REPORT on the proposal for a directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148

04.11.2021 - (COM(2020)0823 – C9‑0422/2020 – 2020/0359(COD)) - ***I

Committee on Industry, Research and Energy
Rapporteur: Bart Groothuis
Rapporteur for the opinion (*):
Lukas Mandl, Committee on Civil Liberties, Justice and Home Affairs
(*) Associated committees – Rule 57 of the Rules of Procedure


Procedure : 2020/0359(COD)
A9-0313/2021

DRAFT EUROPEAN PARLIAMENT LEGISLATIVE RESOLUTION

on the proposal for a directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148

(COM(2020)0823 – C9‑0422/2020 – 2020/0359(COD))

(Ordinary legislative procedure: first reading)

The European Parliament,

– having regard to the Commission proposal to Parliament and the Council (COM(2020)0823),

– having regard to Article 294(2) and Article 114 of the Treaty on the Functioning of the European Union, pursuant to which the Commission submitted the proposal to Parliament (C9‑0422/2020),

– having regard to Article 294(3) of the Treaty on the Functioning of the European Union,

– having regard to the opinion of the European Economic and Social Committee of 27 April 2021[1],

– after consulting the Committee of the Regions,

– having regard to Rule 59 of its Rules of Procedure,

– having regard to the opinions of the Committee on Civil Liberties, Justice and Home Affairs, the Committee on Foreign Affairs, the Committee on the Internal Market and Consumer Protection and the Committee on Transport and Tourism,

– having regard to the report of the Committee on Industry, Research and Energy (A9-0313/2021),

1. Adopts its position at first reading hereinafter set out;

2. Calls on the Commission to refer the matter to Parliament again if it replaces, substantially amends or intends to substantially amend its proposal;

3. Instructs its President to forward its position to the Council, the Commission and the national parliaments.


Amendment 1

Proposal for a directive
Title

Text proposed by the Commission

Proposal for a
DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148

Amendment

Proposal for a
DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
on measures for a high common level of cybersecurity across the Union (NIS 2 Directive), repealing Directive (EU) 2016/1148

Amendment 2

Proposal for a directive
Recital 1

Text proposed by the Commission

(1) Directive (EU) 2016/1148 of the European Parliament and the Council[11] aimed at building cybersecurity capabilities across the Union, mitigating threats to network and information systems used to provide essential services in key sectors and ensuring the continuity of such services when facing cybersecurity incidents, thus contributing to the Union's economy and society to function effectively.

Amendment

(1) Directive (EU) 2016/1148 of the European Parliament and the Council[11], commonly known as the 'NIS directive', aimed at building cybersecurity capabilities across the Union, mitigating threats to network and information systems used to provide essential services in key sectors and ensuring the continuity of such services when facing cybersecurity incidents, thus contributing to the Union's security and to the effective functioning of its economy and society.

__________________

[11] Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (OJ L 194/1, 19.7.2016 p. 1).

Amendment 3

Proposal for a directive
Recital 3

Text proposed by the Commission

(3) Network and information systems have developed into a central feature of everyday life with the speedy digital transformation and interconnectedness of society, including in cross-border exchanges. That development has led to an expansion of the cybersecurity threat landscape, bringing about new challenges, which require adapted, coordinated and innovative responses in all Member States. The number, magnitude, sophistication, frequency and impact of cybersecurity incidents are increasing, and present a major threat to the functioning of network and information systems. As a result, cyber incidents can impede the pursuit of economic activities in the internal market, generate financial losses, undermine user confidence and cause major damage to the Union economy and society. Cybersecurity preparedness and effectiveness are therefore now more essential than ever to the proper functioning of the internal market.

Amendment

(3) Network and information systems have developed into a central feature of everyday life with the speedy digital transformation and interconnectedness of society, including in cross-border exchanges. That development has led to an expansion of the cybersecurity threat landscape, bringing about new challenges, which require adapted, coordinated and innovative responses in all Member States. The number, magnitude, sophistication, frequency and impact of cybersecurity incidents are increasing, and present a major threat to the functioning of network and information systems. As a result, cyber incidents can impede the pursuit of economic activities in the internal market, generate financial losses, undermine user confidence and cause major damage to the Union economy and society. Cybersecurity preparedness and effectiveness are therefore now more essential than ever to the proper functioning of the internal market. Moreover, cybersecurity is a key enabler for many critical sectors to successfully embrace the digital transformation and to fully grasp the economic, social and sustainable benefits of digitalisation.

Amendment 4

Proposal for a directive
Recital 3 a (new)

Text proposed by the Commission

Amendment

(3a) Large-scale cybersecurity incidents and crises at Union level require coordinated action to ensure a rapid and effective response, because of the high degree of interdependence between sectors and countries. The availability of cyber-resilient networks and information systems and the availability, confidentiality and integrity of data are vital for the security of the Union within as well as beyond its borders, as cyber threats could originate from outside the Union. The Union’s ambition to acquire a more prominent geopolitical role also rests on credible cyber defence and deterrence, including the capacity to identify malicious actions in a timely and effective manner and to respond adequately.

Amendment 5

Proposal for a directive
Recital 5

Text proposed by the Commission

(5) All those divergences entail a fragmentation of the internal market and are liable to have a prejudicial effect on its functioning, affecting in particular the cross-border provision of services and level of cybersecurity resilience due to the application of different standards. This Directive aims to remove such wide divergences among Member States, in particular by setting out minimum rules regarding the functioning of a coordinated regulatory framework, by laying down mechanisms for the effective cooperation among the responsible authorities in each Member State, by updating the list of sectors and activities subject to cybersecurity obligations and by providing effective remedies and sanctions which are instrumental to the effective enforcement of those obligations. Therefore, Directive (EU) 2016/1148 should be repealed and replaced by this Directive.

Amendment

(5) All those divergences entail a fragmentation of the internal market and are liable to have a prejudicial effect on its functioning, affecting in particular the cross-border provision of services and level of cybersecurity resilience due to the application of different standards. Ultimately, those divergences could lead to higher vulnerability of some Member States to cybersecurity threats, with potential spill-over effects across the Union. This Directive aims to remove such wide divergences among Member States, in particular by setting out minimum rules regarding the functioning of a coordinated regulatory framework, by laying down mechanisms for the effective cooperation among the responsible authorities in each Member State, by updating the list of sectors and activities subject to cybersecurity obligations and by providing effective remedies and sanctions which are instrumental to the effective enforcement of those obligations. Therefore, Directive (EU) 2016/1148 should be repealed and replaced by this Directive (NIS 2 Directive).

Amendment 6

Proposal for a directive
Recital 6

Text proposed by the Commission

(6) This Directive leaves unaffected the ability of Member States to take the necessary measures to ensure the protection of the essential interests of their security, to safeguard public policy and public security, and to allow for the investigation, detection and prosecution of criminal offences, in compliance with Union law. In accordance with Article 346 TFEU, no Member State is to be obliged to supply information the disclosure of which would be contrary to the essential interests of its public security. In this context, national and Union rules for protecting classified information, non-disclosure agreements, and informal non-disclosure agreements such as the Traffic Light Protocol[14], are of relevance.

Amendment

(6) This Directive leaves unaffected the ability of Member States to take the necessary measures to ensure the protection of the essential interests of their security, to safeguard public policy and public security, and to allow for the prevention, investigation, detection and prosecution of criminal offences, in compliance with Union law. In accordance with Article 346 TFEU, no Member State is to be obliged to supply information the disclosure of which would be contrary to the essential interests of its public security. In this context, national and Union rules for protecting classified information, non-disclosure agreements, and informal non-disclosure agreements such as the Traffic Light Protocol[14], are of relevance.

__________________

[14] The Traffic Light Protocol (TLP) is a means for someone sharing information to inform their audience about any limitations in further spreading this information. It is used in almost all CSIRT communities and some Information Analysis and Sharing Centres (ISACs).

Amendment 7

Proposal for a directive
Recital 7

Text proposed by the Commission

(7) With the repeal of Directive (EU) 2016/1148, the scope of application by sectors should be extended to a larger part of the economy in light of the considerations set out in recitals (4) to (6). The sectors covered by Directive (EU) 2016/1148 should therefore be extended to provide a comprehensive coverage of the sectors and services of vital importance for key societal and economic activities within the internal market. The rules should not be different according to whether the entities are operators of essential services or digital service providers. That differentiation has proven obsolete, since it does not reflect the actual importance of the sectors or services for the societal and economic activities in the internal market.

Amendment

(7) With the repeal of Directive (EU) 2016/1148, the scope of application by sectors should be extended to a larger part of the economy in light of the considerations set out in recitals (4) to (6). The sectors covered by Directive (EU) 2016/1148 should therefore be extended to provide a comprehensive coverage of the sectors and services of vital importance for key societal and economic activities within the internal market. The risk management requirements and reporting obligations should not be different according to whether the entities are operators of essential services or digital service providers. That differentiation has proven obsolete, since it does not reflect the actual importance of the sectors or services for the societal and economic activities in the internal market.

Amendment 8

Proposal for a directive
Recital 8

Text proposed by the Commission

(8) In accordance with Directive (EU) 2016/1148, Member States were responsible for determining which entities meet the criteria to qualify as operators of essential services (‘identification process’). In order to eliminate the wide divergences among Member States in that regard and ensure legal certainty for the risk management requirements and reporting obligations for all relevant entities, a uniform criterion should be established that determines the entities falling within the scope of application of this Directive. That criterion should consist of the application of the size-cap rule, whereby all medium and large enterprises, as defined by Commission Recommendation 2003/361/EC[15], that operate within the sectors or provide the type of services covered by this Directive, fall within its scope. Member States should not be required to establish a list of the entities that meet this generally applicable size-related criterion.

Amendment

(8) In accordance with Directive (EU) 2016/1148, Member States were responsible for determining which entities meet the criteria to qualify as operators of essential services (‘identification process’). In order to eliminate the wide divergences among Member States in that regard and ensure legal certainty for the risk management requirements and reporting obligations for all relevant entities, a uniform criterion should be established that determines the entities falling within the scope of application of this Directive. That criterion should consist of the application of the size-cap rule, whereby all medium and large enterprises, as defined by Commission Recommendation 2003/361/EC[15], that operate within the sectors or provide the type of services covered by this Directive, fall within its scope.

__________________

[15] Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (OJ L 124, 20.5.2003, p. 36).

Amendment 9

Proposal for a directive
Recital 9

Text proposed by the Commission

(9) However, small or micro entities fulfilling certain criteria that indicate a key role for the economies or societies of Member States or for particular sectors or types of services, should also be covered by this Directive. Member States should be responsible for establishing a list of such entities, and submit it to the Commission.

Amendment

(9) However, small or micro entities fulfilling certain criteria that indicate a key role for the economies or societies of Member States or for particular sectors or types of services, should also be covered by this Directive.

Amendment 10

Proposal for a directive
Recital 9 a (new)

Text proposed by the Commission

Amendment

(9a) Member States should establish a list of all essential and important entities. That list should include the entities that meet the generally applicable size-related criteria as well as the small enterprises and microenterprises that fulfil certain criteria that indicate their key role for the economies or societies of Member States. In order for computer security incident response teams (CSIRTs) and competent authorities to provide assistance and to warn entities about cyber incidents that could affect them, it is important that those authorities have the correct contact details of the entities. Essential and important entities should therefore submit at least the following information to the competent authorities: the name of the entity, the address and up-to-date contact details, including email addresses, IP ranges, telephone numbers and relevant sector(s) and subsector(s) referred to in Annexes I and II. The entities should notify the competent authorities of any changes to that information. Member States should, without undue delay, ensure that that information can be easily provided through a single entry point. To that end, ENISA, in cooperation with the Cooperation Group, should without undue delay issue guidelines and templates regarding the notification obligations. Member States should notify the Commission and the Cooperation Group of the number of essential and important entities. Member States should also notify the Commission, for the purpose of the review referred to in this Directive, of the names of the small enterprises and microenterprises identified as essential and important entities, in order to enable the Commission to assess consistency among the Member States’ approaches. That information should be handled as strictly confidential.

Amendment 11

Proposal for a directive
Recital 10

Text proposed by the Commission

(10) The Commission, in cooperation with the Cooperation Group, may issue guidelines on the implementation of the criteria applicable to micro and small enterprises.

Amendment

(10) The Commission, in cooperation with the Cooperation Group and relevant stakeholders, should issue guidelines on the implementation of the criteria applicable to microenterprises and small enterprises. The Commission should also ensure that appropriate guidance is given to all micro and small enterprises falling within the scope of this Directive. The Commission should, with the support of the Member States, provide microenterprises and small enterprises with information in that regard.

Amendment 12

Proposal for a directive
Recital 10 a (new)

Text proposed by the Commission

Amendment

(10a) The Commission should also issue guidelines to support Member States in correctly implementing the provisions on the scope, and to evaluate the proportionality of the obligations set out by this Directive, in particular as regards entities with complex business models or operating environments, whereby an entity may simultaneously fulfil the criteria assigned to both essential and important entities, or may simultaneously conduct activities that are some within and some outside the scope of this Directive.

Amendment 13

Proposal for a directive
Recital 12

Text proposed by the Commission

(12) Sector-specific legislation and instruments can contribute to ensuring high levels of cybersecurity, while taking full account of the specificities and complexities of those sectors. Where a sector-specific Union legal act requires essential or important entities to adopt cybersecurity risk management measures or to notify incidents or significant cyber threats of at least an equivalent effect to the obligations laid down in this Directive, those sector-specific provisions, including on supervision and enforcement, should apply. The Commission may issue guidelines in relation to the implementation of the lex specialis. This Directive does not preclude the adoption of additional sector-specific Union acts addressing cybersecurity risk management measures and incident notifications. This Directive is without prejudice to the existing implementing powers that have been conferred to the Commission in a number of sectors, including transport and energy.

Amendment

(12) Sector-specific legislation and instruments can contribute to ensuring high levels of cybersecurity, while taking full account of the specificities and complexities of those sectors. Sector-specific Union legal acts that require essential or important entities to adopt cybersecurity risk management measures or to report significant incidents should, where possible, be consistent with the terminology, and refer to the definitions laid down in this Directive. Where a sector-specific Union legal act requires essential or important entities to adopt cybersecurity risk management measures or to notify incidents, and where those requirements are of at least an equivalent effect to the obligations laid down in this Directive, and apply to the entirety of the security aspects of the operations and services provided by essential and important entities, those sector-specific provisions, including on supervision and enforcement, should apply. The Commission should issue comprehensive guidelines in relation to the implementation of the lex specialis, taking into account relevant opinions, expertise and best practices of ENISA and the Cooperation Group. This Directive does not preclude the adoption of additional sector-specific Union acts addressing cybersecurity risk management measures and incident notifications that duly take into account the need for a comprehensive and consistent cybersecurity framework. This Directive is without prejudice to the existing implementing powers that have been conferred to the Commission in a number of sectors, including transport and energy.

Amendment 14

Proposal for a directive
Recital 14

Text proposed by the Commission

(14) In view of the interlinkages between cybersecurity and the physical security of entities, a coherent approach should be ensured between Directive (EU) XXX/XXX of the European Parliament and of the Council[17] and this Directive. To achieve this, Member States should ensure that critical entities, and equivalent entities, pursuant to Directive (EU) XXX/XXX are considered to be essential entities under this Directive. Member States should also ensure that their cybersecurity strategies provide for a policy framework for enhanced coordination between the competent authority under this Directive and the one under Directive (EU) XXX/XXX in the context of information sharing on incidents and cyber threats and the exercise of supervisory tasks. Authorities under both Directives should cooperate and exchange information, particularly in relation to the identification of critical entities, cyber threats, cybersecurity risks, incidents affecting critical entities as well as on the cybersecurity measures taken by critical entities. Upon request of competent authorities under Directive (EU) XXX/XXX, competent authorities under this Directive should be allowed to exercise their supervisory and enforcement powers on an essential entity identified as critical. Both authorities should cooperate and exchange information for this purpose.

