50 Amendments of Rasmus ANDRESEN related to 2020/0359(COD)
Amendment 107 #
Proposal for a directive
Recital 15
(15) Upholding and preserving a reliable, resilient and secure domain name system (DNS) is a key factor in maintaining the integrity of the Internet and is essential for its continuous and stable operation, on which the digital economy and society depend. Therefore, this Directive should apply to all providers of DNS services along the DNS resolution chain, including operators of root name servers, top-level-domain (TLD) name servers, authoritative name servers for domain names and recursive resolvers.
Amendment 127 #
Proposal for a directive
Recital 25
(25) As regards personal data, CSIRTs should be able to provide, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council19 as regards personal data, on behalf of and upon request by an entity under this Directive, a proactive scanning of the network and information systems used for the provision of their services in order to identify, mitigate or prevent specific network and information security threats. Processing of personal data by such scanning should be kept to the minimum necessary and should, in particular, respect the principles of data minimisation, purpose limitation and data protection by design and by default. Member States should aim at ensuring an equal level of technical capabilities for all sectorial CSIRTs. Member States may request the assistance of the European Union Agency for Cybersecurity (ENISA) in developing national CSIRTs.
_________________
19 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).
Amendment 141 #
Proposal for a directive
Recital 32
(32) The Cooperation Group set up under this Directive should include representatives of Member States, the Commission, ENISA and, due to the link with the data protection framework, the European Data Protection Board (EDPB). The Cooperation Group should establish a work programme every two years including the actions to be undertaken by the Group to implement its objectives and tasks. The timeframe of the first programme adopted under this Directive should be aligned with the timeframe of the last programme adopted under Directive (EU) 2016/1148 in order to avoid potential disruptions in the work of the Group.
Amendment 143 #
Proposal for a directive
Recital 36
(36) The Union should, where appropriate, conclude international agreements, in accordance with Article 218 TFEU, with third countries or international organisations, allowing and organising their participation in some activities of the Cooperation Group and the CSIRTs network. Such agreements should ensure adequate protection of Union interests and data. This shall not preclude the right of Member States to cooperate with like-minded third countries on management of vulnerabilities and cyber security risk management, facilitating reporting and general information sharing in line with Union legislation.
Amendment 150 #
Proposal for a directive
Recital 43
(43) Addressing cybersecurity risks stemming from an entity’s supply chain and its relationship with its suppliers is particularly important given the prevalence of incidents where entities have fallen victim to cyber-attacks against information systems and where malicious actors were able to compromise the security of an entity’s network and information systems by exploiting vulnerabilities affecting third party products and services. Entities should therefore assess and take into account the overall quality of products, the security measures embedded in them and the cybersecurity practices of their suppliers and service providers, including their secure development procedures and the security features of the product.
Amendment 152 #
Proposal for a directive
Recital 43 a (new)
Amendment 154 #
Proposal for a directive
Recital 44
(44) Among service providers, managed security services providers (MSSPs) in areas such as incident response, penetration testing, security audits and consultancy play a particularly important role in assisting entities in their efforts to detect and respond to incidents. Those MSSPs have however also been the targets of attacks against information systems themselves and through their close integration in the operations of operators pose a particular cybersecurity risk. Entities should therefore exercise increased diligence in selecting an MSSP.
(This amendment should apply across the text, replacing “cyberattacks” with “attacks against information systems”, aligning the wording with the Cybercrime Directive 2013/40/EU.)
Amendment 169 #
Proposal for a directive
Recital 53
(53) Encryption is critical and irreplaceable for safeguarding the security of electronic communications networks and services, data protection and privacy. Strong and state of the art encryption must be available to be used for mitigation of risks to network and information security and for the rights and freedoms of individuals. Providers of public electronic communications networks or publicly available electronic communications services should implement security by design and by default, and inform the service recipients of particular and significant cyber threats and of additional measures they can take to protect the security of their devices and communications, for instance by using specific types of software or encryption technologies. The approach to security through obscurity has its limitations, while open cooperative models can provide relief and increase the security of hardware and software; therefore service providers and traders are encouraged to use open source and open hardware.
Amendment 171 #
Proposal for a directive
Recital 54
(54) In order to safeguard the security of electronic communications networks and services, the use of encryption, and in particular end-to-end encryption, should be promoted and, where necessary, should be mandatory for providers of such services and networks in accordance with the principles of security and privacy by default and by design for the purposes of Article 18. The use of end-to-end encryption is without prejudice to the Member States’ powers to ensure the protection of their essential security interests and public security, and to permit the investigation, detection and prosecution of criminal offences in compliance with Union law. Such enforcement powers must always fully respect due process and other safeguards, as well as fundamental rights, in particular the right to respect for private life and communications and the right to the protection of personal data. Solutions for lawful access to information from end-to-end encrypted communications should maintain the effectiveness of encryption in protecting privacy and security of communications, while providing an effective response to crime. Any actions taken have to carefully adhere to the principles of necessity, proportionality and subsidiarity and shall not lead to creating backdoors or weakening encryption, ensuring that the privacy and security of encrypted data, including in end-to-end encrypted communications, is not compromised.
