BETA

Activities of Jürgen CREUTZMANN related to 2013/0027(COD)

Shadow opinions (1)

OPINION on the proposal for a directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union
2016/11/22
Committee: ITRE
Dossiers: 2013/0027(COD)
Documents: PDF(426 KB) DOC(662 KB)

Amendments (33)

Amendment 141 #
Proposal for a directive
Recital 5
(5) To cover all relevant incidents and risks, this Directive should apply to all network and information systems. The obligations on public administrations and market operators should however not apply to undertakings providing public communication networks or publicly available electronic communication services within the meaning of Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive)25 , which are subject to the specific security and integrity requirements laid down in Article 13a of that Directive nor should they apply to trust service providers. __________________ 25 OJ L 108, 24.4.2002, p. 33.
2013/11/19
Committee: ITRE
Amendment 166 #
Proposal for a directive
Recital 15
(15) As most network and information systems are privately operated, cooperation between the public and private sector is essential. Market operators should be encouraged to pursue their own informal cooperation mechanisms to ensure NIS. They should also cooperate with the public sector and share information and best practices in exchange of operational support and relevant information in case of incidents.
2013/11/19
Committee: ITRE
Amendment 188 #
Proposal for a directive
Recital 28
(28) Competent authorities should pay due attention to preserving informal and trusted channels of information-sharing between market operators and between the public and the private sectors. Previously unknown vulnerabilities or incidents reported to competent authorities should be notified to the manufacturers and service providers of affected ICT products and services. Publicity of incidents reported to the competent authorities should duly balance the interest of the public in being informed about threats with possible reputational and commercial damages for the public administrations and market operators reporting incidents. In the implementation of the notification obligations, competent authorities should pay particular attention to the need to maintain information about product vulnerabilities strictly confidential prior to the release of appropriate security fixes.
2013/11/19
Committee: ITRE
Amendment 215 #
Proposal for a directive
Article 3 – paragraph 1 – point 4
(4) ‘incident’ means any reasonably identifiable circumstance or event having an actual adverse effect on security;
2013/11/19
Committee: ITRE
Amendment 216 #
Proposal for a directive
Article 3 – paragraph 1 – point 5
(5) ‘information society service’ mean service within the meaning of point (2) of Article 1 of Directive 98/34/EC;deleted
2013/11/19
Committee: ITRE
Amendment 219 #
Proposal for a directive
Article 3 – paragraph 1 – point 8 – point a
(a) provider of information society services which enable the provision of other information society services, a non- exhaustive list of which is set out in Annex II;deleted
2013/11/19
Committee: ITRE
Amendment 222 #
Proposal for a directive
Article 3 – paragraph 1 – point 8 – point b
(b) operator of critical infrastructure that are essential for the maintenance of vital economic and societal activities in the fields of energy, transport, banking, stock exchanges and health, a non-exhaustive list of which is set out in Annex II.
2013/11/19
Committee: ITRE
Amendment 226 #
Proposal for a directive
Article 4
[...]deleted
2013/11/19
Committee: ITRE
Amendment 239 #
Proposal for a directive
Article 7 – paragraph 1
1. Each Member State shall set up aone or more Computer Emergency Response Teams (hereinafter: ‘CERT’) responsible for handling incidents and risks according to a well-defined process, which shall comply with the requirements set out in point (1) of Annex I. A CERT may be established within the competent authority.
2013/11/19
Committee: ITRE
Amendment 254 #
Proposal for a directive
Article 8 – paragraph 3 – point c a (new)
(c a) jointly discuss and coordinate their measures regarding security requirements and incident notification referred to in article 14 and regarding implementation and enforcement referred to in article 15;
2013/11/19
Committee: ITRE
Amendment 263 #
Proposal for a directive
Article 8 – paragraph 3 a (new)
3a. Where appropriate market operators may be invited to participate in the activities of the cooperation network referred to in points (a), (g), (h) and (i) of paragraph 3.
2013/11/19
Committee: ITRE
Amendment 271 #
Proposal for a directive
Article 10 – paragraph 1 – point a
(a) they grow rapidly or may grow rapidly in scale and affect or may affect more than one Member State;
2013/11/19
Committee: ITRE
Amendment 272 #
Proposal for a directive
Article 10 – paragraph 1 – point c
(c) they affect or may affect more than one Member Stadelete.d
2013/11/19
Committee: ITRE
Amendment 274 #
Proposal for a directive
Article 10 – paragraph 2
2. In the early warnings, the competent authorities and the Commission shall communicate any relevant information in their possession that may be useful for assessing the risk or incident. Information deemed classified or confidential by the concerned public administration or market operator respectively and the identity of the latter shall only be provided to the degree necessary to assess the risk or incident.
2013/11/19
Committee: ITRE
Amendment 277 #
Proposal for a directive
Article 10 – paragraph 4
4. Where the risk or incident subject to an early warning is of a suspected serious criminal nature, the competent authorities or the Commission shall inform the European Cybercrime Centre within Europol where appropriate.
