Progress: Procedure completed
Role | Committee | Rapporteur | Shadows |
---|---|---|---|
Lead | ITRE | VIRKKUNEN Henna (EPP) | KUMPULA-NATRI Miapetra (S&D), BILBAO BARANDICA Izaskun (Renew), PEKSA Mikuláš (Verts/ALE), BUCHHEIT Markus (ID), TOŠENOVSKÝ Evžen (ECR), BOTENGA Marc (GUE/NGL) |
Committee Opinion | BUDG | UŠAKOVS Nils (S&D) | Dimitrios PAPADIMOULIS (GUE/NGL), Petri SARVAMAA (PPE) |
Committee Opinion | LIBE | TOBÉ Tomas (EPP) | Patrick BREYER (Verts/ALE) |
Committee Opinion | AFCO | GREGOROVÁ Markéta (Verts/ALE) | Miapetra KUMPULA-NATRI (S&D), Maite PAGAZAURTUNDÚA (RE), Helmut SCHOLZ (GUE/NGL) |
Legal Basis:
Euratom Treaty A 106a-pa, RoP 57, TFEU 298-p2
Events
The European Parliament adopted by 557 votes to 0, with 27 abstentions, a legislative resolution on the proposal for a regulation of the European Parliament and of the Council laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union.
The European Parliament adopted its position at first reading under the ordinary legislative procedure.
Subject matter
This Regulation lays down measures that aim to achieve a high common level of cybersecurity within Union entities with regard to:
- the establishment by each Union entity of an internal cybersecurity risk-management, governance and control framework;
- cybersecurity risk management, reporting and information sharing;
- the organisation, functioning and operation of the Interinstitutional Cybersecurity Board as well as the organisation, functioning and operation of the Cybersecurity Service for the Union institutions, bodies, offices and agencies (CERT-EU);
- the monitoring of the implementation of this Regulation.
Cybersecurity risk-management, governance and control framework
Each Union entity should, after carrying out an initial cybersecurity review, such as an audit, establish an internal cybersecurity risk-management, governance and control framework. The establishment of the Framework should be overseen by and under the responsibility of the Union entity's highest level of management. The Framework should be based on an all-hazards approach. It should ensure a high level of cybersecurity and be reviewed on a regular basis, in light of the changing cybersecurity risks, and at least every four years.
Each Union entity should appoint a local cybersecurity officer or an equivalent function who should act as its single point of contact regarding all aspects of cybersecurity. The local cybersecurity officer should facilitate the implementation of this Regulation and report directly to the highest level of management on a regular basis on the state of the implementation.
Cybersecurity risk-management measures
Without undue delay and in any event by 20 months from the date of entry into force of this Regulation, each Union entity should, under the oversight of its highest level of management, take appropriate and proportionate technical, operational and organisational measures to manage the cybersecurity risks identified under the Framework, and to prevent or minimise the impact of incidents. Those measures should ensure a level of security of network and information systems across the entirety of the ICT environment commensurate to the cybersecurity risks posed. When assessing the proportionality of those measures, due account should be taken of the degree of the Union entity’s exposure to cybersecurity risks, its size and the likelihood of occurrence of incidents and their severity, including their societal, economic and interinstitutional impact.
Cybersecurity plans
Following the conclusion of the cybersecurity maturity assessment carried out pursuant to the Regulation and taking into account the assets and cybersecurity risks identified in the Framework, as well as the cybersecurity risk-management measures, the highest level of management of each Union entity should approve a cybersecurity plan without undue delay and in any event by 24 months from the date of entry into force of this Regulation.
Interinstitutional Cybersecurity Board
The Regulation establishes the Interinstitutional Cybersecurity Board (IICB) to facilitate a high common level of cybersecurity among Union entities. The IICB monitors and supports the implementation of the Regulation by Union entities, oversees the implementation of the general priorities and objectives of CERT-EU and provides strategic direction to CERT-EU.
In order to support Union entities, the IICB should provide guidance to the Head of CERT-EU, adopt a multiannual strategy on raising the level of cybersecurity in the Union entities, establish the methodology for and other aspects of voluntary peer reviews, and facilitate the establishment of an informal group of local cybersecurity officers, supported by the European Union Agency for Cybersecurity (ENISA), with the aim of exchanging best practices and information in relation to the implementation of this Regulation.
CERT-EU should collect, manage, analyse and share information with the Union entities on cyber threats, vulnerabilities and incidents in unclassified ICT infrastructure. It should coordinate responses to incidents at interinstitutional and Union entity level, including by providing or coordinating the provision of specialised operational assistance.
Reporting obligations
This Regulation lays down a multiple-stage approach to the reporting of significant incidents. All Union entities must inform CERT-EU of any incident with a significant impact. An incident should be considered to be significant if: (a) it has caused or is capable of causing severe operational disruption to the functioning of, or financial loss to, the Union entity concerned; (b) it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.
Union entities should submit to CERT-EU:
- without undue delay and in any event within 24 hours of becoming aware of the significant incident, an early warning, which, where applicable, shall indicate that the significant incident is suspected of being caused by unlawful or malicious acts or could have a cross-entity or a cross-border impact;
- without undue delay and in any event within 72 hours of becoming aware of the significant incident, an incident notification, which, where applicable, shall update the information provided in the early warning and indicate an initial assessment of the significant incident, including its severity and impact, as well as, where available, the indicators of compromise;
- a final report not later than one month after the submission of the incident notification, including the following: (i) a detailed description of the incident, including its severity and impact; (ii) the type of threat or root cause that is likely to have triggered the incident; (iii) applied and ongoing mitigation measures; (iv) where applicable, the cross-border or cross-entity impact of the incident.
A Union entity should, without undue delay and in any event within 24 hours of becoming aware of a significant incident, inform any relevant Member State counterparts in the Member State where it is located that a significant incident has occurred.
The amended text specifies that the processing, by CERT-EU, the Interinstitutional Cybersecurity Board and Union entities, of personal data under the Regulation must be carried out in accordance with Regulation (EU) 2018/1725 on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data.
The Committee on Industry, Research and Energy adopted the report by Henna VIRKKUNEN (EPP, FI) on the proposal for a regulation of the European Parliament and of the Council laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union.
The committee responsible recommended that the European Parliament's position adopted at first reading under the ordinary legislative procedure should amend the proposal as follows:
Subject-matter
This Regulation lays down measures that aim to achieve a high common level of cybersecurity in Union entities. To that end, this Regulation lays down:
- obligations that require Union entities to establish a cybersecurity risk management, handling of incidents, governance and control framework;
- cybersecurity risk management and reporting obligations for Union entities;
- rules underpinning information sharing obligations and the facilitation of voluntary information sharing arrangements with regard to Union entities;
- rules on the organisation, tasks and operation of the Cybersecurity Centre for the Union entities (CERT-EU) and on the functioning, organisation and operation of the Interinstitutional Cybersecurity Board (IICB).
Risk management, handling of incidents, governance and control framework
On the basis of a full cybersecurity audit, each Union entity should establish its own cybersecurity risk management, handling of incidents, governance and control framework. The establishment of the framework should be overseen by the Union entity's highest level of management.
The risk management framework should (i) define the strategic objectives to ensure a high level of cybersecurity in the Union entities; (ii) lay down cybersecurity policies for the security of network and information systems encompassing the entirety of the ICT environment, and define the roles and responsibilities of staff of the Union entities tasked with ensuring the effective implementation of this Regulation; (iii) include the key performance indicators (KPIs).
The framework should be reviewed regularly and at least every three years.
Cybersecurity risk management measures
Risk management measures should ensure a level of security for networks and information systems across the ICT environment that is appropriate to the risks identified in the risk management framework, taking into account the state of the art and, where appropriate, applicable European and international standards or available European cybersecurity certificates.
When assessing the proportionality of those measures, due account should be taken of the degree of the Union entity’s exposure to risks, its size, the likelihood of occurrence of incidents and their severity, including their societal, economic and interinstitutional impact.
The Interinstitutional Cybersecurity Board
The IICB aims to support entities in elevating their respective cybersecurity postures by implementing this Regulation. In order to support Union entities, the IICB should: (i) adopt guidance and recommendations required for Union entities’ cybersecurity maturity assessments and cybersecurity plans, (ii) review possible interconnections between Union entities’ ICT environments and (iii) support the establishment of a Cybersecurity Officers Group under ENISA, comprising the Local Cybersecurity Officers of all Union entities with an aim to facilitate the sharing of best practices and experiences gained from the implementation of this Regulation.
Where the IICB finds that a Union entity has not effectively applied or implemented this Regulation, it may, without prejudice to the internal procedures of the Union entity concerned: (i) request relevant and available documentation relating to the effective implementation of the provisions of this Regulation, (ii) communicate a reasoned opinion with observed gaps in the implementation of this Regulation, (iii) invite the Union entity concerned to provide a self-assessment on its reasoned opinion and (iv) issue, in cooperation with CERT-EU, guidance to bring its respective risk management, governance and control framework, cybersecurity risk-management measures, cybersecurity plans and reporting obligations into line with this Regulation.
CERT-EU mission and tasks
The mission of CERT-EU, the autonomous interinstitutional Cybersecurity Centre for all Union entities, should be to contribute to the security of the unclassified ICT environment of all Union entities and to provide them with services analogous to those of the CSIRTs established by the Member States, in particular by advising them on cybersecurity and by helping them to prevent, detect, handle, mitigate, respond to and recover from incidents. CERT-EU is an autonomous interinstitutional service provider for all Union entities, integrated into the administrative structure of a Commission Directorate-General in order to benefit from the Commission's administrative, financial, management and accounting support structures.
Reporting obligations
This Regulation lays down a multiple-stage approach to the reporting of significant incidents. All Union entities should report to CERT-EU any incident that has a significant impact. An incident should be considered to be significant if: (a) it has caused or is capable of causing severe operational disruption of the service or financial losses for the entity concerned; (b) it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.
The Union entities should notify, inter alia, any information enabling the CERT-EU to determine any cross-entities impact, impact on the hosting Member State or cross border impact following a significant incident. All Union entities should submit to CERT-EU:
- without undue delay and in any event within 24 hours of becoming aware of the significant incident, an early warning, which, where applicable, should indicate whether the significant incident is suspected of being caused by unlawful or malicious acts or could have a cross-entity or a cross-border impact;
- without undue delay and in any event within 72 hours of becoming aware of the significant incident, an incident report.
CERT-EU should coordinate among the Union entities the handling of major incidents.
PURPOSE: to establish measures to ensure a high common level of cybersecurity in the Union institutions, bodies and agencies.
PROPOSED ACT: Regulation of the European Parliament and of the Council.
ROLE OF THE EUROPEAN PARLIAMENT: the European Parliament decides in accordance with the ordinary legislative procedure and on an equal footing with the Council.
BACKGROUND: evolving technology and the increased complexity and interconnectedness of digital systems amplify cybersecurity risks, making the Union administration more vulnerable to cyber threats and incidents.
From 2019 to 2021, the number of significant incidents affecting Union institutions, bodies and agencies and carried out by advanced persistent threat actors surged dramatically. The first half of 2021 alone saw as many significant incidents as the whole of 2020.
The Centre for Cybersecurity of the EU Institutions, Bodies and Agencies (CERT-EU) has assessed the main cyber threats to which the EU institutions, bodies and agencies are currently exposed or are likely to be exposed in the foreseeable future. The analysis examined the influence of major ongoing shifts affecting the ways in which the EU institutions manage and use their IT infrastructures and services. These shifts include the increase in teleworking, the migration of systems to the cloud and the increased outsourcing of IT services.
The analysis of the 20 Union institutions, bodies and agencies shows that their governance, cyber-hygiene, overall capability and maturity vary over a broad spectrum. Therefore, requiring all Union institutions, bodies and agencies to implement a baseline of cybersecurity measures is instrumental to address this disparity in maturity and to bring all Union institutions, bodies and agencies to a high common level of cybersecurity.
This proposal builds on the EU Strategy for the Security Union and the EU’s Cybersecurity Strategy for the Digital Decade.
CONTENT: this proposal establishes a framework to ensure common rules and measures on cybersecurity within the Union institutions, bodies, offices and agencies to enable them to perform their respective tasks in an open, efficient and independent manner. It aims to improve all entities’ resilience and incident response capacities.
The proposed Regulation:
- obliges the Union institutions, bodies, offices and agencies to (i) establish an internal framework for the management, governance and control of cybersecurity risks, ensuring effective and prudent management of all such risks, (ii) adopt a cybersecurity baseline to address the risks identified through this framework, (iii) carry out a cybersecurity maturity assessment covering all elements of their IT environment at least every three years, and (iv) adopt a cybersecurity plan;
- establishes an inter-institutional cybersecurity board to monitor the implementation of this Regulation by the Union institutions, bodies, offices and agencies, as well as to supervise the implementation of general priorities and objectives by CERT-EU and to provide strategic direction to CERT-EU;
- defines the tasks and mission of CERT-EU as an autonomous inter-institutional cybersecurity centre at the service of all EU institutions, bodies, offices and agencies. CERT-EU will contribute to the security of the unclassified IT environment of all Union institutions, bodies and agencies by advising them on cybersecurity, by helping them to prevent, detect, mitigate and respond to incidents and by acting as their cybersecurity information exchange and incident response coordination hub;
- ensures cooperation and the exchange of information between CERT-EU and the Union institutions, bodies and agencies in order to develop trust and confidence. To this end, CERT-EU may request Union institutions, bodies and agencies to provide it with relevant information, and CERT-EU may exchange incident-specific information with Union institutions, bodies and agencies to facilitate detection of similar cyber threats or incidents without the consent of the affected constituent. CERT-EU may only exchange incident-specific information which reveals the identity of the target of the cybersecurity incident with the consent of the affected constituent;
- obliges all EU institutions, bodies, offices and agencies to notify CERT-EU of significant cyber threats, significant vulnerabilities and significant incidents without undue delay and in any event no later than 24 hours after becoming aware of them.
Budgetary implications
According to studies, direct cybersecurity spending has tended to vary between 4 and 7% of the aggregated IT expenditures of organisations. However, the threat analysis undertaken by CERT-EU in support of this legislative proposal indicates that international bodies and political organisations face increased risks and therefore a level of 10% of IT spending on cybersecurity would seem a more adequate target.
The exact cost of such efforts cannot be determined due to the lack of detailed information on IT expenditure of the Union institutions, bodies and agencies and the relevant share of cybersecurity spending.
CERT-EU will require additional resources to fulfil its expanded role and these resources should be reallocated from the Union institutions, bodies and agencies benefitting from CERT-EU’s services.
Documents
- Final act published in Official Journal: Regulation 2023/2841
- Final act published in Official Journal: OJ L 000 18.12.2023, p. 0000
- Draft final act: 00057/2023/LEX
- Decision by Parliament, 1st reading: T9-0398/2023
- Approval in committee of the text agreed at 1st reading interinstitutional negotiations: PE753.446
- Approval in committee of the text agreed at 1st reading interinstitutional negotiations: GEDA/A/(2023)005465
- Coreper letter confirming interinstitutional agreement: GEDA/A/(2023)005465
- Text agreed during interinstitutional negotiations: PE753.446
- Committee report tabled for plenary, 1st reading: A9-0064/2023
- Committee opinion: PE739.801
- Committee opinion: PE730.184
- Amendments tabled in committee: PE738.403
- Committee draft report: PE737.231
- Committee opinion: PE732.682
- Document attached to the procedure: OJ C 258 05.07.2022, p. 0010
- Document attached to the procedure: N9-0039/2022
- Document attached to the procedure: SWD(2022)0067
- Document attached to the procedure: SWD(2022)0068
- Legislative proposal published: COM(2022)0122
Votes
High common level of cybersecurity at the institutions, bodies, offices and agencies of the Union – A9-0064/2023 – Henna Virkkunen – Provisional agreement – Am 2 #
Amendments | Dossier |
---|---|
469 | 2022/0085(COD) |
2022/06/24, BUDG: 18 amendments...
Amendment 14 #
Proposal for a regulation Recital 8 (8) In order to avoid imposing a disproportionate financial and administrative burden on Union institutions, bodies and agencies, the cybersecurity risk management requirements should be proportionate to the risk presented by the network and information system concerned, taking into account the state of the art of such measures. Each Union institution, body and agency should aim to allocate
Amendment 15 #
Proposal for a regulation Recital 8 (8) In order to avoid imposing a disproportionate financial and administrative burden on Union
Amendment 16 #
Proposal for a regulation Recital 8 a (new) (8 a) In the current geopolitical context, it is essential that the confidentiality of data be protected 24 hours a day, 7 days a week against cyber threats by specialised and operational teams.
