32 Amendments of Josef WEIDENHOLZER related to 2013/0027(COD)
Amendment 37 #
Proposal for a directive
Recital 16
(16) To ensure transparency and properly inform EU citizens and market operators, the competent authorities should set up a common website to publish, promptly, comprehensive non confidential information on the incidents and risks.
Amendment 42 #
Proposal for a directive
Recital 19
(19) Notification of an early warning within the network should be required only where the scale and severity of the incident or risk concerned are or may become so significant that information or coordination of the response at Union level is necessary. Early warnings should therefore be limited to, i.e. only in the case of actual or potential incidents or risks that grow rapidly, exceed national response capacity or affect more than one Member State. To allow for a proper evaluation, all information relevant for the assessment of the risk or incident should be communicated to the cooperation network.
Amendment 55 #
Proposal for a directive
Recital 28
(28) Competent authorities should pay due attention to preserving informal and trusted channels of information-sharing between market operators and between the public and the private sectors. Publicity of incidents reported to the competent authorities should duly balanceassign precedence to the interest of the public in being informed about threats with possible reputational and commercial damages for the public administrations and market operators reporting incidents. In the implementation of the notification obligations, competent authorities should pay particular attention to the need to maintain information about product vulnerabilities strictly confidential prior to the release of appropriate security fixerather than to short-term economic considerations.
Amendment 69 #
Proposal for a directive
Recital 41 a (new)
(41a) In the case of all measures, fundamental human rights, particularly those referred to in the European Convention on Human Rights (Article 8, respect for private life), should be appropriately protected and the principle of proportionality must be respected.
Amendment 74 #
Proposal for a directive
Article 3 – point 1 – point c
(c) computer data stored, processed, retrieved or transmitted by elements covered under point (a) and (b) for the purposes of their operation, use, protection and maintenanc and use.
Amendment 78 #
Proposal for a directive
Article 3 – point 8 – point a
(a) provider of information society services which enable the provision of other information society services, a non-exhaustive list of which is set out in Annex II;
Amendment 80 #
Proposal for a directive
Article 3 – point 8 – point b
(b) operator of critical infrastructure that are essential for the maintenance of vital economic and societalsocietal and economic activities in the fields of energy, transport, banking, stock exchanges and health, a non-exhaustive list of which is set out in Annex II.
Amendment 82 #
Proposal for a directive
Article 5 – paragraph 1 – introductory part
1. Each Member State shall adopt a national NIS strategy defining the strategic objectives and concrete policy and regulatory measures to achieve and maintain a high level of network and information security. The national NIS strategy shall address in particular the following issues:
Amendment 83 #
Proposal for a directive
Article 5 – paragraph 1 – point b
(b) A governance framework to achieve the strategy objectives and priorities, including a clear definition of the roles and responsibilities of the government bodies and the other relevant actors;
Amendment 86 #
Proposal for a directive
Article 5 – paragraph 3
3. The national NIS strategy and the national NIS cooperation plan shall be communicated to the Commission, the committee responsible at the European Parliament and the European Data Protection Supervisor within one month from their adoption.
Amendment 90 #
Proposal for a directive
Article 6 – paragraph 5
5. The competent authorities shall consult and cooperate, whenever appropriate, closely with the relevacompetent law enforcement national authorities and data protection authorities.
Amendment 94 #
Proposal for a directive
Article 6 – paragraph 6
6. Each Member State shall notify to the Commission, the committee responsible at the European Parliament and the European Data Protection Supervisor without delay the designation of the competent authority, its tasks, and any subsequent change thereto. Each Member State shall make public its designation of the competent authority.
Amendment 97 #
Proposal for a directive
Article 7 – paragraph 1
1. Each Member State shall set up a Computer Emergency Response Team (hereinafter: "CERT") responsible for handling incidents and risks according to a well-defined process, which shall comply with the requirements set out in point (1) of Annex I. A CERT mayshall be established within the competent authority.
Amendment 98 #
Proposal for a directive
Article 7 – paragraph 4
4. Member States shall inform the Commission, the European Data Protection Supervisor and also the public about the resources and mandate as well as the incident handling process of the CERTs.
