Activities of Izaskun BILBAO BARANDICA related to 2022/0085(COD)
Shadow reports (1)
REPORT on the proposal for a regulation of the European Parliament and of the Council laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union
Amendments (71)
Amendment 96 #
Proposal for a regulation
Recital 4
(4) The Union institutions, bodies and agencies are attractive targets that face highly skilled and well-resourced threat actors as well as other threats. At the same time, the level and maturity of cyber resilience and the ability to detect and respond to malicious cyber activities varies significantly across those entities. It is thus necessary for the functioning of the European administration that the institutions, bodies and agencies of the Union achieve a high common level of cybersecurity through cybersecurity measures (a set of minimum cybersecurity rules with which network and information systems and their operators and users have to be compliant to minimise cybersecurity risks), information exchange and collaboration.
Amendment 98 #
Proposal for a regulation
Recital 6
(6) To reach a high common level of cybersecurity, it is necessary that each Union institution, body and agency establishes an internal cybersecurity risk management, handling of incidents, governance and control framework that ensures an effective and prudent management of all cybersecurity risks, and takes account of business continuity and crisis management.
Amendment 102 #
Proposal for a regulation
Recital 7
(7) The differences between Union institutions, bodies and agencies require flexibility in the implementation since one size will not fit all. The measures for a high common level of cybersecurity should not include any obligations directly interfering with the exercise of the missions of Union institutions, bodies and agencies or encroaching on their institutional autonomy. Thus, those institutions, bodies and agencies should establish their own frameworks for cybersecurity risk management, handling of incidents, governance and control, and adopt their own baselines and cybersecurity plans.
Amendment 107 #
Proposal for a regulation
Recital 9
(9) A high common level of cybersecurity requires cybersecurity to come under the oversight of the highest level of management of each Union institution, body and agency, who should approve cybersecurity measures that should address the risks identified under the framework to be established by each institution, body and agency. Addressing the cybersecurity culture, i.e. the daily practice of cybersecurity, is an integral part of the cybersecurity measures in all Union institutions, bodies and agencies.
Amendment 109 #
Proposal for a regulation
Recital 10
(10) Union institutions, bodies and agencies should assess risks related to relationships with suppliers and service providers, including providers of data storage and processing services or managed security services, and take appropriate measures to address them. These measures should form part of the cybersecurity measures and be further specified in guidance documents or recommendations issued by CERT-EU. When defining measures and guidelines, due account should be taken of relevant EU legislation and policies, including risk assessments and recommendations issued by the NIS Cooperation Group, such as the EU Coordinated risk assessment and EU Toolbox on 5G cybersecurity. In addition, certification of relevant ICT products, services and processes could be required, under specific EU cybersecurity certification schemes adopted pursuant to Article 49 of Regulation (EU) 2019/881.
Amendment 112 #
Proposal for a regulation
Recital 13
(13) Many cyberattacks are part of wider campaigns that target groups of Union institutions, bodies and agencies or communities of interest that include Union institutions, bodies and agencies. To enable proactive detection, incident response or mitigating measures, Union institutions, bodies and agencies should notify CERT-EU of significant cyber threats, significant vulnerabilities, near misses and significant incidents and share appropriate technical details that enable detection or mitigation of, as well as response to, similar cyber threats, vulnerabilities, near misses and incidents in other Union institutions, bodies and agencies. Following the same approach as the one envisaged in Directive [proposal NIS 2], where entities become aware of a significant incident they should be required to submit an early warning to CERT-EU within 24 hours. Such information exchange should enable CERT-EU to disseminate the information to other Union institutions, bodies and agencies, as well as to appropriate counterparts, to help protect the Union IT environments and the Union’s counterparts’ IT environments against similar incidents, threats and vulnerabilities.
