Activities of Amelia ANDERSDOTTER related to 2013/0027(COD)
Shadow opinions (1)
OPINION on the proposal for a directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union
Amendments (48)
Amendment 137
Proposal for a directive
Recital 4
(4) A cooperation mechanism should be established at Union level to allow for information exchange and coordinated detection and response regarding network and information security (‘NIS’). For that mechanism to be effective and inclusive, it is essential that all Member States have minimum capabilities and a strategy ensuring a high level of NIS in their territory. Minimum security requirements should also apply to public administrations and market operators of critical information infrastructure to promote a culture of risk management and ensure that the most serious incidents are reported.
Amendment 139
Proposal for a directive
Recital 5
(5) To cover all relevant incidents and risks, this Directive should apply to all network and information systems. The obligations on public administrations and market operators should however not apply to undertakings providing public communication networks or publicly available electronic communication services within the meaning of Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive)25, which are subject to the specific security and integrity requirements laid down in Article 13a of that Directive, nor should they apply to trust service providers.
25 OJ L 108, 24.4.2002, p. 33.
Amendment 144
Proposal for a directive
Recital 7
(7) Responding effectively to the challenges of the security of network and information systems therefore requires a global approach at Union level covering common minimum capacity building and planning requirements, exchange of information and coordination of actions, and common minimum security requirements for all market operators concerned and public administrations.
Amendment 148
Proposal for a directive
Recital 8
Amendment 151
Proposal for a directive
Recital 9
(9) To achieve and maintain a common high level of security of network and information systems, each Member State should have a national NIS strategy defining the strategic objectives and concrete policy actions to be implemented. NIS cooperation plans complying with essential requirements need to be developed at national level, on the basis of minimum requirements set in this Directive, in order to reach capacity response levels allowing for effective and efficient cooperation at national and Union level in case of incidents.
Amendment 153
Proposal for a directive
Recital 10
(10) To allow for the effective implementation of the provisions adopted pursuant to this Directive, a civilian body responsible for coordinating NIS issues and acting as a focal point for cross-border cooperation at Union level should be established or identified in each Member State in the form of an Industrial Control System Computer Emergency Response Team (ICS-CERT). These bodies should be given the adequate technical, financial and human resources to ensure that they can carry out in an effective and efficient manner the tasks assigned to them and thus achieve the objectives of this Directive.
Amendment 157
Proposal for a directive
Recital 11
(11) All Member States should be adequately equipped, both in terms of technical and organisational capabilities, to prevent, detect, respond to and mitigate network and information systems' incidents and risks. Well-functioning ICS-CERTs complying with essential requirements should therefore be established in all Member States to guarantee effective and compatible capabilities to deal with incidents and risks and ensure efficient cooperation at Union level.
Amendment 158
Proposal for a directive
Recital 12
(12) Building upon the significant progress within the European Forum of Member States (‘EFMS’) in fostering discussions and exchanges on good policy practices including the development of principles for European cyber e-crisis cooperation, the Member States and the Commission should form an institutional network to bring them into permanent communication and support their cooperation. This secure and effective cooperation mechanism should enable structured and coordinated information exchange, detection and response at Union level.
Amendment 162
Proposal for a directive
Recital 14
Amendment 171
Proposal for a directive
Recital 16
(16) To ensure transparency and properly inform EU citizens and market operators, the competent authorities should set up a common website to publish non confidential information on the incidents and risks, risks and ways of risk mitigation.
Amendment 175
Proposal for a directive
Recital 19
Amendment 176
Proposal for a directive
Recital 20
Amendment 179
Proposal for a directive
Recital 24
(24) Those obligations should be extended beyond the electronic communications sector to key providers of information society services, as defined in Directive 98/34/EC of the European Parliament and of the Council of 22 June 1998 laying down a procedure for the provision of information in the field of technical standards and regulations and of rules on Information Society services27, which underpin downstream information society services or on-line activities, such as e-commerce platforms, Internet payment gateways, social networks, search engines, cloud computing services, application stores. Disruption of these enabling information society services prevents the provision of other information society services which rely on them as key inputs. Software developers and hardware manufacturers are not providers of information society services and are therefore excluded. Those obligations should also be extended to public administrations, and operators of critical infrastructure which rely heavily on information and communications technology and are essential to the maintenance of vital economical or societal functions such as electricity and gas, transport, credit institutions, stock exchange and health. Disruption of those network and information systems would affect the internal market.