Amendment 17 #
Proposal for a regulation Recital 8 a (new) (8 a) In order to be able to guarantee an effective cybersecurity framework, CERT-EU requires stable, highly qualified and specialised staff. Those staff should have access to continuous training programs.
Amendment 18 #
Proposal for a regulation Recital 8 a (new) (8 a) Prior to the allocation of additional staff resources, the Commission should conduct an analysis of the needs, including with regards to the long-term perspective.
Amendment 19 #
Proposal for a regulation Recital 10 a (new) (10 a) In its report of 15 February 2022 "Preliminary Remarks on Modern Spyware", the EDPS invited Member States to renounce the use and development on European soil of software such as Pegasus which might affect the right to privacy, democracy and the rule of law, and could therefore be incompatible with the democratic values and the legal order of the Union;
Amendment 20 #
Proposal for a regulation Recital 11 (11) In May 2011, the Secretaries-General of the Union institutions and bodies decided to establish a pre-configuration team for a computer emergency response team for the Union's institutions, bodies and agencies (CERT-EU) supervised by an inter-institutional Steering Board. In July 2012, the Secretaries-General confirmed the practical arrangements and agreed to maintain CERT-EU as a permanent entity to continue to help improve the overall level of information technology security of the Union's institutions, bodies and agencies as an example of visible inter-institutional cooperation in cybersecurity. In September 2012, CERT-EU was established as a permanent Taskforce of the European Commission with an interinstitutional mandate. In December 2017, the Union institutions and bodies concluded an interinstitutional arrangement on the organisation and operation of CERT-EU [3]. This arrangement should continue to evolve to support the implementation of this Regulation. [3] OJ C 12, 13.1.2018, p. 1–11.
Amendment 21 #
Proposal for a regulation Recital 14 (14) In addition to giving CERT-EU more tasks and an expanded role, an Interinstitutional Cybersecurity Board (IICB) should be established, which should facilitate a high common level of cybersecurity among Union institutions, bodies and agencies by monitoring the implementation of this Regulation by the Union institutions, bodies and agencies and by supervising implementation of general priorities and objectives by CERT-EU and providing strategic direction to CERT-EU. The IICB should ensure representation of the institutions and include representatives of agencies and bodies through the Union Agencies Network and enforce a gender balanced appointment procedure. The IICB should require that all its members nominate a gender balanced representation.
Amendment 22 #
Proposal for a regulation Recital 24 a (new)
Amendment 23 #
Proposal for a regulation Recital 25 a (new) (25 a) On 9 March 2022, the EU Ministers of Telecommunications signed a declaration calling on the Commission to create an Emergency Response fund for cybersecurity to prepare the Union to face up to a large-scale cyber-threat. They ask the Cyber authorities concerned to make recommendations aimed at strengthening the empowerment and the resilience of Europe's digital infrastructures and connexions.
Amendment 24 #
Proposal for a regulation Article 4 – paragraph 4 4. Each Union institution, body and agency shall have effective mechanisms in
Amendment 25 #
Proposal for a regulation Article 4 – paragraph 4 a (new) 4 a. Each Union institution, body and agency shall ensure that the gender equality and gender balance principles apply in their appointments to CERT-EU as well as in the allocation of their human resources for cyber security. Targeted training and adequate resources shall be devoted to promoting the employment of women in the area of cybersecurity within all Union institutions, bodies and agencies in order to help to close the digital gender gap.
Amendment 26 #
Proposal for a regulation Article 9 – paragraph 3 – subparagraph 2 Members may be assisted by an alternate. Other representatives of the organisations listed above or of other Union institutions, bodies and agencies may be invited by the chair to attend IICB meetings without
Amendment 27 #
Proposal for a regulation Article 12 – paragraph 7 a (new) 7 a. If the demand for chargeable services is higher than CERT-EU’s available resources to provide for these services, CERT-EU shall prioritise demands based on a risk analysis and the risk profile of the institutions, bodies and agencies.
Amendment 28 #
Proposal for a regulation Article 15 – paragraph 2
Amendment 29 #
Proposal for a regulation Article 15 – paragraph 3 3. CERT-EU tasks and activities, including services provided by CERT-EU pursuant to Article 12(2), (3), (4), (6), and Article 13(1) to Union institutions, bodies and agencies financed from the heading of the multiannual financial framework dedicated to European public administration, shall be funded through a distinct budget line of the Commission budget. CERT-EU earmarked posts shall be detailed in a footnote to the Commission establishment plan. The posts that are temporarily assigned shall be kept in the establishment plan of the donor institution during the temporary assignment, signalled with a footnote.
Amendment 30 #
Proposal for a regulation Article 15 – paragraph 3 3. CERT-EU tasks and activities, including services provided by CERT-EU pursuant to Article 12(2), (3), (4), (6), and Article 13(1) to Union institutions, bodies and agencies financed from the heading of the multiannual financial framework dedicated to European public administration, shall be funded through a distinct budget line of the Commission budget. CERT-EU earmarked posts shall be detailed in a footnote to the Commission establishment plan. This establishment plan shall be subject to a mid-term review every 2.5 years.
Amendment 31 #
Proposal for a regulation Article 23 – paragraph 1 The Commission shall propose the reallocation of staff and financial resources from relevant Union institutions, bodies and agencies to the Commission budget. Th
source: 734.223
2022/10/28, ITRE: 309 amendments...
Amendment 100 #
Proposal for a regulation Recital 7 (7) The differences between Union institutions, bodies and agencies require flexibility in the implementation since one size will not fit all.
Amendment 101 #
Proposal for a regulation Recital 7 (7) The differences between Union
Amendment 102 #
Proposal for a regulation Recital 7 (7) The differences between Union institutions, bodies and agencies require flexibility in the implementation since one size will not fit all. The measures for a high common level of cybersecurity should not include any obligations directly interfering with the exercise of the missions of Union institutions, bodies and agencies or encroaching on their institutional autonomy. Thus, those institutions, bodies and agencies should establish their own frameworks for cybersecurity risk management, handling of incidents, governance and control, and adopt their own baselines and cybersecurity plans.
Amendment 103 #
Proposal for a regulation Recital 8 (8) In order to avoid imposing a disproportionate financial and administrative burden on Union institutions, bodies and agencies, the cybersecurity risk management requirements should be proportionate to the risk presented by the network and information system concerned, taking into account the state of the art of such measures. Each Union institution, body and agency should aim to allocate an adequate percentage of its IT budget to improve its level of cybersecurity; in the longer term a target in the order of 10% should be pursued, provided that the budget increase is essentially devoted to the employment of new qualified staff.
Amendment 104 #
Proposal for a regulation Recital 8 (8) In order to avoid imposing a disproportionate financial and administrative burden on Union institutions, bodies and agencies, the cybersecurity risk management requirements should be proportionate to the risk presented by the network and information system concerned, taking into account the state of the art of such measures. Each Union institution, body and agency should aim to allocate an adequate percentage of its IT budget to improve its
Amendment 105 #
Proposal for a regulation Recital 9 (9) A high common level of cybersecurity requires cybersecurity to come under the oversight of the highest level of management of each Union institution, body and agency, who should
Amendment 106 #
(9) A high common level of cybersecurity requires cybersecurity to come under the oversight of an EU common board working with the highest level of management of each Union institution, body and agency, who should approve a cybersecurity baseline that should address the risks identified under the framework to be established by each institution, body and agency. Addressing the cybersecurity culture, i.e. the daily practice of cybersecurity,
Amendment 107 #
Proposal for a regulation Recital 9 (9) A high common level of cybersecurity requires cybersecurity to come under the oversight of the highest level of management of each Union institution, body and agency, who should approve a cybersecurity
Amendment 108 #
Proposal for a regulation Recital 10 (10) Union institutions, bodies and agencies should assess risks related to relationships with suppliers and service providers, including providers of data storage and processing services or managed security services, and take appropriate measures to address them. These measures should form part of the cybersecurity baseline and be further specified in guidance documents or recommendations issued by CERT-EU. When defining measures and guidelines, due account should be taken of relevant EU legislation and policies, including risk assessments and recommendations issued by the NIS Cooperation Group, such as the EU Coordinated risk assessment and EU Toolbox on 5G cybersecurity. In addition, considering the threat landscape and the importance of building up resilience for the Union institutions, bodies and agencies certification of relevant ICT products, services and processes
Amendment 109 #
Proposal for a regulation Recital 10 (10) Union institutions, bodies and agencies should assess risks related to relationships with suppliers and service
Amendment 110 #
Proposal for a regulation Recital 11 (11) In May 2011, the Secretaries-General of the Union institutions and bodies decided to establish a pre-configuration team for a computer emergency response team for the Union’s institutions, bodies and agencies (CERT-EU) supervised by an inter-institutional Steering Board. In July 2012, the Secretaries-General confirmed the practical arrangements and agreed to maintain CERT-EU as a permanent entity to continue to help improve the overall level of information technology security of the Union’s institutions, bodies and agencies as an example of visible inter-institutional
Amendment 111 #
Proposal for a regulation Recital 12
Amendment 112 #
Proposal for a regulation Recital 13 (13) Many cyberattacks are part of wider campaigns that target groups of Union institutions, bodies and agencies or communities of interest that include Union institutions, bodies and agencies. To enable proactive detection, incident response or mitigating measures, Union institutions, bodies and agencies should notify CERT-EU of significant cyber threats, significant vulnerabilities, near misses and significant incidents and share appropriate technical details that enable detection or mitigation of, as well as response to, similar cyber threats, vulnerabilities, near misses and incidents in other Union institutions, bodies and agencies. Following the same approach as the one envisaged in Directive [proposal NIS 2], where entities become aware of a significant incident they should be required to submit an
Amendment 113 #
Proposal for a regulation Recital 13 (13) Many cyberattacks are part of wider campaigns that target groups of Union institutions, bodies and agencies or communities of interest that include Union institutions, bodies and agencies. To enable proactive detection, incident response or mitigating measures, and recovery from significant incidents, Union institutions, bodies and agencies should notify CERT-EU of significant
Amendment 114 #
Proposal for a regulation Recital 13 a (new) (13 a) This Regulation lays down a multiple-stage approach to the reporting of significant incidents in order to strike the right balance between, on the one hand, swift reporting that helps mitigate the potential spread of incidents and allows entities to seek support, and, on the other hand, in-depth reporting that draws valuable lessons from individual incidents and improves over time the resilience of individual Union institutions, bodies, offices and agencies and contributes to increasing the overall cybersecurity posture of the European administration. In this regard, the Regulation should also include reporting of incidents that, based on an initial assessment performed by the Union institution, body, office or agency, may be assumed to lead to severe operational disruption or financial losses or affect other natural or legal persons by causing considerable material or non-material losses. Such initial assessment should take into account, amongst others, the affected network and information systems and in particular their importance for the functioning and operations of the Union institution, body, office or agency, the severity and technical characteristics of a cyber threat and any underlying vulnerabilities that are being exploited, as well as the Union institution, body, office or agency’s experience with similar incidents. Indicators such as the extent to which the functioning of the Union institution, body, office or agency is affected, the duration of an incident or the number of affected users could play an important role in defining whether the operational disruption of the service is of a severe nature.
Amendment 115 #
Proposal for a regulation Recital 14 (14) In addition to giving CERT-EU
Amendment 116 #
Proposal for a regulation Recital 14 a (new) (14 a) The IICB’s function is aimed at supporting Union institutions, bodies, offices and agencies in elevating their respective cybersecurity postures by implementing the provisions of this Regulation. In order to support Union institutions, bodies, office and agencies, the IICB could adopt guidance and recommendations towards Union institutions, bodies, offices and agencies’ cybersecurity maturity assessments and cybersecurity plans, review possible interconnections between Union institutions, bodies, offices and agencies’ ICT environments and support the establishment of a Cybersecurity Officers Group under ENISA, gathering the Local Cybersecurity Officers of all Union institutions, bodies, offices and agencies with an aim to facilitate the sharing of best practices and experiences gained from the implementation of this Regulation.
Amendment 117 #
Proposal for a regulation Recital 14 b (new) (14 b) In order to ensure alignment with Directive [proposal NIS 2], the IICB could adopt recommendations based on the results of EU coordinated risk assessments of critical supply chains referred to in Article19 of Directive [proposal NIS 2] to support Union institutions, bodies, offices and agencies in adopting effective and proportionate risk management measures relating to supply chain security and develop guidelines for information sharing arrangements of Union institutions, bodies, offices and agencies relating to the voluntary notification of cyber threats, near misses and incidents to CERT-EU.
Amendment 118 #
Proposal for a regulation Recital 16 (16) The IICB should monitor compliance with this Regulation as well as follow-up of guidance documents and recommendations, and calls for action issued by CERT-EU. The IICB should be supported on technical matters by technical advisory groups
Amendment 119 #
Proposal for a regulation Recital 16 a (new) (16 a) Where the IICB finds that Union institutions, bodies, offices or agencies have not effectively applied or implemented this Regulation it could, without prejudice to the internal procedures of the relevant Union institution, body, office or agency, request relevant and available documentation relating to the effective implementation of the provisions of this Regulation, communicate a reasoned opinion with observed gaps in the implementation of this Regulation, invite the Union institution, body, office or agency concerned to provide a self-assessment on its reasoned and issue, in cooperation with CERT-EU, guidance to bring its respective risk management, governance and control framework, cybersecurity risk management measures, cybersecurity plans and reporting obligations in compliance with this Regulation.
Amendment 120 #
Proposal for a regulation Recital 17 (17) CERT-EU should have the mission to contribute to the security of the ICT environment of all Union institutions, bodies, offices and agencies. Where appropriate, and in coordination with the Union institutions, bodies, offices and agencies, CERT-EU may propose to the IICB for its approval, a proposal for a coordinated cyber insurance policy covering Union institutions, bodies, offices and agencies, in order to establish first and third-party coverage to address the potential impact of incidents. CERT-EU should act as the equivalent of the designated coordinator for the Union institutions, bodies and agencies, for the purpose of coordinated vulnerability disclosure to the European vulnerability registry as referred to in Article 6 of Directive [proposal NIS 2].
Amendment 121 #
Proposal for a regulation Recital 19 (19) CERT-EU should also fulfil the role provided for it in Directive [proposal NIS 2] concerning cooperation and information exchange with the computer security incident response teams (CSIRTs) network. Moreover, in line with Commission Recommendation (EU) 2017/1584, CERT-EU should cooperate and coordinate on the response with the relevant stakeholders. In order to contribute to a high level of cybersecurity across the Union, CERT-EU should share incident-specific information with national counterparts. CERT-EU should also collaborate with other public as well as private counterparts,
Amendment 122 #
Proposal for a regulation Recital 20 (20) In supporting operational cybersecurity, CERT-EU should make use of the available expertise of the European Union Agency for Cybersecurity through structured cooperation as provided for in
Amendment 123 #
Proposal for a regulation Recital 20 (20) In supporting operational cybersecurity, CERT-EU should make use of the available expertise of the European Union Agency for Cybersecurity (ENISA) through structured cooperation as provided for in Regulation (EU) 2019/881 of the European Parliament and of the Council. Where appropriate, dedicated arrangements between the two entities should be established to define the practical implementation of such cooperation and to avoid the duplication of activities. CERT-
Amendment 124 #
Proposal for a regulation Recital 24 (24) As the services and tasks of CERT-EU are in the interest of all Union institutions, bodies and agencies, each Union institution, body and agency with IT expenditure should contribute
Amendment 125 #
Proposal for a regulation Recital 24 a (new) (24 a) This Regulation should however reflect that, apart from the Union institutions, most Union entities, and particularly the small ones, do not have the necessary financial and human resources to dedicate to additional cybersecurity tasks.
Amendment 126 #
Proposal for a regulation Recital 25 (25) The IICB, with the assistance of CERT-EU, should review and evaluate the implementation of this Regulation and should report its findings to the Commission. Building on this input, the Commission should report to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions every year.
Amendment 127 #
Proposal for a regulation Recital 25 a (new) (25 a) The tasks of supervision, advice and control assigned to CERT-EU and the IICB require that the Regulation ensure the maximum cybersecurity cooperation among the Union institutions, bodies, offices and agencies. This cooperation between them would be facilitated if mechanisms for exchanging and logging transmitted information are in place and ensure both the authenticity (integrity and non-repudiation) of the information and transparency for all Union institutions, bodies, offices and agencies. Where such mechanisms may already exist, it is important that CERT-EU evaluates, among the existing solutions or those that can be implemented, the solution that will ensure the best cooperation with the greatest transparency. After validation by the IICB, CERT-EU should implement this solution.