2013/11/19
Committee: ITRE
Amendment 280 #
Proposal for a directive
Article 10 – paragraph 5
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 18, concerning the further specification of the risks and incidents triggering early warning referred to in paragraph 1.
2013/11/19
Committee: ITRE
Amendment 293 #
Proposal for a directive
Article 14 – paragraph 1
1. Member States shall ensure that public administrations and market operators take appropriate technical and organisational measures to manage the risks posed to the security of the networks and information systems which they control and use in their operations. Having regard to the state of the artechnological development, these measures shall guaranteensure a level of security appropriate to the risk presented. In particular, appropriate measures shall be taken to prevent and minimise the impact of incidents affecting their network and information system on the core services they provide and thus ensure the continuity of the services underpinned by those networks and information systems.
2013/11/19
Committee: ITRE
Amendment 297 #
Proposal for a directive
Article 14 – paragraph 2
2. Member States shall ensure that public administrations and market operators notify to the competent authority, in the Member State where the core services are affected, incidents having a significant impact on the security and/or continuity of the core services they provide.
2013/11/19
Committee: ITRE
Amendment 307 #
Proposal for a directive
Article 14 – paragraph 4
4. The competent authority, after consultation with the concerned public administration or market operator, may inform the public, or require the public administrations and market operators to do so, where it determines that disclosure of the incident is in the public interest and where the latter outweighs any conflicting interests of the public administration or market operator concerned. Once a year, the competent authority shall submit a summary report to the cooperation network on the notifications received and the action taken in accordance with this paragraph.
2013/11/19
Committee: ITRE
Amendment 313 #
Proposal for a directive
Article 14 – paragraph 6
6. Subject to any delegated act adopted under paragraph 5, the competent authorities may adopt guidelines and, where necessary, issue instructions concerning the circumstances in which public administrations and market operators are required to notify incidents.deleted
2013/11/19
Committee: ITRE
Amendment 321 #
Proposal for a directive
Article 15 – paragraph 1
1. Member States shall ensure that the competent authorities have all the powers necessary to investigate cases of non-ensure compliance of public administrations or market operators with their obligations under Article 14 and the effects thereof on the security of networks and information systems.
2013/11/19
Committee: ITRE
Amendment 324 #
Proposal for a directive
Article 15 – paragraph 2 – point b
(b) undergo, where the information provided according to point (a) of this paragraph is not conclusive, a security audit carried out by a qualified independent body or national authority and make the results thereof available to the competent authority.
2013/11/19
Committee: ITRE
Amendment 325 #
Proposal for a directive
Article 15 – paragraph 3
3. Member States shall ensure that competent authorities have the power to issue binding instructions to market operators and public administrations.deleted
2013/11/19
Committee: ITRE
Amendment 328 #
Proposal for a directive
Article 15 – paragraph 4
4. The competent authorities shallmay, subsequent to informing the concerned public administration or market operator, notify incidents of a suspected serious criminal nature to law enforcement authorities.
2013/11/19
Committee: ITRE
Amendment 333 #
Proposal for a directive
Article 16 – paragraph 1
1. To ensure convergent implementation of Article 14(1), Member States shall encourage the use of European and international standards and/or specifications relevant to networks and information security.
2013/11/19
Committee: ITRE
Amendment 336 #
Proposal for a directive
Article 17 – paragraph 1
1. Member States shall lay down rules on sanctions applicable to negligent and intentional infringements of the national provisions adopted pursuant to this Directive and shall take all measures necessary to ensure that they are implemented. The sanctions provided for must be effective, proportionate and dissuasive. The Member States shall notify those provisions to the Commission by the date of transposition of this Directive at the latest and shall notify it without delay of any subsequent amendment affecting them.
2013/11/19
Committee: ITRE
Amendment 348 #
Proposal for a directive
Annex 2 – paragraph 1 – point 1
1. e-commerce platformsdeleted
2013/11/19
Committee: ITRE
Amendment 350 #
Proposal for a directive
Annex 2 – paragraph 1 – point 2
2. Internet payment gatewaysdeleted
2013/11/19
Committee: ITRE
Amendment 351 #
Proposal for a directive
Annex 2 – paragraph 1 – point 3
3. Social networksdeleted
2013/11/19
Committee: ITRE
Amendment 352 #
Proposal for a directive
Annex 2 – paragraph 1 – point 4
4. Search enginesdeleted
2013/11/19
Committee: ITRE
Amendment 354 #
Proposal for a directive
Annex 2 – paragraph 1 – point 5
5. Cloud computing servicesdeleted
2013/11/19
Committee: ITRE
Amendment 358 #
Proposal for a directive
Annex 2 – paragraph 1 – point 5 a (new)
5a. Water services.
2013/11/19
Committee: ITRE
Amendment 361 #
Proposal for a directive
Annex 2 – paragraph 1 – point 6
6. Application storesdeleted
2013/11/19
Committee: ITRE