27 OJ L 204, 21.7.1998, p. 37.
Amendment 184
Proposal for a directive
Recital 27
Amendment 186
Proposal for a directive
Recital 28
(28) Competent authorities should pay due attention to preserving informal and trusted channels of information-sharing between market operators and between the public and the private sectors. Publicity of incidents reported to the competent authorities should duly balance the interest of the public in being informed about threats with possible reputational and commercial damages for the public administrations and market operators reporting incidents. In the implementation of the notification obligations, competent authorities should pay particular attention to the need to maintain information about product vulnerabilities strictly confidential prior to the release of appropriate security fixes.
Amendment 191
Proposal for a directive
Recital 30
Amendment 200
Proposal for a directive
Recital 36
(36) In order to ensure uniform conditions for the implementation of this Directive, implementing powers should be conferred on the Commission as regards the cooperation between competent authorities and the Commission within the cooperation network, the access to the secure information-sharing infrastructure, the Union NIS cooperation plan, the formats and procedures applicable to informing the public about incidents, and the standards and/or technical specifications relevant to NIS. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Member States of the Commission's exercise of implementing powers30.
30 OJ L 55, 28.2.2011, p. 13.
Amendment 203
Proposal for a directive
Article 1 – paragraph 2 – point b
(b) creates an institutional cooperation mechanism between Member States in order to ensure a uniform application of this Directive within the Union and, where necessary, a coordinated and efficient handling of and response to risks and incidents affecting network and information systems;
Amendment 204
Proposal for a directive
Article 1 – paragraph 3
Amendment 207
Proposal for a directive
Article 1 – paragraph 4
4. This Directive shall be without prejudice to Directive 2013/40/EU on unauthorised access to computer systems and Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection32.
32 OJ L 345, 23.12.2008, p. 75.
Amendment 209
Proposal for a directive
Article 1 – paragraph 6
6. The sharing of information within the cooperation network under Chapter III and the notifications of NIS incidents under Article 14 may require the processing of personal data. Such processing, which is necessary to meet the objectives of public interest pursued by this Directive, shall be authorised by the Member State pursuant to Article 7 of Directive 95/46/EC and Directive 2002/58/EC, as implemented in national law, after taking all measures to ensure that the data is anonymised.
Amendment 214
Proposal for a directive
Article 3 – paragraph 1 – point 2 a (new)
(2a) "high common level of network information security" means a network and information system across the Union where incidents are corrected and unrepeated.
Amendment 223
Proposal for a directive
Article 3 – paragraph 1 – point 8 – point b
(b) operator of critical infrastructure that are essential for the maintenance of vital economic and societal activities such as in the fields of energy, transport, banking, stock exchanges and health, a non-exhaustive list of which is set out in Annex II.
Amendment 227
Proposal for a directive
Article 4 – title
Amendment 229
Proposal for a directive
Article 4 – paragraph 1
Amendment 232
Proposal for a directive
Article 4 a (new)
Article 4a
Liability of market operators
A market operator under Article 3 shall be liable for any direct damage caused to any natural or legal person due to failure to comply with the obligations of this Directive if that damage is due to fault or neglect on its part.
Amendment 235
Proposal for a directive
Article 6 – paragraph 1
1. Each Member State shall designate a national competent authority on the security of network and information systems used on the internal market (the ‘competent authority’).
Amendment 240
Proposal for a directive
Article 7 – paragraph 1
1. Each Member State shall set up an Industrial Control System Computer Emergency Response Team (hereinafter: ‘CERT’) responsible for handling incidents and risks according to a well-defined process, which shall comply with the requirements set out in point (1) of Annex I. A CERT may be established within the competent authority.
Amendment 246
Proposal for a directive
Article 8 – paragraph 1
1. The competent authorities and the Commission shall form an institutional network (‘cooperation network’) to cooperate against risks and incidents affecting network and information systems.