Amendment 128 #
Proposal for a regulation Recital 25 a (new) (25 a) The European Data Protection Supervisor was consulted in accordance with Article 42 of Regulation (EU) 2018/1725 of the European Parliament and of the Council and delivered an opinion on 17 May 2022.
Amendment 129 #
Proposal for a regulation Recital 25 b (new) (25 b) All cybersecurity systems and services involved in the prevention, detection, and response to cyber threats should be compliant with the current data protection and privacy framework, and should take relevant technical and organisational safeguards to ensure this compliance in an accountable way.
Amendment 130 #
Proposal for a regulation Recital 25 c (new) (25 c) The use of technologies for improving cybersecurity should not unduly interfere with the rights and freedoms of individuals. To avoid or mitigate those risks, the data protection by design and by default requirements laid down in Article 27 of Regulation (EU) 2018/1725 should apply. Appropriate safeguards include pseudonymisation, encryption, data accuracy and data minimisation in the design, development and use of cybersecurity technologies and systems.
Amendment 131 #
Proposal for a regulation Recital 25 d (new) (25 d) A peer-review mechanism should be introduced, allowing the assessment by experts drawn from one institution and one body or agency different from the one being reviewed of the implementation of cybersecurity policies, including the level of institutions, bodies and agencies’ capabilities and available resources.
Amendment 132 #
Proposal for a regulation Article 1 – paragraph -1 (new) -1 This Regulation lays down measures aiming to achieve a high common level of cybersecurity within Union institutions, bodies, offices and agencies;
Amendment 133 #
Proposal for a regulation Article 1 – paragraph 1 – introductory part
Amendment 134 #
Proposal for a regulation Article 1 – paragraph 1 – point a (a) obligations on Union institutions, bodies and agencies to establish an internal cybersecurity risk management, handling of incidents, governance and control framework;
Amendment 135 #
Proposal for a regulation Article 1 – paragraph 1 – point a (a) obligations on Union institutions, bodies, offices and agencies to establish an internal cybersecurity risk management, governance and control framework; (This amendment applies across the text, adding the word "offices" and aligning the reference to Union institutions, bodies, offices and agencies with the title whenever the wording "Union institutions, bodies and agencies" is used)
Amendment 136 #
Proposal for a regulation Article 1 – paragraph 1 – point a (a) obligations on Union institutions, bodies, offices and agencies to establish a
Amendment 137 #
Proposal for a regulation Article 1 – paragraph 1 – point b a (new) (b a) rules underpinning information sharing obligations and the facilitation of voluntary information sharing arrangements for Union institutions, bodies, offices and agencies;
Amendment 138 #
Proposal for a regulation Article 1 – paragraph 1 – point c (c) rules on the organisation, tasks and operation of the Cybersecurity Centre for the Union institutions, bodies, offices and agencies (CERT-EU) and on the functioning, organisation and operation of the Interinstitutional Cybersecurity Board (IICB).
Amendment 139 #
Proposal for a regulation Article 1 – paragraph 1 – point c (c) rules on the organisation and operation of the
Amendment 140 #
Proposal for a regulation Article 2 – paragraph 1 This Regulation applies to
Amendment 141 #
Proposal for a regulation Article 2 a (new) Article 2 a Processing of Personal Data The processing of personal data under this Regulation by CERT-EU, the IICB and all Union institutions, bodies, offices and agencies shall be carried out in compliance with Regulation (EU) 2018/1725 of the European Parliament and of the Council.
Amendment 142 #
Proposal for a regulation Article 3 – paragraph 1 – point 1 a (new) (1 a) ‘ICT environment’ means the entire on-premise ICT environment of Union entities (covering also dislocated premises and decentralised offices, such as the Liaison Offices, Representative Offices or Local Offices), outsourced assets and services in cloud computing environments or hosted by third parties, mobile devices, corporate networks, business networks not connected to the internet and any connected devices;
Amendment 143 #
Proposal for a regulation Article 3 – paragraph 1 – point 2 (2) ‘network and information system’ means network and information system
Amendment 144 #
Proposal for a regulation Article 3 – paragraph 1 – point 4 (4) ‘cybersecurity’ means cybersecurity
Amendment 145 #
Proposal for a regulation Article 3 – paragraph 1 – point 5 (5) ‘highest level of management’ means a manager, management or coordination and oversight body at the most senior administrative level, taking account of the high-level governance arrangements in each Union institution, body or agency and without prejudice to the formal responsibilities of other levels of management for compliance and risk management in their respective areas of responsibility;
Amendment 146 #
Proposal for a regulation Article 3 – paragraph 1 – point 5 (5) ‘highest level of management’ means a manager, management or coordination and oversight body at the
Amendment 147 #
Proposal for a regulation Article 3 – paragraph 1 – point 5 (5) ‘highest level of management’ means a manager, management or coordination and oversight body at the most senior administrative level with a mandate to make or authorise decisions, taking account of the high-level governance arrangements in each Union institution, body or agency;
Amendment 148 #
Proposal for a regulation Article 3 – paragraph 1 – point 7
Amendment 149 #
Proposal for a regulation Article 3 – paragraph 1 – point 7
Amendment 150 #
Proposal for a regulation Article 3 – paragraph 1 – point 7 (7) ‘significant incident’ means any incident unless it has limited impact
Amendment 151 #
Proposal for a regulation Article 3 – paragraph 1 – point 8 (8) ‘major
Amendment 152 #
Proposal for a regulation Article 3 – paragraph 1 – point 8 (8) ‘major
Amendment 153 #
Proposal for a regulation Article 3 – paragraph 1 – point 8 (8) ‘major
Amendment 154 #
Proposal for a regulation Article 3 – paragraph 1 – point 8 (8) ‘major attack’ means any incident requiring more resources than are available at the affected Union institution, body or agency
Amendment 155 #
Proposal for a regulation Article 3 – paragraph 1 – point 11 (11) ‘significant cyber threat’ means a cyber threat
Amendment 156 #
Proposal for a regulation Article 3 – paragraph 1 – point 11 (11) ‘significant cyber threat’ means a cyber threat within the
Amendment 157 #
Proposal for a regulation Article 3 – paragraph 1 – point 11 (11) ‘significant cyber threat’ means a cyber threat within the
Amendment 158 #
Proposal for a regulation Article 3 – paragraph 1 – point 13 a (new) (13 a) "near miss" means a near miss within the meaning of Article 4 (4a) of Directive [proposal NIS 2];
Amendment 159 #
(14) ‘
Amendment 160 #
Proposal for a regulation Article 3 – paragraph 1 – point 14 (14) ‘
Amendment 161 #
Proposal for a regulation Article 3 – paragraph 1 – point 14 (14) ‘risk’ means cybersecurity risk
Amendment 162 #
Proposal for a regulation Article 3 – paragraph 1 – point 14 (14) ‘cybersecurity risk’ means any
Amendment 163 #
Proposal for a regulation Article 3 – paragraph 1 – point 14 a (new) (14 a) ‘ICT environment’ means any on-premise or virtual ICT product, ICT service and ICT process as defined in Article 2 of Regulation (EU) 2019/881, and any network and information system whether owned and operated by a Union institution, body, office or agency, or hosted or operated by a third party, including mobile devices, corporate networks, and business networks not connected to the internet and any devices connected to the ICT environment;
Amendment 164 #
Proposal for a regulation Article 3 – paragraph 1 – point 14 a (new) (14 a) ‘standard’ means a standard within the meaning of Article 4(10) of Directive [proposal NIS 2];
Amendment 165 #
Proposal for a regulation Article 3 – paragraph 1 – point 14 b (new) (14 b) ‘technical specification’ means a technical specification within the meaning of Article 4(11) of Directive [proposal NIS 2];
Amendment 166 #
Proposal for a regulation Article 3 – paragraph 1 – point 14 c (new) (14 c) ‘ICT product’ means an ICT product within the meaning of Article 2(12) of Regulation (EU) 2019/881;
Amendment 167 #
Proposal for a regulation Article 3 – paragraph 1 – point 14 d (new) (14 d) ‘ICT service’ means an ICT service within the meaning of Article 2(13) of Regulation (EU) 2019/881;
Amendment 168 #
Proposal for a regulation Article 3 – paragraph 1 – point 14 e (new) (14 e) ‘ICT process’ means an ICT process within the meaning of Article 2(14) of Regulation (EU) 2019/881;
Amendment 169 #
Proposal for a regulation Article 3 – paragraph 1 – point 15
Amendment 170 #
Proposal for a regulation Article 3 – paragraph 1 – point 15 (15) ‘Joint Cyber Unit’ means a
Amendment 171 #
Proposal for a regulation Article 3 – paragraph 1 – point 16
Amendment 172 #
Proposal for a regulation Article 3 – paragraph 1 – point 16
Amendment 173 #
Proposal for a regulation Article 3 – paragraph 1 – point 16 (16) ‘cybersecurity
Amendment 174 #
Proposal for a regulation Article 4 – title Risk management, governance and control framework
Amendment 175 #
Proposal for a regulation Article 4 – title Risk management, handling, governance and control
Amendment 176 #
Proposal for a regulation Article 4 – paragraph 1 1.
Amendment 177 #
Proposal for a regulation Article 4 – paragraph 1 1. Each Union institution, body and agency shall establish its own internal cybersecurity risk management, handling of incidents, governance and control framework (‘the framework’) in support of the entity’s mission and exercising its institutional autonomy. This work shall be overseen by the entity’s highest level of management to ensure an effective and prudent management of all cybersecurity risks. The framework shall be in place by …. at the latest [15 months after the entry into force of this Regulation].
Amendment 178 #
Proposal for a regulation Article 4 – paragraph 1 1. Each Union institution, body and agency shall establish its own
Amendment 179 #
Proposal for a regulation Article 4 – paragraph 2 2. The framework shall cover the entirety of the IT environment of the concerned
Amendment 180 #
Proposal for a regulation Article 4 – paragraph 2 2. The framework shall cover the entirety of the ICT environment of the concerned
Amendment 181 #
Proposal for a regulation Article 4 – paragraph 2 a (new) 2 a. The framework shall define strategic objectives to ensure a high level of cybersecurity in the Union institution, body, office or agency. The framework shall lay down cybersecurity policies and priorities for the security of network and information systems encompassing the entirety of the ICT environment, and define the roles and responsibilities of staff tasked with ensuring the effective implementation of the provisions of this Regulation.
Amendment 182 #
Proposal for a regulation Article 4 – paragraph 2 b (new) 2 b. The framework shall be reviewed on a regular basis and at least every three years on the basis of key performance indicators. Where appropriate and upon request of the IICB, a Union institution, body, office or agency’s framework shall be updated following guidance from CERT-EU on observed incidents or possible gaps in the implementation of the provisions of this Regulation.
Amendment 183 #
Proposal for a regulation Article 4 – paragraph 3 3. The highest level of management of each Union
Amendment 184 #
Proposal for a regulation Article 4 – paragraph 3 3. The highest level of management of each Union institution, body and agency shall provide oversight over the compliance and functioning of their organisation with the obligations related to cybersecurity risk management, handling, governance, and control, without prejudice to the formal responsibilities of other levels of management for compliance and risk management in their respective areas of responsibility.
Amendment 185 #
Proposal for a regulation Article 4 – paragraph 3 3. The highest level of management of each Union institution, body and agency shall provide oversight over the compliance of their organisation with the obligations related to cybersecurity risk management, governance, and control, without prejudice to the formal responsibilities of other levels of management for compliance and risk management in their respective areas of responsibility, such as data protection.
Amendment 186 #
3. The highest level of management of each Union institution, body, office and agency shall
Amendment 187 #
Proposal for a regulation Article 4 – paragraph 4 4. Each Union institution, body and agency shall have effective mechanisms in place to ensure that an adequate percentage of the ICT budget is spent on cybersecurity.
Amendment 188 #
Proposal for a regulation Article 4 – paragraph 5 5. Each Union institution, body and
Amendment 189 #
Proposal for a regulation Article 4 – paragraph 5 a (new) 5 a. On the basis of a mutual agreement, the Union entity or several entities may appoint the same Local Cybersecurity Officer as another Union entity.
Amendment 190 #
Proposal for a regulation Article 5 – title Cybersecurity
Amendment 191 #
Proposal for a regulation Article 5 – title Cybersecurity
Amendment 193 #
Proposal for a regulation Article 5 – paragraph 1 1. The highest level of management of each Union institution, body and agency shall approve the entity’s own cybersecurity
Amendment 194 #
Proposal for a regulation Article 5 – paragraph 1 1. The highest level of management of each Union institution, body and agency shall approve the entity’s own cybersecurity
Amendment 195 #
Proposal for a regulation Article 5 – paragraph 1 1. The highest level of management of each Union institution, body and agency shall approve the entity’s own cybersecurity baseline to address the risks identified under the framework referred to in Article 4(1). It shall do so in support of its mission and exercising its institutional autonomy in full compliance with the requirements of this regulation, following the guidance and recommendations of IICB and CERT-EU and implementing the applicable EU cybersecurity schemes. The cybersecurity baseline shall be in place by …. at the latest [18 months after the entry into force of this Regulation] and shall address the domains listed in Annex I and the measures listed in Annex II.
Amendment 196 #
Proposal for a regulation Article 5 – paragraph 1 1. The highest level of management of each Union institution, body and agency shall approve the entity’s own cybersecurity
Amendment 197 #
Proposal for a regulation Article 5 – paragraph 1 a (new) 1 a. Union institutions, bodies, offices and agencies shall include at least the following domains in the implementation of the cybersecurity risk management measures: (a) cybersecurity policy, including specification on the measures needed to reach objectives and priorities referred to in Article 4 and Article 5(2a); (b) policy objectives and priorities regarding the use of cloud computing services as defined in Article 4(19) of Directive [proposal NIS 2] and technical arrangements to enable and sustain teleworking; (c) organisation of cybersecurity, including definition of roles and responsibilities; (d) management of the ICT environment, including ICT inventory and network cartography; (e) access control, identity management and privileged access management; (f) operations security and human resources security; (g) communications security; (h) system acquisition, development and maintenance; (i) supply chain security and supplier relationships between each Union institution, body, office and agency with its direct suppliers and service providers; (j) incident handling, including approaches to improve the prevention, detection, analysis, and containment of, response to, and recovery from an incident and cooperation with CERT-EU, such as the maintenance of security monitoring and logging; (k) business continuity management and crisis management; (l) cybersecurity skills, education, awareness-raising, training programmes and exercises.
Amendment 198 #
Proposal for a regulation Article 5 – paragraph 1 a (new) 1 a. Union institutions, bodies and agencies shall address at least the following specific cybersecurity measures in the implementation of the cybersecurity baseline and in their cybersecurity plans, in line with the guidance documents and recommendations from the IICB: (a) concrete steps for moving towards Zero Trust Architecture (meaning a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries); (b) the adoption of multifactor authentication as a norm across network and information systems; (c) the establishment of software supply chain security through criteria for secure software development and evaluation; (d) the enhancement of procurement rules to facilitate a high common level of cybersecurity through: - the removal of contractual barriers that limit information sharing from IT service providers about incidents, vulnerabilities and cyber threats with CERT-EU; - the contractual obligation to report incidents, vulnerabilities and cyber threats as well as to have appropriate incidents response and monitoring in place.
Amendment 199 #
Proposal for a regulation Article 5 – paragraph 2 2. The senior management of each Union institution, body, office and agency as well as all relevant staff tasked with implementing the cybersecurity risk management measures and obligations of this Regulation shall follow specific training on a regular basis to gain sufficient knowledge and skills in order to apprehend and assess cybersecurity risk and management practices and their impact on the operations of the organisation.
Amendment 200 #
Proposal for a regulation Article 5 – paragraph 2 2. The
Amendment 201 #
Proposal for a regulation Article 5 – paragraph 2 a (new)
Amendment 202 #
Proposal for a regulation Article 5 – paragraph 2 b (new) 2 b. The IICB may recommend technical and methodological requirements of the domains and risk management measures referred to in paragraphs 1(a) and 2(a) of this Article and, where necessary, recommend adaptations to reflect developments in attack methods, cyber threats and advances in technology, for the purposes of the review of this Regulation in accordance with Article 24.
Amendment 204 #
Proposal for a regulation Article 6 – paragraph 1 Each Union institution, body and agency shall carry out a cybersecurity maturity
Amendment 205 #
Proposal for a regulation Article 6 – paragraph 1 Each Union institution, body and agency shall carry out a cybersecurity maturity assessment at least every t
Amendment 206 #
Proposal for a regulation Article 6 – paragraph 1 1. Each Union
Amendment 207 #
Proposal for a regulation Article 6 – paragraph 1 a (new) The IICB, after consulting the European Union Agency for Cybersecurity (ENISA) and upon receiving guidance from CERT-EU, shall recommend guidelines to Union institutions, bodies, offices and agencies for the carrying out of cybersecurity maturity assessments.
