Activities of Jürgen CREUTZMANN related to 2013/0027(COD)
Shadow opinions (1)
OPINION on the proposal for a directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union
Amendments (33)
Amendment 141 #
Proposal for a directive
Recital 5
Recital 5
(5) To cover all relevant incidents and risks, this Directive should apply to all network and information systems. The obligations on public administrations and market operators should however not apply to undertakings providing public communication networks or publicly available electronic communication services within the meaning of Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive)25 , which are subject to the specific security and integrity requirements laid down in Article 13a of that Directive nor should they apply to trust service providers. __________________ 25 OJ L 108, 24.4.2002, p. 33.
Amendment 166 #
Proposal for a directive
Recital 15
Recital 15
(15) As most network and information systems are privately operated, cooperation between the public and private sector is essential. Market operators should be encouraged to pursue their own informal cooperation mechanisms to ensure NIS. They should also cooperate with the public sector and share information and best practices in exchange of operational support and relevant information in case of incidents.
Amendment 188 #
Proposal for a directive
Recital 28
Recital 28
(28) Competent authorities should pay due attention to preserving informal and trusted channels of information-sharing between market operators and between the public and the private sectors. Previously unknown vulnerabilities or incidents reported to competent authorities should be notified to the manufacturers and service providers of affected ICT products and services. Publicity of incidents reported to the competent authorities should duly balance the interest of the public in being informed about threats with possible reputational and commercial damages for the public administrations and market operators reporting incidents. In the implementation of the notification obligations, competent authorities should pay particular attention to the need to maintain information about product vulnerabilities strictly confidential prior to the release of appropriate security fixes.
Amendment 215 #
Proposal for a directive
Article 3 – paragraph 1 – point 4
Article 3 – paragraph 1 – point 4
(4) ‘incident’ means any reasonably identifiable circumstance or event having an actual adverse effect on security;
Amendment 216 #
Proposal for a directive
Article 3 – paragraph 1 – point 5
Article 3 – paragraph 1 – point 5
Amendment 219 #
Proposal for a directive
Article 3 – paragraph 1 – point 8 – point a
Article 3 – paragraph 1 – point 8 – point a
Amendment 222 #
Proposal for a directive
Article 3 – paragraph 1 – point 8 – point b
Article 3 – paragraph 1 – point 8 – point b
(b) operator of critical infrastructure that are essential for the maintenance of vital economic and societal activities in the fields of energy, transport, banking, stock exchanges and health, a non-exhaustive list of which is set out in Annex II.
Amendment 226 #
Proposal for a directive
Article 4
Article 4
Amendment 239 #
Proposal for a directive
Article 7 – paragraph 1
Article 7 – paragraph 1
1. Each Member State shall set up aone or more Computer Emergency Response Teams (hereinafter: ‘CERT’) responsible for handling incidents and risks according to a well-defined process, which shall comply with the requirements set out in point (1) of Annex I. A CERT may be established within the competent authority.
Amendment 254 #
Proposal for a directive
Article 8 – paragraph 3 – point c a (new)
Article 8 – paragraph 3 – point c a (new)
(c a) jointly discuss and coordinate their measures regarding security requirements and incident notification referred to in article 14 and regarding implementation and enforcement referred to in article 15;
Amendment 263 #
Proposal for a directive
Article 8 – paragraph 3 a (new)
Article 8 – paragraph 3 a (new)
3a. Where appropriate market operators may be invited to participate in the activities of the cooperation network referred to in points (a), (g), (h) and (i) of paragraph 3.
Amendment 271 #
Proposal for a directive
Article 10 – paragraph 1 – point a
Article 10 – paragraph 1 – point a
(a) they grow rapidly or may grow rapidly in scale and affect or may affect more than one Member State;
Amendment 272 #
Proposal for a directive
Article 10 – paragraph 1 – point c
Article 10 – paragraph 1 – point c
Amendment 274 #
Proposal for a directive
Article 10 – paragraph 2
Article 10 – paragraph 2
2. In the early warnings, the competent authorities and the Commission shall communicate any relevant information in their possession that may be useful for assessing the risk or incident. Information deemed classified or confidential by the concerned public administration or market operator respectively and the identity of the latter shall only be provided to the degree necessary to assess the risk or incident.
Amendment 277 #
Proposal for a directive
Article 10 – paragraph 4
Article 10 – paragraph 4
4. Where the risk or incident subject to an early warning is of a suspected serious criminal nature, the competent authorities or the Commission shall inform the European Cybercrime Centre within Europol where appropriate.
