European Parliament legislative resolution of 13 March 2014 on the proposal for a directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union (COM(2013)0048 – C7-0035/2013 – 2013/0027(COD))
(Ordinary legislative procedure: first reading)
The European Parliament,
– having regard to the Commission proposal to Parliament and the Council (COM(2013)0048),
– having regard to Article 294(2) and Article 114 of the Treaty on the Functioning of the European Union, pursuant to which the Commission submitted the proposal to Parliament (C7‑0035/2013),
– having regard to Article 294(3) of the Treaty on the Functioning of the European Union,
– having regard to the reasoned opinion submitted, within the framework of Protocol No 2 on the application of the principles of subsidiarity and proportionality, by the Swedish Parliament, asserting that the draft legislative act does not comply with the principle of subsidiarity,
– having regard to the opinion of the European Economic and Social Committee of 22 May 2013(1),
– having regard to its resolution of 12 September 2013 on a Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace(2),
– having regard to Rule 55 of its Rules of Procedure,
– having regard to the report of the Committee on the Internal Market and Consumer Protection and the opinions of the Committee on Industry, Research and Energy, the Committee on Civil Liberties, Justice and Home Affairs and the Committee on Foreign Affairs (A7-0103/2014),
1. Adopts its position at first reading hereinafter set out;
2. Calls on the Commission to refer the matter to Parliament again if it intends to amend its proposal substantially or replace it with another text;
3. Instructs its President to forward its position to the Council, the Commission and the national parliaments.
Position of the European Parliament adopted at first reading on 13 March 2014 with a view to the adoption of Directive 2014/.../EU of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union
THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty on the Functioning of the European Union, and in particular Article 114 thereof,
Having regard to the proposal from the European Commission,
After transmission of the draft legislative act to the national parliaments,
Having regard to the opinion of the European Economic and Social Committee(1),
Acting in accordance with the ordinary legislative procedure(2),
Whereas:
(1) Network and information systems and services play a vital role in society. Their reliability and security are essential to the freedom and overall security of Union citizens as well as to economic activities and social welfare, and in particular to the functioning of the internal market. [Am. 1]
(2) The magnitude, frequency and impact of deliberate or accidental security incidents is increasing and represents a major threat to the functioning of networks and information systems. Those systems may also become an easy target for deliberate harmful actions intended to damage or interrupt the operation of the systems. Such incidents can impede the pursuit of economic activities, generate substantial financial losses, undermine user and investor confidence and cause major damage to the economy of the Union and, ultimately, endanger the wellbeing of Union citizens and the ability of Member States to protect themselves and ensure the security of critical infrastructures. [Am. 2]
(3) As a communication instrument without frontiers, digital information systems, and primarily the Internet, play an essential role in facilitating the cross-border movement of goods, services and people. Due to that transnational nature, substantial disruption of those systems in one Member State can also affect other Member States and the Union as a whole. The resilience and stability of network and information systems is therefore essential to the smooth functioning of the internal market.
(3a) Since common causes of system failure continue to be unintentional ones, such as natural causes or human error, infrastructure should be resilient both to intentional and unintentional disruptions, and operators of critical infrastructure should design resilience-based systems. [Am. 3]
(4) A cooperation mechanism should be established at Union level to allow for information exchange and coordinated prevention, detection and response regarding network and information security (‘NIS’). For that mechanism to be effective and inclusive, it is essential that all Member States have minimum capabilities and a strategy ensuring a high level of NIS in their territory. Minimum security requirements should also apply to public administrations and at least certain market operators of critical information infrastructure to promote a culture of risk management and ensure that the most serious incidents are reported. Companies listed on the stock markets should be encouraged to make incidents public in their financial reports on a voluntary basis. The legal framework should be based upon the need to safeguard the privacy and integrity of citizens. The Critical Infrastructure Warning Information Network (CIWIN) should be expanded to the market operators covered by this Directive. [Am. 4]
(4a) While public administrations, because of their public mission, should exercise due diligence in the management and the protection of their own network and information systems, this Directive should focus on critical infrastructure essential for the maintenance of vital economic and societal activities in the fields of energy, transport, banking, financial market infrastructures and health. Software developers and hardware manufacturers should be excluded from the scope of this Directive. [Am. 5]
(4b) Cooperation and coordination between the relevant Union authorities with the High Representative/Vice President, with the responsibility for the Common Foreign and Security Policy and the Common Security and Defence Policy, as well as the EU Counter-terrorism Coordinator should be ensured where incidents having a significant impact are perceived to be of an external and terrorist nature. [Am. 6]
(5) To cover all relevant incidents and risks, this Directive should apply to all network and information systems. The obligations on public administrations and market operators should, however, not apply to undertakings providing public communication networks or publicly available electronic communication services within the meaning of Directive 2002/21/EC of the European Parliament and of the Council(3), which are subject to the specific security and integrity requirements laid down in Article 13a of that Directive, nor should they apply to trust service providers.
(6) The existing capabilities are not sufficient to ensure a high level of NIS within the Union. Member States have very different levels of preparedness, leading to fragmented approaches across the Union. This leads to an unequal level of protection of consumers and businesses, and undermines the overall level of NIS within the Union. Lack of common minimum requirements on public administrations and market operators in turn makes it impossible to set up a global and effective mechanism for cooperation at Union level. Universities and research centres have a decisive role in spurring research, development and innovation in those areas and should be provided with adequate funding. [Am. 7]
(7) Responding effectively to the challenges of the security of network and information systems therefore requires a global approach at Union level covering common minimum capacity building and planning requirements, developing sufficient cyber security skills, exchange of information and coordination of actions, and common minimum security requirements for all market operators concerned and public administrations. Minimum common standards should be applied in accordance with appropriate recommendations by the Cyber Security Coordination Groups (CSGCs). [Am. 8]
(8) The provisions of this Directive should be without prejudice to the possibility for each Member State to take the necessary measures to ensure the protection of its essential security interests, to safeguard public policy and public security, and to permit the investigation, detection and prosecution of criminal offences. In accordance with Article 346 of the Treaty on the Functioning of the European Union (TFEU), no Member State is to be obliged to supply information the disclosure of which it considers contrary to the essential interests of its security. No Member State is obliged to disclose EU classified information as defined in Council Decision 2011/292/EU(4), information subject to non-disclosure agreements or informal non-disclosure agreements, such as the Traffic Light Protocol. [Am. 9]
(9) To achieve and maintain a common high level of security of network and information systems, each Member State should have a national NIS strategy defining the strategic objectives and concrete policy actions to be implemented. NIS cooperation plans complying with essential requirements need to be developed at national level, on the basis of minimum requirements set out in this Directive, in order to reach capacity response levels allowing for effective and efficient cooperation at national and Union level in case of incidents, respecting and protecting private life and personal data. Each Member State should therefore be obliged to meet common standards regarding data format and the exchangeability of data to be shared and evaluated. Member States should be able to ask for the assistance of the European Union Agency for Network and Information Security (ENISA) in developing their national NIS strategies, based on a common minimum NIS strategy blueprint. [Am. 10]
(10) To allow for the effective implementation of the provisions adopted pursuant to this Directive, a body responsible for coordinating NIS issues and acting as a focal point for cross-border cooperation at Union level should be established or identified in each Member State. Those bodies should be given the adequate technical, financial and human resources to ensure that they can carry out in an effective and efficient manner the tasks assigned to them and thus achieve the objectives of this Directive.
