Progress: Procedure completed
Role | Committee | Rapporteur | Shadows |
---|---|---|---|
Lead | ITRE | GROOTHUIS Bart (Renew) | MAYDELL Eva (EPP), KAILI Eva (S&D), ANDRESEN Rasmus (Verts/ALE), MARIANI Thierry (ID), TOŠENOVSKÝ Evžen (ECR), MATIAS Marisa (GUE/NGL) |
Committee Opinion | CULT | | |
Committee Opinion | AFET | GREGOROVÁ Markéta (Verts/ALE) | Dragoş TUDORACHE (RE), Witold Jan WASZCZYKOWSKI (ECR) |
Committee Opinion | TRAN | DALUNDE Jakop G. (Verts/ALE) | Petar VITANOV (S&D) |
Committee Opinion | LIBE | MANDL Lukas (EPP) | Maite PAGAZAURTUNDÚA (RE), Peter KOFOD (ID), Patrick BREYER (Verts/ALE) |
Committee Opinion | IMCO | LØKKEGAARD Morten (Renew) | Deirdre CLUNE (PPE), Stelios KOULOGLOU (GUE/NGL), Evžen TOŠENOVSKÝ (ECR), Marco CAMPOMENOSI (ID), Marcel KOLAJA (Verts/ALE), Maria-Manuel LEITÃO-MARQUES (S&D) |
Committee Opinion | ECON | | |
Legal Basis: RoP 57, TFEU 114-p1
PURPOSE: to strengthen cybersecurity and resilience across the EU.
LEGISLATIVE ACT: Directive (EU) 2022/2555 of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive).
CONTENT: the Directive establishes measures that aim to achieve a common high level of cybersecurity across the Union with a view to further improving the resilience and incident response capabilities of both the public and private sectors and the EU as a whole. The new Directive, called ‘NIS 2’, will replace the current Network and Information Security Directive (NIS Directive).
Objective
The revised Directive aims to harmonise cybersecurity requirements and implementation of cybersecurity measures in different Member States. To achieve this, it sets out minimum rules for a regulatory framework and lays down mechanisms for effective cooperation among relevant authorities in each Member State.
The NIS2 Directive will form the basis for cybersecurity risk management measures and reporting obligations in all key sectors covered by the Directive, namely energy, transport, banking, financial market infrastructure, health, drinking water, digital infrastructure, public administrations and the space sector, as well as in important sectors such as postal services, waste management, chemicals, food, medical device manufacturing, electronics, machinery, vehicle engines and digital suppliers.
Scope
The new NIS2 Directive introduces a size-cap rule as a general rule for identification of regulated entities. This means that all medium and large entities operating in the sectors covered by the Directive or providing services within its scope will fall within its scope.
The Directive will apply to public administration entities at central and regional level. In addition, Member States may decide to apply it also to such entities at local level and to educational institutions, in particular where they carry out critical research activities.
The Directive will not apply to public administration entities carrying out activities in the fields of national security, public security, defence or law enforcement, including the prevention, investigation, detection and prosecution of criminal offences. Parliaments and central banks are also excluded from the scope.
The Directive lays down minimum rules for a regulatory framework and does not prevent Member States from adopting or maintaining provisions ensuring a higher level of cybersecurity.
While the revised directive maintains this general rule, its text includes additional provisions to ensure proportionality, a higher level of risk management and clear-cut criticality criteria for allowing national authorities to determine further entities covered.
Coordinated cyber security frameworks
The Directive sets out obligations for Member States to adopt national cybersecurity strategies, designate or establish competent authorities, cyber crisis management authorities, single cyber security contact points and computer security incident response centres (CSIRTs).
Cooperation at EU level
The Directive sets out mechanisms for effective cooperation between the competent authorities of each Member State. It establishes a Cooperation Group to support and facilitate strategic cooperation and information exchange between Member States and to build confidence. A network of national CSIRTs is established to contribute to confidence building and to promote swift and effective operational cooperation between Member States.
The Directive also formally establishes the European cyber crisis liaison organisation network (EU-CyCLONe), which will support the coordinated management of large-scale cyber security incidents.
Voluntary peer learning mechanism
A voluntary peer learning mechanism will enhance mutual trust and learning from good practices and experiences in the Union, thereby contributing to a common high level of cyber security.
The Cooperation Group will establish, by 17 January 2025, with the assistance of the Commission and ENISA and, where appropriate, the CSIRT network, the methodology and organisational aspects of peer reviews with a view to learning from shared experiences, building mutual trust, achieving a common high level of cybersecurity, as well as strengthening Member States' cybersecurity capacities and policies necessary for the implementation of the Directive.
Simplification of reporting obligations
The Directive streamlines the reporting obligations to avoid over-reporting and creating an excessive burden for the entities concerned.
In order to simplify the reporting of information required under the Directive and to reduce the administrative burden on entities, Member States will provide technical means, such as a single entry point, automated systems, online forms, user-friendly interfaces, templates and dedicated platforms for the use of entities, irrespective of whether they fall within the scope of the Directive, for the submission of the relevant information to be reported.
Lastly, the Directive provides for remedies and penalties to ensure compliance with the legislation.
ENTRY INTO FORCE: 16.1.2023
TRANSPOSITION: no later than 17.10.2024. The provisions will apply from 18.10.2024.
The European Parliament adopted by 577 votes to 6 with 31 abstentions a legislative resolution on the proposal for a directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148.
The European Parliament's first reading position under the ordinary legislative procedure amends the proposal as follows:
Strengthening EU-wide cybersecurity and resilience
This Directive lays down measures that aim to achieve a high common level of cybersecurity across the Union, with a view to improving the functioning of the internal market and to further improve the resilience and incident response capacities of both the public and private sector and the EU as a whole.
To that end, this Directive lays down:
- obligations that require Member States to adopt national cybersecurity strategies and to designate or establish competent authorities, cyber crisis management authorities, single points of contact on cybersecurity (single points of contact) and computer security incident response teams (CSIRTs);
- cybersecurity risk management measures and reporting obligations for entities in ‘critical’ sectors such as energy, transport, banking, financial market infrastructure, health, drinking water, digital infrastructure, public administrations and the space sector, as well as in ‘important’ sectors such as postal services, waste management, chemicals, food, medical device manufacturing, electronics, machinery, vehicle engines and digital suppliers;
- rules and obligations on cybersecurity information sharing;
- supervisory and enforcement obligations on Member States.
The Directive lays down minimum rules for a regulatory framework and does not prevent Member States from adopting or maintaining provisions ensuring a higher level of cyber security.
Scope of application
All medium and large entities operating in the sectors covered by the Directive or providing services falling within its scope will fall within its scope.
As public administrations are often the target of cyber-attacks, the Directive will apply to public administration entities at central and regional level. In addition, Member States may decide to apply it also to such entities at local level as well as to educational institutions, in particular where they carry out critical research activities.
The Directive will not apply to public administration entities carrying out activities in the field of national security, public security, defence or law enforcement, including the prevention, investigation, detection and prosecution of criminal offences. Parliaments and central banks are also excluded from the scope.
The Directive includes additional provisions to ensure proportionality, a higher level of risk management and clear criteria on the criticality of entities to determine which ones are covered.
Cooperation at EU level
The Directive sets out mechanisms for effective cooperation between the competent authorities of each Member State. It establishes a Cooperation Group to support and facilitate strategic cooperation and information exchange between Member States and to build confidence. A network of national CSIRTs is established to contribute to confidence building and to promote swift and effective operational cooperation between Member States.
The Directive also formally establishes the European cyber crisis liaison organisation network (EU-CyCLONe), which will support the coordinated management of large-scale cyber security incidents.
Voluntary peer learning mechanism
Peer reviews should be introduced to help learn from shared experiences, build mutual trust and achieve a common high level of cyber security. The Cooperation Group should establish, no later than 2 years after the date of entry into force of the Directive, with the assistance of the Commission and ENISA and, where appropriate, the CSIRT network, the methodology and organisational aspects of peer reviews. Participation in peer reviews should be voluntary.
Simplification of reporting obligations
The Directive streamlines the reporting obligations to avoid over-reporting and creating an excessive burden for the entities concerned.
In order to simplify the reporting of information required under the Directive and to reduce the administrative burden on entities, Member States should provide technical means, such as a single entry point, automated systems, online forms, user-friendly interfaces, templates and dedicated platforms for the use of entities, irrespective of whether they fall within the scope of the Directive, for the submission of the relevant information to be reported.
Lastly, the Directive provides for remedies and penalties to ensure compliance with the legislation.
The Committee on Industry, Research and Energy adopted the report by Bart GROOTHUIS (Renew Europe, NL) on the proposal for a directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148.
The committee responsible recommended that the European Parliament's position adopted at first reading under the ordinary legislative procedure should amend the proposal as follows:
Subject matter and scope
This Directive should apply to public and private entities of a type referred to as essential entities in Annex I and as important entities in Annex II who provide their services or carry out their activities within the Union. It should not apply to entities that qualify as micro and small enterprises. No later than 6 months after the transposition deadline, Member States should draw up a list of essential and important entities. This list should be updated regularly and at least every two years.
Essential and significant entities should submit at least the following information to the competent authorities: (i) name of the entity, (ii) address and updated contact details, including e-mail addresses, (iii) IP ranges, (iv) telephone numbers and (v) the relevant sector(s) and sub-sector(s) listed in Annexes I and II. Entities should inform the competent authorities of any changes to this information.
To this end, the European Union Agency for Cyber Security (ENISA), in cooperation with the Cooperation Group, should issue guidelines and templates on notification obligations as soon as possible. Processing of personal data under the Directive would be carried out in accordance with the General Data Protection Regulation (GDPR).
National cyber security strategy
The strategy should also include a framework for the allocation of roles and responsibilities of public bodies and entities and other relevant actors, a single point of contact on cyber security for SMEs, and an assessment of the general level of cyber security awareness among citizens.
Member States should also adopt:
- a cybersecurity policy for each sector covered by the Directive;
- requirements for encryption and the use of open source cyber security products;
- a policy related to maintaining the overall availability and integrity of the public core of the open Internet, including the cybersecurity of undersea communications cables;
- a policy to promote the development and integration of emerging technologies, such as artificial intelligence, into cybersecurity enhancing tools and applications;
- a policy to promote cyber hygiene, increasing general awareness of cyber security threats and best practices among citizens;
- a policy to promote active cyber defence;
- a policy to help authorities develop competences and understanding of the security aspects needed to design, build and manage connected places;
- a policy specifically addressing the ransomware threat and disrupting the ransomware business model;
- a policy, including relevant procedures and governance frameworks, to support and promote the development of public-private partnerships in cyber security.
ENISA should provide guidance to Member States to align national cyber security strategies with the requirements and obligations set out in the Directive.
Coordinated vulnerability disclosure and European vulnerability database
ENISA should develop and maintain a European vulnerability database leveraging the global Common Vulnerabilities and Exposures (CVE) registry. To this end, ENISA should adopt the necessary technical and organisational measures to ensure the security and integrity of the database.
Computer Security Incident Response Teams (CSIRTs)
Member States should ensure the possibility of effective, efficient and secure information exchange on all classification levels between their own CSIRTs and CSIRTs from third countries on the same classification level. CSIRTs should develop at least the following technical capabilities:
- the ability to conduct real-time or near-real-time monitoring of networks and information systems, and anomaly detection;
- the ability to support intrusion prevention and detection;
- the ability to collect and conduct complex forensic data analysis, and to reverse engineer cyber threats;
- the ability to filter malign traffic;
- the ability to enforce strong authentication and access privileges and controls; and
- the ability to analyse cyber threats.
CSIRTs should be responsible for monitoring cyber threats, vulnerabilities and incidents at national level and acquiring real-time threat intelligence, responding to incidents and assisting entities involved, as well as contributing to the deployment of secure information sharing tools.
ENISA should publish, in cooperation with the Commission, a biennial report on the state of cyber security in the EU and submit it to the European Parliament.
Reporting obligations
Member States should establish a single point of contact for all notifications required under the Directive and other relevant EU legislation.
Essential and important entities should notify CSIRTs about significant incidents that have an impact on the availability of their service within 24 hours of becoming aware of the incident. They should notify CSIRTs about significant incidents that breach the confidentiality and integrity of their services within 72 hours of becoming aware of the incident.
Fines
To ensure effective enforcement of the obligations laid down in this Directive, each competent authority should have the power to impose or request the imposition of administrative fines if the infringement was intentional, negligent or the entity concerned had received notice of the entity’s non-compliance.
PURPOSE: to introduce new measures for a common level of cybersecurity across the EU.
PROPOSED ACT: Directive of the European Parliament and of the Council.
ROLE OF THE EUROPEAN PARLIAMENT: the European Parliament decides in accordance with the ordinary legislative procedure and on an equal footing with the Council.
BACKGROUND: Directive (EU) 2016/1148 of the European Parliament and the Council aimed at building cybersecurity capabilities across the EU, mitigating threats to network and information systems used to provide essential services in key sectors and ensuring the continuity of such services when facing cybersecurity incidents, thus contributing to the EU's economy and society to function effectively.
However, since the entry into force of Directive (EU) 2016/1148, significant progress has been made in increasing the Union’s level of cybersecurity resilience.
CONTENT: this proposal builds on and repeals Directive (EU) 2016/1148 on security of network and information systems (NIS Directive), which is the first piece of EU-wide legislation on cybersecurity and provides legal measures to boost the overall level of cybersecurity in the EU. The proposal modernises the existing legal framework taking account of the increased digitisation of the internal market in recent years and an evolving cybersecurity threat landscape.
Specific provisions
Scope
The proposal should apply to certain public or private essential entities operating in the sectors listed in Annex I (energy; transport; banking; financial market infrastructures; health, drinking water; waste water; digital infrastructure; public administration and space) and certain important entities operating in the sectors listed in Annex II (postal and courier services; waste management; manufacture, production and distribution of chemicals; food production, processing and distribution; manufacturing and digital providers).
Micro and small entities are excluded from the scope of the Directive, except for providers of electronic communications networks or of publicly available electronic communications services, trust service providers, Top-level domain name (TLD) name registries and public administration, and certain other entities, such as the sole provider of a service in a Member State.
National cybersecurity frameworks
The proposal stipulates that Member States are required to adopt a national cybersecurity strategy defining the strategic objectives and appropriate policy and regulatory measures with a view to achieving and maintaining a high level of cybersecurity. The proposed directive also establishes a framework for Coordinated Vulnerability Disclosure and requires Member States to designate computer security incident response teams to act as trusted intermediaries and facilitate the interaction between the reporting entities and the manufacturers or providers of ICT products and ICT services.
Member States are required to put in place National Cybersecurity Crisis Management Frameworks, by designating national competent authorities responsible for the management of large-scale cybersecurity incidents and crises.
Cybersecurity risk management and reporting obligations
The proposal requires Member States to provide that management bodies of all entities under the scope to approve the cybersecurity risk management measures taken by the respective entities and to follow specific cybersecurity-related training. Member States are required to ensure that entities under the scope take appropriate and proportionate technical and organisational measures to manage the cybersecurity risks posed to the security of network and information systems.
TLD registries and the entities providing domain name registration services for the TLD shall collect and maintain accurate and complete domain name registration data. Furthermore, such entities are required to provide efficient access to domain registration data for legitimate access seekers.
Jurisdiction and registration
As a rule, essential and important entities are deemed to be under the jurisdiction of the Member State where they provide their services. However, certain types of entities (DNS service providers, TLD name registries, cloud computing service providers, data centre service providers and content delivery network providers, as well as certain digital providers) are deemed to be under the jurisdiction of the Member State in which they have their main establishment in the Union.
Information sharing
Member States should provide rules enabling entities to engage in cybersecurity-related information sharing within the framework of specific cybersecurity information-sharing arrangements.
Supervision and enforcement
Competent authorities are required to supervise the entities under the scope of the proposed directive, and in particular to ensure their compliance with the security and incident notification requirements. The proposal also requires Member States to impose administrative fines on essential and important entities and defines certain maximum fines.
Documents
- Commission response to text adopted in plenary: SP(2022)688
- Final act published in Official Journal: Directive 2022/2555
- Final act published in Official Journal: OJ L 333 27.12.2022, p. 0080
- Draft final act: 00032/2022/LEX
- Results of vote in Parliament: Results of vote in Parliament
- Debate in Parliament: Debate in Parliament
- Decision by Parliament, 1st reading: T9-0383/2022
- European Central Bank: opinion, guideline, report: CON/2022/0014
- European Central Bank: opinion, guideline, report: OJ C 233 16.06.2022, p. 0022
- Committee report tabled for plenary, 1st reading: A9-0313/2021
- Committee opinion: PE693.822
- Committee opinion: PE691.371
- Committee opinion: PE689.861
- Committee opinion: PE691.156
- Amendments tabled in committee: PE693.680
- Amendments tabled in committee: PE693.723
- Committee draft report: PE692.602
- Contribution: COM(2020)0823
- Contribution: SWD(2020)0344
- Contribution: SWD(2020)0345
- Document attached to the procedure: OJ C 183 11.05.2021, p. 0003
- Document attached to the procedure: N9-0025/2021
- Document attached to the procedure: SEC(2020)0430
- Document attached to the procedure: EUR-Lex
- Document attached to the procedure: SWD(2020)0344
- Document attached to the procedure: SWD(2020)0345
- Legislative proposal published: COM(2020)0823
- Legislative proposal published: EUR-Lex
Activities
- Izaskun BILBAO BARANDICA: Plenary Speeches (1)
- Cristian-Silviu BUŞOI: Plenary Speeches (1)
- Maria da Graça CARVALHO: Plenary Speeches (1)
- Deirdre CLUNE: Plenary Speeches (1)
- Jakop G. DALUNDE: Plenary Speeches (1)
- Eva KAILI: Plenary Speeches (1)
- Othmar KARAS: Plenary Speeches (1)
- Karol KARSKI: Plenary Speeches (1)
- Marisa MATIAS: Plenary Speeches (1)
- Maite PAGAZAURTUNDÚA: Plenary Speeches (1)
- Stanislav POLČÁK: Plenary Speeches (1)
- Evžen TOŠENOVSKÝ: Plenary Speeches (1)
- Carlos ZORRINHO: Plenary Speeches (1)
- Clare DALY: Plenary Speeches (1)
- Edina TÓTH: Plenary Speeches (1)
- Patrick BREYER: Plenary Speeches (1)
- Johan NISSINEN: Plenary Speeches (1)
Votes
- A high common level of cybersecurity across the Union - A9-0313/2021 - Bart Groothuis - Request by the Verts/ALE group
- A9-0313/2021 - Bart Groothuis - Provisional agreement - Am 281
Amendments | Dossier |
---|---|
1015 | 2020/0359(COD) |

2021/05/28 - TRAN - 54 amendments
Amendment 10 #
Proposal for a directive Recital 3 (3) Network and information systems have developed into a central feature of everyday life with the speedy digital transformation and interconnectedness of society, contributing to growth of new models of economy, such as gig, on-demand and platform economy, including in cross-border exchanges and aaS (as-a-service) approach. That development has led to an expansion of the cybersecurity threat landscape, bringing about new challenges, which require adapted, coordinated and innovative responses in all Member States. The number, magnitude, sophistication, frequency and impact of cybersecurity incidents are increasing, and present a major threat to the functioning of network and information systems. As a result, cyber incidents can impede the pursuit of economic activities in the internal market, social activities, generate financial losses, undermine user and worker confidence
Amendment 11 #
Proposal for a directive Recital 3 (3) Network and information systems have developed into a central feature of everyday life with the speedy digital transformation and interconnectedness of society, including in cross-border exchanges and mobility. That development has led to an
Amendment 12 #
Proposal for a directive Recital 8 (8) In accordance with Directive (EU) 2016/1148, Member States were responsible for determining which entities meet the criteria to qualify as operators of essential services (‘identification process’). In order to eliminate the wide divergences among Member States in that regard and ensure legal certainty for the risk management requirements and reporting obligations for all relevant entities, a uniform criterion should be established that determines the entities falling within the scope of application of this Directive. That criterion should consist of the application of the size-cap rule, whereby all medium
Amendment 13 #
Proposal for a directive Recital 8 a (new) (8 a) Guidelines should serve as a basis to define which ports in a given Member State should be designated as essential entities. Those guidelines should be developed by the Commission in close cooperation with the Member States and the stakeholders and should take into account the diverse nature of European ports, as they vary in size and in activities performed, and as their strategic importance in a given Member State may vary.
Amendment 14 #
Proposal for a directive Recital 9 (9) However, small or micro entities fulfilling certain criteria that indicate a key role for the economies or societies of Member States or for particular sectors or types of services, should also be covered by this Directive. Member States should be responsible for establishing a list of such entities, and submit it to the Commission. This exercise shall be carried out with full understanding of the specificity of SME business activity, and shall not place excessive administrative burden on them.
Amendment 15 #
Proposal for a directive Recital 10 (10) The Commission, in cooperation with the Cooperation Group, may issue guidelines on the implementation of the criteria applicable to micro and small enterprises. Relevant information materials shall be prepared and distributed by the Commission with the support of Member States, as well as appropriate guidance should be given to all micro, small and medium enterprises falling within the scope of this Directive.
Amendment 16 #
Proposal for a directive Recital 10 (10) The Commission, in cooperation with the Cooperation Group and industry stakeholders, may issue guidelines on the implementation of the criteria applicable to micro and small enterprises.
Amendment 17 #
Proposal for a directive Recital 11 a (new) (11 a) Some entities, such as ports, are complex ecosystems with many different stakeholders. The Commission, in close cooperation with the Member States and stakeholders, should therefore develop guidelines that enable Member States to define in a harmonized way which aspects of an entity should be protected and therefore subjected to the obligations set out in this Directive.
Amendment 18 #
Proposal for a directive Recital 12 (12) Sector-specific legislation and instruments can contribute to ensuring high levels of cybersecurity, while taking full account of the specificities and complexities of those sectors. Where a sector-specific Union legal act requires essential or important entities to adopt cybersecurity risk management measures or to notify incidents or significant cyber threats of at least an equivalent effect to the obligations laid down in this Directive, those sector-specific provisions, including on supervision and enforcement, should apply. In order to avoid overregulation, legal uncertainty and unnecessary administrative burden, in the interpretation and application of this Directive the Commission should ensure coherence between this Directive and the applicable sector-specific legislation. To this end, the Commission should identify duplications/overlapping in the respective legislation, regulatory requirements or procedures, with a view to remove them. In that regard, the Commission action should specifically aim at preventing the proliferation/overlapping/duplication of systems of notification in sectors where EU sector-specific legislation is already applied, such as the transport sector. The Commission may issue guidelines in relation to the implementation of the lex specialis. This Directive does not preclude the adoption of additional sector-
Amendment 19 #
Proposal for a directive Recital 17 (17) Given the emergence of innovative technologies
Amendment 20 #
Proposal for a directive Recital 17 (17) Given the emergence of innovative technologies, such as artificial intelligence, and new business models, new cloud computing deployment and service models are expected to appear on the market in response to evolving customer needs. In that context, cloud computing services may be delivered in a highly distributed form, even closer to where data are being generated or collected, thus moving from the traditional model to a highly distributed one (‘edge computing’).
Amendment 21 #
Proposal for a directive Recital 18 a (new) (18 a) Given that the roll-out of autonomous mobility will bring considerable benefits, but also entails a variety of new risks, namely regarding road traffic safety, cybersecurity, intellectual property rights, data protection and data access issues, technical infrastructure, standardisation, and employment, it is of crucial importance to ensure that the EU legal framework adequately responds to those challenges and effectively manages all risks posed to the security of network and information systems.
Amendment 22 #
Proposal for a directive Recital 18 b (new)
Amendment 23 #
Proposal for a directive Recital 19 (19) Postal service providers within the meaning of Directive 97/67/EC of the European Parliament and of the Council18, as well as express and courier delivery service providers, should be subject to this Directive if they provide at least one of the steps in the postal delivery chain and in particular clearance, sorting or distribution, including pick-up services. Transport or delivery services that are not undertaken in conjunction with one of those steps should fall outside of the scope of postal services. _________________ 18 Directive 97/67/EC of the European Parliament and of the Council of 15 December 1997 on common rules for the development of the internal market of Community postal services and the improvement of quality of service (OJ L 15, 21.1.1998, p. 14).
Amendment 24 #
Proposal for a directive Recital 27 a (new) (27 a) Member States should, in their national cybersecurity strategies, address specific cybersecurity needs of small and medium-sized enterprises (SMEs), namely low cyber-awareness, a lack of remote IT security, high cost of cybersecurity solutions and an increased level of threat. Member States should have a cybersecurity point of contact for SMEs to provide relevant information, service and guidance.
Amendment 25 #
Proposal for a directive Recital 33 (33) When developing guidance documents, the Cooperation Group should consistently: map national solutions and experiences, assess the impact of Cooperation Group deliverables on national approaches, discuss implementation challenges and formulate specific recommendations to be addressed through better implementation of existing rules. The Cooperation Group should also map the national solutions in order to promote compatibility of cybersecurity solutions applied to each specific sector across Europe. This is particularly relevant for the sectors which have an international and cross-border nature, such as transport.
Amendment 26 #
Proposal for a directive Recital 33 (33) When developing guidance documents, the Cooperation Group should consistently: map national solutions and experiences, assess the impact of Cooperation Group deliverables on national approaches, discuss implementation challenges and formulate specific recommendations, also on the proper alignment in the transposition of the Directive, to be addressed through better implementation of existing rules.
Amendment 27 #
Proposal for a directive Recital 34 (34) The Cooperation Group should remain a flexible forum and be able to react to changing and new policy priorities and challenges while taking into account the availability of resources. It should organize regular joint meetings with relevant private stakeholders
Amendment 28 #
Proposal for a directive Recital 34 (34) The Cooperation Group should remain a flexible forum and be able to react to changing and new policy priorities and challenges while taking into account the availability of resources. It should organize regular joint meetings with relevant private stakeholders from across the Union to discuss activities carried out by the Group and gather input on emerging policy challenges. In order to enhance cooperation at Union level, the Group should consider inviting Union bodies and agencies involved in cybersecurity policy, such as the European Cybercrime Centre (EC3), the European Union
Amendment 29 #
Proposal for a directive Recital 46 a (new) (46 a) In order to preserve and protect critical supply chains, the focus should also lie on the protection of the entire transport and logistics chain. The transport and logistics chain is made up of a large number of interlinked actors and systems, where goods are being transported in an intermodal fashion using road, rail, inland waterways and maritime transport. This process requires swift and reliable exchange of data between the various links of the transport and logistics chain through various interfaces. Due to the interconnected nature of the various links in the chain, insufficient cybersecurity risks endangering the functioning of the entire chain through domino effects created by a cyber incident in one or several parts of the transport and logistics chain.
Amendment 30 #
Proposal for a directive Recital 46 a (new) (46 a) In order to preserve and protect critical supply chains, the focus should also lie on the protection of the entire transport and logistics chain. The transport and logistics chain is made up of a large number of interlinked actors and systems, where goods are being transported in an intermodal fashion using road, rail, inland waterways and maritime transport. This process requires swift and reliable exchange of data between the various links of the transport and logistics chain through various interfaces. Due to the interconnected nature of the various links in the chain, insufficient cybersecurity risks endangering the functioning of the entire chain through domino effects created by a cyber incident in one or several parts of the transport and logistics chain.
Amendment 31 #
Proposal for a directive Recital 46 b (new) (46 b) The transport envelope of the Connecting Europe Facility, both the modernisation pillar (actions relating to smart, interoperable, sustainable, multimodal, inclusive, accessible, safe and secure mobility), as well as the military mobility pillar, should be used to enhance the resilience of Europe’s port infrastructure to cybersecurity threats. Member States should also strengthen the cyber resilience of the port sector in their national Recovery and Resilience Plans as part of the EU’s digital transition objective.
Amendment 32 #
(47) The supply chain risk assessments, in light of the features of the sector concerned, should take into account both technical and, where relevant, non-technical factors including those defined in Recommendation (EU) 2019/534, in the EU wide coordinated risk assessment of 5G networks security and in the EU Toolbox on 5G cybersecurity agreed by the Cooperation Group. To identify the supply chains that should be subject to a coordinated risk assessment, the following criteria should be taken into account: (i) the extent to which essential and important entities use and rely on specific critical ICT services, systems or products; (ii) the relevance of specific critical ICT services, systems or products for performing critical or sensitive functions, including the processing of personal data; (iii) the availability of alternative ICT services, systems or products; (iv) the resilience of the overall supply chain of ICT services, systems or products against disruptive events; (iv a) the extent to which specific critical ICT services, systems or products directly used by consumers are resilient and compliant with a customer friendly approach; and (v) for emerging ICT services, systems or products, their potential future significance for the entities’ activities.
Amendment 33 #
Proposal for a directive Recital 55 (55) This Directive lays down a two-
Amendment 34 #
Proposal for a directive Article 2 – paragraph 2 – subparagraph 1 Member States, in close cooperation with relevant industry stakeholders, shall establish a list of entities identified pursuant to points (b) to (f) and submit it to the Commission by [6 months after the transposition deadline]. Member States shall review the list, on a regular basis, and at least every two years thereafter and, where appropriate, update it.
Amendment 35 #
Proposal for a directive Article 2 – paragraph 6 6. Where provisions of sector-specific acts of Union law require essential or important entities either to adopt cybersecurity risk management measures or to notify incidents or significant cyber threats, and where those requirements are at least equivalent in effect to the obligations laid down in this Directive, including as to the power, mandate and functions of the respective supervisory authorities, the relevant provisions of this Directive, including the provision on supervision and enforcement laid down in Chapter VI, shall not apply.
Amendment 36 #
Proposal for a directive Article 3 – paragraph 1 a (new) The Commission, together with the Member States and stakeholders, shall develop guidelines that enable Member States to identify in a harmonised way which entities in selected sectors should be designated as essential or important entities and which entities would be considered smaller entities with a high security risk profile. Those guidelines should take into account the diverse nature of the entities, as they vary in size and in activities performed, and as their strategic importance may vary.
Amendment 37 #
Proposal for a directive Article 3 – paragraph 1 b (new) The Commission, in close cooperation with the Member States and stakeholders, shall develop guidelines that enable Member States to define in a harmonized way which aspects of an essential or important entity should be protected and therefore subjected to the obligations set out in this Directive.
Amendment 38 #
Proposal for a directive Article 5 – paragraph 2 – point h (h) a policy addressing specific needs of SMEs, in particular those excluded from the scope of this Directive, in relation to guidance, providing necessary and comprehensive information and support in improving their resilience to cybersecurity threats.
Amendment 39 #
Proposal for a directive Article 5 – paragraph 3 3. Member States shall notify their national cybersecurity strategies to the Commission within three months from their adoption. Member States may exclude specific information from the notification where and to the extent that it is
Amendment 40 #
Proposal for a directive Article 12 – paragraph 4 – point a (a) providing guidance to competent authorities in relation to the transposition and implementation of this Directive, so as to minimise existing disparities between cybersecurity risk management practices and standards among the Member States;
Amendment 41 #
Proposal for a directive Article 12 – paragraph 4 – point b a (new) (b a) mapping the national solutions in order to promote compatibility of cybersecurity solutions applied to each specific sector across Europe;
Amendment 43 #
Proposal for a directive Article 16 – paragraph 1 – point iii a (new)
Amendment 44 #
Proposal for a directive Article 18 – paragraph 2 – point b a (new) (b a) adoption of programmes for increasing employees’ competences and practical experience meeting the high cybersecurity standards;
Amendment 45 #
Proposal for a directive Article 18 – paragraph 5
Amendment 46 #
Proposal for a directive Article 18 – paragraph 5 5. The Commission may adopt
Amendment 47 #
Proposal for a directive Article 20 – paragraph 2 – introductory part 2. Member States shall en
Amendment 48 #
Proposal for a directive Article 20 – paragraph 2 – subparagraph 1 Where applicable, those entities
Amendment 49 #
Proposal for a directive Article 20 – paragraph 3 – point a (a) the incident has caused or
Amendment 50 #
Proposal for a directive Article 20 – paragraph 3 – point b (b) the incident has affected
Amendment 51 #
Proposal for a directive Article 20 – paragraph 4 – point a (a) without undue delay and in any event within 72
Amendment 52 #
Proposal for a directive Article 20 – paragraph 4 – point a (a) without undue delay and in any event within 72
Amendment 53 #
Proposal for a directive Article 20 – paragraph 4 – point c – point iii (iii) applied and ongoing mitigation measures and results thereof.
Amendment 54 #
Proposal for a directive Article 20 – paragraph 5 5. The competent national authorities or the CSIRT shall provide, within 72
Amendment 55 #
Proposal for a directive Article 20 – paragraph 11 11. The Commission may adopt
Amendment 56 #
Proposal for a directive Article 21
Amendment 57 #
Proposal for a directive Article 21 – paragraph 1 1. In order to demonstrate compliance with certain requirements of Article 18, Member States
Amendment 58 #
Proposal for a directive Article 21 – paragraph 1 1. In order to demonstrate compliance with certain requirements of Article 18, Member States
Amendment 59 #
Proposal for a directive Article 21 – paragraph 1 a (new) 1 a. The requirements of this Directive regarding cybersecurity certification shall be without prejudice to Article 56 (2) and (3) of Regulation (EU) 2019/881.
Amendment 60 #
Proposal for a directive Article 21 – paragraph 2
Amendment 61 #
Proposal for a directive Article 21 – paragraph 2
Amendment 62 #
Proposal for a directive Article 21 – paragraph 3 3.
Amendment 9 #
Proposal for a directive Recital 3 (3) Network and information systems have developed into a central feature of everyday life with the speedy digital transformation and interconnectedness of society, including in cross-border exchanges. That development has led to an expansion of the cybersecurity threat landscape, bringing about new challenges, which require adapted, coordinated and innovative responses in all Member States. The number, magnitude, sophistication, frequency and impact of cybersecurity incidents are increasing, and present a major threat to the functioning of network and information systems. As a result, cyber incidents can impede the pursuit of economic activities in the internal market, generate financial losses, undermine user confidence and cause major damage to the Union economy and society. Cybersecurity preparedness and effectiveness are therefore now more essential than ever to the proper functioning of the internal market. Moreover, cybersecurity is a key enabler for many critical sectors, such as transport, to successfully embrace the digital transformation and to fully grasp the economic, social and sustainable benefits of digitalisation.
source: 693.632
2021/05/31
AFET
2 amendments...
Amendment 79 #
Proposal for a directive Annex I – ESSENTIAL ENTITIES: SECTORS, SUBSECTORS AND TYPES OF ENTITIES – Sector 6 a (new) 6a. Education and research — Higher education institutions and research institutions
Amendment 80 #
Proposal for a directive Annex I – ESSENTIAL ENTITIES: SECTORS, SUBSECTORS AND TYPES OF ENTITIES – Sector 9 Public administration – Type of entities Public administration entities of central governments Public administration entities of NUTS level 1 regions listed in Annex I of Regulation (EC) No 1059/2003 (27, 27 a (new)) Public administration entities of NUTS level 2 regions listed in Annex I of Regulation (EC) No 1059/2003 (27 b (new)) __________________ 27 Regulation (EC) No 1059/2003 of the European Parliament and of the Council of 26 May 2003 on the establishment of a common classification of territorial units for statistics (NUTS) (OJ L 154, 21.6.2003, p. 1).
source: 693.660
2021/06/01
AFET
56 amendments...
Amendment 23 #
Proposal for a directive Recital 2 (2) Since the entry into force of Directive (EU) 2016/1148 significant progress has been made in increasing the Union’s level of cybersecurity resilience. The review of that Directive has shown that it has served as a catalyst for the institutional and regulatory approach to cybersecurity in the Union, paving the way for a significant change in mind-set. That Directive has ensured the completion of national frameworks by defining national cybersecurity strategies, establishing national capabilities, and implementing regulatory measures covering essential infrastructures and actors identified by each Member State. It has also contributed to cooperation at Union level through the establishment of the Cooperation Group12 and a network of national Computer Security Incident Response Teams (‘CSIRTs network’)13. Directive (EU) 2016/1148 was the first Union-wide legislative act on cybersecurity, providing legal measures to boost the overall level of cyber resilience also in the security and defence domain in the Union by ensuring Member States’ cooperation and a culture of security across sectors. Notwithstanding those achievements, the review of Directive (EU) 2016/1148 has revealed inherent shortcomings that prevent it from addressing effectively contemporaneous and emerging cybersecurity challenges, which very often originate from outside the Union, posing a serious threat to internal and external security at Union level. _________________ 12 Article 11 of Directive (EU) 2016/1148.
Amendment 24 #
Proposal for a directive Recital 3 a (new)
Amendment 25 #
Proposal for a directive Recital 3 a (new) (3 a) The Union understands hybrid campaigns to be ‘multidimensional, combining coercive and subversive measures, using both conventional and unconventional tools and tactics (diplomatic, military, economic, and technological) to destabilise the adversary. They are designed to be difficult to detect or attribute, and can be used by state and non-state actors’. The internet and online networks allow State and non-State actors to conduct aggressive action in new ways. They can be used to hack critical infrastructure and democratic processes, launch persuasive disinformation and propaganda campaigns, steal information and unload sensitive data into the public domain. In the worst cases, cyber-attacks allow an adversary to take control of assets such as military systems and command structures. Such large-scale cybersecurity incidents and crises at Union level must be adequately prepared for and protected against via joint training exercises as they have the potential to invoke Article 222 TFEU (the 'solidarity clause').
Amendment 26 #
Proposal for a directive Recital 3 a (new) (3 a) Cyber security is a priority of the Common Security and Defence Policy of the Union, including its cooperation with the North Atlantic Treaty Organisation (NATO). The EU Strategic Compass will enhance and guide the implementation of the Union’s level of ambition in the field of security and defence, and translate that ambition into capability needs in cyber defence, thereby increasing the ability of the Union and Member States to prevent, discourage, deter, respond to and recover from malicious cyber activities by strengthening its posture, situational awareness, tools, procedures and partnerships. The Union and NATO should further strengthen their capabilities to prevent, deter and respond to hybrid and cyber attacks, create a joint cyber threat information hub as well as a joint task force for cyber security, and establish a common EU/NATO cyber threat analysis on the basis of which important and less important, urgent and less urgent decisions should be taken and actions could be selected and launched.
