100 Amendments of Dan NICA related to 2022/0085(COD)

Amendment 95 #
Recital 4
(4) The Union institutions, bodies and agencies are attractive targets who face highly skilled and well-resourced threat actors as well as other threats. At the same time, the level and maturity of cyber resilience and the ability to detect and respond to malicious cyber activities varies significantly across those entities. It is thus necessary for the functioning of the European administration that the institutions, bodies and agencies of the Union achieve a high common level of cybersecurity through the implementation of cybersecurity risk management measures commensurate to the respective risks posed, information exchange and collaboration.
Amendment 97 #
Recital 6
(6) To reach a high common level of cybersecurity, it is necessary that each Union institution, body and agency establishes an internal cybersecurity risk management, governance and control framework that ensures an effective and prudent management of all cybersecurity risks, and takes account of business continuity and crisis management. The framework should lay down cybersecurity policies and priorities for the security of network and information systems encompassing the entirety of the ICT environment. The framework should be reviewed on a regular basis and at least every three years on the basis of key performance indicators to ensure that strategic objectives are met.
Amendment 99 #
Recital 7
(7) The differences between Union institutions, bodies and agencies require flexibility in the implementation since one size will not fit all. The measures for a high common level of cybersecurity should not include any obligations directly interfering with the exercise of the missions of Union institutions, bodies and agencies or encroaching on their institutional autonomy. Thus, those institutions, bodies and agencies should establish their own frameworks for cybersecurity risk management, governance and control, and adopt their own cybersecurity risk management measures and cybersecurity plans. Union institutions, bodies, offices and agencies should continuously evaluate the effectiveness of the adopted risk management measures and their proportionality relative to the identified risks, and where necessary, adjust and revise accordingly their frameworks and plans on the basis of the results of the cybersecurity maturity assessments.
Amendment 105 #
Recital 9
(9) A high common level of cybersecurity requires cybersecurity to come under the oversight of the highest level of management of each Union institution, body and agency, who should oversee the implementation of the provisions of this Regulation and approve the establishment, and any subsequent revisions thereof, of the risk management and control framework, the corresponding cybersecurity risk management measures addressing the risks identified in the framework and the cybersecurity plans of each Union institution, body, office and agency. Addressing the cybersecurity culture, i.e. the daily practice of cybersecurity, is an integral part of a cybersecurity risk management, governance and control framework and the corresponding cybersecurity risk management measures in all Union institutions, bodies, offices and agencies.
Amendment 110 #
Recital 11
(11) In May 2011, the Secretaries-General of the Union institutions and bodies decided to establish a pre-configuration team for a computer emergency response team for the Union’s institutions, bodies and agencies (CERT-EU) supervised by an inter-institutional Steering Board. In July 2012, the Secretaries-General confirmed the practical arrangements and agreed to maintain CERT-EU as a permanent entity to continue to help improve the overall level of information technology security of the Union’s institutions, bodies and agencies as an example of visible inter-institutional cooperation in cybersecurity. In September 2012, CERT-EU was established as a Taskforce of the European Commission with an interinstitutional mandate. In December 2017, the Union institutions and bodies concluded an interinstitutional arrangement on the organisation and operation of CERT-EU3. This arrangement should continue to evolve to support the implementation of this Regulation and be evaluated on a regular basis in light of future negotiations of long-term budget frameworks allowing for further decisions to be made with respect to the functioning and institutional role of CERT-EU, including the possible establishment of CERT-EU as a Union office.
_________________
3 OJ C 12, 13.1.2018, p. 1–11.
Amendment 113 #
Recital 13
(13) Many cyberattacks are part of wider campaigns that target groups of Union institutions, bodies and agencies or communities of interest that include Union institutions, bodies and agencies. To enable proactive detection, incident response or mitigating measures, and recovery from significant incidents, Union institutions, bodies and agencies should notify CERT-EU of significant cyber threats, significant vulnerabilities and significant incidents and share appropriate technical details that enable detection or mitigation of, as well as response to, similar cyber threats and vulnerabilities, and recovery from similar incidents in other Union institutions, bodies and agencies. Following the same approach as the one envisaged in Directive [proposal NIS 2], where Union institutions, bodies, offices and agencies become aware of a significant incident they should be required to submit an early warning to CERT-EU within 24 hours. Such information exchange should enable CERT-EU to disseminate the information to other Union institutions, bodies and agencies, as well as to appropriate counterparts, to help protect the Union IT environments and the Union’s counterparts’ IT environments against similar incidents, threats and vulnerabilities.