(10a) In view of the differences in national governance structures and in order to safeguard pre-existing sectoral arrangements or Union supervisory and regulatory bodies, and to avoid duplication, Member States should be able to designate more than one national competent authority in charge of fulfilling the tasks linked to the security of the networks and information systems of market operators under this Directive. However, in order to ensure smooth cross-border cooperation and communication, it is necessary for each Member State, without prejudice to sectoral regulatory arrangements, to designate only one national single point of contact in charge of cross-border cooperation at Union level. Where its constitutional structure or other arrangements so require, a Member State should be able to designate only one authority to carry out the tasks of the competent authority and the single point of contact. The competent authorities and the single points of contact should be civilian bodies, subject to full democratic oversight and should not fulfil any tasks in the field of intelligence, law enforcement or defence or be organisationally linked in any form to bodies active in those fields. [Am. 11]
(11) All Member States and market operators should be adequately equipped, both in terms of technical and organisational capabilities, to prevent, detect, respond to and mitigate network and information systems' incidents and risks at any time. The security systems of public administrations should be safe and subject to democratic control and scrutiny. Commonly required equipment and capabilities should comply with commonly agreed technical standards as well as standard procedures of operation (SPO). Well-functioning Computer Emergency Response Teams (CERTs) complying with essential requirements should therefore be established in all Member States to guarantee effective and compatible capabilities to deal with incidents and risks and ensure efficient cooperation at Union level. Those CERTs should be enabled to interact on the basis of common technical standards and SPO. In view of the different characteristics of existing CERTs, which respond to different subject needs and actors, Member States should guarantee that each of the sectors referred to in the list of market operators set out in this Directive is provided services by at least one CERT. Regarding cross-border CERT cooperation, Member States should ensure that CERTs have sufficient means to participate in the existing international and Union cooperation networks already in place. [Am. 12]
(12) Building upon the significant progress within the European Forum of Member States (‘EFMS’) in fostering discussions and exchanges on good policy practices including the development of principles for European cyber crisis cooperation, the Member States and the Commission should form a network to bring them into permanent communication and support their cooperation. This secure and effective cooperation mechanism, including the participation of market operators, where appropriate, should enable structured and coordinated information exchange, detection and response at Union level. [Am. 13]
(13) The European Network and Information Security Agency (‘ENISA’) should assist the Member States and the Commission by providing its expertise and advice and by facilitating exchange of best practices. In particular, in the application of this Directive, the Commission and Member States should consult ENISA. To ensure effective and timely information to the Member States and the Commission, early warnings on incidents and risks should be notified within the cooperation network. To build capacity and knowledge among Member States, the cooperation network should also serve as an instrument for the exchange of best practices, assisting its members in building capacity, steering the organisation of peer reviews and NIS exercises. [Am. 14]
(13a) Where appropriate, Member States should be able to use or adapt existing organisational structures or strategies when applying the provisions of this Directive. [Am. 15]
(14) A secure information-sharing infrastructure should be put in place to allow for the exchange of sensitive and confidential information within the cooperation network. Existing structures within the Union should be fully used for that purpose. Without prejudice to their obligation to notify incidents and risks of Union dimension to the cooperation network, access to confidential information from other Member States should only be granted to Member States upon demonstration that their technical, financial and human resources and processes, as well as their communication infrastructure, guarantee their effective, efficient and secure participation in the network, using transparent methods. [Am. 16]
(15) As most network and information systems are privately operated, cooperation between the public and private sector is essential. Market operators should be encouraged to pursue their own informal cooperation mechanisms to ensure NIS. They should also cooperate with the public sector and mutually share information and best practices, including the reciprocal exchange of relevant information and operational support and strategically analysed information, in case of incidents. To effectively encourage the sharing of information and of best practices, it is essential to ensure that market operators who participate in such exchanges are not disadvantaged as a result of their cooperation. Adequate safeguards are needed to ensure that such cooperation will not expose those operators to higher compliance risk or new liabilities under, inter alia, competition, intellectual property, data protection or cybercrime law, nor expose them to increased operational or security risks. [Am. 17]
(16) To ensure transparency and properly inform Union citizens and market operators, the single points of contact should set up a common Union-wide website to publish non-confidential information on incidents, risks and means of risk mitigation, and where necessary advise on appropriate maintenance measures. The information on the website should be accessible irrespective of the device used. Any personal data published on that website should be limited only to what is necessary and should be as anonymous as possible. [Am. 18]
(17) Where information is considered confidential in accordance with Union and national rules on business confidentiality, such confidentiality shall be ensured when carrying out the activities and fulfilling the objectives set by this Directive.
(18) On the basis in particular of national crisis management experiences and in cooperation with ENISA, the Commission and the Member States should develop a Union NIS cooperation plan defining cooperation mechanisms, best practices and operation patterns to prevent, detect, report, and counter risks and incidents. That plan should be duly taken into account in the operation of early warnings within the cooperation network. [Am. 19]
(19) Notification of an early warning within the network should be required only where the scale and severity of the incident or risk concerned are or may become so significant that information or coordination of the response at Union level is necessary. Early warnings should therefore be limited to actual or potential incidents or risks that grow rapidly, exceed national response capacity or affect more than one Member State. To allow for a proper evaluation, all information relevant for the assessment of the risk or incident should be communicated to the cooperation network. [Am. 20]
(20) Upon receipt of an early warning and its assessment, the single points of contact should agree on a coordinated response under the Union NIS cooperation plan. The single points of contact, ENISA and the Commission should be informed about the measures adopted at national level as a result of the coordinated response. [Am. 21]
(21) Given the global nature of NIS problems, there is a need for closer international cooperation to improve security standards and information exchange, and promote a common global approach to NIS issues. Any framework for such international cooperation should be subject to Directive 95/46/EC of the European Parliament and of the Council(5) and Regulation (EC) No 45/2001 of the European Parliament and of the Council(6). [Am. 22]
(22) Responsibility for ensuring NIS lies to a great extent with public administrations and market operators. A culture of risk management, close cooperation and trust, involving risk assessment and the implementation of security measures appropriate to the risks faced and incidents, whether deliberate or accidental, should be promoted and developed through appropriate regulatory requirements and voluntary industry practices. Establishing a trustworthy level playing field is also essential to the effective functioning of the cooperation network to ensure effective cooperation from all Member States. [Am. 23]
(23) Directive 2002/21/EC requires that undertakings providing public electronic communications networks or publicly available electronic communications services take appropriate measures to safeguard their integrity and security and introduces security breach and integrity loss notification requirements. Directive 2002/58/EC of the European Parliament and of the Council(7) requires a provider of a publicly available electronic communications service to take appropriate technical and organisational measures to safeguard the security of its services.