Amendment 27 #
Proposal for a directive Recital 3 b (new) (3 b) During large-scale cyber security incidents and crises at Union level, the high degree of interdependence between sectors and countries requires a coordinated action to ensure a rapid and effective response, as well as better prevention and preparedness for similar situations in the future. The availability of cyber-resilient networks and information systems and the availability, confidentiality and integrity of data are vital for the security of the Union within as well as beyond its borders. The Union’s ambition to acquire a more prominent geopolitical role by becoming ‘strategically autonomous’ and ‘technologically sovereign’ also rests on credible cyber defence and deterrence, including the capacity to identify malicious actions in a timely and effective manner and to respond adequately. Given the blurring of lines between the realms of civilian and military matters and the dual-use nature of cyber tools and technologies, there is a need for a comprehensive and holistic approach to the digital domain. This also applies to Common Security and Defence Policy operations and missions conducted by the Union to ensure peace and stability in its neighbourhood and beyond.
Amendment 28 #
Proposal for a directive Recital 6 (6) This Directive leaves unaffected the ability of Member States to take the necessary measures to ensure the protection of the essential interests of their security, to safeguard public policy and public security, and to allow for the investigation, detection and prosecution of criminal offences, in compliance with Union law. Independently of the technological environment of the day, it is essential to always fully respect due process and other safeguards, as well as fundamental rights, in particular the right to the respect for private life and communications and the right to the protection of personal data. Similarly, in order to ensure an all-encompassing resilience, it is necessary not only to strengthen technological infrastructures and to possess response capabilities, but also to spread a cybersecurity culture among the population according to Articles 7 and 8 of the Cybersecurity Act. In accordance with Article 346 TFEU, no Member State is to be obliged to supply information the disclosure of which would be contrary to the essential interests of its public security. In this context, national and Union rules for protecting classified information, non-disclosure agreements, and informal non-disclosure agreements such as the Traffic Light Protocol14, are of relevance. _________________ 14 The Traffic Light Protocol (TLP) is a means for someone sharing information to inform their audience about any limitations in further spreading this information. It is used in almost all CSIRT communities and some Information Analysis and Sharing Centres (ISACs).
Amendment 29 #
Proposal for a directive Recital 6 (6) This Directive leaves unaffected the ability of Member States to take the necessary measures to ensure the protection of the essential interests of their security, to safeguard public policy and public security, and to allow for the investigation, detection and prosecution of criminal offences, in compliance with Union law and fundamental rights. In accordance with Article 346 TFEU, no Member State is to be obliged to supply information the disclosure of which would be contrary to the essential interests of its public security. In this context, national and Union rules for protecting classified information, non-disclosure agreements, and informal non-disclosure agreements such as the Traffic Light Protocol14, are of relevance. _________________ 14 The Traffic Light Protocol (TLP) is a means for someone sharing information to inform their audience about any limitations in further spreading this information. It is used in almost all CSIRT communities and some Information Analysis and Sharing Centres (ISACs).
Amendment 30 #
Proposal for a directive Recital 14 a (new) (14 a) In view of the development of a secure connectivity system, building on the European quantum communication infrastructure (EuroQCI) and the European Union Governmental Satellite Communication (GOVSATCOM), in particular the implementation of GALILEO GNSS for defence users, any future possible development should take into account the entire electronic communications infrastructure such as space, land and submarine network systems. At the same time, a common vision on Cloud adoption strategy for sensitive sectors with the aim of defining a European approach based on shared standards among like-minded States, in order to protect the digital know-how, sensitive data and information should be established.
Amendment 31 #
Proposal for a directive Recital 14 a (new)
Amendment 32 #
Proposal for a directive Recital 20 (20) Those growing interdependencies are the result of an increasingly cross-border and interdependent network of service provision using key infrastructures across the Union in the sectors of energy, transport, digital infrastructure, drinking and waste water, health, certain aspects of public administration, as well as space in as far as the provision of certain services depending on ground-based infrastructures that are owned, managed and operated either by Member States or by private parties is concerned, therefore not covering infrastructures owned, managed or operated by or on behalf of the Union as part of its space programmes. Infrastructure owned, managed or operated by or on behalf of the Union as part of its space programmes is particularly important for the security of the Union and its Member States and the proper functioning of the Union’s Common Security and Defence Policy (CSDP) missions. Such infrastructure is therefore to be adequately protected as set out in Regulation (EU) 2021/696 of the European Parliament and of the Council.18a Those interdependencies mean that any disruption, even one initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts in the delivery of services across the internal market. The COVID-19 pandemic has shown the vulnerability of our increasingly interdependent societies in the face of low-probability risks. _________________ 18a Regulation (EU) 2021/696 of the European Parliament and of the Council of 28 April 2021 establishing the Union Space Programme and the European Union Agency for the Space Programme and repealing Regulations (EU) No 912/2010, (EU) No 1285/2013 and (EU) No 377/2014 and Decision No 541/2014/EU (OJ L 170, 12.5.2021, p. 69)
Amendment 33 #
Proposal for a directive Recital 26 (26) Given the importance of international cooperation on cybersecurity, CSIRTs should be able to participate in international cooperation networks in addition to the CSIRTs network established by this Directive, in order to contribute to the development of Union standards that can shape the cybersecurity landscape at international level. On this point, an essential role can be played by the important means of ‘cyberdiplomacy’ in the EU toolbox. Striving to secure multilateral agreements on cyber norms, responsible state and non-state behaviour in cyberspace and effective global digital governance, as well as creating an open, free, stable and secure cyberspace anchored in international law through alliances between like-minded countries, organisations, the private sector, civil society and experts, is an integral part of a more comprehensive cybersecurity strategy.
Amendment 34 #
Proposal for a directive Recital 26 (26) Given the importance of international cooperation on cybersecurity, CSIRTs should be able to participate in international cooperation networks in addition to the CSIRTs network established by this Directive. Member States could also explore the possibility of increasing cooperation with like-minded partner countries and international organisations such as the Council of Europe, the North Atlantic Treaty Organisation, the Organisation for Economic Cooperation and Development, the Organisation for Security and Co-operation in Europe and the United Nations with the aim to create an open, free, stable and secure cyberspace based on international law.
Amendment 35 #
Proposal for a directive Recital 26 a (new) (26 a) Due to the fact that cybersecurity has both a civilian and a military dimension, an integrated policy approach and close cooperation between the CSIRTs Network and the foreseen Military CERT-Network should be developed.
Amendment 36 #
Proposal for a directive Recital 36 (36) The Union should, where appropriate, conclude international agreements, in accordance with Article 218 TFEU, with third countries or international organisations, allowing and organising their participation in some activities of the Cooperation Group and the CSIRTs network. Such agreements
Amendment 37 #
Proposal for a directive Recital 36 (36) The Union should, where
Amendment 38 #
Proposal for a directive Recital 37 (37) Member States should contribute to the establishment of the EU Cybersecurity Crisis Response Framework set out in Recommendation (EU) 2017/1584 through the existing cooperation networks, notably the Cyber Crisis Liaison Organisation Network (EU-CyCLONe), CSIRTs network and the Cooperation Group. EU- CyCLONe and the CSIRTs network should cooperate on the basis of procedural arrangements defining the modalities of that cooperation. The EU-CyCLONe’s rules of procedures should further specify the modalities through which the network should function, including but not limited to roles, cooperation modes, interactions with other relevant actors and templates for information sharing, as well as means of communication. For crisis management at Union level, relevant parties should rely on the Integrated Political Crisis Response (IPCR) arrangements. The Commission
Amendment 39 #
Proposal for a directive Recital 40 a (new) (40 a) Member States should consider an active cyber defence programme to be part of their national cybersecurity strategy. Such a programme should provide a synchronised, real-time capability to discover, detect, analyse, and mitigate threats. Active cyber defence operates at network speed using sensors, software and intelligence to detect and stop malicious activity ideally before it can affect networks and systems. Moreover, Member States should significantly enhance information sharing methods, to define a common communication standard that could be used for classified and non-classified information, in order to enhance the rapid action and secure network to counter cyber-attacks.
Amendment 40 #
(40 a) Member States should consider an active cyber defence programme to be part of their national cybersecurity strategy that incorporates regular joint training exercises between Member States and across international organisations. Such a programme should provide a synchronised, real-time capability to discover, detect, analyse, and mitigate threats. Active cyber defence operates at network speed using sensors, software and intelligence to detect and stop malicious activity ideally before it can affect networks and systems.
Amendment 41 #
Proposal for a directive Recital 40 a (new) (40 a) Member States should improve their capabilities to detect, analyse, and mitigate cyber security incidents in real time in order to stop malicious activities ideally before they can affect networks and systems. The Union and the Member States should also strengthen their capabilities to attribute cyber attacks in order to effectively deter and respond to cyber attacks in a proportionate way.
Amendment 42 #
(40 b) Member States should come forward with an active cyber defence programme in their national cybersecurity strategies. Active cyber defence is the proactive detection, analysis and mitigation of network security breaches in real-time combined with the use of capabilities deployed outside the victim network. It is based on a defensive strategy that excludes offensive measures against the adversary’s critical civilian infrastructure which would constitute a breach of international law (such as of the 1977 Additional Protocol to the Geneva Conventions). The ability to rapidly and automatically share and understand threat information and analysis, cyber activity alerts, and response action is critical to enabling unity of effort in successfully detecting and preventing cyber-attacks. Active cyber defence activities could include email server configurations, website configurations, logging enabling and DNS filtering. At the same time, Member States should adopt policies able to ensure the widest possible access to the most performing cybersecurity tools, supporting companies, SMEs and businesses with low financial capabilities, through benefits, grants, loans or fiscal advantages dedicated to the acquisition of highest-level cybersecurity products and services, avoiding that their costs represent an element of discrimination. On the same level, Member States should aim to promote partnerships with Academia and other research centres aimed at fostering R&D cybersecurity programmes in order to develop new common technologies, tools and skills applicable in both civilian and defence sectors through a multidisciplinary approach. Partnerships should be financed by existing and new funding tools under the auspices of the Commission.
Amendment 43 #
Proposal for a directive Recital 40 b (new) (40 b) Member States should consider the recently released ten-point plan of the Russian Ministry of Defence that places artificial intelligence (AI) at the core of Russian military modernization, driven by AI consortia across government, industry and academia that include an active wargaming AI military application.
Amendment 44 #
Proposal for a directive Recital 43 (43) Addressing cybersecurity risks stemming from an entity’s supply chain and its relationship with its suppliers is particularly important given the prevalence of incidents where entities have fallen victim to cyber-attacks and where malicious actors were able to compromise the security of an entity’s network and information systems by exploiting vulnerabilities affecting third party products and services. Entities should therefore assess and take into account the overall quality of products and cybersecurity practices of their suppliers and service providers, including their
Amendment 45 #
Proposal for a directive Recital 43 (43) Addressing cybersecurity risks stemming from an entity’s supply chain and its relationship with its suppliers is particularly important given the prevalence of incidents where entities have fallen victim to cyber-attacks and where malicious actors were able to compromise the security of an entity’s network and information systems by exploiting vulnerabilities affecting third party products and services. Entities should therefore assess and take into account the overall quality of products and cybersecurity practices of their suppliers and service providers, including their risk- management systems and their secure development procedures.
Amendment 46 #
Proposal for a directive Recital 43 a (new) (43 a) Since the exploitation of vulnerabilities in the defence sector may cause significant disruption and harm, cybersecurity of the defence industry requires special measures to ensure the security of the supply chains, particularly entities lower in supply chains, which do not require access to classified information, but which could carry serious risks to the entire sector. Special consideration should be given to the impact any breach could have and the threat of any potential manipulation of network data that could render critical defence assets useless or even override their operating systems, making them vulnerable to hijacking.
Amendment 47 #
Proposal for a directive Recital 46 (46) To further address key supply chain risks and assist entities operating in sectors covered by this Directive to appropriately manage supply chain and supplier related cybersecurity risks, the Cooperation Group involving relevant national authorities, in cooperation with the Commission
Amendment 48 #
Proposal for a directive Recital 68 (68) Entities should be encouraged to collectively leverage their individual knowledge and practical experience at strategic, tactical and operational levels with a view to enhancing their capabilities to adequately assess, monitor, defend against, and respond to, cyber threats. It is thus necessary to enable the emergence at Union level of mechanisms for voluntary information sharing arrangements. To this end, Member States should actively support and encourage also relevant entities not covered by the scope of this Directive to participate in such information-sharing mechanisms. Those mechanisms should be conducted in full compliance with the competition rules of the Union as well as the data protection rules of Union law. To the same end, Member States should support competent authorities and CSIRTs to establish free-of-charge or accessible cybersecurity assistance, education, and audit programs for entities that fall outside the scope of this Directive, in particular start-ups, SMEs and non-governmental organisations.
Amendment 49 #
Proposal for a directive Recital 68 (68) Entities should be encouraged to collectively leverage their individual knowledge and practical experience at strategic, tactical and operational levels with a view to enhancing their capabilities to adequately assess, monitor, defend against, and respond to, cyber threats. It is thus necessary to enable the emergence at Union level of mechanisms for voluntary information sharing arrangements. To this end, Member States should actively support and encourage also relevant entities not covered by the scope of this Directive to participate in such information-sharing mechanisms. In addition, Member States could also explore the possibility of including entities from like-minded partner countries in the information-sharing mechanisms. Those mechanisms should be conducted in full compliance with the competition rules of the Union as well as the data protection rules of Union law.
Amendment 50 #
Proposal for a directive Recital 68 a (new) (68 a) Given that cybersecurity has both a civilian and a military dimension, information exchange across sectors (defence, civilian, law enforcement and external action) should also be encouraged. The Joint Cyber Unit could play an important role in protecting the EU from cyber-attacks by helping actors to acquire a common understanding of the threat landscape and to coordinate their response.
Amendment 51 #
Proposal for a directive Recital 73 (73) Where administrative fines are imposed on an undertaking, an undertaking should be understood to be an undertaking in accordance with Articles 101 and 102 TFEU for those purposes. Where administrative fines are imposed on persons that are not an undertaking, the supervisory authority should take account of the general level of income in the Member State as well as the economic situation of the person in considering the appropriate amount of the fine, without prejudice to the objectives of this Directive. It should be for the Member States to determine whether and to what extent public authorities should be subject to administrative fines. Imposing an administrative fine does not affect the application of other powers by the competent authorities or of other penalties laid down in the national rules transposing this Directive.
Amendment 52 #
Proposal for a directive Article 5 – paragraph 2 – point a (a) a policy addressing cybersecurity in the supply chain for ICT products and services used by essential and important entities for the provision of their services, based on a comprehensive assessment of potential threats to supply chains;
Amendment 53 #
Proposal for a directive Article 5 – paragraph 2 – point b a (new) (b a) a policy for promoting interoperability and adherence to common European Union standards in cybersecurity;
Amendment 54 #
Proposal for a directive Article 5 – paragraph 2 – point d (d) a policy related to sustaining the general availability and integrity of the public core of the open internet, including the cybersecurity of internet backbones and, where applicable, of undersea communications cables;
Amendment 55 #
Proposal for a directive Article 5 – paragraph 2 – point e (e) a policy on promoting and developing cyber hygiene and cybersecurity skills, awareness raising and research and development initiatives;
Amendment 56 #
Proposal for a directive Article 5 – paragraph 2 – point f (f) a policy on supporting academic and research institutions
Amendment 57 #
Proposal for a directive Article 5 – paragraph 2 – point h (h) a policy addressing specific needs of
Amendment 58 #
Proposal for a directive Article 6 – paragraph 2 2. ENISA shall develop and maintain a European vulnerability registry. To that end, ENISA shall establish and maintain the appropriate information systems, policies and procedures with a view in particular to enabling important and essential entities and their suppliers of network and information systems to disclose and register vulnerabilities present in ICT products or ICT services, as well as to provide access to the information on vulnerabilities contained in the registry to all interested parties. In accordance with Article 10 (2), CSIRTs should facilitate access to information on vulnerabilities registered in the European vulnerability registry, alongside risk mitigation assistance, to entities that do not fall under the scope of this Directive, in particular start-ups, SMEs, and non-governmental organizations. The registry shall, in particular, include information describing the vulnerability, the affected ICT product or ICT services and the severity of the vulnerability in terms of the circumstances under which it may be exploited, the availability of related patches and, in the absence of available patches, guidance addressed to users of vulnerable products and services as to how the risks resulting from disclosed vulnerabilities may be mitigated.
Amendment 59 #
Proposal for a directive Article 9 – paragraph 4 a (new) 4 a. CSIRTs shall cooperate and exchange relevant information with national institutions responsible for the maintenance of public security, defence, and national security.
Amendment 60 #
Proposal for a directive Article 9 – paragraph 4 b (new) 4 b. CSIRTs should cooperate and, where appropriate and without prejudice to Regulation (EU) 2016/679 or Union law, exchange relevant information with trusted third countries and international organizations on cyber threats, vulnerabilities, best practices, and standards.
Amendment 61 #
Proposal for a directive Article 9 – paragraph 4 c (new) 4 c. Without prejudice to Regulation (EU) 2016/679, to Union law, or to carrying out the obligations in the present Directive, CSIRTs should provide cybersecurity assistance to CSIRTs or equivalent structures in EU candidate countries and to countries in the Western Balkans and the Eastern Partnership.
Amendment 62 #
Proposal for a directive Article 10 – paragraph 1 – point d (d) CSIRTs shall be adequately staffed to properly fulfil the tasks in paragraph 2 of this article and to ensure availability at all times;
Amendment 63 #
Proposal for a directive Article 10 – paragraph 1 – point e a (new) (e a) establishing free-of-charge or accessible cybersecurity assistance, education, and audit programs for entities that fall outside the scope of this Directive, in particular start-ups, SMEs, and non-governmental organisations;
Amendment 64 #
Proposal for a directive Article 11 – paragraph 4 4. To the extent necessary to effectively carry out the tasks and obligations laid down in this Directive, Member States shall ensure appropriate cooperation between the competent authorities and single points of contact and law enforcement authorities, data protection authorities, national supervisory authorities for artificial intelligence, national competent authorities for data governance, and the authorities responsible for critical infrastructure pursuant to Directive (EU) XXXX/XXXX [Resilience of Critical Entities Directive] and the national financial authorities designated in accordance with Regulation (EU) XXXX/XXXX of the European Parliament and of the Council39 [the DORA Regulation] within that Member State. _________________ 39[insert the full title and OJ publication reference when known]
Amendment 65 #
Proposal for a directive Article 12 – paragraph 3 – introductory part 3. The Cooperation Group shall be composed of representatives of Member States, the Commission
Amendment 66 #
Proposal for a directive Article 12 – paragraph 4 – point e a (new) (e a) without prejudice to Union law, engaging in cooperation, mutual assistance, and exchanging best practices and information with trusted third countries and international organizations;
Amendment 67 #
Proposal for a directive Article 13 – paragraph 3 – point k (k) cooperating and exchanging information with regional and Union-level Security Operations Centres (SOCs) and, where appropriate, with military CERTs in order to improve common situational awareness on incidents and threats across the Union;
Amendment 68 #
Proposal for a directive Article 13 – paragraph 3 – point k a (new) (k a) without prejudice to Union law, cooperating and exchanging information with equivalent structures or institutions in trusted third countries and international organizations, such as the United States and NATO, for the purpose of increasing trust, promoting swift and effective operational coordination, harmonising cybersecurity standards, and ensuring interoperability;
Amendment 69 #
Proposal for a directive Article 14 – paragraph 2 2. EU-CyCLONe shall be composed of the representatives of Member States’ crisis management authorities designated in accordance with Article 7, the Commission and ENISA. ENISA shall provide the secretariat of the network and support the secure exchange of information. For large-scale cybersecurity incidents and crises at Union level involving more than one Member State, a Union level crisis management structure involving all relevant actors, including the Joint Cyber Unit, shall be established.
Amendment 70 #
Proposal for a directive Article 14 – paragraph 3 – point a (a) increasing the level of preparedness of the management of large-scale incidents and crises and liaising with Member State institutions in charge of state security and territorial defence;
Amendment 71 #
Proposal for a directive Article 17 – paragraph 2 2. Member States shall ensure that members of the management body follow specific training, on a regular basis, to gain sufficient knowledge and skills in order to apprehend and assess cybersecurity risks and management practices and their impact on the operations of the entity. Member States should encourage essential and important entities to evaluate, on a regular basis, members of the management bodies referenced in paragraph 1 on the adequacy of their skills for ensuring compliance with Article 18.
Amendment 72 #
Proposal for a directive Article 18 – paragraph 3 3. Member States shall ensure that, where considering appropriate measures referred to in point (d) of paragraph 2, entities shall take into account the vulnerabilities specific to each supplier and service provider and the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures in accordance with Union cybersecurity standards and laws and potential non-technical risk factors, such as concealed vulnerabilities or backdoors and potential systemic supply disruptions.
Amendment 73 #
Proposal for a directive Article 19 – paragraph 1 1. The Cooperation Group, in cooperation with the Commission
Amendment 74 #
Proposal for a directive Article 19 – paragraph 2 2. The Commission, after consulting with the Cooperation Group
Amendment 75 #
Proposal for a directive Article 19 – paragraph 2 a (new) 2 a. Upon identifying risks to specific critical ICT services, systems or production supply chains, the Commission, after consulting with the Cooperation Group, ENISA, and the European Defence Agency, shall issue recommendations to Member States and the national competent authorities defined in this Regulation for remedying and increasing resilience to the identified risks.
Amendment 76 #
Proposal for a directive Article 25 – paragraph 1 – point c a (new) (c a) information on the management body responsible for the cybersecurity risk management measures defined in Article 18, as defined by Article 17;
Amendment 77 #
Proposal for a directive Article 29 – paragraph 2 – point c (c) targeted security audits based on risk assessments or risk-related available information, including on risks related to supply chains as defined in Article 18 (3);
Amendment 78 #
Proposal for a directive Article 30 – paragraph 2 – point b (b) targeted security audits based on risk assessments or risk-related available information, including on risks related to supply chains as defined in Article 18 (3);
source: 693.649
2021/06/03
IMCO
737 amendments...
Amendment 100 #
Proposal for a directive Recital 35 (35) The competent authorities and CSIRTs should be empowered to participate in exchange schemes for officials from other Member States in order to improve cooperation and strengthen confidence inside the networks. The competent authorities should take the necessary measures to enable officials from other Member States to play an effective role in the activities of the host competent authority or CSIRT.
Amendment 100 #
Proposal for a directive Recital 11 a (new) (11a) The Covid-19 pandemic has changed many pre-existing work situations, forcing many workers to work from home, and it seems that this change is here to stay for many of these situations. Therefore, it is necessary to ensure that homeworkers are also adequately protected against cybercrime threats and/or attacks. This requires such workers to be adequately trained to detect, prevent and/or react to cyber threats. These workers must also be protected against employers' cyber surveillance systems that would violate not only their labour rights but also their personal rights, such as the right to privacy. Trade unions and other relevant stakeholders must play a meaningful role in this protection.
Amendment 101 #
Proposal for a directive Recital 35 a (new)
Amendment 101 #
Proposal for a directive Recital 11 b (new) (11b) The daily lives of a large part of the population are increasingly digitalised, both personally and professionally, and in this pandemic phase we are seeing much greater and growing use of various digital platforms for various purposes. Consumers' rights must therefore be properly protected, particularly the right to be informed of any cyberattacks on websites that they have used and/or on which they may have provided their personal data.
Amendment 102 #
Proposal for a directive Recital 44 (44) Among service providers, managed security services providers (MSSPs) in areas such as incident response, penetration testing, security audits and consultancy play a particularly important role in assisting entities in their efforts to detect and respond to incidents. Those MSSPs have however also been the targets of cyberattacks themselves and through their close integration in the operations of operators pose a particular cybersecurity risk. Entities should therefore exercise increased diligence in selecting an MSSP and should favour open source cybersecurity products for both software and hardware, as well as open source implementation of open and state-of-the-art, strong cryptography standards.
Amendment 102 #
Proposal for a directive Recital 12 (12) Sector-specific legislation and instruments can contribute to ensuring high levels of cybersecurity, while taking full account of the specificities and complexities of those sectors. Sector-specific legislation and instruments that require essential or important entities to adopt cybersecurity risk management measures, or impose reporting obligations for significant incidents, shall, where possible, be consistent with the terminology, and refer to the definitions in Article 4 of this Directive. Where a sector-specific Union legal act requires essential or important entities to adopt cybersecurity risk management measures or to notify incidents or significant cyber threats of at least an equivalent effect to the obligations laid down in this Directive, and apply to the entirety of the security aspects of the operations and services provided by essential and important entities, those sector-specific provisions, including on supervision and enforcement, should apply. The Commission may issue guidelines in relation to the implementation of the lex specialis. This Directive does not preclude the adoption of additional sector-
Amendment 103 #
Proposal for a directive Recital 45 a (new) (45a) Additionally, entities should also ensure adequate cybersecurity education and training of their staff at all levels of the organisation.
Amendment 103 #
Proposal for a directive Recital 12 (12) Sector-specific legislation and instruments can contribute to ensuring high levels of cybersecurity, while taking full account of the specificities and complexities of those sectors.
Amendment 104 #
Proposal for a directive Recital 46 (46) To further address key supply chain risks and assist entities operating in sectors covered by this Directive to appropriately manage supply chain and supplier related cybersecurity risks, the Cooperation Group involving relevant national authorities, in cooperation with the Commission
Amendment 104 #
Proposal for a directive Recital 12 (12) Sector-specific legislation and instruments can contribute to ensuring high levels of cybersecurity, while taking full account of the specificities and complexities of those sectors. Where a sector–specific Union legal act requires essential or important entities to adopt cybersecurity risk management measures or to notify incidents or significant cyber threats of at least an equivalent effect to the obligations laid down in this Directive, those sector-specific provisions, including on supervision and enforcement, should apply. The Commission
Amendment 105 #
Proposal for a directive Recital 47 (47) The supply chain risk assessments, in light of the features of the sector concerned, should take into account both technical and, where
Amendment 105 #
Proposal for a directive Recital 12 (12) Sector-specific legislation and instruments can contribute to ensuring high levels of cybersecurity, while taking full account of the specificities and complexities of those sectors. Where a sector-specific Union legal act requires essential or important entities to adopt cybersecurity risk management measures or to notify incidents or significant cyber threats of at least an equivalent effect to the obligations laid down in this Directive, and where the requirements are neither conflicting nor overlapping, those sector-specific provisions, including on supervision and enforcement, should apply. The Commission
Amendment 106 #
Proposal for a directive Recital 51 (51) The internal market is more reliant on the functioning of the internet than ever before. The services of virtually all essential and important entities are dependent on services provided over the internet, and consumers rely on it for essential parts of their daily lives. In order to ensure the smooth provision of services provided by essential and important entities, it is important that public electronic communications networks, such as, for example, internet backbones or submarine communications cables, have appropriate cybersecurity measures in place and report incidents in relation thereto.
Amendment 106 #
Proposal for a directive Recital 14 (14) In view of the interlinkages between cybersecurity and the physical security of entities, a coherent approach should be ensured between Directive (EU) XXX/XXX of the European Parliament and of the Council17 and this Directive. To achieve this, Member States should ensure that critical entities, and equivalent entities, pursuant to Directive (EU) XXX/XXX are considered to be essential entities under this Directive. Member States should also ensure that their cybersecurity strategies provide for a policy framework for enhanced coordination between the competent authority under this Directive and the one under Directive (EU) XXX/XXX in the context of information sharing on incidents and cyber threats and the exercise of supervisory tasks. Authorities under both Directives should cooperate and exchange information on a regular basis, particularly in relation to the identification of critical entities, cyber threats, cybersecurity risks, incidents affecting critical entities as well as on the cybersecurity measures taken by critical entities. Upon request of competent authorities under Directive (EU) XXX/XXX, competent authorities under this Directive should be allowed to
Amendment 107 #
Proposal for a directive Recital 51 a (new) (51a) In order to offer the necessary transparency to mitigate supply chain risks, open source cybersecurity products (software and hardware), including open source encryption, should be favoured, in line with Opinion 5/2021 of the European Data Protection Supervisor1a. __________________ 1aOpinion 5/2021 of the European Data Protection Supervisor on the Cybersecurity Strategy and the NIS 2.0 Directive, 11 March 2021.
Amendment 107 #
Proposal for a directive Recital 15 (15) Upholding and preserving a reliable, resilient and secure domain name system (DNS) is a key factor in maintaining the integrity of the Internet and is essential for its continuous and stable operation, on which the digital economy and society depend.
Amendment 108 #
Proposal for a directive Recital 52 (52)
Amendment 108 #
Proposal for a directive Recital 15 (15) Upholding and preserving a reliable, resilient and secure domain name system (DNS) is a key factor in maintaining the integrity of the Internet and is essential for its continuous and stable operation, on which the digital economy and society depend. Therefore, this Directive should apply to
Amendment 109 #
Proposal for a directive Recital 53 (53)
Amendment 109 #
Proposal for a directive Recital 15 (15) Upholding and preserving a reliable, resilient and secure domain name system (DNS) is a key factor in maintaining the integrity of the Internet and is essential for its continuous and stable operation, on which the digital economy and society depend. Therefore,
Amendment 110 #
Proposal for a directive Recital 54 (54) In order to safeguard the security of electronic communications networks and services, the use of encryption, and in particular end-to-end encryption, should be promoted and
Amendment 110 #
Proposal for a directive Recital 15 (15) Upholding and preserving a reliable, resilient and secure domain name system (DNS) is a key factor in maintaining the integrity of the Internet and is essential for its continuous and stable operation, on which the digital economy and society depend. Therefore, this Directive should apply to all providers of DNS services along the DNS resolution chain,
Amendment 111 #
Proposal for a directive Recital 54 (54) In order to safeguard the security of electronic communications networks and services, the use of encryption, and in particular end-to-end encryption, should be promoted and,
Amendment 111 #
Proposal for a directive Recital 17 a (new) (17a) The edge ecosystem is an emerging vector susceptible to cyber threats, and a growing trend of attacks targeting devices — such as routers, switches, and firewalls — is having a significant impact on both enterprises and the connected digital ecosystem in its entirety. Edge computing ecosystems delivered in a highly distributed form are essential for the development of the Internet of Things (IoT), the Industrial Internet of Things (IIoT) and the sectoral ecosystems of connected devices such as connectivity infrastructure and autonomous vehicles. IoT devices may potentially offer additional attack surfaces and allow threats and attacks to trickle from the device to the network or the cloud. Poor security of IoT devices or IoT gateways can potentially hinder the security of the entire connectivity chain and the data flows towards the edge and the cloud, consequentially affecting the overall security of the ecosystem.
Amendment 112 #
Proposal for a directive Recital 54 (54) In order to safeguard the security of electronic communications networks and services, the use of encryption, and in particular end-to-end encryption, should be promoted and, where necessary, should be mandatory for providers of such services and networks in accordance with the principles of security and privacy by default and by design for the purposes of Article 18. The use of end-to-end encryption should be reconciled with the Member State’ powers to ensure the protection of their essential security interests and public security, and to permit the investigation, detection and prosecution of criminal offences in compliance with Union law.
Amendment 112 #
Proposal for a directive Recital 17 b (new) (17b) The continuous increase of computing power combined with the rising levels of maturity of exponential technologies such as machine learning (ML) and artificial intelligence (AI) enable the development of advanced cybersecurity capabilities for real-time detection, analysis, containment and response to cyber threats in a rapidly evolving threat landscape. AI tools and applications are used to develop security controls including, but not limited to, active firewalls, smart antivirus, automated CTI (cyber threat intelligence) operations, AI fuzzing, smart forensics, email scanning, adaptive sandboxing, and automated malware analysis.
Amendment 113 #
Proposal for a directive Recital 55 (55) This Directive lays down a t
Amendment 113 #
Proposal for a directive Recital 17 c (new) (17c) Data-driven tools and applications powered by AI-enabled systems require the processing of large amounts of data, which may include personal data. Risks persist in the entire lifecycle of AI-enabled systems in cybersecurity-enhancing tools and applications, and in order to mitigate risks of undue interference with the rights and freedoms of individuals, the requirements of data protection by design and by default laid down in Article 25 of Regulation (EU) 2016/679 shall be applied. Integrating appropriate safeguards such as pseudonymisation, encryption, data accuracy, and data minimisation in the design and use of AI-enabled systems deployed in cybersecurity applications and processes is essential to mitigate the risks that such systems may pose to personal data.
Amendment 114 #
Proposal for a directive Recital 55 (55) This Directive lays down a two- stage approach to incident reporting in order to strike the right balance between, on the one hand, swift reporting that helps mitigate the potential spread of incidents and allows entities to seek support, and, on the other hand, in-depth reporting that draws valuable lessons from individual incidents and improves over time the resilience to cyber threats of individual companies and entire sectors. Where entities become aware of an incident, they should be required to submit an initial notification with
Amendment 114 #
Proposal for a directive Recital 17 d (new) (17d) Member States should adopt policies on the promotion and integration of AI-enabled systems in the prevention and detection of cybersecurity incidents and threats as part of their national cybersecurity strategies. Such policies should emphasise the technological and operational measures including, but not limited to, workflow automation, streaming analytics, active monitoring, intelligent prediction and advanced network threat detection, in order to accelerate the analysis, validation and prioritisation of threats. ENISA's National Capabilities Assessment Framework (NCAF) can assist in the evaluation and alignment of Member States' policies building on available use cases and key performance indicators. Moreover, an assessment of Member States' capabilities and overall level of maturity as regards the integration of AI-enabled systems in cybersecurity should be factored into the methodological construction of the cybersecurity index within the meaning of ENISA's report on the state of cybersecurity in the Union under Article 15 of this Directive.
Amendment 115 #
Proposal for a directive Recital 55 a (new) (55a) Where entities become aware of an incident, they should be required to submit an initial notification within 72 hours, followed by a comprehensive report not later than one month after. The initial notification should only include the information strictly necessary to make the competent authorities aware of the incident and allow the entity to seek assistance, if required. Such notification, where applicable, should indicate whether the incident is presumably caused by unlawful or malicious action. The initial notification should be preceded by an early warning about an ongoing incident, without any obligation of additional information disclosures within the first 24 hours as of the moment the entity became aware of the incident. This early warning should be submitted as soon as possible, allowing entities to seek support from competent authorities or CSIRTs swiftly, and enabling competent authorities or CSIRTs to mitigate the potential spread of the reported incident, as well as serving as a situational awareness tool for CSIRTs. Member States should ensure that the requirement to submit both the initial notification and the early warning does not divert the reporting entity's resources from activities related to incident handling that should be prioritised. To further prevent that incident reporting obligations either divert resources from incident response handling or may otherwise compromise the entities' efforts in that respect, Member States should also provide that, in duly justified cases and in agreement with the competent authorities or the CSIRT, the entity concerned can deviate from the deadline of one month for the comprehensive report.
Amendment 115 #
Proposal for a directive Recital 17 e (new) (17e) Open-source cybersecurity tools contribute to a higher degree of transparency and have a positive impact on the efficiency of industrial innovation. Open standards facilitate interoperability between security tools, benefitting the security of industrial stakeholders, enabling the diversification of reliance from a single supplier or vendor, and leading to a more comprehensive CTI framework. Semi-automation of CTI production is an important tool to reduce the number of manual steps underpinning the analysis of CTI. The use of AI and ML within CTI should be further explored to increase the value of machine learning functions within CTI activities.
Amendment 116 #
Proposal for a directive Recital 56 (56) Essential and important entities are often in a situation where a particular incident, because of its features, needs to be reported to various authorities as a result of notification obligations included in various legal instruments. Such cases create additional burdens and may also lead to uncertainties with regard to the format and procedures of such notifications. In view of this and, for the purposes of simplifying the reporting of security incidents and upholding the once-only principle, Member States should establish a single entry point for all notifications required under this Directive and also under other Union law such as Regulation (EU) 2016/679 and Directive 2002/58/EC. ENISA, in cooperation with the Cooperation Group, should develop common notification templates by means of guidelines that would simplify and streamline the reporting information requested by Union law and decrease the burdens for companies.
Amendment 116 #
Proposal for a directive Recital 17 f (new) (17f) Member States should develop a policy for the integration of open-source tools in public administration, and further explore measures to incentivise the wider adoption of open-source software by developing strategies to address and minimise the legal and technical risks that entities are faced with, as regards licensing and the necessary levels of technical support. Such policies are of particular importance for small and medium-sized enterprises (SMEs) facing significant costs for implementation, which can be minimised by reducing the need for specific applications or tools.
Amendment 117 #
Proposal for a directive Recital 59 (59) Maintaining accurate
Amendment 117 #
Proposal for a directive Recital 19 (19) Postal service providers within the meaning of Directive 97/67/EC of the
Amendment 118 #
Proposal for a directive Recital 59 (59) Maintaining accurate, verified and complete databases of domain names and registration data (so called ‘WHOIS data’) and providing lawful access to such data is essential to ensure the security, stability and resilience of the DNS, which in turn contributes to a high common level of cybersecurity within the Union. Where processing includes personal data such processing shall comply with Union data protection law.
Amendment 118 #
Proposal for a directive Recital 20 (20) Those growing interdependencies are the result of an increasingly cross-border and interdependent network of service provision using key infrastructures across the Union in the sectors of energy, transport, digital infrastructure, drinking and waste water, health,
Amendment 119 #
Proposal for a directive Recital 60 (60) The availability and timely accessibility of
Amendment 119 #
Proposal for a directive Recital 20 a (new) (20a) Member States should ensure that the network and information systems used by their public administration entities are subject to their national cybersecurity regulation. Where appropriate, public administration entities should be subject to obligations similar to those for essential and important entities, as appropriate.
Amendment 120 #
Proposal for a directive Recital 61 (61) In order to ensure the availability of accurate
Amendment 120 #
Proposal for a directive Recital 21 (21) In view of the differences in national governance structures and in order to safeguard already existing sectoral
Amendment 121 #
Proposal for a directive Recital 61 (61) In order to ensure the availability of accurate and complete domain name registration data, TLD registries and the entities providing domain name registration services
Amendment 121 #
Proposal for a directive Recital 21 a (new) (21a) Public-Private Partnerships (PPPs) in the field of cybersecurity can provide the right framework for knowledge exchange, sharing of best practices and the establishment of a common level of understanding amongst all stakeholders. Goal-oriented and service outsourcing PPPs foster a culture of cybersecurity at the Member State level, and leverage the exchange and transfer of expertise, thus raising cybersecurity awareness and the overall level of reciprocal support between public and private entities. Hybrid PPPs enable governments to assign either the operation, or the delivery of service-specific functions, of a CSIRT to an experienced entity, facilitating the access of public administrations to private sector resources and increasing the levels of trust between stakeholders by establishing a proactive attitude in case of incidents or crises.