Amendment 114 #
Recital 13 a (new)
(13 a) This Regulation lays down a multiple-stages approach to reporting of significant incidents in order to strike the right balance between, on the one hand, swift reporting that helps mitigate the potential spread of incidents and allows entities to seek support, and, on the other hand, in-depth reporting that draws valuable lessons from individual incidents and improves over time the resilience of individual Union institutions, bodies, offices and agencies and contributes to increasing the overall cybersecurity posture of the European administration. In this regard, the Regulation should also include reporting of incidents that, based on an initial assessment performed by the Union institution, body, office or agency, may be assumed to lead to severe operational disruption or financial losses or affect other natural or legal persons by causing considerable material or non-material losses. Such initial assessment should take into account, amongst others, the affected network and information systems and in particular their importance for the functioning and operations of the Union institution, body, office or agency, the severity and technical characteristics of a cyber threat and any underlying vulnerabilities that are being exploited, as well as the Union institution, body, office or agency’s experience with similar incidents. Indicators such as the extent to which the functioning of the Union institution, body, office or agency is affected, the duration of an incident or the number of affected users could play an important role in defining whether the operational disruption of the service is of a severe nature.
Amendment 116 #
Recital 14 a (new)
(14 a) The IICB’s function is aimed at supporting Union institutions, bodies, offices and agencies in elevating their respective cybersecurity postures by implementing the provisions of this Regulation. In order to support Union institutions, bodies, offices and agencies, the IICB could adopt guidance and recommendations towards Union institutions, bodies, offices and agencies’ cybersecurity maturity assessments and cybersecurity plans, review possible interconnections between Union institutions, bodies, offices and agencies’ ICT environments and support the establishment of a Cybersecurity Officers Group under ENISA, gathering the Local Cybersecurity Officers of all Union institutions, bodies, offices and agencies with an aim to facilitate the sharing of best practices and experiences gained from the implementation of this Regulation.
Amendment 117 #
Recital 14 b (new)
(14 b) In order to ensure alignment with Directive [proposal NIS 2], the IICB could adopt recommendations based on the results of EU coordinated risk assessments of critical supply chains referred to in Article 19 of Directive [proposal NIS 2] to support Union institutions, bodies, offices and agencies in adopting effective and proportionate risk management measures relating to supply chain security and develop guidelines for information sharing arrangements of Union institutions, bodies, offices and agencies relating to the voluntary notification of cyber threats, near misses and incidents to CERT-EU.
Amendment 119 #
Recital 16 a (new)
(16 a) Where the IICB finds that Union institutions, bodies, offices or agencies have not effectively applied or implemented this Regulation it could, without prejudice to the internal procedures of the relevant Union institution, body, office or agency, request relevant and available documentation relating to the effective implementation of the provisions of this Regulation, communicate a reasoned opinion with observed gaps in the implementation of this Regulation, invite the Union institution, body, office or agency concerned to provide a self-assessment on its reasoned opinion and issue, in cooperation with CERT-EU, guidance to bring its respective risk management, governance and control framework, cybersecurity risk management measures, cybersecurity plans and reporting obligations in compliance with this Regulation.
Amendment 123 #
Recital 20
(20) In supporting operational cybersecurity, CERT-EU should make use of the available expertise of the European Union Agency for Cybersecurity (ENISA) through structured cooperation as provided for in Regulation (EU) 2019/881 of the European Parliament and of the Council5. Where appropriate, dedicated arrangements between the two entities should be established to define the practical implementation of such cooperation and to avoid the duplication of activities. CERT-EU should cooperate with ENISA on threat analysis and share its threat landscape report with the Agency on a regular basis.
_________________
5 Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (OJ L 151, 7.6.2019, p. 15).
Amendment 132 #
Article 1 – paragraph -1 (new)
-1 This Regulation lays down measures aiming to achieve a high common level of cybersecurity within Union institutions, bodies, offices and agencies.