(24) Those obligations should be extended beyond the electronic communications sector to operators of infrastructure which rely heavily on information and communications technology and are essential to the maintenance of vital economic or societal functions such as electricity and gas, transport, credit institutions, financial market infrastructures and health. Disruption of those network and information systems would affect the internal market. While the obligations set out in this Directive should not extend to key providers of information society services, as defined in Directive 98/34/EC of the European Parliament and of the Council(8), which underpin downstream information society services or on-line activities, such as e-commerce platforms, Internet payment gateways, social networks, search engines, cloud computing services in general or application stores, those providers might, on a voluntary basis, inform the competent authority or single point of contact of those network security incidents they deem appropriate. The competent authority or the single point of contact should, if possible, present the market operators that informed it of the incident with strategically analysed information that will help to overcome the security threat. [Am. 24]
(24a) While hardware and software providers are not market operators comparable to those covered in this Directive, their products facilitate the security of network and information systems. They therefore have an important role in enabling market operators to secure their network and information infrastructures. Given that hardware and software products are already subject to existing rules on product liability, Member States should ensure that those rules are enforced. [Am. 25]
(25) Technical and organisational measures imposed on public administrations and market operators should not require that a particular commercial information and communications technology product be designed, developed or manufactured in a particular manner. [Am. 26]
(26) The public administrations and market operators should ensure security of the networks and systems which are under their control. These would be primarily private networks and systems managed either by their internal IT staff or the security of which has been outsourced. The security and notification obligations should apply to the relevant market operators and public administrations regardless of whether they perform the maintenance of their network and information systems internally or outsource it. [Am. 27]
(27) To avoid imposing a disproportionate financial and administrative burden on small operators and users, the requirements should be proportionate to the risk presented by the network or information system concerned, taking into account the state of the art of such measures. Those requirements should not apply to micro enterprises.
(28) Competent authorities and single points of contact should pay due attention to preserving informal and trusted channels of information-sharing between market operators and between the public and the private sectors. Competent authorities and single points of contact should inform manufacturers and service providers of affected ICT products and services about incidents having a significant impact notified to them. Publicity of incidents reported to the competent authorities and single points of contact should duly balance the interest of the public in being informed about threats with possible reputational and commercial damages for the public administrations and market operators reporting incidents. In the implementation of the notification obligations, competent authorities and single points of contact should pay particular attention to the need to maintain information about product vulnerabilities strictly confidential prior to the deployment of appropriate security fixes. As a general rule, single points of contact should not disclose the personal data of individuals involved in incidents. Single points of contact should only disclose personal data where the disclosure of such data is necessary and proportionate in view of the objective pursued. [Am. 28]
(29) Competent authorities should have the necessary means to perform their duties, including powers to obtain sufficient information from market operators and public administrations in order to assess the level of security of network and information systems, measure the number, scale and scope of incidents, as well as reliable and comprehensive data about actual incidents that have had an impact on the operation of network and information systems. [Am. 29]
(30) Criminal activities are in many cases underlying an incident. The criminal nature of incidents can be suspected even if the evidence to support it may not be sufficiently clear from the start. In this context, appropriate co-operation between competent authorities, single points of contact and law enforcement authorities as well as cooperation with the EC3 (Europol Cybercrime Centre) and ENISA should form part of an effective and comprehensive response to the threat of security incidents. In particular, promoting a safe, secure and more resilient environment requires a systematic reporting of incidents of a suspected serious criminal nature to law enforcement authorities. The serious criminal nature of incidents should be assessed in the light of Union laws on cybercrime. [Am. 30]
(31) Personal data are in many cases compromised as a result of incidents. Member States and market operators should protect personal data stored, processed or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorised or unlawful storage, access, disclosure or dissemination, and ensure the implementation of a security policy with respect to the processing of personal data. In this context, competent authorities, single points of contact and data protection authorities should cooperate and exchange information on all relevant matters including, where appropriate, with market operators, in order to tackle the personal data breaches resulting from incidents in accordance with applicable data protection rules. The obligation to notify security incidents should be carried out in a way that minimises the administrative burden in case the security incident is also a personal data breach in line with the Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data(9). Liaising with the competent authorities and the data protection authorities, ENISA should assist by developing information exchange mechanisms and templates avoiding the need for two notification templates. A single notification template would facilitate the reporting of incidents compromising personal data, thereby easing the administrative burden on businesses and public administrations. [Am. 31]
(32) Standardisation of security requirements is a market-driven process of a voluntary nature that should allow market operators to use alternative means to achieve at least similar outcomes. To ensure a convergent application of security standards, Member States should encourage compliance or conformity with specified interoperable standards to ensure a high level of security at Union level. To this end, the application of open international standards on network information security or the design of such tools need to be considered. Another necessary step forward might be to draft harmonised standards, which should be done in accordance with Regulation (EU) No 1025/2012 of the European Parliament and of the Council(10). In particular, ETSI, CEN and CENELEC should be mandated to suggest effective and efficient Union open security standards, where technological preferences are avoided as much as possible, and which should be made easily manageable by small and medium-sized market operators. International standards pertaining to cybersecurity should be carefully vetted in order to ensure that they have not been compromised and that they provide adequate levels of security, thus making sure that the mandated compliance with cybersecurity standards enhances the overall level of cybersecurity of the Union and not the contrary. [Am. 32]
(33) The Commission should periodically review this Directive, in consultation with all interested stakeholders, in particular with a view to determining the need for modification in the light of changing societal, political, technological or market conditions. [Am. 33]
(34) In order to allow for the proper functioning of the cooperation network, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission in respect of the common set of interconnection and security standards for the secure information-sharing infrastructure, the further specification of the triggering events for early warning, and the definition of the circumstances in which market operators and public administrations are required to notify incidents. [Am. 34]
(35) It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level. The Commission, when preparing and drawing up delegated acts, should ensure a simultaneous, timely and appropriate transmission of relevant documents to the European Parliament and to the Council.
(36) In order to ensure uniform conditions for the implementation of this Directive, implementing powers should be conferred on the Commission as regards the cooperation between single points of contact and the Commission within the cooperation network, without prejudice to existing cooperation mechanisms at national level, the Union NIS cooperation plan, and the formats and procedures applicable to informing the public about incidents having a significant impact. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council(11). [Am. 35]
(37) In the application of this Directive, the Commission should liaise as appropriate with relevant sectoral committees and relevant bodies set up at Union level, in particular in the fields of e-government, energy, transport, health and defence. [Am. 36]
(38) Information that is considered confidential by a competent authority or a single point of contact, in accordance with Union and national rules on business confidentiality, should be exchanged with the Commission, its relevant agencies, single points of contact and/or other national competent authorities only where such exchange is strictly necessary for the application of this Directive. The information exchanged should be limited to that which is relevant, necessary and proportionate to the purpose of such exchange, and should respect pre-defined criteria for confidentiality and security, in accordance with Decision 2011/292/EU, information subject to non-disclosure agreements and informal non-disclosure agreements, such as the Traffic Light Protocol. [Am. 37]
(39) The sharing of information on risks and incidents within the cooperation network and compliance with the requirements to notify incidents to the national competent authorities or single points of contact may require the processing of personal data. Such a processing of personal data is necessary to meet the objectives of public interest pursued by this Directive and is thus legitimate under Article 7 of Directive 95/46/EC. It does not constitute, in relation to those legitimate aims, a disproportionate and intolerable interference impairing the very substance of the right to the protection of personal data guaranteed by Article 8 of the Charter of Fundamental Rights of the European Union. In the application of this Directive, Regulation (EC) No 1049/2001 of the European Parliament and of the Council(12) should apply as appropriate. When data are processed by Union institutions and bodies, such processing for the purpose of implementing this Directive should comply with Regulation (EC) No 45/2001. [Am. 38]
(40) Since the objective of this Directive, namely to ensure a high level of NIS in the Union, cannot be sufficiently achieved by the Member States alone but can rather, by reason of the effects of the action, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality, as set out in that Article, this Directive does not go beyond what is necessary in order to achieve that objective.
