or conformity with specified standards to ensure a high level of security at Union level. To this end, the application of open international standards on network information security or the design of such tools needs to be considered. Another step forward might be necessary to draft harmonised standards, which should be done in accordance with Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council Decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council29. In particular, ETSI, CEN and CENELEC should be mandated to suggest effective and efficient EU open security standards, where technological preferences are avoided as much as possible, and which should be made easily manageable by small and medium-size market operators and smaller public administrations. __________________ 29 OJ L 316, 14.11.2012, p. 12.
Amendment 198
Proposal for a directive
Recital 33
(33) The Commission should periodically review this Directive, in consultation with all interested stakeholders, in particular with a view to determining the need for modification in the light of changing technological or market conditions.
Amendment 202
Proposal for a directive
Recital 38
(38) Information that is considered confidential by a competent authority, in accordance with Union and national rules on business confidentiality, should be exchanged with the Commission, its relevant agencies and/or other national competent authorities only where such exchange is strictly necessary for the application of this Directive. The information exchanged should be limited to that which is relevant and proportionate to the purpose of such exchange, while respecting pre-defined criteria for confidentiality and security and classification protocols governing the information sharing procedure.
Amendment 205
Proposal for a directive
Article 1 – paragraph 3
3. The security requirements provided for in Article 14 shall apply neither to undertakings providing public communication networks or publicly available electronic communication services within the meaning of Directive 2002/21/EC, which shall comply with the specific security and integrity requirements laid down in Articles 13a and 13b of that Directive, nor to trust service providers nor to information society services whose confidentiality, integrity, availability and authenticity are not essential to the maintenance of vital economical or societal functions.
Amendment 208
Proposal for a directive
Article 1 – paragraph 6
6. The sharing of information within the cooperation network under Chapter III and the notifications of NIS incidents under Article 14 may require the communication to trusted third parties and the processing of personal data. Such processing, which is necessary to meet the objectives of public interest pursued by this Directive, shall be authorised by the Member State pursuant to Article 7 of Directive 95/46/EC and Directive 2002/58/EC, as implemented in national law. Member States shall adopt legislative measures in accordance with Article 13 of Directive 95/46/EC to ensure that public administrations, market operators and competent authorities are not held liable for processing personal data necessary for the sharing of information within the cooperation network and incident notification.
Amendment 218
Proposal for a directive
Article 3 – paragraph 1 – point 8 – introductory part
(8) ‘market operator’ means:
Amendment 221
Proposal for a directive
Article 3 – paragraph 1 – point 8 – point b
(b) public or private operators of critical infrastructure that are essential for the maintenance of vital economic and societal activities in the fields of energy, transport, banking and financial services, stock exchanges, information and communication technologies and health, a non-exhaustive list of which is set out in Annex II.
Amendment 224
Proposal for a directive
Article 3 – paragraph 1 – point 8 a (new)
(8a) "incident having a significant impact" means an incident affecting the security and continuity of an information network or system that leads to the major disruption of vital economic or societal functions;
Amendment 225
Proposal for a directive
Article 3 – paragraph 1 – point 8 b (new)
(8b) "service" means the service provided by a public administration or market operator, to the exclusion of any other services of the same entity.
Amendment 237
Proposal for a directive
Article 7 – paragraph 1
1. Each Member State shall set up a Computer Emergency Response Team (hereinafter: ‘CERT’) responsible for handling incidents and risks according to a well-defined process, which shall comply with the requirements set out in point (1) of Annex I. A CERT may be established within a competent authority on network information security or could be designated as the national single point of contact.
Amendment 248
Proposal for a directive
Article 8 – paragraph 2
2. The cooperation network shall bring into permanent communication the Commission and the competent authorities and, as appropriate, relevant public administrations and market operators. When requested, the European Network and Information Security Agency (‘ENISA’) shall assist the cooperation network by providing its expertise and advice.
Amendment 251
Proposal for a directive
Article 8 – paragraph 3 – point a a (new)
(aa) Where information, early warnings or best practices originating from market operators or public administrations are shared within, or disclosed by, the cooperation network, such sharing or disclosure shall be in accordance with the information classification as determined by the original source in accordance with Article 9(1). It shall be ensured that the original source is informed of the sharing or disclosure, including which relevant authorities or operators are to be informed of the incident, and that such sharing or disclosure does not harm the legitimate interests of the source.