Amendment 208 #
Proposal for a regulation Article 6 – paragraph 1 a (new) 2. Small Union entities with similar tasks or structure may carry out a combined maturity assessment.
Amendment 209 #
Proposal for a regulation Article 6 – paragraph 1 b (new) Upon request of the IICB, and with the explicit consent of the Union institution, body, office or agency concerned, the results of a cybersecurity maturity assessment may be discussed within the IICB configuration or within the established network of Local Cybersecurity Officers with a view to learning from experiences in the implementation of this Regulation and sharing best practices and results of use cases.
Amendment 210 #
Proposal for a regulation Article 7 – paragraph 1 1. Following the conclusions derived from the maturity cybersecurity assessment and considering
Amendment 211 #
Proposal for a regulation Article 7 – paragraph 1 1. Following the conclusions derived from the maturity assessment and considering the assets and risks identified pursuant to Article 4, the highest level of management of each Union institution, body and agency shall approve a cybersecurity plan without undue delay after the establishment of the risk management, governance and control framework and the cybersecurity baseline. The plan shall aim at increasing the overall cybersecurity of the concerned entity and shall thereby contribute to the achievement or enhancement of a high common level of cybersecurity among all Union institutions, bodies and agencies. To support the entity’s mission on the basis of its institutional autonomy, the plan shall at least include the domains listed in Annex I, the measures listed in Annex II, as well as measures related to incident preparedness, response and recovery, such as security assessment of the suppliers and services, monitoring and logging. The plan shall be revised at least every t
Amendment 212 #
Proposal for a regulation Article 7 – paragraph 1 1. Following the conclusions derived from the maturity assessment and considering the assets and risks identified pursuant to Article 4, the highest level of management of each Union institution, body and agency shall approve a cybersecurity plan without undue delay after the establishment of the risk management, handling, governance and control framework and the cybersecurity
Amendment 213 #
Proposal for a regulation Article 7 – paragraph 2 2. The cybersecurity plan shall include relevant staff members’ roles and responsibilities for its implementation, including detailed job descriptions for technical and operational staff as well as all relevant processes underpinning performance evaluation.
Amendment 214 #
Proposal for a regulation Article 7 – paragraph 2 2. The cybersecurity plan shall include staff members’ roles, preparedness and responsibilities for its implementation.
Amendment 215 #
Proposal for a regulation Article 7 – paragraph 2 a (new)
Amendment 216 #
Proposal for a regulation Article 7 – paragraph 3 3. The cybersecurity plan shall consider any applicable guidance documents and recommendations issued by CERT-EU in accordance with Article 13 and any other applicable or targeted recommendations issued by the IICB and CERT-EU.
Amendment 217 #
Proposal for a regulation Article 7 – paragraph 3 3. The cybersecurity plan shall
Amendment 218 #
1. Upon completion of
Amendment 219 #
Proposal for a regulation Article 9 – paragraph 2 – point a (a) monitoring the implementation of this Regulation by the Union institutions, bodies and agencies and making recommendations for achieving a common high level of cybersecurity;
Amendment 220 #
Proposal for a regulation Article 9 – paragraph 3 – subparagraph 1 – introductory part The IICB shall consist of
Amendment 221 #
Proposal for a regulation Article 9 – paragraph 3 – subparagraph 1 – point c – indent 1 (new) - one representative designated by each of the following:
Amendment 222 #
Proposal for a regulation Article 9 – paragraph 3 – subparagraph 1 – point k (k) the European Union Agency for Cybersecurity (ENISA).
Amendment 223 #
Proposal for a regulation Article 9 – paragraph 3 – subparagraph 1 – point k a (new) (k a) the European Cybersecurity Industrial, Technology and Research Competence Centre;
Amendment 224 #
Proposal for a regulation Article 9 – paragraph 3 – subparagraph 1 – point k a (new) (k a) the European Data Protection Supervisor (EDPS).
Amendment 225 #
Proposal for a regulation Article 9 – paragraph 3 – subparagraph 1 – point k b (new) (k b) the European Union Agency for the Space Programme;
Amendment 226 #
Proposal for a regulation Article 9 – paragraph 3 – subparagraph 1 a (new) A gender balance shall be maintained among the appointed representatives.
Amendment 227 #
Proposal for a regulation Article 9 – paragraph 3 – subparagraph 2
Amendment 228 #
Proposal for a regulation Article 9 – paragraph 3 – subparagraph 2 Members shall be nominated on a gender balance principle and may be assisted by an alternate. Other representatives of the organisations listed above or of other Union institutions, bodies and agencies may be invited by the chair to attend IICB meetings without voting power.
Amendment 229 #
Proposal for a regulation Article 9 – paragraph 3 – subparagraph 2 – indent 1 (new) - three representatives designated by the Union Agencies Network (EUAN) upon a proposal of its ICT Advisory Committee to represent the interests of the agencies, offices and bodies other than those referred to in (k), (ka) and (kb) that run their own IT environment.
Amendment 230 #
Proposal for a regulation Article 9 – paragraph 3 a (new) 3 a. Members may be assisted by an alternate. Other representatives of the organisations listed above or of other Union institutions, bodies and agencies may be invited by the chair to attend IICB meetings without voting power.
Amendment 231 #
Proposal for a regulation Article 9 – paragraph 3 b (new) 3 b. The Head of CERT-EU and the chairs of the Cooperation Group, the CSIRTs Network and the EU-CyCLONe, referred to in Articles 12, 13 and 14 of [NIS2 Directive], or their alternates, may participate in IICB meetings as observers, except where otherwise decided by the IICB.
Amendment 232 #
Proposal for a regulation Article 9 – paragraph 5 5. The IICB shall designate a chair, in accordance with its internal rules of procedure, from among its members for a period of four years. His or her alternate shall become a full member with voting rights of the IICB for the same duration.
Amendment 233 #
Proposal for a regulation Article 9 – paragraph 6 6. The IICB shall meet at the initiative of its chair, and at least two times a year, at the request of CERT-EU or at the request of any of its members.
Amendment 234 #
Proposal for a regulation Article 9 – paragraph 9
Amendment 235 #
Proposal for a regulation Article 9 – paragraph 9 9. The Head of CERT-EU, or his or her alternate, shall participate in IICB meetings. In except
Amendment 236 #
Proposal for a regulation Article 9 – paragraph 10 10. The secretariat of the IICB shall be provided by the
Amendment 237 #
Proposal for a regulation Article 9 – paragraph 10 10. The secretariat of the IICB shall be
Amendment 238 #
Proposal for a regulation Article 9 – paragraph 11 11. The representatives nominated by the EUAN
Amendment 239 #
Proposal for a regulation Article 9 – paragraph 12
Amendment 240 #
Proposal for a regulation Article 10 – paragraph 1 – point -a (new) (-a) support Union institutions, bodies, offices and agencies in implementing this Regulation with the aim to raise their respective levels of cybersecurity;
Amendment 241 #
Proposal for a regulation Article 10 – paragraph 1 – point -a a (new) (-a a) effectively monitor the implementation of the obligations of this Regulation in Union institutions, bodies, offices and agencies without prejudice to their institutional autonomy and the overall institutional balance;
Amendment 242 #
Proposal for a regulation Article 10 – paragraph 1 – point a (a) re
Amendment 243 #
Proposal for a regulation Article 10 – paragraph 1 – point a a (new) (a a) approve, on the basis of a proposal from the Head of CERT-EU, recommendations for achieving a common high level of cybersecurity, aimed at one or all Union institutions, bodies, offices and agencies;
Amendment 244 #
Proposal for a regulation Article 10 – paragraph 1 – point a a (new) (a a) provide strategic direction to the head of CERT-EU;
Amendment 245 #
Proposal for a regulation Article 10 – paragraph 1 – point h a (new)
Amendment 246 #
Proposal for a regulation Article 10 – paragraph 1 – point h b (new) (h b) where necessary, instruct CERT-EU to issue, withdraw or modify a proposal for guidance documents or recommendations, or a call for action.
Amendment 247 #
Proposal for a regulation Article 10 – paragraph 1 – point i (i) establish as many technical advisory groups as necessary, with concrete tasks to assist the IICB’s work, approve their terms of reference and designate their respective chairs.
Amendment 248 #
Proposal for a regulation Article 10 – paragraph 1 – point i (i) establish
Amendment 249 #
Proposal for a regulation Article 10 – paragraph 1 – point i a (new) (i a) approve the methodology and content of a peer-review system for assessing the effectiveness of the institutions, bodies and agencies’ cybersecurity policies. The reviews shall be conducted by cybersecurity technical experts drawn from one institution and one body or agency different from the one being reviewed. The results of the peer-reviews shall be used in fulfilling the obligations foreseen in Articles 7 and 8.
Amendment 250 #
Proposal for a regulation Article 10 – paragraph 1 – point i a (new) (i a) review and, where requested, following relevant guidance from CERT-EU, provide feedback to Union institutions, bodies, offices and agencies’ cybersecurity maturity assessments referred to in Article 6 and cybersecurity plans referred to in Article 7;
Amendment 251 #
Proposal for a regulation Article 10 – paragraph 1 – point i a (new) (i a) facilitate the exchange of best practices among the Local Cybersecurity Officers; issue, where appropriate, the recommendations on their role within the Union entities;
Amendment 252 #
Proposal for a regulation Article 10 – paragraph 1 – point i b (new) (i b) review possible interconnections between Union institutions, bodies, offices and agencies’ ICT environments and maintain an inventory of shared components of ICT products, ICT services and ICT processes;
Amendment 253 #
Proposal for a regulation Article 10 – paragraph 1 – point i c (new) (i c) where appropriate, adopt recommendations on the interoperability of Union institutions, bodies, offices and agencies’ ICT environments or components thereof;
Amendment 254 #
Proposal for a regulation Article 10 – paragraph 1 – point i d (new) (i d) support the establishment of a Cybersecurity Officers Group under ENISA, gathering the Local Cybersecurity Officers of all Union institutions, bodies, offices and agencies with an aim to facilitate the sharing of best practices and experiences gained from the implementation of this Regulation;
Amendment 255 #
Proposal for a regulation Article 10 – paragraph 1 – point i e (new) (i e) develop an incident and response plan for major incidents at Union level referred to in Article 3(8) and coordinate the adoption of individual Union institutions, bodies, offices and agencies’ cyber crisis management plans referred to in Article 7(2a);
Amendment 256 #
Proposal for a regulation Article 10 – paragraph 1 – point i f (new) (i f) adopt recommendations based on the results of EU coordinated risk assessments of critical supply chains referred to in Article 19 of Directive [proposal NIS 2] to support Union institutions, bodies, offices and agencies in adopting effective and proportionate risk management measures relating to supply chain security referred to in Article 5(1ai);
Amendment 257 #
Proposal for a regulation Article 10 – paragraph 1 – point i g (new) (i g) develop guidelines for information sharing arrangements referred to in Article 19;
Amendment 258 #
Proposal for a regulation Article 11 – paragraph -1 (new) -1 The IICB shall monitor the implementation of this Regulation and of adopted guidance documents, recommendations and calls for action by the Union institutions, bodies, offices and agencies.
Amendment 259 #
Proposal for a regulation Article 11 – paragraph 1 – introductory part
Amendment 260 #
Proposal for a regulation Article 11 – paragraph 1 – introductory part
Amendment 261 #
Proposal for a regulation Article 11 – paragraph 1 – point -a (new) (-a) request relevant and available documentation of the Union institution, body, office or agency concerned relating to the effective implementation of the provisions of this Regulation or the application of guidance documents, recommendations and calls for action issued in accordance with Article 13;
Amendment 262 #
Proposal for a regulation Article 11 – paragraph 1 – point -a a (new) (-a a) communicate a reasoned opinion to the Union institution, body, office or agency concerned with observed gaps in the implementation of this Regulation;
Amendment 263 #
Proposal for a regulation Article 11 – paragraph 1 – point -a b (new) (-a b) invite the Union institution, body, office or agency concerned to provide a self-assessment on its reasoned opinion within a specified timeframe;
Amendment 264 #
Proposal for a regulation Article 11 – paragraph 1 – point -a c (new) (-a c) issue, in cooperation with CERT-EU, guidance to the individual Union institution, body, office or agency to bring its respective risk management, governance and control framework, cybersecurity risk management measures, cybersecurity plans and reporting obligations in compliance with the provisions laid down in this Regulation in a specified manner and within a specified period;
Amendment 265 #
Proposal for a regulation Article 11 – paragraph 1 – point b (b) re
Amendment 266 #
Proposal for a regulation Article 11 – paragraph 1 – point b a (new) (b a) inform the European Court of Auditors about the lack of compliance.
Amendment 267 #
Proposal for a regulation Article 11 – paragraph 1 a (new) 1. The IICB shall monitor the implementation of this Regulation and of adopted guidance documents, recommendations and calls for action by the Union institutions, bodies and agencies.
Amendment 268 #
Proposal for a regulation Article 11 – paragraph 1 a (new) These warnings and recommendations shall be directed to the highest level of management of the concerned entity.
Amendment 269 #
Proposal for a regulation Article 11 – paragraph 1 b (new) 2. Where the small Union entities notify that they are unable to meet the deadlines referred to in Articles 4(1) and 5(1), the IICB shall authorize their prolongation and set the deadlines for the compliance.
Amendment 270 #
Proposal for a regulation Article 12 – paragraph 1 1. The mission of CERT-EU, the autonomous interinstitutional Cybersecurity Centre for all Union institutions, bodies and agencies, shall be to contribute to the security of the unclassified ICT environment of all Union institutions, bodies and agencies by advising them on cybersecurity, by helping them to prevent, detect, mitigate and respond to and recover from incidents and by acting as their cybersecurity information exchange and incident response coordination hub.
Amendment 271 #
Proposal for a regulation Article 12 – paragraph 1 1. The mission of CERT-EU, the autonomous interinstitutional Cybersecurity Centre for all Union institutions, bodies and agencies, shall be to contribute to the security of the unclassified IT environment of all Union institutions, bodies and agencies by advising them on cybersecurity, by helping
Amendment 272 #
Proposal for a regulation Article 12 – paragraph 1 1. The mission of CERT-EU
Amendment 273 #
Proposal for a regulation Article 12 – paragraph 2 – point b a (new) (b a) operate for smaller and some medium-sized Union entities the broad-spectrum Security Operations Centre (SOC) that monitors networks, including first-line 24/7 monitoring for high-severity threats;
Amendment 274 #
Proposal for a regulation Article 12 – paragraph 2 – point c a (new) (c a) act as the designated coordinator for all Union institutions, bodies, offices and agencies for the purposes of coordinated vulnerability disclosure to the European vulnerability registry referred to in Article 6 of Directive [proposal NIS2];
Amendment 275 #
Proposal for a regulation Article 12 – paragraph 2 – point d (d) raise to the attention of the IICB any issue relating to the implementation of this Regulation and of the implementation of the guidance documents, recommendations and calls for action and make proposals for recommendations;
Amendment 276 #
Proposal for a regulation Article 12 – paragraph 2 – point d (d) raise to the attention of the IICB any issue relating to the implementation of this Regulation and of the implementation of the
Amendment 277 #
Proposal for a regulation Article 12 – paragraph 2 – point e (e)
Amendment 278 #
Proposal for a regulation Article 12 – paragraph 2 – point e a (new) (e a) conduct regular risk analysis of the interconnectivity among the Union institutions, bodies, offices and agencies.
Amendment 279 #
Amendment 280 #
Proposal for a regulation Article 12 – paragraph 3 – point b a (new) (b a) coordinated management of major incidents and crises at operational level and to regularly exchange relevant information among Member States and Union institutions, bodies and agencies within the European cyber crisis liaison organisation network (EU-CyCLONe);
Amendment 281 #
Proposal for a regulation Article 12 – paragraph 3 – point c a (new) (c a) proactive scanning of network and information systems;
Amendment 282 #
Proposal for a regulation Article 12 – paragraph 4 4. CERT-EU shall engage in structured cooperation with the European Union Agency for Cybersecurity on capacity building, operational cooperation and long-term strategic analyses of cyber threats in accordance with Regulation (EU) 2019/881 of the European Parliament and of the Council. Furthermore, CERT-EU may cooperate and exchange information with Europol’s Cybercrime Centre.