(41) This Directive respects the fundamental rights, and observes the principles, recognised by the Charter of Fundamental Rights of the European Union, in particular the right to respect for private life and communications, the protection for personal data, the freedom to conduct a business, the right to property, the right to an effective remedy before a court and the right to be heard. This Directive must be implemented in accordance with those rights and principles.
(41a) In accordance with the Joint Political Declaration of Member States and the Commission on explanatory documents of 28 September 2011, Member States have undertaken to accompany, in justified cases, the notification of their transposition measures with one or more documents explaining the relationship between the components of a directive and the corresponding parts of national transposition instruments. With regard to this Directive, the legislator considers the transmission of such documents to be justified. [Am. 39]
(41b) The European Data Protection Supervisor was consulted in accordance with Article 28(2) of Regulation (EC) No 45/2001 and delivered an opinion on 14 June 2013(13),
HAVE ADOPTED THIS DIRECTIVE:
CHAPTER I
GENERAL PROVISIONS
Article 1
Subject matter and scope
1. This Directive lays down measures to ensure a high common level of network and information security ("NIS") within the Union.
2. To that end, this Directive:
(a) lays down obligations for all Member States concerning the prevention, the handling of and the response to risks and incidents affecting networks and information systems;
(b) creates a cooperation mechanism between Member States in order to ensure a uniform application of this Directive within the Union and, where necessary, a coordinated and, efficient and effective handling of and response to risks and incidents affecting network and information systems with the participation of relevant stakeholders; [Am. 40]
(c) establishes security requirements for market operators and public administrations. [Am. 41]
3. The security requirements provided for in Article 14 of this Directive shall apply neither to undertakings providing public communication networks or publicly available electronic communication services within the meaning of Directive 2002/21/EC, which shall comply with the specific security and integrity requirements laid down in Articles 13a and 13b of that Directive, nor to trust service providers.
4. This Directive shall be without prejudice to Union laws on cybercrime and Council Directive 2008/114/EC(14).
5. This Directive shall also be without prejudice to Directive 95/46/EC, to Directive 2002/58/EC and to Regulation (EC) No 45/2001. Any use of the personal data shall be limited to what is strictly necessary for the purposes of this Directive, and those data shall be as anonymous as possible, if not completely anonymous. [Am. 42]
6. The sharing of information within the cooperation network under Chapter III and the notifications of NIS incidents under Article 14 may require the processing of personal data. Such processing, which is necessary to meet the objectives of public interest pursued by this Directive, shall be authorised by the Member State pursuant to Article 7 of Directive 95/46/EC and Directive 2002/58/EC, as implemented in national law.
Article 1a
Protection and processing of personal data
1. Any processing of personal data in the Member States pursuant to this Directive shall be carried out in accordance with Directive 95/46/EC and Directive 2002/58/EC.
2. Any processing of personal data by the Commission and ENISA pursuant to this Regulation shall be carried out in accordance with Regulation (EC) No 45/2001.
3. Any processing of personal data by the European Cybercrime Centre within Europol for the purposes of this Directive shall be carried out pursuant to Council Decision 2009/371/JHA(15).
4. The processing of personal data shall be fair and lawful and strictly limited to the minimum data needed for the purposes for which they are processed. They shall be kept in a form which permits the identification of data subjects for no longer than necessary for the purpose for which the personal data are processed.
5. Incident notifications referred to in Article 14 of this Directive shall be without prejudice to the provisions and obligations regarding personal data breach notifications set out in Article 4 of Directive 2002/58/EC and in Commission Regulation (EU) No 611/2013(16). [Am. 43]
Article 2
Minimum harmonisation
Member States shall not be prevented from adopting or maintaining provisions ensuring a higher level of security, without prejudice to their obligations under Union law.
Article 3
Definitions
For the purpose of this Directive, the following definitions shall apply:
(1) "network and information system" means:
(a) an electronic communications network within the meaning of Directive 2002/21/EC, and
(b) any device or group of inter-connected or related devices, one or more of which, pursuant to a program, perform automatic processing of computer digital data, as well as [Am. 44]
(c) computer digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance; [Am. 45]
(2) "security" means the ability of a network and information system to resist, at a given level of confidence, accident or malicious action that compromises the availability, authenticity, integrity and confidentiality of stored or transmitted data or the related services offered by or accessible via that network and information system; "security" includes appropriate technical devices, solutions and operating procedures ensuring the security requirements set out in this Directive; [Am. 46]
(3) "risk" means any reasonably identifiable circumstance or event having a potential adverse effect on security; [Am. 47]
(4) "incident" means any circumstance or event having an actual adverse effect on security; [Am. 48]
(5) "information society service" means a service within the meaning of point (2) of Article 1 of Directive 98/34/EC; [Am. 49]
(6) "NIS cooperation plan" means a plan establishing the framework for organisational roles, responsibilities and procedures to maintain or restore the operation of networks and information systems, in the event of a risk or an incident affecting them;
(7) "incident handling" means all procedures supporting the detection, prevention, analysis, containment and response to an incident; [Am. 50]
(8) "market operator" means:
(a) provider of information society services which enable the provision of other information society services, a non-exhaustive list of which is set out in Annex II; [Am. 51]
(b) operator of critical infrastructure that are essential for the maintenance of vital economic and societal activities in the fields of energy, transport, banking, stock exchanges financial market infrastructures, internet exchange points, food supply chain and health, and the disruption or destruction of which would have a significant impact in a Member State as a result of the failure to maintain those functions, a non-exhaustive list of which is set out in Annex II, insofar as the network and information systems concerned are related to its core services; [Am. 52]
(8a) "incident having a significant impact" means an incident affecting the security and continuity of an information network or system that leads to the major disruption of vital economic or societal functions; [Am. 53]
(9) "standard" means a standard referred to in Regulation (EU) No 1025/2012;
(10) "specification" means a specification referred to in Regulation (EU) No 1025/2012;
(11) "Trust service provider" means a natural or legal person who provides any electronic service consisting in the creation, verification, validation, handling and preservation of electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic delivery services, website authentication, and electronic certificates, including certificates for electronic signature and for electronic seals;
(11a) "regulated market" means regulated market as defined in point 14 of Article 4 of Directive 2004/39/EC of the European Parliament and of the Council(17); [Am. 54]
(11b) "multilateral trading facility (MTF)" means multilateral trading facility as defined in point 15 of Article 4 of Directive 2004/39/EC; [Am. 55]
(11c) "organised trading facility" means a multilateral system or facility, which is not a regulated market, a multilateral trading facility or a central counterparty, operated by an investment firm or a market operator, in which multiple third-party buying and selling interests in bonds, structured finance products, emission allowances or derivatives are able to interact in the system in such a way as to result in a contract in accordance with Title II of Directive 2004/39/EC. [Am. 56]
CHAPTER II
NATIONAL FRAMEWORKS ON NETWORK AND INFORMATION SECURITY
Article 4
Principle
Member States shall ensure a high level of security of the network and information systems in their territories in accordance with this Directive.