Amendment 122 #
Proposal for a directive Recital 62 (62) TLD registries
Amendment 122 #
Proposal for a directive Recital 21 b (new) (21b) Member States should adopt policies underpinning the establishment of cybersecurity-specific PPPs as part of their national cybersecurity strategies. These policies should clarify, among others, the scope and stakeholders involved, the governance model, the available funding options, and the interaction among participating stakeholders. PPPs can leverage the expertise of private sector entities to support Member States’ competent authorities in developing state-of-the-art services and processes including, but not limited to, information exchange, early warnings, cyber threat and incident exercises, crisis management, and resilience planning.
Amendment 123 #
Proposal for a directive Recital 62 (62) TLD registries and the entities providing domain name registration services for them should make publicly available domain name registration data that fall outside the scope of Union data protection rules, such as data that concern legal persons25. TLD registries and the entities providing domain name registration services for the TLD should also enable lawful access to specific domain name registration data concerning natural persons to legitimate access seekers, in accordance with Union data protection law. Member States should ensure that TLD registries and the entities providing domain name registration services for them respond without undue delay and in any event within 24 hours to requests from legitimate access seekers for the disclosure of domain name registration data. TLD registries and the entities providing domain name registration services for them should establish policies and procedures for the publication and disclosure of registration data, including service level agreements to deal with requests for access from legitimate access seekers. The access procedure may also include the use of an interface, portal or other technical tool to provide an efficient system for requesting
Amendment 123 #
Proposal for a directive Recital 23 a (new) (23a) Cybercrime is a cross-border issue in a constantly changing process, so in order to achieve a common level of cybersecurity across the EU, the rules on prevention, detection and response to cyber threats and attacks need to be harmonized as far as possible. Therefore, ENISA should provide continuous technical support to Member States and national competent authorities and, in addition to its supervisory tasks, ENISA should provide regular recommendations and guidance for the implementation of cybersecurity best practices, also for support to SMEs and to workers.
Amendment 124 #
Proposal for a directive Recital 68 (68) Entities should be encouraged and supported by Member States to collectively leverage their individual knowledge and practical experience at strategic, tactical and operational levels with a view to enhancing their capabilities to adequately assess, monitor, defend against, and respond to, cyber threats. It is thus necessary to enable the emergence at Union level of mechanisms for voluntary information sharing arrangements that are based on already established internationally recognised standards. To this end, Member States should actively support and encourage also relevant entities not covered by the scope of this Directive to participate in such information-sharing mechanisms. Those mechanisms should be conducted in full compliance with the competition rules of the Union as well as the data protection
Amendment 124 #
Proposal for a directive Recital 24 (24) Member States should be adequately equipped, in terms of both technical and organisational capabilities, to
Amendment 125 #
Proposal for a directive Recital 69 (69) The processing of personal data,
Amendment 125 #
Proposal for a directive Recital 24 (24) Member States should be adequately equipped, in terms of both technical and organisational capabilities, to prevent, detect, respond to and mitigate network and information system incidents and risks. Member States should therefore
Amendment 126 #
Proposal for a directive Recital 70 (70) In order to strengthen the supervisory powers and actions that help ensure effective compliance and to achieve a common high level of security within the digital sector throughout the Union, this Directive should provide for a minimum list of supervisory actions and means through which competent authorities may supervise essential and important entities. In addition, this Directive should establish a differentiation of supervisory regime between essential and important entities with a view to ensuring a fair balance of obligations for both entities and competent authorities. Thus, essential entities should be subject to a fully-fledged supervisory regime (ex-ante and ex-post), while important entities should be subject to a light supervisory regime, ex-post only. For the latter, this means that important entities should not document systematically compliance with cybersecurity risk management requirements, while competent authorities should implement a reactive ex-post approach to supervision and, hence, not have a general obligation to supervise those entities, except where there is a manifest breach of obligations, in particular where such entities cause risk for users or other services included in the scope of this Directive.
Amendment 126 #
Proposal for a directive Recital 25 (25) As regards personal data, CSIRTs should be able to provide, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council19 as regards personal data, on behalf of and upon request by an entity under this Directive, or in case of a serious threat to national security, a proactive scanning of the network and information systems used for the provision of their services. The knowledge whether an entity runs a privileged management interface affects the speed of undertaking mitigating actions. It is critical that an entity, or a CSIRT upon an entity's request, has the ability to continuously discover, inventory, manage, and monitor all internet-facing assets, both on premises and in the cloud, to understand their overall organisational risk to newly discovered supply chain compromises or critical vulnerabilities. Member States should aim at ensuring an equal level of technical capabilities for all sectorial CSIRTs. Member States may request the assistance of the European Union Agency for Cybersecurity (ENISA) in developing national CSIRTs.
Amendment 127 #
Proposal for a directive Recital 70 (70) In order to strengthen the supervisory powers and actions that help ensure effective compliance and to achieve a common high level of security throughout the digital sector, including by preventing risks for users or other networks, information systems and services, this Directive should provide for a minimum list of supervisory actions and means through which competent authorities may supervise essential and important entities. In addition, this Directive should establish a differentiation of supervisory regime between essential and important entities with a view to ensuring a fair balance of obligations for both entities and competent authorities. Thus, essential entities should be subject to a fully-fledged supervisory regime (ex-ante and ex-post), while important entities should be subject to a light supervisory regime, ex-post only. For the latter, this means that important entities should not document systematically compliance with cybersecurity risk management requirements, while competent authorities should implement a reactive ex-post approach to supervision and, hence, not have a general obligation to supervise those entities except where there is a demonstrable breach of obligations.
Amendment 127 #
Proposal for a directive Recital 25 (25) As regards personal data, CSIRTs should be able to provide, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council19 as regards personal data, on behalf of and upon request by an entity under this Directive, a proactive scanning of the network and information systems used for the provision of their services in order to identify, mitigate or prevent specific network and information security threats. Processing of personal data by such scanning should be kept to the minimum necessary and should, in particular, respect the principles of data minimisation, purpose limitation and data protection by design and by default. Member States should aim at ensuring an equal level of technical capabilities for all sectorial CSIRTs. Member States may request the assistance of the European Union Agency for Cybersecurity (ENISA) in developing national CSIRTs.
Amendment 128 #
Proposal for a directive Recital 76 (76) In order to further strengthen the effectiveness and dissuasiveness of the penalties applicable to infringements of obligations laid down pursuant to this Directive, the competent authorities should be empowered to apply sanctions consisting of the suspension of a certification or authorisation concerning
Amendment 128 #
Proposal for a directive Recital 25 (25) As regards personal data, CSIRTs should be able to provide, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council19 as regards personal data, on behalf of and upon request by an entity under this Directive, a proactive scanning of the network and information systems used for the provision of their services. Member States should aim at ensuring an equal level of technical capabilities for all sectorial CSIRTs. Member States may request the assistance of the European Union Agency for Cybersecurity (ENISA) in developing national CSIRTs. With regard to personal data, all entities, public and/or private, which, due to a reported incident or a detected cybersecurity threat, wish to access or legitimately access personal data shall proceed in absolute accordance with the General Data Protection Regulation.
19 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).
Amendment 129 #
Proposal for a directive Recital 79 (79) A peer-review mechanism should be introduced, allowing the assessment by independent experts designated by the Member States, of the implementation of cybersecurity policies, including the level of Member States’ capabilities and available resources. When deciding on the methodology, the Commission, supported by ENISA, should establish an objective, non-discriminatory, technology neutral, fair and transparent system for the selection of such experts.
Amendment 129 #
Proposal for a directive Recital 26 (26) Given the importance of international cooperation on cybersecurity, CSIRTs should be able to participate in international cooperation networks, including with CSIRTs outside the Union, in addition to the CSIRTs network established by this Directive.
Amendment 130 #
Proposal for a directive Recital 79 (79) A peer-review mechanism should be introduced, allowing the assessment by experts designated by the Member States and ENISA of the implementation of cybersecurity policies, including the level of Member States’ capabilities and available resources, and the exchange of experiences and best practices related to procedures and instruments.
Amendment 130 #
Proposal for a directive Recital 26 a (new) (26a) Cyber hygiene policies provide the foundations for protecting network and information system infrastructures, hardware, software and online application security, and business or end-user data which entities rely on. Cyber hygiene policies comprising a common baseline set of practices including, but not limited to, software and hardware updates, password changes, management of new installs, limitation of administrator-level access accounts, and backing up of data, enable a proactive framework of preparedness and overall safety and security in the event of incidents or threats.
Amendment 131 #
Proposal for a directive Article 1 – paragraph 1 1. This Directive lays down measures with a view to ensuring a high common level of cybersecurity within the Union to ensure a trustworthy digital environment for consumers and business and to improve and remove barriers to the functioning of the internal market.
Amendment 131 #
Proposal for a directive Recital 26 b (new) (26b) Member States should adopt policies to promote cyber hygiene as part of their national cybersecurity strategies. Such policies should build on cyber hygiene controls and programmes that are affordable and accreditable in order to minimise the cost of implementation, especially for SMEs, and encourage wider compliance thereto by both public and private entities. ENISA should monitor and assess Member States’ cyber hygiene policies, and explore EU-wide schemes to enable cross-border checks ensuring equivalence independent of Member State requirements.
Amendment 132 #
Proposal for a directive Article 1 – paragraph 1 1. This Directive lays down measures with a view to ensuring a high common level of cybersecurity within the Union and strengthening the Digital Single Market.
Amendment 132 #
Proposal for a directive Recital 28 (28) Since the exploitation of vulnerabilities in network and information systems may cause significant disruption and harm, swiftly identifying and remedying those vulnerabilities is an important factor in reducing cybersecurity risk. Entities that develop such systems should therefore establish appropriate procedures to handle vulnerabilities when they are discovered. Since vulnerabilities are often discovered and reported (disclosed) by third parties (reporting entities), the manufacturer or provider of ICT products or services should also put in place the necessary procedures to receive vulnerability information from third parties. In this regard, international standards ISO/IEC 30111 and ISO/IEC 29417 provide guidance on vulnerability handling and vulnerability disclosure respectively. As regards vulnerability
Amendment 133 #
Proposal for a directive Article 2 – paragraph 1 1. This Directive applies to public and private entities of a type referred to as essential entities in Annex I and as
Amendment 133 #
Proposal for a directive Recital 29 (29) Member States should therefore take measures to facilitate coordinated vulnerability disclosure by establishing a relevant national policy. In this regard, Member States should designate a CSIRT to take the role of ‘coordinator’, acting as an intermediary between the reporting entities and the manufacturers or providers of ICT products or services, where
Amendment 134 #
Proposal for a directive Article 2 – paragraph 1 1. This Directive applies to public and private entities of a type referred to as essential entities in Annex I and as important entities in Annex II. This Directive does not apply to entities that qualify as micro and small enterprises within the meaning of Commission Recommendation 2003/361/EC
Amendment 134 #
Proposal for a directive Recital 29 (29) Member States should therefore take measures to facilitate coordinated vulnerability disclosure by establishing a relevant national policy. In this regard, Member States should designate a CSIRT to take the role of ‘coordinator’, acting as an intermediary between the
Amendment 135 #
Proposal for a directive Article 2 – paragraph 1 1. This Directive applies to public and private entities of a type referred to
Amendment 135 #
Proposal for a directive Recital 29 (29) Member States, in cooperation with ENISA, should therefore take measures to facilitate coordinated vulnerability disclosure by establishing a relevant national policy. In this regard, Member States should designate a CSIRT to take the role of ‘coordinator’, acting as an intermediary between the reporting entities and the manufacturers or providers of ICT products or services where necessary. The tasks of the CSIRT coordinator should in particular include identifying and contacting concerned entities, supporting reporting entities, negotiating disclosure timelines, and managing vulnerabilities that affect multiple organisations (multi-party vulnerability disclosure). Where vulnerabilities affect multiple manufacturers or providers of ICT products or services established in more than one Member State, the designated CSIRTs from each of the affected Member States should cooperate within the CSIRTs Network.
Amendment 136 #
Proposal for a directive Article 2 – paragraph 2 – introductory part 2.
Amendment 136 #
Proposal for a directive Recital 30 (30) Access to correct and timely information on vulnerabilities affecting ICT products and services contributes to an enhanced cybersecurity risk management. In that regard, sources of publicly available information on vulnerabilities are an important tool for entities and their users, but also national competent authorities and CSIRTs. For this reason, ENISA should establish a vulnerability registry where essential and important entities and their suppliers, as well as entities which do not fall in the scope of application of this Directive, may, on a voluntary basis, disclose vulnerabilities and provide the vulnerability information that allows users to take appropriate mitigating measures. In general, to encourage a culture of disclosure of incidents, a voluntary disclosure should be without detriment to the reporting entity. Any exchange of information shall preserve the confidentiality of that information and protect the security and commercial interests of essential or important entities
Amendment 137 #
Proposal for a directive Article 2 – paragraph 2 – point d (d) a
Amendment 137 #
Proposal for a directive Recital 30 (30) Access to correct and timely information on vulnerabilities affecting ICT products and services and industrial control systems (ICS) contributes to an
Amendment 138 #
Proposal for a directive Article 2 – paragraph 2 – point e (e) a
Amendment 138 #
Proposal for a directive Recital 30 (30) Access to correct and timely information on vulnerabilities affecting ICT products and services contributes to an enhanced cybersecurity risk management. In that regard, sources of publicly available information on vulnerabilities are an important tool for entities and their users, but also national competent authorities and CSIRTs. For this reason, ENISA should establish a vulnerability
Amendment 139 #
Proposal for a directive Article 2 – paragraph 2 a (new) 2a. Member States shall ensure that all entities falling under the scope of this Directive comply with this Directive as important entities. Member States may decide which important entities shall be designated as essential entities, taking into account, in particular, whether the entities had already been identified as the operators of essential services pursuant to Article 5 of NIS Directive (2016/1148) and prioritisation of the sectors and subsectors with higher level of criticality listed in Annex I. Member States shall by [transposition deadline] establish an initial list of essential and important entities that are to comply with this Directive and shall review it, on a regular basis, and, where appropriate, update it. Member States shall set a deadline for initial self-notification or identification by the competent authority and compliance with this Directive for the entities falling under the scope of this Directive not exceeding [6 months after the transposition deadline]. The entities which had been already identified as the operators of essential services pursuant to Article 5 of NIS Directive (2016/1148) shall comply with this Directive by [transposition deadline]. The entities shall submit at least the following information: the name of the entity, address and up-to-date contact details, including email addresses and telephone numbers, and relevant sector(s) and subsector(s) referred to in Annexes I and II. The entities shall without undue delay notify any changes to the details they submitted, and in any event, within two weeks from the date on which the change took effect.
Amendment 139 #
Proposal for a directive Recital 31 (31) Although similar vulnerability registries or databases do exist, these are hosted and maintained by entities which are not established in the Union. A European vulnerability registry maintained by ENISA would provide improved transparency regarding the publication process before the vulnerability is officially disclosed, and resilience in cases of disruptions or interruptions on the provision of similar services. To avoid duplication of efforts and seek complementarity to the extent possible, ENISA should explore the possibility of entering into structured cooperation agreements with similar registries in third country jurisdictions. ENISA could play a more central management role either by exploring the option of becoming a “Root CVE Numbering Authority” in the global Common Vulnerabilities and Exposures (CVE) registry, or setting up a database to leverage the existing CVE programme for vulnerability identification and registration to enable interoperability and reference between the European and third country jurisdiction registries.
Amendment 140 #
Proposal for a directive Article 2 – paragraph 2 b (new) 2b. The entities referred to in Article 24(1) shall submit the self-notifications in the Member State in which they have their main establishment. In addition to the information referred to in the third subparagraph of paragraph 2a of this Article, they shall notify the address of their main establishment and their other legal establishments in the Union or, if not established in the Union, of their representative designated pursuant to Article 24(3) and the Member States where the entity provides services. Where an entity referred to in paragraph 1 has, besides its main establishment in the Union, further establishments or provides services in other Member States, the single contact point of the main establishment shall without undue delay forward the information to the single points of contact of those Member States. Where an entity fails to notify or to provide the relevant information on Member States concerned within the deadline set out by the Member State of its main establishment, any Member State where the entity provides services shall be competent to ensure that entity’s compliance with the obligations laid down in this Directive.
Amendment 140 #
Proposal for a directive Recital 31 (31)
Amendment 141 #
Proposal for a directive Article 2 – paragraph 2 c (new) 2c. By [6 months after the transposition deadline] and every 12 months thereafter, Member States shall submit to the Cooperation Group and, for the purpose of the review referred to in Article 35, to the Commission, the information necessary to enable it to assess the consistency of Member States' approaches to the identification of essential and important services. That information shall include at least the number of all essential and important entities identified for each sector and subsector referred to in Annexes I and II, including the number of small and micro enterprises in each category;
Amendment 141 #
Proposal for a directive Recital 32 (32) The Cooperation Group set up under this Directive, should include representatives of Member States, the Commission, ENISA and, due to the link with the data protection framework, the European Data Protection Board (EDPB). The cooperation group should establish a work programme every two years including the actions to be undertaken by the Group to implement its objectives and tasks. The timeframe of the first programme adopted under this Directive should be aligned with the timeframe of the last programme adopted under Directive (EU) 2016/1148 in order to avoid potential disruptions in the work of
Amendment 142 #
Proposal for a directive Article 2 – paragraph 3 a (new) 3a. Member States shall ensure that the network and information systems used by their public administration entities are subject to their national cybersecurity regulation.
Amendment 142 #
Proposal for a directive Recital 35 (35) The competent authorities and CSIRTs should be empowered to participate in exchange schemes for officials from other Member States, within structured rules and mechanisms underpinning the scope and, where applicable, the required security clearance of officials participating in such exchange schemes, in order to improve cooperation. The competent authorities should take the necessary measures to enable officials from other Member States to play an effective role in the activities of the host competent authority or CSIRT.
Amendment 143 #
Proposal for a directive Article 4 – paragraph 1 – point 4 (4) ‘national strategy on cybersecurity’ means a coherent framework of a Member State providing strategic objectives and priorities on the security of network and information systems in that Member State, as well as policies needed to achieve them;
Amendment 143 #
Proposal for a directive Recital 36 (36) The Union should, where appropriate, conclude international agreements, in accordance with Article 218 TFEU, with third countries or international organisations, allowing and organising their participation in some activities of the Cooperation Group and the CSIRTs network
Amendment 144 #
Proposal for a directive Article 4 – paragraph 1 – point 5 a (new) (5a) 'cross-border incident' means any incident which impacts operators under at least 2 different national competent authorities;
Amendment 144 #
Proposal for a directive Recital 38
Amendment 145 #
Proposal for a directive Article 4 – paragraph 1 – point 8 a (new) (8a) "early warning" means the information preceding the initial incident notification warning to third parties, without detailed information obligations, on the onset of an incident or on the discovery moment of an ongoing incident;
Amendment 145 #
Proposal for a directive Recital 39
Amendment 146 #
Proposal for a directive Article 4 – paragraph 1 – point 15 a (new) (15a) ‘domain name registration services’ means services provided by domain name registries and registrars, privacy or proxy registration service providers, domain brokers or resellers, and any other services which are related to the registration of domain names;
Amendment 146 #
Proposal for a directive Recital 40 (40) Risk-management measures should include measures to identify any risks of incidents, to prevent, detect and handle incidents and to mitigate their impact. The security of network and information systems should comprise the security of stored, transmitted and processed data. It must be approached using systemic analysis that breaks down the various processes and the interactions between the subsystems, in order to have a complete picture of the security of the information system. The human factor should be fully taken into account in the analysis.
Amendment 147 #
Proposal for a directive Article 4 – paragraph 1 – point 23
Amendment 147 #
Proposal for a directive Recital 40 (40) Risk-management measures should include measures to identify any risks of incidents, to prevent, detect
Amendment 148 #
Proposal for a directive Article 4 – paragraph 1 – point 26 a (new) (26a) 'non-critical entity' means any entity of a type referred to in Annex I and Annex II which, regardless of its size and resources, has no critical function within a specific sector or type of service provided and has a low level of dependency on other sectors or types of services.
Amendment 148 #
Proposal for a directive Recital 43 (43) Addressing cybersecurity risks stemming from an entity’s supply chain and its relationship with its suppliers is particularly important given the prevalence of incidents where entities have fallen victim to cyber-attacks and where malicious actors were able to compromise the security of an entity’s network and information systems by exploiting vulnerabilities affecting third party products and services. Entities should therefore assess and take into account the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures. Entities should be in particular encouraged to incorporate the cybersecurity safeguards into the contractual arrangements with the tier-1 suppliers and service providers, including responsibility of the tier-1 suppliers for other tiers of suppliers and service providers.
Amendment 149 #
Proposal for a directive Article 5 – paragraph 1 – point b (b) a governance framework to achieve
Amendment 149 #
Proposal for a directive Recital 43 (43) Addressing cybersecurity risks stemming from an entity’s supply chain and its relationship with its suppliers is particularly important given the prevalence
Amendment 150 #
Proposal for a directive Article 5 – paragraph 1 – point b (b) a governance framework to achieve those objectives and priorities, including the policies referred to in paragraph 2 and the roles and responsibilities of public bodies and entities as well as other relevant actors, including those responsible for cyber intelligence and cyber defence;
Amendment 150 #
Proposal for a directive Recital 43 (43) Addressing cybersecurity risks stemming from an entity’s supply chain and its relationship with its suppliers is particularly important given the prevalence of incidents where entities have fallen victim to
Amendment 151 #
Proposal for a directive Article 5 – paragraph 1 – point c (c) an assessment to identify relevant assets and cybersecurity risks in that Member State
Amendment 151 #
Proposal for a directive Recital 43 (43) Addressing cybersecurity risks stemming from an entity’s supply chain and its relationship with its suppliers is particularly important given the prevalence of incidents where entities have fallen victim to cyber-attacks and where malicious actors were able to compromise the security of an entity’s network and information systems by exploiting vulnerabilities affecting third party products and services. Entities should therefore assess and take into account the overall quality
Amendment 152 #
Proposal for a directive Article 5 – paragraph 1 – point f a (new) (fa) a policy framework for enhanced coordination between the competent authorities under this Directive and the independent body responsible for oversight of data collection, in line with Union law.
Amendment 152 #
Proposal for a directive Recital 43 a (new)
Amendment 153 #
Proposal for a directive Article 5 – paragraph 2 – point a (a) a policy addressing cybersecurity in the supply chain for ICT products and services used by essential and important entities for the provision of their services, which should favour open source cybersecurity products for both software and hardware, as well as open source implementation of open and state-of-the-art, strong cryptography standards;
Amendment 153 #
Proposal for a directive Recital 44 (44) Among service providers, managed security services providers (MSSPs) in areas such as incident response, penetration testing, security audits and consultancy play a particularly important role in assisting entities in their efforts to prevent, detect and respond to incidents. Those MSSPs have however also been the targets of cyberattacks themselves and through their close integration in the operations of
Amendment 154 #
Proposal for a directive Article 5 – paragraph 2 – point a a (new) (aa) a policy framework addressing cybersecurity and the lawful access to information, which does not undermine the effectiveness of encryption in protecting privacy and security of communications and which includes independent oversight;
Amendment 154 #
Proposal for a directive Recital 44 (44) Among service providers, managed security services providers (MSSPs) in areas such as incident response, penetration testing, security audits and consultancy play a particularly important role in assisting entities in their efforts to detect and respond to incidents. Those MSSPs have however also been the targets of
Amendment 155 #
Proposal for a directive Article 5 – paragraph 2 – point a a (new) (aa) a policy addressing cybersecurity of consumers, including their awareness of cyber threats, their cyber literacy and cyber-hygiene, as well as the cybersecurity of products available for consumers;
Amendment 155 #
Proposal for a directive Recital 45 (45) Entities should also address cybersecurity risks stemming from their interactions and relationships with other stakeholders within a broader ecosystem, including to counter industrial espionage and to protect trade secrets. In particular, entities should take appropriate measures to ensure that their cooperation with academic and research institutions takes place in line with their cybersecurity policies and follows good practices as regards secure access and dissemination of information in general and the protection of intellectual property in particular. Similarly, given the importance and value of data for the activities of the entities, when relying on data transformation and data analytics services from third parties, the entities should take all appropriate cybersecurity measures.
Amendment 156 #
Proposal for a directive Article 5 – paragraph 2 – point b (b) guidelines regarding the inclusion and specification of cybersecurity-related requirements for ICT products and services in public procurement, including the promotion of the use of open source cybersecurity products;
Amendment 156 #
Proposal for a directive Recital 46 (46) To further address key supply chain risks and assist entities operating in sectors covered by this Directive to appropriately manage supply chain and supplier related cybersecurity risks, the Cooperation Group involving relevant national authorities, in cooperation with the Commission and ENISA, and in consultation with the European Data Protection Board (EDPB), should carry out coordinated sectoral supply chain risk assessments, as was already done for 5G networks following Recommendation (EU) 2019/534 on Cybersecurity of 5G networks [21], with the aim of identifying per sector which are the critical ICT services, systems or products, relevant threats and vulnerabilities. Particular emphasis should be placed on ICT services, systems or products subject to specific requirements, in particular in third country jurisdictions serving as the country of origin.
[21] Commission Recommendation (EU) 2019/534 of 26 March 2019 Cybersecurity of 5G networks (OJ L 88, 29.3.2019, p. 42).
Amendment 157 #
Proposal for a directive Article 5 – paragraph 2 – point c (c) a policy to promote and facilitate coordinated vulnerability disclosure within the meaning of Article 6 including by laying down guidelines and best practices based on already established internationally recognised standards on vulnerability handling and disclosure;
Amendment 157 #
Proposal for a directive Recital 46 (46) To further address key supply chain risks and assist entities operating in sectors covered by this Directive to appropriately manage supply chain and supplier related cybersecurity risks, the Cooperation Group involving relevant national authorities, in cooperation with the Commission and ENISA, should carry out coordinated
Amendment 158 #
Proposal for a directive Article 5 – paragraph 2 – point e (e) a policy on promoting and
Amendment 158 #
Proposal for a directive Recital 47 (47) The supply chain risk assessments, in light of the features of the sector concerned, should take into account both technical and, where relevant, non-technical factors including those defined in Recommendation (EU) 2019/534, in the EU wide coordinated risk assessment of 5G networks security and in the EU
Amendment 159 #
Proposal for a directive Article 5 – paragraph 2 – point e (e) a policy on promoting and developing technology neutral cybersecurity skills, awareness raising and research and development initiatives;
Amendment 159 #
Proposal for a directive Recital 47 (47) The supply chain risk assessments, in light of the features of the sector concerned, should take into account both technical and, where relevant, non-technical factors including those defined in Recommendation (EU) 2019/534, in the EU wide coordinated risk assessment of 5G networks security and in the EU Toolbox on 5G cybersecurity agreed by the Cooperation Group.
Amendment 160 #
Proposal for a directive Article 5 – paragraph 2 – point f (f) a policy on supporting academic and research institutions to develop cybersecurity tools and secure network infrastructure and promoting the coherent and synergic use of available funds;
Amendment 160 #
Proposal for a directive Recital 47 (47) The supply chain risk assessments, in light of the features of the sector concerned, should take into account both technical and, where relevant, non-technical factors including those defined in Recommendation (EU) 2019/534, in the EU wide coordinated risk assessment of 5G networks security and in the EU Toolbox on 5G cybersecurity agreed by the Cooperation Group. To identify the supply chains that should be subject to a coordinated risk assessment, the following criteria should be taken into account: (i) the extent to which essential and important entities use and rely on specific critical ICT services, systems or products; (ii) the relevance of specific critical ICT services, systems or products for performing critical
Amendment 161 #
Proposal for a directive Article 5 – paragraph 2 – point h (h) a policy addressing specific needs of SMEs in fulfilling the provisions laid down by this Directive, in particular those excluded from the scope of this Directive, in relation to guidance and support in improving their resilience to cybersecurity threats
Amendment 161 #
Proposal for a directive Recital 48 (48) In order to streamline the legal obligations imposed on providers of public electronic communications networks or publicly available electronic communications services, and trust service providers related to the security of their network and information systems, as well as to enable those entities and their respective competent authorities to benefit from the legal framework established by this Directive (including designation of CSIRT responsible for risk and incident handling, participation of competent authorities and bodies in the work of the Cooperation Group and the CSIRT network), they should be included in the scope of application of this Directive. The
Amendment 162 #
Proposal for a directive Article 5 – paragraph 2 – point h (h) a policy promoting cybersecurity and addressing the specific needs of SMEs, in particular those excluded from the scope of this Directive, in relation to guidance and support in improving their resilience to cybersecurity threats
Amendment 162 #
Proposal for a directive Recital 48 (48) In order to streamline the legal obligations imposed on providers of public electronic communications networks or publicly available electronic communications services, and trust service providers related to the security of their network and information systems, as well as to enable those entities and their respective competent authorities to benefit from the legal framework established by this Directive (including designation of CSIRT responsible for risk and incident handling, participation of competent authorities and bodies in the work of the Cooperation Group and the CSIRT network), they should be included in the scope of application of this Directive. The corresponding provisions laid down in Regulation (EU) No 910/2014 of the European Parliament and of the Council22 and Directive (EU) 2018/1972 of the European Parliament and of the Council23 related to the imposition of security and notification requirement on these types of entities should
Amendment 163 #
Proposal for a directive Article 5 – paragraph 2 – point h (h) a policy addressing specific needs of SMEs, in particular those excluded from the scope of this Directive, in relation to guidance and support in improving their resilience to cybersecurity threats
Amendment 163 #
Proposal for a directive Recital 48 a (new) (48a) The national regulatory authorities or other competent authorities responsible for public electronic communications networks or of publicly available electronic communications services pursuant to Directive (EU) 2018/1972 should be informed of significant incidents, cyber threats and near misses notified by providers of public electronic communications networks or publicly available electronic communications services and the measures taken in response to those risks and incidents.
Amendment 164 #
Proposal for a directive Article 5 – paragraph 2 – point h – point i (new) (i) this policy shall include the establishment of a national single point of contact for SMEs and a framework for the most efficient use of Digital Innovation Hubs and available funds in the achievement of policy objectives;
Amendment 164 #
Proposal for a directive Recital 50 (50) Given the growing importance of
Amendment 165 #
Proposal for a directive Article 5 – paragraph 2 – point h a (new) (ha) a policy to combat online identity theft of its citizens, a policy to protect its citizens from phishing, in particular elderly and low-literate citizens;
Amendment 165 #
Proposal for a directive Recital 50 (50) Given the growing importance of number-independent interpersonal communications services, it is necessary to ensure that such services are also subject to appropriate security requirements or used as means for meeting the requirements for risk management set under Article 18, in view of their specific nature, technological pervasiveness and economic importance. Providers of such services should thus also ensure a level of security of network and information systems appropriate to the risk posed. Given that providers of number-independent interpersonal communications services normally do not exercise actual control over the transmission of signals over networks, the degree of risk for such services can be considered in some respects to be lower than for traditional electronic communications services. The same applies to interpersonal communications services which make use of numbers and which do not exercise actual control over signal transmission.
Amendment 166 #
Proposal for a directive Article 5 – paragraph 2 – point h a (new) (ha) a policy to raise awareness and increase education about cybersecurity threats among consumers in the EU;
Amendment 166 #
Proposal for a directive Recital 50 (50) Given the growing importance of number-independent interpersonal communications services, it is necessary to ensure that such services are also subject to appropriate security requirements in view of their specific nature and economic
Amendment 167 #
Proposal for a directive Article 5 – paragraph 2 – point h b (new) (hb) a policy providing protection to consumers from the exploitation of vulnerabilities of the 'internet of things' or other network and information systems;
Amendment 167 #
Proposal for a directive Recital 51 (51) The internal market is more reliant on the functioning of the internet than ever before. The services of virtually all essential and important entities are dependent on services provided over the internet. The competent authorities should thus ensure that the integrity and availability of public electronic communications networks are maintained. In order to ensure the smooth provision of services provided by essential and important entities, it is important that all public electronic communications networks, such as, for example, internet backbones or submarine communications cables, have appropriate cybersecurity measures in place and report significant incidents in relation thereto.
Amendment 168 #
Proposal for a directive Article 5 – paragraph 2 a (new) 2a. Member States shall ensure that a regulatory framework is built to guarantee that connected products and associated services including supply chains are secure-by-design, resilient to cyber incidents, and quickly patched when vulnerabilities are discovered. Member States shall introduce cybersecurity requirements for applications, software, embedded software and operating systems;
Amendment 168 #
Proposal for a directive Recital 51 (51) The internal market is more reliant on the functioning of the internet than ever before. The services of virtually all essential and important entities are dependent on services provided over the internet. In order to ensure the smooth provision of services provided by essential and important entities, it is important that public electronic communications networks, such as, for example, internet backbones or submarine communications cables, have appropriate cybersecurity measures in place and report security incidents
Amendment 169 #
Proposal for a directive Article 5 – paragraph 4 – subparagraph 1 a (new) Key performance indicators shall be chosen taking into account recommendations from ENISA and, whenever possible, shall be comparable at the Union level;
Amendment 169 #
Proposal for a directive Recital 53 (53)
Amendment 170 #
Proposal for a directive Article 6 – title Coordinated vulnerability disclosure
Amendment 170 #
Proposal for a directive Recital 53 (53) In particular, providers of public electronic communications networks or publicly available electronic communications services, should inform the service recipients of particular and significant cyber threats and of measures they can take to protect the security of their communications, for instance by using specific types of software or
Amendment 171 #
Proposal for a directive Article 6 – title Coordinated vulnerability disclosure and a European vulnerability
Amendment 171 #
Proposal for a directive Recital 54 (54) In order to safeguard the security of electronic communications networks and services, the use of encryption, and in particular end-to-end encryption, should be promoted and
Amendment 172 #
Proposal for a directive Article 6 – paragraph 1 1. Each Member State shall designate one of its CSIRTs as referred to in Article 9 as a coordinator for the purpose of coordinated vulnerability disclosure. The process of coordinated vulnerability disclosure shall be coherent with internationally recognised standards on vulnerability handling and disclosure. The designated CSIRT shall act as a trusted intermediary, facilitating, where necessary, the interaction between the reporting entity and the manufacturer or provider of ICT products or ICT services. Where the reported vulnerability concerns multiple manufacturers or providers of ICT products or ICT services across the Union, the designated CSIRT of each Member State concerned shall cooperate with the CSIRT
Amendment 172 #
Proposal for a directive Recital 54 (54) In order to safeguard the security of electronic communications networks and services, the use of
Amendment 173 #
Proposal for a directive Article 6 – paragraph 2 2.
Amendment 173 #
Proposal for a directive Recital 54 (54) In order to safeguard the security of electronic communications networks and services, the use of encryption, and in particular end-to-end encryption, should be promoted and, where necessary, should be mandatory for providers of such services and networks in accordance with the principles of security and privacy by default and by design for the purposes of Article 18. The use of end-to-end encryption should be reconciled with the Member States’ powers to ensure the protection of their essential security interests and public security, and to permit the investigation, detection and prosecution of criminal offences in compliance with Union law.
Amendment 174 #
Proposal for a directive Article 6 – paragraph 2 2. ENISA shall develop and maintain a European vulnerability registry. To that end, ENISA shall establish and maintain the appropriate information systems, policies and procedures, as well as the necessary technical and organisational measures for the security of the registry, with a view in particular to enabling important and essential entities and their suppliers of network and information systems to disclose and register vulnerabilities present in ICT products or ICT services, as well as to provide access to the information on vulnerabilities contained in the registry to all interested parties. ENISA shall clarify the terms of work and use of registry, including procedures for reporting, use and storage of the vulnerability information. The registry shall, in particular, include information describing the vulnerability, the affected ICT product or ICT services and the severity of the vulnerability in terms of the circumstances under which it may be exploited, the availability of related patches and, in the absence of available patches, guidance addressed to users of vulnerable products and services as to how the risks resulting from disclosed vulnerabilities may be mitigated.
Amendment 174 #
Proposal for a directive Recital 54 (54) In order to safeguard the security of electronic communications networks and services, the use of encryption, and in particular end-to-end encryption,
Amendment 175 #
Proposal for a directive Article 6 – paragraph 2 2. ENISA shall develop and maintain a European vulnerability
Amendment 175 #
Proposal for a directive Recital 54 a (new) (54a) Any measures aimed at weakening encryption or circumventing the technology’s architecture may incur significant risks to the effective protection capabilities it entails, thus inevitably compromising the protection of personal data and privacy, resulting in an overall loss of trust in security controls. Any unauthorised decryption, reverse engineering of encryption code, or monitoring of electronic communications outside clear legal authorities should be prohibited to ensure the effectiveness of the technology and its wider use. The cases where encryption can be used to mitigate risks related to non-compliant data transfers as presented in EDPB Recommendations 01/2020 may enable stronger encryption, whether in transit or at rest, for providers of such services and networks for the purposes of Article 18.
Amendment 176 #
Proposal for a directive Article 6 – paragraph 2 2. ENISA shall develop and maintain
Amendment 176 #
Proposal for a directive Recital 54 a (new) (54a) An incident should be typically considered significant by the competent authorities or the CSIRT if the incident has caused substantial operational disruption or financial losses for the entity concerned and the incident has affected other natural or legal persons by causing considerable material or non- material losses.
Amendment 177 #
Proposal for a directive Article 7 – paragraph 1 1. Each Member State shall designate one or more competent authorities responsible for the management of large-scale incidents and crises. Where a Member State designates more than one competent authority, it should clearly indicate which of these competent authorities would serve as the main point of contact during a large-scale incident or crisis. Member States shall ensure that competent authorities have adequate resources to perform, in an effective and efficient manner, the tasks
Amendment 177 #
Proposal for a directive Recital 55 (55) This Directive lays down a t
Amendment 178 #
Proposal for a directive Article 7 – paragraph 1 a (new) 1a. Where a Member State designates more than one competent authority referred to in paragraph 1, it shall clearly indicate which of these competent authorities will serve as the main point of contact during a large-scale incident or crisis.