Amendment 133 #
Article 1 – paragraph 1 – introductory part
2. To that end, this Regulation lays down:
Amendment 136 #
Article 1 – paragraph 1 – point a
(a) obligations on Union institutions, bodies, offices and agencies to establish an internal cybersecurity risk management, governance and control framework;
Amendment 137 #
Article 1 – paragraph 1 – point b a (new)
(b a) rules underpinning information sharing obligations and the facilitation of voluntary information sharing arrangements for Union institutions, bodies, offices and agencies;
Amendment 138 #
Article 1 – paragraph 1 – point c
(c) rules on the organisation, tasks and operation of the Cybersecurity Centre for the Union institutions, bodies, offices and agencies (CERT-EU) and on the functioning, organisation and operation of the Interinstitutional Cybersecurity Board (IICB).
Amendment 140 #
Article 2 – paragraph 1
This Regulation applies to the management, governance and control of cybersecurity risks by all Union institutions, bodies, offices and agencies and to the functioning, organisation and operation of CERT-EU and the IICB.
Amendment 141 #
Article 2 a (new)
Article 2 a
Processing of Personal Data
The processing of personal data under this Regulation by CERT-EU, the IICB and all Union institutions, bodies, offices and agencies shall be carried out in compliance with Regulation (EU) 2018/1725 of the European Parliament and of the Council.
Amendment 143 #
Article 3 – paragraph 1 – point 2
(2) ‘network and information system’ means network and information system as defined in Article 4(1) of Directive [proposal NIS 2];
Amendment 144 #
Article 3 – paragraph 1 – point 4
(4) ‘cybersecurity’ means cybersecurity as defined in Article 2(1) of Regulation (EU) 2019/881 of the European Parliament and of the Council7a;
_________________
7a Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (OJ L 151, 7.6.2019, p. 15).
Amendment 147 #
Article 3 – paragraph 1 – point 5
(5) ‘highest level of management’ means a manager, management or coordination and oversight body at the most senior administrative level with a mandate to make or authorise decisions, taking account of the high-level governance arrangements in each Union institution, body or agency;
Amendment 149 #
Article 3 – paragraph 1 – point 7
(7) ‘significant incident’ means any incident unless it has limited impact and is likely to be already well understood in terms of method or technology;
deleted
Amendment 152 #
Article 3 – paragraph 1 – point 8
(8) ‘major incident’ means any incident whose disruption exceeds CERT-EU’s or any individual Union institution, body, office or agency’s capacity to respond to it or with significant impact on at least two Union institutions, bodies, offices and agencies;
Amendment 155 #
Article 3 – paragraph 1 – point 11
(11) ‘significant cyber threat’ means a cyber threat with the intention, opportunity and capability to cause a significant incident as defined in Article 4(7a) of Directive [proposal NIS 2];
Amendment 159 #
Committee: ITRE
Amendment 163 #
Article 3 – paragraph 1 – point 14 a (new)
Amendment 172 #
Article 3 – paragraph 1 – point 16
(16) ‘cybersecurity baseline’ means a set of minimum cybersecurity rules with which network and information systems and their operators and users must be compliant, to minimise cybersecurity risks.
deleted
Amendment 174 #
Article 4 – title
Risk management, governance and control framework
Amendment 178 #
Proposal for a regulation
Article 4 – paragraph 1
1. Each Union institution, body and agency shall establish its own internal cybersecurity risk management, governance and control framework (‘the framework’) in support of the entity’s mission and exercising its institutional autonomy. This work shall be overseen by the entity’s highest level of management to ensure an effective and prudent management of all cybersecurity risks. The framework shall be in place by … at the latest [15 months after the entry into force of this Regulation].
Amendment 180 #
Article 4 – paragraph 2
2. The framework shall cover the entirety of the ICT environment of the concerned institution, body or agency, including any on-premise IT environment, outsourced assets and services in cloud computing environments or hosted by third parties, mobile devices, corporate networks, business networks not connected to the internet and any devices connected to the Union institution, body, office or agency. The framework shall take account of business continuity and crisis management and it shall consider supply chain security as well as the management of human risks and all other relevant technical, operational and organisational risks that could impact the cybersecurity of the concerned Union institution, body or agency.
Amendment 181 #
Article 4 – paragraph 2 a (new)
2 a. The framework shall define strategic objectives to ensure a high level of cybersecurity in the Union institution, body, office or agency. The framework shall lay down cybersecurity policies and priorities for the security of network and information systems encompassing the entirety of the ICT environment, and define the roles and responsibilities of staff tasked with ensuring the effective implementation of the provisions of this Regulation.