Amendment

(14) In view of the interlinkages between cybersecurity and the physical security of entities, a coherent approach should be ensured between Directive (EU) XXX/XXX of the European Parliament and of the Council[17] and this Directive. To achieve this, Member States should ensure that critical entities, and equivalent entities, pursuant to Directive (EU) XXX/XXX are considered to be essential entities under this Directive. Member States should also ensure that their cybersecurity strategies provide for a policy framework for enhanced coordination between the competent authorities within and between Member States, under this Directive and the one under Directive (EU) XXX/XXX in the context of information sharing on incidents and cyber threats and the exercise of supervisory tasks. Authorities under both Directives should cooperate and exchange information without undue delay, particularly in relation to the identification of critical entities, cyber threats, cybersecurity risks, incidents affecting critical entities as well as on the cybersecurity measures taken by critical entities. Upon request of competent authorities under Directive (EU) XXX/XXX, competent authorities under this Directive should be allowed to exercise their supervisory and enforcement powers on an essential entity identified as critical. Both authorities should cooperate and exchange information, where possible in real time, for this purpose.

__________________

[17] [insert the full title and OJ publication reference when known]

Amendment 15

Proposal for a directive
Recital 15

Text proposed by the Commission

(15) Upholding and preserving a reliable, resilient and secure domain name system (DNS) is a key factor in maintaining the integrity of the Internet and is essential for its continuous and stable operation, on which the digital economy and society depend. Therefore, this Directive should apply to all providers of DNS services along the DNS resolution chain, including operators of root name servers, top-level-domain (TLD) name servers, authoritative name servers for domain names and recursive resolvers.

Amendment

(15) Upholding and preserving a reliable, resilient and secure domain name system (DNS) is a key factor in maintaining the integrity of the Internet and is essential for its continuous and stable operation, on which the digital economy and society depend. Therefore, this Directive should apply to top-level-domain (TLD) name servers, publicly available recursive domain name resolution services for internet end-users and authoritative domain name resolution services. This Directive does not apply to root name servers.

Amendment 16

Proposal for a directive
Recital 19

Text proposed by the Commission

(19) Postal service providers within the meaning of Directive 97/67/EC of the European Parliament and of the Council[18], as well as express and courier delivery service providers, should be subject to this Directive if they provide at least one of the steps in the postal delivery chain and in particular clearance, sorting or distribution, including pick-up services. Transport services that are not undertaken in conjunction with one of those steps should fall outside of the scope of postal services.

Amendment

(19) Postal service providers within the meaning of Directive 97/67/EC of the European Parliament and of the Council[18], as well as express and courier delivery service providers, should be subject to this Directive if they provide at least one of the steps in the postal delivery chain and in particular clearance, sorting or distribution, including pick-up services, while taking into account the degree of their dependence on network and information systems. Transport services that are not undertaken in conjunction with one of those steps should fall outside of the scope of postal services.

__________________

[18] Directive 97/67/EC of the European Parliament and of the Council of 15 December 1997 on common rules for the development of the internal market of Community postal services and the improvement of quality of service (OJ L 15, 21.1.1998, p. 14).

Amendment 17

Proposal for a directive
Recital 20

Text proposed by the Commission

(20) Those growing interdependencies are the result of an increasingly cross-border and interdependent network of service provision using key infrastructures across the Union in the sectors of energy, transport, digital infrastructure, drinking and waste water, health, certain aspects of public administration, as well as space in as far as the provision of certain services depending on ground-based infrastructures that are owned, managed and operated either by Member States or by private parties is concerned, therefore not covering infrastructures owned, managed or operated by or on behalf of the Union as part of its space programmes. Those interdependencies mean that any disruption, even one initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts in the delivery of services across the internal market. The COVID-19 pandemic has shown the vulnerability of our increasingly interdependent societies in the face of low-probability risks.

Amendment

(20) Those growing interdependencies are the result of an increasingly cross-border and interdependent network of service provision using key infrastructures across the Union in the sectors of energy, transport, digital infrastructure, drinking and waste water, health, certain aspects of public administration, as well as space in as far as the provision of certain services depending on ground-based infrastructures that are owned, managed and operated either by Member States or by private parties is concerned, therefore not covering infrastructures owned, managed or operated by or on behalf of the Union as part of its space programmes. Those interdependencies mean that any disruption, even one initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts in the delivery of services across the internal market. The intensified attacks against network and information systems during the COVID-19 pandemic have shown the vulnerability of our increasingly interdependent societies in the face of low-probability risks.

Amendment 18

Proposal for a directive
Recital 24

Text proposed by the Commission

(24) Member States should be adequately equipped, in terms of both technical and organisational capabilities, to prevent, detect, respond to and mitigate network and information system incidents and risks. Member States should therefore ensure that they have well-functioning CSIRTs, also known as computer emergency response teams (‘CERTs’), complying with essential requirements in order to guarantee effective and compatible capabilities to deal with incidents and risks and to ensure efficient cooperation at Union level. In view of enhancing the trust relationship between the entities and the CSIRTs, in cases where a CSIRT is part of the competent authority, Member States should consider functional separation between the operational tasks provided by CSIRTs, notably in relation to information sharing and support to the entities, and the supervisory activities of competent authorities.

Amendment

(24) Member States should be adequately equipped, in terms of both technical and organisational capabilities, to prevent, detect, respond to and mitigate network and information system incidents and risks. Member States should therefore designate one or more CSIRTs under this Directive and ensure that they are well-functioning, complying with essential requirements in order to guarantee effective and compatible capabilities to deal with incidents and risks and to ensure efficient cooperation at Union level. Member States may designate existing computer emergency response teams (CERTs) as CSIRTs. In view of enhancing the trust relationship between the entities and the CSIRTs, in cases where a CSIRT is part of the competent authority, Member States should consider functional separation between the operational tasks provided by CSIRTs, notably in relation to information sharing and support to the entities, and the supervisory activities of competent authorities.

Amendment  19

Proposal for a directive

Recital 25

Text proposed by the Commission

Amendment

(25) As regards personal data, CSIRTs should be able to provide, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council19 as regards personal data, on behalf of and upon request by an entity under this Directive, a proactive scanning of the network and information systems used for the provision of their services. Member States should aim at ensuring an equal level of technical capabilities for all sectorial CSIRTs. Member States may request the assistance of the European Union Agency for Cybersecurity (ENISA) in developing national CSIRTs.

(25) As regards personal data, CSIRTs should be able to provide, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council19 as regards personal data, on behalf of and upon request by an entity under this Directive, or, in the case of a serious threat to national security, a proactive scanning of the network and information systems used for the provision of their services. Member States should aim at ensuring an equal level of technical capabilities for all sectorial CSIRTs. Member States may request the assistance of the European Union Agency for Cybersecurity (ENISA) in developing national CSIRTs.

__________________

19 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).

Amendment  20

Proposal for a directive

Recital 25 a (new)

Text proposed by the Commission

Amendment

(25a) CSIRTs should have the ability to, upon an entity's request, continuously discover, manage and monitor all internet-facing assets, both on premises and off premises, to understand their overall organisational risk to newly discovered supply chain compromises or critical vulnerabilities. The knowledge of whether an entity runs a privileged management interface affects the speed of undertaking mitigating actions.

Amendment  21

Proposal for a directive

Recital 26

Text proposed by the Commission

Amendment

(26) Given the importance of international cooperation on cybersecurity, CSIRTs should be able to participate in international cooperation networks in addition to the CSIRTs network established by this Directive.

(26) Given the importance of international cooperation on cybersecurity, CSIRTs should be able to participate in international cooperation networks, including with CSIRTs from third countries where information exchange is reciprocal and beneficial to the security of citizens and entities, in addition to the CSIRTs network established by this Directive, in order to contribute to the development of Union standards that can shape the cybersecurity landscape at international level. Member States could also explore the possibility of increasing cooperation with like-minded partner countries and international organisations with the aim to secure multilateral agreements on cyber norms, responsible state and non-state behaviour in cyberspace and effective global digital governance as well as to create an open, free, stable and secure cyberspace based on international law.

Amendment  22

Proposal for a directive

Recital 26 a (new)

Text proposed by the Commission

Amendment

(26a) Cyber hygiene policies provide the foundations for protecting network and information system infrastructures, hardware, software and online application security, and business or end-user data on which entities rely. Cyber hygiene policies comprising a common baseline set of practices including, but not limited to, software and hardware updates, password changes, management of new installs, limitation of administrator-level access accounts, and backing up of data, enable a proactive framework of preparedness and overall safety and security in the event of incidents or threats. ENISA should monitor and assess Member States’ cyber hygiene policies, and explore Union-wide schemes to enable cross-border checks ensuring equivalence independent of Member State requirements.

Amendment  23

Proposal for a directive

Recital 26 b (new)

Text proposed by the Commission

Amendment

(26b) The use of artificial intelligence (AI) in cybersecurity has the potential of improving the detection and to stop attacks against network and information systems, enabling resources to be diverted towards more sophisticated attacks. Member States should therefore encourage in their national strategies the use of (semi-)automated tools in cybersecurity and the sharing of data needed to train and improve automated tools in cybersecurity. In order to mitigate risks of undue interference with the rights and freedoms of individuals that AI-enabled systems might pose, the requirements of data protection by design and by default laid down in Article 25 of Regulation (EU) 2016/679 shall apply. Integrating appropriate safeguards such as pseudonymisation, encryption, data accuracy and data minimisation could furthermore mitigate such risks.

Amendment  24

Proposal for a directive

Recital 26 c (new)

Text proposed by the Commission

Amendment

(26c) Open-source cybersecurity tools and applications can contribute to a higher degree of transparency and can have a positive impact on the efficiency of industrial innovation. Open standards facilitate interoperability between security tools, benefitting the security of industrial stakeholders. Open-source cybersecurity tools and applications can leverage the wider developer community, enabling entities to pursue vendor diversification and open security strategies. Open security can lead to a more transparent verification process of cybersecurity related tools and a community-driven process of discovering vulnerabilities. Member States should therefore promote the adoption of open-source software and open standards by pursuing policies relating to the use of open data and open-source as part of security through transparency. Policies promoting the adoption and sustainable use of open-source cybersecurity tools are of particular importance for small and medium-sized enterprises (SMEs) facing significant costs for implementation, which could be minimised by reducing the need for specific applications or tools.

Amendment  25

Proposal for a directive

Recital 26 d (new)

Text proposed by the Commission

Amendment

(26d) Public-Private Partnerships (PPPs) in the field of cybersecurity can provide the right framework for knowledge exchange, sharing of best practices and the establishment of a common level of understanding among all stakeholders. Member States should adopt policies underpinning the establishment of cybersecurity-specific PPPs as part of their national cybersecurity strategies. Those policies should clarify, inter alia, the scope and stakeholders involved, the governance model, the available funding options and the interaction among participating stakeholders. PPPs can leverage the expertise of private sector entities to support Member States’ competent authorities in developing state-of-the-art services and processes including, but not limited to, information exchange, early warnings, cyber threat and incident exercises, crisis management, and resilience planning.

Amendment  26

Proposal for a directive

Recital 27

Text proposed by the Commission

Amendment

(27) In accordance with the Annex to Commission Recommendation (EU) 2017/1548 on Coordinated Response to Large Scale Cybersecurity Incidents and Crises (‘Blueprint’)20, a large-scale incident should mean an incident with a significant impact on at least two Member States or whose disruption exceeds a Member State’s capacity to respond to it. Depending on their cause and impact, large-scale incidents may escalate and turn into fully-fledged crises not allowing the proper functioning of the internal market. Given the wide-ranging scope and, in most cases, the cross-border nature of such incidents, Member States and relevant Union institutions, bodies and agencies should cooperate at technical, operational and political level to properly coordinate the response across the Union.

(27) In accordance with the Annex to Commission Recommendation (EU) 2017/1548 on Coordinated Response to Large Scale Cybersecurity Incidents and Crises (‘Blueprint’)20, a large-scale incident should mean an incident with a significant impact on at least two Member States or whose disruption exceeds a Member State’s capacity to respond to it. Depending on their cause and impact, large-scale incidents may escalate and turn into fully-fledged crises not allowing the proper functioning of the internal market or posing serious public security and safety risks for entities or citizens in several Member States or the Union as a whole. Given the wide-ranging scope and, in most cases, the cross-border nature of such incidents, Member States and relevant Union institutions, bodies and agencies should cooperate at technical, operational and political level to properly coordinate the response across the Union.

__________________

20 Commission Recommendation (EU) 2017/1584 of 13 September 2017 on coordinated response to large-scale cybersecurity incidents and crises (OJ L 239, 19.9.2017, p. 36).

Amendment  27

Proposal for a directive

Recital 27 a (new)

Text proposed by the Commission

Amendment

(27a) Member States should, in their national cybersecurity strategies, address specific cybersecurity needs of SMEs. SMEs represent, in the Union context, a large percentage of the industrial and business market and they are often struggling to adapt to new business practices in a more connected world, navigating the digital environment, with employees working from home and business increasingly being conducted online. Some SMEs face specific cybersecurity challenges such as low cyber-awareness, a lack of remote IT security, the high cost of cybersecurity solutions and an increased level of threat, such as ransomware, for which they should receive guidance and support. Member States should have a cybersecurity single point of contact for SMEs, which either provides guidance and support to SMEs or directs them to the appropriate bodies for guidance and support on cybersecurity related issues. Member States are encouraged to also offer services such as website configuration and logging enabling to small enterprises and microenterprises that lack those capabilities.

Amendment  28

Proposal for a directive

Recital 27 b (new)

Text proposed by the Commission

Amendment

(27b) Member States should adopt policies on the promotion of active cyber defence as part of their national cybersecurity strategies. Active cyber defence is the proactive prevention, detection, monitoring, analysis and mitigation of network security breaches, combined with the use of capabilities deployed within and outside the victim network. The ability to rapidly and automatically share and understand threat information and analysis, cyber activity alerts, and response action is critical to enabling a unity of effort in successfully detecting, preventing and addressing attacks against network and information systems. Active cyber defence is based on a defensive strategy that excludes offensive measures against critical civilian infrastructure.

Amendment  29

Proposal for a directive

Recital 28

Text proposed by the Commission

Amendment

(28) Since the exploitation of vulnerabilities in network and information systems may cause significant disruption and harm, swiftly identifying and remedying those vulnerabilities is an important factor in reducing cybersecurity risk. Entities that develop such systems should therefore establish appropriate procedures to handle vulnerabilities when they are discovered. Since vulnerabilities are often discovered and reported (disclosed) by third parties (reporting entities), the manufacturer or provider of ICT products or services should also put in place the necessary procedures to receive vulnerability information from third parties. In this regard, international standards ISO/IEC 30111 and ISO/IEC 29417 provide guidance on vulnerability handling and vulnerability disclosure respectively. As regards vulnerability disclosure, coordination between reporting entities and manufacturers or providers of ICT products or services is particularly important. Coordinated vulnerability disclosure specifies a structured process through which vulnerabilities are reported to organisations in a manner allowing the organisation to diagnose and remedy the vulnerability before detailed vulnerability information is disclosed to third parties or to the public. Coordinated vulnerability disclosure should also comprise coordination between the reporting entity and the organisation as regards the timing of remediation and publication of vulnerabilities.

(28) Since the exploitation of vulnerabilities in network and information systems may cause significant disruption and harm, swiftly identifying and remedying those vulnerabilities is an important factor in reducing cybersecurity risk. Entities that develop such systems should therefore establish appropriate procedures to handle vulnerabilities when they are discovered. Since vulnerabilities are often discovered and reported (disclosed) by third parties (reporting entities), the manufacturer or provider of ICT products or services should also put in place the necessary procedures to receive vulnerability information from third parties. In this regard, international standards ISO/IEC 30111 and ISO/IEC 29417 provide guidance on vulnerability handling and vulnerability disclosure respectively. Strengthening the coordination between reporting entities and manufacturers or providers of ICT products or services is particularly important to facilitate the voluntary framework of vulnerability disclosure. Coordinated vulnerability disclosure specifies a structured process through which vulnerabilities are reported to organisations in a manner allowing the organisation to diagnose and remedy the vulnerability before detailed vulnerability information is disclosed to third parties or to the public. Coordinated vulnerability disclosure should also comprise coordination between the reporting entity and the organisation as regards the timing of remediation and publication of vulnerabilities.