Amendment 260
Proposal for a directive
Article 8 – paragraph 3 – point f a (new)
(fa) jointly discuss and agree on the common interpretation, consistent application and harmonious implementation within the Union of the provisions of Chapter IV;
Amendment 279
Proposal for a directive
Article 10 – paragraph 4 a (new)
4a. Where the risk or incident subject to an early warning is of a suspected severe cross-border technical nature, the competent authorities or the Commission shall inform the European Network Information Security Agency;
Amendment 290
Proposal for a directive
Article 14 – paragraph 1
1. Member States shall ensure that public administrations and market operators, providing or operating services, referred to in Article 3(8)(b) of this Directive, take appropriate technical and organisational measures to manage the risks posed to the security of the networks and information systems which they control and use in their operations. Having regard to the state of the art, these measures shall guarantee a level of security appropriate to the risk presented. In particular, measures shall be taken to prevent and minimise the impact of incidents affecting their network and information system on the core services they provide and thus ensure the continuity of the services underpinned by those networks and information systems.
Amendment 295
Proposal for a directive
Article 14 – paragraph 2
2. Member States shall ensure that public administrations and market operators, providing or operating services, referred to in Article 3(8)(b) of this Directive, notify to the competent authority incidents having a significant impact on the security and continuity of the core services they provide. Member States shall ensure that compliance with this requirement does not alter the provisions of Article 9(1) of this Directive, nor expose the notifying party to increased liability or unnecessary operational or security risk.
Amendment 300
Proposal for a directive
Article 14 – paragraph 2 a (new)
2a. Public administrations and market operators, referred to in Article 3(8)(a) of this Directive, should report incidents on a voluntary basis and in the event of a severe incident, disruption or threat within their network or system.
Amendment 301
Proposal for a directive
Article 14 – paragraph 2 b (new)
2b. The single points of contact or national competent authorities shall, as soon as possible, report back to the relevant public administration or market operator which has reported an incident on the actions, decisions or recommendations undertaken, as well as on any third party informed and on the security and confidentiality protocols governing the information sharing.
Amendment 302
Proposal for a directive
Article 14 – paragraph 3
3. The requirements under paragraphs 1 and 2 apply to all public and market operators, referred to in Article 3(8)(b), which provide services within the European Union. These operators shall notify the incidents referred to in paragraphs 1 and 2 to the single point of contact in the Member State where the core service is affected. Where core services in more than one Member State are affected, the single point of contact which has received the notification shall, based on the information provided by the originating source, alert the other single points of contact concerned, through mutually pre-defined confidentiality and security protocols. The originating source should be informed, as soon as possible, which other single points of contact have been informed of the incident, as well as of any steps undertaken, results or other information of relevance to the incident.
Amendment 304
Proposal for a directive
Article 14 – paragraph 4
4. The competent authority may inform the public, or require the public administrations and market operators to do so, where it determines that the public interest in the disclosure of the incident outweighs possible reputational and commercial damages for the public administration or market operator in question. Administrations and operators shall have the right to make the case to the competent authority as to whether disclosure is appropriate prior to determinations being made. In any case, the Member States should avoid disclosure of business confidential information. Once a year, they shall submit a summary report to the cooperation network on the notifications received and the action taken in accordance with this paragraph.
Amendment 322
Proposal for a directive
Article 15 – paragraph 2 – point b
Amendment 331
Proposal for a directive
Article 16 – paragraph 1
1. To ensure convergent implementation of Article 14(1), Member States, without prescribing the use of any particular technology, shall encourage the use of open and interoperable international standards and/or specifications relevant to networks and information security.
Amendment 344
Proposal for a directive
Annex 1 – paragraph 1 – point 1 – point c
(c) The offices of the CERT and the supporting information systems shall be located in secure sites with secured network information systems.
Amendment 347
Proposal for a directive
Annex 2 – heading 1
List of public and private operators
Amendment 349
Proposal for a directive
Annex 2 – paragraph 1 – point 2
Amendment 355
Proposal for a directive
Annex 2 – paragraph 1 – point 5
5. Business-to-users Cloud computing services
Amendment 357
Proposal for a directive
Annex 2 – paragraph 1 – point 5 a (new)
5a. Information and Communication Technologies: Business-to-business Cloud computing services, Internet payment gateways.