Amendment 134 #
Proposal for a regulation
Article 1 – paragraph 1 – point a
(a) obligations on Union institutions, bodies and agencies to establish an internal cybersecurity risk management, handling of incidents, governance and control framework;
Amendment 146 #
Proposal for a regulation
Article 3 – paragraph 1 – point 5
(5) ‘highest level of management’ means a manager, management or coordination and oversight body at the most senior administrative level, taking account of the high-level governance arrangements in each Union institution, body or agency, responsible for the functioning of the Union institution, body or agency;
Amendment 153 #
Proposal for a regulation
Article 3 – paragraph 1 – point 8
(8) ‘major incident’ means any incident affecting two or more Union institutions, bodies or agencies, or requiring more resources than are available at the affected Union institution, body or agency and at CERT-EU;
Amendment 157 #
Proposal for a regulation
Article 3 – paragraph 1 – point 11
(11) ‘significant cyber threat’ means a cyber threat within the meaning of Article 4(7a) of Directive [proposal NIS 2];
Amendment 158 #
Proposal for a regulation
Article 3 – paragraph 1 – point 13 a (new)
(13 a) "near miss" means a near miss within the meaning of Article 4 (4a) of Directive [proposal NIS 2];
Amendment 161 #
Proposal for a regulation
Article 3 – paragraph 1 – point 14
(14) ‘cybersecurity risk’ means a risk within the meaning of Article 4(7b) of Directive [proposal NIS 2];
Amendment 173 #
Proposal for a regulation
Article 3 – paragraph 1 – point 16
(16) ‘cybersecurity measures’ means a set of minimum cybersecurity rules and measures with which network and information systems and their operators and users must be compliant, to minimise cybersecurity risks.
Amendment 175 #
Proposal for a regulation
Article 4 – title
Risk management, handling, governance and control
Amendment 177 #
Proposal for a regulation
Article 4 – paragraph 1
1. Each Union institution, body and agency shall establish its own internal cybersecurity risk management, handling of incidents, governance and control framework (‘the framework’) in support of the entity’s mission and exercising its institutional autonomy. This work shall be overseen by the entity’s highest level of management to ensure an effective and prudent management of all cybersecurity risks. The framework shall be in place by …. at the latest [15 months after the entry into force of this Regulation].
Amendment 184 #
Proposal for a regulation
Article 4 – paragraph 3
3. The highest level of management of each Union institution, body and agency shall provide oversight over the compliance and functioning of their organisation with the obligations related to cybersecurity risk management, handling, governance, and control, without prejudice to the formal responsibilities of other levels of management for compliance and risk management in their respective areas of responsibility.
Amendment 192 #
Proposal for a regulation
Article 5 – title
Cybersecurity measures
Amendment 196 #
Proposal for a regulation
Article 5 – paragraph 1
1. The highest level of management of each Union institution, body and agency shall approve the entity’s own cybersecurity measures to address the risks identified under the framework referred to in Article 4(1). It shall do so in support of its mission and exercising its institutional autonomy. The cybersecurity measures shall be in place by …. at the latest [18 months after the entry into force of this Regulation] and shall address the domains listed in Annex I and the measures listed in Annex II.
Amendment 204 #
Proposal for a regulation
Article 6 – paragraph 1
Each Union institution, body and agency shall carry out a cybersecurity maturity assessment by at the latest [6 months after the entry into force of this Regulation], and at least every two years thereafter, incorporating all the elements of their IT environment as described in Article 4, taking account of the relevant guidance documents and recommendations adopted in accordance with Article 13.
Amendment 212 #
Proposal for a regulation
Article 7 – paragraph 1
1. Following the conclusions derived from the maturity assessment and considering the assets and risks identified pursuant to Article 4, the highest level of management of each Union institution, body and agency shall approve a cybersecurity plan without undue delay after the establishment of the risk management, handling, governance and control framework and the cybersecurity measures. The plan shall aim at increasing the overall cybersecurity of the concerned entity and shall thereby contribute to the achievement or enhancement of a high common level of cybersecurity among all Union institutions, bodies and agencies. To support the entity’s mission on the basis of its institutional autonomy, the plan shall at least include the domains listed in Annex I, the measures listed in Annex II, as well as measures related to incident preparedness, response, handling and recovery, such as security monitoring and logging. The plan shall be revised at least every two years, following the maturity assessments carried out pursuant to Article 6.
Amendment 226 #
Proposal for a regulation
Article 9 – paragraph 3 – subparagraph 1 a (new)
A gender balance shall be maintained among the appointed representatives.
Amendment 235 #
Proposal for a regulation
Article 9 – paragraph 9
9. The Head of CERT-EU, or his or her alternate, shall participate in IICB meetings, except where otherwise decided by the IICB in accordance with its internal rules of procedure.