Amendment  30

Proposal for a directive

Recital 28 a (new)

Text proposed by the Commission

Amendment

(28a) The Commission, ENISA and the Member States should continue to foster international alignment with standards and existing industry best practices in the area of risk management, for example in the areas of supply chain security assessments, information sharing and vulnerability disclosure.

Amendment  31

Proposal for a directive

Recital 29

Text proposed by the Commission

Amendment

(29) Member States should therefore take measures to facilitate coordinated vulnerability disclosure by establishing a relevant national policy. In this regard, Member States should designate a CSIRT to take the role of ‘coordinator’, acting as an intermediary between the reporting entities and the manufacturers or providers of ICT products or services where necessary. The tasks of the CSIRT coordinator should in particular include identifying and contacting concerned entities, supporting reporting entities, negotiating disclosure timelines, and managing vulnerabilities that affect multiple organisations (multi-party vulnerability disclosure). Where vulnerabilities affect multiple manufacturers or providers of ICT products or services established in more than one Member State, the designated CSIRTs from each of the affected Member States should cooperate within the CSIRTs Network.

(29) Member States, in cooperation with ENISA, should therefore take measures to facilitate coordinated vulnerability disclosure by establishing a relevant national policy. In that national policy, Member States should address problems encountered by vulnerability researchers. Entities and natural persons researching vulnerabilities may in some Member States be exposed to criminal and civil liability. Member States are therefore encouraged to issue guidelines as regards the non-prosecution of information security research and an exemption from civil liability for those activities.

Amendment  32

Proposal for a directive

Recital 29 a (new)

Text proposed by the Commission

Amendment

(29a) Member States should designate a CSIRT to take the role of ‘coordinator’, acting as an intermediary between the reporting entities and the manufacturers or providers of ICT products or services, which are likely to be affected by the vulnerability, where necessary. The tasks of the CSIRT coordinator should in particular include identifying and contacting concerned entities, supporting reporting entities, negotiating disclosure timelines, and managing vulnerabilities that affect multiple organisations (multi-party vulnerability disclosure). Where vulnerabilities affect multiple manufacturers or providers of ICT products or services established in more than one Member State, the designated CSIRTs from each of the affected Member States should cooperate within the CSIRTs Network.

Amendment  33

Proposal for a directive

Recital 30

Text proposed by the Commission

Amendment

(30) Access to correct and timely information on vulnerabilities affecting ICT products and services contributes to an enhanced cybersecurity risk management. In that regard, sources of publicly available information on vulnerabilities are an important tool for entities and their users, but also national competent authorities and CSIRTs. For this reason, ENISA should establish a vulnerability registry where, essential and important entities and their suppliers, as well as entities which do not fall in the scope of application of this Directive may, on a voluntary basis, disclose vulnerabilities and provide the vulnerability information that allows users to take appropriate mitigating measures.

(30) Access to correct and timely information on vulnerabilities affecting ICT products and services contributes to an enhanced cybersecurity risk management. Sources of publicly available information on vulnerabilities are an important tool for entities and their users, but also for national competent authorities and CSIRTs. For this reason, ENISA should establish a vulnerability database where, essential and important entities and their suppliers, as well as entities which do not fall within the scope of application of this Directive may, on a voluntary basis, disclose vulnerabilities and provide the vulnerability information that allows users to take appropriate mitigating measures. The aim of that database is to address the unique challenges posed by cybersecurity risks to European entities. Furthermore, ENISA should establish a responsible procedure regarding the publication process, in order to give entities the time to take mitigating measures as regards their vulnerabilities, and employ state-of-the-art cybersecurity measures, as well as machine-readable datasets and corresponding interfaces (API). To encourage a culture of disclosure of vulnerabilities, a disclosure should be without detriment to the reporting entity.

Amendment  34

Proposal for a directive

Recital 31

Text proposed by the Commission

Amendment

(31) Although similar vulnerability registries or databases do exist, these are hosted and maintained by entities which are not established in the Union. A European vulnerability registry maintained by ENISA would provide improved transparency regarding the publication process before the vulnerability is officially disclosed, and resilience in cases of disruptions or interruptions on the provision of similar services. To avoid duplication of efforts and seek complementarity to the extent possible, ENISA should explore the possibility of entering into structured cooperation agreements with similar registries in third country jurisdictions.

(31) The European vulnerability database maintained by ENISA should leverage the Common Vulnerabilities and Exposures (CVE) registry, through the use of its framework for identification, tracking and scoring of vulnerabilities. Furthermore, ENISA should explore the possibility to enter into structured cooperation agreements with other similar registries or databases under the third country jurisdictions, to avoid duplications of efforts and to seek complementarity.

Amendment  35

Proposal for a directive

Recital 33

Text proposed by the Commission

Amendment

(33) When developing guidance documents, the Cooperation Group should consistently: map national solutions and experiences, assess the impact of Cooperation Group deliverables on national approaches, discuss implementation challenges and formulate specific recommendations to be addressed through better implementation of existing rules.

(33) When developing guidance documents, the Cooperation Group should consistently: map national solutions and experiences, assess the impact of Cooperation Group deliverables on national approaches, discuss implementation challenges and formulate specific recommendations, in particular as regards facilitating the alignment in the transposition of this Directive among Member States, to be addressed through better implementation of existing rules. The Cooperation Group should also map the national solutions in order to promote compatibility of cybersecurity solutions applied to each specific sector across the Union. This is particularly relevant for the sectors that have an international and cross-border nature.

Amendment  36

Proposal for a directive

Recital 34

Text proposed by the Commission

Amendment

(34) The Cooperation Group should remain a flexible forum and be able to react to changing and new policy priorities and challenges while taking into account the availability of resources. It should organize regular joint meetings with relevant private stakeholders from across the Union to discuss activities carried out by the Group and gather input on emerging policy challenges. In order to enhance cooperation at Union level, the Group should consider inviting Union bodies and agencies involved in cybersecurity policy, such as the European Cybercrime Centre (EC3), the European Union Aviation Safety Agency (EASA) and the European Union Agency for Space Programme (EUSPA) to participate in its work.

(34) The Cooperation Group should remain a flexible forum and be able to react to changing and new policy priorities and challenges while taking into account the availability of resources. It should organize regular joint meetings with relevant private stakeholders from across the Union to discuss activities carried out by the Group and gather input on emerging policy challenges. In order to enhance cooperation at Union level, the Group should consider inviting relevant Union bodies and agencies involved in cybersecurity policy, such as Europol, the European Union Aviation Safety Agency (EASA) and the European Union Agency for Space Programme (EUSPA) to participate in its work.

Amendment  37

Proposal for a directive

Recital 35

Text proposed by the Commission

Amendment

(35) The competent authorities and CSIRTs should be empowered to participate in exchange schemes for officials from other Member States in order to improve cooperation. The competent authorities should take the necessary measures to enable officials from other Member States to play an effective role in the activities of the host competent authority.

(35) The competent authorities and CSIRTs should be empowered to participate in exchange schemes for officials from other Member States, within structured rules and mechanisms underpinning the scope and, where applicable, the required security clearance of officials participating in such exchange schemes, in order to improve cooperation and strengthen trust among Member States. The competent authorities should take the necessary measures to enable officials from other Member States to play an effective role in the activities of the host competent authority or CSIRT.

Amendment  38

Proposal for a directive

Recital 36

Text proposed by the Commission

Amendment

(36) The Union should, where appropriate, conclude international agreements, in accordance with Article 218 TFEU, with third countries or international organisations, allowing and organising their participation in some activities of the Cooperation Group and the CSIRTs network. Such agreements should ensure adequate protection of data.

(36) The Union should, where appropriate, conclude international agreements, in accordance with Article 218 TFEU, with third countries or international organisations, allowing and organising their participation in some activities of the Cooperation Group and the CSIRTs network. Such agreements should ensure the Union’s interests and adequate protection of data. This shall not preclude the right of Member States to cooperate with likeminded third countries on management of vulnerabilities and cyber security risk management, facilitating reporting and general information sharing in accordance with Union law.

Amendment  39

Proposal for a directive

Recital 38

Text proposed by the Commission

Amendment

(38) For the purposes of this Directive, the term ‘risk’ should refer to the potential for loss or disruption caused by a cybersecurity incident and should be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of said incident.

deleted

Amendment  40

Proposal for a directive

Recital 39

Text proposed by the Commission

Amendment

(39) For the purposes of this Directive, the term ‘near misses’ should refer to an event which could potentially have caused harm, but was successfully prevented from fully transpiring.

deleted

Amendment  41

Proposal for a directive

Recital 40

Text proposed by the Commission

Amendment

(40) Risk-management measures should include measures to identify any risks of incidents, to prevent, detect and handle incidents and to mitigate their impact. The security of network and information systems should comprise the security of stored, transmitted and processed data.

(40) Risk-management measures should include measures to identify any risks of incidents, to prevent, detect, respond to and recover from incidents and to mitigate their impact. The security of network and information systems should comprise the security of stored, transmitted and processed data. Those systems should provide for systemic analysis, breaking down the various processes and the interactions between subsystems and taking into account the human factor, in order to have a complete picture of the security of the information system.

Amendment  42

Proposal for a directive

Recital 41

Text proposed by the Commission

Amendment

(41) In order to avoid imposing a disproportionate financial and administrative burden on essential and important entities, the cybersecurity risk management requirements should be proportionate to the risk presented by the network and information system concerned, taking into account the state of the art of such measures.

(41) In order to avoid imposing a disproportionate financial and administrative burden on essential and important entities, the cybersecurity risk management requirements should be proportionate to the risk presented by the network and information system concerned, taking into account the state of the art of such measures and European or international standards, such as ISO31000 and ISA/IEC 27005.

Amendment  43

Proposal for a directive

Recital 43

Text proposed by the Commission

Amendment

(43) Addressing cybersecurity risks stemming from an entity’s supply chain and its relationship with its suppliers is particularly important given the prevalence of incidents where entities have fallen victim to cyber-attacks and where malicious actors were able to compromise the security of an entity’s network and information systems by exploiting vulnerabilities affecting third party products and services. Entities should therefore assess and take into account the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures.

(43) Addressing cybersecurity risks stemming from an entity’s supply chain and its relationship with its suppliers, such as providers of data storage and processing services or managed security services, is particularly important given the prevalence of incidents where entities have fallen victim to attacks against network and information systems and where malicious actors were able to compromise the security of an entity’s network and information systems by exploiting vulnerabilities affecting third party products and services. Entities should therefore assess and take into account the overall quality and resilience of products and services, the cybersecurity measures embedded in them, and the cybersecurity practices of their suppliers and service providers, including their secure development procedures. Entities should in particular be encouraged to incorporate cybersecurity measures into contractual arrangements with their first-level suppliers and service providers. Entities could consider cybersecurity risks stemming from other levels of suppliers and service providers.

Amendment  44

Proposal for a directive

Recital 44

Text proposed by the Commission

Amendment

(44) Among service providers, managed security services providers (MSSPs) in areas such as incident response, penetration testing, security audits and consultancy play a particularly important role in assisting entities in their efforts to detect and respond to incidents. Those MSSPs have however also been the targets of cyberattacks themselves and through their close integration in the operations of operators pose a particular cybersecurity risk. Entities should therefore exercise increased diligence in selecting an MSSP.

(44) Among service providers, managed security services providers (MSSPs) in areas such as incident response, penetration testing, security audits and consultancy play a particularly important role in assisting entities in their efforts to prevent, detect, respond to or recover from incidents. Those MSSPs have however also been the targets of cyberattacks themselves and through their close integration in the operations of operators pose a particular cybersecurity risk. Entities should therefore exercise increased diligence in selecting an MSSP.

Amendment  45

Proposal for a directive

Recital 45

Text proposed by the Commission

Amendment

(45) Entities should also address cybersecurity risks stemming from their interactions and relationships with other stakeholders within a broader ecosystem. In particular, entities should take appropriate measures to ensure that their cooperation with academic and research institutions takes place in line with their cybersecurity policies and follows good practices as regards secure access and dissemination of information in general and the protection of intellectual property in particular. Similarly, given the importance and value of data for the activities of the entities, when relying on data transformation and data analytics services from third parties, the entities should take all appropriate cybersecurity measures.

(45) Entities should also address cybersecurity risks stemming from their interactions and relationships with other stakeholders within a broader ecosystem, including to counter industrial espionage and to protect trade secrets. In particular, entities should take appropriate measures to ensure that their cooperation with academic and research institutions takes place in line with their cybersecurity policies and follows good practices as regards secure access and dissemination of information in general and the protection of intellectual property in particular. Similarly, given the importance and value of data for the activities of the entities, when relying on data transformation and data analytics services from third parties, the entities should take all appropriate cybersecurity measures.

Amendment  46

 

Proposal for a directive

Recital 45 a (new)

 

Text proposed by the Commission

Amendment

 

(45a) Entities should adopt a wide range of basic cyber hygiene practices, such as zero-trust architecture, software updates, device configuration, network segmentation, identity and access management or user awareness, and organise training for their staff regarding corporate email cyber threats, phishing or social engineering techniques. Furthermore, entities should evaluate their own cybersecurity capabilities and, where appropriate, pursue the integration of cybersecurity enhancing technologies driven by artificial intelligence or machine learning systems to automate their capabilities and the protection of network architectures.

Amendment  47

 

Proposal for a directive

Recital 46

 

Text proposed by the Commission

Amendment

(46) To further address key supply chain risks and assist entities operating in sectors covered by this Directive to appropriately manage supply chain and supplier related cybersecurity risks, the Cooperation Group involving relevant national authorities, in cooperation with the Commission and ENISA, should carry out coordinated sectoral supply chain risk assessments, as was already done for 5G networks following Recommendation (EU) 2019/534 on Cybersecurity of 5G networks21 , with the aim of identifying per sector which are the critical ICT services, systems or products, relevant threats and vulnerabilities.

(46) To further address key supply chain risks and assist entities operating in sectors covered by this Directive to appropriately manage supply chain and supplier related cybersecurity risks, the Cooperation Group involving relevant national authorities, in cooperation with the Commission and ENISA, should carry out coordinated supply chain risk assessments, as was already done for 5G networks following Recommendation (EU) 2019/534 on Cybersecurity of 5G networks21 , with the aim of identifying per sector which are the critical ICT and ICS services, systems or products, relevant threats and vulnerabilities. Such risk assessments should identify measures, mitigation plans and best practices against critical dependencies, potential single points of failure, threats, vulnerabilities and other risks associated with the supply chain and should explore ways to further encourage their wider adoption by entities. Potential non-technical risk factors, such as undue influence by a third country on suppliers and service providers, in particular in the case of alternative models of governance, include concealed vulnerabilities or backdoors and potential systemic supply disruptions, in particular in case of technological lock-in or provider dependency.

__________________

__________________

21 Commission Recommendation (EU) 2019/534 of 26 March 2019 Cybersecurity of 5G networks (OJ L 88, 29.3.2019, p. 42).

21 Commission Recommendation (EU) 2019/534 of 26 March 2019 Cybersecurity of 5G networks (OJ L 88, 29.3.2019, p. 42).

Amendment  48

 

Proposal for a directive

Recital 47

 

Text proposed by the Commission

Amendment

(47) The supply chain risk assessments, in light of the features of the sector concerned, should take into account both technical and, where relevant, non-technical factors including those defined in Recommendation (EU) 2019/534, in the EU wide coordinated risk assessment of 5G networks security and in the EU Toolbox on 5G cybersecurity agreed by the Cooperation Group. To identify the supply chains that should be subject to a coordinated risk assessment, the following criteria should be taken into account: (i) the extent to which essential and important entities use and rely on specific critical ICT services, systems or products; (ii) the relevance of specific critical ICT services, systems or products for performing critical or sensitive functions, including the processing of personal data; (iii) the availability of alternative ICT services, systems or products; (iv) the resilience of the overall supply chain of ICT services, systems or products against disruptive events and (v) for emerging ICT services, systems or products, their potential future significance for the entities’ activities.