Amendment 182 #
Article 4 – paragraph 2 b (new)
2 b. The framework shall be reviewed on a regular basis and at least every three years on the basis of key performance indicators. Where appropriate and upon request of the IICB, a Union institution, body, office or agency’s framework shall be updated following guidance from CERT-EU on observed incidents or possible gaps in the implementation of the provisions of this Regulation.
Amendment 186 #
Amendment 187 #
Article 4 – paragraph 4
4. Each Union institution, body and agency shall have effective mechanisms in place to ensure that an adequate percentage of the ICT budget is spent on cybersecurity.
Amendment 190 #
Article 5 – title
Cybersecurity risk management measures
Amendment 194 #
Article 5 – paragraph 1
1. The highest level of management of each Union institution, body and agency shall approve the entity’s own cybersecurity risk management measures to address the risks identified under the framework referred to in Article 4(1). It shall do so in support of its mission and exercising its institutional autonomy. Having regard to the state of the art and, where applicable, relevant European and international standards, or available European cybersecurity certificates as defined in Article 2 of Regulation (EU) 2019/881, those risk management measures shall ensure a level of security of network and information systems across the entirety of the ICT environment commensurate to the risks identified under the framework referred to in Article 4(1). When assessing the proportionality of those measures, due account shall be taken of the degree of the Union institution, body, office or agency’s exposure to risks, its size, the likelihood of occurrence of incidents and their severity, including their societal, economic and interinstitutional impact.
Amendment 199 #
Article 5 – paragraph 2
2. The senior management of each Union institution, body, office and agency as well as all relevant staff tasked with implementing the cybersecurity risk management measures and obligations of this Regulation shall follow specific training on a regular basis to gain sufficient knowledge and skills in order to apprehend and assess cybersecurity risk and management practices and their impact on the operations of the organisation.
Amendment 201 #
Article 5 – paragraph 2 a (new)
2 a. Union institutions, bodies, offices and agencies shall address at least the following specific measures and sub-controls in the implementation of the cybersecurity risk management measures in their cybersecurity plans, in line with the guidance documents and recommendations from the IICB:
(a) concrete steps for moving towards Zero Trust Architecture, within the meaning of a security model comprised of a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries;
(b) the adoption of multifactor authentication as a norm across network and information systems;
(c) the use of cryptography and encryption, and in particular end-to-end encryption, encryption in transit, and encryption at rest;
(d) secured voice, video and text communications, and secured emergency communications systems, where appropriate;
(e) the establishment of frequent and ad-hoc scanning capabilities of endpoint devices and other components of the ICT environment to detect and remove malicious software such as spyware;
(f) the establishment of software supply chain security through criteria for secure software development and evaluation;
(g) the enhancement of procurement rules to facilitate a high common level of cybersecurity through:
(i) the removal of contractual barriers that limit information sharing from ICT service providers about incidents, vulnerabilities and cyber threats with CERT-EU;
(ii) the contractual obligation to report incidents, vulnerabilities and cyber threats as well as to have appropriate incident response mechanisms and monitoring in place;
(h) the establishment and adoption of training curricula on cybersecurity commensurate to the prescribed tasks and expected capabilities for the highest level of management and technical and operational staff;
Amendment 203 #
Amendment 207 #
Article 6 – paragraph 1 a (new)
The IICB, after consulting the European Union Agency for Cybersecurity (ENISA) and upon receiving guidance from CERT-EU, shall recommend guidelines to Union institutions, bodies, offices and agencies for the carrying out of cybersecurity maturity assessments.
Amendment 209 #
Article 6 – paragraph 1 b (new)
Upon request of the IICB, and with the explicit consent of the Union institution, body, office or agency concerned, the results of a cybersecurity maturity assessment may be discussed within the IICB configuration or within the established network of Local Cybersecurity Officers with a view to learning from experiences in the implementation of this Regulation and sharing best practices and results of use cases.
Amendment 210 #
Article 7 – paragraph 1
1. Following the conclusions derived from the cybersecurity maturity assessment and considering the assets and risks identified pursuant to Article 4, the highest level of management of each Union institution, body, office and agency shall approve a cybersecurity plan without undue delay after the establishment of the risk management, governance and control framework, and the cybersecurity risk management measures. The cybersecurity plan shall aim at increasing the overall cybersecurity of the concerned Union institution, body, office or agency and shall thereby contribute to the achievement or enhancement of a high common level of cybersecurity among all Union institutions, bodies, offices and agencies. To support the Union institution, body, office or agency's mission on the basis of its institutional autonomy, the plan shall at least include the cybersecurity risk management measures referred to in Article 5(1a) and 5(2a). The cybersecurity plan shall be revised at least every three years, or where necessary, with any substantial revision of the framework referred to in Article 4, following the cybersecurity maturity assessments carried out pursuant to Article 6.