Amendment 236 #
Proposal for a regulation
Article 9 – paragraph 10
10. The secretariat of the IICB shall be provided by ENISA.
Amendment 238 #
Proposal for a regulation
Article 9 – paragraph 11
11. The representatives nominated by the EUAN upon a proposal of the ICT Advisory Committee shall relay the IICB’s decisions to the Union agencies and joint undertakings. Any Union agency and body shall be entitled to raise with the representatives or the chair of the IICB any matter which it considers should be brought to the IICB’s attention.
Amendment 239 #
Proposal for a regulation
Article 9 – paragraph 12
Amendment 244 #
Proposal for a regulation
Article 10 – paragraph 1 – point a a (new)
(a a) provide strategic direction to the head of CERT-EU;
Amendment 245 #
Proposal for a regulation
Article 10 – paragraph 1 – point h a (new)
Amendment 246 #
Proposal for a regulation
Article 10 – paragraph 1 – point h b (new)
(h b) where necessary, instruct CERT-EU to issue, withdraw or modify a proposal for guidance documents or recommendations, or a call for action.
Amendment 247 #
Proposal for a regulation
Article 10 – paragraph 1 – point i
(i) establish as many technical advisory groups as necessary, with concrete tasks to assist the IICB’s work, approve their terms of reference and designate their respective chairs.
Amendment 268 #
Proposal for a regulation
Article 11 – paragraph 1 a (new)
These warnings and recommendations shall be directed to the highest level of management of the concerned entity.
Amendment 271 #
Proposal for a regulation
Article 12 – paragraph 1
1. The mission of CERT-EU, the autonomous interinstitutional Cybersecurity Centre for all Union institutions, bodies and agencies, shall be to contribute to the security of the unclassified IT environment of all Union institutions, bodies and agencies by advising them on cybersecurity, by helping them to prevent, detect, handle, mitigate and respond to incidents and by acting as their cybersecurity information exchange and incident response coordination hub.
Amendment 276 #
Proposal for a regulation
Article 12 – paragraph 2 – point d
(d) raise to the attention of the IICB any issue relating to the implementation of this Regulation and of the implementation of Article 13;
Amendment 277 #
Proposal for a regulation
Article 12 – paragraph 2 – point e
(e) collect the cyber threats faced by the Union institutions, bodies and agencies in order to contribute to the EU cyber situational awareness.
Amendment 280 #
Proposal for a regulation
Article 12 – paragraph 3 – point b a (new)
(b a) coordinated management of major incidents and crises at operational level and to regularly exchange relevant information among Member States and Union institutions, bodies and agencies within the European cyber crises liaison organisation network (EU-CyCLONe);
Amendment 281 #
Proposal for a regulation
Article 12 – paragraph 3 – point c a (new)
(c a) proactive scanning of network and information systems;
Amendment 282 #
Proposal for a regulation
Article 12 – paragraph 4
4. CERT-EU shall engage in structured cooperation with the European Union Agency for Cybersecurity on capacity building, operational cooperation and long-term strategic analyses of cyber threats in accordance with Regulation (EU) 2019/881 of the European Parliament and of the Council. Furthermore, CERT-EU may cooperate and exchange information with Europol’s Cybercrime Centre.
Amendment 297 #
Proposal for a regulation
Article 13 – paragraph 2 – point a
(a) modalities for or improvements to cybersecurity risk management and the cybersecurity measures;
Amendment 300 #
Proposal for a regulation
Article 13 – paragraph 2 – point c a (new)
(c a) where appropriate, facilitate the common purchasing of relevant services and equipment.
Amendment 301 #
Proposal for a regulation
Article 13 – paragraph 3
Amendment 302 #
Proposal for a regulation
Article 13 – paragraph 4
Amendment 305 #
Proposal for a regulation
Article 14 – paragraph 1
The Head of CERT-EU shall regularly, at least once a year, submit reports to the IICB and the IICB Chair on the performance of CERT-EU, financial planning, revenue, implementation of the budget, service level agreements and written agreements entered into, cooperation with counterparts and partners, and missions undertaken by staff, including the reports referred to in Article 10(1).