Amendment 283 #
Proposal for a regulation Article 12 – paragraph 5 – introductory part 5. CERT-EU may provide to the Union institutions, bodies, offices and agencies the following services not described in its service catalogue (‘chargeable services’):
Amendment 284 #
Proposal for a regulation Article 12 – paragraph 5 – point a (a) services that support the cybersecurity of Union
Amendment 285 #
Proposal for a regulation Article 12 – paragraph 6 6. CERT-EU
Amendment 286 #
Proposal for a regulation Article 12 – paragraph 6 6. CERT-EU may organise cybersecurity exercises or recommend participation in existing exercises, in close cooperation with
Amendment 287 #
Proposal for a regulation Article 12 – paragraph 7 7. CERT-EU may provide assistance to Union institutions, bodies and agencies regarding incidents in classified ICT environments if it is explicitly requested to do so by the constituent concerned. The provisions and obligations on all Union institutions, bodies, offices and agencies set out in Chapter V of this Regulation shall not apply to incidents in classified ICT environments unless an individual Union institution, body, office or agency explicitly and voluntarily applies them in order to seek actionable assistance from CERT-EU or otherwise contribute to situational awareness at the Union level.
Amendment 288 #
Proposal for a regulation Article 12 – paragraph 7 7. CERT-EU
Amendment 289 #
Proposal for a regulation Article 12 – paragraph 7 a (new) 7 a. CERT-EU shall present, under appropriate confidentiality conditions, a yearly report of its activities to the European Parliament. This report shall include relevant and precise information about the major incidents and the way they were dealt with.
Amendment 290 #
Proposal for a regulation Article 12 – paragraph 7 a (new) 7 a. CERT-EU shall cooperate with the European Data Protection Supervisor (EDPS) to support Union institutions, bodies, offices and agencies in incidents entailing a personal data breach as defined in Article 3(16) of Regulation (EU) 2018/1725.
Amendment 291 #
Proposal for a regulation Article 12 – paragraph 7 a (new) 7 a. The processing of personal data carried out by CERT-EU under this Regulation shall be subject to Regulation (EU) 2018/1725 of the European Parliament and of the Council.
Amendment 292 #
Proposal for a regulation Article 12 – paragraph 7 b (new) 7 b. CERT-EU may provide assistance to Union institutions, bodies, offices and agencies regarding the implementation of appropriate cybersecurity cooperation between them in terms of cybersecurity knowledge, staff and ICT resources, and cybersecurity expertise.
Amendment 293 #
Proposal for a regulation Article 12 – paragraph 7 b (new) 7 b. CERT-EU shall inform the EDPS when addressing significant vulnerabilities, significant incidents or major attacks that have the potential to result in personal data breaches and/or in the breach of confidentiality of electronic communications.
Amendment 294 #
Proposal for a regulation Article 12 – paragraph 7 c (new) 7 c. CERT-EU shall inform the EDPS about preventive cybersecurity activities that would result in the collection of personal data.
Amendment 295 #
Proposal for a regulation Article 13 – paragraph 1 – point c (c) proposals to the IICB for
Amendment 296 #
Proposal for a regulation Article 13 – paragraph 2 – point a (a) modalities for or improvements to cybersecurity risk management and
Amendment 297 #
Proposal for a regulation Article 13 – paragraph 2 – point a (a) modalities for or improvements to cybersecurity risk management and the cybersecurity
Amendment 298 #
Proposal for a regulation Article 13 – paragraph 2 – point b (b) modalities for cybersecurity maturity assessments and cybersecurity plans; and
Amendment 299 #
Proposal for a regulation Article 13 – paragraph 2 – point c (c) where appropriate, the use of common technology, open-source architecture and associated best practices with the aim of achieving control, interoperability and common standards within the meaning of Article 4(10) of Directive [proposal NIS 2].
Amendment 300 #
Proposal for a regulation Article 13 – paragraph 2 – point c a (new) (c a) where appropriate, facilitate the common purchasing of relevant services and equipment.
Amendment 301 #
Proposal for a regulation Article 13 – paragraph 3
Amendment 302 #
Proposal for a regulation Article 13 – paragraph 4
Amendment 303 #
Proposal for a regulation Article 14 – paragraph -1 (new) -1 The Commission, after having obtained the unanimous approval of the IICB, shall appoint the Head of CERT-EU. The IICB shall be consulted at all stages of the procedure prior to the appointment of the Head of CERT-EU, in particular in drafting vacancy notices, examining applications and appointing selection boards in relation to this post.
Amendment 304 #
Proposal for a regulation Article 14 – paragraph 1 The Head of CERT-EU shall regularly submit reports to the IICB and the IICB Chair, and submit ad-hoc reports to the IICB upon its request, on the performance of CERT-EU, financial planning, revenue, implementation of the budget, service level agreements and written agreements entered into, cooperation with counterparts and partners, and missions undertaken by staff, including the reports referred to in Article 10
Amendment 305 #
Proposal for a regulation Article 14 – paragraph 1 The Head of CERT-EU shall
Amendment 306 #
Proposal for a regulation Article 14 – paragraph 1 a (new) The Head of CERT-EU shall compose and submit to the IICB an annual report encompassing CERT-EU’s work programme, the financial planning of revenue and expenditure, including staffing, for CERT-EU activities, any updates of CERT-EU’s service catalogue and an assessment of the expected impact that such updates may have on its financial planning of revenue and expenditure, staffing and management of funds.
Amendment 307 #
Proposal for a regulation Article 14 – paragraph 1 a (new) The Commission, after having obtained the approval by two-thirds of the IICB, shall appoint the Head of CERT-EU. The IICB shall be consulted at all stages of the procedure prior to the appointment of the Head of CERT-EU, in particular in drafting vacancy notices, examining applications and appointing selection boards in relation to this post.
Amendment 308 #
Proposal for a regulation Article 15 – paragraph 1
Amendment 309 #
Proposal for a regulation Article 15 – paragraph 1
Amendment 310 #
Proposal for a regulation Article 15 – paragraph 1 1. The Commission, after having obtained the unanimous approval of the IICB, shall appoint the Head of CERT-EU. The IICB shall be consulted at all stages of the procedure prior to the appointment of the Head of CERT-EU, in particular in drafting vacancy notices, examining applications and appointing selection boards in relation to this post. The final list of candidates shall include at least one man and one woman.
Amendment 311 #
Proposal for a regulation Article 15 – paragraph 1 1. The Commission, after having obtained the
Amendment 312 #
Proposal for a regulation Article 15 – paragraph 1 a (new) 1 a. All decisions related to staffing and budget allocation of the CERT-EU shall be submitted to the formal approval of the IICB.
Amendment 313 #
Proposal for a regulation Article 15 – paragraph 2 2. For the application of administrative and financial procedures, the Head of CERT-EU shall act under the authority of the Commission under the supervision of the IICB.
Amendment 314 #
Proposal for a regulation Article 15 – paragraph 2 2. For the application of administrative and financial procedures, the Head of CERT-EU shall act under the authority of the Commission, after the approval of IICB.
Amendment 315 #
Proposal for a regulation Article 16 – paragraph 1 1. CERT-EU shall cooperate and exchange information with national counterparts in the Member States, including CERTs, National Cybersecurity Centres, CSIRTs, and single points of contact referred to in Article 8 of Directive [proposal NIS 2], on cyber threats, vulnerabilities
Amendment 316 #
Proposal for a regulation Article 16 – paragraph 2 2. CERT-EU may exchange incident-specific information with national counterparts in the Member States to facilitate detection of similar cyber threats or incidents without the
Amendment 317 #
Proposal for a regulation Article 17 – paragraph 1 1. CERT-EU may cooperate with non-Member State counterparts that are subject to European cybersecurity requirements or requirements of a similar nature, including industry sector-specific counterparts, on tools and methods, such as techniques, tactics, procedures and best practices, and on cyber threats and vulnerabilities. For all cooperation with such counterparts, including in frameworks where non-EU counterparts cooperate with national counterparts of Member States, CERT-EU shall seek prior approval from the IICB.
Amendment 318 #
Proposal for a regulation Article 17 – paragraph 1 1. CERT-EU may cooperate with public non-
Amendment 319 #
Proposal for a regulation Article 17 – paragraph 2 2. CERT-EU may cooperate with other partners, such as commercial entities (including industry sector-specific entities), international organisations, non-European Union national entities or individual experts, to gather information on general and specific cyber threats, vulnerabilities and possible countermeasures. For wider cooperation with such partners, CERT-EU shall seek prior approval from the IICB.
Amendment 320 #
Proposal for a regulation Article 17 – paragraph 2 2. CERT-EU may cooperate with other partners, such as commercial entities, international organisations, non-European Union national entities or individual
Amendment 321 #
Proposal for a regulation Article 17 – paragraph 2 a (new) 2 a. In particular in its relations with commercial entities, the EU institutions will refrain from trading zero-day exploits. EU institutions must notify all exploits and weaknesses to the manufacturer of the software, or make them public in a responsible way;
Amendment 322 #
Proposal for a regulation Article 18 – paragraph 3
Amendment 323 #
Proposal for a regulation Article 18 – paragraph 4 4. The handling of information by CERT-EU and its Union institutions, bodies and agencies shall be in line with the rules laid down in [proposed Regulation on information security]. When cooperating with other counterparts, similar information handling should be used by CERT-EU.
Amendment 324 #
Proposal for a regulation Article 18 – paragraph 5 a (new) 5 a. Information on the completion of security plans by the Union institutions, bodies, offices and agencies shall be shared with the discharge authorities;
Amendment 325 #
Proposal for a regulation Article 18 – paragraph 5 b (new)
Amendment 326 #
Proposal for a regulation Article 19 – title 19
Amendment 327 #
Proposal for a regulation Article 19 – paragraph -1 (new) -1. Union institutions, bodies, offices and agencies may voluntarily notify CERT-EU on cyber threats, incidents, near misses and vulnerabilities that affect them. CERT-EU shall ensure that effective measures are adopted to ensure the confidentiality and appropriate protection of the information provided by the reporting Union institution, body, office or agency. When processing notifications, CERT-EU may prioritise the processing of mandatory notifications over voluntary notifications. Voluntary notification shall not result in the imposition of any additional obligations upon the reporting Union institution, body, office or agency to which it would not have been subject had it not submitted the notification.
Amendment 328 #
Proposal for a regulation Article 19 – paragraph 1 1. To enable CERT-EU
Amendment 329 #
Proposal for a regulation Article 19 – paragraph 1 1. To enable CERT-EU to coordinate
Amendment 330 #
Proposal for a regulation Article 19 – paragraph 1 a (new) 1 a. To enable CERT-EU to coordinate vulnerability management, it may request Union institutions, bodies and agencies to provide it with information from their respective IT system inventories that is relevant for the CERT-EU support. The requested institution, body or agency may transmit the requested information, and any subsequent updates thereto.
Amendment 331 #
Proposal for a regulation Article 19 – paragraph 2
Amendment 332 #
Proposal for a regulation Article 19 – paragraph 3 3. CERT-EU may only exchange incident-specific information which reveals the identity of the Union institution, body or agency affected by the incident with the consent of that entity. CERT-EU may only exchange incident-specific information which reveals the identity of the target of the cybersecurity incident with the consent of the entity affected by the incident. In view of its scrutiny tasks, the European Parliament can request this information even without the consent of the institutions concerned.
Amendment 333 #
Proposal for a regulation Article 19 – paragraph 3 3. CERT-EU may only exchange incident-specific information which reveals the identity of the Union institution, body or agency affected by the incident with the
Amendment 334 #
Proposal for a regulation Article 19 – paragraph 4 4. The
Amendment 337 #
Proposal for a regulation Article 20 – paragraph 1 – subparagraph 1
Amendment 338 #
Proposal for a regulation Article 20 – paragraph 1 – subparagraph 1 All Union institutions, bodies, offices and agencies shall
Amendment 339 #
Proposal for a regulation Article 20 – paragraph 1 – subparagraph 1 All Union institutions, bodies and agencies shall make an
Amendment 340 #
Proposal for a regulation Article 20 – paragraph 1 – subparagraph 1 a (new)
Amendment 341 #
Proposal for a regulation Article 20 – paragraph 1 – subparagraph 1 b (new) Where a significant incident or significant cyber threat referred to in paragraph 1(a) is affecting a network and information system, or a component of a Union institution, body, office or agency's ICT environment that is knowingly connected with another Union institution, body, office and agency's ICT environment, CERT-EU shall notify, without undue delay, the affected Union institution, body, office or agency.
Amendment 342 #
Proposal for a regulation Article 20 – paragraph 1 – subparagraph 2
Amendment 343 #
Proposal for a regulation Article 20 – paragraph 1 – subparagraph 2
Amendment 344 #
Proposal for a regulation Article 20 – paragraph 1 – subparagraph 2
Amendment 345 #
Proposal for a regulation Article 20 – paragraph 1 a (new) 1 a. -1. Union entities shall notify, without undue delay, the CERT-EU of any incident having a significant impact on the provision of their functioning. Where appropriate, those entities shall notify, without undue delay, other relevant Union entities that are likely to be adversely affected. The Union entities shall report, inter alia, any information enabling the CERT-EU to determine any cross-entities impact, impact on hosting Member State or cross-border impact of the incident. The mere act of notification shall not subject the notifying entity to increased liability of the Union entity. In the case of a cross-institutional or cross-sectorial incident, CERT-EU shall in due time inform the relevant Union entities or Member States.
Amendment 346 #
Proposal for a regulation Article 20 – paragraph 1 b (new) 1 b. -2. Where applicable, the Union entities are required to communicate, without undue delay, to other Union entities that are potentially affected by a significant cyber threat the threat itself and any measures or remedies that those recipients are able to take in response to that threat.
Amendment 347 #
Proposal for a regulation Article 20 – paragraph 1 c (new) 1 c. -3. An incident shall be considered significant if:
(a) the incident has caused or is capable of causing severe operational disruption of the service or financial losses for the entity concerned;
(b) the incident has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material losses.
Amendment 348 #
Proposal for a regulation Article 20 – paragraph 2
Amendment 349 #
Proposal for a regulation Article 20 – paragraph 2 – introductory part 2. The Union institutions, bodies and agencies shall further
Amendment 350 #
Proposal for a regulation Article 20 – paragraph 2 – point c (c) potential severity and impact;
Amendment 351 #
Proposal for a regulation Article 20 – paragraph 2 a (new) 2 a. The Union institutions, bodies and agencies shall make a final report to CERT-EU no later than one month after the submission of the incident notification, including at least the following: (a) a detailed description of the incident, its severity and impact; (b) the type of threat or root cause that likely triggered the incident; (c) applied and ongoing mitigation measures; (d) where applicable, the cross-border impact of the incident;
Amendment 352 #
Proposal for a regulation Article 20 – paragraph 2 a (new) 2 a. An incident shall be considered significant if: (a) the incident has caused or is capable of causing severe operational disruption to the Union institution, body, office or agency or financial losses thereto; (b) the incident has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material losses.
Amendment 353 #
Proposal for a regulation Article 20 – paragraph 2 b (new) 2 b. All Union institutions, bodies, offices and agencies shall submit to CERT-EU: (a) without undue delay and in any event within 24 hours after having become aware of the significant incident, an early warning, which, where applicable, shall indicate whether the significant incident is presumably caused by unlawful or malicious action and has any or could have a cross-border or cross-institutional impact; (b) without undue delay and in any event within 72 hours after having become aware of the significant incident, an incident notification, which, where applicable, shall update the information referred to in subparagraph (a) and indicate an initial assessment of the significant incident, its severity and impact, as well as where available, the indicators of compromise; (c) upon the request of CERT-EU, an intermediate report on relevant status updates; (d) a final report not later than one month after the submission of the significant incident notification under point (b), including at least the following: (i) a detailed description of the significant incident, its severity and impact; (ii) the type of threat or root cause that likely triggered the significant incident; (iii) applied and ongoing mitigation measures; (iv) where applicable, the cross-border or cross-institutional impact of the significant incident; (e) in cases of ongoing significant incidents at the time of the submission of the final report referred to in point (d), a progress report at that time and a final report within one month after the incident has been handled.
Amendment 354 #
Proposal for a regulation Article 20 – paragraph 2 b (new) 2 b. In duly justified cases and in agreement with CERT-EU, the Union institution, body or agency concerned may deviate from the deadline laid down in the previous paragraphs. The Union institution, body or agency concerned shall provide a progress report by the deadline of the submission of a final report, if a deviation is agreed on.
Amendment 355 #
Proposal for a regulation Article 20 – paragraph 2 c (new) 2 c. The Union institutions, bodies and agencies, upon request from CERT-EU, shall without undue delay provide the digital information created by the use of electronic devices involved in their respective incidents. CERT-EU may further clarify which types of such digital information it requires for situational awareness and incident response.