Amendment 280 #
Proposal for a directive
Article 10 – paragraph 5
Article 10 – paragraph 5
Amendment 293 #
Proposal for a directive
Article 14 – paragraph 1
Article 14 – paragraph 1
1. Member States shall ensure that public administrations and market operators take appropriate technical and organisational measures to manage the risks posed to the security of the networks and information systems which they control and use in their operations. Having regard to the state of the artechnological development, these measures shall guaranteensure a level of security appropriate to the risk presented. In particular, appropriate measures shall be taken to prevent and minimise the impact of incidents affecting their network and information system on the core services they provide and thus ensure the continuity of the services underpinned by those networks and information systems.
Amendment 297 #
Proposal for a directive
Article 14 – paragraph 2
Article 14 – paragraph 2
2. Member States shall ensure that public administrations and market operators notify to the competent authority, in the Member State where the core services are affected, incidents having a significant impact on the security and/or continuity of the core services they provide.
Amendment 307 #
Proposal for a directive
Article 14 – paragraph 4
Article 14 – paragraph 4
4. The competent authority, after consultation with the concerned public administration or market operator, may inform the public, or require the public administrations and market operators to do so, where it determines that disclosure of the incident is in the public interest and where the latter outweighs any conflicting interests of the public administration or market operator concerned. Once a year, the competent authority shall submit a summary report to the cooperation network on the notifications received and the action taken in accordance with this paragraph.
Amendment 313 #
Proposal for a directive
Article 14 – paragraph 6
Article 14 – paragraph 6
Amendment 321 #
Proposal for a directive
Article 15 – paragraph 1
Article 15 – paragraph 1
1. Member States shall ensure that the competent authorities have all the powers necessary to investigate cases of non-ensure compliance of public administrations or market operators with their obligations under Article 14 and the effects thereof on the security of networks and information systems.
Amendment 324 #
Proposal for a directive
Article 15 – paragraph 2 – point b
Article 15 – paragraph 2 – point b
(b) undergo, where the information provided according to point (a) of this paragraph is not conclusive, a security audit carried out by a qualified independent body or national authority and make the results thereof available to the competent authority.
Amendment 325 #
Proposal for a directive
Article 15 – paragraph 3
Article 15 – paragraph 3
Amendment 328 #
Proposal for a directive
Article 15 – paragraph 4
Article 15 – paragraph 4
4. The competent authorities shallmay, subsequent to informing the concerned public administration or market operator, notify incidents of a suspected serious criminal nature to law enforcement authorities.
Amendment 333 #
Proposal for a directive
Article 16 – paragraph 1
Article 16 – paragraph 1
1. To ensure convergent implementation of Article 14(1), Member States shall encourage the use of European and international standards and/or specifications relevant to networks and information security.
Amendment 336 #
Proposal for a directive
Article 17 – paragraph 1
Article 17 – paragraph 1
1. Member States shall lay down rules on sanctions applicable to negligent and intentional infringements of the national provisions adopted pursuant to this Directive and shall take all measures necessary to ensure that they are implemented. The sanctions provided for must be effective, proportionate and dissuasive. The Member States shall notify those provisions to the Commission by the date of transposition of this Directive at the latest and shall notify it without delay of any subsequent amendment affecting them.
Amendment 348 #
Proposal for a directive
Annex 2 – paragraph 1 – point 1
Annex 2 – paragraph 1 – point 1
Amendment 350 #
Proposal for a directive
Annex 2 – paragraph 1 – point 2
Annex 2 – paragraph 1 – point 2
Amendment 351 #
Proposal for a directive
Annex 2 – paragraph 1 – point 3
Annex 2 – paragraph 1 – point 3
Amendment 352 #
Proposal for a directive
Annex 2 – paragraph 1 – point 4
Annex 2 – paragraph 1 – point 4
Amendment 354 #
Proposal for a directive
Annex 2 – paragraph 1 – point 5
Annex 2 – paragraph 1 – point 5
Amendment 358 #
Proposal for a directive
Annex 2 – paragraph 1 – point 5 a (new)
Annex 2 – paragraph 1 – point 5 a (new)
5a. Water services.
Amendment 361 #
Proposal for a directive
Annex 2 – paragraph 1 – point 6
Annex 2 – paragraph 1 – point 6