Amendment 311 #
Proposal for a regulation
Article 15 – paragraph 1
1. The Commission, after having obtained the approval of the IICB by qualified majority, shall appoint the Head of CERT-EU. The IICB shall be consulted at all stages of the procedure prior to the appointment of the Head of CERT-EU, in particular in drafting vacancy notices, examining applications and appointing selection boards in relation to this post.
Amendment 314 #
Proposal for a regulation
Article 15 – paragraph 2
2. For the application of administrative and financial procedures, the Head of CERT-EU shall act under the authority of the Commission, after the approval of IICB.
Amendment 315 #
Proposal for a regulation
Article 16 – paragraph 1
1. CERT-EU shall cooperate and exchange information with national counterparts in the Member States, including CERTs, National Cybersecurity Centres, CSIRTs, and single points of contact referred to in Article 8 of Directive [proposal NIS 2], on cyber threats, vulnerabilities, incidents and near misses, on possible countermeasures as well as best practices and on all matters relevant for improving the protection of the IT environments of Union institutions, bodies and agencies, including through the CSIRTs network referred to in Article 13 of Directive [proposal NIS 2]. CERT-EU shall support the Commission in the EU-CyCLONe referred to in Article 14 of Directive [proposal NIS 2] on coordinated management of major incidents and crises.
Amendment 317 #
Proposal for a regulation
Article 17 – paragraph 1
1. CERT-EU may cooperate with non-Member State counterparts that are subject to European cybersecurity requirements or requirements of a similar nature, including industry sector-specific counterparts, on tools and methods, such as techniques, tactics, procedures and best practices, and on cyber threats and vulnerabilities. For all cooperation with such counterparts, including in frameworks where non-EU counterparts cooperate with national counterparts of Member States, CERT-EU shall seek prior approval from the IICB.
Amendment 320 #
Proposal for a regulation
Article 17 – paragraph 2
2. CERT-EU may cooperate with other partners, such as commercial entities, international organisations, non-European Union national entities or individual experts, to gather information on general and specific cyber threats, vulnerabilities, near misses and possible countermeasures. For wider cooperation with such partners, CERT-EU shall seek prior approval from the IICB.
Amendment 323 #
Proposal for a regulation
Article 18 – paragraph 4
4. The handling of information by CERT-EU and the Union institutions, bodies and agencies shall be in line with the rules laid down in [proposed Regulation on information security]. When cooperating with other counterparts, similar information handling should be used by CERT-EU.
Amendment 329 #
Proposal for a regulation
Article 19 – paragraph 1
1. To enable CERT-EU to coordinate incident response, it may request Union institutions, bodies and agencies to provide it with information from their respective IT system inventories that is relevant for the CERT-EU support. The requested institution, body or agency shall transmit the requested information, and any subsequent updates thereto, without undue delay.
Amendment 330 #
Proposal for a regulation
Article 19 – paragraph 1 a (new)
1 a. To enable CERT-EU to coordinate vulnerability management, it may request Union institutions, bodies and agencies to provide it with information from their respective IT system inventories that is relevant for the CERT-EU support. The requested institution, body or agency may transmit the requested information, and any subsequent updates thereto.
Amendment 331 #
Proposal for a regulation
Article 19 – paragraph 2
Amendment 339 #
Proposal for a regulation
Article 20 – paragraph 1 – subparagraph 1
All Union institutions, bodies and agencies shall make an early warning to CERT-EU of significant cyber threats, significant vulnerabilities and significant incidents without undue delay and in any event no later than 24 hours after becoming aware of them.
Amendment 343 #
Proposal for a regulation
Article 20 – paragraph 1 – subparagraph 2
Amendment 349 #
Proposal for a regulation
Article 20 – paragraph 2 – introductory part
2. The Union institutions, bodies and agencies shall make an incident notification to CERT-EU without undue delay and in any event within 72 hours after having become aware of the incident, update the early warning and indicate an initial assessment of the incident with the appropriate technical details that enable detection, incident response or mitigating measures. The notification shall include if available:
Amendment 350 #
Proposal for a regulation
Article 20 – paragraph 2 – point c
(c) potential severity and impact;
Amendment 351 #
Proposal for a regulation
Article 20 – paragraph 2 a (new)
2 a. The Union institutions, bodies and agencies shall make a final report to CERT-EU no later than one month after the submission of the incident notification, including at least the following: (a) a detailed description of the incident, its severity and impact; (b) the type of threat or root cause that likely triggered the incident; (c) applied and ongoing mitigation measures; (d) where applicable, the cross-border impact of the incident;
Amendment 354 #
Proposal for a regulation
Article 20 – paragraph 2 b (new)
2 b. In duly justified cases and in agreement with CERT-EU, the Union institution, body or agency concerned may deviate from the deadline laid down in the previous paragraphs. The Union institution, body or agency concerned shall provide a progress report by the deadline of the submission of a final report, if a deviation is agreed on.