Amendment 178 #
Proposal for a directive Recital 55 (55) This Directive lays down a two-stage approach to incident reporting in order to strike the right balance between, on the one hand, swift reporting that helps mitigate the potential spread of incidents and allows entities to seek support, and, on the other hand, in-depth reporting that draws valuable lessons from individual incidents and improves over time the resilience to cyber threats of individual companies and entire sectors. In this regard, the Directive should also include reporting of incidents that, based on an initial assessment performed by the entity, may be assumed to lead to substantial operational disruption or financial losses or affect other natural or legal persons by causing considerable material or non-material losses. The initial assessment should take into account, amongst others, the affected network and information systems and in particular their importance in the provision of the entity’s services, the severity and technical characteristics of the cyber threat, and any underlying vulnerabilities that are being exploited as well as the entity’s experience with similar incidents. Where entities become aware of an incident, they should be required to submit an initial
Amendment 179 #
Proposal for a directive Article 7 – paragraph 3 – point f a (new) (fa) coordination with authorities responsible for cyber intelligence and cyber defence
Amendment 179 #
Proposal for a directive Recital 55 (55) This Directive lays down a two-stage approach to incident reporting in order to strike the right balance between, on the one hand, swift reporting that helps mitigate the potential spread of incidents and allows entities to seek support, and, on the other hand, in-depth reporting that draws valuable lessons from individual incidents and improves over time the resilience to cyber threats of individual companies and entire sectors. Where entities become aware of a significant incident, they should be required to submit an initial notification with
Amendment 180 #
Proposal for a directive Article 9 – paragraph 5
Amendment 180 #
Proposal for a directive Recital 59 (59) Maintaining accurate and complete databases of domain names and registration data (so called ‘WHOIS data’) and providing lawful access to
Amendment 181 #
Proposal for a directive Article 10 – paragraph 2 – point a a (new) (aa) protecting all data, including from unauthorised exfiltration and network logging using all necessary safeguards and to set parameters and standards for transparency when sharing information and/or data;
Amendment 181 #
Proposal for a directive Recital 59 (59) Maintaining accurate, verified and complete databases of domain names and registration data (so called
Amendment 182 #
Proposal for a directive Article 10 – paragraph 2 – point c (c) responding to incidents
Amendment 182 #
Proposal for a directive Recital 60 (60) The availability and timely accessibility of
Amendment 183 #
Proposal for a directive Article 10 – paragraph 2 – point d (d) providing dynamic risk and incident analysis and situational awareness regarding cybersecurity, namely through the analysis of early warnings and notifications as referred to in Article 20;
Amendment 183 #
Proposal for a directive Recital 60 (60) The availability and timely accessibility of the
Amendment 184 #
Proposal for a directive Article 10 – paragraph 2 – point e (e) providing, upon a specific request of an entity,
Amendment 184 #
Proposal for a directive Recital 61 (61) In order to ensure the availability of accurate and complete domain name registration data, TLD registries and the entities providing domain name registration services for the TLD (so-called
Amendment 185 #
Proposal for a directive Article 10 – paragraph 2 – point f (f) actively participating in the CSIRTs network and providing mutual assistance to other members of the network upon their request.
Amendment 185 #
Proposal for a directive Recital 61 (61) In order to ensure the availability of accurate and complete domain name registration data, TLD registries and the entities providing domain name registration services for the TLD (so-called registrars) should collect and guarantee the integrity and availability of domain names registration data. In particular, TLD registries and
Amendment 186 #
Proposal for a directive Article 10 – paragraph 2 – point f a (new) (fa) providing practical and operational guidance to essential and important entities in cybersecurity response and prevention activities, including in particular dedicated technical support to SMEs;
Amendment 186 #
Proposal for a directive Recital 62
Amendment 187 #
Proposal for a directive Article 10 – paragraph 2 – point f a (new) (fa) participating in joint cybersecurity exercises at Union level;
Amendment 187 #
Proposal for a directive Recital 62 (62) TLD registries and
Amendment 188 #
Proposal for a directive Article 11 – paragraph 2 2. Member States shall ensure that either their competent authorities or their CSIRTs receive notifications on incidents, and significant cyber threats and near misses submitted pursuant to this Directive. Where a Member State decides that its CSIRTs shall not receive those notifications, the CSIRTs shall, to the extent necessary to effectively carry out their tasks, be granted adequate access to data on incidents notified by the essential or important entities, pursuant to Article 20.
Amendment 188 #
Proposal for a directive Recital 63 (63) All essential and important entities under this Directive should fall under the jurisdiction of the Member State where they provide their services or carry out their activities. If the entity provides services in more than one Member State, it should fall under the separate and concurrent jurisdiction of each of these Member States. The competent
Amendment 189 #
Proposal for a directive Article 11 – paragraph 4 4. To the extent necessary to effectively carry out the tasks and obligations laid down in this Directive, Member States shall ensure appropriate cooperation between the competent authorities and single points of contact and law enforcement authorities, data protection authorities, and the authorities responsible for critical infrastructure
Amendment 189 #
Proposal for a directive Recital 64 (64) In order to take account of the cross-border nature of the services and operations of DNS service providers, TLD name registries, content delivery network providers, cloud computing service providers, data centre service providers
Amendment 190 #
Proposal for a directive Article 12 – paragraph 4 – point d (d) exchanging advice and cooperating with the Commission on draft Commission implementing
Amendment 190 #
Proposal for a directive Recital 65 (65) In cases where a DNS service provider, TLD name registry, content delivery network provider, cloud computing service provider, data centre service provider
Amendment 191 #
Proposal for a directive Article 12 – paragraph 4 – point f
Amendment 191 #
Proposal for a directive Recital 65 (65) In cases where a
Amendment 192 #
Proposal for a directive Article 12 – paragraph 4 – point f a (new) (fa) assessing the functioning of the peer review system and drawing up recommendations for its improvement;
Amendment 192 #
Proposal for a directive Recital 68 (68) Entities should be encouraged to collectively leverage their individual knowledge and practical experience at strategic, tactical and operational levels with a view to enhance their capabilities to adequately assess, monitor, defend against,
Amendment 193 #
Proposal for a directive Article 12 – paragraph 4 – point k a (new) (ka) supporting ENISA in organising joint training of national competent authorities at the EU level.
Amendment 193 #
Proposal for a directive Recital 69 (69) The processing of personal data,
Amendment 194 #
Proposal for a directive Article 13 – paragraph 3 – point l
Amendment 194 #
Proposal for a directive Recital 69 (69) The processing of personal data, to the extent strictly necessary and proportionate for the purposes of ensuring network and information security by entities,
Amendment 195 #
Proposal for a directive Article 13 – paragraph 4 4. For the purpose of the review referred to in Article 35 and by [24 months after the date of entry into force of this Directive], and every two years thereafter, the CSIRTs network shall assess the progress made with the operational cooperation and produce a report.
Amendment 195 #
Proposal for a directive Recital 69 (69) The processing of personal data, to the extent strictly necessary and proportionate for the purposes of ensuring network and information security by essential and important entities, public authorities, CERTs, CSIRTs, and providers of security technologies and services
Amendment 196 #
Proposal for a directive Article 14 – paragraph 3 – point a (a) increasing the level of preparedness of the management of large scale incidents and crises, including cross-border cyber threats;
Amendment 196 #
Proposal for a directive Recital 69 (69) The processing of personal data, to the extent strictly necessary and proportionate for the purposes of ensuring network and information security by entities, public authorities, CERTs, CSIRTs, and providers of security technologies and services should constitute a legitimate interest of the data controller concerned, as referred to in Regulation (EU) 2016/679. That should include measures related to the prevention, detection, identification, containment, analysis and response to incidents, measures to raise awareness in relation to specific cyber threats, exchange of information in the context of vulnerability remediation and coordinated disclosure, as well as the voluntary exchange of information on those incidents, as well as cyber threats and vulnerabilities, indicators of compromise, tactics, techniques and procedures,
Amendment 197 #
Proposal for a directive Article 15 – paragraph 1 – introductory part 1. ENISA shall issue, in cooperation with the Commission, a biennial report on the state of cybersecurity in the Union and present it to the European Parliament. The report shall in particular include an assessment of the following:
Amendment 197 #
Proposal for a directive Recital 70 (70) In order to strengthen the supervisory powers and actions that help ensure effective compliance, this Directive should provide for a minimum list of supervisory actions and means through which competent authorities may supervise essential and important entities. The supervisory regime shall, amongst other issues, verify that essential and important entities take appropriate technical and organisational measures to manage the risks posed to the security of network and information systems by implementing basic computer hygiene practices such as software updates, device configuration, network segmentation, identity and access management or user awareness and training regarding corporate email cyber threats, phishing or social engineering techniques. In addition, this Directive should establish a differentiation of supervisory regime between essential and important entities with a view to ensuring a fair balance of obligations for both entities and competent authorities. Thus, essential entities should be subject to a fully-fledged supervisory regime (ex-ante and ex-post), while important entities should be subject to a light supervisory regime, ex-post only. For the latter, this means that important entities should not document systematically compliance with cybersecurity risk management requirements, while competent authorities should implement a reactive ex-post approach to supervision and, hence, not have a general obligation to supervise those entities.
Amendment 198 #
Proposal for a directive Article 15 – paragraph 1 – point a (a) the development of cybersecurity capabilities across the Union, including the general level of skills and competences in cybersecurity in the Digital Single Market;
Amendment 198 #
Proposal for a directive Recital 71 (71) In order to make enforcement effective, a minimum list of administrative sanctions for breach of the cybersecurity risk management and reporting obligations provided by this Directive should be laid down, setting up a clear and consistent framework for such sanctions across the Union. Due regard should be given to the nature, gravity and duration of the infringement, the actual damage caused or losses incurred
Amendment 199 #
Proposal for a directive Article 15 – paragraph 1 – point b (b) the technical, financial and human resources available to competent
Amendment 199 #
Proposal for a directive Recital 71 (71) In order to make enforcement effective, a minimum list of administrative sanctions for breach of the cybersecurity risk management and reporting obligations provided by this Directive should be laid down, setting up a clear and consistent framework for such sanctions across the Union. Due regard should be given to the nature, gravity and duration of the infringement, the actual damage caused or losses incurred
Amendment 200 #
Proposal for a directive Article 15 – paragraph 1 – point c a (new) (ca) an aggregated index providing an assessment of the cybersecurity of European consumers.
Amendment 200 #
Proposal for a directive Recital 72 (72) In order to ensure effective enforcement of the obligations laid down in this Directive, each competent authority should have the power to impose or request the imposition of administrative fines if the infringement was intentional, negligent or the entity had had prior notice of the possibility of committing an infringement.
Amendment 201 #
Proposal for a directive Recital 76 (76) In order to further strengthen the effectiveness and dissuasiveness of the penalties applicable to infringements of obligations laid down pursuant to this Directive, the competent authorities should be empowered to apply sanctions consisting of
Amendment 202 #
Proposal for a directive Article 16 – paragraph 1 – introductory part 1. The Commission shall establish, after consulting the Cooperation Group and ENISA, and at the latest by 18 months following the entry into force of this Directive, the methodology and content of a peer-review system for assessing the effectiveness of the Member States’ cybersecurity policies. The reviews shall be conducted by cybersecurity technical experts drawn from ENISA and several Member States different than the one reviewed, and shall cover at least the following:
Amendment 202 #
Proposal for a directive Recital 76 (76) In order to further strengthen the effectiveness and dissuasiveness of the penalties applicable to infringements of
Amendment 203 #
Proposal for a directive Article 16 – paragraph 2 2. The methodology shall include objective, non-discriminatory, technology-neutral, fair and transparent criteria on the basis of which the Member States shall designate experts eligible to carry out the peer reviews. ENISA and the Commission shall designate experts to participate as observers in the peer-reviews. The Commission, supported by ENISA, shall establish within the methodology as referred to in paragraph 1 an objective, non-discriminatory, fair and transparent system for the selection and the random allocation of experts for each peer review.
Amendment 203 #
Proposal for a directive Recital 76 (76) In order to further strengthen the effectiveness and dissuasiveness of the penalties applicable to infringements of obligations laid down pursuant to this Directive, the competent authorities should be empowered to apply sanctions consisting of the suspension of a certification or authorisation concerning part or all the services provided by an essential entity
Amendment 204 #
Proposal for a directive Article 16 – paragraph 7 7. Experts participating in peer reviews shall draft reports on the findings and conclusions of the reviews. The reports shall be submitted to the Commission, the Cooperation Group, the CSIRTs network and ENISA. The reports shall be discussed in the Cooperation Group and the CSIRTs network.
Amendment 204 #
Proposal for a directive Recital 79
Amendment 205 #
Proposal for a directive Article 18 – paragraph 1 1. Member States shall ensure that essential and important entities shall take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which those entities use in the provision of their services and to prevent or minimise the impact of incidents on recipients of their services and on other services. Having regard to the state of the art, those measures shall ensure a level of security of network and information systems appropriate to the risk presented, and differentiate between the essential and important entities and between the sectors and subsectors with higher or lower level of criticality referred to in Annexes I and II.
Amendment 205 #
Proposal for a directive Recital 79 (79) A peer-review mechanism should be introduced, allowing the assessment by independent experts designated by the Member States, of the implementation of cybersecurity policies, including the level of Member States’ capabilities and available resources. When deciding on the methodology, the Commission, supported by ENISA, should establish an objective, non-discriminatory, technology neutral, fair and transparent system for the selection of such experts.
Amendment 206 #
Proposal for a directive Article 18 – paragraph 1 1. Member States shall ensure that essential and important entities shall take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which those entities use in the provision of their services. These measures shall be adopted following a risk-based assessment that takes the utmost account of the level of criticality of the concerned entities. Having regard to the state of the art, those measures shall ensure a level of security of network and information systems appropriate to the risk presented and shall not undermine valid security offering mechanisms already in place.
Amendment 206 #
Proposal for a directive Recital 79 (79) A peer-review mechanism should be introduced, allowing the assessment by experts designated by the Member States and ENISA of the implementation of cybersecurity policies, including the level of Member States’ capabilities and available resources, and provide an effective path for the transfer of cybersecurity-enhancing technologies, mechanisms and processes between and among competent authorities or CSIRTs.
Amendment 207 #
Proposal for a directive Article 18 – paragraph 1 1. Member States shall ensure that essential and important entities shall take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which those entities use in the provision of their services. Having regard to the state of the art, those measures shall ensure a level of security of network and information systems appropriate to the risk presented. In particular, measures shall be taken to prevent and minimise the impact of security incidents on consumers.
Amendment 207 #
Proposal for a directive Recital 80
Amendment 208 #
Proposal for a directive Article 18 – paragraph 1 1. Member States shall ensure that essential and important entities shall take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network
Amendment 208 #
Proposal for a directive Recital 80 (80) In order to take into account new cyber threats, technological developments or sectorial specificities, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission in respect of the elements in relation to risk management measures required by this Directive. The Commission should also be empowered to
Amendment 209 #
Proposal for a directive Article 18 – paragraph 2 – point d (d) measures for supply chain security risk assessment including on security-related aspects concerning the relationships between each entity and its suppliers or service providers such as providers of data storage and processing services or managed security services;
Amendment 209 #
Proposal for a directive Article 1 – paragraph 2 – point a a (new) (aa) establishes a framework for cooperation among Member States;
Amendment 210 #
Proposal for a directive Article 18 – paragraph 2 – point f (f) policies and procedures (testing and auditing) and regular cybersecurity exercises to assess the effectiveness of cybersecurity risk management measures;
Amendment 210 #
Proposal for a directive Article 1 – paragraph 2 – point b (b) lays down an obligation on Member States to introduce cybersecurity risk management and reporting obligations for entities of a type referred to as essential entities in Annex I and important entities in Annex II;
Amendment 211 #
Proposal for a directive Article 18 – paragraph 2 – point g (g) the use of cryptography and encryption where appropriate.
Amendment 211 #
Proposal for a directive Article 1 – paragraph 2 – point c (c) lays down obligations on Member States to facilitate the cybersecurity information sharing
Amendment 212 #
Proposal for a directive Article 18 – paragraph 2 – point g (g) the use of cryptography and strong encryption.
Amendment 212 #
Proposal for a directive Article 1 – paragraph 2 – point c a (new) (ca) lays down supervision and enforcement obligations on Member States.
Amendment 213 #
Proposal for a directive Article 18 – paragraph 2 – point g a (new) (ga) policies to ensure adequate education and training in cybersecurity at all levels of the organisation for essential and important entities.
Amendment 213 #
Proposal for a directive Article 2 – paragraph 1 1. This Directive applies to public and private entities of a type referred to as essential entities in Annex I and as important entities in Annex II, including ICT suppliers providing products and services for critical functions performed by essential or important entities. This Directive does not apply to entities regarded by Member States as non-critical. This Directive does not apply to entities that qualify as micro and small enterprises within the meaning of Commission Recommendation 2003/361/EC [28].
[28] Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (OJ L 124, 20.5.2003, p. 36).
Amendment 214 #
Proposal for a directive Article 18 – paragraph 2 – point g a (new) (ga) policies that ensure reproducible builds and code auditability.
Amendment 214 #
Proposal for a directive Article 2 – paragraph 1 1. This Directive applies to public and private entities of a type referred to as essential entities in Annex I and as important entities in Annex II. This Directive does not apply to entities that qualify as micro and small enterprises
Amendment 215 #
Proposal for a directive Article 18 – paragraph 2 – point g a (new) (ga) security training and awareness.
Amendment 215 #
Proposal for a directive Article 2 – paragraph 1 1. This Directive applies to public and private entities of a type referred to as essential entities in Annex I and as important entities in Annex II that provide their services or carry out their activities within the Union. This Directive does not apply to entities that qualify as micro and small enterprises within the meaning of Commission Recommendation 2003/361/EC [28].
[28] Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (OJ L 124, 20.5.2003, p. 36).
Amendment 216 #
Proposal for a directive Article 18 – paragraph 2 a (new) 2a. ENISA may facilitate, in accordance with Regulation (EU) No 526/2013 of the European Parliament and of the Council, the coordination of Member States regarding the measures referred to in paragraph 1, to avoid regulatory fragmentation that may create barriers in the internal market and present additional risks.
Amendment 216 #
Proposal for a directive Article 2 – paragraph 1 1. This Directive applies to public and private entities of a type referred to as essential entities in Annex I and as important entities in Annex II in so far as they carry out in-scope activities within the Union. This Directive does not apply to entities that qualify as micro and small enterprises within the meaning of Commission Recommendation 2003/361/EC [28].
[28] Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (OJ L 124, 20.5.2003, p. 36).
Amendment 217 #
Proposal for a directive Article 18 – paragraph 2 a (new) 2a. ENISA shall create and maintain an updated list of state of the art measures, as referred to in paragraph 1.
Amendment 217 #
Proposal for a directive Article 2 – paragraph 1 1. This Directive applies to public and private entities of a type referred to as essential entities in Annex I and as important entities in Annex II, including manufacturers and providers of ICT products. This Directive does not apply to entities that qualify as micro and small enterprises within the meaning of Commission Recommendation 2003/361/EC [28].
[28] Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (OJ L 124, 20.5.2003, p. 36).
Amendment 218 #
Proposal for a directive Article 18 – paragraph 3 3. Member States shall ensure that, where considering appropriate measures referred to in point (d) of paragraph 2, entities shall take into account the vulnerabilities specific to each supplier and service provider and the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures. For this purpose they should also favour open source cybersecurity products for both software and hardware, as well as open source implementation of open and state-of-the-art, strong cryptography standards.
Amendment 218 #
Proposal for a directive Article 2 – paragraph 1 1. This Directive applies to public and private entities of a type referred to
Amendment 219 #
Proposal for a directive Article 18 – paragraph 6
Amendment 219 #
Proposal for a directive Article 2 – paragraph 2 – introductory part 2.
Amendment 220 #
Proposal for a directive Article 18 – paragraph 6 6. The Commission, i
Amendment 220 #
Proposal for a directive Article 2 – paragraph 2 – point a – point iii
Amendment 221 #
Proposal for a directive Article 19 – paragraph 1 1. The Cooperation Group, in cooperation with the Commission and ENISA, and after having consulted the affected essential and important entities, may carry out coordinated security risk assessments of specific critical ICT services, systems or products supply chains, taking into account technical and, where
Amendment 221 #
Proposal for a directive Article 2 – paragraph 2 – point d (d) a potential disruption of the service
Amendment 222 #
Proposal for a directive Article 19 – paragraph 1 1. The Cooperation Group, in cooperation with the Commission and ENISA,
Amendment 222 #
Proposal for a directive Article 2 – paragraph 2 – point d (d) a
Amendment 223 #
Proposal for a directive Article 19 – paragraph 2 2. The Commission, after consulting with the Cooperation Group
Amendment 223 #
Proposal for a directive Article 2 – paragraph 2 – point e (e) a
Amendment 224 #
Proposal for a directive Article 19 a (new) Article 19a When the Cooperation Group includes non-technical risk factors in its supply chain risk assessments, it shall ensure that those factors are evidence-based, clearly defined and that their interpretation is aligned across the Union to the greatest extent possible. Member States shall ensure that any affected party has clear and lawful means to raise concerns, challenge and object to the final decision taken as a result of the supply chain assessments referred to in paragraph 1 of this Article.
Amendment 224 #
Proposal for a directive Article 2 – paragraph 2 – point f a (new) (fa) the entity is critical for the provision of services in insular, remote or unpopulated areas;
Amendment 225 #
Proposal for a directive Article 20 – paragraph 1 1. Member States shall ensure that essential and important entities notify, without undue delay, the competent authorities or the CSIRT in accordance with paragraphs 3 and 4 of any incident having a significant impact on the provision of their services. Where appropriate, those entities shall notify, without undue delay, the recipients of their services of incidents that are likely to adversely affect the provision of that service. Member States shall ensure that those entities report, among others, any information enabling the competent authorities or the CSIRT to determine any cross-border impact of the incident. Member States shall establish a single entry point for all notifications required under this Directive and under other Union law, such as Regulation (EU) 2016/679 and Directive 2002/58/EC. ENISA, in cooperation with the Cooperation Group shall develop common notification templates for the reporting information requested by Union law.
Amendment 225 #
Proposal for a directive Article 2 – paragraph 2 a (new) 2a. Member States shall ensure that all entities falling under the scope of this Directive comply with this Directive as important entities. Member States may decide which important entities shall be designated as essential entities, taking into account particularly whether the entities had already been identified as the operators of essential services pursuant to Article 5 of NIS Directive (2016/1148) and prioritisation of the sectors and subsectors with higher level of criticality listed in Annex I. Member States shall by [transposition deadline] establish an initial list of essential and important entities, which should comply with this Directive and review it, on a regular basis, and, where appropriate, update it. Member States shall set a deadline for initial self-notification or identification by the competent authority and compliance with this Directive for the entities falling under the scope of this Directive not exceeding [6 months after the transposition deadline]. The entities which had been already identified as the operators of essential services pursuant to Article 5 of NIS Directive (2016/1148) shall comply with this Directive by [transposition deadline]. The entities shall submit at least the following information: the name of the entity, address and up-to-date contact details, including email addresses and telephone numbers, and relevant sector(s) and subsector(s) referred to in Annexes I and II. The entities shall without undue delay notify any changes to the details they submitted, and in any event, within two weeks from the date on which the change took effect.
Amendment 226 #
Proposal for a directive Article 20 – paragraph 1 1. Member States shall ensure that essential and important entities notify, without undue delay, the competent authorities or the CSIRT in accordance with paragraphs 3 and 4 of any incident having a significant impact on the provision of their services.
Amendment 226 #
Proposal for a directive Article 2 – paragraph 2 a (new) 2a. This Directive applies only to manufacturing facilities of important and essential entities listed in Annexes I and II that are located within the Union.
Amendment 227 #
Proposal for a directive Article 20 – paragraph 1 a (new) 1a. For the purpose of simplifying reporting obligations, Member States shall establish a single entry point for all notifications required under this Directive and also under other Union law such as Regulation (EU) 2016/679 and Directive 2002/58/EC.
Amendment 227 #
Proposal for a directive Article 2 – paragraph 2 b (new) 2b. The entities referred to in Article 24(1) shall submit the self-notifications in the Member State in which they have their main establishment. Apart from information referred to in the third subparagraph of paragraph 2a of this Article, they shall notify the address of its main establishment and its other legal establishments in the Union or, if not established in the Union, of its representative designated pursuant to Article 24(3) and the Member States where the entity provides services. Where an entity referred to in paragraph 1 has besides its main establishment in the Union further establishments or provides services in other Member States, the single contact point of the main establishment shall without undue delay forward the information to the single points of contact of those Member States. Where an entity fails to notify or to provide the relevant information on Member States concerned within the deadline set out by the Member State of its main establishment, any Member State where the entity provides services shall be competent to ensure that entity’s compliance with the obligations laid down in this Directive.
Amendment 228 #
Proposal for a directive Article 20 – paragraph 1 b (new) 1b. ENISA, in cooperation with the Cooperation Group shall develop common notification templates by means of guidelines that would simplify and streamline the reporting information requested by Union law and decrease the burden for companies.
Amendment 228 #
Proposal for a directive Article 2 – paragraph 2 c (new) 2c. By [6 months after the transposition deadline] and every 12 months thereafter, Member States shall submit to the Cooperation Group and for the purpose of the review referred to in Article 35 to the Commission the information necessary to enable to assess the consistency of Member States' approaches to the identification of essential and important services. That information shall include at least the number of all essential and important entities identified for each sector and subsector referred to in Annexes I and II, including number of small and micro enterprises in each category;
Amendment 229 #
Proposal for a directive Article 20 – paragraph 2
Amendment 229 #
Proposal for a directive Article 2 – paragraph 3 a (new) 3a. Member States shall ensure that the network and information systems used by their public administration entities are subject to their national cybersecurity regulation.
Amendment 230 #
Proposal for a directive Article 20 – paragraph 2 – subparagraph 1 Member States shall ensure that essential and important entities notify, without undue delay, the competent authorities or the CSIRT of any significant cyber threat that
Amendment 230 #
Proposal for a directive Article 2 – paragraph 4 4. This Directive applies without prejudice to Council Directive 2008/114/EC [30] and Directives 2011/93/EU [31] and 2013/40/EU [32] and 2002/58/EC [1a] and Regulation (EU) 2016/679 [1b] of the European Parliament and of the Council.
[30] Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (OJ L 345, 23.12.2008, p. 75).
[31] Directive 2011/93/EU of the European Parliament and of the Council of 13 December 2011 on combating the sexual abuse and sexual exploitation of children and child pornography, and replacing Council Framework Decision 2004/68/JHA (OJ L 335, 17.12.2011, p. 1).
[32] Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on attacks against information systems and replacing Council Framework Decision 2005/222/JHA (OJ L 218, 14.8.2013, p. 8).
Amendment 231 #
Proposal for a directive Article 20 – paragraph 2 – subparagraph 1 Member States shall ensure that essential and important entities may notify, without undue delay where feasible or through periodic threat analysis reports, the competent authorities or the CSIRT of any significant cyber threat
Amendment 231 #
Proposal for a directive Article 2 – paragraph 5 a (new) 5a. As regards the processing of personal data, essential and important entities as well as competent authorities, CERTs, and CSIRTs, shall process personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security in accordance with the obligations set out in this Directive. Where the processing of personal data is required for the purpose of cybersecurity and network and information security in accordance with the provisions set out in Article 18 and Article 20 of the Directive, including the provisions set out in Article 23, that processing is considered necessary for compliance with a legal obligation in accordance with paragraph 1(c) of Article 6 of Regulation (EU) 2016/679.
Amendment 232 #
Proposal for a directive Article 20 – paragraph 3
Amendment 232 #
Proposal for a directive Article 2 – paragraph 5 a (new) 5a. To fulfil the tasks set out in this Directive, competent authorities and CSIRTs shall process personal data, including the data referred to in Article 9 of the Regulation (EU) 2016/679, and shall process information that is confidential pursuant to Union and national rules, for the purposes and to the extent strictly necessary to fulfil these tasks.
Amendment 233 #
Proposal for a directive Article 20 – paragraph 3 – point a (a) the incident has caused or
Amendment 233 #
Proposal for a directive Article 2 – paragraph 5 b (new) 5b. For the purposes of arrangements underpinning cybersecurity information-sharing and voluntary notification of information as set out in Articles 26 and 27 of this Directive, the processing of personal data constitutes a legitimate interest of the data controller concerned in accordance with paragraph 1(f) of Article 6 of Regulation (EU) 2016/679.
Amendment 234 #
Proposal for a directive Article 20 – paragraph 3 – point b (b) the incident has affected or
Amendment 234 #
Proposal for a directive Article 2 – paragraph 5 b (new) 5b. To fulfil the tasks set out in this Directive, SPOCs, the Cooperation Group, the CSIRT Network and CyCLONe shall process personal data and information that is confidential pursuant to Union and national rules, for the purposes and to the extent strictly necessary to fulfil these tasks.
Amendment 235 #
Proposal for a directive Article 20 – paragraph 3 a (new) 3a. Member States shall ensure that in order to determine the significance of the individual incident, where available, the following parameters shall, in particular, be taken into account: (a) the number of the recipients of the services affected by the incident; (b) the duration of the incident; (c) the geographical spread of the area affected by the incident; (d) the extent to which the functioning and continuity of the service is affected; (e) the extent of impact, including financial, on economic and societal activities of the entity directly concerned, of other entities or on national security.
Amendment 235 #
Proposal for a directive Article 2 – paragraph 5 c (new) 5c. As regards the processing of personal data from essential entities providing services of public electronic communications networks or publicly available electronic communications referred to in point 8 of Annex I and point (a)(i) of paragraph 2(1), such processing of personal data required for the purposes of ensuring network and information security shall be in compliance with the provisions set out in Directive 2002/58/EC.
Amendment 236 #
Proposal for a directive Article 20 – paragraph 4 – subparagraph 1 – point -a (new) (-a) an early warning within 24 hours after having become aware of an incident, without any obligations on the entity concerned to disclose additional information regarding the incident;
Amendment 236 #
Proposal for a directive Article 2 – paragraph 5 c (new) 5c. When processing the personal data referred to in Article 9 of the Regulation (EU) 2016/679, competent authorities and CSIRTs shall conduct the risk analyses, introduce proper safeguards and procedures to exchange information.
Amendment 237 #
Proposal for a directive Article 20 – paragraph 4 – subparagraph 1 – point a (a) without undue delay and in any event
Amendment 237 #
Proposal for a directive Article 2 – paragraph 6 6. Where provisions of sector–specific acts of Union law require essential or important entities either to adopt cybersecurity risk management measures or to notify incidents or significant cyber threats, and where those requirements are at least equivalent in effect to the obligations laid down in this Directive, the relevant provisions of this Directive, including the provision on supervision and enforcement laid down in Chapter VI, shall not apply. The Commission shall issue guidelines in relation to the implementation of the sector–specific acts of Union law in order to ensure that security requirements established by this Directive are met by those acts. When preparing those guidelines, the Commission shall take into account ENISA and the Cooperation Group best practices and expertise.
Amendment 238 #
Proposal for a directive Article 20 – paragraph 4 – subparagraph 1 – point a (a) without undue delay and in any event
Amendment 238 #
Proposal for a directive Article 2 – paragraph 6 6. Sector-specific acts that require essential or important entities either to adopt cybersecurity risk management measures or to notify incidents or significant cyber threats, shall, where possible, refer to the definitions in Article 4 of this Directive. Where provisions of sector–specific acts of Union law require essential or important entities either to adopt cybersecurity risk management measures or to notify incidents or significant cyber threats, and where those requirements are at least equivalent in effect to the obligations laid down in this Directive, the relevant provisions of this Directive, including the provision on supervision and enforcement laid down in Chapter VI, shall not apply.
Amendment 239 #
Proposal for a directive Article 20 – paragraph 4 – subparagraph 1 – point a (a) without undue delay
Amendment 239 #
Proposal for a directive Article 2 – paragraph 6 6. Where provisions of sector–specific acts of Union law require essential or important entities either to adopt cybersecurity risk management measures or to notify incidents or significant cyber threats, and where those requirements are at least equivalent in effect to the obligations laid down in this Directive, including with regards to the competence and obligations of the supervisory authority, the relevant provisions of this Directive, including the provision on supervision and enforcement laid down in Chapter VI, shall not apply.
Amendment 240 #
Proposal for a directive Article 20 – paragraph 4 – subparagraph 1 – point c – introductory part (c) a
Amendment 240 #
Proposal for a directive Article 2 – paragraph 6 6. Where provisions of sector–specific acts of Union law require essential or important entities
Amendment 241 #
Proposal for a directive Article 20 – paragraph 4 – subparagraph 1 – point c – introductory part (c) a
Amendment 241 #
Proposal for a directive Article 2 – paragraph 6 a (new) 6a. Sector-specific acts of Union law referred to in paragraph 6 should at minimum include: (a) cybersecurity risk management measures as laid down in Article 18 (1) and (2); and (b) requirements to notify incidents and significant cyber threats as laid down in Article 20 (1- 4)
Amendment 242 #
Proposal for a directive Article 20 – paragraph 4 – subparagraph 1 – point c – introductory part (c) a final report not later than
Amendment 242 #
Proposal for a directive Article 4 – paragraph 1 – point 4
Amendment 243 #
Proposal for a directive Article 20 – paragraph 4 – subparagraph 1 – point c a (new) (ca) a final report should be provided one month after the incident has been mitigated
Amendment 243 #
Proposal for a directive Article 4 – paragraph 1 – point 4 a (new) (4a) ‘near miss’ means an event which could have caused harm, but was successfully prevented from fully transpiring;
Amendment 244 #
Proposal for a directive Article 20 – paragraph 4 – subparagraph 2 Member States shall provide that in duly justified cases and in agreement with the competent authorities or the CSIRT, the entity concerned can deviate from the deadlines laid down in points (a), (b) and (
Amendment 244 #
Proposal for a directive Article 4 – paragraph 1 – point 5 (5) ‘incident’ means any unwanted or unexpected event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the related services offered by, or accessible via, network and information systems;
Amendment 245 #
Proposal for a directive Article 20 – paragraph 5 5. The competent national authorities or the CSIRT shall provide, within 24 hours after receiving the initial notification referred to in point (
Amendment 245 #
Proposal for a directive Article 4 – paragraph 1 – point 5 – point i (new) (i) by way of derogation 'security incident' as defined in Article 2(41) of Directive (EU) 2018/1972 remains applicable for interpersonal electronic communications service providers.
Amendment 246 #
Proposal for a directive Article 20 – paragraph 7 7. Where public awareness is necessary to prevent an incident or to deal with an ongoing incident, or where disclosure of the incident is otherwise in the public interest, the competent authority or the CSIRT, and where appropriate the authorities or the CSIRTs of other Member States concerned
Amendment 246 #
Proposal for a directive Article 4 – paragraph 1 – point 5 a (new) (5a) ‘near miss’ means any event which could have compromised the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the related services offered by, or accessible via, network and information systems, but was successfully prevented from fully transpiring;
Amendment 247 #
Proposal for a directive Article 21 – title Use of European cybersecurity certification schemes and standardisation
Amendment 247 #
Proposal for a directive Article 4 – paragraph 1 – point 6 (6) ‘incident handling’ means all actions and procedures aiming at prevention, detection, analysis, attribution, and containment of and
Amendment 248 #
Proposal for a directive Article 21 – paragraph 1 1. In order to demonstrate compliance with certain requirements of Article 18,
Amendment 248 #
Proposal for a directive Article 4 – paragraph 1 – point 7 a (new) (7a) ‘risk’ means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of that incident;
Amendment 249 #
Proposal for a directive Article 21 – paragraph 1 1. In order to demonstrate compliance with certain requirements of Article 18, Member States
Amendment 249 #
Proposal for a directive Article 4 – paragraph 1 – point 9 (9) ‘representative’ means any natural or legal person established in the Union explicitly designated to act on behalf of i)
Amendment 250 #
Proposal for a directive Article 21 – paragraph 1 1. In order to
Amendment 250 #
Proposal for a directive Article 4 – paragraph 1 – point 13 (13) ‘domain name system (DNS)’ means a hierarchical distributed naming system which
Amendment 251 #
Proposal for a directive Article 21 – paragraph 2
Amendment 251 #
Proposal for a directive Article 4 – paragraph 1 – point 13 (13) ‘domain name system (DNS)’ means a hierarchical, distributed naming system which
Amendment 252 #
Proposal for a directive Article 21 – paragraph 2 2. The Commission shall
Amendment 252 #
Proposal for a directive Article 4 – paragraph 1 – point 14
Amendment 253 #
Proposal for a directive Article 21 – paragraph 3
Amendment 253 #
Proposal for a directive Article 4 – paragraph 1 – point 14 (14) ‘DNS service provider’ means an entity that provides
Amendment 254 #
Proposal for a directive Article 22 – paragraph 1 1. In order to promote the convergent implementation of Article 18(1) and (2), Member States shall, without imposing or discriminating in favour of the use of a particular type of technology, and according to guidance from ENISA and the Cooperation Group, encourage the use of European or internationally accepted standards and specifications relevant to the security of network and information systems.