Amendment 213 #
Article 7 – paragraph 2
2. The cybersecurity plan shall include relevant staff members’ roles and responsibilities for its implementation, including detailed job descriptions for technical and operational staff as well as all relevant processes underpinning performance evaluation.
Amendment 215 #
Article 7 – paragraph 2 a (new)
2 a. The cybersecurity plan shall include the Union institution, body, office and agency’s cyber crisis management plan for major incidents referred to in Article 3(8).
Amendment 216 #
Article 7 – paragraph 3
3. The cybersecurity plan shall consider any applicable guidance documents and recommendations issued by CERT-EU in accordance with Article 13 and any other applicable or targeted recommendations issued by the IICB and CERT-EU.
Amendment 218 #
Amendment 222 #
Article 9 – paragraph 3 – subparagraph 1 – point k
(k) the European Union Agency for Cybersecurity (ENISA).
Amendment 233 #
Article 9 – paragraph 6
6. The IICB shall meet at the initiative of its chair, and at least two times a year, at the request of CERT-EU or at the request of any of its members.
Amendment 240 #
Article 10 – paragraph 1 – point -a (new)
(-a) support Union institutions, bodies, offices and agencies in implementing this Regulation with the aim to raise their respective levels of cybersecurity;
Amendment 241 #
Article 10 – paragraph 1 – point -a a (new)
(-a a) effectively monitor the implementation of the obligations of this Regulation in Union institutions, bodies, offices and agencies without prejudice to their institutional autonomy and the overall institutional balance;
Amendment 242 #
Article 10 – paragraph 1 – point a
(a) request reports from CERT-EU on the state of implementation of this Regulation by the Union institutions, bodies and agencies;
Amendment 250 #
Article 10 – paragraph 1 – point i a (new)
(i a) review and, where requested, following relevant guidance from CERT-EU, provide feedback to Union institutions, bodies, offices and agencies’ cybersecurity maturity assessments referred to in Article 6 and cybersecurity plans referred to in Article 7;
Amendment 252 #
Article 10 – paragraph 1 – point i b (new)
(i b) review possible interconnections between Union institutions, bodies, offices and agencies’ ICT environments and maintain an inventory of shared components of ICT products, ICT services and ICT processes;
Amendment 253 #
Article 10 – paragraph 1 – point i c (new)
(i c) where appropriate, adopt recommendations on the interoperability of Union institutions, bodies, offices and agencies’ ICT environments or components thereof;
Amendment 254 #
Article 10 – paragraph 1 – point i d (new)
(i d) support the establishment of a Cybersecurity Officers Group under ENISA, gathering the Local Cybersecurity Officers of all Union institutions, bodies, offices and agencies with an aim to facilitate the sharing of best practices and experiences gained from the implementation of this Regulation;
Amendment 255 #
Article 10 – paragraph 1 – point i e (new)
(i e) develop an incident and response plan for major incidents at Union level referred to in Article 3(8) and coordinate the adoption of individual Union institutions, bodies, offices and agencies’ cyber crisis management plans referred to in Article 7(2a);
Amendment 256 #
Article 10 – paragraph 1 – point i f (new)
(i f) adopt recommendations based on the results of EU coordinated risk assessments of critical supply chains referred to in Article 19 of Directive [proposal NIS 2] to support Union institutions, bodies, offices and agencies in adopting effective and proportionate risk management measures relating to supply chain security referred to in Article 5(1ai);
Amendment 257 #
Article 10 – paragraph 1 – point i g (new)
(i g) develop guidelines for information sharing arrangements referred to in Article 19;
Amendment 258 #
Article 11 – paragraph -1 (new)
-1 The IICB shall monitor the implementation of this Regulation and of adopted guidance documents, recommendations and calls for action by the Union institutions, bodies, offices and agencies.