Article 5
National NIS strategy and national NIS cooperation plan
1. Each Member State shall adopt a national NIS strategy defining the strategic objectives and concrete policy and regulatory measures to achieve and maintain a high level of network and information security. The national NIS strategy shall address in particular the following issues:
(a) The definition of the objectives and priorities of the strategy based on an up-to-date risk and incident analysis;
(b) A governance framework to achieve the strategy objectives and priorities, including a clear definition of the roles and responsibilities of the government bodies and the other relevant actors;
(c) The identification of the general measures on preparedness, response and recovery, including cooperation mechanisms between the public and private sectors;
(d) An indication of the education, awareness raising and training programmes;
(e) Research and development plans and a description of how these plans reflect the identified priorities;
(ea) Member States may request the assistance of ENISA in developing their national NIS strategies and national NIS cooperation plans, based on a common minimum NIS strategy. [Am. 57]
2. The national NIS strategy shall include a national NIS cooperation plan complying at least with the following requirements:
(a) A risk management framework to establish a methodology for the identification, prioritisation, evaluation and treatment of risks, the assessment plan to identify risks and assess of the impacts of potential incidents, prevention and control options, and to define criteria for the choice of possible countermeasures; [Am. 58]
(b) The definition of the roles and responsibilities of the various authorities and other actors involved in the implementation of the plan framework; [Am. 59]
(c) The definition of cooperation and communication processes ensuring prevention, detection, response, repair and recovery, and modulated in accordance with the alert level;
(d) A roadmap for NIS exercises and training to reinforce, validate, and test the plan. Lessons learned to be documented and incorporated into updates to the plan.
3. The national NIS strategy and the national NIS cooperation plan shall be communicated to the Commission within one month three months from their adoption. [Am. 60]
Article 6
National competent authority authorities and single points of contact on the security of network and information systems [Am. 61]
1. Each Member State shall designate a one or more civilian national competent authority authorities on the security of network and information systems (the ‘competent authority/ies’). [Am. 62]
2. The competent authorities shall monitor the application of this Directive at national level and contribute to its consistent application throughout the Union.
2a. Where a Member State designates more than one competent authority, it shall designate a civilian national authority, for instance a competent authority, as national single point of contact on the security of network and information systems (‘single point of contact’). Where a Member State designates only one competent authority, that competent authority shall also be the single point of contact. [Am. 63]
2b. The competent authorities and the single point of contact of the same Member State shall cooperate closely with regard to the obligations laid down in this Directive. [Am. 64]
2c. The single point of contact shall ensure cross-border cooperation with other single points of contact. [Am. 65]
3. Member States shall ensure that the competent authorities and the single points of contact have adequate technical, financial and human resources to carry out in an effective and efficient manner the tasks assigned to them and thereby to fulfil the objectives of this Directive. Member States shall ensure the effective, efficient and secure cooperation of the competent authorities single points of contact via the network referred to in Article 8. [Am. 66]
4. Member States shall ensure that the competent authorities and single points of contact, where applicable in accordance with paragraph 2a of this Article, receive the notifications of incidents from public administrations and market operators as specified in Article 14(2) and are granted the implementation and enforcement powers referred to in Article 15. [Am. 67]
4a. Where Union law provides for a sector-specific Union supervisory or regulatory body, inter alia on the security of network and information systems, that body shall receive the notifications of incidents in accordance with Article 14(2) from the market operators concerned in that sector and shall be granted the implementation and enforcement powers referred to in Article 15. That Union body shall cooperate closely with the competent authorities and the single point of contact of the host Member State with regard to those obligations. The single point of contact of the host Member State shall represent the Union body with regard to the obligations laid down in Chapter III. [Am. 68]
5. The competent authorities and single points of contact shall consult and cooperate, whenever appropriate, with the relevant law enforcement national authorities and data protection authorities. [Am. 69]
6. Each Member State shall notify to the Commission without delay the designation of the competent authority authorities and the single point of contact, its tasks, and any subsequent change thereto. Each Member State shall make public its designation of the competent authority authorities. [Am. 70]
Article 7
Computer Emergency Response Team
1. Each Member State shall set up a at least one Computer Emergency Response Team ("CERT") for each of the sectors listed in Annex II, responsible for handling incidents and risks according to a well-defined process, which shall comply with the requirements set out in point (1) of Annex I. A CERT may be established within the competent authority. [Am. 71]
2. Member States shall ensure that CERTs have adequate technical, financial and human resources to effectively carry out their tasks set out in point (2) of Annex I.
3. Member States shall ensure that CERTs rely on a secure and resilient communication and information infrastructure at national level, which shall be compatible and interoperable with the secure information-sharing system referred to in Article 9.
4. Member States shall inform the Commission about the resources and mandate as well as the incident handling process of the CERTs.
5. The CERT CERTs shall act under the supervision of the competent authority or the single point of contact, which shall regularly review the adequacy of its their resources, its mandate mandates and the effectiveness of its their incident-handling process. [Am. 72]
5a. Member States shall ensure that CERTs have adequate human and financial resources to participate actively in international, and in particular Union, cooperation networks. [Am. 73]
5b. The CERTs shall be enabled and encouraged to initiate and to participate in joint exercises with other CERTs, with all the CERTs of the Member States, and with appropriate institutions of non-Member States as well as with CERTs of multinational and international institutions such as the North Atlantic Treaty Organisation and the United Nations. [Am. 74]
5c. Member States may ask for the assistance of ENISA or of other Member States in developing their national CERTs. [Am. 75]
CHAPTER III
COOPERATION BETWEEN COMPETENT AUTHORITIES
Article 8
Cooperation network
1. The competent authorities single points of contact and the Commission and ENISA shall form a network (‘cooperation network’) to cooperate against risks and incidents affecting network and information systems. [Am. 76]
2. The cooperation network shall bring into permanent communication the Commission and the competent authorities single points of contact. When requested, the European Network and Information Security Agency (‘ENISA’) shall assist the cooperation network by providing its expertise and advice. Where appropriate, market operators and suppliers of cyber security solutions may also be invited to participate in the activities of the cooperation network referred to in points (g) and (i) of paragraph 3.
Where relevant, the cooperation network shall cooperate with the data protection authorities.