Amendment 355 #
Proposal for a regulation
Article 20 – paragraph 2 c (new)
2 c. The Union institutions, bodies and agencies, upon request from CERT-EU, shall without undue delay provide the digital information created by the use of electronic devices involved in their respective incidents. CERT-EU may further clarify which types of such digital information it requires for situational awareness and incident response.
Amendment 357 #
Proposal for a regulation
Article 20 – paragraph 2 d (new)
2 d. The Union institutions, bodies and agencies may on a voluntary basis notify CERT-EU of significant cyber threats, vulnerabilities and near misses.
Amendment 359 #
Proposal for a regulation
Article 20 – paragraph 3
3. CERT-EU shall submit to ENISA on a monthly basis a summary report including anonymised and aggregated data on significant cyber threats, significant vulnerabilities, near misses and significant incidents notified in accordance with paragraph 1.
Amendment 361 #
Proposal for a regulation
Article 20 – paragraph 4
4. CERT-EU may issue guidance documents or recommendations concerning the modalities and content of the notification. CERT-EU shall disseminate the appropriate technical details to enable proactive detection, incident response or mitigating measures by Union institutions, bodies and agencies.
Amendment 364 #
Proposal for a regulation
Article 21 – paragraph 1 – introductory part
1. In acting as a cybersecurity information exchange and incident response coordination hub, CERT-EU shall facilitate information exchange with regards to cyber threats, vulnerabilities, near misses and incidents among:
Amendment 365 #
Proposal for a regulation
Article 21 – paragraph 3
3. CERT-EU shall support Union institutions, bodies and agencies regarding situational awareness of cyber threats, vulnerabilities, near misses and incidents, as well as sharing the latest developments in the field of cybersecurity.
Amendment 368 #
Proposal for a regulation
Article 22 – title
Major incidents
Amendment 371 #
Proposal for a regulation
Article 22 – paragraph 1
1. CERT-EU shall coordinate among Union institutions, bodies and agencies responses to major incidents. It shall maintain an inventory of technical expertise that would be needed for incident response in the event of such incidents.
Amendment 376 #
Proposal for a regulation
Article 22 – paragraph 3
3. With the approval of the concerned Union institutions, bodies and agencies, CERT-EU may also call on experts from the list referred to in paragraph 2 for contributing to the response to a major incident in a Member State, in line with the operating procedures of EU-CyCLONe.
Amendment 381 #
Proposal for a regulation
Article 24 – paragraph 1
1. The IICB, with the assistance of CERT-EU, shall periodically, at least once a year, report to the Commission on the implementation of this Regulation. The IICB may also make recommendations to the Commission to propose amendments to this Regulation.
Amendment 383 #
Proposal for a regulation
Article 24 – paragraph 2
2. The Commission shall report on the implementation of this Regulation to the European Parliament and the Council at the latest 36 months after the entry into force of this Regulation and every two years thereafter.
Amendment 384 #
Proposal for a regulation
Article 24 – paragraph 2 a (new)
2 a. The first report on the implementation of this Regulation shall evaluate CERT-EU as an independent body.
Amendment 389 #
Proposal for a regulation
Annex I – paragraph 1 – introductory part
The following domains shall be addressed in the cybersecurity measures:
Amendment 396 #
Proposal for a regulation
Annex II – paragraph 1 – introductory part
Union institutions, bodies and agencies shall address at least the following specific cybersecurity measures in the implementation of the cybersecurity measures and in their cybersecurity plans, in line with the guidance documents and recommendations from the IICB:
Amendment 403 #
Proposal for a regulation
Annex II – paragraph 1 – point 4 – point b
(b) the contractual obligation to report incidents, vulnerabilities, near misses and cyber threats as well as to have appropriate incident response and monitoring in place.