(47) The supply chain risk assessments, in light of the features of the sector concerned, should take into account both technical and, where relevant, non-technical factors including those defined in Recommendation (EU) 2019/534, in the EU wide coordinated risk assessment of 5G networks security and in the EU Toolbox on 5G cybersecurity agreed by the Cooperation Group. To identify the supply chains that should be subject to a coordinated risk assessment, the following criteria should be taken into account: (i) the extent to which essential and important entities use and rely on specific critical ICT services, systems or products; (ii) the relevance of specific critical ICT services, systems or products for performing critical or sensitive functions, including the processing of personal data; (iii) the availability of alternative ICT services, systems or products; (iv) the resilience of the overall supply chain of ICT services, systems or products throughout their entire lifecycle against disruptive events and (v) for emerging ICT services, systems or products, their potential future significance for the entities’ activities. Furthermore, particular emphasis should be placed on ICT services, systems or products that are subject to specific requirements stemming from third countries.

Amendment  49

 

Proposal for a directive

Recital 47 a (new)

 

Text proposed by the Commission

Amendment

 

(47a) The Stakeholder Cybersecurity Certification Group established pursuant to Article 22 of Regulation (EU) 2019/881 of the European Parliament and of the Council1a should issue an opinion on security risk assessments of specific critical ICT and ICS services, systems or products supply chains. The Cooperation Group and ENISA should take into account that opinion.

 

__________________

 

1a Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (OJ L 151, 7.6.2019, p. 15).

Amendment  50

 

Proposal for a directive

Recital 50

 

Text proposed by the Commission

Amendment

(50) Given the growing importance of number-independent interpersonal communications services, it is necessary to ensure that such services are also subject to appropriate security requirements in view of their specific nature and economic importance. Providers of such services should thus also ensure a level of security of network and information systems appropriate to the risk posed. Given that providers of number-independent interpersonal communications services normally do not exercise actual control over the transmission of signals over networks, the degree of risk for such services can be considered in some respects to be lower than for traditional electronic communications services. The same applies to interpersonal communications services which make use of numbers and which do not exercise actual control over signal transmission.

(50) Given the growing importance of number-independent interpersonal communications services, it is necessary to ensure that such services are also subject to appropriate security requirements in view of their specific nature and economic importance. Providers of such services should thus also ensure a level of security of network and information systems appropriate to the risk posed. Given that providers of number-independent interpersonal communications services normally do not exercise actual control over the transmission of signals over networks, the degree of risk to network security for such services can be considered in some respects to be lower than for traditional electronic communications services. The same applies to interpersonal communications services which make use of numbers and which do not exercise actual control over signal transmission. However, as the attack surface continues to expand, number-independent interpersonal communications services including, but not limited to, social media messengers, are becoming popular attack vectors. Malicious actors use platforms to communicate and attract victims to open compromised web pages, therefore increasing the likelihood of incidents involving the exploitation of personal data, and by extension, the security of information systems.

Amendment  51

 

Proposal for a directive

Recital 51

 

Text proposed by the Commission

Amendment

(51) The internal market is more reliant on the functioning of the internet than ever before. The services of virtually all essential and important entities are dependent on services provided over the internet. In order to ensure the smooth provision of services provided by essential and important entities, it is important that public electronic communications networks, such as, for example, internet backbones or submarine communications cables, have appropriate cybersecurity measures in place and report incidents in relation thereto.

(51) The internal market is more reliant on the functioning of the internet than ever before. The services of virtually all essential and important entities are dependent on services provided over the internet. In order to ensure the smooth provision of services provided by essential and important entities, it is important that all public electronic communications networks, such as, for example, internet backbones or submarine communications cables, have appropriate cybersecurity measures in place and report significant incidents in relation thereto. Member States should ensure that the integrity and availability of those public electronic communications networks are maintained and should consider their protection from sabotage and espionage of vital security interest. Information about incidents, for example on submarine communication cables should be shared actively between Member States.

Amendment  52

 

Proposal for a directive

Recital 52

 

Text proposed by the Commission

Amendment

(52) Where appropriate, entities should inform their service recipients of particular and significant threats and of measures they can take to mitigate the resulting risk to themselves. The requirement to inform those recipients of such threats should not discharge entities from the obligation to take, at their own expense, appropriate and immediate measures to prevent or remedy any cyber threats and restore the normal security level of the service. The provision of such information about security threats to the recipients should be free of charge.

(52) Where appropriate, entities should inform their service recipients of particular and significant threats and of measures they can take to mitigate the resulting risk to themselves. This should not discharge entities from the obligation to take, at their own expense, appropriate and immediate measures to prevent or remedy any cyber threats and restore the normal security level of the service. The provision of such information about security threats to the recipients should be free of charge and drafted in an easily comprehensible language.

Amendment  53

 

Proposal for a directive

Recital 53

 

Text proposed by the Commission

Amendment

(53) In particular, providers of public electronic communications networks or publicly available electronic communications services, should inform the service recipients of particular and significant cyber threats and of measures they can take to protect the security of their communications, for instance by using specific types of software or encryption technologies.

(53) Providers of public electronic communications networks or publicly available electronic communications services, should implement security by design and by default, and inform the service recipients of particular and significant cyber threats and of measures they can take to protect the security of their devices and communications, for instance by using specific types of encryption software or other data-centric security technologies.

Amendment  54

 

Proposal for a directive

Recital 54

 

Text proposed by the Commission

Amendment

(54) In order to safeguard the security of electronic communications networks and services, the use of encryption, and in particular end-to-end encryption, should be promoted and, where necessary, should be mandatory for providers of such services and networks in accordance with the principles of security and privacy by default and by design for the purposes of Article 18. The use of end-to-end encryption should be reconciled with the Member States’ powers to ensure the protection of their essential security interests and public security, and to permit the investigation, detection and prosecution of criminal offences in compliance with Union law. Solutions for lawful access to information in end-to-end encrypted communications should maintain the effectiveness of encryption in protecting privacy and security of communications, while providing an effective response to crime.

(54) In order to safeguard the security of electronic communications networks and services, the use of encryption and other data-centric security technologies, such as tokenisation, segmentation, throttled access, marking, tagging, strong identity and access management, and automated access decisions, should be promoted and, where necessary, should be mandatory for providers of such services and networks in accordance with the principles of security and privacy by default and by design for the purposes of Article 18. The use of end-to-end encryption should be reconciled with the Member States’ powers to ensure the protection of their essential security interests and public security, and to permit the investigation, detection and prosecution of criminal offences in compliance with Union law. However, this should not lead to any efforts to weaken end-to-end encryption, which is a critical technology for effective data protection and privacy.

Amendment  55

 

Proposal for a directive

Recital 54 a (new)

 

Text proposed by the Commission

Amendment

 

(54a) In order to safeguard the security and to prevent abuse and manipulation of electronic communications networks and services, the use of interoperable secure routing standards should be promoted to ensure the integrity and robustness of routing functions across the ecosystem of internet carriers.

Amendment  56

 

Proposal for a directive

Recital 54 b (new)

 

Text proposed by the Commission

Amendment

 

(54b) In order to safeguard the functionality and integrity of the internet and to reduce security issues relating to DNS, relevant stakeholders including Union businesses, internet service providers and browser vendors should be encouraged to adopt a DNS resolution diversification strategy. Furthermore, Member States should encourage the development and use of a public and secure European DNS resolver service.

Amendment  57

 

Proposal for a directive

Recital 55

 

Text proposed by the Commission

Amendment

(55) This Directive lays down a two-stage approach to incident reporting in order to strike the right balance between, on the one hand, swift reporting that helps mitigate the potential spread of incidents and allows entities to seek support, and, on the other hand, in-depth reporting that draws valuable lessons from individual incidents and improves over time the resilience to cyber threats of individual companies and entire sectors. Where entities become aware of an incident, they should be required to submit an initial notification within 24 hours, followed by a final report not later than one month after. The initial notification should only include the information strictly necessary to make the competent authorities aware of the incident and allow the entity to seek assistance, if required. Such notification, where applicable, should indicate whether the incident is presumably caused by unlawful or malicious action. Member States should ensure that the requirement to submit this initial notification does not divert the reporting entity’s resources from activities related to incident handling that should be prioritised. To further prevent that incident reporting obligations either divert resources from incident response handling or may otherwise compromise the entities’ efforts in that respect, Member States should also provide that, in duly justified cases and in agreement with the competent authorities or the CSIRT, the entity concerned can deviate from the deadlines of 24 hours for the initial notification and one month for the final report.

(55) This Directive lays down a two-stage approach to incident reporting in order to strike the right balance between, on the one hand, swift reporting that helps mitigate the potential spread of incidents and allows entities to seek support, and, on the other hand, in-depth reporting that draws valuable lessons from individual incidents and improves over time the resilience to cyber threats of individual companies and entire sectors. Where entities become aware of an incident, they should be required to submit an initial notification followed by a comprehensive report not later than one month after the submission of the initial notification. The initial incident notification timeline should not preclude entities from reporting incidents earlier, therefore allowing them to seek support from CSIRTs swiftly and enabling mitigation of the potential spread of the reported incident. CSIRTs can request an intermediate report on relevant status updates, while taking into account the incident response and remediation efforts of the reporting entity.

Amendment  58

 

Proposal for a directive

Recital 55 a (new)

 

Text proposed by the Commission

Amendment

 

(55a) A significant incident may have an impact on the confidentiality, integrity or availability of the service. Essential and important entities should notify CSIRTs about significant incidents that have an impact on the availability of their service within 24 hours of becoming aware of the incident. They should notify CSIRTs about significant incidents that breach the confidentiality and integrity of their services within 72 hours of becoming aware of the incident. The distinction between the types of incidents is not based on the seriousness of the incident, but on the difficulty for the reporting entity to assess the incident, its significance and the ability to report information that can be of use for the CSIRT. The initial notification should include the information necessary to make the CSIRT aware of the incident and allow the entity to seek assistance, if required. Member States should ensure that the requirement to submit this initial notification does not divert the reporting entity’s resources from activities related to incident handling that should be prioritised. To further prevent that incident reporting obligations either divert resources from incident response handling or may otherwise compromise the entities’ efforts in that respect, Member States should also provide that, in duly justified cases and in agreement with the CSIRT, the entity concerned can deviate from the deadlines for the initial notification and for the comprehensive report.

Amendment  59

 

Proposal for a directive

Recital 59

 

Text proposed by the Commission

Amendment

(59) Maintaining accurate and complete databases of domain names and registration data (so called ‘WHOIS data’) and providing lawful access to such data is essential to ensure the security, stability and resilience of the DNS, which in turn contributes to a high common level of cybersecurity within the Union. Where processing includes personal data such processing shall comply with Union data protection law.

(59) Maintaining accurate, verified and complete databases of domain names registration data (so called ‘WHOIS data’) is essential to ensure the security, stability and resilience of the DNS, which in turn contributes to a high common level of cybersecurity within the Union, and for tackling illegal activities. TLD registries and entities providing domain name registration services should therefore be required to collect domain name registration data, which should include at least the registrants’ name, their physical and email address as well as their telephone number. In practice, the collected data may not always be thoroughly accurate, however TLD registries and entities providing domain name registration services should adopt and implement proportionate processes to verify that natural or legal persons requesting or owning a domain name have provided contact details on which they can be reached and are expected to reply. Using a ‘best efforts’ approach, those verification processes should reflect the current best practices used within the industry. Those best practices in the verification process should reflect the advances being made in the electronic identification process. The TLD registries and entities providing domain name registration services should make publicly available their policies and procedures to ensure the integrity and availability of the domain name registration data. Where processing includes personal data such processing shall comply with Union data protection law.

Amendment  60

 

Proposal for a directive

Recital 60

 

Text proposed by the Commission

Amendment

(60) The availability and timely accessibility of these data to public authorities, including competent authorities under Union or national law for the prevention, investigation or prosecution of criminal offences, CERTs, CSIRTs, and as regards the data of their clients to providers of electronic communications networks and services and providers of cybersecurity technologies and services acting on behalf of those clients, is essential to prevent and combat Domain Name System abuse, in particular to prevent, detect and respond to cybersecurity incidents. Such access should comply with Union data protection law insofar as it is related to personal data.

(60) The availability and timely accessibility of the domain name registration data to legitimate access seekers is essential for cybersecurity purposes and tackling illegal activities in the online ecosystem. TLD registries and entities providing domain name registration services should therefore be required to enable lawful access to specific domain name registration data, including personal data, to legitimate access seekers, in accordance with Union data protection law. Legitimate access seekers should make a duly justified request to access domain name registration data on the basis of Union or national law, and could include competent authorities under Union or national law for the prevention, investigation or prosecution of criminal offences, and national CERTs or CSIRTs. Member States should ensure that TLD registries and entities providing domain name registration services should respond without undue delay and in any event within 72 hours to requests from legitimate access seekers for the disclosure of domain name registration data. TLD registries and entities providing domain name registration services should establish policies and procedures for the publication and disclosure of registration data, including service level agreements to deal with requests for access from legitimate access seekers. The access procedure may also include the use of an interface, portal or other technical tools to provide an efficient system for requesting and accessing registration data. With a view to promoting harmonised practices across the internal market, the Commission may adopt guidelines on such procedures without prejudice to the competences of the European Data Protection Board.

Amendment  61

Proposal for a directive

Recital 61

 

Text proposed by the Commission

Amendment

(61) In order to ensure the availability of accurate and complete domain name registration data, TLD registries and the entities providing domain name registration services for the TLD (so-called registrars) should collect and guarantee the integrity and availability of domain names registration data. In particular, TLD registries and the entities providing domain name registration services for the TLD should establish policies and procedures to collect and maintain accurate and complete registration data, as well as to prevent and correct inaccurate registration data in accordance with Union data protection rules.

deleted

Amendment  62

 

Proposal for a directive

Recital 62

 

Text proposed by the Commission

Amendment

(62) TLD registries and the entities providing domain name registration services for them should make publicly available domain name registration data that fall outside the scope of Union data protection rules, such as data that concern legal persons25 . TLD registries and the entities providing domain name registration services for the TLD should also enable lawful access to specific domain name registration data concerning natural persons to legitimate access seekers, in accordance with Union data protection law. Member States should ensure that TLD registries and the entities providing domain name registration services for them should respond without undue delay to requests from legitimate access seekers for the disclosure of domain name registration data. TLD registries and the entities providing domain name registration services for them should establish policies and procedures for the publication and disclosure of registration data, including service level agreements to deal with requests for access from legitimate access seekers. The access procedure may also include the use of an interface, portal or other technical tool to provide an efficient system for requesting and accessing registration data. With a view to promoting harmonised practices across the internal market, the Commission may adopt guidelines on such procedures without prejudice to the competences of the European Data Protection Board.

(62) TLD registries and entities providing domain name registration services should be required to make publicly available domain name registration data that does not contain personal data. A distinction should be made between natural and legal persons25. For legal persons, TLD registries and entities should make publicly available at least the registrants’ name, their physical and email address as well as their telephone number. The legal person should be required to either provide a generic email address that can be made publicly available or give consent to the publication of a personal email address. The legal person should be able to demonstrate such consent at the request of TLD registries and entities providing domain name registration services.

__________________

__________________

25 REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL recital (14) whereby “this Regulation does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person”.

25 REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL recital (14) whereby “this Regulation does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person”.

Amendment  63

 

Proposal for a directive

Recital 63

 

Text proposed by the Commission

Amendment

(63) All essential and important entities under this Directive should fall under the jurisdiction of the Member State where they provide their services. If the entity provides services in more than one Member State, it should fall under the separate and concurrent jurisdiction of each of these Member States. The competent authorities of these Member States should cooperate, provide mutual assistance to each other and where appropriate, carry out joint supervisory actions.

(63) All essential and important entities under this Directive should fall under the jurisdiction of the Member State where they provide their services or carry out their activities. If the entity provides services in more than one Member State, it should fall under the separate and concurrent jurisdiction of each of these Member States. The competent authorities of these Member States should cooperate, provide mutual assistance to each other and where appropriate, carry out joint supervisory actions.

Amendment  64

 

Proposal for a directive

Recital 64

 

Text proposed by the Commission

Amendment

(64) In order to take account of the cross-border nature of the services and operations of DNS service providers, TLD name registries, content delivery network providers, cloud computing service providers, data centre service providers and digital providers, only one Member State should have jurisdiction over these entities. Jurisdiction should be attributed to the Member State in which the respective entity has its main establishment in the Union. The criterion of establishment for the purposes of this Directive implies the effective exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect. Whether this criterion is fulfilled should not depend on whether the network and information systems are physically located in a given place; the presence and use of such systems do not, in themselves, constitute such main establishment and are therefore not decisive criteria for determining the main establishment. The main establishment should be the place where the decisions related to the cybersecurity risk management measures are taken in the Union. This will typically correspond to the place of the companies’ central administration in the Union. If such decisions are not taken in the Union, the main establishment should be deemed to be in the Member States where the entity has an establishment with the highest number of employees in the Union. Where the services are carried out by a group of undertakings, the main establishment of the controlling undertaking should be considered to be the main establishment of the group of undertakings.