Amendment 259 #
Article 11 – paragraph 1 – introductory part
The IICB shall monitor the implementation of this Regulation and of adopted guidance documents, recommendations and calls for action by the Union institutions, bodies and agencies. Where the IICB finds that Union institutions, bodies or agencies have not effectively applied or implemented this Regulation or guidance documents, recommendations and calls for action issued under this Regulation, it may, without prejudice to the internal procedures of the relevant Union institution, body or agency:
Amendment 261 #
Article 11 – paragraph 1 – point -a (new)
(-a) request relevant and available documentation of the Union institution, body, office or agency concerned relating to the effective implementation of the provisions of this Regulation or the application of guidance documents, recommendations and calls for action issued in accordance with Article 13;
Amendment 262 #
Article 11 – paragraph 1 – point -a a (new)
(-a a) communicate a reasoned opinion to the Union institution, body, office or agency concerned with observed gaps in the implementation of this Regulation;
Amendment 263 #
Article 11 – paragraph 1 – point -a b (new)
(-a b) invite the Union institution, body, office or agency concerned to provide a self-assessment on its reasoned opinion within a specified timeframe;
Amendment 264 #
Article 11 – paragraph 1 – point -a c (new)
(-a c) issue, in cooperation with CERT-EU, guidance to the individual Union institution, body, office or agency to bring its respective risk management, governance and control framework, cybersecurity risk management measures, cybersecurity plans and reporting obligations in compliance with the provisions laid down in this Regulation in a specified manner and within a specified period;
Amendment 270 #
Article 12 – paragraph 1
1. The mission of CERT-EU, the autonomous interinstitutional Cybersecurity Centre for all Union institutions, bodies and agencies, shall be to contribute to the security of the unclassified ICT environment of all Union institutions, bodies and agencies by advising them on cybersecurity, by helping them to prevent, detect, mitigate and respond to and recover from incidents and by acting as their cybersecurity information exchange and incident response coordination hub.
Amendment 274 #
Article 12 – paragraph 2 – point c a (new)
(c a) act as the designated coordinator for all Union institutions, bodies, offices and agencies for the purposes of coordinated vulnerability disclosure to the European vulnerability registry referred to in Article 6 of Directive [proposal NIS2];
Amendment 286 #
Article 12 – paragraph 6
6. CERT-EU may organise cybersecurity exercises or recommend participation in existing exercises, in close cooperation with ENISA whenever applicable, to test the level of cybersecurity of the Union institutions, bodies and agencies.
Amendment 287 #
Article 12 – paragraph 7
7. CERT-EU may provide assistance to Union institutions, bodies and agencies regarding incidents in classified ICT environments if it is explicitly requested to do so by the constituent concerned. The provisions and obligations on all Union institutions, bodies, offices and agencies set out in Chapter V of this Regulation shall not apply to incidents in classified ICT environments unless an individual Union institution, body, office or agency explicitly and voluntarily applies them in order to seek actionable assistance from CERT-EU or otherwise contribute to situational awareness at the Union level.
Amendment 290 #
Article 12 – paragraph 7 a (new)
7 a. CERT-EU shall cooperate with the European Data Protection Supervisor (EDPS) to support Union institutions, bodies, offices and agencies in incidents entailing a personal data breach as defined in Article 3(16) of Regulation (EU) 2018/1725.
Amendment 296 #
Article 13 – paragraph 2 – point a
(a) modalities for or improvements to cybersecurity risk management and the cybersecurity risk management measures;
Amendment 298 #
Article 13 – paragraph 2 – point b
(b) modalities for cybersecurity maturity assessments and cybersecurity plans; and
Amendment 303 #
Article 14 – paragraph -1 (new)
-1 The Commission, after having obtained the unanimous approval of the IICB, shall appoint the Head of CERT-EU. The IICB shall be consulted at all stages of the procedure prior to the appointment of the Head of CERT-EU, in particular in drafting vacancy notices, examining applications and appointing selection boards in relation to this post.
Amendment 304 #
Article 14 – paragraph 1
The Head of CERT-EU shall regularly submit reports to the IICB and the IICB Chair, and submit ad-hoc reports to the IICB upon its request, on the performance of CERT-EU, financial planning, revenue, implementation of the budget, service level agreements and written agreements entered into, cooperation with counterparts and partners, and missions undertaken by staff, including the reports referred to in Article 10(1).
Amendment 306 #
Article 14 – paragraph 1 a (new)
The Head of CERT-EU shall compose and submit to the IICB an annual report encompassing CERT-EU’s work programme, the financial planning of revenue and expenditure, including staffing, for CERT-EU activities, any updates of CERT-EU’s service catalogue and an assessment of the expected impact that such updates may have on its financial planning of revenue and expenditure, staffing and management of funds.