Amendment 254 #
Proposal for a directive Article 4 – paragraph 1 – point 15
Amendment 255 #
Proposal for a directive Article 23 – title Databases infrastructure of domain names and registration data
Amendment 255 #
Proposal for a directive Article 4 – paragraph 1 – point 15 (15) ‘top–level domain name registry’ means an entity which has been delegated a specific TLD and is responsible for administering the TLD including the registration of domain names under the TLD and the technical operation of the TLD, including the operation of its name servers, the maintenance of its databases and the distribution of TLD zone files across name servers, irrespective of whether any of those operations are being performed by the entity or are outsourced;
Amendment 256 #
Proposal for a directive Article 23 – paragraph 1 1. For the purpose of contributing to the security, stability and resilience of the DNS, Member States shall ensure that TLD registries and
Amendment 256 #
Proposal for a directive Article 4 – paragraph 1 – point 15 a (new) (15a) ‘legitimate access seekers’ means any natural or legal person, including competent authorities under Union or national law for the prevention, investigation or prosecution of criminal offences, CSIRTs, CERTs, providers of electronic communications networks and services, and providers of cybersecurity technologies and services, seeking DNS data upon a justified request on the basis of Union or national law for the purposes of preventing DNS abuse, detecting and preventing crime and fraud, protecting minors, protecting intellectual property, and protecting against hate speech;
Amendment 257 #
Proposal for a directive Article 23 – paragraph 1 1. For the purpose of contributing to the security, stability and resilience of the DNS, Member States shall ensure that TLD registries and the entities providing domain name registration services for the TLD shall collect and maintain the accurate
Amendment 257 #
Proposal for a directive Article 4 – paragraph 1 – point 22 (22) ‘social networking services platform’ means a platform that enables end-users to connect, share, discover and communicate with each other via number-independent interpersonal communications services across multiple devices, and in particular, via chats, posts, videos and recommendations
Amendment 258 #
Proposal for a directive Article 23 – paragraph 1 1. For the purpose of contributing to the security, stability and resilience of the DNS, Member States shall ensure that TLD registries and
Amendment 258 #
Proposal for a directive Article 4 – paragraph 1 – point 22 a (new) (22a) ‘compromise assessment’ is an objective inspection by a qualified entity of a network and its devices to discover unknown security breaches and ongoing or past intrusions, signs of indicators of compromise, unauthorised access, malware, and to assess risks by identifying weaknesses in the security architecture, vulnerabilities, improper usage or policy violations and system security misconfigurations;
Amendment 259 #
Proposal for a directive Article 23 – paragraph 2
Amendment 259 #
Proposal for a directive Article 4 – paragraph 1 – point 23
Amendment 260 #
Proposal for a directive Article 23 – paragraph 2 2. Member States shall ensure that the database
Amendment 260 #
Proposal for a directive Article 4 – paragraph 1 – point 23 – introductory part (23) ‘public administration entity’ means an entity in a Member State that has legal personality and complies with some of the following criteria:
Amendment 261 #
Proposal for a directive Article 23 – paragraph 2 2. Member States shall ensure that the databases of domain name registration data referred to in paragraph 1 contain relevant information to identify and contact the
Amendment 261 #
Proposal for a directive Article 4 – paragraph 1 – point 23 – point b
Amendment 262 #
Proposal for a directive Article 23 – paragraph 2 2. Member States shall ensure that the databases of domain name registration data referred to in paragraph 1 contain relevant the information necessary to identify and contact the holders of the domain names
Amendment 262 #
Proposal for a directive Article 4 – paragraph 1 – point 23 a (new) (23a) ‘public electronic communications network’ means a public electronic communications network as defined in point (8) of Article 2 of Directive (EU) 2018/1972;
Amendment 263 #
Proposal for a directive Article 23 – paragraph 3
Amendment 263 #
Proposal for a directive Article 4 – paragraph 1 – point 23 b (new) (23b) ‘electronic communications service’ means an electronic communications service as defined in point (4) of Article 2 of Directive (EU) 2018/1972;
Amendment 264 #
Proposal for a directive Article 23 – paragraph 3 3. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD have policies and procedures in place to ensure that the databases infrastructure includes accurate, verified and complete information, and that inaccurate or incomplete data should be corrected or erased by the registrant without delay. Member States shall ensure that such policies and procedures are made publicly available.
Amendment 264 #
Proposal for a directive Article 4 – paragraph 1 – point 23 c (new) (23c) ‘number-based interpersonal communications service’ means a number-based interpersonal communications service as defined in point (6) of Article 2 of Directive (EU) 2018/1972;
Amendment 265 #
Proposal for a directive Article 23 – paragraph 3 3. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD have policies and procedures in place to ensure that the databases include accurate
Amendment 265 #
Proposal for a directive Article 4 – paragraph 1 – point 23 d (new) (23d) ‘number-independent interpersonal communications service’ means a number-independent interpersonal communications service as defined in point (7) of Article 2 of Directive (EU) 2018/1972;
Amendment 266 #
Proposal for a directive Article 23 – paragraph 3 3. Member States shall ensure that
Amendment 266 #
Proposal for a directive Article 4 – paragraph 1 – point 25 (25) ‘essential entity’ means any entity of a type referred to in Annex I and II, designated by the Member State as an essential entity
Amendment 267 #
Proposal for a directive Article 23 – paragraph 4
Amendment 267 #
Proposal for a directive Article 4 – paragraph 1 – point 26 (26) ‘important entity’ means any entity of a type referred to
Amendment 268 #
Proposal for a directive Article 23 – paragraph 4 4. Member States shall ensure that the TLD registries and the entities providing domain name registration services
Amendment 268 #
Proposal for a directive Article 4 – paragraph 1 – point 26 a (new) (26a) ‘non-critical entity’ means any entity of a type referred to in Annex I and Annex II which, regardless of its size and resources, has no critical function within a specific sector or type of service and is not highly dependent on other sectors or types of service;
Amendment 269 #
Proposal for a directive Article 23 – paragraph 5 5. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD provide access to specific domain name registration data upon lawful and duly justified requests of legitimate access seekers, in compliance with Union data protection law. Legitimate access seekers may include natural or legal persons making a duly justified request to access the DNS data under Union or national law, and they may include competent authorities under Union or national law, CERTs, CSIRTs, and as regards the data of their clients – providers of electronic communications networks and services and providers of cybersecurity technologies and services and cybersecurity researchers. Such duly justified requests shall include requests made to prevent DNS abuse. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD
Amendment 269 #
Proposal for a directive Article 4 – paragraph 1 – point 26 a (new) (26a) 'service' means any activity referred to in Annexes I and II provided for essential, important or other public or private entities or consumers, including provision of electronic communication networks and manufacture;
Amendment 270 #
Proposal for a directive Article 23 – paragraph 5 5. Member States shall ensure that the TLD registries
Amendment 270 #
Proposal for a directive Article 4 – paragraph 1 – point 26 b (new) (26b) ‘critical function’ means a network and information system function of an essential or important entity in connection with which disruption to availability, integrity, authenticity and confidentiality will result in a significant failure or deterioration of the functionality of the services provided by the critical or important entity concerned;
Amendment 271 #
Proposal for a directive Article 23 – paragraph 5 5. Member States shall ensure that
Amendment 271 #
Proposal for a directive Article 5 – paragraph 1 – introductory part 1. Each Member State shall adopt a national cybersecurity strategy defining the strategic objectives and appropriate policy and regulatory measures, with a view to achieving and maintaining a high level of cybersecurity and taking into account each sector’s specificities in terms of cyber risk management and resilience. The national cybersecurity strategy shall include, in particular, the following:
Amendment 272 #
Proposal for a directive Article 24 – paragraph 2 2. For the purposes of this Directive, entities referred to in paragraph 1 shall be deemed to have their main establishment in the Union in the Member State where the decisions related to the cybersecurity risk management measures are taken. If such decisions are not taken in any
Amendment 272 #
Proposal for a directive Article 5 – paragraph 1 – introductory part 1. Each Member State shall adopt a national cybersecurity strategy defining the strategic objectives
Amendment 273 #
Proposal for a directive Article 25
Amendment 273 #
Proposal for a directive Article 5 – paragraph 1 – introductory part 1. Each Member State shall adopt a national cybersecurity strategy, a coherent framework defining the strategic objectives and appropriate policy and regulatory measures, with a view to achieving and maintaining a high level of
Amendment 274 #
Proposal for a directive Article 25 – paragraph 1 – introductory part 1. ENISA shall create and maintain a registry for essential and important entities referred to in Article 24(1).
Amendment 274 #
Proposal for a directive Article 5 – paragraph 1 – introductory part 1. Each Member State shall adopt a national cybersecurity strategy defining the strategic objectives and appropriate policy and regulatory measures, with a view to achieving and maintaining a high level of cybersecurity, and strengthening the Union’s strategic autonomy. The national cybersecurity strategy shall include, in particular, the following:
Amendment 275 #
Proposal for a directive Article 25 – paragraph 2 2. The entities referred to in paragraph 1 shall notify
Amendment 275 #
Proposal for a directive Article 5 – paragraph 1 – point a (a) a definition of objectives and priorities of the Member States’ strategy on cybersecurity for each sector covered by this Directive;
Amendment 276 #
Proposal for a directive Article 25 – paragraph 3 3. Upon receipt of the information under paragraph 1,
Amendment 276 #
Proposal for a directive Article 5 – paragraph 1 – point b (b) a governance framework to achieve those objectives and priorities, including the policies referred to in paragraph 2 and the roles and responsibilities of public bodies and entities as well as other relevant actors, in particular those with responsibility for specific support for SMEs. The governance framework shall clearly lay down the organisational arrangements for cooperation and coordination between the national competent authorities designated under this Directive, taking account of their specific national circumstances;
Amendment 277 #
Proposal for a directive Article 26 – paragraph 2 2. Member States shall ensure that the exchange of information takes place within trusted communities of essential and important entities. Such exchange shall be implemented through information sharing arrangements in respect of the potentially sensitive nature of the information shared and in compliance with the rules of Union law referred to in paragraph 1. Any such information shared shall be subject to Freedom of information requests by the public.
Amendment 277 #
Proposal for a directive Article 5 – paragraph 1 – point b (b) a governance framework to achieve those objectives and priorities, including the policies referred to in paragraph 2, and an appropriate framework defining the roles and responsibilities of public bodies and entities as well as other relevant actors, underpinning the cooperation and coordination, at the national level, between the competent authorities designated under Articles 7(1) and 8(1), the single point of contact designated under Article 8(3), and the CSIRTs designated under Article 9;
Amendment 278 #
Proposal for a directive Article 26 – paragraph 3 3. Member States shall set out
Amendment 278 #
Proposal for a directive Article 5 – paragraph 1 – point b (b) a governance framework to achieve those objectives and priorities, including the policies referred to in paragraph 2
Amendment 279 #
Proposal for a directive Article 26 – paragraph 5 5. In compliance with Union law, ENISA shall support the establishment of cybersecurity information-sharing arrangements referred to in paragraph 2 by providing best practices and guidance; as well as by facilitating information-sharing at Union level, with the aim of promoting the cross-border exchange of information between relevant trusted communities of essential and important entities as referred to in the second paragraph, taking into account Union law and safeguarding business-sensitive information.
Amendment 279 #
Proposal for a directive Article 5 – paragraph 1 – point b a (new) (ba) a framework for allocating the roles and responsibilities of public bodies and entities as well as other relevant actors, including the organisation of the cooperation at the national level, between the competent authorities designated under Article 7(1) and Article 8(1), the single point of contact designated under Article 8(3), and CSIRTs designated under Article 9;
Amendment 280 #
Proposal for a directive Article 26 – paragraph 5 5. In compliance with Union law, ENISA shall support the establishment of cybersecurity information-sharing arrangements referred to in paragraph 2 by
Amendment 280 #
Proposal for a directive Article 5 – paragraph 1 – point d a (new) (da) an assessment of the general level of cybersecurity awareness amongst citizens as well as on the general level of security of consumer connected devices;
Amendment 281 #
Proposal for a directive Article 27 – paragraph 1 Member States shall ensure that, without prejudice to Article 3, entities falling outside the scope of this Directive may submit notifications, on a voluntary basis, of significant incidents, cyber threats or near misses. When processing notifications, Member States shall act in accordance with the procedure laid down in Article 20. Member States
Amendment 281 #
Proposal for a directive Article 5 – paragraph 1 – point e (e) a list of the various authorities and actors involved in the implementation of the national cybersecurity strategy, taking steps to establish a single cybersecurity point of contact for SMEs in order to support them in implementing specific cybersecurity measures;
Amendment 282 #
Proposal for a directive Article 27 – paragraph 1 Member States shall ensure that, without prejudice to Article 3, entities within the scope and falling
Amendment 282 #
Proposal for a directive Article 5 – paragraph 1 – point e (e) a list of the various authorities and actors involved in the implementation of the national cybersecurity strategy, including trade unions and others focused on workers’ protection;
Amendment 283 #
Proposal for a directive Article 28 – paragraph 1 1. Member States shall ensure that competent authorities effectively monitor and take the measures necessary to ensure compliance with this Directive, in particular the obligations laid down in Articles 18 and 20, and are provided with the adequate means to perform their function.
Amendment 283 #
Proposal for a directive Article 5 – paragraph 2 – introductory part 2.
Amendment 284 #
Proposal for a directive Article 28 – paragraph 2 2. Competent authorities shall work in close cooperation with data protection authorities when addressing incidents resulting in personal data breaches without prejudice to the competences, tasks, and powers of data protection authorities pursuant to Regulation (EU) 2016/679.
Amendment 284 #
Proposal for a directive Article 5 – paragraph 2 – point a a (new) (aa) guidelines addressing cybersecurity in the supply chain for ICT products and services used by entities outside the scope of this Directive, and in particular supply chain challenges faced by SMEs;
Amendment 285 #
Proposal for a directive Article 28 – paragraph 2 2. Competent authorities shall work in close cooperation with data protection authorities when addressing incidents resulting in personal data breaches, including data protection authorities from other Member States whenever relevant.
Amendment 285 #
Proposal for a directive Article 5 – paragraph 2 – point b (b) guidelines regarding the inclusion and specification of cybersecurity-related requirements for ICT products and services in public procurement, including but not limited to encryption requirements and the promotion of the use of open source cybersecurity products;
Amendment 286 #
Proposal for a directive Article 29 – paragraph 2 – point c (c)
Amendment 286 #
Proposal for a directive Article 5 – paragraph 2 – point d a (new) (da) a policy related to sustaining the use of open data and open source as part of security through transparency;
Amendment 287 #
Proposal for a directive Article 29 – paragraph 3 3. Where exercising their powers under points (e) to (g) of paragraph 2, the competent authorities shall state the purpose of the request
Amendment 287 #
Proposal for a directive Article 5 – paragraph 2 – point d a (new) (da) a policy on promoting the integration of open-source tools and applications;
Amendment 288 #
Proposal for a directive Article 29 – paragraph 5 – subparagraph 1 – point b
Amendment 288 #
Proposal for a directive Article 5 – paragraph 2 – point d b (new) (db) a policy to promote and support the development and integration of AI and other emerging technologies in cybersecurity-enhancing tools and applications;
Amendment 289 #
Proposal for a directive Article 29 – paragraph 6 6. Member States shall ensure that any natural person responsible for or acting as a representative of an essential entity on the basis of the power to represent it, the authority to take decisions on its behalf or the authority to exercise control of it has the powers to ensure its compliance with the obligations laid down in this Directive.
Amendment 289 #
Proposal for a directive Article 5 – paragraph 2 – point e (e) a policy on promoting and developing cybersecurity skills, awareness raising and research and development initiatives, including targeted policies addressing issues relating to gender representation and balance in the aforementioned areas;
Amendment 290 #
Proposal for a directive Article 30 – paragraph 2 – point b (b)
Amendment 290 #
Proposal for a directive Article 5 – paragraph 2 – point e a (new) (ea) a policy to promote cyber hygiene programmes comprising a baseline set of practices and controls;
Amendment 291 #
Proposal for a directive Article 30 – paragraph 3 3. Where exercising their powers pursuant to points (d) or (e) of paragraph 2, the competent authorities shall state the purpose of the request
Amendment 291 #
Proposal for a directive Article 5 – paragraph 2 – point f (f) a policy on supporting education establishments, in particular academic and research institutions to develop and deploy cybersecurity tools and secure network infrastructure;
Amendment 292 #
Proposal for a directive Article 31 – paragraph 4 4. Member States shall ensure that infringements of the obligations laid down in Article 18 or Article 20 shall, in accordance with paragraphs 2 and 3 of this Article, be subject to administrative fines of a maximum of
Amendment 292 #
Proposal for a directive Article 5 – paragraph 2 – point f (f) a policy on supporting academic and research institutions to develop and enhance cybersecurity tools and secure network infrastructure;
Amendment 293 #
Proposal for a directive Article 31 – paragraph 6
Amendment 293 #
Proposal for a directive Article 5 – paragraph 2 – point f a (new) (fa) a policy, including relevant procedures and governance frameworks, to support and promote the establishment of cybersecurity PPPs;
Amendment 294 #
Proposal for a directive Article 32 – paragraph 1 1. Where the competent authorities have indications that the infringement by an essential or important entity of the obligations laid down in Articles 18 and 20 entails a personal data breach, as defined by Article 4(12) of Regulation (EU) 2016/679 which shall be notified pursuant to Article 33 of that Regulation, they shall inform the supervisory authorities competent pursuant to Articles 55 and 56 of that Regulation with
Amendment 294 #
Proposal for a directive Article 5 – paragraph 2 – point h (h) a policy promoting cybersecurity and addressing specific needs of SMEs, in particular those excluded from the scope of this Directive, in
Amendment 295 #
Proposal for a directive Article 32 – paragraph 1 1. Where the competent authorities have indications that the infringement by an essential or important entity of the obligations laid down in Articles 18 and 20 entails a personal data breach, as defined by Article 4(12) of Regulation (EU) 2016/679 which shall be notified pursuant to Article 33 of that Regulation, they shall inform the supervisory authorities competent pursuant to Articles 55 and 56 of that Regulation within
Amendment 295 #
Proposal for a directive Article 5 – paragraph 2 – point h a (new) (ha) a policy for cyber hygiene, and protection and training of workers against these new labour risks and threats.
Amendment 296 #
Proposal for a directive Article 32 – paragraph 3 3. Where the supervisory authority competent pursuant to Regulation (EU) 2016/679 is established in another Member State than the competent authority, the competent authority
Amendment 296 #
Proposal for a directive Article 5 – paragraph 2 – point h a (new) (ha) a policy raising awareness for cybersecurity threats and best practices among the general population.
Amendment 297 #
Proposal for a directive Article 32 – paragraph 3 3. Where the supervisory authority competent pursuant to Regulation (EU) 2016/679 is established in another Member State than the competent authority, the competent authority
Amendment 297 #
Proposal for a directive Article 5 – paragraph 2 – point h b (new) (hb) a policy for addressing awareness and security of consumers of digital services.
Amendment 298 #
Proposal for a directive Article 36
Amendment 298 #
Proposal for a directive Article 5 – paragraph 2 – point h c (new) (hc) an evaluation of the proper harmonisation between this Directive and the General Data Protection Regulation.
Amendment 299 #
Proposal for a directive Annex I – subheading 1
Amendment 299 #
Proposal for a directive Article 5 – paragraph 2 a (new) 2a. A policy to help authorities build awareness and understanding of the security considerations needed to design, build, and manage connected places.
Amendment 300 #
Proposal for a directive Annex II – subheading 1
Amendment 300 #
Proposal for a directive Article 5 – paragraph 2 b (new) 2b. A policy specifically addressing the ransomware threat and disrupting the ransomware business model.
Amendment 301 #
3. Member States shall notify their national cybersecurity strategies to the Commission within three months from their adoption. Member States may exclude specific information from the notification where and to the extent that it is
Amendment 302 #
Proposal for a directive Article 5 – paragraph 4 4. Member States shall assess their national cybersecurity strategies at least every four years on the basis of key performance indicators and, where necessary, amend them. The European Union Agency for Cybersecurity (ENISA) shall assist Member States, upon request, in the development of a national strategy and of key performance indicators for the assessment of the strategy. ENISA shall provide guidance to Member States in order to align their already formulated national cybersecurity strategies with the requirements and obligations set out in this Directive.
Amendment 303 #
Proposal for a directive Article 5 – paragraph 4 4. Member States shall assess their national cybersecurity strategies at least every four years on the basis of key performance indicators and, where necessary, amend them. The European Union Agency for Cybersecurity (ENISA)
Amendment 304 #
Proposal for a directive Article 5 – paragraph 4 a (new) 4a. While implementing this Directive, Member States shall enforce EU guidance in order to ensure harmonisation at EU level, also by defining a homogeneous set of cybersecurity rules for new players that could enter the European market;
Amendment 305 #
Proposal for a directive Article 6 – title Coordinated vulnerability disclosure and a European vulnerability
Amendment 306 #
Proposal for a directive Article 6 – paragraph 1 1.
Amendment 307 #
Proposal for a directive Article 6 – paragraph 2
Amendment 308 #
Proposal for a directive Article 6 – paragraph 2 2. ENISA shall develop and maintain a European vulnerability registry. To that end, ENISA shall establish and maintain the appropriate information systems, policies and procedures with a view in particular to enabling important and essential entities and their suppliers of network and information systems to disclose and register only those vulnerabilities present in ICT products or ICT services that have a mitigation available, as well as to provide access to the information on vulnerabilities contained in the registry to all interested parties. The registry shall, in particular, include information describing
Amendment 309 #
Proposal for a directive Article 6 – paragraph 2 2. ENISA shall develop and maintain a European vulnerability registry. To that end, ENISA shall establish and maintain the appropriate information systems, policies and procedures with a view in particular to enabling important and essential entities and their suppliers of network and information systems to disclose and register vulnerabilities present in ICT products or ICT services, as well as to provide access to the information on vulnerabilities contained in the registry to all interested parties. The registry shall, in particular, include information describing the vulnerability, the affected ICT product or ICT services and the severity of the vulnerability in terms of the circumstances under which it may be exploited, the availability of related patches and, in the absence of available patches, guidance
Amendment 310 #
Proposal for a directive Article 6 – paragraph 2 2. ENISA shall develop and maintain a European vulnerability registry. To that end, ENISA shall establish and maintain the appropriate information systems, policies and procedures with a view in particular to enabling important and essential entities and their suppliers of network and information systems to disclose and register vulnerabilities present in ICT products or ICT services, as well as to provide access to the information on vulnerabilities contained in the registry to all interested parties. The registry shall, in particular, include information describing the vulnerability, the affected ICT product or ICT services and the severity of the vulnerability in terms of the circumstances under which it may be exploited, the availability of related patches and, in the absence of available patches,
Amendment 311 #
Proposal for a directive Article 6 – paragraph 2 2. ENISA shall develop and maintain a European vulnerability registry. To that end, ENISA shall establish and maintain the appropriate information systems, policies and procedures, and the necessary technical and organisational measures to ensure the security and integrity of the registry, with a view in particular to enabling important and essential entities and their suppliers of network and information systems, as well as entities excluded from the scope of this Directive, and their suppliers, to disclose and register vulnerabilities present in ICT products or ICT services, as well as to provide access to the information on vulnerabilities contained in the registry to all interested parties, enabling all parties and in particular, the users of the ICT products or ICT services concerned to adopt appropriate mitigating measures. The registry shall, in particular, include information describing the vulnerability, the affected ICT product or ICT services and the severity of the vulnerability in terms of the circumstances under which it may be exploited, and the availability of related patches
Amendment 312 #
Proposal for a directive Article 6 – paragraph 2 2. ENISA shall develop and maintain a European vulnerability database leveraging the global Common Vulnerabilities and Exposures (CVE) registry. To that end, ENISA shall establish and maintain the appropriate information systems, policies and procedures with a view in particular to enabling important and essential entities and their suppliers of network and information systems to voluntarily disclose and register vulnerabilities present in ICT products or ICT services, as well as to provide access to the information on vulnerabilities contained in the
Amendment 313 #
Proposal for a directive Article 6 – paragraph 2 a (new) 2a. ENISA shall establish structured cooperation agreements with the Common Vulnerabilities and Exposures (CVE) registry or other similar registries.
Amendment 314 #
Proposal for a directive Article 7 – paragraph 1 a (new) 1a. Where a Member State designates more than one competent authority referred to in paragraph 1, it should clearly indicate which of these competent authorities shall serve as the main point of contact for the management of large-scale incidents and crises.
Amendment 315 #
Proposal for a directive Article 7 – paragraph 3 – introductory part
Amendment 316 #
Proposal for a directive Article 7 – paragraph 4 4. Member States shall communicate to the EU-CyCLONe and the Commission the designation of their competent authorities referred to in paragraph 1 and submit their national cybersecurity incident and crisis response plans as referred to in paragraph 3 within three months from that designation and the adoption of those plans to the EU-CyCLONe. Member States may exclude specific information from the plan where and to the extent that it is strictly necessary for their national security.
Amendment 317 #
Proposal for a directive Article 8 – paragraph 2 a (new) 2a. Member States shall ensure that the competent authorities designated pursuant to paragraph 1 cooperate with competent authorities designated pursuant to Article 8 of (CER Directive) for the purposes of information sharing on incidents and cyber threats and the exercise of supervisory tasks.
Amendment 318 #
Proposal for a directive Article 8 – paragraph 3 3. Each Member State shall designate one of the competent authorities referred to in paragraph 1 as a national single point of contact on cybersecurity (‘single point of contact’). Where a Member State designates only one competent authority, that competent authority shall also be the single point of contact for that Member State.
Amendment 319 #
Proposal for a directive Article 9 – paragraph 1 a (new) 1a. Each Member State shall designate one of its CSIRTs referred to in paragraph 1 as a coordinator for the purpose of coordinated vulnerability disclosure pursuant to Article 6(1) (‘CVD CSIRT coordinator’). Where a Member State designates only one CSIRT, that CSIRT shall also be the CVD CSIRT coordinator for that Member State.
Amendment 320 #
Proposal for a directive Article 9 – paragraph 2 2. Member States shall ensure that each CSIRT has adequate resources and the technical capabilities necessary to carry out effectively their tasks as set out in Article 10(
Amendment 321 #
Proposal for a directive Article 9 – paragraph 5
Amendment 322 #
6a. The Union may conclude international agreements, in accordance with Article 218 TFEU, with third countries or international organisations, allowing and organising their participation in some activities of the Cooperation Group, the CSIRTs Network and the European cyber crises liaison organisation network. Such agreements shall take into account the need to ensure adequate protection of data.
Amendment 323 #
Proposal for a directive Article 9 – paragraph 6 b (new) 6b. Member States may cooperate with particular third countries as a means to meeting the provisions in this Directive on management of vulnerabilities, peer reviews, cyber security risk management, reporting measures and information sharing arrangements.
Amendment 324 #
Proposal for a directive Article 9 – paragraph 7 7. Member States shall communicate to the Commission without undue delay the CSIRTs designated in accordance with paragraph 1
Amendment 325 #
Proposal for a directive Article 10 – paragraph 1 – point c (c) CSIRTs shall be equipped with an appropriate system for
Amendment 326 #
(ca) CSIRTs shall have appropriate codes of conduct in place to ensure the confidentiality and trustworthiness of their operations;
Amendment 327 #
Proposal for a directive Article 10 – paragraph 1 – point e (e) CSIRTs shall be equipped with redundant systems and backup working space to ensure continuity of its services, including full-spectrum connectivity across networks, information systems and services, and devices;
Amendment 328 #
Proposal for a directive Article 10 – paragraph 1 – point e a (new) (ea) CSIRTs shall have appropriate descriptions of the skillsets required by staff to meet the technical capabilities necessary to perform assigned tasks;
Amendment 329 #
Proposal for a directive Article 10 – paragraph 1 – point e b (new) (eb) CSIRTs shall have appropriate internal training frameworks and, where suitable, relevant policies to support external technical training of staff in order to reinforce a culture of continuous improvement;
Amendment 330 #
Proposal for a directive Article 10 – paragraph 1 a (new) 1a. CSIRTs shall develop the following technical capabilities to perform their tasks: (a) The ability to conduct real-time monitoring of networks and information systems, and anomaly detection; (b) The ability to support penetration prevention operations including, in particular, the detection and analysis of sophisticated cyber threats; (c) The ability to collect and conduct complex forensic data analysis, and reverse engineering of cyber threats; (d) The ability to filter harmful communication content including, but not limited to, malicious e-mails; (e) The ability to protect data, including personal and sensitive data, from unauthorised exfiltration; (f) The ability to enforce strong authentication and access privileges; (g) The ability to analyse and attribute cyber threats.
Amendment 331 #
Proposal for a directive Article 10 – paragraph 2 – point d a (new) (da) acquiring real time threat intelligence and sharing the information among public and private entities based on interoperable solutions.
Amendment 332 #
Proposal for a directive Article 10 – paragraph 2 – point e (e) providing, upon a specific request of an entity,
Amendment 333 #
Proposal for a directive Article 10 – paragraph 2 – point f a (new) (fa) providing practical and operational guidance for essential and important entities in connection with cybersecurity response and prevention activities, including, in particular, dedicated technical support for SMEs;
Amendment 334 #
Proposal for a directive Article 10 – paragraph 2 – point f a (new) (fa) contributing to the deployment of secure information sharing tools pursuant to Article 9(3) of this Directive.
Amendment 335 #
Proposal for a directive Article 10 – paragraph 3 3. CSIRTs shall establish cooperation relationships with relevant entities, industry and other relevant actors in the private sector, with a view to better achieving the objectives of the Directive.
Amendment 336 #
Proposal for a directive Article 11 – paragraph 2 2. Member States shall ensure
Amendment 337 #
Proposal for a directive Article 11 – paragraph 3 3. Each Member State shall ensure that its competent authorities or CSIRTs inform its single point of contact and other relevant authorities in accordance with Article 20 of notifications on significant incidents, significant cyber threats and
Amendment 338 #
Proposal for a directive Article 11 – paragraph 4 4. To the extent necessary to effectively carry out the tasks and obligations laid down in this Directive, including supervision and enforcement, Member States shall ensure appropriate cooperation between the competent authorities
Amendment 339 #
Proposal for a directive Article 11 – paragraph 4 a (new) 4a. Where relevant to the extent necessary to effectively carry out the tasks and obligations laid down in this Directive, Member States shall ensure appropriate cooperation with other relevant stakeholders, such as CSIRTs other than those referred to in Article 9(1), CERTs and SOCs.
Amendment 340 #
Proposal for a directive Article 11 – paragraph 5
Amendment 341 #
Proposal for a directive Article 12 – paragraph 3 – subparagraph 1 The Cooperation Group shall be composed of representatives of Member States nominated by the single point of contact, the Commission and ENISA. The European External Action Service shall participate in the activities of the Cooperation Group as an observer. The European Supervisory Authorities (ESAs) in accordance with Article 17(5)(c) of Regulation (EU) XXXX/XXXX [the DORA Regulation] may participate in the activities of the Cooperation Group. Where appropriate, the Cooperation Group may invite representatives of relevant stakeholders, particularly representatives of industry, to participate in its work.
Amendment 342 #
Proposal for a directive Article 12 – paragraph 3 – subparagraph 1 The Cooperation Group shall be composed of representatives of Member States, the Commission
Amendment 343 #
Proposal for a directive Article 12 – paragraph 3 – subparagraph 2 Where appropriate, the Cooperation Group may invite representatives of relevant industry stakeholders covered by this Directive to participate in its work.
Amendment 344 #
Proposal for a directive Article 12 – paragraph 3 – subparagraph 2
Amendment 345 #
Proposal for a directive Article 12 – paragraph 4 – point b (b) exchanging best practices and information in relation to the implementation of this Directive, including in relation to identification of essential and important entities, cyber threats, incidents, vulnerabilities, near misses, awareness-
Amendment 346 #
Proposal for a directive Article 12 – paragraph 4 – point d (d) exchanging advice and cooperating with the Commission on draft Commission implementing
Amendment 347 #
Proposal for a directive Article 12 – paragraph 4 – point d a (new) (da) provide advice on the overall consistency of sector-specific cybersecurity requirements;
Amendment 348 #
Proposal for a directive Article 12 – paragraph 4 – point f
Amendment 349 #
Proposal for a directive Article 12 – paragraph 4 – point f a (new) (fa) carrying out coordinated security risk assessments pursuant to Article 19(1), where applicable;
Amendment 350 #
Proposal for a directive Article 12 – paragraph 4 – point k a (new) (ka) submitting to the Commission for the purpose of review referred to in Article 35 the reports on the experience gained at a strategic and operational level;
Amendment 351 #
Proposal for a directive Article 12 – paragraph 4 – point k a (new) (ka) providing a yearly assessment in cooperation with ENISA on which Nation States are harbouring ransomware criminals.
Amendment 352 #
Proposal for a directive Article 13 – paragraph 3 – point a a (new) (aa) facilitating the transfer of technology and relevant measures, policies and frameworks among the CSIRTs;
Amendment 353 #
Proposal for a directive Article 13 – paragraph 3 – point g – point v (v) contribution to the national cybersecurity incident and crisis response plan referred to in Article 7 (
Amendment 354 #
Proposal for a directive Article 13 – paragraph 3 – point l
Amendment 355 #
Proposal for a directive Article 13 – paragraph 4 4. For the purpose of the review referred to in Article 35 and by
Amendment 356 #
Proposal for a directive Article 14 – paragraph 1 1. In order to support the coordinated management of large-scale cybersecurity incidents and crises at operational level and to ensure the regular exchange of information among Member States and Union institutions, bodies and agencies considering such incidents and crises, the European Cyber Crises Liaison Organisation Network (EU-CyCLONe) is hereby established.
Amendment 357 #
Proposal for a directive Article 14 – paragraph 2 2. EU-CyCLONe shall be composed of the representatives of Member States’ crisis management authorities designated in accordance with Article 7
Amendment 358 #
Proposal for a directive Article 14 – paragraph 3 – introductory part 3. EU-CyCLONe, while avoiding any duplication of tasks with the CSIRT Network, shall have the following tasks:
Amendment 359 #
Proposal for a directive Article 14 – paragraph 3 – point b
Amendment 360 #
Proposal for a directive Article 14 – paragraph 3 – point d
Amendment 361 #
Proposal for a directive Article 14 – paragraph 3 – point d
Amendment 362 #
Proposal for a directive Article 14 – paragraph 5 5. EU-CyCLONe shall regularly report to the Cooperation Group on
Amendment 363 #
Proposal for a directive Article 15 – paragraph 1 – introductory part 1. ENISA shall issue, in cooperation with the Commission, a biennial report on the state of cybersecurity in the Union. The report shall be delivered in machine-readable format and shall in particular include an assessment of the following:
Amendment 364 #
Proposal for a directive Article 15 – paragraph 1 – point a a (new) (aa) the general level of cybersecurity awareness amongst citizens and consumers, the security of consumer-facing connected devices, and the security of digital public services and the respective digital infrastructures through which such services are offered to citizens;
Amendment 365 #
Proposal for a directive Article 15 – paragraph 1 – point b (b) the technical, financial and human resources available to competent authorities and cybersecurity policies
Amendment 366 #
Proposal for a directive Article 15 – paragraph 1 – point c (c) a cybersecurity index providing for an aggregated assessment of the maturity level of Union's cybersecurity capabilities.
Amendment 367 #
Proposal for a directive Article 15 – paragraph 1 – point c a (new) (ca) an overview of the general level of cybersecurity awareness and use amongst citizens as well as on the general level of security of consumer-oriented connected devices put on the market in the Union.
Amendment 368 #
Proposal for a directive Article 15 – paragraph 1 – point c b (new) (cb) the alignment of Member States’ national cybersecurity strategies referred to in Article 5, including the level of convergence of key performance indicators for the assessment of the strategies.
Amendment 369 #
Proposal for a directive Article 15 – paragraph 2 2. The report shall include the obstacles identified at the national level, particular policy recommendations for increasing the level of cybersecurity across the Union, and a summary of the findings for the particular period from the Agency’s EU Cybersecurity Technical Situation Reports issued by ENISA in accordance with Article 7(6) of Regulation (EU) 2019/881.
Amendment 370 #
Proposal for a directive Article 15 – paragraph 2 a (new) 2a. ENISA, in cooperation with the Commission and with guidance from the Cooperation Group and the CSIRTs network, shall prepare the methodological specifications, including the relevant variables underpinning the scoring and validation of the cybersecurity index referred to in paragraph 1(e).
Amendment 372 #
Proposal for a directive Article 16 – paragraph 1 – introductory part 1. The Commission shall establish, after consulting the Cooperation Group and ENISA, and at the latest by 18 months following the entry into force of this Directive, the methodology and content of a peer-review system for assessing the effectiveness of the Member States’ cybersecurity policies. ENISA shall develop templates for the self-assessment of the reviewed aspects, which Member States being reviewed shall complete and provide to designated experts prior to the commencement of the peer-review process. The reviews shall be conducted by cybersecurity technical experts drawn from ENISA and at least two Member States different than the one reviewed and shall cover at least the following:
Amendment 373 #
Proposal for a directive Article 16 – paragraph 1 – introductory part 1. The Commission shall establish, after consulting the Cooperation Group and ENISA, and at the latest by 18 months following the entry into force of this Directive, the methodology and content of a peer-review system for assessing the effectiveness of the Member States’ cybersecurity policies. The reviews shall be conducted by cybersecurity technical experts drawn from Member States different than the one reviewed, in consultation with ENISA, and shall cover at least the following:
Amendment 374 #
Proposal for a directive Article 16 – paragraph 1 – point iii (iii) the
Amendment 375 #
Proposal for a directive Article 16 – paragraph 2 2. The methodology shall include objective, non-discriminatory, fair and transparent criteria on the basis of which the Member States shall designate experts eligible to carry out the peer reviews. The Commission, supported by ENISA, shall develop appropriate codes of conduct underpinning the work methods of designated experts participating in peer-reviews to safeguard the confidentiality of information obtained through the peer-review process, and the non-disclosure of such information to any third parties. ENISA and the Commission shall designate experts to participate as observers in the peer-reviews. The Commission, supported by ENISA, shall establish within the methodology as referred to in paragraph 1 an objective, non-discriminatory, fair and transparent system for the selection and the random allocation of experts for each peer review.
Amendment 376 #
Proposal for a directive Article 16 – paragraph 4 4. Peer reviews shall entail actual or virtual on-site visits and off-site exchanges. In view of the principle of good cooperation, the designated experts tasked with carrying out the peer-review shall communicate the aspects under review as referred to in paragraph 1, including any additional targeted issues specific to the Member State or sectors referred to in paragraph 3, and request a corresponding self-assessment report from the Member States being reviewed. The Member States being reviewed shall provide the designated experts with the requested information necessary for the assessment of the reviewed aspects. Any information obtained through the peer review process shall be used solely for that purpose.
Amendment 377 #
Proposal for a directive Article 16 – paragraph 5 5. Once reviewed in a Member State, the same aspects shall not be subject to further peer review within that Member State during the two years following the
Amendment 378 #
Proposal for a directive Article 16 – paragraph 6 6. Member States shall ensure that any risk of conflict of interests concerning the designated experts is revealed to the other Member States, the Commission and ENISA
Amendment 379 #
Proposal for a directive Article 16 – paragraph 7 7. Experts participating in peer reviews shall draft reports on the findings and conclusions of the reviews. The reports shall include recommendations to enable improvement on the aspects covered by the peer-review process, including recommendations on the transfer of technologies, tools, measures, and processes from Member States carrying out the peer-review to the Member State being reviewed. The reports shall be submitted to the Commission, the
Amendment 380 #
Proposal for a directive Article 16 – paragraph 7 7. Experts participating in peer reviews shall draft reports on the findings and conclusions of the reviews. The reports shall be submitted to the Commission, the Cooperation Group, the CSIRTs network and ENISA. The reports shall be discussed in the Cooperation Group and the CSIRTs network.
Amendment 381 #
Proposal for a directive Article 16 – paragraph 7 a (new) 7a. The Commission will review the peer-review system taking into account the implementation in Member States. In case of misalignment of the implementations at national level, intervention plans that address existing differences are needed.