The Commission shall regularly inform the cooperation network of security research and other relevant programmes of Horizon 2020. [Am. 77]
3. Within the cooperation network the competent authorities single points of contact shall:
(a) circulate early warnings on risks and incidents in accordance with Article 10;
(b) ensure a coordinated response in accordance with Article 11;
(c) publish on a regular basis non-confidential information on on-going early warnings and coordinated response on a common website;
(d) jointly discuss and assess, at the request of one Member State or of the Commission, one or more national NIS strategies and national NIS cooperation plans referred to in Article 5, within the scope of this Directive;
(e) jointly discuss and assess, at the request of a Member State or the Commission, the effectiveness of the CERTs, in particular when NIS exercises are performed at Union level;
(f) cooperate and exchange information on all expertise on relevant matters with the European Cybercrime Centre within Europol, and with other relevant European bodies on network and information security, in particular in the fields of data protection, energy, transport, banking, stock exchanges financial markets and health with the European Cybercrime Centre within Europol, and with other relevant European bodies;
(fa) where appropriate, inform the EU Counter-terrorism Coordinator, by means of reporting, and may ask for assistance for analysis, preparatory works and actions of the cooperation network;
(g) exchange information and best practices between themselves and the Commission, and assist each other in building capacity on NIS;
(h) organise regular peer reviews on capabilities and preparedness;
(i) organise NIS exercises at Union level and participate, as appropriate, in international NIS exercises;
(ia) involve, consult and exchange, where appropriate, information with market operators with respect to the risks and incidents affecting their network and information systems;
(ib) develop, in cooperation with ENISA, guidelines for sector-specific criteria for the notification of significant incidents, in addition to the parameters laid down in Article 14(2), for a common interpretation, consistent application and coherent implementation within the Union. [Am. 78]
3a. The cooperation network shall publish a report once a year, based on the activities of the network and on the summary report submitted in accordance with Article 14(4) of this Directive, for the preceding 12 months. [Am. 79]
4. The Commission shall establish, by means of implementing acts, the necessary modalities to facilitate the cooperation between competent authorities and single points of contact, the Commission and ENISA referred to in paragraphs 2 and 3. Those implementing acts shall be adopted in accordance with the consultation examination procedure referred to in Article 19(23). [Am. 80]
Article 9
Secure information-sharing system
1. The exchange of sensitive and confidential information within the cooperation network shall take place through a secure infrastructure.
1a. Participants to the secure infrastructure shall comply with, inter alia, appropriate confidentiality and security measures in accordance with Directive 95/46/EC and Regulation (EC) No 45/2001 at all steps of the processing. [Am. 81]
2. The Commission shall be empowered to adopt delegated acts in accordance with Article 18 concerning the definition of the criteria to be fulfilled for a Member State to be authorized to participate to the secure information-sharing system, regarding:
(a) the availability of a secure and resilient communication and information infrastructure at national level, compatible and interoperable with the secure infrastructure of the cooperation network in compliance with Article 7(3), and
(b) the existence of adequate technical, financial and human resources and processes for their competent authority and CERT allowing an effective, efficient and secure participation in the secure information-sharing system under Article 6(3), Article 7(2) and Article 7(3). [Am. 82]
3. The Commission shall adopt, by means of implementing delegated acts in accordance with Article 18, decisions on the access of the Member States to this secure infrastructure, pursuant to the criteria referred to in paragraph 2 and 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 19(3) a common set of interconnection and security standards that single points of contact are to meet before exchanging sensitive and confidential information across the cooperation network. [Am. 83]
Article 10
Early warnings
1. The competent authorities single points of contact or the Commission shall provide early warnings within the cooperation network on those risks and incidents that fulfil at least one of the following conditions:
(a) they grow rapidly or may grow rapidly in scale;
(b) they exceed or may exceed the single point of contact assesses that the risk or incident potentially exceeds national response capacity;
(c) they affect or may affect the single points of contact or the Commission assess that the risk or incident affects more than one Member State. [Am. 84]
2. In the early warnings, the competent authorities single points of contact and the Commission shall communicate without undue delay any relevant information in their possession that may be useful for assessing the risk or incident. [Am. 85]
3. At the request of a Member State, or on its own initiative, the Commission may request a Member State to provide any relevant information on a specific risk or incident. [Am. 86]
4. Where the risk or incident subject to an early warning is of a suspected criminal nature, the competent authorities or the Commission and where the concerned market operator has reported incidents of a suspected serious criminal nature as referred to in Article 15(4), the Member States shall inform ensure that the European Cybercrime Centre within Europol is informed, where appropriate. [Am. 87]
4a. Members of the cooperation network shall not make public any information received on risks and incidents referred to in paragraph 1 without having received the prior approval of the notifying single point of contact.
Furthermore, prior to sharing information in the cooperation network, the notifying single point of contact shall inform the market operator to which the information relates of its intention and, where it considers this appropriate, it shall make the information concerned anonymous. [Am. 88]
4b. Where the risk or incident subject to an early warning is of a suspected severe cross-border technical nature, the single points of contact or the Commission shall inform ENISA. [Am. 89]
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 18, concerning the further specification of the risks and incidents triggering early warning referred to in paragraph 1 of this Article.
Article 11
Coordinated response
1. Following an early warning referred to in Article 10 the competent authorities single points of contact shall, after assessing the relevant information, agree without undue delay on a coordinated response in accordance with the Union NIS cooperation plan referred to in Article 12. [Am. 90]
2. The various measures adopted at national level as a result of the coordinated response shall be communicated to the cooperation network.
Article 12
Union NIS cooperation plan
1. The Commission shall be empowered to adopt, by means of implementing acts, a Union NIS cooperation plan. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 19(3).
2. The Union NIS cooperation plan shall provide for:
(a) for the purposes of Article 10:
– a definition of the format and procedures for the collection and sharing of compatible and comparable information on risks and incidents by the competent authorities single points of contact, [Am. 91]
– a definition of the procedures and the criteria for the assessment of the risks and incidents by the cooperation network;
(b) the processes to be followed for the coordinated responses under Article 11, including identification of roles and responsibilities and cooperation procedures;
(c) a roadmap for NIS exercises and training to reinforce, validate, and test the plan;
(d) a programme for transfer of knowledge between the Member States in relation to capacity building and peer learning;
(e) a programme for awareness raising and training between the Member States.
3. The Union NIS cooperation plan shall be adopted no later than one year following the entry into force of this Directive and shall be revised regularly. The results of each revision shall be reported to the European Parliament. [Am. 92]
3a. Coherence between the Union NIS cooperation plan and national NIS strategies and cooperation plans, as provided for in Article 5, shall be ensured. [Am. 93]
Article 13
International cooperation
Without prejudice to the possibility for the cooperation network to have informal international cooperation, the Union may conclude international agreements with third countries or international organisations allowing and organizing their participation in some activities of the cooperation network. Such agreement shall take into account the need to ensure adequate protection of the personal data circulating on the cooperation network and shall set out the monitoring procedure that must be followed to guarantee the protection of such personal data. The European Parliament shall be informed about the negotiation of the agreements. Any transfer of personal data to recipients located in countries outside the Union shall be conducted in accordance with Articles 25 and 26 of Directive 95/46/EC and Article 9 of Regulation (EC) No 45/2001. [Am. 94]
Article 13a
Level of criticality of market operators
Member States may determine the level of criticality of market operators, taking into account the specificities of sectors, parameters including the importance of the particular market operator for maintaining a sufficient level of the sectoral service, the number of parties supplied by the market operator, and the time period until the discontinuity of the core services of the market operator has a negative impact on the maintenance of vital economic and societal activities. [Am. 95]
CHAPTER IV
SECURITY OF THE NETWORKS AND INFORMATION SYSTEMS OF PUBLIC ADMINISTRATIONS AND MARKET OPERATORS
Article 14
Security requirements and incident notification
1. Member States shall ensure that public administrations and market operators take appropriate and proportionate technical and organisational measures to detect and effectively manage the risks posed to the security of the networks and information systems which they control and use in their operations. Having regard to the state of the art, these those measures shall guarantee ensure a level of security appropriate to the risk presented. In particular, measures shall be taken to prevent and minimise the impact of incidents affecting the security of their network and information system systems on the core services they provide and thus ensure the continuity of the services underpinned by those networks and information systems. [Am. 96]
2. Member States shall ensure that public administrations and market operators notify without undue delay to the competent authority or to the single point of contact incidents having a significant impact on the security continuity of the core services they provide. Notification shall not expose the notifying party to increased liability.