Amendment 180 #
Proposal for a directive
Recital 59
(59) Maintaining accurate and complete databases of domain names and registration data (so called ‘WHOIS data’) and providing lawful access to such data for competent authorities for network and information security may contribute to increased cybersecurity. Where processing includes personal data such processing shall comply with Union data protection law. This Directive is to be applied in full compliance with Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and with Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector, and is not modifying or adding to their provisions.
Amendment 182 #
Proposal for a directive
Recital 60
(60) The availability and timely accessibility of these data to CERTs and CSIRTs can sometimes be useful to prevent and combat Domain Name System abuse, in particular to prevent, detect and respond to cybersecurity incidents. Such access should comply with Union data protection law insofar as it is related to personal data.
Amendment 184 #
Proposal for a directive
Recital 61
(61) In order to ensure the availability of accurate and complete domain name registration data, TLD registries and the entities providing domain name registration services for the TLD (so-called registrars) should collect and guarantee the integrity and availability of domain names registration data. In particular, TLD registries and the entities providing domain name registration services for the TLD should establish policies and procedures to collect and maintain accurate and complete registration data, as well as to prevent and correct inaccurate registration data in accordance with Union data protection rules.
Amendment 186 #
Proposal for a directive
Recital 62
Amendment 191 #
Proposal for a directive
Recital 65
(65) In cases where a DNS service provider, TLD name registry, content delivery network provider, cloud computing service provider, data centre service provider and digital provider not established in the Union offers services within the Union, it should designate a representative. In order to determine whether such an entity is offering services within the Union, it should be ascertained whether it is apparent that the entity is planning to offer services to persons in one or more Member States. The mere accessibility in the Union of the entity’s or an intermediary's website or of an email address and of other contact details, or the use of a language generally used in the third country where the entity is established, is as such insufficient to ascertain such an intention. However, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the entity is planning to offer services within the Union. The representative should act on behalf of the entity and it should be possible for competent authorities or the CSIRTs to contact the representative. The representative should be explicitly designated by a written mandate of the entity to act on the latter's behalf with regard to the latter's obligations under this Directive, including incident reporting.
Amendment 193 #
Proposal for a directive
Recital 69
(69) The processing of personal data, which should be limited to what is strictly necessary and proportionate for the purposes of ensuring network and information security by entities, public authorities, CERTs, CSIRTs, and providers of security technologies and services, should constitute a legitimate interest of the data controller concerned, as referred to in Regulation (EU) 2016/679. That should include measures related to the prevention, detection, analysis and response to incidents, measures to raise awareness in relation to specific cyber threats, exchange of information in the context of vulnerability remediation and coordinated disclosure, as well as the voluntary exchange of information on those incidents, as well as cyber threats and vulnerabilities, indicators of compromise, tactics, techniques and procedures, cybersecurity alerts and configuration tools. Such measures may require the processing of the following types of personal data: IP addresses, uniform resource locators (URLs), domain names, and email addresses.
Amendment 205 #
Proposal for a directive
Recital 79
(79) A peer-review mechanism should be introduced, allowing the assessment by independent experts designated by the Member States, of the implementation of cybersecurity policies, including the level of Member States’ capabilities and available resources. When deciding on the methodology, the Commission, supported by ENISA, should establish an objective, non-discriminatory, technology neutral, fair and transparent system for the selection of such experts.
Amendment 214 #
Proposal for a directive
Article 2 – paragraph 1
1. This Directive applies to public and private entities of a type referred to as essential entities in Annex I and as important entities in Annex II. This Directive does not apply to entities that qualify as micro and small enterprises within the meaning of Commission Recommendation 2003/361/EC28 nor to non-commercial free and open source projects. Article 3 Paragraph 4 of the Annex to Commission Recommendation 2003/361/EC is not applicable.
_________________
28 Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (OJ L 124, 20.5.2003, p. 36).
Amendment 220 #
Proposal for a directive
Article 2 – paragraph 2 – point a – point iii
Amendment 222 #
Proposal for a directive
Article 2 – paragraph 2 – point d
(d) a potential disruption of the service provided by the entity could have an impact on public safety, public security or public health;
Amendment 223 #
Proposal for a directive
Article 2 – paragraph 2 – point e
(e) a potential disruption of the service provided by the entity could induce systemic risks, in particular for the sectors where such disruption could have a cross-border impact;
Amendment 230 #
Proposal for a directive
Article 2 – paragraph 4
4. This Directive applies without prejudice to Council Directive 2008/114/EC30 and Directives 2011/93/EU31 and 2013/40/EU32 and 2002/58/EC1a and Regulation (EU) 2016/6791b of the European Parliament and of the Council.
_________________
30 Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (OJ L 345, 23.12.2008, p. 75).
31 Directive 2011/93/EU of the European Parliament and of the Council of 13 December 2011 on combating the sexual abuse and sexual exploitation of children and child pornography, and replacing Council Framework Decision 2004/68/JHA (OJ L 335, 17.12.2011, p. 1).