Amendment 356 #
Proposal for a regulation Article 20 – paragraph 2 c (new) 2 c. In duly justified cases and in agreement with CERT-EU, the Union institution, body, office or agency concerned can deviate from the deadline laid down in paragraph 2(b).
Amendment 357 #
Proposal for a regulation Article 20 – paragraph 2 d (new) 2 d. The Union institutions, bodies and agencies may on a voluntary basis notify the CERT-EU of significant cyber threats, vulnerabilities and near misses.
Amendment 358 #
Proposal for a regulation Article 20 – paragraph 3 3. CERT-EU shall submit to ENISA on a monthly basis a summary report including anonymised and aggregated data on significant
Amendment 359 #
Proposal for a regulation Article 20 – paragraph 3 3. CERT-EU shall submit to ENISA on a monthly basis a summary report including anonymised and aggregated data on significant cyber threats, significant vulnerabilities, near misses and significant incidents notified
Amendment 360 #
Proposal for a regulation Article 20 – paragraph 4 4. The IICB may issue guidance documents or recommendations concerning the modalities and content of the notification. When preparing such guidance documents or recommendations, the IICB shall take into account the specifications made by any implementing acts adopted by the Commission specifying the type of information, the format and the procedure of a notification submitted pursuant to Article 20 (11) of Directive [proposal NIS2]. CERT-EU shall disseminate the appropriate technical details to enable proactive detection, incident response or mitigating measures by Union institutions, bodies, offices and agencies.
Amendment 361 #
Proposal for a regulation Article 20 – paragraph 4 4. The
Amendment 362 #
Proposal for a regulation Article 20 – paragraph 5
Amendment 363 #
Proposal for a regulation Article 20 – paragraph 5 5. The
Amendment 364 #
Proposal for a regulation Article 21 – paragraph 1 – introductory part 1. In acting as a cybersecurity
Amendment 365 #
Proposal for a regulation Article 21 – paragraph 3 3. CERT-EU shall support Union institutions, bodies and agencies regarding situational awareness of cyber threats, vulnerabilities, near misses and incidents, as well as sharing the latest developments in the field of cybersecurity.
Amendment 366 #
Proposal for a regulation Article 21 – paragraph 3 3. CERT-EU, in cooperation with ENISA, shall support Union institutions, bodies and agencies regarding situational awareness of cyber threats, vulnerabilities and incidents.
Amendment 370 #
Proposal for a regulation Article 22 – paragraph 1 1. CERT-EU shall coordinate among Union institutions, bodies and agencies responses to major
Amendment 371 #
Proposal for a regulation Article 22 – paragraph 1 1. CERT-EU shall coordinate among Union institutions, bodies and agencies responses to major
Amendment 372 #
Proposal for a regulation Article 22 – paragraph 2 2. The Union institutions, bodies and agencies shall contribute to the inventory of available technical expertise by providing an
Amendment 373 #
Proposal for a regulation Article 22 – paragraph 3 3. With the approval of the concerned Union institutions, bodies and agencies, CERT-EU may also call on experts from the list referred to in paragraph 2 for contributing to the response to a major attack in a Member State, in line with the Joint Cyber Unit’s operating procedures. Specific rules on access to and use of technical experts from Union institutions, bodies, offices and agencies shall be approved by IICB at the proposal of CERT-EU.
Amendment 374 #
Proposal for a regulation Article 22 – paragraph 3 3. With the approval of the concerned Union institutions, bodies and agencies, CERT-EU may also call on experts from the list referred to in paragraph 2 for contributing to the response to a major attack in a Member State
Amendment 375 #
Proposal for a regulation Article 22 – paragraph 3 3. With the approval of the concerned Union institutions, bodies and agencies, CERT-EU may also call on experts from the list referred to in paragraph 2 for contributing to the response to a major
Amendment 376 #
Proposal for a regulation Article 22 – paragraph 3 3. With the approval of the concerned Union institutions, bodies and agencies, CERT-EU may also call on experts from the list referred to in paragraph 2 for contributing to the response to a major
Amendment 377 #
Proposal for a regulation Article 23 – title Initial budgetary
Amendment 378 #
Proposal for a regulation Article 23 – paragraph 1 1. The Commission shall
Amendment 379 #
Proposal for a regulation Article 23 – paragraph 1 The Commission shall propose the reallocation of staff and financial resources from relevant Union institutions, bodies, offices and agencies to the Commission budget for the use of CERT-EU operations. The reallocation shall be effective at the same time as the first budget adopted following the entry into force of this Regulation.
Amendment 380 #
Proposal for a regulation Article 24 – paragraph 1 1. The IICB, with the assistance of CERT-EU, shall periodically report to the Commission on the implementation of this Regulation and on the experience gained at a strategic and operational level. The IICB may also make recommendations to the Commission to propose amendments to this Regulation.
Amendment 381 #
Proposal for a regulation Article 24 – paragraph 1 1. The IICB, with the assistance of CERT-EU, shall
Amendment 382 #
Proposal for a regulation Article 24 – paragraph 2 2.
Amendment 383 #
Proposal for a regulation Article 24 – paragraph 2 2. The Commission shall report on the implementation of this Regulation to the European Parliament and the Council at the latest
Amendment 384 #
Proposal for a regulation Article 24 – paragraph 2 a (new) 2 a. The first report of implementation of this Regulation shall evaluate the CERT-EU as an independent body.
Amendment 385 #
Proposal for a regulation Article 24 – paragraph 3
Amendment 386 #
Proposal for a regulation Article 24 – paragraph 3 3. The Commission shall evaluate the functioning of this Regulation and report to the European Parliament, the Council, the
Amendment 387 #
Proposal for a regulation Annex I
Amendment 388 #
Proposal for a regulation Annex I
Amendment 389 #
Proposal for a regulation Annex I – paragraph 1 – introductory part The following domains shall be addressed in the cybersecurity
Amendment 390 #
Proposal for a regulation Annex I – paragraph 1 – point 7 (7) system acquisition, development
Amendment 391 #
Proposal for a regulation Annex I – paragraph 1 – point 7 a (new) (7 a) cybersecurity audits;
Amendment 392 #
Proposal for a regulation Annex I – paragraph 1 – point 7 b (new) (7 b) IT staff workload and overall satisfaction;
Amendment 393 #
Proposal for a regulation Annex I – paragraph 1 a (new) In order to assess whether the Institutions, bodies and agencies have sufficient control over the security of their ICT systems, a complete cybersecurity review, including a risk, vulnerability and threat assessment, and penetration-test of the ICT systems and devices of the Institutions should be carried out by a leading and verified third party external to the EU institutions, bodies and agencies (such as a leading cybersecurity company) when this regulation enters into force and each following year. It should take due consideration of the information security requirements of the respective institutions (e.g. the handling of confidential or secret information). The reported risks and vulnerabilities should be mitigated in cybersecurity updates, and the recommendations from the assessment should be implemented through cybersecurity policy and can include replacement of infected ICT systems if deemed necessary.
Amendment 394 #
Proposal for a regulation Annex II
Amendment 395 #
Proposal for a regulation Annex II
Amendment 396 #
Proposal for a regulation Annex II – paragraph 1 – introductory part Union institutions, bodies and agencies shall address at least the following specific cybersecurity measures in the implementation of the cybersecurity
Amendment 397 #
Proposal for a regulation Annex II – paragraph 1 – point 2 a (new) (2 a) the large scale deployment of end to end encrypted communications, including mandatory end to end encrypted messaging services, email encryption and secure digital signing;
Amendment 398 #
Proposal for a regulation Annex II – paragraph 1 – point 2 b (new) (2 b) ensuring privacy by design and the enhanced security of all personal data;
Amendment 399 #
Proposal for a regulation Annex II – paragraph 1 – point 2 c (new) (2 c) the large scale deployment and development of open source software, including inter-institutional software re-use and migrating from software solutions and service based on non-auditable source code;
Amendment 400 #
Proposal for a regulation Annex II – paragraph 1 – point 3 a (new) (3 a) regular cybersecurity training of staff members;
Amendment 401 #
Proposal for a regulation Annex II – paragraph 1 – point 3 b (new) (3 b) the deployment of mandatory penetration tests, based on the recommendation of CERT-EU;
Amendment 402 #
Proposal for a regulation Annex II – paragraph 1 – point 3 c (new) (3 c) participation in interconnectivity risk analyses between the Union institutions, bodies and agencies;
Amendment 403 #
Proposal for a regulation Annex II – paragraph 1 – point 4 – point b (b) the contractual obligation to report incidents, vulnerabilities, near misses and cyber threats as well as to have appropriate incidents response and monitoring in place.
Amendment 95 #
Proposal for a regulation Recital 4 (4) The Union institutions, bodies and agencies are attractive targets who face highly skilled and well-resourced threat actors as well as other threats. At the same time, the level and maturity of cyber resilience and the ability to detect and respond to malicious cyber activities varies significantly across those entities. It is thus necessary for the functioning of the European administration that the institutions, bodies and agencies of the Union achieve a high common level of cybersecurity through
Amendment 96 #
Proposal for a regulation Recital 4 (4) The Union institutions, bodies and agencies are attractive targets who face highly skilled and well-resourced threat actors as well as other threats. At the same time, the level and maturity of cyber resilience and the ability to detect and respond to malicious cyber activities varies
Amendment 97 #
Proposal for a regulation Recital 6 (6) To reach a high common level of cybersecurity, it is necessary that each Union institution, body and agency establishes an internal cybersecurity risk management, governance and control framework that ensures an effective and prudent management of all cybersecurity risks, and takes account of business continuity and crisis management. The framework should lay down cybersecurity policies and priorities for the security of network and information systems encompassing the entirety of the ICT environment. The framework should be reviewed on a regular basis and at least every three years on the basis of key performance indicators to ensure that strategic objectives are met.
Amendment 98 #
Proposal for a regulation Recital 6 (6) To reach a high common level of cybersecurity, it is necessary that each Union institution, body and agency establishes an internal cybersecurity risk management, handling of incident, governance and control framework that ensures an effective and prudent management of all cybersecurity risks, and takes account of business continuity and crisis management.
Amendment 99 #
Proposal for a regulation Recital 7 (7) The differences between Union institutions, bodies and agencies require flexibility in the implementation since one size will not fit all. The measures for a high common level of cybersecurity should not include any obligations directly interfering with the exercise of the missions of Union institutions, bodies and agencies or encroaching on their institutional autonomy. Thus, those institutions, bodies and agencies should establish their own frameworks for cybersecurity risk management, governance and control, and adopt their own
source: 738.403
2022/11/15
AFCO
96 amendments...
Amendment 100 #
Proposal for a regulation Article 19 – paragraph 1 1. To
Amendment 101 #
Proposal for a regulation Article 19 – paragraph 1 1. To enable CERT-EU to coordinate vulnerability management and incident response, it may request Union institutions, bodies and agencies to provide it with information from their respective ICT system inventories that is relevant for the CERT-EU support. The requested institution, body or agency shall transmit the requested information, and any subsequent updates thereto, without undue delay.
Amendment 102 #
Proposal for a regulation Article 19 – paragraph 2 2. The Union
Amendment 103 #
Proposal for a regulation Article 19 – paragraph 3 3. CERT-EU may only exchange incident-specific information which reveals the identity of the
Amendment 104 #
Proposal for a regulation Article 19 – paragraph 4 4. The sharing obligations shall not extend to EU Classified Information
Amendment 106 #
Proposal for a regulation Article 20 – paragraph -1 (new) -1. An incident shall be considered to be significant if: (a) it has caused or is capable of causing severe operational disruption to the functioning of the Union entity or financial loss for the Union entity concerned; (b) it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.
Amendment 107 #
Proposal for a regulation Article 20 – paragraph 1 – subparagraph 1 All Union
Amendment 108 #
Proposal for a regulation Article 20 – paragraph 1 – subparagraph 1 All Union institutions, bodies and agencies shall
Amendment 109 #
Proposal for a regulation Article 20 – paragraph 1 – subparagraph 1 – point a (new) (a) without undue delay and in any event within 24 hours after having become aware of the significant incident, an early warning, which, where applicable, shall indicate whether the significant incident is presumably caused by unlawful or malicious action and has or could have a cross-border impact;
Amendment 110 #
Proposal for a regulation Article 20 – paragraph 1 – subparagraph 1 – point b (new) (b) without undue delay and in any event within 72 hours after having become aware of the significant incident, an incident notification, which, where applicable, shall update the information referred to in subparagraph (a) and indicate an initial assessment of the significant incident, its severity and impact, as well as where available, the indicators of compromise;
Amendment 111 #
Proposal for a regulation Article 20 – paragraph 1 – subparagraph 1 – point c (new) (c) upon the request of CERT-EU, an intermediate report on relevant status updates;
Amendment 112 #
Proposal for a regulation Article 20 – paragraph 1 – subparagraph 1 – point d (new) (d) a final report not later than one month after submitting the significant incident notification under point (b), including at least the following: (i) a detailed description of the significant incident, its severity and impact; (ii) the type of threat or root cause that likely triggered the significant incident; (iii) applied and ongoing mitigation measures; (iv) where applicable, the cross-border impact of the significant incident;
Amendment 113 #
Proposal for a regulation Article 20 – paragraph 1 – subparagraph 1 – point e (new) (e) in cases of ongoing significant incidents at the time of the submission of the final report referred to in point (d), a progress report at that time and a final report within one month after the incident has been handled.
Amendment 114 #
Proposal for a regulation Article 20 – paragraph 1 – subparagraph 2
Amendment 115 #
Proposal for a regulation Article 20 – paragraph 2
Amendment 116 #
Proposal for a regulation Article 20 – paragraph 2 – introductory part 2. The Union institutions, bodies and agencies shall further
Amendment 117 #
Proposal for a regulation Article 20 – paragraph 2 a (new) 2a. No later than one month after submitting the incident notification, the Union institutions, bodies and agencies shall submit a final report to CERT-EU, including at least the following: (a) a detailed description of the incident, its severity and impact; (b) the type of threat or root cause that likely triggered the incident; (c) applied and ongoing mitigation measures; (d) where applicable, the cross-border impact of the incident;
Amendment 118 #
Proposal for a regulation Article 20 – paragraph 2 a (new) 2a. All Union entities shall share the information reported in accordance with paragraph 1 within the same timeline with any relevant national counterparts referred to in Article 16(1) where it is located.
Amendment 119 #
Proposal for a regulation Article 20 – paragraph 2 b (new) 2b. In duly justified cases, and in agreement with CERT-EU, the Union institution, body or agency concerned can deviate from the deadline laid down in paragraph 2a.
Amendment 120 #
Proposal for a regulation Article 20 – paragraph 3 3. CERT-EU shall submit to
Amendment 121 #
Proposal for a regulation Article 20 – paragraph 4 4. The IICB
Amendment 122 #
Proposal for a regulation Article 20 – paragraph 4
Amendment 123 #
Proposal for a regulation Article 20 – paragraph 5 5. The
Amendment 124 #
Proposal for a regulation Article 24 – paragraph 1 1. The IICB, with the assistance of CERT-EU, shall
Amendment 125 #
Proposal for a regulation Article 24 – paragraph 2 2. The Commission shall report on the implementation of this Regulation to the European Parliament and the Council at the latest
Amendment 126 #
Proposal for a regulation Article 24 – paragraph 3 3. The Commission shall evaluate the functioning of this Regulation and report to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions no sooner than
Amendment 127 #
Proposal for a regulation Annex I – paragraph 1 – introductory part
Amendment 128 #
Proposal for a regulation Annex I – paragraph 1 – point 1 a (new) (1a) cybersecurity training of staff members;
Amendment 129 #
Proposal for a regulation Annex I – paragraph 1 – point 3 (3) asset acquisition and management, including IT asset inventory and IT network cartography;
Amendment 130 #
Proposal for a regulation Annex I – paragraph 1 – point 3 (3) asset management, including ICT
Amendment 131 #
Proposal for a regulation Annex I – paragraph 1 – point 9 (9) incident management, including approaches to improve the preparedness, response to, compliance with and shortening timescales for reporting obligations and recovery from incidents and cooperation with CERT-EU, such as the maintenance of security monitoring and logging;
Amendment 132 #
Proposal for a regulation Annex II – paragraph 1 – point 1 a (new) (1a) The set up of a regular cybersecurity training of staff members
Amendment 133 #
Proposal for a regulation Annex II – paragraph 1 – point 4 – point a (a) the removal of contractual barriers that limit information sharing from ICT service providers about incidents, vulnerabilities and cyber threats with CERT-EU;
Amendment 38 #
Proposal for a regulation Recital 1 (1) In the digital age, information and communication technology is a cornerstone in an open, efficient and independent Union administration. Evolving technology and increased complexity and interconnectedness of digital systems amplify cybersecurity risks making the Union administration more vulnerable to cyber threats and incidents, which ultimately poses threats to the administration’s business continuity and capacity to secure its data. While increased use of cloud services, the ubiquitous use of
Amendment 39 #
Proposal for a regulation Recital 2 (2) The cyber threat landscape faced by Union institutions, bodies and agencies is in constant evolution. The tactics,
Amendment 40 #
Proposal for a regulation Recital 3 (3) The Union institutions, bodies and agencies’ ICT environments have interdependencies, integrated data flows and their users collaborate closely. This interconnection means that any disruption, even when initially confined to one Union institution, body or agency, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts on the others. In addition, certain institutions, bodies and agencies’ ICT environments are connected with Member States’ ICT environments, causing an incident in one Union entity to pose a risk to the cybersecurity of Member States’ ICT environments and vice versa.