Amendment 100 #
Proposal for a directive
Article 8 – paragraph 3 – point c
(c) publish on a regular basis non-confidential, and immediately, comprehensive information on on-going early warnings and coordinated response on a common website;
Amendment 101 #
Proposal for a directive
Article 8 – paragraph 3 – point d
(d) jointly discuss and assess, at the request of one Member State or of, the Commission or the European Parliament, one or more national NIS strategies and national NIS cooperation plans referred to in Article 5, within the scope of this Directive.
Amendment 102 #
Proposal for a directive
Article 8 – paragraph 3 – point e
(e) jointly discuss and assess, at the request of a Member State or, the Commission or the European Parliament, the effectiveness of the CERTs, in particular when NIS exercises are performed at Union level;
Amendment 103 #
Proposal for a directive
Article 8 – paragraph 3 – point f
(f) cooperate and exchange information on all relevant matters with the European Cybercrime Center within Europol, and with other relevant European bodies in particular in the fields of data protection, energy, transport, banking, stock exchanges and healththe European Data Protection Supervisor and national data protection authorities;
Amendment 104 #
Proposal for a directive
Article 8 – paragraph 3 – point h
(h) organise regular peer reviews on capabilities and, preparedness and compliance with data protection provisions;
Amendment 105 #
Proposal for a directive
Article 8 – paragraph 3 – point i
(i) organise NIS exercises at Union level and participate, as appropriate, in international NIS exercises.
Amendment 109 #
Proposal for a directive
Article 10 – paragraph 4
4. Where the risk or incident subject to an early warning is of a suspected criminal nature, the competent authorities or the Commission shall inform the European Cybercrime Centre within Europol.
Amendment 113 #
Proposal for a directive
Article 13
Without prejudice to the possibility forscope open to the cooperation network to have informal international cooperation, the Union may conclude international agreements with third countries or international organisations allowing and organizing their participation in some activities of the cooperation network. Such agreement shall take into account the need to ensure adequatemust provide for a high level of protection of the personal data circulating on the cooperation network.
Amendment 116 #
Proposal for a directive
Article 14 – paragraph 1
1. Member States shall ensure that public administrations and market operators take appropriate technical and organisational measures to managelimit the risks posed to the security of the networks and information systems which they control and use in their operations. Having regard to the state of the art, these measures shall guarantee a level of security appropriate to the risk presented. In particular, measures shall be taken to prevent and minimise the impact of incidents affecting their network and information system on the core services they provide and thus ensure the continuity of the services and security of the data underpinned by those networks and information systems.
Amendment 122 #
Proposal for a directive
Article 14 – paragraph 2
2. Member States shall ensure that public administrations and market operators notify to the competent authority incidents having a significantn impact on the security of the core services they provide.
Amendment 125 #
Proposal for a directive
Article 14 – paragraph 4
4. The competent authority mayust inform the public, or require the public administrations and market operators to do so, where it determines that disclosure of the incident is in the public interest. Once a year, the competent authority shall submit a summary report to the cooperation network on the notifications received and the action taken in accordance with this paragraph.
Amendment 128 #
Proposal for a directive
Article 14 – paragraph 5
Amendment 130 #
Proposal for a directive
Article 14 – paragraph 6
Amendment 132 #
Proposal for a directive
Article 14 – paragraph 8
Amendment 133 #
Proposal for a directive
Article 15 – paragraph 1
1. Member States shall ensure that the competent authorities have all the powers necessary to investigate cases of non-compliance of public administrations or market operators with their obligations under Article 14 and the effects thereof on the security of networks and information systems.
Amendment 138 #
Proposal for a directive
Article 15 – paragraph 5
5. The competent authorities shall work in close cooperation with personal data protection authorities when addressing security incidents resulating into personal data breaches.
Amendment 142 #
Proposal for a directive
Article 20 – paragraph 1
The Commission shall periodically review the functioning of this Directive and report to the European Parliament and the Council. The first report shall be submitted no later than threewo years after the date of transposition referred to in Article 21. For this purpose, the Commission may request Member States to provide information without undue delay.
Amendment 143 #
Proposal for a directive
Annex 1 – paragraph 1 – point 1 – point b
(b) The CERT shall implement and manage security measures to ensure the confidentiality, integrity, availability and authenticity of information it receives and treats and ensure data protection.