To determine the significance of the impact of an incident, the following parameters shall inter alia be taken into account: [Am. 97]
(a) the number of users whose core service is affected; [Am. 98]
(b) the duration of the incident; [Am. 99]
(c) geographic spread with regard to the area affected by the incident. [Am. 100]
Those parameters shall be further specified in accordance with point (ib) of Article 8(3). [Am. 101]
2a. Market operators shall notify the incidents referred to in paragraphs 1 and 2 to the competent authority or the single point of contact in the Member State where the core service is affected. Where core services in more than one Member State are affected, the single point of contact which has received the notification shall, based on the information provided by the market operator, alert the other single points of contact concerned. The market operator shall be informed, as soon as possible, which other single points of contact have been informed of the incident, as well as of any undertaken steps, results and any other information with relevance to the incident. [Am. 102]
2b. Where the notification contains personal data, it shall be only disclosed to recipients within the notified competent authority or single point of contact who need to process those data for the performance of their tasks in accordance with data protection rules. The disclosed data shall be limited to what is necessary for the performance of their tasks. [Am. 103]
2c. Market operators not covered by Annex II may report incidents as specified in Article 14(2) on a voluntary basis. [Am. 104]
3. Paragraphs 1 and 2 shall apply to all market operators providing services within the European Union.
4. After consultation with the notified competent authority and the market operator concerned, the single point of contact may inform the public about individual incidents, where it determines that public awareness is necessary to prevent an incident or deal with an ongoing incident, or where that market operator, subject to an incident, has refused to address a serious structural vulnerability related to that incident without undue delay.
Before any public disclosure, the notified competent authority shall ensure that the market operator concerned has the possibility to be heard and that the decision for public disclosure is duly balanced with the public interest.
Where information about individual incidents is made public, the notified competent authority or the single point of contact shall ensure that it is made as anonymous as possible.
The competent authority or the single point of contact shall, if reasonably possible, provide the market operator concerned with information that supports the effective handling of the notified incident.
Once a year, the single point of contact shall submit a summary report to the cooperation network on the notifications received, including the number of notifications, and regarding the incident parameters listed in paragraph 2 of this Article, and the action taken in accordance with this paragraph. [Am. 105]
4a. Member States shall encourage market operators to make public incidents involving their business in their financial reports on a voluntary basis. [Am. 106]
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 18 concerning the definition of circumstances in which public administrations and market operators are required to notify incidents. [Am. 107]
6. The competent authorities or the single points of contact may adopt guidelines and, where necessary, issue instructions concerning the circumstances in which public administrations and market operators are required to notify incidents. [Am. 108]
7. The Commission shall be empowered to define, by means of implementing acts, the formats and procedures applicable for the purpose of paragraph 2. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 19(3).
8. Paragraphs 1 and 2 shall not apply to microenterprises as defined in Commission Recommendation 2003/361/EC(18), unless the microenterprise acts as subsidiary for a market operator as defined in point (b) of Article 3(8). [Am. 109]
8a. Member States may decide to apply this Article and Article 15 to public administrations mutatis mutandis. [Am. 110]
Article 15
Implementation and enforcement
1. Member States shall ensure that the competent authorities and the single points of contact have the powers necessary to ensure compliance of market operators with their obligations under Article 14 and the effects thereof on the security of networks and information systems. [Am. 111]
2. Member States shall ensure that the competent authorities and the single points of contact have the power to require market operators and public administrations to: [Am. 112]
(a) provide information needed to assess the security of their networks and information systems, including documented security policies;
(b) provide evidence of effective implementation of security policies, such as the results of a security audit carried out by a qualified independent body or national authority, and make the evidence available to the competent authority or to the single point of contact. [Am. 113]
When sending that request, the competent authorities and the single points of contact shall state the purpose of the request and sufficiently specify what information is required. [Am. 114]
3. Member States shall ensure that the competent authorities and the single points of contact have the power to issue binding instructions to market operators and public administrations. [Am. 115]
3a. By way of derogation from point (b) of paragraph 2 of this Article, Member States may decide that the competent authorities or the single points of contact, as applicable, are to apply a different procedure to particular market operators, based on their level of criticality determined in accordance with Article 13a. In the event that Member States so decide:
(a) competent authorities or the single points of contact, as applicable, shall have the power to submit a sufficiently specific request to market operators requiring them to provide evidence of effective implementation of security policies, such as the results of a security audit carried out by a qualified internal auditor, and make the evidence available to the competent authority or to the single point of contact;
(b) where necessary, following the submission by the market operator of the request referred to in point (a), the competent authority or the single point of contact may require additional evidence or an additional audit to be carried out by a qualified independent body or national authority.
3b. Member States may decide to reduce the number and intensity of audits for a market operator concerned, where its security audit has indicated compliance with Chapter IV in a consistent manner. [Am. 116]
4. The competent authorities and the single points of contact shall inform the market operators concerned about the possibility of reporting incidents of a suspected serious criminal nature to the law enforcement authorities. [Am. 117]
5. Without prejudice to applicable data protection rules the competent authorities and the single points of contact shall work in close cooperation with personal data protection authorities when addressing incidents resulting in personal data breaches. The single points of contact and the data protection authorities shall develop, in cooperation with ENISA, information exchange mechanisms and a single template to be used both for notifications under Article 14(2) of this Directive and other Union law on data protection. [Am. 118]
6. Member States shall ensure that any obligations imposed on public administrations and market operators under this Chapter may be subject to judicial review. [Am. 119]
6a. Member States may decide to apply Article 14 and this Article to public administrations mutatis mutandis. [Am. 120]
Article 16
Standardisation
1. To ensure convergent implementation of Article 14(1), Member States, without prescribing the use of any particular technology, shall encourage the use of European or international interoperable standards and/or specifications relevant to networks and information security. [Am. 121]
2. The Commission shall give a mandate to a relevant European standardisation body to draw up, in consultation with relevant stakeholders, a list of the standards and/or specifications referred to in paragraph 1. The list shall be published in the Official Journal of the European Union. [Am. 122]
CHAPTER V
FINAL PROVISIONS
Article 17
Penalties
1. Member States shall lay down rules on penalties applicable to infringements of the national provisions adopted pursuant to this Directive and shall take all measures necessary to ensure that they are implemented. The penalties provided for must be effective, proportionate and dissuasive. The Member States shall notify those provisions to the Commission by the date of transposition of this Directive at the latest and shall notify it without delay of any subsequent amendment affecting them.
1a. Member States shall ensure that the penalties referred to in paragraph 1 of this Article only apply where the market operator has failed to fulfil its obligations under Chapter IV with intent or as a result of gross negligence. [Am. 123]
2. Member States shall ensure that when a security incident involves personal data, the penalties provided for are consistent with the penalties provided by the Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data(19).
Article 18
Exercise of the delegation
1. The power to adopt the delegated acts is conferred on the Commission subject to the conditions laid down in this Article.