(64) In order to take account of the cross-border nature of the services and operations of DNS service providers, TLD name registries, content delivery network providers, cloud computing service providers, data centre service providers and digital providers, only one Member State should have jurisdiction over these entities. Jurisdiction should be attributed to the Member State in which the respective entity has its main establishment in the Union. The criterion of establishment for the purposes of this Directive implies the effective exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect. Whether this criterion is fulfilled should not depend on whether the network and information systems are physically located in a given place; the presence and use of such systems do not, in themselves, constitute such main establishment and are therefore not decisive criteria for determining the main establishment. The main establishment should be the place where the decisions related to the cybersecurity risk management measures are taken in the Union. This will typically correspond to the place of the companies’ central administration in the Union. If such decisions are not taken in the Union, the main establishment should be deemed to be in the Member States where either the entity has an establishment with the highest number of employees in the Union or the establishment where cybersecurity operations are carried out. Where the services are carried out by a group of undertakings, the main establishment of the controlling undertaking should be considered to be the main establishment of the group of undertakings.

Amendment  65

 

Proposal for a directive

Recital 65 a (new)

 

Text proposed by the Commission

Amendment

 

(65a) ENISA should create and maintain a registry containing information about essential and important entities that comprise DNS service providers, TLD name registries and providers of cloud computing services, data centre services, content delivery networks, online marketplaces, online search engines and social networking platforms. Those essential and important entities should submit to ENISA their names, addresses and up-to-date contact details. They should notify ENISA about any changes to those details without delay and, in any event, within two weeks from the date on which the change took effect. ENISA should forward the information to the relevant single point of contact. The essential and important entities submitting their information to ENISA are therefore not required to separately inform the competent authority within the Member State. ENISA should develop a simple publicly available application programme that those entities could use to update their information. Furthermore, ENISA should establish appropriate information classification and management protocols to ensure the security and confidentiality of disclosed information, and restrict the access, storage, and transmission of such information to intended users.

Amendment  66

 

Proposal for a directive

Recital 66

 

Text proposed by the Commission

Amendment

(66) Where information considered classified according to national or Union law is exchanged, reported or otherwise shared under the provisions of this Directive, the corresponding specific rules on the handling of classified information should be applied.

(66) Where information considered classified in accordance with national or Union law is exchanged, reported or otherwise shared under the provisions of this Directive, the corresponding specific rules on the handling of classified information should be applied. In addition, ENISA should have the infrastructure, procedures and rules in place to handle sensitive and classified information in compliance with the applicable security rules for protecting EU classified information.

Amendment  67

 

Proposal for a directive

Recital 68

 

Text proposed by the Commission

Amendment

(68) Entities should be encouraged to collectively leverage their individual knowledge and practical experience at strategic, tactical and operational levels with a view to enhancing their capabilities to adequately assess, monitor, defend against, and respond to, cyber threats. It is thus necessary to enable the emergence at Union level of mechanisms for voluntary information sharing arrangements. To this end, Member States should also actively support and encourage relevant entities not covered by the scope of this Directive to participate in such information-sharing mechanisms. Those mechanisms should be conducted in full compliance with the competition rules of the Union as well as Union data protection law.

(68) Entities should be encouraged and supported by Member States to collectively leverage their individual knowledge and practical experience at strategic, tactical and operational levels with a view to enhancing their capabilities to adequately assess, monitor, defend against, and respond to, cyber threats. It is thus necessary to enable the emergence at Union level of mechanisms for voluntary information sharing arrangements. To this end, Member States should also actively support and encourage relevant entities not covered by the scope of this Directive, such as entities focusing on cybersecurity services and research, to participate in such information-sharing mechanisms. Those mechanisms should be conducted in full compliance with the competition rules of the Union as well as Union data protection law.

Amendment  68

 

Proposal for a directive

Recital 69

 

Text proposed by the Commission

Amendment

(69) The processing of personal data, to the extent strictly necessary and proportionate for the purposes of ensuring network and information security by entities, public authorities, CERTs, CSIRTs, and providers of security technologies and services should constitute a legitimate interest of the data controller concerned, as referred to in Regulation (EU) 2016/679. That should include measures related to the prevention, detection, analysis and response to incidents, measures to raise awareness in relation to specific cyber threats, exchange of information in the context of vulnerability remediation and coordinated disclosure, as well as the voluntary exchange of information on those incidents, cyber threats and vulnerabilities, indicators of compromise, tactics, techniques and procedures, cybersecurity alerts and configuration tools. Such measures may require the processing of the following types of personal data: IP addresses, uniform resource locators (URLs), domain names, and email addresses.

(69) The processing of personal data, to the extent strictly necessary and proportionate for the purposes of ensuring network and information security by essential and important entities, CSIRTs and providers of security technologies and services, is necessary for compliance with their legal obligations provided for in this Directive. Such processing of personal data might also be necessary for the purposes of the legitimate interests pursued by essential and important entities. Where this Directive requires the processing of personal data for the purpose of cybersecurity and network and information security in accordance with the provisions set out in Articles 18, 20 and 23 of the Directive, that processing is considered to be necessary for compliance with a legal obligation as referred to in Article 6(1), point (c) of Regulation (EU) 2016/679. For the purpose of Articles 26 and 27 of this Directive, processing, as referred to in Article 6(1), point (f) of Regulation (EU) 2016/679, is considered to be necessary for the purposes of the legitimate interests pursued by the essential and important entities. Measures related to the prevention, detection, identification, containment, analysis and response to incidents, measures to raise awareness in relation to specific cyber threats, exchange of information in the context of vulnerability remediation and coordinated disclosure, as well as the voluntary exchange of information on those incidents, cyber threats and vulnerabilities, indicators of compromise, tactics, techniques and procedures, cybersecurity alerts and configuration tools require the processing of certain categories of personal data, such as IP addresses, uniform resource locators (URLs), domain names, email addresses, time stamps, operating system- or browser-related information, cookies or other information indicating the modus operandi.

Amendment  69

 

Proposal for a directive

Recital 71

 

Text proposed by the Commission

Amendment

(71) In order to make enforcement effective, a minimum list of administrative sanctions for breach of the cybersecurity risk management and reporting obligations provided by this Directive should be laid down, setting up a clear and consistent framework for such sanctions across the Union. Due regard should be given to the nature, gravity and duration of the infringement, the actual damage caused or losses incurred or potential damage or losses that could have been triggered, the intentional or negligent character of the infringement, actions taken to prevent or mitigate the damage and/or losses suffered, the degree of responsibility or any relevant previous infringements, the degree of cooperation with the competent authority and any other aggravating or mitigating factor. The imposition of penalties including administrative fines should be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter of Fundamental Rights of the European Union, including effective judicial protection and due process.

(71) In order to make enforcement effective, a minimum list of administrative penalties for breach of the cybersecurity risk management and reporting obligations provided by this Directive should be laid down, setting up a clear and consistent framework for such penalties across the Union. Due regard should be given to the nature, gravity and duration of the infringement, the damage caused or losses incurred, the intentional or negligent character of the infringement, actions taken to prevent or mitigate the damage and/or losses suffered, the degree of responsibility or any relevant previous infringements, the degree of cooperation with the competent authority and any other aggravating or mitigating factor. The penalties, including administrative fines, should be proportionate and their imposition should be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter of Fundamental Rights of the European Union (the ‘Charter’), including effective judicial protection, due process, the presumption of innocence and the rights of defence.

Amendment  70

 

Proposal for a directive

Recital 72

 

Text proposed by the Commission

Amendment

(72) In order to ensure effective enforcement of the obligations laid down in this Directive, each competent authority should have the power to impose or request the imposition of administrative fines.

(72) In order to ensure effective enforcement of the obligations laid down in this Directive, each competent authority should have the power to impose or request the imposition of administrative fines if the infringement was intentional or negligent, or if the entity concerned had received notice of its non-compliance.

Amendment  71

 

Proposal for a directive

Recital 76

 

Text proposed by the Commission

Amendment

(76) In order to further strengthen the effectiveness and dissuasiveness of the penalties applicable to infringements of obligations laid down pursuant to this Directive, the competent authorities should be empowered to apply sanctions consisting of the suspension of a certification or authorisation concerning part or all the services provided by an essential entity and the imposition of a temporary ban from the exercise of managerial functions by a natural person. Given their severity and impact on the entities’ activities and ultimately on their consumers, such sanctions should only be applied proportionally to the severity of the infringement and taking account of the specific circumstances of each case, including the intentional or negligent character of the infringement, actions taken to prevent or mitigate the damage and/or losses suffered. Such sanctions should only be applied as ultima ratio, meaning only after the other relevant enforcement actions laid down by this Directive have been exhausted, and only for the time until the entities to which they apply take the necessary action to remedy the deficiencies or comply with the requirements of the competent authority for which such sanctions were applied. The imposition of such sanctions shall be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter of Fundamental Rights of the European Union, including effective judicial protection, due process, presumption of innocence and right of defence.

(76) In order to further strengthen the effectiveness and dissuasiveness of the penalties applicable to infringements of obligations laid down pursuant to this Directive, the competent authorities should be empowered to apply a temporary suspension of a certification or authorisation concerning part or all relevant services provided by an essential entity and the request to impose a temporary ban from the exercise of managerial functions by a natural person at chief executive officer or legal representative level. Member States should develop specific procedures and rules concerning the temporary ban from the exercise of managerial functions by a natural person at chief executive officer or legal representative level in public administration entities. In the process of developing such procedures and rules, Member States should take into account the particularities of their respective levels and systems of governance within their public administrations. Given their severity and impact on the entities’ activities and ultimately on their consumers, such temporary suspensions or bans should only be applied proportionally to the severity of the infringement and taking account of the specific circumstances of each case, including the intentional or negligent character of the infringement, actions taken to prevent or mitigate the damage and/or losses suffered. Such temporary suspensions or bans should only be applied as ultima ratio, meaning only after the other relevant enforcement actions laid down by this Directive have been exhausted, and only for the time until the entities to which they apply take the necessary action to remedy the deficiencies or comply with the requirements of the competent authority for which such temporary suspensions or bans were applied. The imposition of such temporary suspensions or bans shall be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter, including effective judicial protection, due process, presumption of innocence and right of defence.

Amendment  72

 

Proposal for a directive

Recital 79

 

Text proposed by the Commission

Amendment

(79) A peer-review mechanism should be introduced, allowing the assessment by experts designated by the Member States of the implementation of cybersecurity policies, including the level of Member States’ capabilities and available resources.

(79) A peer-review mechanism should be introduced, allowing the assessment by independent experts designated by the Member States, of the implementation of cybersecurity policies, including the level of Member States’ capabilities and available resources. Peer-reviews can lead to valuable insights and recommendations strengthening the overall cybersecurity capabilities. In particular, they can contribute to facilitating the transfer of technologies, tools, measures and processes among the Member States involved in the peer-review, creating a functional path for the sharing of best practices across Member States with different levels of maturity in cybersecurity, and enabling the establishment of a high, common level of cybersecurity across the Union. The peer-review should be preceded by a self-assessment by the Member State under review, covering the reviewed aspects and any additional targeted issues communicated by the designated experts to the Member State under peer-review prior to the commencement of the process. The Commission, in cooperation with ENISA and the Cooperation Group, should develop templates for the self-assessment of the reviewed aspects in order to streamline the process and avoid procedural inconsistencies and delays, which Member States under peer-review should complete and provide to the designated experts carrying out the peer-review prior to the commencement of the peer-review process.

Amendment  73

 

Proposal for a directive

Recital 80

 

Text proposed by the Commission

Amendment

(80) In order to take into account new cyber threats, technological developments or sectorial specificities, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission in respect of the elements in relation to risk management measures required by this Directive. The Commission should also be empowered to adopt delegated acts establishing which categories of essential entities shall be required to obtain a certificate and under which specific European cybersecurity certification schemes. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Inter-institutional Agreement of 13 April 2016 on Better Law-Making26. In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States' experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts.

(80) In order to take into account new cyber threats, technological developments or sectorial specificities, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission in respect of the elements in relation to cybersecurity risk management measures and reporting obligations required by this Directive. The Commission should also be empowered to adopt delegated acts establishing which categories of essential and important entities shall be required to obtain a certificate and under which specific European cybersecurity certification schemes. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Inter-institutional Agreement of 13 April 2016 on Better Law-Making. In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States' experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts.

__________________

 

26 OJ L 123, 12.5.2016, p. 1.

 

Amendment  74

 

Proposal for a directive

Recital 81

 

Text proposed by the Commission

Amendment

(81) In order to ensure uniform conditions for the implementation of the relevant provisions of this Directive concerning the procedural arrangements necessary for the functioning of the Cooperation Group, the technical elements related to risk management measures or the type of information, the format and the procedure of incident notifications, implementing powers should be conferred on the Commission. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council.27

(81) In order to ensure uniform conditions for the implementation of the relevant provisions of this Directive concerning the procedural arrangements necessary for the functioning of the Cooperation Group and the procedure of incident notifications, implementing powers should be conferred on the Commission. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council.27

__________________

27 Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the Member States of the Commission's exercise of implementing powers (OJ L 55, 28.2.2011, p. 13).

Amendment  75

 

Proposal for a directive

Recital 82

 

Text proposed by the Commission

Amendment

(82) The Commission should periodically review this Directive, in consultation with interested parties, in particular with a view to determining the need for modification in the light of changes to societal, political, technological or market conditions.

(82) The Commission should periodically review this Directive, in consultation with interested parties, in particular with a view to determining whether it is appropriate to propose amendments in the light of changes to societal, political, technological or market conditions. As part of those reviews, the Commission should assess the relevance of the sectors, subsectors and types of entities referred to in the annexes for the functioning of the economy and society in relation to cybersecurity. The Commission should assess, inter alia, whether digital providers that are classified as very large online platforms within the meaning of Article 25 of Regulation (EU) XXXX/XXXX [Single Market For Digital Services (Digital Services Act)] or as gatekeepers as defined in Article 2, point 1 of Regulation (EU) XXXX/XXXX [Contestable and fair markets in the digital sector (Digital Markets Act)], should be designated as essential entities under this Directive. Furthermore, the Commission should assess whether it is appropriate to amend Annex I to the Directive 2020/1828 of the European Parliament and of the Council1a by adding a reference to this Directive.

 

__________________

 

1a Directive 2020/1828 of the European Parliament and of the Council of 25 November 2020 on representative actions for the protection of the collective interests of consumers and repealing Directive 2009/22/EC (OJ L 409, 4.12.2020, p.1).

Amendment  76 

Proposal for a directive

Recital 82 a (new)

 

Text proposed by the Commission

Amendment

 

(82a) This Directive lays down cybersecurity requirements for Member States as well as essential and important entities established in the Union. Those cybersecurity requirements should also be applied by the Union institutions, bodies, offices and agencies on the basis of a Union legislative act.

Amendment  77

 

Proposal for a directive

Recital 82 b (new)

 

Text proposed by the Commission

Amendment

 

(82b) This Directive creates new tasks for ENISA, thereby enhancing its role, and could also result in ENISA being required to carry out its existing tasks under Regulation (EU) 2019/881 to a higher standard than before. In order to ensure that ENISA has the necessary financial and human resources to carry out existing and new activities under its tasks, as well as to satisfy any higher standard resulting from its enhanced role, its budget should be increased accordingly. In addition, in order to ensure the efficient use of resources, ENISA should be given greater flexibility in the way that it is permitted to allocate resources internally, so as to enable it to carry out its tasks, and to satisfy expectations, effectively.