Amendment 41 #
Proposal for a regulation Recital 4 (4) The Union institutions, bodies and agencies are attractive targets who face highly skilled and well-resourced threat actors as well as other threats. At the same time, the level and maturity of cyber resilience and the ability to detect and respond to malicious cyber activities varies significantly across those entities. It is thus necessary for the functioning of the European administration that the institutions, bodies and agencies of the Union achieve a high common level of cybersecurity through a cybersecurity baseline (a set of minimum cybersecurity rules with which network and information systems and their operators and users have to be compliant to minimise cybersecurity risks), information exchange
Amendment 42 #
Proposal for a regulation Recital 7 (7) The differences between Union institutions, bodies and agencies require flexibility in the implementation since one size will not fit all. The measures for a high common level of cybersecurity should
Amendment 43 #
Proposal for a regulation Recital 8 (8)
Amendment 44 #
Proposal for a regulation Recital 8 (8) In order to avoid imposing a
Amendment 45 #
Proposal for a regulation Recital 10 (10) Union institutions, bodies and agencies should assess risks related to relationships with suppliers and service providers, including providers of data storage and processing services or managed security services, and take appropriate measures to address them. These suppliers and service providers should be vetted thoroughly, taking into account the full range of the supply chain and economic and political environment in which they operate. Where these relationships pose a risk to the integrity of democratic processes in the EU, these should be terminated without undue delay. These measures should form part of the cybersecurity baseline and be further specified in guidance documents or recommendations issued by CERT-EU. When defining measures and guidelines, due account should be taken of relevant EU legislation and policies, including risk assessments and recommendations issued by the NIS Cooperation Group, such as the EU Coordinated risk assessment and EU Toolbox on 5G cybersecurity. In addition, certification of relevant ICT products, services and processes could be required, under specific EU cybersecurity certification schemes adopted pursuant to
Amendment 46 #
Proposal for a regulation Recital 13 (13) Many cyberattacks are part of wider campaigns that target groups of Union institutions, bodies and agencies or communities of interest that include Union institutions, bodies and agencies. To enable proactive detection, incident response or mitigating measures, Union institutions, bodies and agencies should notify CERT-EU of significant cyber threats, significant vulnerabilities and significant incidents and share appropriate technical details that enable detection or mitigation of, as well as response to, similar cyber threats, vulnerabilities and incidents in other Union institutions, bodies and agencies. Following the same approach as the one envisaged in Directive [proposal NIS 2], where entities become aware of a significant incident they should be required to submit an
Amendment 47 #
Proposal for a regulation Recital 13 (13) Many cyberattacks are part of wider campaigns that target groups of Union institutions, bodies and agencies or communities of interest that include Union institutions, bodies and agencies. To enable proactive detection, incident response or mitigating measures, Union institutions, bodies and agencies should notify CERT-EU of significant cyber threats, significant vulnerabilities and significant incidents and share appropriate technical details that enable detection or mitigation of, as well as response to, similar cyber threats, vulnerabilities and incidents in other Union institutions, bodies and agencies. Following the same approach as the one envisaged in Directive [proposal NIS 2], where entities become aware of a significant incident they should be required to submit an initial notification to CERT-EU within 24 hours. Such information exchange should enable CERT-EU to disseminate the information to other Union institutions, bodies and agencies, as well as to appropriate counterparts, to help protect the Union ICT environments and the Union’s counterparts’ ICT environments
Amendment 48 #
Proposal for a regulation Recital 17 (17) CERT-EU should have the mission to contribute to the security of the ICT environment of all Union institutions, bodies and agencies. CERT-EU should act as the equivalent of the designated coordinator for the Union institutions, bodies and agencies, for the purpose of coordinated vulnerability disclosure to the European vulnerability registry as referred to in Article 6 of Directive [proposal NIS 2].
Amendment 49 #
Proposal for a regulation Recital 18 (18) In 2020, CERT-EU’s Steering Board set a new strategic aim for CERT-EU to guarantee a comprehensive level of cyber defence for all Union institutions, bodies and agencies with suitable breadth and depth and continuous adaptation to current or impending threats, including attacks against mobile devices, cloud environments and internet-of-things devices. The strategic aim also includes
Amendment 50 #
Proposal for a regulation Recital 19 a (new) (19a) In order to ensure a better implementation of cybersecurity measures and guidelines for Union institutions, bodies and agencies, and to consolidate a culture of cybersecurity therein, CERT-EU should also enhance cooperation with the European Cybersecurity Competence Network and Centre.
Amendment 51 #
Proposal for a regulation Recital 24 (24) As the services and tasks of CERT-EU are in the interest of all Union institutions, bodies and agencies, each Union institution, body and agency with IT expenditure should contribute a fair share
Amendment 52 #
Proposal for a regulation Recital 24 (24) As the services and tasks of CERT-EU are in the interest of all Union institutions, bodies and agencies, each Union institution, body and agency with ICT expenditure should contribute
Amendment 53 #
Proposal for a regulation Recital 24 a (new) (24a) This Regulation should however take into account the fact that, apart from the Union institutions, most Union entities, and in particular the small ones, do not have the necessary financial and human resources to carry out additional cybersecurity tasks.
Amendment 54 #
Proposal for a regulation Recital 25 (25) The IICB, with the assistance of CERT-EU, should review and evaluate the implementation of this Regulation and should report its findings to the Commission. Building on this input, the Commission should report to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions at least every three years.
Amendment 55 #
Proposal for a regulation Article 1 – paragraph 1 – point a (a) obligations on Union institutions, bodies, offices and agencies to establish an internal cybersecurity risk management, governance and control framework;
Amendment 56 #
Proposal for a regulation Article 1 – paragraph 1 – point c (c) rules on the organisation and operation of the Cybersecurity Centre for the Union institutions, bodies, offices and agencies (CERT-EU) and on the functioning, organisation and operation of the Interinstitutional Cybersecurity Board (IICB).
Amendment 57 #
Proposal for a regulation Article 2 a (new) Article 2a Processing of personal data The processing of personal data under this Regulation by CERT-EU, the IICB and all Union institutions, bodies, offices and agencies shall be carried out in accordance with Regulation (EU) 2018/1725 of the European Parliament and of the Council.
Amendment 58 #
Proposal for a regulation Article 3 – paragraph 1 – point 2 (2) ‘network and information system’ means network and information system
Amendment 59 #
Proposal for a regulation Article 3 – paragraph 1 – point 4 (4) ‘cybersecurity’ means cybersecurity
Amendment 60 #
Proposal for a regulation Article 3 – paragraph 1 – point 5 (5) ‘highest level of management’ means a manager, management or coordination and oversight body at the most senior administrative level with a mandate to make or authorise decisions, taking account of the high-level governance arrangements in each Union institution, body or agency;
Amendment 61 #
Proposal for a regulation Article 3 – paragraph 1 – point 8 (8) ‘major
Amendment 62 #
Proposal for a regulation Article 3 – paragraph 1 – point 11 (11) ‘significant cyber threat’ means a cyber threat
Amendment 63 #
Proposal for a regulation Article 3 – paragraph 1 – point 14 (14) ‘
Amendment 64 #
Proposal for a regulation Article 3 – paragraph 1 – point 14 a (new) (14a) ‘ICT environment’ means any on- premise or virtual ICT product, ICT service and ICT process as defined in Article 2 of Regulation (EU) 2019/881, and any network and information system whether owned and operated by a Union institution, body, office or agency, or hosted or operated by a third party, including mobile devices, corporate networks, and business networks not connected to the internet and any devices connected to the ICT environment;
Amendment 65 #
Proposal for a regulation Article 4 – paragraph 1 1. Each Union institution, body and agency shall establish its own internal
Amendment 66 #
Proposal for a regulation Article 4 – paragraph 1 1. Each Union institution, body and agency shall establish its own internal cybersecurity risk management, governance and control framework (‘the framework’) in support of the entity’s mission and exercising its institutional autonomy. This work shall be overseen by the entity’s highest level of management to ensure an effective and prudent management of all cybersecurity risks. The framework shall be in place by …. at the latest [15 months after the date of entry into force of this Regulation].
Amendment 67 #
Proposal for a regulation Article 4 – paragraph 2 2. The framework shall cover the entirety of the ICT environment of the concerned institution, body or agency, including any on-premise ICT environment, outsourced assets and services in cloud computing environments or hosted by third parties, mobile devices, corporate networks, business networks not connected to the internet and any devices connected to the ICT environment. The framework shall take account of business continuity and crisis management and it shall consider supply chain security as well as the management of human risks that could impact the cybersecurity of the concerned Union institution, body or agency.
Amendment 68 #
Proposal for a regulation Article 4 – paragraph 4 4. Each Union institution, body and agency shall have effective mechanisms in place to ensure that an adequate percentage of the IT budget is spent on cybersecurity. By ... [3 years after the entry into force of this Regulation], each Union institution, body and agency should ensure that at least 10 % of that budget is dedicated to cybersecurity
Amendment 69 #
Proposal for a regulation Article 4 – paragraph 4 4. Each Union institution, body and agency shall have effective mechanisms in place to ensure that a
Amendment 70 #
Proposal for a regulation Article 4 – paragraph 5 a (new) 5a. On the basis of a mutual agreement, a Union entity or several Union entities may appoint the same Local Cybersecurity Officer as another Union entity.
Amendment 71 #
Proposal for a regulation Article 5 – paragraph 1 1. The highest level of management of each Union institution, body and agency shall approve the entity’s own cybersecurity baseline to address the risks identified under the framework referred to in Article 4(1). It shall do so in support of
Amendment 72 #
Proposal for a regulation Article 5 – paragraph 1 1. The highest level of management of each Union institution, body and agency shall approve the entity’s own cybersecurity baseline to address the risks identified under the framework referred to in Article 4(1). It shall do so in support of its mission and exercising its institutional autonomy. The cybersecurity baseline shall be in place by …. at the latest [18 months after the date of entry into force of this Regulation] and shall address the domains listed in Annex I and the measures listed in Annex II.
Amendment 73 #
Proposal for a regulation Article 5 – paragraph 2 2. The senior management of each
Amendment 74 #
Proposal for a regulation Article 5 – paragraph 2 2. The senior management of each Union institution, body and agency shall follow specific trainings on a regular basis to gain sufficient knowledge and skills in order to apprehend and assess cybersecurity risk and management practices and their impact on the operations of the organisation with proper resources.
Amendment 75 #
Proposal for a regulation Article 5 – paragraph 2 a (new) 2a. Regular cybersecurity training of the entire staff pool shall be included in the cybersecurity plan and updated at least every two years. Sufficient resources shall be ensured to provide quality training.
Amendment 76 #
Proposal for a regulation Article 6 – paragraph 1 Each Union institution, body and agency shall carry out a cybersecurity maturity assessment by ... [6 months after the entry into force of this Regulation], and at least every t
Amendment 77 #
Proposal for a regulation Article 6 – paragraph 1 Each Union institution, body and agency shall carry out a cybersecurity maturity assessment at least every three years, incorporating all the elements of their ICT environment as described in Article 4, taking account of the relevant guidance documents and recommendations adopted in accordance with Article 13.
Amendment 78 #
Proposal for a regulation Article 6 – paragraph 1 a (new) Small Union entities with similar tasks or structure may carry out a combined maturity assessment.
Amendment 79 #
Proposal for a regulation Article 7 – paragraph 1 1. Following the conclusions derived from the maturity assessment and considering the assets and risks identified pursuant to Article 4, the highest level of management of each Union institution, body and agency shall approve a cybersecurity plan without undue delay after the establishment of the risk management, governance and control framework and the cybersecurity baseline. The plan shall aim at increasing the overall cybersecurity of the concerned entity and shall thereby contribute to the achievement or enhancement of a high common level of cybersecurity among all Union institutions, bodies and agencies. To support the entity’s mission on the basis of its institutional autonomy, the plan shall at least include the domains listed in Annex I, the measures listed in Annex II, as well as measures related to incident preparedness, response and recovery, such as security monitoring and logging. The plan shall be
Amendment 80 #
Proposal for a regulation Article 7 – paragraph 3 3. The cybersecurity plan shall
Amendment 81 #
Proposal for a regulation Article 7 – paragraph 3 3. The cybersecurity plan shall co
Amendment 82 #
Proposal for a regulation Article 7 – paragraph 3 a (new) 3a. The Union institutions, bodies and agencies shall submit their cybersecurity plans to the Interinstitutional Cybersecurity Board (IICB).
Amendment 83 #
Proposal for a regulation Article 8 – paragraph 1 1. Upon completion of maturity assessments, the Union institutions, bodies and agencies shall submit the
Amendment 84 #
Proposal for a regulation Article 9 – paragraph 3 – subparagraph 1 – introductory part The IICB shall consist of three representatives nominated by the Union Agencies Network (EUAN) upon a proposal of its ICT Advisory Committee to represent the interests of the agencies and bodies that run their own ICT environment and one representative designated by each
Amendment 85 #
Proposal for a regulation Article 11 – paragraph 1 – point a (a) issue a warning; where necessary in view of a compelling cybersecurity risk, the audience of the warning shall be restricted appropriately, through a commonly agreed upon methodology;
Amendment 86 #
Proposal for a regulation Article 11 – paragraph 1 – point b (b)
Amendment 87 #
Proposal for a regulation Article 12 – paragraph 1 1. The mission of CERT-EU, the autonomous interinstitutional
Amendment 88 #
Proposal for a regulation Article 12 – paragraph 2 – point d (d) raise to the attention of the IICB any issue relating to the implementation of this Regulation and of the implementation of the guidance documents, recommendations and calls for action and make proposals for redress;
Amendment 89 #
Proposal for a regulation Article 12 – paragraph 4 4. CERT-EU shall engage in structured cooperation with the European Union Agency for Cybersecurity on capacity building, operational cooperation and long-term strategic analyses of cyber threats in accordance with Regulation (EU) 2019/881 of the European Parliament and
Amendment 90 #
Proposal for a regulation Article 12 – paragraph 5 – point a (a) services that support the cybersecurity of Union institutions, bodies and agencies’ ICT environment, other than those referred to in paragraph 2, on the basis of service level agreements and subject to available resources;
Amendment 91 #
Proposal for a regulation Article 12 – paragraph 5 – point b (b) services that support cybersecurity operations or projects of Union institutions, bodies and agencies, other than those to protect their ICT environment, on the basis of written agreements and with the prior approval of the IICB;
Amendment 92 #
Proposal for a regulation Article 12 – paragraph 5 – point c (c) services that support the security of their ICT environment to organisations other than the Union institutions, bodies and agencies that cooperate closely with Union institutions, bodies and agencies, for instance by having assigned tasks or responsibilities under Union law, on the basis of written agreements and with the prior approval of the IICB.
Amendment 93 #
Proposal for a regulation Article 12 – paragraph 6 6. CERT-EU may organise cybersecurity exercises or recommend participation in existing exercises, in close cooperation with the European Union Agency for Cybersecurity whenever applicable, to test the level of cybersecurity of the Union institutions, bodies and agencies. Moreover, through enhanced cooperation and joint programmes with the European Cybersecurity Competence Network and Centre, CERT-EU can support research and innovation and aid in strengthening the Union institutions, bodies and agencies’ cybersecurity capabilities.
Amendment 94 #
Proposal for a regulation Article 12 – paragraph 7 7. CERT-EU may provide assistance to Union institutions, bodies and agencies regarding incidents in classified ICT environments if it is explicitly requested to do so by the constituent concerned.