2. The power to adopt delegated acts referred to in Article 9(3) and Article 10(5) shall be conferred on the Commission. The Commission shall draw up a report in respect of the delegation of power not later than nine months before the end of the five‑year period. The delegation of power shall be tacitly extended for periods of an identical duration, unless the European Parliament or the Council opposes such extension not later than three months before the end of each period.
3. The delegation of power referred to in Article 9(3) and Article 10(5) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the powers specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated act already in force. [Am. 124]
4. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.
5. A delegated act adopted pursuant to Article 9(3) and Article 10(5) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of two months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by two months at the initiative of the European Parliament or of the Council. [Am. 125]
Article 19
Committee procedure
1. The Commission shall be assisted by a committee (the Network and Information Security Committee). That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.
2. Where reference is made to this paragraph, Article 4 of Regulation (EU) No 182/2011 shall apply.
3. Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.
Article 20
Review
The Commission shall periodically review the functioning of this Directive, in particular the list set out in Annex II, and shall report to the European Parliament and the Council. The first report shall be submitted no later than three years after the date of transposition referred to in Article 21. For that purpose, the Commission may request Member States to provide information without undue delay. [Am. 126]
Article 21
Transposition
1. Member States shall adopt and publish, by [one year and a half after adoption] at the latest, the laws, regulations and administrative provisions necessary to comply with this Directive. They shall forthwith communicate to the Commission the text of such measures.
They shall apply those measures from [one year and a half after adoption].
When Member States adopt those measures, they shall contain a reference to this Directive or be accompanied by such a reference on the occasion of their official publication. Member States shall determine how such reference is to be made.
2. Member States shall communicate to the Commission the text of the main provisions of national law which they adopt in the field covered by this Directive.
Article 22
Entry into force
This Directive shall enter into force on the [twentieth] day following that of its publication in the Official Journal of the European Union.
Article 23
Addressees
This Directive is addressed to the Member States.
Done at
For the European Parliament For the Council
The President The President
ANNEX I
Requirements and tasks of the Computer Emergency Response Teams (CERTs) [Am. 127]
The requirements and tasks of the CERT shall be adequately and clearly defined and supported by national policy and/or regulation. They shall include the following elements:
(1) Requirements for the CERT
(a) The CERTs shall ensure high availability of their communications services by avoiding single points of failure and have several means for being contacted and for contacting others at all times. Furthermore, the communication channels shall be clearly specified and well known to the constituency and cooperative partners. [Am. 128]
(b) The CERT shall implement and manage security measures to ensure the confidentiality, integrity, availability and authenticity of information it receives and treats.
(c) The offices of the CERTs and the supporting information systems shall be located in secure sites with secured network information systems. [Am. 129]
(d) A service management quality system shall be created to follow up on the performance of the CERT and ensure a steady process of improvement. It shall be based on clearly defined metrics that include formal service levels and key performance indicators.
(e) Business continuity:
– The CERT shall be equipped with an appropriate system for managing and routing requests, in order to facilitate handovers,
– The CERT shall be adequately staffed to ensure availability at all times,
– The CERT shall rely on an infrastructure whose continuity is ensured. To this end, redundant systems and backup working space shall be set up for the CERT to ensure permanent access to the means of communication.
(2) Tasks of the CERT
(a) Tasks of the CERT shall include at least the following:
– Detecting and monitoring incidents at a national level, [Am. 130]
– Providing early warning, alerts, announcements and dissemination of information to relevant stakeholders about risks and incidents,
– Responding to incidents,
– Providing dynamic risk and incident analysis and situational awareness,
– Building broad public awareness of the risks associated with online activities,
– Actively participating in Union and international CERT cooperation networks, [Am. 131]
– Organising campaigns on NIS.
(b) The CERT shall establish cooperative relationships with the private sector.
(c) To facilitate cooperation, the CERT shall promote the adoption and use of common or standardised practices for:
– incident and risk handling procedures,
– incident, risk and information classification schemes,
– taxonomies for metrics,
– information exchange formats on risks, incidents, and system naming conventions.
ANNEX II
List of market operators
Referred to in point (a) of Article 3(8):
1. e-commerce platforms
2. Internet payment gateways
3. Social networks
4. Search engines
5. Cloud computing services
6. Application stores
Referred to in point (b) of Article 3(8): [Am. 132]
1. Energy
(a) Electricity
– Electricity and gas Suppliers
– Electricity and/or gas Distribution system operators and retailers for final consumers
– Natural gas transmission system operators, storage operators and LNG operators
– Transmission system operators in electricity
(b) Oil
– Oil transmission pipelines and oil storage
– Operators of oil production, refining and treatment facilities, storage and transmission
(c) Gas
– Electricity and gas market operators
– Suppliers
– Distribution system operators and retailers for final consumers
– Natural gas transmission system operators, storage system operators and Liquefied Natural Gas system operators
– Operators of oil and natural gas production, refining and, treatment facilities, storage facilities and transmission
– Gas market operators [Am. 133]
2. Transport
– Air carriers (freight and passenger air transport)
– Maritime carriers (sea and coastal passenger water transport companies and sea and coastal freight water transport companies)
– Railways (infrastructure managers, integrated companies and railway transport operators)
– Airports
– Ports
– Traffic management control operators
– Auxiliary logistics services ((a) warehousing and storage, (b) cargo handling and (c) other transportation support activities)
(a) Road transport
(i) Traffic management control operators
(ii) Auxiliary logistics services:
– warehousing and storage,
– cargo handling, and
– other transportation support activities
(b) Rail transport
(i) Railways (infrastructure managers, integrated companies and railway transport operators)
(ii) Traffic management control operators
(iii) Auxiliary logistics services:
– warehousing and storage,
– cargo handling, and
– other transportation support activities
(c) Air transport
(i) Air carriers (freight and passenger air transport)
(ii) Airports
(iii) Traffic management control operators
(iv) Auxiliary logistics services:
– warehousing,
– cargo handling, and
– other transportation support activities
(d) Maritime transport
(i) Maritime carriers (inland, sea and coastal passenger water transport companies and inland, sea and coastal freight water transport companies) [Am. 134]
3. Banking: credit institutions in accordance with point 1 of Article 4 of Directive 2006/48/EC of the European Parliament and of the Council(20)
Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive) (OJ L 108, 24.4.2002, p. 33).
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, 23.11.1995, p. 31).
Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ L 8, 12.1.2001, p. 1).
Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p. 37).
Directive 98/34/EC of the European Parliament and of the Council of 22 June 1998 laying down a procedure for the provision of information in the field of technical standards and regulations and of rules on Information Society services (OJ L 204, 21.7.1998, p. 37).
Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council Decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12).
Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Member States of the Commission's exercise of implementing powers (OJ L 55, 28.2.2011, p. 13).
Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents (OJ L 145, 31.5.2001, p. 43).
Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (OJ L 345, 23.12.2008, p. 75).
Commission Regulation (EU) No 611/2013 of 24 June 2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications (OJ L 173, 26.6.2013, p. 2).
Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (OJ L 124, 20.5.2003, p. 36).
Directive 2006/48/EC of the European Parliament and of the Council of 14 June 2006 relating to the taking up and pursuit of the business of credit institutions (OJ L 177, 30.6.2006, p. 1).