Amendment  78

 

Proposal for a directive

Recital 84

 

Text proposed by the Commission

Amendment

(84) This Directive respects the fundamental rights, and observes the principles, recognised by the Charter of Fundamental Rights of the European Union, in particular the right to respect for private life and communications, the protection of personal data, the freedom to conduct a business, the right to property, the right to an effective remedy before a court and the right to be heard. This Directive should be implemented in accordance with those rights and principles,

(84) This Directive respects the fundamental rights, and observes the principles, recognised by the Charter, in particular the right to respect for private life and communications, the protection of personal data, the freedom to conduct a business, the right to property, the right to an effective remedy before a court and the right to be heard. This includes the right to an effective remedy before a court for the recipients of services provided by essential and important entities. This Directive should be implemented in accordance with those rights and principles.

Amendment  79

 

Proposal for a directive

Article 1 – paragraph 2 – point c a (new)

 

Text proposed by the Commission

Amendment

 

(ca) lays down supervision and enforcement obligations on Member States.

Amendment  80

 

Proposal for a directive

Article 2 – paragraph 1

 

Text proposed by the Commission

Amendment

1. This Directive applies to public and private entities of a type referred to as essential entities in Annex I and as important entities in Annex II. This Directive does not apply to entities that qualify as micro and small enterprises within the meaning of Commission Recommendation 2003/361/EC.28

1. This Directive applies to public and private essential and important entities of a type referred to as essential entities in Annex I and as important entities in Annex II that provide their services or carry out their activities within the Union. This Directive does not apply to small enterprises or microenterprises within the meaning of Article 2(2) and (3) of the Annex to Commission Recommendation 2003/361/EC28. Article 3(4) of the Annex of that Recommendation is not applicable.

__________________

28 Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (OJ L 124, 20.5.2003, p. 36).

Amendment  81

 

Proposal for a directive

Article 2 – paragraph 2 – subparagraph 1 – introductory part

 

Text proposed by the Commission

Amendment

However, regardless of their size, this Directive also applies to entities referred to in Annexes I and II, where:

Regardless of their size, this Directive also applies to essential and important entities, where:

Amendment  82

 

Proposal for a directive

Article 2 – paragraph 2 – subparagraph 1 – point d

 

Text proposed by the Commission

Amendment

(d) a potential disruption of the service provided by the entity could have an impact on public safety, public security or public health;

(d) a disruption of the service provided by the entity could have an impact on public safety, public security or public health;

Amendment  83

 

Proposal for a directive

Article 2 – paragraph 2 - subparagraph 1 – point e

 

Text proposed by the Commission

Amendment

(e) a potential disruption of the service provided by the entity could induce systemic risks, in particular for the sectors where such disruption could have a cross-border impact;

(e) a disruption of the service provided by the entity could induce systemic risks, in particular for the sectors where such disruption could have a cross-border impact;

Amendment  84

 

Proposal for a directive

Article 2 – paragraph 2 – subparagraph 2

 

Text proposed by the Commission

Amendment

Member States shall establish a list of entities identified pursuant to points (b) to (f) and submit it to the Commission by [6 months after the transposition deadline]. Member States shall review the list, on a regular basis, and at least every two years thereafter and, where appropriate, update it.

deleted

Amendment  85

 

Proposal for a directive

Article 2 – paragraph 2 a (new)

 

Text proposed by the Commission

Amendment

 

2a. By ... [6 months after the transposition deadline], Member States shall establish a list of essential and important entities, including the entities referred to in paragraph 1 and the entities identified pursuant to paragraph 2, points (b) to (f) and Article 24(1). Member States shall review and, where appropriate, update that list on a regular basis, and at least every two years thereafter.

Amendment  86

 

Proposal for a directive

Article 2 – paragraph 2 b (new)

 

Text proposed by the Commission

Amendment

 

2b. Member States shall ensure that essential and important entities submit at least the following information to competent authorities:

 

(a) the name of the entity;

 

(b) address and up-to-date contact details, including email addresses, IP ranges, telephone numbers; and

 

(c) the relevant sector(s) and subsector(s) referred to in Annexes I and II.

 

The essential and important entities shall notify any changes to the details submitted pursuant to the first subparagraph without delay, and, in any event, within two weeks from the date on which the change takes effect. To that end, the Commission, with the assistance of ENISA, shall without undue delay issue guidelines and templates regarding the obligations set out in this paragraph.

Amendment  87

 

Proposal for a directive

Article 2 – paragraph 2 c (new)

 

Text proposed by the Commission

Amendment

 

2c. By … [6 months after the transposition deadline] and every two years thereafter, Member States shall notify:

 

(a) the Commission and the Cooperation Group of the number of all essential and important entities identified for each sector and subsector referred to in Annexes I and II, and

 

(b) the Commission, of the names of the entities identified pursuant to paragraph 2, points (b) to (f).

Amendment  88

 

Proposal for a directive

Article 2 – paragraph 4

 

Text proposed by the Commission

Amendment

4. This Directive applies without prejudice to Council Directive 2008/114/EC30 and Directives 2011/93/EU31 and 2013/40/EU32 of the European Parliament and of the Council.

4. This Directive applies without prejudice to Council Directive 2008/114/EC30 and Directives 2011/93/EU31, 2013/40/EU32 and 2002/58/EC32a of the European Parliament and of the Council.

__________________

30 Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (OJ L 345, 23.12.2008, p. 75).

31 Directive 2011/93/EU of the European Parliament and of the Council of 13 December 2011 on combating the sexual abuse and sexual exploitation of children and child pornography, and replacing Council Framework Decision 2004/68/JHA (OJ L 335, 17.12.2011, p. 1).

32 Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on attacks against information systems and replacing Council Framework Decision 2005/222/JHA (OJ L 218, 14.8.2013, p. 8).

 

32a Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p. 37).

Amendment  89

 

Proposal for a directive

Article 2 – paragraph 6

 

Text proposed by the Commission

Amendment

6. Where provisions of sector–specific acts of Union law require essential or important entities either to adopt cybersecurity risk management measures or to notify incidents or significant cyber threats, and where those requirements are at least equivalent in effect to the obligations laid down in this Directive, the relevant provisions of this Directive, including the provision on supervision and enforcement laid down in Chapter VI, shall not apply.

6. Where provisions of sector–specific acts of Union law require essential or important entities to adopt cybersecurity risk management measures or to notify incidents, and where those requirements are at least equivalent in effect to the obligations laid down in this Directive, the relevant provisions of this Directive, including the provision on supervision and enforcement laid down in Chapter VI, shall not apply. The Commission shall, without undue delay, issue guidelines in relation to the implementation of the sector–specific acts of Union law in order to ensure that cybersecurity requirements established by this Directive are fulfilled by those acts and that there is no overlap or legal uncertainty. When preparing those guidelines, the Commission shall take into account the best practices and expertise of ENISA and the Cooperation Group.

Amendment  90

 

Proposal for a directive

Article 2 – paragraph 6 a (new)

 

Text proposed by the Commission

Amendment

 

6a. Essential and important entities, CSIRTs and providers of security technologies and services shall process personal data, to the extent strictly necessary and proportionate for the purposes of cybersecurity and network and information security, to meet the obligations set out in this Directive. That processing of personal data under this Directive shall be carried out in compliance with Regulation (EU) 2016/679, in particular Article 6 thereof.

Amendment  91

 

Proposal for a directive

Article 2 – paragraph 6 b (new)

 

Text proposed by the Commission

Amendment

 

6b. The processing of personal data pursuant to this Directive by providers of public electronic communications networks or providers of publicly available electronic communications referred to in Annex I, point 8, shall be carried out in accordance with Directive 2002/58/EC.

Amendment  92

 

Proposal for a directive

Article 4 – paragraph 1 – point 4 a (new)

 

Text proposed by the Commission

Amendment

 

(4a) ‘near miss’ means an event which could have compromised the availability, authenticity, integrity or confidentiality of data, or could have caused harm, but was successfully prevented from producing its negative impact;

Amendment  93

 

Proposal for a directive

Article 4 – paragraph 1 – point 6

 

Text proposed by the Commission

Amendment

(6) ‘incident handling’ means all actions and procedures aiming at detection, analysis and containment of and a response to an incident;

(6) ‘incident handling’ means all actions and procedures aiming at prevention, detection, analysis, and containment of and a response to an incident;

Amendment  94

 

Proposal for a directive

Article 4 – paragraph 1 – point 7a (new)

 

Text proposed by the Commission

Amendment

 

(7a) ‘risk’ means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of that incident;

Amendment  95

 

Proposal for a directive

Article 4 – paragraph 1 – point 11

 

Text proposed by the Commission

Amendment

(11) ‘technical specification’ means a technical specification within the meaning of Article 2(4) of Regulation (EU) No 1025/2012;

(11) ‘technical specification’ means a technical specification as defined in Article 2, point (20) of Regulation (EU) No 2019/881;

Amendment  96

 

Proposal for a directive

Article 4 – paragraph 1 – point 13

 

Text proposed by the Commission

Amendment

(13) ‘domain name system (DNS)’ means a hierarchical distributed naming system which allows end-users to reach services and resources on the internet;

(13) ‘domain name system (DNS)’ means a hierarchical distributed naming system which enables the identification of internet services and resources, allowing end-user devices to utilise internet routing and connectivity services, to reach those services and resources;

Amendment  97

 

Proposal for a directive

Article 4 – paragraph 1 – point 14

 

Text proposed by the Commission

Amendment

(14) ‘DNS service provider’ means an entity that provides recursive or authoritative domain name resolution services to internet end-users and other DNS service providers;

(14) ‘DNS service provider’ means an entity that provides:

Amendment  98

 

Proposal for a directive

Article 4 – paragraph 1 – point 14 – point a (new)

 

Text proposed by the Commission

Amendment

 

(a) open and public recursive domain name resolution services to internet end-users; or

Amendment  99

 

Proposal for a directive

Article 4 – paragraph 1 – point 14 – point b (new)

 

Text proposed by the Commission

Amendment

 

(b) authoritative domain name resolution services as a service procurable by third-party entities;

Amendment  100

 

Proposal for a directive

Article 4 – paragraph 1 – point 15

 

Text proposed by the Commission

Amendment

(15) ‘top–level domain name registry’ means an entity which has been delegated a specific TLD and is responsible for administering the TLD including the registration of domain names under the TLD and the technical operation of the TLD, including the operation of its name servers, the maintenance of its databases and the distribution of TLD zone files across name servers;

(15) ‘top–level domain name registry’ means an entity which has been delegated a specific TLD and is responsible for administering the TLD including the registration of domain names under the TLD and the technical operation of the TLD, including the operation of its name servers, the maintenance of its databases and the distribution of TLD zone files across name servers, irrespective of whether any of those operations are being performed by the entity or are outsourced;

Amendment  101

 

Proposal for a directive

Article 4 – paragraph 1 – point 15 a (new)

 

Text proposed by the Commission

Amendment

 

(15a) ‘domain name registration services’ means services provided by domain name registries and registrars, privacy or proxy registration service providers, domain brokers or resellers, and any other services which are related to the registration of domain names;

Amendment  102

 

Proposal for a directive

Article 4 – paragraph 1 – point 23 a (new)

 

Text proposed by the Commission

Amendment

 

(23a) ‘public electronic communications network’ means a public electronic communications network as defined in Article 2, point (8) of Directive (EU) 2018/1972;

Amendment  103

 

Proposal for a directive

Article 4 – paragraph 1 – point 23 b (new)

 

Text proposed by the Commission

Amendment

 

(23b) ‘electronic communications service’ means an electronic communications service as defined in Article 2, point (4) of Directive (EU) 2018/1972;

Amendment  104

 

Proposal for a directive

Article 5 – paragraph 1 – introductory part

 

Text proposed by the Commission

Amendment

1. Each Member State shall adopt a national cybersecurity strategy defining the strategic objectives and appropriate policy and regulatory measures, with a view to achieving and maintaining a high level of cybersecurity. The national cybersecurity strategy shall include, in particular, the following:

1. Each Member State shall adopt a national cybersecurity strategy defining the strategic objectives, the required technical, organisational and financial resources to achieve those objectives, as well as the appropriate policy and regulatory measures, with a view to achieving and maintaining a high level of cybersecurity. The national cybersecurity strategy shall include, in particular, the following:

Amendment  105

 

Proposal for a directive

Article 5 – paragraph 1 – point a

 

Text proposed by the Commission

Amendment

(a) a definition of objectives and priorities of the Member States’ strategy on cybersecurity;

(a) a definition of objectives and priorities of the Member State’s strategy on cybersecurity;

Amendment  106

 

Proposal for a directive

Article 5 – paragraph 1 – point b

 

Text proposed by the Commission

Amendment

(b) a governance framework to achieve those objectives and priorities, including the policies referred to in paragraph 2 and the roles and responsibilities of public bodies and entities as well as other relevant actors;

(b) a governance framework to achieve those objectives and priorities, including the policies referred to in paragraph 2;

Amendment  107

 

Proposal for a directive

Article 5 – paragraph 1 – point b a (new)

 

Text proposed by the Commission

Amendment

 

(ba) a framework allocating the roles and responsibilities of public bodies and entities as well as other relevant actors, underpinning the cooperation and coordination, at the national level, between the competent authorities designated pursuant to Articles 7(1) and 8(1), the single point of contact designated pursuant to Article 8(3), and the CSIRTs designated pursuant to Article 9;

Amendment  108

 

Proposal for a directive

Article 5 – paragraph 1 – point e

 

Text proposed by the Commission

Amendment

(e) a list of the various authorities and actors involved in the implementation of the national cybersecurity strategy;

(e) a list of the various authorities and actors involved in the implementation of the national cybersecurity strategy, including a cybersecurity single point of contact for SMEs that provides support for implementing the specific cybersecurity measures;

Amendment  109

 

Proposal for a directive

Article 5 – paragraph 1 – point f

 

Text proposed by the Commission

Amendment

(f) a policy framework for enhanced coordination between the competent authorities under this Directive and Directive (EU) XXXX/XXXX of the European Parliament and of the Council38 [Resilience of Critical Entities Directive] for the purposes of information sharing on incidents and cyber threats and the exercise of supervisory tasks.

(f) a policy framework for enhanced coordination between the competent authorities under this Directive and Directive (EU) XXXX/XXXX of the European Parliament and of the Council38 [Resilience of Critical Entities Directive], both within and between Member States, for the purposes of information sharing on incidents and cyber threats and the exercise of supervisory tasks.

__________________

38 [insert the full title and OJ publication reference when known]

Amendment  110

 

Proposal for a directive

Article 5 – paragraph 1 – point f a (new)

 

Text proposed by the Commission

Amendment

 

(fa) an assessment of the general level of cybersecurity awareness among citizens.

Amendment  111

 

Proposal for a directive

Article 5 – paragraph 2 – point -a (new)

 

Text proposed by the Commission

Amendment

 

(-a) a policy addressing cybersecurity for each sector covered by this Directive;

Amendment  112

 

Proposal for a directive

Article 5 – paragraph 2 – point b

 

Text proposed by the Commission

Amendment

(b) guidelines regarding the inclusion and specification of cybersecurity-related requirements for ICT products and services in public procurement;

(b) guidelines regarding the inclusion and specification of cybersecurity-related requirements for ICT products and services in public procurement, including encryption requirements and the use of open-source cybersecurity products;

Amendment  113

 

Proposal for a directive

Article 5 – paragraph 2 – point d

 

Text proposed by the Commission

Amendment

(d) a policy related to sustaining the general availability and integrity of the public core of the open internet;

(d) a policy related to sustaining the general availability and integrity of the public core of the open internet, including cybersecurity of undersea communications cables;

Amendment  114

 

Proposal for a directive

Article 5 – paragraph 2 – point d a (new)

 

Text proposed by the Commission

Amendment

 

(da) a policy to promote and support the development and integration of emerging technologies, such as artificial intelligence, in cybersecurity-enhancing tools and applications;

Amendment  115

 

Proposal for a directive

Article 5 – paragraph 2 – point d b (new)

 

Text proposed by the Commission

Amendment

 

(db) a policy to promote the integration of open-source tools and applications;

Amendment  116

 

Proposal for a directive

Article 5 – paragraph 2 – point f

 

Text proposed by the Commission

Amendment

(f) a policy on supporting academic and research institutions to develop cybersecurity tools and secure network infrastructure;

(f) a policy on supporting academic and research institutions to develop, enhance and deploy cybersecurity tools and secure network infrastructure;

Amendment  117

 

Proposal for a directive

Article 5 – paragraph 2 – point h

 

Text proposed by the Commission

Amendment

(h) a policy addressing specific needs of SMEs, in particular those excluded from the scope of this Directive, in relation to guidance and support in improving their resilience to cybersecurity threats.