Amendment 95 #
Proposal for a regulation Article 14 – paragraph 1 The Head of CERT-EU shall
Amendment 96 #
Proposal for a regulation Article 16 – paragraph 1 1. CERT-EU shall cooperate and exchange information with national
Amendment 97 #
Proposal for a regulation Article 17 – paragraph 1 1. CERT-EU may cooperate with non- Member State counterparts including industry sector-specific counterparts, on tools and methods, such as techniques, tactics, procedures and best practices, and on cyber threats and vulnerabilities. For all cooperation with such counterparts, including in frameworks where non-EU counterparts cooperate with national counterparts of Member States, CERT-EU shall seek prior approval from the IICB. Any such cooperation shall respect the democratic integrity of the EU.
Amendment 98 #
Proposal for a regulation Article 17 – paragraph 2 2. CERT-EU may cooperate with other partners, such as commercial entities, international organisations, non-European Union national entities or individual experts, to gather information on general and specific cyber threats, vulnerabilities and possible countermeasures. For wider cooperation with such partners, CERT-EU shall seek prior approval from the IICB. Any such cooperation shall respect the democratic integrity of the EU.
Amendment 99 #
Proposal for a regulation Article 19 – paragraph -1 (new) -1. Union entities may voluntarily provide CERT-EU with information on cyber threats, incidents, near misses and vulnerabilities affecting them. CERT-EU shall ensure that efficient means of communication are available for the purpose of facilitating information sharing with the Union entities. CERT- EU may prioritise the processing of mandatory notifications over voluntary notifications.
source: 731.765
2023/01/23
LIBE
46 amendments...
Amendment 14 #
Proposal for a regulation Recital 2 (2) The cyber threat landscape faced by Union institutions, bodies, offices and agencies is in constant evolution. The tactics, techniques and procedures employed by threat actors are constantly evolving, while the prominent motives for such attacks change little, from stealing valuable undisclosed information to making money, manipulating public opinion or undermining digital infrastructure. The pace at which they conduct their cyberattacks keeps increasing, while their campaigns are increasingly sophisticated and automated, targeting exposed attack surfaces that keep expanding and quickly exploiting vulnerabilities. (This amendment applies throughout the text, namely also under Recitals 3 (x2), 4 (x2), 5, 7 (x3), 8, 9, 10, 11 (x2), 12, 13 (x5), 14 (x2), 15, 16, 17 (x2), 18 (x3), 22, 24 (x2), and Articles 1(a), 1(b), 1(c), 2, 3(1) (x2), 7.1, 8.1 (x2), 9.2(a), 9.3, 10(a), 11, 12.1 (x2), 12.2, 12.2(e), 12.3(a), 12.5(a), 12.5(b), 12.5.(c) (x2), 12.6, 12.7, 13.1(a), 13.1(b), 13.1(c), 15.3, 15.4, 15.5, 16.1, 18.1, 18.2, 18.4, 19.1, 19.2, 20.1, 20.2, 20.4, 21.1(a), 21.2, 21.3, 22.1, 22.2, 22.3, 23, Annex II.)
Amendment 15 #
Proposal for a regulation Recital 2 (2) The cyber threat landscape faced by Union
Amendment 16 #
Proposal for a regulation Recital 3 (3) The Union
Amendment 17 #
Proposal for a regulation Recital 3 a (new) (3 a) Union entities very often handle large amounts of often sensitive information from Member States; incidents could therefore directly and negatively affect Member States. For this reason, the cybersecurity of the Union entities is of high importance for the Member States as well.
Amendment 18 #
Proposal for a regulation Recital 4 (4) The Union institutions, bodies and agencies are attractive targets wh
Amendment 19 #
Proposal for a regulation Recital 6 a (new) (6a) Institutions exposed to multiple cyber attacks must be provided with adequate means and tools to strengthen their cyber resilience. It is essential to ensure that appropriate coordination mechanisms are in place to ensure decision-making in an efficient and effective manner.
Amendment 20 #
Proposal for a regulation Recital 22 (22) All personal data processed under this Regulation should be processed in accordance with data protection legislation including Regulation (EU) 2018/1725 of the European Parliament and of the Council
Amendment 21 #
Proposal for a regulation Recital 22 (22) All personal data processed under this Regulation should be processed in accordance with Union data protection legislation including
Amendment 22 #
Proposal for a regulation Recital 22 (22) All personal data processed under this Regulation should be processed in accordance with data protection legislation including Regulation (EU) 2018/1725 of the European Parliament and of the Council.7
Amendment 23 #
Proposal for a regulation Recital 23 (23) The handling of information by CERT-EU and the Union institutions, bodies, offices and agencies should be in line with
Amendment 24 #
Proposal for a regulation Recital 25 a (new) (25 a) The European Data Protection Supervisor was consulted in accordance with Article 42 of Regulation (EU) 2018/1725 and delivered an opinion on 17 May 2022;
Amendment 25 #
Proposal for a regulation Article 2 – paragraph 1 This Regulation applies to the management, governance and control of cybersecurity risks by all Union institutions, bodies and agencies and to the organisation and operation of CERT-EU and the Interinstitutional Cybersecurity Board. The minimum security requirements should be at least equal or higher than the minimum security requirements of the entities in the NIS 2.0 Directive.
Amendment 26 #
Proposal for a regulation Article 3 – paragraph 1 – point 15
Amendment 27 #
Proposal for a regulation Article 4 – paragraph 5 5. Each Union institution, body and agency shall appoint a Local Cybersecurity Officer or an equivalent function who shall act as its single point of contact regarding all aspects of cybersecurity. The Local Cybersecurity Officer shall cooperate with the data protection officer designated in accordance with Article 43 of Regulation (EU) 2018/1725, when dealing with overlapping activities applying data protection by design and by default to cybersecurity measures, selecting cybersecurity measures that involve protection of personal data, integrated risk management, and integrated security incident handling;
Amendment 28 #
Proposal for a regulation Article 9 – paragraph 3 – subparagraph 1 – point k a (new) (k a) the European Data Protection Supervisor (EDPS).
Amendment 29 #
Proposal for a regulation Article 9 – paragraph 3 – subparagraph 1 – point k a (new) (k a) the European Data Protection Supervisor
Amendment 30 #
Proposal for a regulation Article 9 – paragraph 3 – subparagraph 1 – point k b (new) (k b) Europol
Amendment 31 #
Proposal for a regulation Article 12 – paragraph 2 – point e a (new) (e a) inform without undue delay the European Data Protection Supervisor when it has indications that an infringement by the EU Institutions of the obligations laid down in this Regulation entails unlawful processing of personal data;
Amendment 32 #
Proposal for a regulation Article 12 – paragraph 2 – point e b (new) (e b) work in close cooperation with the European Data Protection Supervisor when addressing incidents resulting in personal data breaches or in breach of confidentiality of electronic communications.
Amendment 33 #
Proposal for a regulation Article 12 – paragraph 7 a (new) 7 a. CERT-EU shall work in close cooperation with the EDPS, when addressing incidents resulting in personal data breaches or in breach of confidentiality of electronic communications. CERT-EU shall inform the EDPS when addressing significant vulnerabilities, significant incidents or major attacks that have the potential to result in personal data breaches and/or in the breach of confidentiality of electronic communications. CERT-EU shall inform without undue delay the EDPS when it has indications that an infringement by the EUIs of the obligations laid down in the Proposal entails a personal data breach.
Amendment 34 #
Proposal for a regulation Article 12 – paragraph 7 a (new) 7 a. CERT-EU shall inform the EDPS when addressing significant vulnerabilities, significant incidents or major attacks that have the potential to result in personal data breaches and/or in the breach of confidentiality of electronic communications.
Amendment 35 #
Proposal for a regulation Article 12 – paragraph 7 b (new)
Amendment 36 #
Proposal for a regulation Chapter V – title V COOPERATION AND REPORTING OBLIGATIONS, PERSONAL DATA
Amendment 37 #
Proposal for a regulation Article 18 – paragraph 2 2. The provisions of Regulation (EC) No 1049/2001 of the European Parliament and the Council9 shall apply with regard to requests for public access to documents held by CERT-EU, including the obligation under that Regulation to consult other Union institutions, bodies and agencies, or a Member State, whenever a request concerns their documents. _________________ 9 Regulation (EC) No 1049/2001 of the
Amendment 38 #
Proposal for a regulation Article 18 – paragraph 3 3. The processing of personal data carried out under this Regulation shall be subject to Regulation (EU) 2018/1725 of the European Parliament and of the Council.
Amendment 39 #
Proposal for a regulation Article 18 – paragraph 3 3. The processing of personal data carried out under this Regulation shall be subject to Regulation (EU) 2018/1725 of the European Parliament and of the Council and shall guarantee a high level of public safety and ensure that the exchange, collection and retention of personal data is limited to what is strictly necessary for a legitimate purpose, thereby securing the protection of privacy rights.
Amendment 40 #
Proposal for a regulation Article 18 – paragraph 4 4. The handling of information by CERT-EU and its Union institutions, bodies, offices and agencies shall be in line with
Amendment 41 #
Proposal for a regulation Article 18 – paragraph 5 5. Any contacts with CERT-EU initiated or sought by national security and intelligence services shall be communicated to the Commission’s Security Directorate, Europol and the chair of the IICB without undue delay.
Amendment 42 #
Proposal for a regulation Article 19 – paragraph 1 1. To enable CERT-EU to coordinate vulnerability management and incident response, it may request Union institutions, bodies and agencies to provide it with information from their respective IT system inventories that is relevant for the CERT-EU support. The requested institution, body or agency shall transmit the requested information, and any subsequent updates thereto, without undue delay. Any sharing of data between CERT-EU and Union institutions, bodies and agencies shall follow the principles of clear safeguards for specific use-cases, use mutual legal assistance treaties and other agreements to ensure a higher level of protection for rights when processing requests for cross-border access to data.
Amendment 43 #
Proposal for a regulation Article 19 – paragraph 1 1. To enable CERT-EU to carry out its tasks as set out in Article 12, and in particular to coordinate vulnerability management and incident response,
Amendment 44 #
Proposal for a regulation Article 19 – paragraph 1 1. To enable CERT-EU to coordinate vulnerability management and incident response, it may request Union institutions, bodies and agencies to provide it with information from their respective IT system inventories that is relevant for the CERT-EU support, including any changes in their IT environment. The requested institution, body or agency shall transmit the requested information, and any subsequent updates thereto, without undue
Amendment 45 #
Proposal for a regulation Article 19 – paragraph 1 a (new) 1 a. Union institutions, bodies and agencies may voluntarily provide CERT-EU with information on cyber threats and incidents, and may moreover request further technical assistance and advice from CERT-EU to combat cybersecurity incidents and attacks. CERT-EU may prioritise the processing of mandatory notifications over voluntary notifications, unless there is a duly justified and urgent need on voluntary requests by Union institutions, bodies and agencies.
Amendment 46 #
Proposal for a regulation Article 19 – paragraph 3 3. CERT-EU may only exchange incident-specific information which reveals the identity of the Union institution, body or agency affected by the incident with the consent of that entity, except where such exchange is essential to prevent an imminent cybersecurity-incident affecting other Union institution, body or agency. CERT-EU may only exchange incident- specific information which reveals the identity of the target of the cybersecurity incident with the consent of the entity affected by the incident, except where such exchange is essential to prevent an imminent cybersecurity-incident affecting other Union institution, body or agency.
Amendment 47 #
Proposal for a regulation Article 19 – paragraph 3 3. CERT-EU may only exchange incident-specific information which reveals the identity of the Union institution, body or agency affected by the incident with the
Amendment 48 #
Proposal for a regulation Article 19 – paragraph 3 – subparagraph 1 (new)
Amendment 49 #
Proposal for a regulation Article 19 – paragraph 4 4. The sharing obligations shall not extend to EU Classified Information (EUCI) and to information that a Union institution, body or agency has received from a Member State Security or Intelligence Service or law enforcement agency under the explicit condition that it will not be shared with CERT-EU, except if Europol decides that the sharing obligation shall be extended to that information.
Amendment 50 #
Proposal for a regulation Article 19 – paragraph 4 4. The sharing obligations shall not extend to EU Classified Information (EUCI) and to information that a Union institution, body or agency has received from a Member State Security or Intelligence Service or law enforcement agency under the explicit condition that it will not be shared with CERT-EU, unless they decide otherwise at a later stage.
Amendment 51 #
Proposal for a regulation Article 20 – paragraph 5 5. The notification obligations shall not extend to EUCI and to information that a Union institution, body or agency has received from a Member State Security or Intelligence Service or law enforcement agency under the explicit condition that it will not be shared with CERT-EU, except if Europol decides that the notification obligation shall be extended to that information.
Amendment 52 #
Proposal for a regulation Article 20 – paragraph 5 5. The notification obligations shall not extend to EUCI and to information that a Union institution, body or agency has received from a Member State Security or Intelligence Service or law enforcement agency under the explicit condition that it will not be shared with CERT-EU, unless they decide otherwise at a later stage.
Amendment 53 #
Proposal for a regulation Article 21 – paragraph 3 – subparagraph 1 (new) Union institutions, bodies, offices and agencies shall provide CERT-EU with information on cyber threats, incidents, near misses and vulnerabilities affecting them. CERT-EU shall ensure that efficient means of communication are available for the purpose of facilitating information sharing with Union institutions, bodies, offices and agencies.
Amendment 54 #
Proposal for a regulation Article 21 – paragraph 4 4. The IICB shall issue guidance on incident response coordination and cooperation for significant incidents. Where the criminal nature of an incident is suspected, CERT-EU shall advise on how to comply with their obligation to report the incident to competent law enforcement authorities.
Amendment 55 #
Proposal for a regulation Article 21 – paragraph 4 4. The IICB shall issue guidance on
Amendment 56 #
Proposal for a regulation Article 21 – paragraph 4 4. The IICB shall issue guidance on incident response coordination and cooperation for significant incidents. Where the criminal nature of an incident is suspected, CERT-EU shall
Amendment 57 #
Proposal for a regulation Article 22 a (new) Article 22 a Transparency After every significant incident and response, CERT-EU shall make the cybersecurity attack public, except if this presents an actual and foreseeable threat to the institution, office, body or agency.
Amendment 58 #
Proposal for a regulation Article 24 a (new)
Amendment 59 #
Proposal for a regulation Annex II – paragraph 1 – point 2 a (new) (2 a) the use of encryption at rest, encryption in transit as well as end-to-end encryption wherever possible;
source: 740.795
History
(these mark the time of scraping, not the official date of the change)
- procedure/stage_reached: "Awaiting Council's 1st reading position" -> "Procedure completed"
- procedure/stage_reached: "Awaiting Parliament's position in 1st reading" -> "Awaiting Council's 1st reading position"
- forecasts/0/title: "Vote in plenary scheduled" -> "Vote scheduled"
- docs/2/docs/0/url: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:C:2022:258:TOC -> https://eur-lex.europa.eu/oj/daily-view/L-series/EN/TXT/?uri=OJ:C:2022:258:TOC
- events/8/date: 2023-09-18 -> 2023-09-19
- forecasts/0/date: 2023-11-08 -> 2023-11-20
- forecasts/0/date: 2023-10-16 -> 2023-11-08
- docs/8/docs/0/url and events/5/docs/0/url: https://www.europarl.europa.eu/doceo/document/A-9-2023-0064_EN.html
- docs/7/docs/0/url: https://www.europarl.europa.eu/doceo/document/LIBE-AD-739801_EN.html
- procedure/Other legal basis: Rules of Procedure EP 159
- procedure/stage_reached: "Awaiting committee decision" -> "Awaiting Parliament's position in 1st reading"
- docs/6/date: 2023-01-31 -> 2023-02-01
- docs/6/docs/0/url: https://www.europarl.europa.eu/doceo/document/AFCO-AD-730184_EN.html
- docs/5/docs/0/url: https://www.europarl.europa.eu/doceo/document/ITRE-AM-738403_EN.html
- docs/4/docs/0/url: https://www.europarl.europa.eu/doceo/document/ITRE-PR-737231_EN.html
- procedure/legal_basis/1: Rules of Procedure EP 57
- docs/3/docs/0/url: https://www.europarl.europa.eu/doceo/document/BUDG-AD-732682_EN.html
- docs/2/date: 2022-07-12 -> 2022-07-13
- docs/0/docs/0/url: http://www.europarl.europa.eu/RegData/docs_autres_institutions/commission_europeenne/com/2022/0122/COM_COM(2022)0122_EN.pdf
- procedure/stage_reached: "Preparatory phase in Parliament" -> "Awaiting committee decision"
- Other record fields (events, docs, committees and their rapporteurs and shadows, forecasts, commission, links, procedure/dossier_of_the_committee, procedure/final) were updated without a recorded old or new value.