Amendment 382 #
Proposal for a directive Article 17 – paragraph 1 1. Member States shall ensure that the management bodies of essential and important entities approve the cybersecurity risk management measures taken by those entities in order to comply with Article 18, supervise its implementation and be accountable for the non-compliance by the entities with the obligations under this Article. Those measures shall non-exhaustively include an appropriate deployment of state-of-the-art products, services and processes for the resilience of the entity’s network and information systems.
Amendment 383 #
Proposal for a directive Article 17 – paragraph 2 2. Member States shall ensure that members of the management body
Amendment 384 #
Proposal for a directive Article 17 – paragraph 2 2. Member States shall ensure that members of the management body of essential and important entities follow specific trainings, where possible on a regular basis, to gain sufficient knowledge and skills in order to apprehend and assess cybersecurity risks and management practices and their impact on the
Amendment 385 #
Proposal for a directive Article 18 – paragraph 1 1. Member States shall ensure that essential and important entities, including ICT suppliers providing products and services for critical functions performed by essential or important entities, shall take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which those entities use in the provision of their services. Having regard to the state of the art, those measures shall ensure a level of security of network and information systems appropriate to the risk presented. ICT suppliers shall bear sole liability for non-compliance by providers of essential or important functions with the obligations under this article unless such non-compliance was known to and disregarded by the commissioning authority concerned.
Amendment 386 #
Proposal for a directive Article 18 – paragraph 1 1. Member States shall ensure that essential and important entities shall take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and
Amendment 387 #
Proposal for a directive Article 18 – paragraph 1 1. Member States shall ensure that essential and important entities shall take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which those entities use in the provision of their services.
Amendment 388 #
Proposal for a directive Article 18 – paragraph 1 1. Member States shall ensure that essential and important entities, including manufacturers and providers of ICT products, shall take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which those entities use in the provision of their services. Having regard to the state of the art, those measures shall ensure a level of security of network and information systems appropriate to the risk presented.
Amendment 389 #
Proposal for a directive Article 18 – paragraph 1 1. Member States shall ensure that essential and important entities
Amendment 390 #
Proposal for a directive Article 18 – paragraph 2 – point a (a) risk analysis and information system security policies in connection with critical network and information system functions;
Amendment 391 #
Proposal for a directive Article 18 – paragraph 2 – point b (b) incident handling (prevention, detection,
Amendment 392 #
Proposal for a directive Article 18 – paragraph 2 – point b (b) incident handling (prevention, detection,
Amendment 393 #
Proposal for a directive Article 18 – paragraph 2 – point b (b) incident
Amendment 394 #
Proposal for a directive Article 18 – paragraph 2 – point c (c) business continuity, disaster recovery and crisis management;
Amendment 395 #
Proposal for a directive Article 18 – paragraph 2 – point c (c) backup management, business continuity and crisis management;
Amendment 396 #
Proposal for a directive Article 18 – paragraph 2 – point c a (new) (ca) where relevant, multi-factor authentication and/or continuous authentication solutions;
Amendment 397 #
Proposal for a directive Article 18 – paragraph 2 – point d (d) supply chain security including security-related aspects concerning the relationships between each entity and its suppliers or service providers
Amendment 398 #
Proposal for a directive Article 18 – paragraph 2 – point f (f) policies and procedures (training, testing and auditing) to assess the effectiveness of cybersecurity risk management measures;
Amendment 399 #
Proposal for a directive Article 18 – paragraph 2 – point f a (new) (fa) deployment of secured voice, video and text communications, and of secured emergency communications systems within the entity;
Amendment 400 #
Proposal for a directive Article 18 – paragraph 2 – point f b (new) (fb) periodic compromise assessments of the entity’s network, infrastructure and devices;
Amendment 401 #
Proposal for a directive Article 18 – paragraph 2 – point g (g) support the use of cryptography and encryption, where appropriate.
Amendment 402 #
Proposal for a directive Article 18 – paragraph 2 – point g (g) the use of cryptography and encryption where appropriate.
Amendment 403 #
Proposal for a directive Article 18 – paragraph 2 – point g (g) the use, where appropriate, of cryptography and encryption.
Amendment 404 #
Proposal for a directive Article 18 – paragraph 2 – point g (g) the use of cryptography and strong encryption.
Amendment 405 #
Proposal for a directive Article 18 – paragraph 2 – point g a (new) (ga) wide adoption of basic computer hygiene practices such as software updates, device configuration, network segmentation, identity and access management or user awareness and training regarding corporate email cyber threats, phishing or social engineering techniques.
Amendment 406 #
Proposal for a directive Article 18 – paragraph 3 3. Member States shall ensure that, where considering appropriate measures referred to in point (d) of paragraph 2, entities shall take into account the
Amendment 407 #
Proposal for a directive Article 18 – paragraph 3 3. Member States shall ensure that, where considering appropriate measures referred to in point (d) of paragraph 2, entities shall take into account the vulnerabilities specific to each first-level supplier and
Amendment 408 #
Proposal for a directive Article 18 – paragraph 4 4. Member States shall ensure that where an entity finds that respectively its services or tasks are not in compliance with the requirements laid down in paragraph 2, it shall
Amendment 409 #
Proposal for a directive Article 18 – paragraph 4 a (new) 4a. In order to promote the convergent implementation of paragraph 1 and 2, Member States shall be in accordance with Article 12(4) assisted by the Cooperation Group, and shall, without imposing or discriminating in favour of the use of a particular type of technology, encourage the use of European or internationally accepted standards and specifications relevant to the security of network and information systems.
Amendment 410 #
Proposal for a directive Article 18 – paragraph 4 b (new) 4b. ENISA, in collaboration with Member States and industry, shall draw up advice and guidelines regarding the technical areas to be considered in relation to paragraphs 1 and 2 as well as regarding already existing standards, including Member States' national standards, which would allow for those areas to be covered.
Amendment 411 #
Proposal for a directive Article 18 – paragraph 5
Amendment 412 #
Proposal for a directive Article 18 – paragraph 5 5. ENISA, in collaboration with Member States shall draw up advice and guidelines regarding the technical and methodological specifications areas to be considered in relation to paragraph 2. The Commission may adopt implementing acts in order to lay down the technical and the methodological specifications of the elements referred to in paragraph 2. Where preparing those acts, the Commission shall proceed in accordance with the examination procedure referred to in Article 37(2) and follow
Amendment 413 #
Proposal for a directive Article 18 – paragraph 5 5. The Commission may adopt
Amendment 414 #
Proposal for a directive Article 18 – paragraph 5 5. The Commission may adopt
Amendment 415 #
Proposal for a directive Article 18 – paragraph 5 5. The Commission may adopt
Amendment 416 #
Proposal for a directive Article 18 – paragraph 6
Amendment 417 #
Proposal for a directive Article 18 – paragraph 6 a (new) 6a. Member States shall ensure that, where considering appropriate measures referred to in point (d) of paragraph 2, they will always seek harmonisation at EU level.
Amendment 418 #
Proposal for a directive Article 18 a (new)
Amendment 419 #
Proposal for a directive Article 19 – paragraph 1 a (new) 1a. To identify the specific critical ICT services, systems or products supply chains that are subject to a coordinated risk assessment, the following criteria shall be taken into account: (a) the extent to which essential and important entities use and rely on specific critical ICT services, systems or products; (b) the relevance of specific critical ICT services, systems or products for performing critical or sensitive functions, including the processing of personal data; (c) the availability of alternative ICT services, systems or products; (d) the resilience of the overall supply chain of ICT services, systems or products against disruptive events; and (e) the potential significance to entities' activities of emerging ICT services, systems or products.
Amendment 420 #
Proposal for a directive Article 19 – paragraph 2 2. The Commission, after consulting with the Cooperation Group
Amendment 421 #
Proposal for a directive Article 19 – paragraph 2 2. The Commission, after consulting with the Cooperation Group and ENISA, shall identify the specific critical ICT and ICS services, systems or products that may be subject to the coordinated risk assessment referred to in paragraph 1.
Amendment 422 #
Proposal for a directive Article 19 – paragraph 2 a (new) 2a. To identify the supply chains that should be subject to a coordinated risk assessment, the following criteria shall be taken into account: (a) the extent to which essential and important entities use and rely on specific critical ICT services, systems or products; (b) the relevance of specific critical ICT services, systems or products for performing critical or sensitive functions, including the processing of personal data; (c) the availability of alternative ICT services, systems or products; (d) the resilience of the overall supply chain of ICT services, systems or products against disruptive events; (e) for emerging ICT services, systems or products, their potential future significance for the entities’ activities.
Amendment 423 #
Proposal for a directive Article 19 – paragraph 2 a (new) 2a. The Stakeholder Cybersecurity Certification Group pursuant to Article 22 of Regulation (EU) 2019/881 shall issue an opinion on security risk assessments of specific critical ICT services, systems or products supply chains and the opinion shall be taken into account by the Cooperation Group and ENISA when it develops and executes an EU coordinated risk assessment of critical supply chain.
Amendment 424 #
Proposal for a directive Article 20 – paragraph 1 1. Member States shall ensure that essential and important entities notify, without undue delay, the competent authorities or the CSIRT in accordance with paragraphs
Amendment 425 #
Proposal for a directive Article 20 – paragraph 1 1. Member States shall ensure that
Amendment 426 #
Proposal for a directive Article 20 – paragraph 1 1. Member States shall ensure that essential and important entities notify, without undue delay, the competent authorities or the CSIRT in accordance with paragraphs 3 and 4 of any incident having a significant impact
Amendment 427 #
Proposal for a directive Article 20 – paragraph 1 1. Member States shall ensure that essential and important entities notify
Amendment 428 #
Proposal for a directive Article 20 – paragraph 1 1. Member States shall ensure that essential and important entities notify, without undue delay, the competent authorities or the CSIRT in accordance with paragraphs 3 and 4 of any incident having a significant impact on the provision of their services. Where appropriate, those entities shall notify, without undue delay, the recipients of their services of incidents
Amendment 429 #
Proposal for a directive Article 20 – paragraph 2
Amendment 430 #
Proposal for a directive Article 20 – paragraph 2 – subparagraph 1
Amendment 431 #
Proposal for a directive Article 20 – paragraph 2 – subparagraph 1
Amendment 432 #
Proposal for a directive Article 20 – paragraph 2 – subparagraph 1 Member States shall ensure that essential and important entities notify, without undue delay, the competent authorities or the CSIRT of any significant cyber threat that
Amendment 433 #
Proposal for a directive Article 20 – paragraph 2 – subparagraph 2
Amendment 434 #
Proposal for a directive Article 20 – paragraph 2 – subparagraph 2
Amendment 435 #
Proposal for a directive Article 20 – paragraph 2 – subparagraph 2
Amendment 436 #
Proposal for a directive Article 20 – paragraph 2 – subparagraph 2 Where applicable and in respect to their contractual arrangements, those entities shall notify, without undue delay, the recipients of their services that are potentially affected by a significant cyber threat of any measures or remedies that those recipients can take in response to that threat. Where appropriate, the entities shall also notify those recipients of the threat itself. The notification shall not make the notifying entity subject to increased liability
Amendment 437 #
Proposal for a directive Article 20 – paragraph 3
Amendment 438 #
Proposal for a directive Article 20 – paragraph 3 – point b (b) the incident has affected or has the potential to affect other natural or legal persons by causing considerable material or non-material losses. Non-material losses shall include:
Amendment 439 #
Proposal for a directive Article 20 – paragraph 3 – point b – point i (new) (i) a loss of integrity, authenticity or confidentiality of stored or transmitted or processed data or of the related services offered by an essential or important entity or accessible via a network and an information system;
Amendment 440 #
Proposal for a directive Article 20 – paragraph 3 – point b – point ii (new) (ii) a risk to public safety and security or loss of life.
Amendment 441 #
Proposal for a directive Article 20 – paragraph 3 a (new) 3a. Member States shall ensure that in order to determine the significance of the individual incident, where available, the following parameters shall, in particular, be taken into account: (a) the number of the recipients of the services affected by the incident; (b) the duration of the incident; (c) the geographical spread of the area affected by the incident; (d) the extent to which the functioning and continuity of the service is affected; (e) the extent of impact, including financial, on economic and societal activities of the entity directly concerned, of other entities or on national security.
Amendment 442 #
Proposal for a directive Article 20 – paragraph 3 b (new) 3b. Member States shall establish a single entry point for notifications required from essential and important entities under paragraph 1, and where relevant also for other notifications under this Directive and under other relevant Union law, and decide on which authorities shall receive the notifications and the scope of the information provided for each authority, including for the purpose of information sharing pursuant to paragraphs 7a, 8a and 8b of this Article.
Amendment 443 #
Proposal for a directive Article 20 – paragraph 4 – subparagraph 1 – introductory part 4. Member States shall ensure that, for the purpose of the notification under paragraph 1, the entities concerned shall submit to
Amendment 444 #
Proposal for a directive Article 20 – paragraph 4 – subparagraph 1 – introductory part 4. Member States shall ensure that, for the purpose of the notification under paragraph 1, the entities concerned shall submit to the competent authorities
Amendment 445 #
Proposal for a directive Article 20 – paragraph 4 – subparagraph 1 – point -a (new) (-a) an early warning within 24 hours after having become aware of an incident, without any obligations on the entity concerned to disclose additional information regarding the incident;
Amendment 446 #
Proposal for a directive Article 20 – paragraph 4 – subparagraph 1 – point a (a) without undue delay and in any event within 72
Amendment 447 #
Proposal for a directive Article 20 – paragraph 4 – subparagraph 1 – point a (a) without undue delay and in any event
Amendment 448 #
Proposal for a directive Article 20 – paragraph 4 – subparagraph 1 – point a (a) without undue delay and in any event within 72
Amendment 449 #
Proposal for a directive Article 20 – paragraph 4 – subparagraph 1 – point a (a) without undue delay
Amendment 450 #
Proposal for a directive Article 20 – paragraph 4 – subparagraph 1 – point b (b) upon the request of a competent authority or a CSIRT, without undue delay an intermediate
Amendment 451 #
Proposal for a directive Article 20 – paragraph 4 – subparagraph 1 – point c – introductory part (c) a
Amendment 452 #
Proposal for a directive Article 20 – paragraph 4 – subparagraph 1 – point c – introductory part (c) a
Amendment 453 #
Proposal for a directive Article 20 – paragraph 4 – subparagraph 1 – point c – introductory part (c) a
Amendment 454 #
Proposal for a directive Article 20 – paragraph 4 – subparagraph 1 – point c – introductory part (c) a
Amendment 455 #
Proposal for a directive Article 20 – paragraph 4 – subparagraph 1 – point c – point i (i) a detailed description of the confirmed incident, its severity and impact;
Amendment 456 #
Proposal for a directive Article 20 – paragraph 4 – subparagraph 1 – point c a (new) (ca) a final report should be drawn up one month after the incident had been mitigated.
Amendment 457 #
Proposal for a directive Article 20 – paragraph 4 – subparagraph 1 a (new) Member States may establish a single entry point for all notifications required under this Directive, the Regulation (EU) 2016/679, Directive 2002/58/EC and sector specific legislation.
Amendment 458 #
Proposal for a directive Article 20 – paragraph 4 – subparagraph 1 b (new) ENISA, in cooperation with the Cooperation Group, should develop common notification templates by means of guidelines to streamline the reporting information requested by this Directive and decrease the burdens for reporting entities.
Amendment 459 #
Proposal for a directive Article 20 – paragraph 4 – subparagraph 1 c (new) Member States shall ensure confidentiality and appropriate protections around sensitive information about incidents shared with competent authorities, and enact parameters around how incident information is further shared and reused.
Amendment 460 #
Proposal for a directive Article 20 – paragraph 4 a (new) 4a. When processing notifications, the competent authorities and the CSIRT shall, taking into account their available capacity, prioritise the processing of notifications from essential entities over those from important entities and processing of mandatory notifications from essential and important entities over the voluntary notifications pursuant to Article 27.
Amendment 461 #
Proposal for a directive Article 20 – paragraph 5 5. The competent national authorities or the CSIRT shall provide, within 24 hours after receiving the initial notification referred to in point (a) of paragraph 4, a response to the notifying entity, including initial feedback on the incident and, upon request of the entity, guidance and actionable advice on the implementation of possible mitigation measures. Where the CSIRT did not receive the notification referred to in paragraph 1
Amendment 462 #
Proposal for a directive Article 20 – paragraph 5 5. The
Amendment 463 #
Proposal for a directive Article 20 – paragraph 5 5. The competent national authorities or the CSIRT shall provide, within 24 hours after receiving the initial notification referred to in point (
Amendment 464 #
Proposal for a directive Article 20 – paragraph 5 a (new) 5a. Member States shall establish a single entry point for all notifications required under this Directive.
Amendment 465 #
Proposal for a directive Article 20 – paragraph 5 b (new) 5b. ENISA, in cooperation with the Cooperation Group, shall develop common notification templates by means of guidelines that would simplify and streamline the reporting information requested by Union law.
Amendment 466 #
Proposal for a directive Article 20 – paragraph 6 6. Where appropriate, and in particular where the incident referred to in paragraph 1 concerns two or more Member States, the competent authority or the CSIRT shall inform without undue delay the other affected Member States and ENISA of the incident. In so doing, the competent authorities, CSIRTs and single points of contact shall, in accordance with Union law or national legislation that complies with Union law, preserve the entity’s security and commercial interests as well as the confidentiality of the information provided.
Amendment 467 #
Proposal for a directive Article 20 – paragraph 7 7. Where public awareness is necessary to prevent an incident or to deal with an ongoing incident, or where disclosure of the incident is otherwise in the public interest, the competent authority or the CSIRT, and where appropriate the authorities or the CSIRTs of other Member States concerned may
Amendment 468 #
Proposal for a directive Article 20 – paragraph 7 7. Where public awareness is necessary to prevent an incident or to deal with an ongoing incident, or where disclosure of the incident is otherwise in the public interest, the competent authority or the CSIRT, and where appropriate the authorities or the CSIRTs of other Member States concerned may, after consulting the entity concerned, inform the public on a mutual basis about the incident or require the entity to do so.
Amendment 469 #
Proposal for a directive Article 20 – paragraph 7 7. Where public awareness is necessary to prevent an incident or to deal with an ongoing incident, or where disclosure of the incident is otherwise in the public interest, the competent authority or the CSIRT, and where appropriate the authorities or the CSIRTs of other Member States concerned
Amendment 470 #
Proposal for a directive Article 20 – paragraph 7 a (new) 7a. Competent authorities or the CSIRTs shall provide without undue delay to the single point of contact information on significant incidents notified in accordance with paragraph 1.
Amendment 471 #
Proposal for a directive Article 20 – paragraph 8 8. At the request of the competent authority or the CSIRT, the single point of contact shall forward notifications received pursuant to paragraph
Amendment 472 #
Proposal for a directive Article 20 – paragraph 8 8. At the request of the competent authority or the CSIRT, the single point of contact shall forward without undue delay notifications received pursuant to paragraph
Amendment 473 #
Proposal for a directive Article 20 – paragraph 8 8. At the request of the competent authority or the CSIRT, the single point of contact shall forward notifications received pursuant to paragraph
Amendment 474 #
Proposal for a directive Article 20 – paragraph 9 9. The single point of contact shall submit to ENISA on a monthly basis a summary report including anonymised and
Amendment 475 #
Proposal for a directive Article 20 – paragraph 9 9. The single point of contact shall submit to ENISA on a monthly basis a summary report including anonymised and aggregated data on incidents, significant cyber threats and near misses notified in accordance with paragraph
Amendment 476 #
Proposal for a directive Article 20 – paragraph 9 9. The single point of contact shall submit to ENISA on a monthly basis a summary report including anonymised and aggregated data on incidents, significant cyber threats and near misses notified in accordance with paragraph
Amendment 477 #
Proposal for a directive Article 20 – paragraph 10 10. Competent authorities
Amendment 478 #
Proposal for a directive Article 20 – paragraph 10 10. Competent authorities shall provide to the competent authorities designated pursuant to Directive (EU) XXXX/XXXX [Resilience of Critical Entities Directive] information on incidents and cyber threats notified in accordance with paragraph
Amendment 479 #
Proposal for a directive Article 20 – paragraph 10 10. Competent authorities shall provide to the competent authorities designated pursuant to Directive (EU) XXXX/XXXX [Resilience of Critical Entities Directive] information on incidents and cyber threats notified in accordance with paragraph
Amendment 480 #
Proposal for a directive Article 20 – paragraph 10 a (new) 10a. Competent authorities or the CSIRTs shall provide without undue delay to the national regulatory authorities or other competent authorities responsible for public electronic communications networks or for publicly available electronic communications services pursuant to Directive (EU) 2018/1972, information on significant incidents notified in accordance with paragraph 1 by providers of public electronic communications networks or publicly available electronic communications services referred to in point 8 of Annex I, as well as on the measures taken by competent authorities or CSIRTs in response to those incidents.
Amendment 481 #
Proposal for a directive Article 20 – paragraph 10 a (new) 10a. ENISA, in cooperation with the Cooperation Group, shall develop common incident notification templates by [date of transposition deadline of the Directive], to streamline the reporting obligations of essential and important entities, and simplify the sharing of relevant information referred to in point (b) of paragraph 1 of this Article.
Amendment 482 #
Proposal for a directive Article 20 – paragraph 11 11.
Amendment 483 #
Proposal for a directive Article 20 – paragraph 11 11. The Commission
Amendment 484 #
Proposal for a directive Article 20 – paragraph 11 11. The Commission, after it has consulted the industry and taking utmost account of ENISA’s opinion, may adopt implementing acts further specifying the type of information, the format and the procedure of a notification submitted pursuant to paragraph
Amendment 485 #
Proposal for a directive Article 20 – paragraph 11 11. The Commission, may adopt
Amendment 486 #
Proposal for a directive Article 21 – title Use of European cybersecurity certification schemes and standardisation
Amendment 487 #
Proposal for a directive Article 21 – paragraph 1 1. In order to
Amendment 488 #
Proposal for a directive Article 21 – paragraph 1 1. In order to demonstrate compliance with certain requirements of Article 18,
Amendment 489 #
Proposal for a directive Article 21 – paragraph 1 1. In order to demonstrate compliance with certain requirements of Article 18, Member States may require essential and important entities to use cert
Amendment 490 #
Proposal for a directive Article 21 – paragraph 1 1. In order to
Amendment 491 #
Proposal for a directive Article 21 – paragraph 1 1. In order to demonstrate compliance with certain requirements of Article 18, Member States may require
Amendment 492 #
Proposal for a directive Article 21 – paragraph 1 1. In order to demonstrate compliance with certain requirements of Article 18, Member States
Amendment 493 #
Proposal for a directive Article 21 – paragraph 2
Amendment 494 #
Proposal for a directive Article 21 – paragraph 2
Amendment 495 #
Proposal for a directive Article 21 – paragraph 2
Amendment 496 #
Proposal for a directive Article 21 – paragraph 2 2. T
Amendment 497 #
Proposal for a directive Article 21 – paragraph 2 a (new) 2a. In order to demonstrate compliance with certain requirements of Article 18 of this Directive, Member States may require essential and important entities to use qualified trust services pursuant to Regulation (EU) No 910/2014.
Amendment 498 #
Proposal for a directive Article 21 – paragraph 2 b (new) 2b. Member States may rely on certified cybersecurity services providers, which could be certified under specific European cybersecurity certification schemes adopted pursuant to Article 49 of Regulation (EU) 2019/881, to enforce the supervision activities provided for in Articles 29 and 30 of this Directive.
Amendment 499 #
Proposal for a directive Article 21 – paragraph 3
Amendment 500 #
Proposal for a directive Article 21 – paragraph 3 3. The Commission, after consulting the Cooperation Group and the European Cybersecurity Certification Group, may request ENISA to prepare a candidate scheme pursuant to Article 48(2) of Regulation (EU) 2019/881
Amendment 501 #
Proposal for a directive Article 23
Amendment 502 #
Proposal for a directive Article 23 – paragraph 1 1. For the purpose of contributing to the security, stability and resilience of the DNS, Member States shall ensure that TLD registries and
Amendment 503 #
Proposal for a directive Article 23 – paragraph 1 1. For the purpose of contributing to the security, stability and resilience of the DNS, Member States shall ensure that TLD registries and
Amendment 504 #
Proposal for a directive Article 23 – paragraph 3 3. Member States shall ensure that the TLD registries and the
Amendment 505 #
Proposal for a directive Article 23 – paragraph 4 4. Member States shall ensure that
Amendment 506 #
Proposal for a directive Article 23 – paragraph 4 4. Member States shall ensure that the TLD registries and the
Amendment 507 #
Proposal for a directive Article 23 – paragraph 5 5. Member States shall ensure that
Amendment 508 #
Proposal for a directive Article 23 – paragraph 5 5. Member States shall ensure that the TLD registries and the
Amendment 509 #
Proposal for a directive Article 24 – paragraph 1 1. DNS service providers, TLD name registries, cloud computing service providers, data centre service providers
Amendment 510 #
Proposal for a directive Article 24 – paragraph 1 1.
Amendment 511 #
Proposal for a directive Article 24 – paragraph 1 a (new) 1a. All essential and important entities referred to in Annexes I and II, with the exception of entities referred to in paragraph 1 of this Article, shall fall under the jurisdiction of the Member State where they provide their services. If the entity provides services in more than one Member State, it shall fall under the separate and concurrent jurisdiction of each of these Member States. The competent authorities of these Member States shall cooperate, provide mutual assistance to each other and where appropriate, carry out joint supervisory actions.
Amendment 512 #
Proposal for a directive Article 24 – paragraph 2 2. For the purposes of this Directive, entities referred to in paragraph 1 shall be deemed to have their main establishment in the Union in the Member State where the decisions related to the cybersecurity risk management measures are taken. If such decisions are not taken in any establishment in the Union, the main establishment shall be deemed to be in the Member State where the entities have the establishment with the
Amendment 513 #
Proposal for a directive Article 24 – paragraph 2 2. For the purposes of this Directive, entities referred to in paragraph 1 shall be deemed to have their main establishment in the Union in the Member State where the decisions related to the cybersecurity risk management measures are taken. If such decisions are not taken in any establishment in the Union, the main establishment shall be deemed to be in the Member State where the entities have the establishment
Amendment 514 #
Proposal for a directive Article 24 – paragraph 2 2. For the purposes of this Directive, entities referred to in paragraph 1 shall be deemed to have their main establishment in the Union in the Member State where the decisions related to the cybersecurity risk management measures are taken, or where cybersecurity operations are carried out. If such decisions are not taken in any establishment in the Union, the main establishment shall be deemed to be in the
Amendment 515 #
Proposal for a directive Article 24 – paragraph 2 2. For the purposes of this Directive, entities providing activities referred to in paragraph 1 shall be deemed to have their main establishment in the Union in the Member State where the decisions related to the cybersecurity risk management measures are taken. If such decisions are not taken in any establishment in the Union, the main establishment shall be
Amendment 516 #
Proposal for a directive Article 24 – paragraph 2 a (new) 2a. Essential and important entities should be subject to this Directive only in those Member States where they perform activities relevant to their designation as essential or important entities.
Amendment 517 #
Proposal for a directive Article 25
Amendment 518 #
Proposal for a directive Article 25 – paragraph 1 – introductory part 1. ENISA shall create and maintain a registry for essential and important entities referred to in Article 24(1). ENISA shall establish appropriate information classification and management protocols to ensure the security and confidentiality of disclosed information, and restrict the access, storage, and transmission of such information to intended users. The entities shall submit the following information to ENISA by [12 months after entering into force of the Directive at the latest]:
Amendment 519 #
Proposal for a directive Article 25 – paragraph 1 – introductory part 1. ENISA shall create and maintain a registry for essential and important entities referred to in Article 24(1)
Amendment 520 #
Proposal for a directive Article 25 – paragraph 1 – introductory part 1. ENISA shall create and maintain a secure registry for essential and important entities referred to in Article 24(1). The entities shall submit the following information to ENISA by [12 months after entering into force of the Directive at the latest]:
Amendment 521 #
Proposal for a directive Article 25 – paragraph 3
Amendment 522 #
Proposal for a directive Article 26 – paragraph 1 – introductory part 1. Without prejudice to Regulation (EU) 2016/679, Member States shall ensure that essential and important entities and other relevant entities not covered by the scope of this Directive may exchange relevant cybersecurity information among themselves including information relating to cyber threats, vulnerabilities, indicators of compromise, tactics, techniques and procedures, cybersecurity alerts and configuration tools, where such information sharing:
Amendment 523 #
Proposal for a directive Article 26 – paragraph 1 – introductory part 1.
Amendment 524 #
Proposal for a directive Article 26 – paragraph 1 – introductory part 1.
Amendment 525 #
Proposal for a directive Article 26 – paragraph 1 – point b (b) enhances the level of cybersecurity, in particular through raising awareness in relation to cyber threats, limiting or impeding such threats’ ability to spread, supporting a range of defensive capabilities, vulnerability remediation and disclosure, threat detection, containment and prevention techniques, mitigation strategies, or response and recovery stages, facilitating collaboration in cyber threat research among public entities, private entities and research bodies.
Amendment 526 #
Proposal for a directive Article 26 – paragraph 2 2. Member States shall ensure that the exchange of information takes place within trusted communities of essential and important entities. Such exchange shall be implemented through information sharing arrangements in respect of the potentially sensitive nature of the information shared
Amendment 527 #
Proposal for a directive Article 26 – paragraph 2 2. Member States shall
Amendment 528 #
Proposal for a directive Article 26 – paragraph 2 2. Member States shall
Amendment 529 #
Proposal for a directive Article 26 – paragraph 3 3. Member States shall
Amendment 530 #
Proposal for a directive Article 26 – paragraph 3 3. Member States, pursuant to paragraph 5, shall set out rules specifying the procedure, operational
Amendment 531 #
Proposal for a directive Article 26 – paragraph 3 3. Member States shall set out r
Amendment 532 #
Proposal for a directive Article 26 – paragraph 3 a (new) 3a. Provisions of paragraphs 1, 2 and 3 of this Article shall apply mutatis mutandis for the information-sharing with entities under the jurisdiction of other Member State. The competent authorities of Member States concerned shall cooperate to facilitate the information-sharing.
Amendment 533 #
Proposal for a directive Article 26 – paragraph 4 4. Essential and important entities
Amendment 534 #
Proposal for a directive Article 26 – paragraph 5 5. In compliance with Union law, ENISA shall support the establishment of
Amendment 535 #
Proposal for a directive Article 27 – title Voluntary
Amendment 536 #
Proposal for a directive Article 27 – paragraph 1 Member States shall ensure that, without prejudice to Article 3, entities falling outside the scope of this Directive may submit notifications to competent authorities or the CSIRT, on a voluntary basis, of significant incidents,
Amendment 537 #
Proposal for a directive Article 27 – paragraph 1 Member States shall ensure that, without prejudice to Article 3, entities within the scope and those falling outside the scope of this Directive may submit notifications, on a voluntary basis, of significant incidents, cyber threats or near misses. When processing notifications, Member States shall act in accordance with the procedure laid down in Article 20. Member States may prioritise the processing of mandatory notifications over voluntary notifications. Voluntary reporting shall not result in the imposition of any additional obligations upon the reporting entity to which it would not have been subject had it not submitted the notification.
Amendment 538 #
Proposal for a directive Article 27 – paragraph 1 a (new) Member States shall ensure that Article 20 applies mutatis mutandis for the submission and processing of the voluntary notifications referred to in paragraphs 1 and 1a of this Article. Voluntary reporting shall not result in the imposition of any additional obligations upon the reporting entity to which it would not have been subject had it not submitted the notification.
Amendment 539 #
Proposal for a directive Article 27 – paragraph 1 b (new) Member States shall ensure that Article 20 applies mutatis mutandis for the submission and processing of the voluntary notifications referred to in paragraphs 1 and 1a of this Article. Where applicable, the voluntarily reporting entities shall be encouraged to notify simultaneously the recipients of their services that are potentially affected of any measures or remedies that those recipients can take in response to the threat. The notification shall not make the notifying entity subject to increased liability. Voluntary reporting shall not result in the imposition of any additional obligations upon the reporting entity to which it would not have been subject had it not submitted the notification.
Amendment 540 #
Proposal for a directive Article 28 – paragraph 2 2. Competent authorities shall work in close cooperation with data protection authorities when addressing incidents resulting in personal data breaches, without prejudice to the competences, tasks and powers of data protection authorities pursuant to Regulation (EU) 2016/679.
Amendment 541 #
Proposal for a directive Article 29 – paragraph 1 1. Member States shall ensure that the measures of supervision or enforcement imposed on essential entities in respect of the obligations set out in this Directive are effective, proportionate and dissuasive, taking into account the circumstances of each individual case as well as the need to promote the exchange of information between competent authorities and essential entities.
Amendment 542 #
Proposal for a directive Article 29 – paragraph 2 – point a (a) on-site inspections and off-site supervision, including random checks, carried out by certified professionals;
Amendment 543 #
Proposal for a directive Article 29 – paragraph 2 – point b (b)
Amendment 544 #
Proposal for a directive Article 29 – paragraph 2 – point b – point i (new) (i) an ad hoc audit can be carried out in cases justified on the ground of a significant incident or non-compliance by the essential entity;
Amendment 545 #
Proposal for a directive Article 29 – paragraph 2 – point c (c)
Amendment 546 #
Proposal for a directive Article 29 – paragraph 2 – point c (c) targeted security audits based on risk assessments
Amendment 547 #
Proposal for a directive Article 29 – paragraph 2 – point g (g) requests for evidence of implementation of cybersecurity policies, such as the results of security audits carried out by a qualified auditor and the respective underlying evidence
Amendment 548 #
Proposal for a directive Article 29 – paragraph 2 a (new) 2a. where exercising their power under points (a) to (d) in paragraph 2, the competent authorities shall follow a due process in order to minimise the impact on business processes for the entity;
Amendment 549 #
Proposal for a directive Article 29 – paragraph 4 – point a a (new) (aa) investigate cases of non-compliance and the effects thereof on the security of the services;
Amendment 550 #
Proposal for a directive Article 29 – paragraph 4 – point b (b) issue binding instructions, including those regarding the measures required to remedy an incident or prevent one from occurring when a significant threat has been identified, time-limits for implementation and reporting obligations, or an order requiring those entities to remedy the deficiencies identified or the infringements of the obligations laid down in this Directive;
Amendment 551 #
Proposal for a directive Article 29 – paragraph 4 – point h (h) order, where necessary for risk management purposes, those entities to make public aspects of non-compliance with the obligations laid down in this Directive in a specified manner;
Amendment 552 #
Proposal for a directive Article 29 – paragraph 4 – point i
Amendment 553 #
Proposal for a directive Article 29 – paragraph 4 – point i (i) make a public statement, where necessary for risk management purposes, which identifies the legal and natural person(s) responsible for the infringement of an obligation laid down in this Directive and the nature of that infringement;
Amendment 554 #
Proposal for a directive Article 29 – paragraph 4 – point j (j) impose or request the imposition by the relevant bodies or courts according to national laws of an administrative fine pursuant to Article 31 in addition to
Amendment 555 #
Proposal for a directive Article 29 – paragraph 5 – subparagraph 1 – introductory part 5. Where enforcement actions adopted pursuant to points (a) to (d) and (f) of paragraph (4) prove ineffective, Member States shall ensure that competent authorities have the power to establish a deadline within which the essential entity
Amendment 556 #
Proposal for a directive Article 29 – paragraph 5 – subparagraph 1 – introductory part
Amendment 557 #
Proposal for a directive Article 29 – paragraph 5 – subparagraph 1 – point a (a) where applicable, temporarily suspend or request a certification or authorisation body to temporarily suspend a certification or authorisation concerning part or all the services or activities provided by an essential entity until the entity takes the necessary action to remedy the deficiencies or comply with the requirements of the competent authority for which such sanctions were applied;
Amendment 558 #
Proposal for a directive Article 29 – paragraph 5 – subparagraph 1 – point a (a) suspend or request a certification or authorisation body to suspend a certification or authorisation concerning part or all the services or activities provided by an essential entity or related ICT suppliers providing products and services for critical functions performed by essential or important entities;
Amendment 559 #
Proposal for a directive Article 29 – paragraph 5 – subparagraph 1 – point a (a) suspend or request a certification or authorisation body to suspend a certification or authorisation concerning part or all the services or activities provided by an essential entity or the related manufacturers and providers of ICT products;
Amendment 560 #
Proposal for a directive Article 29 – paragraph 5 – subparagraph 1 – point a (a)
Amendment 561 #
Proposal for a directive Article 29 – paragraph 5 – subparagraph 1 – point b
Amendment 562 #
Proposal for a directive Article 29 – paragraph 5 – subparagraph 1 – point b
Amendment 563 #
Proposal for a directive Article 29 – paragraph 5 – subparagraph 1 – point b (b) impose or request the imposition by the relevant bodies or courts according to national laws of a temporary ban against any person discharging managerial responsibilities at chief executive officer or legal representative level in that essential entity
Amendment 564 #
Proposal for a directive Article 29 – paragraph 5 – subparagraph 1 – point b (b) impose or request the imposition by the relevant bodies or courts according to national laws of a temporary ban against any person discharging managerial responsibilities at chief executive officer or legal representative level in that essential entity, and of any other natural person held responsible for the breach, from exercising managerial functions in that entity, or the related manufacturers and providers of ICT products.
Amendment 565 #
Proposal for a directive Article 29 – paragraph 5 – subparagraph 1 – point b (b) impose or request the imposition by the relevant bodies or courts according to national laws of a temporary ban against any person discharging managerial responsibilities at chief executive officer or legal representative level in that essential entity
Amendment 566 #
Proposal for a directive Article 29 – paragraph 5 – subparagraph 2
Amendment 567 #
Proposal for a directive Article 29 – paragraph 5 – subparagraph 2 These sanctions shall be applied only until the entity or related ICT suppliers providing products and services for critical functions performed by essential or important entities take
Amendment 568 #
Proposal for a directive Article 29 – paragraph 5 – subparagraph 2 These sanctions shall be applied only until the entity, or the related manufacturers and providers of ICT products, takes the necessary action to remedy the deficiencies or comply with the requirements of the competent authority for which such sanctions were applied.
Amendment 569 #
Proposal for a directive Article 29 – paragraph 6 6. Member States shall ensure that any natural person responsible for or acting as a representative of an essential entity on the basis of the power to represent it, the authority to take decisions on its behalf or the authority to exercise control of it has the powers to ensure its compliance with the obligations laid down in this Directive.