(h) a policy promoting cybersecurity for SMEs, including those excluded from the scope of this Directive, addressing their specific needs and providing easily accessed guidance and support, including guidelines addressing the supply chain challenges they face;

Amendment  118

 

Proposal for a directive

Article 5 – paragraph 2 – point h a (new)

 

Text proposed by the Commission

Amendment

 

(ha) a policy to promote cyber hygiene comprising a baseline set of practices and controls and raising the general cybersecurity awareness among citizens of cybersecurity threats and best practices;

Amendment  119

 

Proposal for a directive

Article 5 – paragraph 2 – point h b (new)

 

Text proposed by the Commission

Amendment

 

(hb) a policy on promoting active cyber defence;

Amendment  120

 

Proposal for a directive

Article 5 – paragraph 2 – point h c (new)

 

Text proposed by the Commission

Amendment

 

(hc) a policy to help authorities develop competences and understanding of the security considerations needed to design, build and manage connected places;

Amendment  121

 

Proposal for a directive

Article 5 – paragraph 2 – point h d (new)

 

Text proposed by the Commission

Amendment

 

(hd) a policy specifically addressing the ransomware threat and disrupting the ransomware business model;

Amendment  122

 

Proposal for a directive

Article 5 – paragraph 2 – point h e (new)

 

Text proposed by the Commission

Amendment

 

(he) a policy, including relevant procedures and governance frameworks, to support and promote the establishment of cybersecurity PPPs.

Amendment  123

 

Proposal for a directive

Article 5 – paragraph 3

 

Text proposed by the Commission

Amendment

3. Member States shall notify their national cybersecurity strategies to the Commission within three months from their adoption. Member States may exclude specific information from the notification where and to the extent that it is strictly necessary to preserve national security.

3. Member States shall notify their national cybersecurity strategies to the Commission within three months from their adoption. Member States may exclude specific information from the notification where and to the extent that it is necessary to preserve national security.

Amendment  124

 

Proposal for a directive

Article 5 – paragraph 4

 

Text proposed by the Commission

Amendment

4. Member States shall assess their national cybersecurity strategies at least every four years on the basis of key performance indicators and, where necessary, amend them. The European Union Agency for Cybersecurity (ENISA) shall assist Member States, upon request, in the development of a national strategy and of key performance indicators for the assessment of the strategy.

4. Member States shall assess their national cybersecurity strategies at least every four years on the basis of key performance indicators and, where necessary, amend them. The European Union Agency for Cybersecurity (ENISA) shall assist Member States, upon request, in the development of a national strategy and of key performance indicators for the assessment of the strategy. ENISA shall provide guidance to Member States in order to align their already formulated national cybersecurity strategies with the requirements and obligations set out in this Directive.

Amendment  125

 

Proposal for a directive

Article 6 – title

 

Text proposed by the Commission

Amendment

Coordinated vulnerability disclosure and a European vulnerability registry

Coordinated vulnerability disclosure and a European vulnerability database

Amendment  126

 

Proposal for a directive

Article 6 – paragraph 1

 

Text proposed by the Commission

Amendment

1. Each Member State shall designate one of its CSIRTs as referred to in Article 9 as a coordinator for the purpose of coordinated vulnerability disclosure. The designated CSIRT shall act as a trusted intermediary, facilitating, where necessary, the interaction between the reporting entity and the manufacturer or provider of ICT products or ICT services. Where the reported vulnerability concerns multiple manufacturers or providers of ICT products or ICT services across the Union, the designated CSIRT of each Member State concerned shall cooperate with the CSIRT network.

1. Each Member State shall designate one of its CSIRTs as referred to in Article 9 as a coordinator for the purpose of coordinated vulnerability disclosure. The designated CSIRT shall act as a trusted intermediary, facilitating, upon the request of the reporting entity, the interaction between the reporting entity and the manufacturer or provider of ICT products or ICT services. Where the reported vulnerability concerns multiple manufacturers or providers of ICT products or ICT services across the Union, the designated CSIRT of each Member State concerned shall cooperate with the CSIRT network.

Amendment  127

 

Proposal for a directive

Article 6 – paragraph 2

 

Text proposed by the Commission

Amendment

2. ENISA shall develop and maintain a European vulnerability registry. To that end, ENISA shall establish and maintain the appropriate information systems, policies and procedures with a view in particular to enabling important and essential entities and their suppliers of network and information systems to disclose and register vulnerabilities present in ICT products or ICT services, as well as to provide access to the information on vulnerabilities contained in the registry to all interested parties. The registry shall, in particular, include information describing the vulnerability, the affected ICT product or ICT services and the severity of the vulnerability in terms of the circumstances under which it may be exploited, the availability of related patches and, in the absence of available patches, guidance addressed to users of vulnerable products and services as to how the risks resulting from disclosed vulnerabilities may be mitigated.

2. ENISA shall develop and maintain a European vulnerability database leveraging the global Common Vulnerabilities and Exposures (CVE). To that end, ENISA shall establish and maintain the appropriate information systems, policies and procedures, and shall adopt the necessary technical and organisational measures to ensure the security and integrity of the database, with a view in particular to enabling important and essential entities and their suppliers of network and information systems, as well as entities which do not fall within the scope of this Directive, and their suppliers, to disclose and register vulnerabilities present in ICT products or ICT services. All interested parties shall be provided access to the information on the vulnerabilities contained in the database that have patches or mitigation measures available. The database shall, in particular, include information describing the vulnerability, the affected ICT product or ICT services, the severity of the vulnerability in terms of the circumstances under which it may be exploited, and the availability of related patches. In the absence of available patches, guidance addressed to users of vulnerable ICT products and ICT services as to how the risks resulting from disclosed vulnerabilities may be mitigated shall be included in the database.

Amendment  128

 

Proposal for a directive

Article 7 – paragraph 1 a (new)

 

Text proposed by the Commission

Amendment

 

1a. Where a Member State designates more than one competent authority referred to in paragraph 1, it shall clearly indicate which of those competent authorities is to serve as the coordinator for the management of large-scale incidents and crises.

Amendment  129

 

Proposal for a directive

Article 7 – paragraph 2

 

Text proposed by the Commission

Amendment

2. Each Member State shall identify capabilities, assets and procedures that can be deployed in case of a crisis for the purposes of this Directive.

2. Each Member State shall identify capabilities, assets and procedures that can be deployed in the case of a crisis for the purposes of this Directive.

Amendment  130

 

Proposal for a directive

Article 7 – paragraph 4

 

Text proposed by the Commission

Amendment

4. Member States shall communicate to the Commission the designation of their competent authorities referred to in paragraph 1 and submit their national cybersecurity incident and crisis response plans as referred to in paragraph 3 within three months from that designation and the adoption of those plans. Member States may exclude specific information from the plan where and to the extent that it is strictly necessary for their national security.

4. Member States shall communicate to the Commission the designation of their competent authorities referred to in paragraph 1 and submit to the EU-CyCLONe their national cybersecurity incident and crisis response plans as referred to in paragraph 3 within three months from that designation and the adoption of those plans. Member States may exclude specific information from the plan where and to the extent that it is strictly necessary for their national security.

Amendment  131

 

Proposal for a directive

Article 8 – paragraph 3

 

Text proposed by the Commission

Amendment

3. Each Member State shall designate one national single point of contact on cybersecurity (‘single point of contact’). Where a Member State designates only one competent authority, that competent authority shall also be the single point of contact for that Member State.

3. Each Member State shall designate one of the competent authorities referred to in paragraph 1 as a national single point of contact on cybersecurity (‘single point of contact’). Where a Member State designates only one competent authority, that competent authority shall also be the single point of contact for that Member State.

Amendment  132

 

Proposal for a directive

Article 8 – paragraph 4

 

Text proposed by the Commission

Amendment

4. Each single point of contact shall exercise a liaison function to ensure cross–border cooperation of its Member State’s authorities with the relevant authorities in other Member States, as well as to ensure cross-sectorial cooperation with other national competent authorities within its Member State.

4. Each single point of contact shall exercise a liaison function to ensure cross–border cooperation of its Member State’s authorities with the relevant authorities in other Member States, the Commission and ENISA, as well as to ensure cross-sectorial cooperation with other national competent authorities within its Member State.

Amendment  133

 

Proposal for a directive

Article 9 – paragraph 2

 

Text proposed by the Commission

Amendment

2. Member States shall ensure that each CSIRT has adequate resources to carry out effectively its tasks as set out in Article 10(2).

2. Member States shall ensure that each CSIRT has adequate resources and the technical capabilities necessary to carry out effectively its tasks as set out in Article 10(2).

Amendment  134

 

Proposal for a directive

Article 9 – paragraph 6 a (new)

 

Text proposed by the Commission

Amendment

 

6a. Member States shall ensure the possibility of effective, efficient and secure information exchange on all classification levels between their own CSIRTs and CSIRTs from third countries on the same classification level.

Amendment  135

 

Proposal for a directive

Article 9 – paragraph 6 b (new)

 

Text proposed by the Commission

Amendment

 

6b. CSIRTs shall, without prejudice to Union law, in particular Regulation (EU) 2016/679, cooperate with CSIRTs or equivalent bodies in candidate countries and in other third countries in the Western Balkans and the Eastern Partnership and, where possible, provide them with cybersecurity assistance.

Amendment  136

 

Proposal for a directive

Article 9 – paragraph 7

 

Text proposed by the Commission

Amendment

7. Member States shall communicate to the Commission without undue delay the CSIRTs designated in accordance with paragraph 1, the CSIRT coordinator designated in accordance with Article 6(1) and their respective tasks provided in relation to the entities referred to in Annexes I and II.

7. Member States shall communicate to the Commission without undue delay the CSIRTs designated in accordance with paragraph 1 and the CSIRT coordinator designated in accordance with Article 6(1), including their respective tasks provided in relation to the essential and important entities.

Amendment  137

 

Proposal for a directive

Article 10 – title

 

Text proposed by the Commission

Amendment

Requirements and tasks of CSIRTs

Requirements, technical capabilities and tasks of CSIRTs

Amendment  138

 

Proposal for a directive

Article 10 – paragraph 1 – point c

 

Text proposed by the Commission

Amendment

(c) CSIRTs shall be equipped with an appropriate system for managing and routing requests, in particular, to facilitate effective and efficient handovers;

(c) CSIRTs shall be equipped with an appropriate system for classifying, routing and tracking requests, in particular, to facilitate effective and efficient handovers;

Amendment  139

 

Proposal for a directive

Article 10 – paragraph 1 – point c a (new)

 

Text proposed by the Commission

Amendment

 

(ca) CSIRTs shall have appropriate codes of conduct in place to ensure the confidentiality and trustworthiness of their operations;

Amendment  140

 

Proposal for a directive

Article 10 – paragraph 1 – point d

 

Text proposed by the Commission

Amendment

(d) CSIRTs shall be adequately staffed to ensure availability at all times;

(d) CSIRTs shall be adequately staffed to ensure availability at all times and ensure appropriate training frameworks of their staff;

Amendment  141

 

Proposal for a directive

Article 10 – paragraph 1 – point e

 

Text proposed by the Commission

Amendment

(e) CSIRTs shall be equipped with redundant systems and backup working space to ensure continuity of their services;

(e) CSIRTs shall be equipped with redundant systems and backup working space to ensure continuity of their services, including broad connectivity across networks, information systems, services and devices;

Amendment  142

 

Proposal for a directive

Article 10 – paragraph 1 a (new)

 

Text proposed by the Commission

Amendment

 

1a. CSIRTs shall develop at least the following technical capabilities:

 

(a) the ability to conduct real-time or near-real-time monitoring of networks and information systems, and anomaly detection;

 

(b) the ability to support intrusion prevention and detection;

 

(c) the ability to collect and conduct complex forensic data analysis, and to reverse engineer cyber threats;

 

(d) the ability to filter malign traffic;

 

(e) the ability to enforce strong authentication and access privileges and controls; and

 

(f) the ability to analyse cyber threats.

Amendment  143

 

Proposal for a directive

Article 10 – paragraph 2 – point a

 

Text proposed by the Commission

Amendment

(a) monitoring cyber threats, vulnerabilities and incidents at national level;

(a) monitoring cyber threats, vulnerabilities and incidents at national level and acquiring real-time threat intelligence;

Amendment  144

 

Proposal for a directive

Article 10 – paragraph 2 – point b

 

Text proposed by the Commission

Amendment

(b) providing early warning, alerts, announcements and dissemination of information to essential and important entities as well as to other relevant interested parties on cyber threats, vulnerabilities and incidents;

(b) providing early warning, alerts, announcements and dissemination of information to essential and important entities as well as to other relevant interested parties on cyber threats, vulnerabilities and incidents, if possible in near-real-time;

Amendment  145

 

Proposal for a directive

Article 10 – paragraph 2 – point c

 

Text proposed by the Commission

Amendment

(c) responding to incidents;

(c) responding to incidents and providing assistance to the entities involved;

Amendment  146

 

Proposal for a directive

Article 10 – paragraph 2 – point e

 

Text proposed by the Commission

Amendment

(e) providing, upon request of an entity, a proactive scanning of the network and information systems used for the provision of their services;

(e) providing, upon request of an entity or in the case of a serious threat to national security, a proactive scanning of the network and information systems used for the provision of their services;

Amendment  147

 

Proposal for a directive

Article 10 – paragraph 2 – point f a (new)

 

Text proposed by the Commission

Amendment

 

(fa) providing, upon request of an entity, the enabling and configuration of network logging to protect data, including personal data, from unauthorised exfiltration;

Amendment  148

 

Proposal for a directive

Article 10 – paragraph 2 – point f b (new)

 

Text proposed by the Commission

Amendment

 

(fb) contributing to the deployment of secure information sharing tools pursuant to Article 9(3).

Amendment  149

 

Proposal for a directive

Article 10 – paragraph 4 – introductory part

 

Text proposed by the Commission

Amendment

4. In order to facilitate cooperation, CSIRTs shall promote the adoption and use of common or standardised practices, classification schemes and taxonomies in relation to the following:

4. In order to facilitate cooperation, CSIRTs shall promote automation of information exchange, the adoption and use of common or standardised practices, classification schemes and taxonomies in relation to the following:

Amendment  150

 

Proposal for a directive

Article 11 – paragraph 2

 

Text proposed by the Commission

Amendment

2. Member States shall ensure that either their competent authorities or their CSIRTs receive notifications on incidents, and significant cyber threats and near misses submitted pursuant to this Directive. Where a Member State decides that its CSIRTs shall not receive those notifications, the CSIRTs shall, to the extent necessary to carry out their tasks, be granted access to data on incidents notified by the essential or important entities, pursuant to Article 20.

2. Member States shall ensure that their CSIRTs receive notifications on significant incidents pursuant to Article 20 and cyber threats and near misses pursuant to Article 27 through the single entry point referred to in Article 20(4a).

Amendment  151

 

Proposal for a directive

Article 11 – paragraph 4

 

Text proposed by the Commission

Amendment

4. To the extent necessary to effectively carry out the tasks and obligations laid down in this Directive, Member States shall ensure appropriate cooperation between the competent authorities and single points of contact and law enforcement authorities, data protection authorities, and the authorities responsible for critical infrastructure pursuant to Directive (EU) XXXX/XXXX [Resilience of Critical Entities Directive] and the national financial authorities designated in accordance with Regulation (EU) XXXX/XXXX of the European Parliament and of the Council39 [the DORA Regulation] within that Member State.

4. To the extent necessary to effectively carry out the tasks and obligations laid down in this Directive, Member States shall ensure appropriate cooperation between the competent authorities, single points of contact, CSIRTs, law enforcement authorities, national regulatory authorities or other competent authorities responsible for public electronic communications networks or for publicly available electronic communications services pursuant to Directive (EU) 2018/1972, data protection authorities, the authorities responsible for critical infrastructure pursuant to Directive (EU) XXXX/XXXX [Resilience of Critical Entities Directive] and the national financial authorities designated in accordance with Regulation (EU) XXXX/XXXX of the European Parliament and of the Council39 [the DORA Regulation] within that Member State in line with their respective competences.