Amendment 308 #
Article 15 – paragraph 1
1. The Commission, after having obtained the unanimous approval of the IICB, shall appoint the Head of CERT-EU. The IICB shall be consulted at all stages of the procedure prior to the appointment of the Head of CERT-EU, in particular in drafting vacancy notices, examining applications and appointing selection boards in relation to this post.deleted
Amendment 322 #
Article 18 – paragraph 3
3. The processing of personal data carried out under this Regulation shall be subject to Regulation (EU) 2018/1725 of the European Parliament and of the Council.deleted
Amendment 326 #
Article 19 – title
Cybersecurity information sharing arrangements and obligations
Amendment 327 #
Article 19 – paragraph -1 (new)
-1. Union institutions, bodies, offices and agencies may voluntarily notify CERT-EU on cyber threats, incidents, near misses and vulnerabilities that affect them. CERT-EU shall ensure that effective measures are adopted to ensure the confidentiality and appropriate protection of the information provided by the reporting Union institution, body, office or agency. When processing notifications, CERT-EU may prioritise the processing of mandatory notifications over voluntary notifications. Voluntary notification shall not result in the imposition of any additional obligations upon the reporting Union institution, body, office or agency to which it would not have been subject had it not submitted the notification.
Amendment 328 #
Article 19 – paragraph 1
1. To enable CERT-EU to effectively perform its mission tasks in accordance with Article 12 of this Regulation, it may request Union institutions, bodies and agencies to provide it with information from their respective ICT system inventories that is relevant for the CERT-EU support. The requested institution, body or agency shall transmit the requested information, and any subsequent updates thereto, without undue delay.
Amendment 334 #
Article 19 – paragraph 4
4. The cybersecurity information sharing arrangements and obligations shall not extend to EU Classified Information (EUCI) and to information that a Union institution, body or agency has received from a Member State Security or Intelligence Service or law enforcement agency under the explicit condition that it will not be shared with CERT-EU.
Amendment 336 #
Amendment 337 #
Proposal for a regulation
All Union institutions, bodies and agencies shall make an initial notification to CERT-EU of significant cyber threats, significant vulnerabilities and significant incidents without undue delay and in any event no later than 24 hours after becoming aware of them.deleted
Amendment 338 #
Proposal for a regulation
Article 20 – paragraph 1 – subparagraph 1
All Union institutions, bodies, offices and agencies shall report, without undue delay to CERT-EU in accordance with paragraph 2(b), any incidents having a significant impact.
Amendment 340 #
Article 20 – paragraph 1 – subparagraph 1 a (new)
Where applicable, Union institutions, bodies, offices and agencies shall communicate, without undue delay, to the users of the affected network and information systems, or other components of the ICT environment, that are potentially affected by a significant incident or a significant cyber threat, any measures or remedies that can be taken in response to the incident or threat. Where appropriate, Union institutions, bodies, offices and agencies shall inform users of the threat itself.
Amendment 341 #
Article 20 – paragraph 1 – subparagraph 1 b (new)
Where a significant incident or significant cyber threat referred to in paragraph 1(a) is affecting a network and information system, or a component of a Union institution, body, office or agency's ICT environment, that is knowingly connected with another Union institution, body, office or agency's ICT environment, CERT-EU shall notify, without undue delay, the affected Union institution, body, office or agency.
Amendment 342 #
Article 20 – paragraph 1 – subparagraph 2
In duly justified cases and in agreement with CERT-EU, the Union institution, body or agency concerned can deviate from the deadline laid down in the previous paragraph.deleted
Amendment 348 #
Article 20 – paragraph 2
2. The Union institutions, bodies and agencies shall further notify to CERT-EU without undue delay appropriate technical details of cyber threats, vulnerabilities and incidents that enable detection, incident response or mitigating measures. The notification shall include if available: (a) relevant indicators of compromise; (b) relevant detection mechanisms; (c) potential impact; (d) relevant mitigating measures.deleted
Amendment 352 #
Article 20 – paragraph 2 a (new)
2 a. An incident shall be considered significant if: (a) the incident has caused or is capable of causing severe operational disruption to the Union institution, body, office or agency or financial losses thereto; (b) the incident has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material losses.