Amendment 570 #
Proposal for a directive Article 29 – paragraph 7 – point c (c) the actual damage caused or losses incurred
Amendment 571 #
Proposal for a directive Article 29 – paragraph 7 – point c (c) the actual damage caused or losses incurred
Amendment 572 #
Proposal for a directive Article 30 – paragraph 2 – point a a (new) (aa) investigate cases of non-compliance and the effects thereof on the security of the services;
Amendment 573 #
Proposal for a directive Article 30 – paragraph 2 – point b (b)
Amendment 574 #
Proposal for a directive Article 30 – paragraph 2 – point b (b) targeted security audits based on risk assessments
Amendment 575 #
Proposal for a directive Article 30 – paragraph 2 – point c (c) security scans based on objective, non-discriminatory, fair and transparent risk assessment criteria;
Amendment 576 #
Proposal for a directive Article 30 – paragraph 4 – point g (g) order, where necessary for risk management purposes, those entities to make public aspects of non-compliance with their obligations laid down in this Directive in a specified manner;
Amendment 577 #
Proposal for a directive Article 30 – paragraph 4 – point h
Amendment 578 #
Proposal for a directive Article 30 – paragraph 4 – point h (h) make a public statement, where necessary for risk management purposes, which identifies the legal and natural person(s) responsible for the infringement of an obligation laid down in this Directive and the nature of that infringement;
Amendment 579 #
Proposal for a directive Article 31 – paragraph 1 1. Member States shall ensure that the imposition of administrative fines on essential and important entities pursuant to this Article in respect of infringements of the obligations laid down in this Directive are, in each individual case, effective,
Amendment 580 #
Proposal for a directive Article 31 – paragraph 6
Amendment 581 #
Proposal for a directive Article 32 – paragraph 1 1. Where the competent authorities have indications that the infringement by an essential or important entity of the obligations laid down in Articles 18 and 20 entails a personal data breach, as defined by Article 4(12) of Regulation (EU) 2016/679 which shall be notified pursuant to Article 33 of that Regulation, they shall inform the supervisory authorities
Amendment 582 #
Proposal for a directive Article 32 – paragraph 1 1. Where the competent authorities have indications that the infringement by an essential or important entity of the obligations laid down in Articles 18 and 20 entails a personal data breach, as defined by Article 4(12) of Regulation
Amendment 583 #
Proposal for a directive Article 32 – paragraph 3 3. Where the supervisory authority competent pursuant to Regulation (EU) 2016/679 is established in another Member State than the competent authority, the competent authority
Amendment 584 #
Proposal for a directive Article 34 a (new) Article 34a Right to an effective judicial remedy Without prejudice to any available administrative or non-judicial remedy, the recipients of services provided by essential and important entities, having incurred damages as a result of the providers' non-compliance with this Directive, shall have the right to an effective judicial remedy.
Amendment 585 #
Proposal for a directive Article 35 – paragraph 1 The Commission shall periodically review the functioning of this Directive, and report to the European Parliament and to the Council. The report shall in particular assess the relevance of sectors, subsectors, size and type of entities referred to in Annexes I and II for the functioning of the economy and society in relation to cybersecurity. For this purpose and with a view to further advancing the strategic and operational cooperation, the Commission shall take into account the reports of the Cooperation Group and the CSIRTs network on the experience gained at a strategic and operational level. The first report shall be submitted by… [
Amendment 586 #
Proposal for a directive Article 35 – paragraph 1 a (new) As regards Digital Providers referred to in point (6) of Annex II, where platforms operated by such important entities are classified as very large online platforms within the meaning of Article 25 of Regulation (EU) XXXX/XXXX [Single Market For Digital Services (Digital Services Act) and amending Directive 2000/31/EC], or where the providers of core platform services are designated as gatekeepers within the meaning of Article 3 of Regulation (EU) XXXX/XXXX [Contestable and fair markets in the digital sector (Digital Markets Act)], these providers shall be designated as essential entities within the meaning of this Directive to adequately address the functioning of the economy and society in relation to cybersecurity, given the systemic risk stemming from the functioning and use made of their services in the Union, or the important gateway function that their core platform services serve for business users to reach end users.
Amendment 587 #
Proposal for a directive Article 36
Amendment 588 #
Proposal for a directive Article 37 – paragraph 3 – subparagraph 1 a (new) Where no opinion is delivered, the draft implementing act may not be adopted.
Amendment 589 #
Proposal for a directive Article 38 – paragraph 1 1. Member States shall adopt and publish, by … [
Amendment 590 #
Proposal for a directive Article 38 – paragraph 1 1. Member States shall adopt and publish, by … [
Amendment 591 #
Proposal for a directive Article 39
Amendment 592 #
Proposal for a directive Article 39 – paragraph 1 Article 19 of Regulation (EU) No 910/2014 is deleted with effect from [date of transposition deadline of the Directive].
Amendment 593 #
Proposal for a directive Article 40 – paragraph 1
Amendment 594 #
Proposal for a directive Article 40 – paragraph 1 Articles 40 and 41 of Directive (EU) 2018/1972 are
Amendment 595 #
Proposal for a directive Article 40 – paragraph 1 Articles 40 and 41 of Directive (EU) 2018/1972 are deleted 18 months after the date of entry into force of this Directive.
Amendment 596 #
Proposal for a directive Article 40 a (new) Article 40a Amendments to Directive 2020/1828/EC on Representative Actions for the Protection of the Collective Interests of Consumers The following is added to Annex I: “(X) Directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148”
Amendment 597 #
Proposal for a directive Article 42 – paragraph 1 This Directive shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union, with exception to Article 39 which enters into force on the day following the day when the transposition deadline as laid down in Article 38 expires.
Amendment 598 #
Proposal for a directive Annex I – subheading 1 E
Amendment 599 #
Proposal for a directive Annex I – table – point 9
Amendment 600 #
Proposal for a directive Annex II – subheading 1
Amendment 73 #
Proposal for a directive Recital 5 (5) All those divergences entail a fragmentation of the internal market and are liable to have a prejudicial effect on its functioning, affecting in particular the cross-border provision of services and level of cybersecurity resilience due to the application of different standards. This Directive aims to remove such wide divergences among Member States and strengthen the internal market, in particular by setting out minimum rules regarding the functioning of a coordinated regulatory framework, by laying down mechanisms for the effective cooperation among the responsible authorities in each Member State, by updating the list of sectors and activities subject to cybersecurity obligations and by providing effective remedies and sanctions which are instrumental to the effective enforcement of those obligations. Therefore, Directive (EU) 2016/1148 should be repealed and replaced by this Directive.
Amendment 74 #
Proposal for a directive Recital 6 a (new)
Amendment 75 #
Proposal for a directive Recital 9 (9) However, small or micro entities fulfilling certain criteria that indicate a key role for the economies or societies of Member States or for particular sectors or types of services, should also be covered by this Directive. Member States should be responsible for establishing a list of such entities, and submit it to the Commission. The Commission should provide clear guidance on the criteria establishing which SMEs would be critical or important, especially for SMEs that provide services in multiple Member States.
Amendment 76 #
Proposal for a directive Recital 9 (9) However, small or micro entities, unless fulfilling certain criteria that indicate a key role for the economies or societies of Member States or for particular sectors or types of services, should
Amendment 77 #
Proposal for a directive Recital 10 (10) The Commission, in cooperation with the Cooperation Group,
Amendment 78 #
Proposal for a directive Recital 11 (11) Depending on the sector in which they operate or the type of service they provide, the entities falling within the scope of this Directive should be classified into two categories: essential and important. That categorisation should take into account the level of criticality of the sector or of the type of service, as well as the level of dependency of other sectors or types of services. Both essential and important entities should be subject to the
Amendment 79 #
Proposal for a directive Recital 12 (12) Sector-specific legislation and instruments can contribute to ensuring high levels of cybersecurity, while taking full account of the specificities and complexities of those sectors. Where a sector-specific Union legal act requires essential or important entities to adopt cybersecurity risk management measures or to notify incidents or significant cyber threats of at least an equivalent effect to the obligations laid down in this Directive, those sector-specific provisions, including on supervision and enforcement, should apply. In order to reduce unnecessary administrative burden, sector-specific legislation and instruments should, whenever possible, align their notification procedures with those present in this Directive, according to the once-only principle. The Commission may issue guidelines in relation to the implementation of the lex specialis. This Directive does not preclude the adoption of additional sector-specific Union acts addressing cybersecurity risk management measures and incident notifications. This Directive is without prejudice to the existing implementing powers that have been
Amendment 80 #
Proposal for a directive Recital 12 a (new) (12a) The extension of the scope of this directive will mean the inclusion of entities subject to parallel regulation which may entail additional reporting requirements. In order to ensure coherence with all regulatory requirements, the Commission should ensure that where there are sector-specific acts that require essential or important entities either to adopt cybersecurity risk management measures or to notify incidents or significant cyber threats, that they should be consistent with the definitions and requirements of this Directive so that horizontal and sectoral legal instruments are sufficiently aligned in order to avoid any regulatory duplication or burden.
Amendment 81 #
Proposal for a directive Recital 12 b (new) (12b) The Commission should publish clear guidance accompanying this Directive to help ensure harmonisation in implementation across Member States and avoid fragmentation.
Amendment 82 #
Proposal for a directive Recital 14 (14) In view of the interlinkages between cybersecurity and the physical security of entities, a coherent approach should be ensured between Directive (EU) XXX/XXX of the European Parliament and of the Council17 and this Directive. To achieve this, Member States should ensure that critical entities, and equivalent entities, pursuant to Directive (EU) XXX/XXX are considered to be essential entities under this Directive. Member States should also ensure that their national cybersecurity strategies provide for a policy framework for enhanced coordination between the competent authority under this Directive and the one under Directive (EU) XXX/XXX in the context of incident reporting, information sharing on incidents and cyber threats and the exercise of supervisory tasks. Authorities under both Directives should cooperate and exchange information, particularly in relation to the identification of critical entities, cyber threats, cybersecurity risks, incidents affecting critical entities as well as on the cybersecurity measures taken by critical entities. Upon request of competent
Amendment 83 #
Proposal for a directive Recital 15 (15) Upholding and preserving a reliable, resilient and secure domain name system (DNS) is a key factor in maintaining the integrity of the Internet and is essential for its continuous and stable operation, on which the digital economy and society depend. Therefore, this Directive should apply to all providers of DNS services along the DNS resolution chain, including operators of root name servers, top-level-domain (TLD) name servers, authoritative name servers for domain names and recursive resolvers, and privacy or proxy registration service providers, domain brokers or resellers, and any other services that are related to the registration of domain names.
Amendment 84 #
Proposal for a directive Recital 15 (15) Upholding and preserving a reliable, resilient and secure domain name system (DNS) is a key factor in maintaining the integrity of the Internet and is essential for its continuous and stable operation, on which the digital economy, the internal market and society depend. Therefore, this Directive should apply to all providers of DNS services along the DNS resolution chain, including operators of root name servers, top-level-domain (TLD) name servers, authoritative name servers for domain names and recursive resolvers.
Amendment 85 #
Proposal for a directive Recital 20 (20) Those growing interdependencies are the result of an increasingly cross-border and interdependent network of service provision using key infrastructures across the Union in the sectors of energy, transport, digital infrastructure, drinking and waste water, health, certain aspects of public administration, as well as space in as far as the provision of certain services depending on ground-based infrastructures that are owned, managed and operated either by Member States or by private parties is concerned, therefore not covering infrastructures owned, managed or operated by or on behalf of the Union as
Amendment 86 #
Proposal for a directive Recital 20 a (new) (20a) When adopting national cybersecurity strategies, Member States should ensure that policy frameworks are available in order to address cybersecurity and the lawful access to information. In particular they should make sure that lawful access to information does not directly or indirectly lead to encryption being undermined and includes oversight, independent from the government.
Amendment 87 #
Proposal for a directive Recital 20 b (new) (20b) A policy addressing cybersecurity in the supply chain should favour open source cybersecurity products, in line with Opinion 5/2021 of the European Data Protection Supervisor [1a].
__________________
[1a] Opinion 5/2021 of the European Data Protection Supervisor on the Cybersecurity Strategy and the NIS 2.0 Directive, 11 March 2021
Amendment 88 #
Proposal for a directive Recital 23 (23) Competent authorities or the CSIRTs should receive notifications of incidents from entities in a
Amendment 89 #
Proposal for a directive Recital 25 (25)
Amendment 90 #
Proposal for a directive Recital 26 a (new) (26a) Member States should, in accordance with their national cybersecurity strategies, put in place policies directed at cybersecurity awareness, cyber literacy and cyber-hygiene of citizens, with a view of strengthening the human element of network and information systems and protecting consumers from harm.
Amendment 91 #
Proposal for a directive Recital 26 b (new) (26b) In order to use resources with efficiency and effectiveness, and to be able to manage the increased amount of risks and incidents, Member States should adopt policies on the promotion and integration of AI-enabled and intelligent systems in the prevention and detection of cybersecurity incidents and threats as part of their national cybersecurity strategies, as well as make full use of them within their national competent authorities.
Amendment 92 #
Proposal for a directive Recital 27 (27) In accordance with the Annex to Commission Recommendation (EU) 2017/1584 on Coordinated Response to Large Scale Cybersecurity Incidents and Crises (‘Blueprint’) [20], a large-scale incident should mean an incident with a significant impact on at least two Member States or whose disruption exceeds a Member State’s capacity to respond to it, thus endangering the internal market. Depending on their cause and impact, large-scale incidents may escalate and turn into fully-fledged crises not allowing the proper functioning of the internal market. Given the wide-ranging scope and, in most cases, the cross-border nature of such incidents, Member States and relevant Union institutions, bodies and agencies should cooperate at technical, operational and political level to properly coordinate the response across the Union.
__________________
[20] Commission Recommendation (EU) 2017/1584 of 13 September 2017 on coordinated response to large-scale cybersecurity incidents and crises (OJ L 239, 19.9.2017, p. 36).
Amendment 92 #
Proposal for a directive Title 1 Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on measures for a high common level of cybersecurity across the Union (NIS Directive), repealing Directive (EU) 2016/1148 (Text with EEA relevance)
Amendment 93 #
Proposal for a directive Recital 28 (28) Since the exploitation of vulnerabilities in network and information systems may cause significant disruption and harm to businesses and consumers, swiftly identifying and
Amendment 93 #
Proposal for a directive Recital 3 (3) Network and information systems have developed into a central feature of everyday life with the speedy digital transformation and interconnectedness of society, including in cross-border exchanges. That development has led to an expansion of the cybersecurity threat landscape, bringing about new challenges, which require adapted, coordinated and innovative responses in all Member States. The number, magnitude, sophistication, frequency and impact of cybersecurity incidents are increasing, and present a major threat to the functioning of network and information systems. As a result, cyber incidents can impede the pursuit of economic activities in the internal market, generate financial losses, undermine user confidence and cause major damage to the Union economy and society. Cybersecurity
Amendment 94 #
Proposal for a directive Recital 28 a (new) (28a) The Commission, ENISA and the Member States should continue to foster international alignment with standards and existing industry best practices in the area of risk management, for example in the areas of supply chain security assessments, information sharing and vulnerability disclosure.
Amendment 94 #
Proposal for a directive Recital 7 (7) With the repeal of Directive (EU) 2016/1148, the scope of application by sectors should be extended to a larger part of the economy in light of the considerations set out in recitals (4) to (6). The sectors covered by Directive (EU) 2016/1148 should therefore be extended to provide a comprehensive coverage of the sectors and services of vital importance for key societal and economic activities within the internal market.
Amendment 95 #
Proposal for a directive Recital 30 (30) Access to correct and timely information on vulnerabilities affecting ICT products and services contributes to an enhanced cybersecurity risk management. In that regard, sources of publicly available information on vulnerabilities are an important tool for entities and their users, but also national competent authorities and CSIRTs. For this reason, ENISA should establish a vulnerability
Amendment 95 #
Proposal for a directive Recital 7 (7) With the repeal of Directive (EU) 2016/1148, the scope of application by sectors should be extended to a larger part of the economy in light of the considerations set out in recitals (4) to (6). The sectors covered by Directive (EU) 2016/1148 should therefore be extended to provide a comprehensive coverage of the sectors and services of vital importance for key societal and economic activities within the internal market. The r
Amendment 96 #
Proposal for a directive Recital 30 (30) Access to correct and timely information on vulnerabilities affecting ICT products and services contributes to an enhanced cybersecurity risk management. In that regard, sources of publicly available information on vulnerabilities are an important tool for entities and their users, but also national competent authorities and CSIRTs. For this reason, ENISA should e
Amendment 96 #
Proposal for a directive Recital 10 (10)
Amendment 97 #
Proposal for a directive Recital 31 (31)
Amendment 97 #
Proposal for a directive Recital 11 (11) Depending on the sector in which they operate or the type of service they provide, the entities falling within the scope of this Directive should be classified into two categories: essential and important. That categorisation should take into account the level of criticality of the sector or of the type of service, as well as the level of dependency of other sectors or types of services. Both essential and important entities should be subject to the same risk management requirements and reporting obligations. The supervisory and penalty regimes between these two
Amendment 98 #
Proposal for a directive Recital 32 a (new) (32a) The Cooperation Group should be composed of representatives of Member States, the Commission and ENISA.
Amendment 98 #
Proposal for a directive Recital 11 (11) Depending on the sector in which they operate or the type of service they provide, the entities falling within the scope of this Directive should be classified into two categories: essential and important. That categorisation should take into account the level of criticality of the sector or of the type of service, as well as
Amendment 99 #
Proposal for a directive Recital 34 (34) The Cooperation Group should remain a flexible forum and be able to react to changing and new policy priorities and challenges while taking into account the availability of resources. It should organize regular joint meetings with relevant private stakeholders from across the Union to discuss activities carried out by the Group and gather input on emerging policy challenges. In order to enhance cooperation at Union level, the Group should consider inviting Union bodies and agencies involved in cybersecurity policy, such as the European Cybercrime Centre (EC3), the European Union Aviation Safety Agency (EASA) and the European
Amendment 99 #
Proposal for a directive Recital 11 (11) Depending on the sector in which they operate or the type of service they provide, the entities falling within the scope of this Directive should be classified into two categories: essential and important. That categorisation should take into account the level of criticality of the sector or of the type of service, as well as the level of dependency of other sectors or types of services.
source: 692.865
2021/06/30
LIBE
3 amendments...
Amendment 248 #
Proposal for a directive Annex I – Point 5 (Health) – indent 6 (new) Sector Subsecto
Amendment 249 #
Proposal for a directive Annex I – Point 8 (Digital infrastructure) – indent 2 and 3 8. Digital –
Amendment 250 #
Proposal for a directive Annex I – Point 9 (Public administration) source: 695.134
2021/07/02
LIBE
163 amendments...
Amendment 100 #
Proposal for a directive Recital 25 (25) As regards personal data, CSIRTs should be able to provide, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council19 as regards personal data, on behalf of and upon request by an entity under this Directive, a proactive scanning of the network and information systems used for the provision of their services. Member States should aim at ensuring an equal level of technical capabilities for all sectorial CSIRTs. Member States may request the assistance of the European Union Agency for Cybersecurity (ENISA) in developing national CSIRTs. Also, cybersecurity risks should never be used as a pretext for breaching human rights. _________________ 19 Regulation (EU) 2016/679 of the
Amendment 101 #
Proposal for a directive Recital 27 (27) In accordance with the Annex to Commission Recommendation (EU) 2017/1548 on Coordinated Response to Large Scale Cybersecurity Incidents and Crises (‘Blueprint’)20, a large-scale incident should mean an incident with a significant impact on at least two Member States or whose disruption exceeds a Member State’s capacity to respond to it. Depending on their cause and impact, large-scale incidents may escalate and turn into fully-fledged crises not allowing the proper functioning of the internal market. Given the wide-ranging scope and, in most cases, the cross-border nature of such incidents, Member States and relevant Union institutions, bodies and agencies should cooperate at technical, operational and political level to properly coordinate the response across the Union. Cybersecurity is indispensable for network and global internet connectivity, therefore improving cybersecurity is essential for EU citizens to be able to trust innovation and connectivity, given the expansion of online activities in the context of the COVID-19 pandemic.
Amendment 102 #
Proposal for a directive Recital 29 (29) Member States should therefore take measures to facilitate coordinated vulnerability disclosure by establishing a relevant national policy. In this regard, Member States should designate a CSIRT to take the role of ‘coordinator’, acting as an intermediary between the reporting entities and the manufacturers or providers of ICT products or services where necessary. The tasks of the CSIRT coordinator should in particular include identifying and contacting concerned entities, supporting reporting entities, negotiating disclosure timelines, and managing vulnerabilities that affect multiple organisations (multi-party vulnerability disclosure). Where vulnerabilities affect multiple manufacturers or providers of ICT products or services established in more than one Member State, the designated CSIRTs from each of the affected Member States should cooperate within the CSIRTs Network. Member States should jointly monitor the way in which EU rules are implemented, support each other in the event of any cross-border problems, establish a more structured dialogue with the private sector and cooperate on security risks and the threats associated with new technologies, as was the case with 5G technology.
Amendment 103 #
Proposal for a directive Recital 30 (30) Access to correct and timely information on vulnerabilities affecting ICT products and services contributes to an enhanced cybersecurity risk management. In that regard, sources of publicly available information on vulnerabilities are an important tool for entities and their users, but also national competent authorities and CSIRTs. For this reason, ENISA should establish a vulnerability registry where, essential and important entities and their suppliers, as well as entities which do not fall in the scope of application of this Directive may, on a voluntary basis, disclose vulnerabilities and provide the vulnerability information that allows users to take appropriate mitigating measures. Member States should support each other in the event of any cross-border problems, establish a more structured dialogue with the private sector and cooperate on security risks and the threats associated with new technologies, as was the case with 5G technology.
Amendment 104 #
Proposal for a directive Recital 36 (36) The Union should, where appropriate, conclude international agreements, in accordance with Article 218 TFEU, with third countries or international organisations, allowing and organising their participation in some activities of the Cooperation Group and the CSIRTs network.
Amendment 105 #
Proposal for a directive Recital 37 (37) Member States should contribute to the establishment of the EU Cybersecurity Crisis Response Framework set out in Recommendation (EU) 2017/1584 through the existing cooperation networks, notably the Cyber Crisis Liaison Organisation Network (EU-CyCLONe), CSIRTs network and the Cooperation Group. EU-CyCLONe and the CSIRTs network should cooperate on the basis of procedural arrangements defining the modalities of that cooperation. The EU-CyCLONe’s rules of procedures should further specify the modalities through which the network should function, including but not limited to roles, cooperation modes, interactions with other relevant actors and templates for information sharing, as well as means of communication. For crisis management at Union level, relevant parties should rely on the Integrated Political Crisis Response
Amendment 106 #
Proposal for a directive Recital 42 (42) Essential and important entities and public administration entities should ensure the security of the network and information systems which they use in their activities. Those are primarily private network and information systems managed by their internal IT staff or the security of which has been outsourced. The cybersecurity risk management and reporting requirements pursuant to this Directive should apply to the relevant essential and important entities and public administration entities regardless of whether they perform the maintenance of their network and information systems internally or outsource it.
Amendment 107 #
Proposal for a directive Recital 45 (45) Entities should also address cybersecurity risks stemming from their interactions and relationships with other stakeholders within a broader ecosystem. In particular, entities should take appropriate measures to ensure that their cooperation with academic and research institutions takes place in line with their cybersecurity policies and follows good practices as regards secure access and dissemination of information in general and the protection of intellectual property in particular. Similarly, given the importance and value of data for the activities of the entities, when relying on data transformation and data analytics services from third parties, the entities should take all appropriate cybersecurity measures and report any potential cyber attacks that they identify.
Amendment 108 #
Proposal for a directive Recital 46 (46) To further address key supply chain risks and assist entities operating in sectors covered by this Directive to appropriately manage supply chain and supplier related cybersecurity risks, the Cooperation Group involving relevant national authorities, in cooperation with the Commission and ENISA, should carry out coordinated sectoral supply chain risk assessments, as
Amendment 109 #
Proposal for a directive Recital 46 (46) To further address key supply chain risks and assist entities operating in sectors covered by this Directive and public administration entities to appropriately manage supply chain and supplier related cybersecurity risks, the Cooperation Group involving relevant national authorities, in cooperation with the Commission and ENISA, should carry out coordinated sectoral supply chain risk assessments, as was already done for 5G networks following Recommendation (EU) 2019/534 on Cybersecurity of 5G networks21, with the aim of identifying per sector which are the critical ICT services, systems or products, relevant threats and
Amendment 110 #
Proposal for a directive Recital 46 a (new) (46a) Free and open source software as well as open source hardware could bring huge benefits in terms of cybersecurity, in particular as regards transparency and verifiability of features. As this could help address and mitigate specific supply chain risks, their use should be preferred where feasible.
Amendment 111 #
Proposal for a directive Recital 47 (47) The supply chain risk assessments, in light of the features of the sector concerned, should take into account both technical and, where relevant, non-technical factors including those defined in Recommendation (EU) 2019/534, in the EU wide coordinated risk assessment of
Amendment 112 #
Proposal for a directive Recital 48 a (new) (48a) Small and medium-sized enterprises (SMEs) often lack the scale and resources to fulfil a broad and growing range of cybersecurity needs in an interconnected world with an increase of remote work. Member States should therefore address in their national cybersecurity strategies guidance and support for SMEs.
Amendment 113 #
Proposal for a directive Recital 51 (51) The internal market is more reliant on the functioning of the internet than ever before. The services of virtually all essential and important entities and public administration entities are dependent on services provided over the internet. In order to ensure the smooth provision of services provided by essential and important entities and public administration entities, it is important that public electronic communications networks, such as, for example, internet backbones or submarine communications cables, have appropriate cybersecurity measures in place and report incidents in relation thereto.
Amendment 114 #
Proposal for a directive Recital 51 a (new)
Amendment 115 #
Proposal for a directive Recital 53 (53) In particular, providers of public electronic communications networks or publicly available electronic communications services, should implement security by design and by default and inform the service recipients of particular and significant cyber threats and of measures they can take to protect the security of their devices and communications, for instance by using specific types of software or encryption technologies. In order to increase the security of hardware and software, providers should be encouraged to use open source and open hardware.
Amendment 116 #
Proposal for a directive Recital 54 (54) In order to safeguard the security of electronic communications networks and services, the use of encryption, and in particular end-to-end encryption, should be promoted and, where necessary, should be mandatory for providers of such services and networks in accordance with the principles of security and privacy by default and by design for the purposes of Article 18.
Amendment 117 #
Proposal for a directive Recital 54 (54) In order to safeguard the security of electronic communications networks and services, the use of encryption, and in particular end-to-end encryption, which is a critical and irreplaceable technology for effective data protection and privacy, should be promoted and, where necessary, should be mandatory for providers of such services and networks in accordance with the principles of security and privacy by default and by design for the purposes of Article 18.
Amendment 118 #
Proposal for a directive Recital 54 (54)
Amendment 119 #
Proposal for a directive Recital 54 (54) In order to safeguard the security of electronic communications networks and services, the use of encryption, and in particular end-to-end encryption, should be promoted and, where necessary, should be mandatory for providers of such services and networks in accordance with the principles of security and privacy by default and by design for the purposes of Article 18. The use of end-to-end encryption should be reconciled with the Member States’ powers to ensure the protection of their essential security interests and public security, and to permit the investigation, detection and prosecution of criminal offences in compliance with Union law. Solutions for lawful access to information within end-to-end encrypted communications should maintain the effectiveness of encryption in protecting privacy and the security of communications,
Amendment 120 #
Proposal for a directive Recital 54 a (new) (54a) Any measure aimed at weakening encryption or circumventing the technology’s architecture may incur significant risks to the effective protection capabilities it entails, thus inevitably compromising the protection of personal data and privacy, resulting in an overall loss of trust in security controls. Any unauthorised decryption, reverse engineering of encryption codes or monitoring of electronic communications other than by legal authorities should be prohibited to ensure the effectiveness of the technology and its wider use. The cases in which encryption can be used to mitigate the risks related to non-compliant data transfers, as presented in EDPB Recommendations 01/2020, may enable a stronger encryption, whether in transit or at rest, for the providers of such services and networks for the purposes of Article 18.
Amendment 121 #
Proposal for a directive Recital 55 (55) This Directive lays down a two-stage approach to incident reporting in order to strike the right balance between, on the one hand, swift reporting that helps
Amendment 122 #
Proposal for a directive Recital 56 (56) Essential and important entities and public administration entities are often in a situation where a particular incident, because of its features, needs to be reported to various authorities as a result of notification obligations included in various legal instruments. Such cases create additional burdens and may also lead to uncertainties with regard to the format and procedures of such notifications. In view of this and, for the purposes of simplifying the reporting of security incidents, Member States should establish a single entry point for all notifications required under this Directive and also under other Union law such as Regulation (EU) 2016/679 and Directive 2002/58/EC. ENISA, in cooperation with the Cooperation Group should develop common notification templates by means of guidelines that would simplify and streamline the reporting information requested by Union law and decrease the burdens for companies.
Amendment 123 #
Proposal for a directive Recital 57 (57) Where it is suspected that an incident is related to serious criminal activities under Union or national law, Member States should encourage essential and important entities and public administration entities, on the basis of applicable criminal proceedings rules in compliance with Union law, to report incidents of a suspected serious criminal nature to the relevant law enforcement authorities. Where appropriate, and without prejudice to the personal data protection rules applying to Europol, it is desirable
Amendment 124 #
Proposal for a directive Recital 57 (57) Where it is suspected that an incident is related to serious criminal activities under Union or national law,
Amendment 125 #
Proposal for a directive Recital 59
Amendment 126 #
Proposal for a directive Recital 60
Amendment 127 #
Proposal for a directive Recital 61
Amendment 128 #
Proposal for a directive Recital 62
Amendment 129 #
Proposal for a directive Recital 63 (63) All essential and important entities under this Directive should fall under the jurisdiction of the Member State where they provide their services. If the entity provides services in more than one Member State, it should fall under the separate and concurrent jurisdiction of each of these Member States. The competent authorities of these Member States should cooperate, provide mutual assistance to each other and where appropriate, carry out joint supervisory actions. Public administration entities shall fall under the jurisdiction of the Member State in which they were identified pursuant to Article 2a.
Amendment 130 #
Proposal for a directive Recital 65 (65) In cases where a
Amendment 131 #
Proposal for a directive Recital 69
Amendment 132 #
Proposal for a directive Recital 69 (69) The processing of personal data, to the extent strictly necessary and proportionate for the purposes of ensuring network and information security by entities, public authorities, CERTs, CSIRTs, and providers of security technologies and services should constitute a legitimate interest of the data controller concerned, as referred to in Regulation (EU) 2016/679. That should include measures related to the prevention, detection, analysis and response to incidents, measures to raise awareness in relation to specific cyber threats, exchange of information in the context of vulnerability remediation and coordinated disclosure, as well as the voluntary exchange of information on those incidents, as well as cyber threats and vulnerabilities, indicators of compromise, tactics, techniques and procedures, cybersecurity alerts and configuration tools. In many cases, personal data are compromised following cyber incidents and, therefore, the competent authorities and data protection authorities of EU Member States should cooperate and exchange information on all relevant matters in order to tackle any personal data breaches. Such measures may require the
Amendment 133 #
Proposal for a directive Recital 70 (70) In order to strengthen the supervisory powers and actions that help ensure effective compliance, this Directive should provide for a minimum list of supervisory actions and means through which competent authorities may supervise essential and important entities. In addition, this Directive should establish a differentiation of supervisory regime between essential and important entities with a view to ensuring a fair balance of obligations for both entities and competent authorities. Thus, essential entities should be subject to a fully-fledged supervisory regime (ex-ante and ex-post), while important entities should be subject to a light supervisory regime, ex-post only. For the latter, this means that important entities should not document systematically compliance with cybersecurity risk management requirements, while competent authorities should implement a reactive ex-post approach to supervision and, hence, not have a general obligation to
Amendment 134 #
Proposal for a directive Recital 78 a (new) (78a) The European Commission should support Member States to design educational programmes on cybersecurity, to enable members of the management body of entities falling within the scope of this Directive to receive or recruit cybersecurity specialists and technicians in order to comply with the obligations arising from this Directive.
Amendment 135 #
Proposal for a directive Recital 79 (79) A peer-review mechanism should be introduced, allowing the assessment by experts designated by the Member States of the implementation of cybersecurity policies, including the level of Member States’ capabilities and available resources. The EU must ensure a coordinated response to large-scale cyber incidents and crises and, also, must offer assistance in order to facilitate recovery following such cyber attacks.
Amendment 136 #
Proposal for a directive Recital 82 a (new) (82a) This Directive does not apply to Union bodies, however, Union bodies could be considered essential or important entities under this Directive. By [6 months after entry into force], the Commission should evaluate the need to apply the provisions of this Directive to Union bodies and present, where appropriate, legislative proposals to this effect.
Amendment 137 #
Proposal for a directive Article 1 – paragraph 2 – point b (b) lays down cybersecurity risk management and reporting obligations for entities of a type referred to as essential entities in Annex I
Amendment 138 #
Proposal for a directive Article 1 a (new) Article 1 a Protection and processing of personal data 1. Any processing of personal data in the Member States pursuant to this Directive shall be carried out in accordance with Regulation (EU) 2016/679 and Directive 2002/58/EC. 2. Any processing of personal data by the Commission and ENISA pursuant to this Directive shall be carried out in accordance with Regulation (EC) No 2018/1725.
Amendment 139 #
Proposal for a directive Article 2 – paragraph 1 1. This Directive applies to public and private entities of a type referred to as essential entities in Annex I and as important entities in Annex II. This Directive does not apply to entities that qualify as micro and small enterprises within the meaning of Commission Recommendation 2003/361/EC
Amendment 140 #
Proposal for a directive Article 2 – paragraph 1 1. This Directive applies to public and private entities of a type referred to as essential entities in Annex I and as important entities in Annex II. This Directive does not apply to entities that qualify as micro
Amendment 141 #
Proposal for a directive Article 2 – paragraph 1 a (new) 1 a. This Directive also applies to public administration entities identified by the Member States in accordance with art. 2a, notwithstanding para 1b.
Amendment 142 #
Proposal for a directive Article 2 – paragraph 1 b (new) 1b. This directive does not apply to public administration entities that carry out activities in the areas of public security, defence or national security.
Amendment 143 #
Proposal for a directive Article 2 – paragraph 2 – point a – point iii
Amendment 144 #
Proposal for a directive Article 2 – paragraph 2 – point b
Amendment 145 #
Proposal for a directive Article 2 – paragraph 2 – point c (c) the entity is the sole provider of a service in a Member State or region;
Amendment 146 #
Proposal for a directive Article 2 – paragraph 2 – point d (d) a
Amendment 147 #
Proposal for a directive Article 2 – paragraph 2 – point e (e) a
Amendment 148 #
Proposal for a directive Article 2 – paragraph 2 – subparagraph 1 Member States shall establish a list of entities identified pursuant to points (b) to (
Amendment 149 #
Proposal for a directive Article 2 – paragraph 4 4. This Directive applies without prejudice to
Amendment 150 #
Proposal for a directive Article 2 – paragraph 4 a (new)
Amendment 151 #
Proposal for a directive Article 2 – paragraph 5 5. Without prejudice to Article 346 TFEU, information that is confidential pursuant to Union and national rules, such as rules on business confidentiality, shall be exchanged with the Commission and other relevant authorities only where that exchange is necessary for the application of this Directive. The information exchanged shall be limited to that which is relevant and proportionate to the purpose of that exchange. The exchange of information shall preserve the confidentiality of that information and protect the security and commercial interests of essential or important entities or public administration entities.
Amendment 152 #
Proposal for a directive Article 2 – paragraph 5 5. Without prejudice to Article 346 TFEU, information that is confidential
Amendment 153 #
Proposal for a directive Article 2 – paragraph 5 a (new) 5a. As regards the processing of personal data, essential and important entities, as well as competent authorities, CERTs, and CSIRTs, shall process personal data to an extent that is strictly necessary and proportionate for the purposes of ensuring network and information security, in accordance with the obligations set out in this Directive. Where the processing of personal data is required for the purpose of cybersecurity and network and information security in accordance with the provisions set out in Article 18 and Article 20 of the Directive, including the provisions set out in Article 23, this processing shall be considered necessary in order to ensure compliance with a legal obligation in accordance with paragraph 1(c) of Article 6 of Regulation (EU) 2016/679.
Amendment 154 #
Proposal for a directive Article 2 – paragraph 5 b (new) 5b. As regards the processing of personal data from essential entities providing services of public electronic communication networks or publicly available electronic communications referred to in point 8 of Annex I and point (a)(i) of paragraph (1), such processing of personal data required for the purposes of ensuring network and information security must be in compliance with the provisions set out in Directive 2002/58/EC.
Amendment 155 #
Proposal for a directive Article 2 – paragraph 6 a (new) 6 a. Before 31 December 2021, the Commission shall publish a legislative proposal to include Union institutions, offices, bodies and agencies (EUIs) in the overall EU-wide cybersecurity framework, with a view to achieving a uniform level of protection through consistent and homogeneous rules.
Amendment 156 #
Proposal for a directive Article 2 – paragraph 6 a (new) 6 a. This Directive is to be applied in full compliance with Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and is not modifying or adding to its provisions.
Amendment 157 #
Proposal for a directive Article 2 a (new) Article 2 a Identification of Public Administration Entities 1. By [date] Member States may identify public administration entities established on their territory. 2. The criteria for the progressive identification of public administration entities shall be as follows: (a) it is established for the purpose of meeting needs in the general interest and does not have an industrial or commercial character; (b) it is financed, for the most part, by the State, regional authority, or by other bodies governed by public law; or it is subject to management supervision by those authorities or bodies; or it has an administrative, managerial or supervisory board, more than half of whose members are appointed by the State, regional authorities, or by other bodies governed by public law; (c) it has the power to address to natural or legal persons administrative or regulatory decisions affecting their rights in the cross-border movement of persons, goods, services or capital. 3. The public administration entities identified in line with this Article shall be reviewed and where appropriate updated by Member States when necessary. 4. Member States shall inform the Commission about the result of the process of identification of public administration entities in accordance with this Article.