__________________

[39] [insert the full title and OJ publication reference when known]

Amendment 152

Proposal for a directive

Article 11 – paragraph 5

Text proposed by the Commission

Amendment

5. Member States shall ensure that their competent authorities regularly provide information to competent authorities designated pursuant to Directive (EU) XXXX/XXXX [Resilience of Critical Entities Directive] on cybersecurity risks, cyber threats and incidents affecting essential entities identified as critical, or as entities equivalent to critical entities, pursuant to Directive (EU) XXXX/XXXX [Resilience of Critical Entities Directive], as well as the measures taken by competent authorities in response to those risks and incidents.

5. Member States shall ensure that their competent authorities regularly provide timely information to competent authorities designated pursuant to Directive (EU) XXXX/XXXX [Resilience of Critical Entities Directive] on cybersecurity risks, cyber threats and incidents affecting essential entities identified as critical, or as entities equivalent to critical entities, pursuant to Directive (EU) XXXX/XXXX [Resilience of Critical Entities Directive], as well as the measures taken by competent authorities in response to those risks and incidents.

Amendment 153

Proposal for a directive

Article 12 – paragraph 3 – subparagraph 1

Text proposed by the Commission

Amendment

The Cooperation Group shall be composed of representatives of Member States, the Commission and ENISA. The European External Action Service shall participate in the activities of the Cooperation Group as an observer. The European Supervisory Authorities (ESAs) in accordance with Article 17(5)(c) of Regulation (EU) XXXX/XXXX [the DORA Regulation] may participate in the activities of the Cooperation Group.

The Cooperation Group shall be composed of representatives of Member States, the Commission and ENISA. The European Parliament and the European External Action Service shall participate in the activities of the Cooperation Group as observers. The European Supervisory Authorities (ESAs) in accordance with Article 17(5)(c) of Regulation (EU) XXXX/XXXX [the DORA Regulation] may participate in the activities of the Cooperation Group.

Amendment 154

Proposal for a directive

Article 12 – paragraph 3 – subparagraph 2

Text proposed by the Commission

Amendment

Where appropriate, the Cooperation Group may invite representatives of relevant stakeholders to participate in its work.

Where appropriate, the Cooperation Group may invite representatives of relevant stakeholders, such as the European Data Protection Board and representatives of industry, to participate in its work.

Amendment 155

Proposal for a directive

Article 12 – paragraph 4 – point b

Text proposed by the Commission

Amendment

(b) exchanging best practices and information in relation to the implementation of this Directive, including in relation to cyber threats, incidents, vulnerabilities, near misses, awareness-raising initiatives, trainings, exercises and skills, building capacity as well as standards and technical specifications;

(b) exchanging best practices and information in relation to the implementation of this Directive, including in relation to cyber threats, incidents, vulnerabilities, near misses, awareness-raising initiatives, trainings, exercises and skills, capacity building, standards and technical specifications as well as the identification of essential and important entities;

Amendment 156

Proposal for a directive

Article 12 – paragraph 4 – point b a (new)

Text proposed by the Commission

Amendment

 

(ba) mapping the national solutions in order to promote compatibility of cybersecurity solutions applied to each specific sector across the Union;

Amendment 157

Proposal for a directive

Article 12 – paragraph 4 – point c

Text proposed by the Commission

Amendment

(c) exchanging advice and cooperating with the Commission on emerging cybersecurity policy initiatives;

(c) exchanging advice and cooperating with the Commission on emerging cybersecurity policy initiatives and the overall consistency of sector-specific cybersecurity requirements;

Amendment 158

Proposal for a directive

Article 12 – paragraph 4 – point f

Text proposed by the Commission

Amendment

(f) discussing reports on the peer review referred to in Article 16(7);

(f) discussing reports on the peer review referred to in Article 16(7), and drawing up conclusions and recommendations;

Amendment 159

Proposal for a directive

Article 12 – paragraph 4 – point f a (new)

Text proposed by the Commission

Amendment

 

(fa) carrying out coordinated security risk assessments that may be initiated pursuant to Article 19(1), in cooperation with the Commission and ENISA;

Amendment 160

Proposal for a directive

Article 12 – paragraph 4 – point k a (new)

Text proposed by the Commission

Amendment

 

(ka) submitting to the Commission for the purpose of the review referred to in Article 35 reports on the experience gained at a strategic and operational level;

Amendment 161

Proposal for a directive

Article 12 – paragraph 4 – point k b (new)

Text proposed by the Commission

Amendment

 

(kb) providing a yearly assessment in cooperation with ENISA, Europol and national law enforcement institutions on which third countries are harbouring ransomware criminals.

Amendment 162

Proposal for a directive

Article 12 – paragraph 8

Text proposed by the Commission

Amendment

8. The Cooperation Group shall meet regularly and at least once a year with the Critical Entities Resilience Group established under Directive (EU) XXXX/XXXX [Resilience of Critical Entities Directive] to promote strategic cooperation and exchange of information.

8. The Cooperation Group shall meet regularly and at least twice a year with the Critical Entities Resilience Group established under Directive (EU) XXXX/XXXX [Resilience of Critical Entities Directive] to facilitate strategic cooperation and information exchange.

Amendment 163

Proposal for a directive

Article 13 – paragraph 3 – point a a (new)

Text proposed by the Commission

Amendment

 

(aa) facilitating the sharing and transferring of technology and relevant measures, policies, best practices and frameworks among the CSIRTs;

Amendment 164

Proposal for a directive

Article 13 – paragraph 3 – point b a (new)

Text proposed by the Commission

Amendment

 

(ba) ensuring interoperability with regard to information sharing standards;

Amendment 165

Proposal for a directive

Article 14 – paragraph 1

Text proposed by the Commission

Amendment

1. In order to support the coordinated management of large-scale cybersecurity incidents and crises at operational level and to ensure the regular exchange of information among Member States and Union institutions, bodies and agencies, the European Cyber Crises Liaison Organisation Network (EU - CyCLONe) is hereby established.

1. In order to support the coordinated management of large-scale cybersecurity incidents and crises at operational level and to ensure the regular exchange of relevant information among Member States and Union institutions, bodies and agencies, the European Cyber Crises Liaison Organisation Network (EU - CyCLONe) is hereby established.

Amendment 166

Proposal for a directive

Article 14 – paragraph 2

Text proposed by the Commission

Amendment

2. EU-CyCLONe shall be composed of the representatives of Member States’ crisis management authorities designated in accordance with Article 7, the Commission and ENISA. ENISA shall provide the secretariat of the network and support the secure exchange of information.

2. EU - CyCLONe shall be composed of the representatives of Member States’ crisis management authorities designated in accordance with Article 7, the Commission and ENISA. ENISA shall provide the secretariat of the EU - CyCLONe and support the secure exchange of information.

Amendment 167

Proposal for a directive

Article 14 – paragraph 5

Text proposed by the Commission

Amendment

5. EU-CyCLONe shall regularly report to the Cooperation Group on cyber threats, incidents and trends, focusing in particular on their impact on essential and important entities.

5. EU - CyCLONe shall regularly report to the Cooperation Group on large-scale incidents and crises, as well as trends, focusing in particular on their impact on essential and important entities.

Amendment 168

Proposal for a directive

Article 15 – paragraph 1 – introductory part

Text proposed by the Commission

Amendment

1. ENISA shall issue, in cooperation with the Commission, a biennial report on the state of cybersecurity in the Union. The report shall in particular include an assessment of the following:

1. ENISA shall issue, in cooperation with the Commission, a biennial report on the state of cybersecurity in the Union and shall submit and present it to the European Parliament. The report shall be delivered in machine-readable format and shall in particular include an assessment of the following:

Amendment 169

Proposal for a directive

Article 15 – paragraph 1 – point a a (new)

Text proposed by the Commission

Amendment

 

(aa) the general level of cybersecurity awareness and hygiene among citizens and entities, including SMEs, as well as the general level of security of connected devices;

Amendment 170

Proposal for a directive

Article 15 – paragraph 1 – point c

Text proposed by the Commission

Amendment

(c) a cybersecurity index providing for an aggregated assessment of the maturity level of cybersecurity capabilities.

(c) a cybersecurity index providing for an aggregated assessment of the maturity level of cybersecurity capabilities across the Union, including the alignment of Member States' national cybersecurity strategies.

Amendment 171

Proposal for a directive

Article 15 – paragraph 2

Text proposed by the Commission

Amendment

2. The report shall include particular policy recommendations for increasing the level of cybersecurity across the Union and a summary of the findings for the particular period from the Agency’s EU Cybersecurity Technical Situation Reports issued by ENISA in accordance with Article 7(6) of Regulation (EU) 2019/881.

2. The report shall include particular identification of obstacles and policy recommendations for increasing the level of cybersecurity across the Union and a summary of the findings for the particular period from the Agency’s EU Cybersecurity Technical Situation Reports issued by ENISA in accordance with Article 7(6) of Regulation (EU) 2019/881.

Amendment 172

Proposal for a directive

Article 15 – paragraph 2 a (new)

Text proposed by the Commission

Amendment

 

2a. ENISA, in cooperation with the Commission and with guidance from the Cooperation Group and the CSIRTs network, shall prepare the methodology including the relevant variables of the cybersecurity index referred to in paragraph 1, point (c).

Amendment 173

Proposal for a directive

Article 16 – paragraph 1 – introductory part

Text proposed by the Commission

Amendment

1. The Commission shall establish, after consulting the Cooperation Group and ENISA, and at the latest by 18 months following the entry into force of this Directive, the methodology and content of a peer-review system for assessing the effectiveness of the Member States’ cybersecurity policies. The reviews shall be conducted by cybersecurity technical experts drawn from Member States different than the one reviewed and shall cover at least the following:

1. The Commission shall establish, after consulting the Cooperation Group and ENISA, and at the latest by [18 months following the entry into force of this Directive], the methodology and content of a peer-review system for assessing the effectiveness of the Member States’ cybersecurity policies. The peer-reviews shall be conducted in consultation with ENISA by cybersecurity technical experts drawn from at least two Member States different than the one reviewed and shall cover at least the following:

Amendment 174

Proposal for a directive

Article 16 – paragraph 1 – point iii

Text proposed by the Commission

Amendment

(iii) the operational capabilities and effectiveness of CSIRTs;

(iii) the operational capabilities and effectiveness of CSIRTs in executing their tasks;

Amendment 175

Proposal for a directive

Article 16 – paragraph 3

Text proposed by the Commission

Amendment

3. The organisational aspects of the peer reviews shall be decided by the Commission, supported by ENISA, and, following consultation of the Cooperation Group, be based on criteria defined in the methodology referred to in paragraph 1. Peer reviews shall assess the aspects referred to in paragraph 1 for all Member States and sectors, including targeted issues specific to one or several Member States or one or several sectors.

3. The organisational aspects of the peer reviews shall be decided by the Commission, supported by ENISA, and, following consultation of the Cooperation Group, be based on criteria defined in the methodology referred to in paragraph 1. Peer reviews shall assess the aspects referred to in paragraph 1 for all Member States and sectors, including targeted issues specific to one or several Member States or one or several sectors. The designated experts carrying out the review shall communicate these targeted issues to the Member State under peer-review, prior to its commencement.

Amendment 176

Proposal for a directive

Article 16 – paragraph 3 a (new)

Text proposed by the Commission

Amendment

 

3a. Prior to the commencement of the peer-review process, the Member State under the peer-review shall carry out a self-assessment of the reviewed aspects and provide that self-assessment to the designated experts.

Amendment 177

Proposal for a directive

Article 16 – paragraph 4

Text proposed by the Commission

Amendment

4. Peer reviews shall entail actual or virtual on-site visits and off-site exchanges. In view of the principle of good cooperation, the Member States being reviewed shall provide the designated experts with the requested information necessary for the assessment of the reviewed aspects. Any information obtained through the peer review process shall be used solely for that purpose. The experts participating in the peer review shall not disclose any sensitive or confidential information obtained in the course of that review to any third parties.

4. Peer reviews shall entail actual or virtual on-site visits and off-site exchanges. In view of the principle of good cooperation, the Member States being reviewed shall provide the designated experts with the requested information necessary for the assessment of the reviewed aspects. The Commission, in cooperation with ENISA, shall develop appropriate codes of conduct underpinning the working methods of designated experts. Any information obtained through the peer review process shall be used solely for that purpose. The experts participating in the peer review shall not disclose any sensitive or confidential information obtained in the course of that review to any third parties.

Amendment 178

Proposal for a directive

Article 16 – paragraph 6

Text proposed by the Commission

Amendment

6. Member States shall ensure that any risk of conflict of interests concerning the designated experts is revealed to the other Member States, the Commission and ENISA without undue delay.

6. Member States shall ensure that any risk of conflict of interests concerning the designated experts is revealed to the other Member States, the Commission and ENISA, before the commencement of the peer-review process.

Amendment 179

Proposal for a directive

Article 16 – paragraph 7

Text proposed by the Commission

Amendment

7. Experts participating in peer reviews shall draft reports on the findings and conclusions of the reviews. The reports shall be submitted to the Commission, the Cooperation Group, the CSIRTs network and ENISA. The reports shall be discussed in the Cooperation Group and the CSIRTs network. The reports may be published on the dedicated website of the Cooperation Group.

7. Experts participating in peer reviews shall draft reports on the findings and conclusions of the reviews. The reports shall include recommendations to enable improvement on the aspects covered by the peer-review process. The reports shall be submitted to the Commission, the Cooperation Group, the CSIRTs network and ENISA. The reports shall be discussed in the Cooperation Group and the CSIRTs network. The reports may be published on the dedicated website of the Cooperation Group, excluding sensitive and confidential information.

Amendment 180

Proposal for a directive

Article 17 – paragraph 2

Text proposed by the Commission

Amendment

2. Member States shall ensure that members of the management body follow specific trainings, on a regular basis, to gain sufficient knowledge and skills in order to apprehend and assess cybersecurity risks and management practices and their impact on the operations of the entity.

2. Member States shall ensure that members of the management body of essential and important entities follow specific training, and shall encourage essential and important entities to offer similar training to all employees on a regular basis, to gain sufficient knowledge and skills in order to apprehend and assess cybersecurity risks and management practices and their impact on the services provided by the entity.

Amendment 181

Proposal for a directive

Article 18 – paragraph 1

Text proposed by the Commission

Amendment

1. Member States shall ensure that essential and important entities shall take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which those entities use in the provision of their services. Having regard to the state of the art, those measures shall ensure a level of security of network and information systems appropriate to the risk presented.

1. Member States shall ensure that essential and important entities take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services and prevent or minimise the impact of incidents on recipients of their services and on other services. Having regard to the state of the art and to European or international standards, those measures shall ensure a level of security of network and information systems appropriate to the risk presented.

Amendment 182

Proposal for a directive

Article 18 – paragraph 2 – point b

Text proposed by the Commission

Amendment

(b) incident handling (prevention, detection, and response to incidents);

(b) incident handling;

Amendment 183

Proposal for a directive

Article 18 – paragraph 2 – point c

Text proposed by the Commission

Amendment

(c) business continuity and crisis management;

(c) business continuity, such as backup management and disaster recovery, and crisis management;

Amendment 184

Proposal for a directive

Article 18 – paragraph 2 – point d

Text proposed by the Commission

Amendment

(d) supply chain security including security-related aspects concerning the relationships between each entity and its suppliers or service providers such as providers of data storage and processing services or managed security services;

(d) supply chain security including security-related aspects concerning the relationships between each entity and its suppliers or service providers;

Amendment 185

Proposal for a directive

Article 18 – paragraph 2 – point f

Text proposed by the Commission

Amendment

(f) policies and procedures (testing and auditing) to assess the effectiveness of cybersecurity risk management measures;

(f) policies and procedures (training, testing and auditing) to assess the effectiveness of cybersecurity risk management measures;

Amendment 186

Proposal for a directive

Article 18 – paragraph 2 – point f a (new)

Text proposed by the Commission

Amendment

 

(fa) basic computer hygiene practices and cybersecurity training;

Amendment 187

Proposal for a directive