Amendment 353 #
Article 20 – paragraph 2 b (new)
2 b. All Union institutions, bodies, offices and agencies shall submit to CERT-EU: (a) without undue delay and in any event within 24 hours after having become aware of the significant incident, an early warning, which, where applicable, shall indicate whether the significant incident is presumably caused by unlawful or malicious action and has or could have any cross-border or cross-institutional impact; (b) without undue delay and in any event within 72 hours after having become aware of the significant incident, an incident notification, which, where applicable, shall update the information referred to in subparagraph (a) and indicate an initial assessment of the significant incident, its severity and impact, as well as, where available, the indicators of compromise; (c) upon the request of CERT-EU, an intermediate report on relevant status updates; (d) a final report not later than one month after the submission of the significant incident notification under point (b), including at least the following: (i) a detailed description of the significant incident, its severity and impact; (ii) the type of threat or root cause that likely triggered the significant incident; (iii) applied and ongoing mitigation measures; (iv) where applicable, the cross-border or cross-institutional impact of the significant incident; (e) in cases of ongoing significant incidents at the time of the submission of the final report referred to in point (d), a progress report at that time and a final report within one month after the incident has been handled.
Amendment 356 #
Article 20 – paragraph 2 c (new)
2 c. In duly justified cases and in agreement with CERT-EU, the Union institution, body, office or agency concerned can deviate from the deadline laid down in paragraph 2(b).
Amendment 358 #
Article 20 – paragraph 3
3. CERT-EU shall submit to ENISA on a monthly basis a summary report including anonymised and aggregated data on significant incidents notified in accordance with paragraph 2(b) and cyber threats, incidents, near misses and vulnerabilities notified in accordance with Article 19(1).
Amendment 360 #
Amendment 363 #
Article 20 – paragraph 5
5. The reporting obligations shall not extend to EUCI and to information that a Union institution, body or agency has received from a Member State Security or Intelligence Service or law enforcement agency under the explicit condition that it will not be shared with CERT-EU.
Amendment 366 #
Article 21 – paragraph 3
3. CERT-EU, in cooperation with ENISA, shall support Union institutions, bodies and agencies regarding situational awareness of cyber threats, vulnerabilities and incidents.
Amendment 367 #
Proposal for a regulation
1. CERT-EU shall coordinate among Union institutions, bodies and agencies responses to major incidents. It shall maintain an inventory of technical expertise that would be needed for incident response in the event of such major incidents and assist the IICB in coordinating Union institutions, bodies, offices and agencies’ cyber crisis management plans for major incidents referred to in Article 10(f).
Amendment 375 #
Article 22 – paragraph 3
3. With the approval of the concerned Union institutions, bodies and agencies, CERT-EU may also call on experts from the list referred to in paragraph 2 for contributing to the response to a major incident in a Member State, in line with the Joint Cyber Unit’s operating procedures.
Amendment 386 #
Article 24 – paragraph 3
3. The Commission shall evaluate the functioning of this Regulation and report to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions no later than five years after the date of entry into force.
Amendment 388 #
Annex I
The following domains shall be addressed in the cybersecurity baseline: (1) cybersecurity policy, including objectives and priorities for security of network and information systems, in particular regarding the use of cloud computing services (within the meaning of Article 4(19) of Directive [proposal NIS 2]) and technical arrangements to enable teleworking; (2) organisation of cybersecurity, including definition of roles and responsibilities; (3) asset management, including IT asset inventory and IT network cartography; (4) access control; (5) operations security; (6) communications security; (7) system acquisition, development and maintenance; (8) supplier relationships; (9) incident management, including approaches to improve the preparedness, response to and recovery from incidents and cooperation with CERT-EU, such as the maintenance of security monitoring and logging; (10) business continuity management and crisis management; and (11) cybersecurity education, awareness-raising and training programmes.deleted
Amendment 394 #
Annex II
Union institutions, bodies and agencies shall address at least the following specific cybersecurity measures in the implementation of the cybersecurity baseline and in their cybersecurity plans, in line with the guidance documents and recommendations from the IICB: (1) concrete steps for moving towards Zero Trust Architecture (meaning a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries); (2) the adoption of multifactor authentication as a norm across network and information systems; (3) the establishment of software supply chain security through criteria for secure software development and evaluation; (4) the enhancement of procurement rules to facilitate a high common level of cybersecurity through: (a) the removal of contractual barriers that limit information sharing from IT service providers about incidents, vulnerabilities and cyber threats with CERT-EU; (b) the contractual obligation to report incidents, vulnerabilities and cyber threats as well as to have appropriate incident response and monitoring in place.deleted