Amendment 158 #
Proposal for a directive Article 4 – paragraph 1 – point 9 (9) ‘representative’ means any natural or legal person established in the Union explicitly designated to act on behalf of i)
Amendment 159 #
Proposal for a directive Article 4 – paragraph 1 – point 12
Amendment 160 #
Proposal for a directive Article 4 – paragraph 1 – point 14
Amendment 161 #
Proposal for a directive Article 4 – paragraph 1 – point 15
Amendment 162 #
Amendment 163 #
Proposal for a directive Article 4 – paragraph 1 – point 23 – introductory part (23) ‘public administration entity’ means an entity in a Member State that
Amendment 164 #
Proposal for a directive Article 4 – paragraph 1 – point 23 – point a
Amendment 165 #
Proposal for a directive Article 4 – paragraph 1 – point 23 – point b
Amendment 166 #
Proposal for a directive Article 4 – paragraph 1 – point 23 – point c
Amendment 167 #
Proposal for a directive Article 4 – paragraph 1 – point 23 – point d
Amendment 168 #
Proposal for a directive Article 4 – paragraph 1 – point 23 – paragraph 1
Amendment 169 #
Proposal for a directive Article 5 – paragraph 1 – point d a (new) (da) an assessment of the general level of cybersecurity awareness amongst citizens as well as on the general level of security of consumer connected devices;
Amendment 170 #
Proposal for a directive Article 5 – paragraph 2 – point a (a) a policy addressing cybersecurity in the supply chain for ICT products and services used by essential and important entities and public administration entities for the provision of their services;
Amendment 171 #
Proposal for a directive Article 5 – paragraph 2 – point b (b) guidelines regarding the inclusion and specification of cybersecurity-related requirements for ICT products and services in public procurement, including but not limited to encryption requirements and the promotion of the use of open source cybersecurity products;
Amendment 172 #
Proposal for a directive Article 5 – paragraph 2 – point d a (new) (da) a policy related to sustaining the use of open data and open source as part of security through transparency;
Amendment 173 #
Proposal for a directive Article 5 – paragraph 2 – point d a (new) (da) a policy promoting the privacy and security of personal data of users of online services;
Amendment 174 #
Proposal for a directive Article 5 – paragraph 2 – point e a (new) (ea) a policy on education to develop training programmes on cybersecurity to provide entities with specialists and technicians;
Amendment 175 #
Proposal for a directive Article 5 – paragraph 2 – point f (f) a policy on supporting academic and research institutions to develop cybersecurity tools and secure network infrastructure, including specific policies that address aspects related to representation and gender balance in the above-mentioned fields;
Amendment 176 #
Proposal for a directive Article 5 – paragraph 2 – point f (f) a policy on supporting education establishments, in particular academic and research institutions to develop and deploy cybersecurity tools and secure network infrastructure;
Amendment 177 #
Proposal for a directive Article 5 – paragraph 2 – point g a (new) (ga) carrying out research projects that contribute to the national cybersecurity strategy, in order to maintain the highest level of cybersecurity possible.
Amendment 178 #
Proposal for a directive Article 5 – paragraph 2 – point h (h) a policy addressing specific needs of SMEs, in particular those excluded from the scope of this Directive, in relation to guidance and support in improving their resilience to cybersecurity threats and also taking into account their capabilities to respond to such threats.
Amendment 179 #
Proposal for a directive Article 6 – paragraph 2 2. ENISA shall develop and maintain a European vulnerability registry. To that end, ENISA shall establish and maintain the appropriate information systems, policies and procedures with a view in particular to enabling important and essential entities and their suppliers of network and information systems to disclose and register vulnerabilities present
Amendment 180 #
Proposal for a directive Article 6 – paragraph 2 2. ENISA shall develop and maintain a European vulnerability registry. To that end, ENISA shall establish and maintain the appropriate information systems, policies and procedures with a view in particular to enabling important and essential entities and public administration entities and their suppliers of network and information systems to disclose and register vulnerabilities present in ICT products or ICT services, as well as to provide access to the information on vulnerabilities contained in the registry to all interested parties. The registry shall, in particular, include information describing the vulnerability, the affected ICT product or ICT services and the severity of the
Amendment 181 #
Proposal for a directive Article 6 – paragraph 2 2. ENISA shall develop and maintain a European vulnerability registry. To that end, ENISA shall establish and maintain the appropriate information systems, policies and procedures with a view in particular to enabling important and essential entities and their suppliers of network and information systems to disclose and register vulnerabilities present in ICT products or ICT services, as well as to provide access to the information on vulnerabilities contained in the registry to
Amendment 182 #
Proposal for a directive Article 7 – paragraph 3 – point a (a) objectives of national, regional and cross-border preparedness measures and activities;
Amendment 183 #
Proposal for a directive Article 9 – paragraph 3 3. Member States shall ensure that each CSIRT has at its disposal an appropriate, secure, and resilient communication and information infrastructure to exchange information with essential and important entities and public administration entities and other relevant interested parties. To this end, Member States shall ensure that the CSIRTs contribute to the deployment of secure information sharing tools.
Amendment 184 #
Proposal for a directive Article 9 – paragraph 4 4. CSIRTs shall cooperate and, where appropriate, exchange relevant information in accordance with Article 26 with trusted sectorial or cross-sectorial communities of essential and important entities and public administration entities.
Amendment 185 #
Proposal for a directive Article 10 – paragraph 2 – point b (b) providing early warning, alerts, announcements and dissemination of information to essential and important entities and public administration entities as well as to other relevant interested parties on cyber threats, vulnerabilities and incidents;
Amendment 186 #
Proposal for a directive Article 10 – paragraph 2 – point e
Amendment 187 #
Proposal for a directive Article 10 – paragraph 2 – point e (e) providing, upon request of an entity, a proactive scanning of the network and information systems used for the provision of their services; the processing of personal data in the context of such scanning shall be limited to what is strictly necessary, and in any case to IP addresses and URLs.
Amendment 188 #
Proposal for a directive Article 11 – paragraph 2 2. Member States shall ensure that either their competent authorities or their CSIRTs receive notifications on incidents, and significant cyber threats and near misses submitted pursuant to this Directive. Where a Member State decides that its CSIRTs shall not receive those notifications, the CSIRTs shall, to the extent necessary to carry out their tasks, be granted access to data on incidents notified by the essential or important entities
Amendment 189 #
Proposal for a directive Article 12 – paragraph 3 – introductory part 3. The Cooperation Group shall be composed of representatives of Member States, the Commission and ENISA.
Amendment 190 #
Proposal for a directive Article 12 – paragraph 3 – introductory part 3. The Cooperation Group shall be composed of representatives of Member States, the Commission and ENISA. The European External Action Service and the European Cybercrime Centre at Europol shall participate in the activities of the Cooperation Group as an observer. The European Supervisory Authorities (ESAs) in accordance with Article 17(5)(c) of Regulation (EU) XXXX/XXXX [the DORA Regulation] may participate in the
Amendment 191 #
Proposal for a directive Article 12 – paragraph 3 – introductory part 3. The Cooperation Group shall be composed of representatives of Member States, the Commission
Amendment 192 #
Proposal for a directive Article 12 – paragraph 3 – subparagraph 1 Where appropriate, the Cooperation Group
Amendment 193 #
Proposal for a directive Article 12 – paragraph 8 8. The Cooperation Group shall meet regularly and at least once a year with the Critical Entities Resilience Group established under Directive (EU) XXXX/XXXX [Resilience of Critical Entities Directive] to
Amendment 194 #
Proposal for a directive Article 13 – paragraph 2 2. The CSIRTs network shall be composed of representatives of the Member States’ CSIRTs and CERT-EU. The Commission and the European Cybercrime Centre at Europol shall participate in the CSIRTs network as an observer. ENISA shall provide the secretariat and shall actively support cooperation among the CSIRTs.
Amendment 195 #
Proposal for a directive Article 14 – paragraph 2 2. EU-CyCLONe shall be composed of the representatives of Member States’ crisis management authorities designated in accordance with Article 7, the Commission and ENISA. The European Cybercrime Centre at Europol shall participate in the activities of EU-CyCLONe as an observer. ENISA shall provide the secretariat of the network and support the secure exchange of information.
Amendment 196 #
Proposal for a directive Article 14 – paragraph 5 5. EU-CyCLONe shall regularly report to the Cooperation Group on
Amendment 197 #
Proposal for a directive Article 14 – paragraph 6 6. EU-CyCLONe shall cooperate with the CSIRTs network on the basis of agreed procedural arrangements, and with law enforcement in the framework of the EU Law Enforcement Emergency Response Protocol.
Amendment 198 #
Proposal for a directive Article 15 – paragraph 1 – introductory part 1. ENISA shall issue, in cooperation with the Commission, a biennial report on the state of cybersecurity in the Union. The report shall be delivered in machine-readable format and in particular include an assessment of the following:
Amendment 199 #
Proposal for a directive Article 15 – paragraph 1 – introductory part 1. ENISA shall issue, in cooperation with the Commission, a
Amendment 200 #
Proposal for a directive Article 15 – paragraph 1 – point c a (new) (ca) an overview of the general level of cybersecurity awareness and use amongst citizens as well as on the general level of security of consumer-oriented connected devices put on the market in the Union.
Amendment 201 #
Proposal for a directive Article 17 – paragraph 1 1. Member States shall ensure that the management bodies of essential and important entities and public administration entities approve the cybersecurity risk management measures taken by those entities in order to comply with Article 18, supervise its implementation and be accountable for the non-compliance by the entities with the obligations under this Article.
Amendment 202 #
Proposal for a directive Article 17 – paragraph 2 2. Member States shall ensure that members of the management body and cybersecurity specialists in charge follow specific trainings, on a regular basis, to gain sufficient knowledge and skills, in order to apprehend and assess cybersecurity risks and management practices and their impact on the operations of the entity.
Amendment 203 #
Proposal for a directive Article 18 – paragraph 1 1. Member States shall ensure that essential and important entities shall take appropriate and proportionate technical and organisational measures to manage the risks posed to the cybersecurity of network and information systems
Amendment 204 #
Proposal for a directive Article 18 – paragraph 1 1. Member States shall ensure that essential and important entities and public administration entities shall take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which those entities use in the provision of their services. Having regard to the state of the art, those measures shall ensure a level of security of network and information systems appropriate to the risk presented.
Amendment 205 #
Proposal for a directive Article 18 – paragraph 2 – point g (g) the use of cryptography and strong encryption.
Amendment 206 #
3. Member States shall ensure that, where considering appropriate and proportionate measures referred to in point (d) of paragraph 2, entities shall take into account the vulnerabilities specific to each supplier and service provider and the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures.
Amendment 207 #
Proposal for a directive Article 18 – paragraph 6 a (new) 6 a. Member States shall give the user of a network and information system provided by an essential or important entity the right to obtain from the entity information on the technical and organisational measures in place to manage the risks posed to the security of network and information systems. Member States shall define the limitations to that right.
Amendment 208 #
Proposal for a directive Article 19 – paragraph 1 1. The Cooperation Group, in cooperation with the Commission and ENISA,
Amendment 209 #
Proposal for a directive Article 19 – paragraph 2 2. The Commission, after consulting with the Cooperation Group, the European Data Protection Board and ENISA, shall identify the specific critical ICT services, systems or products that may be subject to the coordinated risk assessment referred to in paragraph 1.
Amendment 210 #
Proposal for a directive Article 19 – paragraph 2 2. The Commission, after consulting with the Cooperation Group and ENISA, shall identify the specific critical ICT services, systems or products that
Amendment 211 #
Proposal for a directive Article 20 – paragraph 1 1. Member States shall ensure that essential and important entities notify, without undue delay, the competent authorities or the CSIRT in accordance with paragraphs 3 and 4 of any incident having a significant impact on the provision of their services.
Amendment 212 #
Proposal for a directive Article 20 – paragraph 1 1. Member States shall ensure that essential and important entities notify, without undue delay, the competent authorities or the CSIRT in accordance with paragraphs 3 and 4 of any incident having a significant impact on the provision of their services, and to the competent law enforcement authorities if the incident is of a suspected or known malicious nature. Where appropriate, those entities shall notify, without undue delay, the recipients of their services of incidents that are likely to adversely affect the provision of that service. Member States shall ensure that those entities report, among others, any information enabling the competent authorities or the CSIRT to determine any cross-border impact of the incident.
Amendment 213 #
Proposal for a directive Article 20 – paragraph 1 1. Member States shall ensure that essential and important entities and public administration entities notify, without undue delay, but within 24 hours, the competent authorities or the CSIRT in accordance with paragraphs 3 and 4 of any incident having a significant impact on the provision of their services. Where appropriate, those entities shall notify,
Amendment 214 #
Proposal for a directive Article 20 – paragraph 1 1. Member States shall
Amendment 215 #
Proposal for a directive Article 20 – paragraph 2 – introductory part 2. Member States shall ensure that essential and important entities and public administration entities notify, without undue delay, but within 24 hours, the competent authorities or the CSIRT of any significant cyber threat that those entities identify that could have potentially resulted in a significant incident.
Amendment 216 #
Proposal for a directive Article 20 – paragraph 2 – subparagraph 1
Amendment 217 #
Proposal for a directive Article 20 – paragraph 6 6. Where appropriate, and in particular where the incident referred to in paragraph 1 concerns two or more Member States, the competent authority or the CSIRT shall inform the other affected Member States and ENISA of the incident. If the incident concerns two or more Member States and is, or may be, suspected to be of criminal nature, the competent authority or the CSIRT shall inform EUROPOL. In so doing, the competent authorities, CSIRTs and single points of contact shall, in accordance with Union law or national legislation that complies with Union law, preserve the entity’s security and commercial interests as well as the confidentiality of the information provided.
Amendment 218 #
Proposal for a directive Article 20 – paragraph 7 7. Where public awareness is necessary to prevent an incident or to deal with an ongoing incident, or where disclosure of the incident is otherwise in the public interest, the competent authority or the CSIRT, and where appropriate the
Amendment 219 #
Proposal for a directive Article 20 a (new) Article 20 a Divergence for Public Administration Entities Member States may lay down the rules on whether and to what extent public administration entities are excluded from the obligations provided in Article 17, Article 18 and Article 20.
Amendment 220 #
Proposal for a directive Article 21 – paragraph 1 1. In order to demonstrate compliance with certain requirements of Article 18, Member States may require essential and important entities and public administration entities to certify certain ICT products, ICT services and ICT processes under specific European cybersecurity
Amendment 221 #
Proposal for a directive Article 22 – paragraph 2 2. ENISA, in collaboration with Member States and in consultation with the EDPB, shall draw up advice and guidelines regarding the technical areas to be considered in relation to paragraph 1 as well as regarding already existing standards, including Member States' national standards, which would allow for those areas to be covered.
Amendment 222 #
Proposal for a directive Article 22 – paragraph 2 2. ENISA, after having consulted the EDPB, in collaboration with Member States, shall draw up advice and guidelines regarding the technical areas to
Amendment 223 #
Proposal for a directive Article 23
Amendment 224 #
Proposal for a directive Article 23 – paragraph 1 1. For the purpose of contributing to
Amendment 225 #
Proposal for a directive Article 23 – paragraph 2 2. Member States shall ensure that the databases of domain name registration data referred to in paragraph 1 contain
Amendment 226 #
Proposal for a directive Article 23 – paragraph 5 5. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD provide access to specific domain name registration data upon lawful and
Amendment 227 #
Proposal for a directive Article 23 – paragraph 5 5. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD provide access to specific domain name registration data upon lawful and duly justified requests of
Amendment 228 #
Proposal for a directive Article 24 – paragraph 1 1.
Amendment 229 #
Proposal for a directive Article 25 – paragraph 1 – introductory part 1. ENISA shall create and maintain a secure registry for essential and important entities referred to in Article 24(1). The entities shall submit the following information to ENISA by [12 months after entering into force of the Directive at the latest]:
Amendment 230 #
Proposal for a directive Article 26 – paragraph 1 – introductory part 1. Without prejudice to Regulation (EU) 2016/679, Member States shall ensure that essential and important entities may exchange relevant cybersecurity information among themselves including information relating to cyber threats, vulnerabilities, indicators of compromise, tactics, techniques and procedures, cybersecurity alerts and configuration tools, as well as the location or identity of the attacker where such information sharing:
Amendment 231 #
Proposal for a directive Article 26 – paragraph 1 – introductory part 1. Without prejudice to Regulation (EU) 2016/679, Member States shall ensure that essential and important entities and public administration entities may exchange relevant cybersecurity information among themselves including information relating to cyber threats, vulnerabilities, indicators of compromise, tactics, techniques and procedures, cybersecurity alerts and configuration tools, where such information sharing:
Amendment 232 #
Proposal for a directive Article 26 – paragraph 2 2. Member States shall ensure that the exchange of information takes place within trusted communities of essential and important entities and public administration entities. Such exchange shall be implemented through information sharing arrangements in respect of the potentially sensitive nature of the information shared and in compliance with the rules of Union law referred to in paragraph 1.
Amendment 233 #
Proposal for a directive Article 26 – paragraph 4 4. Essential and important entities and public administration entities shall notify the competent authorities of their participation in the information-
Amendment 234 #
Proposal for a directive Article 28 – paragraph 2 2. Competent authorities shall work in close cooperation with data protection authorities when addressing incidents resulting in personal data breaches without prejudice to the competences, tasks and powers of data protection authorities pursuant to Regulation (EU) 2016/679.
Amendment 235 #
Proposal for a directive Article 30 a (new) Article 30 a Supervision and enforcement for public administration entities 1. Member States shall ensure that the measures of supervision or enforcement imposed on public administration entities in respect of the obligations set out in this Directive are effective, proportionate and dissuasive, taking into account the circumstances of each individual case. 2. Member States shall ensure that competent authorities, where exercising their supervisory tasks and enforcement powers in relation to public administration entities have the appropriate powers in accordance with national legislation.
Amendment 236 #
Proposal for a directive Article 31 – title General conditions for imposing administrative fines on essential and important entities and public administration entities
Amendment 237 #
Proposal for a directive Article 31 – paragraph 1 1. Member States shall ensure that the imposition of administrative fines on essential and important entities and public administration entities pursuant to this Article in respect of infringements of the obligations laid down in this Directive are, in each individual case, effective, proportionate and dissuasive.
Amendment 238 #
Proposal for a directive Article 31 – paragraph 6 6. Without prejudice to the powers of competent authorities pursuant to Articles
Amendment 239 #
Proposal for a directive Article 32 – paragraph 1 1. Where the competent authorities have indications that the infringement by an essential or important entity or public administration entity of the obligations laid down in Articles 18 and 20 entails a personal data breach, as defined by Article 4(12) of Regulation (EU) 2016/679 which shall be notified pursuant to Article 33 of that Regulation, they shall inform the supervisory authorities competent pursuant to Articles 55 and 56 of that Regulation within a reasonable period of time.
Amendment 240 #
Proposal for a directive Article 32 – paragraph 1 1. Where the competent authorities have indications that the infringement by an essential or important entity of the obligations laid down in Articles 18 and 20
Amendment 241 #
Proposal for a directive Article 32 – paragraph 1 1. Where the competent authorities have indications that the infringement by an essential or important entity of the obligations laid down in Articles 18 and 20 entails a personal data breach, as defined by Article 4(12) of Regulation (EU) 2016/679 which shall be notified pursuant to Article 33 of that Regulation, they shall inform the supervisory authorities competent pursuant to Articles 55 and 56 of that Regulation within
Amendment 242 #
Proposal for a directive Article 32 – paragraph 3 3. Where the supervisory authority competent pursuant to Regulation (EU) 2016/679 is established in another Member State than the competent authority, the competent authority
Amendment 243 #
Proposal for a directive Article 34 a (new) Article 34 a Liability for non-compliance Without prejudice to any available administrative or non-judicial remedy, the recipients of services provided by essential and important entities, having incurred damages as a result of the providers' non-compliance with this Directive, shall have the right to an effective judicial remedy.
Amendment 244 #
Proposal for a directive Article 35 – paragraph 1 The Commission shall
Amendment 245 #
Proposal for a directive Article 35 – paragraph 1 The Commission shall periodically review the functioning of this Directive, and report to the European Parliament and to the
Amendment 246 #
Proposal for a directive Article 40 – paragraph 1 Articles 40 and 41 of Directive (EU) 2018/1972 are
Amendment 247 #
Proposal for a directive Article 40 a (new) Article 40 a Amendments to Directive 2020/1828/EC on Representative Actions for the Protection of the Collective Interests of Consumers The following is added to Annex I: “(X) Directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148”
Amendment 85 #
Proposal for a directive Recital 1 (1) Directive (EU) 2016/1148 of the European Parliament and the Council [11] aimed at building cybersecurity capabilities across the Union, mitigating threats to network and information systems used to provide essential services in key sectors and ensuring the continuity of such services when facing cybersecurity incidents, thus contributing to the Union's security, economy and society to function effectively.
[11] Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (OJ L 194/1, 19.7.2016, p. 1).
Amendment 86 #
Proposal for a directive Recital 2 (2) Since the entry into force of Directive (EU) 2016/1148 significant progress has been made in increasing the Union’s level of cybersecurity resilience. The review of that Directive has shown that it has served as a catalyst for the institutional and regulatory approach to cybersecurity in the Union, paving the way
Amendment 87 #
Proposal for a directive Recital 3 (3) Network and information systems have developed into a central feature of everyday life with the speedy digital transformation and interconnectedness of society, including in cross-border exchanges. That development has led to an expansion of the cybersecurity threat
Amendment 88 #
Proposal for a directive Recital 5 (5) All those divergences entail a fragmentation of the internal market and are liable to have a prejudicial effect on its functioning, affecting in particular the cross-border provision of services and level of cybersecurity resilience due to the application of different standards. Cybersecurity must form the basis for the digital transformation of daily activities within the entire European Union and must consolidate cooperation between the EU bodies and the authorities of the Member States that are responsible for preventing and discouraging cyber attacks. This Directive aims to remove such wide divergences among Member States, in particular by setting out minimum rules regarding the functioning of a coordinated
Amendment 89 #
Proposal for a directive Recital 5 (5) All those divergences entail a fragmentation of the internal market and are liable to have a prejudicial effect on its functioning, affecting in particular the cross-border provision of services and level of cybersecurity resilience due to the application of different standards, but also threaten the overall security of the Union. This Directive aims to remove such wide divergences among Member States, in particular by setting out minimum rules regarding the functioning of a coordinated regulatory framework, by laying down mechanisms for the effective cooperation among the responsible authorities in each Member State, by updating the list of sectors and activities subject to cybersecurity obligations and by providing
Amendment 90 #
Proposal for a directive Recital 6 (6) This Directive leaves unaffected the ability of Member States to take the necessary measures to ensure the protection of the essential interests of their national security, to safeguard public policy and public security, and to allow for the investigation, detection and prosecution of criminal offences, in compliance with Union law. In accordance with Article 346 TFEU, no Member State is to be obliged to supply information the disclosure of which would be contrary to the essential interests of its public security. In this context, national and Union rules for protecting classified information, non-disclosure agreements, and informal non-disclosure agreements such as the Traffic Light Protocol [14], are of relevance.
[14] The Traffic Light Protocol (TLP) is a means for someone sharing information to inform their audience about any limitations in further spreading this information. It is used in almost all CSIRT communities and some Information Analysis and Sharing Centres (ISACs).
Amendment 91 #
Proposal for a directive Recital 8 (8) In accordance with Directive (EU) 2016/1148, Member States were responsible for determining which entities meet the criteria to qualify as operators of essential services (‘identification process’). In order to eliminate the wide divergences among Member States in that regard and ensure legal certainty for the risk management requirements and reporting obligations for all relevant entities, a uniform criterion should be established that determines the entities falling within the scope of application of this Directive. That criterion should consist of the application of the size-cap rule, whereby all medium and large enterprises, as defined by Commission Recommendation 2003/361/EC [15], that operate within the sectors or provide the type of services covered by this Directive, fall within its scope. Member States should not be required to establish a list of the entities that meet this generally applicable size-related criterion. Nevertheless, taking into account the difference in composition of public administration in the Member States, the identification process provided in Directive (EU) 2016/1148 remains an appropriate mechanism to determine which public administration entities should fall under the scope of this Directive.
[15] Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (OJ L 124, 20.5.2003, p. 36).
Amendment 92 #
Proposal for a directive Recital 8 a (new) (8a) Taking into consideration the differences in the national public administration frameworks, Member States retain full decision-making autonomy regarding the question of whether to identify public administration entities and, if Member States decide to do so, which entities are to be identified. It would also be possible to foresee in the national legislation that particular categories of public administration entities are identified as falling under the scope of this Directive. Member States should also be able to structure the obligations for public administration entities regarding security requirements, incident notification, supervision and sanctions.
Amendment 93 #
Proposal for a directive Recital 11 (11) Depending on the sector in which they operate or the type of service they provide, the entities falling within the scope of this Directive should be classified into t
Amendment 94 #
Proposal for a directive Recital 15 (15) Upholding and preserving a reliable, resilient and secure domain name system (DNS) is a key factor in maintaining the integrity of the Internet and is essential for its continuous and stable operation, on which the digital economy and society depend.
Amendment 95 #
Proposal for a directive Recital 20 (20) Those growing interdependencies are the result of an increasingly cross-border and interdependent network of service provision using key infrastructures across the Union in the sectors of energy, transport, digital infrastructure, drinking and waste water, health, certain aspects of public administration, as well as space in as far as the provision of certain services depending on ground-based infrastructures that are owned, managed and operated either by Member States or by private parties is concerned, therefore not covering infrastructures owned, managed or operated by or on behalf of the Union as part of its space programmes. Those interdependencies mean that any disruption, even one initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts in the delivery of services across the internal market. The COVID-19 pandemic has shown the vulnerability of our increasingly interdependent societies in the face of low-probability risks. Cybersecurity must be one of the EU priorities in responding to the COVID-19 pandemic, during which cyber attacks have intensified, which will have to lead to further investment in this field.
Amendment 96 #
Proposal for a directive Recital 20 a (new) (20a) It is crucial to raise cyber awareness and resilience in public administration entities. At the same time it is also essential to take into account the specificities of the composition of national public administrations. Therefore Member States should be given the flexibility to decide if and which public administration entities should be covered by this Directive and should have the right to exclude selected obligations for these entities. Identification of public administration entities should be at the individual Member State’s sole discretion.
Amendment 97 #
Proposal for a directive Recital 21 (21) In view of the differences in national governance structures and in order to safeguard already existing sectoral arrangements or Union supervisory and regulatory bodies, Member States should be able to designate more than one national competent authority responsible for fulfilling the tasks linked to the security of the network and information systems of essential and important entities under this Directive. Member States should be able to assign this role to an existing authority and make sure that this authority has adequate resources to fulfil its duties in an efficient and effective way.
Amendment 98 #
Proposal for a directive Recital 21 (21) In view of the differences in national governance structures and in order to safeguard already existing sectoral arrangements or Union supervisory and regulatory bodies, Member States should be able to designate more than one national competent authority responsible for fulfilling the tasks linked to the security of the network and information systems of essential and important entities and public administration entities under this Directive. Member States should be able to assign this role to an existing authority.
Amendment 99 #
Proposal for a directive Recital 25 (25)
source: 695.133
History
(these mark the time of scraping, not the official date of the change)
Field | Old | New |
---|---|---|
procedure/stage_reached | Procedure completed, awaiting publication in Official Journal | Procedure completed |
docs/14/date | 2021-03-22T00:00:00 | 2021-03-21T00:00:00 |
docs/15/date | 2021-03-22T00:00:00 | 2021-03-21T00:00:00 |
docs/16/date | 2021-03-24T00:00:00 | 2021-03-23T00:00:00 |
docs/17/date | 2021-03-18T00:00:00 | 2021-03-17T00:00:00 |
docs/18/date | 2021-03-18T00:00:00 | 2021-03-17T00:00:00 |
docs/19/date | 2021-02-25T00:00:00 | 2021-02-24T00:00:00 |
docs/15/date | 2021-03-21T00:00:00 | 2021-03-22T00:00:00 |
docs/16/date | 2021-03-21T00:00:00 | 2021-03-22T00:00:00 |
docs/17/date | 2021-03-23T00:00:00 | 2021-03-24T00:00:00 |
docs/18/date | 2021-03-17T00:00:00 | 2021-03-18T00:00:00 |
docs/19/date | 2021-03-17T00:00:00 | 2021-03-18T00:00:00 |
docs/20/date | 2021-02-24T00:00:00 | 2021-02-25T00:00:00 |
docs/14/date | 2021-03-22T00:00:00 | 2021-03-21T00:00:00 |
docs/15/date | 2021-03-22T00:00:00 | 2021-03-21T00:00:00 |
docs/16/date | 2021-03-24T00:00:00 | 2021-03-23T00:00:00 |
docs/17/date | 2021-03-18T00:00:00 | 2021-03-17T00:00:00 |
docs/18/date | 2021-03-18T00:00:00 | 2021-03-17T00:00:00 |
docs/19/date | 2021-02-25T00:00:00 | 2021-02-24T00:00:00 |
docs/15/date | 2021-03-21T00:00:00 | 2021-03-22T00:00:00 |
docs/16/date | 2021-03-21T00:00:00 | 2021-03-22T00:00:00 |
docs/17/date | 2021-03-23T00:00:00 | 2021-03-24T00:00:00 |
docs/18/date | 2021-03-17T00:00:00 | 2021-03-18T00:00:00 |
docs/19/date | 2021-03-17T00:00:00 | 2021-03-18T00:00:00 |
docs/20/date | 2021-02-24T00:00:00 | 2021-02-25T00:00:00 |
procedure/stage_reached | Awaiting signature of act | Procedure completed, awaiting publication in Official Journal |
docs/13/date | 2021-03-22T00:00:00 | 2021-03-21T00:00:00 |
docs/14/date | 2021-03-22T00:00:00 | 2021-03-21T00:00:00 |
docs/15 |
|
docs/15 |
|
docs/15/date |
Old
2021-03-24T00:00:00New
2021-03-23T00:00:00 |
docs/16 |
|
docs/16 |
|
docs/16/date |
Old
2021-03-18T00:00:00New
2021-03-17T00:00:00 |
docs/17 |
|
docs/17 |
|
docs/17/date |
Old
2021-03-18T00:00:00New
2021-03-17T00:00:00 |
docs/18 |
|
docs/18 |
|
docs/18/date |
Old
2021-02-25T00:00:00New
2021-02-24T00:00:00 |
docs/19 |
|
events/0 |
|
docs/0 |
|
docs/13 |
|
docs/14 |
|
docs/14 |
|
docs/14/date |
Old
2021-03-21T00:00:00New
2021-03-22T00:00:00 |
docs/15 |
|
docs/15 |
|
docs/15/date |
Old
2021-03-21T00:00:00New
2021-03-22T00:00:00 |
docs/16 |
|
docs/16 |
|
docs/16/date |
Old
2021-03-23T00:00:00New
2021-03-24T00:00:00 |
docs/17 |
|
docs/17 |
|
docs/17/date |
Old
2021-03-17T00:00:00New
2021-03-18T00:00:00 |
docs/18 |
|
docs/18 |
|
docs/18/date |
Old
2021-03-17T00:00:00New
2021-03-18T00:00:00 |
docs/19 |
|
docs/19/date |
Old
2021-02-24T00:00:00New
2021-02-25T00:00:00 |
events/0 |
|
events/10 |
|
procedure/stage_reached |
Old
Awaiting Council's 1st reading positionNew
Awaiting signature of act |
docs/13 |
|
events/10/summary |
|
events/9/docs |
|
docs/11 |
|
docs/13 |
|
events/9 |
|
events/10 |
|
forecasts |
|
procedure/stage_reached |
Old
Awaiting Parliament's position in 1st readingNew
Awaiting Council's 1st reading position |
forecasts/0 |
|
forecasts/0 |
|
docs/0 |
|
docs/12 |
|
docs/12/date |
Old
2021-03-22T00:00:00New
2021-03-21T00:00:00 |
docs/13 |
|
docs/13 |
|
docs/13/date |
Old
2021-03-22T00:00:00New
2021-03-21T00:00:00 |
docs/14 |
|
docs/14 |
|
docs/14/date |
Old
2021-03-24T00:00:00New
2021-03-23T00:00:00 |
docs/15 |
|
docs/15 |
|
docs/15/date |
Old
2021-03-18T00:00:00New
2021-03-17T00:00:00 |
docs/16 |
|
docs/16 |
|
docs/16/date |
Old
2021-03-18T00:00:00New
2021-03-17T00:00:00 |
docs/17 |
|
docs/17 |
|
docs/17/date |
Old
2021-02-25T00:00:00New
2021-02-24T00:00:00 |
docs/18 |
|
events/0 |
|
docs/0 |
|
docs/12 |
|
docs/13 |
|
docs/13 |
|
docs/13/date |
Old
2021-03-21T00:00:00New
2021-03-22T00:00:00 |
docs/14 |
|
docs/14 |
|
docs/14/date |
Old
2021-03-21T00:00:00New
2021-03-22T00:00:00 |
docs/15 |
|
docs/15 |
|
docs/15/date |
Old
2021-03-23T00:00:00New
2021-03-24T00:00:00 |
docs/16 |
|
docs/16 |
|
docs/16/date |
Old
2021-03-17T00:00:00New
2021-03-18T00:00:00 |
docs/17 |
|
docs/17 |
|
docs/17/date |
Old
2021-03-17T00:00:00New
2021-03-18T00:00:00 |
docs/18 |
|
docs/18/date |
Old
2021-02-24T00:00:00New
2021-02-25T00:00:00 |
events/0 |
|
forecasts/0/date |
Old
2022-10-17T00:00:00New
2022-11-09T00:00:00 |
docs/0 |
|
docs/12 |
|
docs/12/date |
Old
2021-03-22T00:00:00New
2021-03-21T00:00:00 |
docs/13 |
|
docs/13 |
|
docs/13/date |
Old
2021-03-22T00:00:00New
2021-03-21T00:00:00 |
docs/14 |
|
docs/14 |
|
docs/14/date |
Old
2021-03-24T00:00:00New
2021-03-23T00:00:00 |
docs/15 |
|
docs/15 |
|
docs/15/date |
Old
2021-03-18T00:00:00New
2021-03-17T00:00:00 |
docs/16 |
|
docs/16 |
|
docs/16/date |
Old
2021-03-18T00:00:00New
2021-03-17T00:00:00 |
docs/17 |
|
docs/17 |
|
docs/17/date |
Old
2021-02-25T00:00:00New
2021-02-24T00:00:00 |
docs/18 |
|
events/0 |
|
docs/0 |
|
docs/12 |
|
docs/13 |
|
docs/13 |
|
docs/13/date |
Old
2021-03-21T00:00:00New
2021-03-22T00:00:00 |
docs/14 |
|
docs/14 |
|
docs/14/date |
Old
2021-03-21T00:00:00New
2021-03-22T00:00:00 |
docs/15 |
|
docs/15 |
|
docs/15/date |
Old
2021-03-23T00:00:00New
2021-03-24T00:00:00 |
docs/16 |
|
docs/16 |
|
docs/16/date |
Old
2021-03-17T00:00:00New
2021-03-18T00:00:00 |
docs/17 |
|
docs/17 |
|
docs/17/date |
Old
2021-03-17T00:00:00New
2021-03-18T00:00:00 |
docs/18 |
|
docs/18/date |
Old
2021-02-24T00:00:00New
2021-02-25T00:00:00 |
events/0 |
|
docs/11/docs/1/url |
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:C:2022:233:TOC
|
docs/12/docs/0/url |
Old
http://www.connefof.europarl.europa.eu/connefof/app/exp/SWD(2020)0344New
https://connectfolx.europarl.europa.eu/connefof/app/exp/SWD(2020)0344 |
docs/13/docs/0/url |
Old
http://www.connefof.europarl.europa.eu/connefof/app/exp/SWD(2020)0345New
https://connectfolx.europarl.europa.eu/connefof/app/exp/SWD(2020)0345 |
docs/14/docs/0/url |
Old
http://www.connefof.europarl.europa.eu/connefof/app/exp/COM(2020)0823New
https://connectfolx.europarl.europa.eu/connefof/app/exp/COM(2020)0823 |
docs/15/docs/0/url |
Old
http://www.connefof.europarl.europa.eu/connefof/app/exp/COM(2020)0823New
https://connectfolx.europarl.europa.eu/connefof/app/exp/COM(2020)0823 |
docs/16/docs/0/url |
Old
http://www.connefof.europarl.europa.eu/connefof/app/exp/COM(2020)0823New
https://connectfolx.europarl.europa.eu/connefof/app/exp/COM(2020)0823 |
docs/17/docs/0/url |
Old
http://www.connefof.europarl.europa.eu/connefof/app/exp/COM(2020)0823New
https://connectfolx.europarl.europa.eu/connefof/app/exp/COM(2020)0823 |
events/8 |
|
links |
|
procedure/Legislative priorities/1 |
|
forecasts |
|
docs/11/docs/0/url |
https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:52022AB0014:EN:NOT
|
docs/11 |
|
procedure/subject/2.80 |
Cooperation between administrations
|
procedure/subject/3.30.06 |
Information and communication technologies, digital technologies
|
procedure/subject/3.30.07 |
Cybersecurity, cyberspace policy
|
procedure/subject/3.30.25 |
International information networks and society, internet
|
procedure/subject/7.30.09 |
Public security
|
docs/0 |
|
docs/11 |
|
docs/11/date |
Old
2021-03-22T00:00:00New
2021-03-21T00:00:00 |
docs/12 |
|
docs/12 |
|
docs/12/date |
Old
2021-03-22T00:00:00New
2021-03-21T00:00:00 |
docs/13 |
|
docs/13 |
|
docs/13/date |
Old
2021-03-24T00:00:00New
2021-03-23T00:00:00 |
docs/14 |
|
docs/14 |
|
docs/14/date |
Old
2021-03-18T00:00:00New
2021-03-17T00:00:00 |
docs/15 |
|
docs/15 |
|
docs/15/date |
Old
2021-03-18T00:00:00New
2021-03-17T00:00:00 |
docs/16 |
|
docs/16 |
|
docs/16/date |
Old
2021-02-25T00:00:00New
2021-02-24T00:00:00 |
docs/17 |
|
events/0 |
|
procedure/subject/2.80 |
Cooperation between administrations
|
procedure/subject/3.30.06 |
Information and communication technologies, digital technologies
|
procedure/subject/3.30.07 |
Cybersecurity, cyberspace policy
|
procedure/subject/3.30.25 |
International information networks and society, internet
|
procedure/subject/7.30.09 |
Public security
|
docs/15/body |
Old
PT_PARLIAMENTNew
ES_PARLIAMENT |
docs/16/body |
Old
ES_PARLIAMENTNew
PT_PARLIAMENT |
docs/17/body |
Old
PT_PARLIAMENTNew
CZ_CHAMBER |
docs/17/date |
Old
2021-03-18T00:00:00New
2021-02-25T00:00:00 |