Amendment 257
Proposal for a directive
Article 8 – paragraph 3 – point f
(f) cooperate and exchange information on all relevant matters with the European Cybercrime Centre within Europol, and with other relevant European bodies in particular in the fields of data protection, energy, transport, banking, stock exchanges and health;
Amendment 265
Proposal for a directive
Article 9
Amendment 270
Proposal for a directive
Article 10 – paragraph 1 – introductory part
1. The competent authorities or the Commission shall provide early warnings within the institutional cooperation network on those risks and incidents that fulfil at least one of the following conditions:
Amendment 275
Proposal for a directive
Article 10 – paragraph 4
Amendment 283
Proposal for a directive
Article 12 – paragraph 1
1. The Commission shall be empowered to adopt, by means of delegated acts, a Union NIS cooperation plan. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 19(3).
Amendment 287
Proposal for a directive
Article 13 – paragraph 1
Without prejudice to the possibility for the cooperation network to have informal international cooperation, the Union may conclude international agreements with third countries or international organisations allowing and organizing their participation in some activities of the cooperation network. Such agreement shall take into account the need to ensure adequate protection of the personal data circulating on the cooperation network, without disclosing EU citizens' personal data to third parties.
Amendment 291
Proposal for a directive
Article 14 – paragraph 1
1. The European Union and its Member States, public administrations and market operators shall take appropriate technical and organisational measures to manage the risks posed to the security of the networks and information systems which they develop, and/or operate, and/or control and use in their operations. Having regard to the state of the art, these measures shall guarantee a level of security appropriate to the risk presented. In particular, measures shall be taken to prevent and minimise the impact of incidents affecting their network and information system on the core services they provide and thus ensure the continuity of the services underpinned by those networks and information systems.
Amendment 299
Proposal for a directive
Article 14 – paragraph 2
2. Member States shall ensure that public administrations and market operators notify to the competent authority incidents having an impact on the security of the core services they provide.
Amendment 306
Proposal for a directive
Article 14 – paragraph 4
4. The competent authority may inform the public, or require the public administrations and market operators to do so, where it determines that disclosure of the incident is in the public interest. In particular, the competent authority shall ensure that members of the public can mitigate risks to themselves arising from any security incident in a public or market operated service. Once a year, the competent authority shall submit a summary report to the cooperation network on the notifications received and the action taken in accordance with this paragraph.
Amendment 312
Proposal for a directive
Article 14 – paragraph 5
Amendment 314
Proposal for a directive
Article 14 – paragraph 6
Amendment 316
Proposal for a directive
Article 14 – paragraph 7
Amendment 318
Proposal for a directive
Article 14 – paragraph 8
Amendment 320
Proposal for a directive
Article 15 – paragraph 1
1. The competent authorities shall investigate cases of non-compliance of public administrations or market operators with their obligations under Article 14 of this Directive and the effects thereof on the security of networks and information systems.
Amendment 327
Proposal for a directive
Article 15 – paragraph 4
Amendment 332
Proposal for a directive
Article 16 – paragraph 1
1. To ensure convergent implementation of Article 14(1), Member States shall encourage the use of open standards and/or specifications relevant to networks and information security, and ensure that these standards comply with existing Union legislation.
Amendment 339
Proposal for a directive
Article 18 – paragraph 2
2. The power to adopt delegated acts referred to in Articles 9(2), 10(5) and 14(5) shall be conferred on the Commission. The Commission shall draw up a report in respect of the delegation of power not later than nine months before the end of the five-year period. The delegation of power shall be tacitly extended for periods of an identical duration, unless the European Parliament or the Council opposes such extension not later than three months before the end of each period.
Amendment 340
Proposal for a directive
Article 18 – paragraph 3
3. The delegation of powers referred to in Articles 9(2), 10(5) and 14(5) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the powers specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated act already in force.
Amendment 341
Proposal for a directive
Article 18 – paragraph 5
5. A delegated act adopted pursuant to Articles 9(2), 10(5) and 14(5) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of two months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by two months at the initiative of the European Parliament or of the Council.