32 Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on attacks against information systems and replacing Council Framework Decision 2005/222/JHA (OJ L 218, 14.8.2013, p. 8).
1a Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector.
1b Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
Amendment 249 #
Proposal for a directive
Article 4 – paragraph 1 – point 9
(9) ‘representative’ means any natural or legal person established in the Union explicitly designated to act on behalf of i) a DNS service provider, a top-level domain (TLD) name registry, a cloud computing service provider, a data centre service provider, a content delivery network provider as referred to in point 8 of Annex I or ii) entities referred to in point 6 of Annex II that are not established in the Union, which may be addressed by a national competent authority or a CSIRT instead of the entity with regard to the obligations of that entity under this Directive;
Amendment 252 #
Proposal for a directive
Article 4 – paragraph 1 – point 14
Amendment 254 #
Proposal for a directive
Article 4 – paragraph 1 – point 15
Amendment 280 #
Proposal for a directive
Article 5 – paragraph 1 – point d a (new)
(da) an assessment of the general level of cybersecurity awareness amongst citizens as well as on the general level of security of consumer connected devices;
Amendment 285 #
Proposal for a directive
Article 5 – paragraph 2 – point b
(b) guidelines regarding the inclusion and specification of cybersecurity-related requirements for ICT products and services in public procurement, including but not limited to encryption requirements and the promotion of the use of open source cybersecurity products;
Amendment 286 #
Proposal for a directive
Article 5 – paragraph 2 – point d a (new)
(da) a policy related to sustaining the use of open data and open source as part of security through transparency;
Amendment 291 #
Proposal for a directive
Article 5 – paragraph 2 – point f
(f) a policy on supporting education establishments, in particular academic and research institutions to develop and deploy cybersecurity tools and secure network infrastructure;
Amendment 309 #
Proposal for a directive
Article 6 – paragraph 2
2. ENISA shall develop and maintain a European vulnerability registry. To that end, ENISA shall establish and maintain the appropriate information systems, policies and procedures with a view in particular to enabling important and essential entities and their suppliers of network and information systems to disclose and register vulnerabilities present in ICT products or ICT services, as well as to provide access to the information on vulnerabilities contained in the registry to all interested parties. The registry shall, in particular, include information describing the vulnerability, the affected ICT product or ICT services and the severity of the vulnerability in terms of the circumstances under which it may be exploited, the availability of related patches and, in the absence of available patches, guidance addressed to users of vulnerable products and services as to how the risks resulting from disclosed vulnerabilities may be mitigated. For ensuring security and accessibility of information, state of the art cybersecurity measures shall be accompanied by machine-readable datasets and corresponding interfaces (APIs).
Amendment 332 #
Proposal for a directive
Article 10 – paragraph 2 – point e
(e) providing, upon a specific request of an entity, a proactive scanning of the network and information systems used for the provision of their services in order to identify, mitigate or prevent specific and exceptional network and information security threats, in full respect of Regulation 2016/679;
Amendment 342 #
Proposal for a directive
Article 12 – paragraph 3 – subparagraph 1
The Cooperation Group shall be composed of representatives of Member States, the Commission, ENISA and the EDPB. The European External Action Service shall participate in the activities of the Cooperation Group as an observer. The European Supervisory Authorities (ESAs) in accordance with Article 17(5)(c) of Regulation (EU) XXXX/XXXX [the DORA Regulation] may participate in the activities of the Cooperation Group.
Amendment 363 #
Proposal for a directive
Article 15 – paragraph 1 – introductory part
1. ENISA shall issue, in cooperation with the Commission, a biennial report on the state of cybersecurity in the Union. The report shall be delivered in machine-readable format and shall in particular include an assessment of the following:
Amendment 367 #
Proposal for a directive
Article 15 – paragraph 1 – point c a (new)
(ca) an overview of the general level of cybersecurity awareness and use amongst citizens as well as on the general level of security of consumer-oriented connected devices put on the market in the Union.
Amendment 404 #
Proposal for a directive
Article 18 – paragraph 2 – point g
(g) the use of cryptography and strong encryption.
Amendment 425 #
Proposal for a directive
Article 20 – paragraph 1
1. Member States shall ensure that essential and important entities notify, without undue delay, the competent authorities or the CSIRT in accordance with paragraphs 3 and 4 of any incident having a significant impact on the provision of their services. Those entities shall notify, without undue delay, the recipients of their services of incidents that are likely to adversely affect the provision of that service and provide information that would enable them to mitigate the adverse effects of the cyberattacks. By exception, where public disclosure could trigger further cyberattacks, essential and important entities could delay the notification. Member States shall ensure that those entities report, among others, any information enabling the competent authorities or the CSIRT to determine any cross-border impact of the incident.
Amendment 432 #
Proposal for a directive
Article 20 – paragraph 2 – subparagraph 1
Member States shall ensure that essential and important entities notify, without undue delay, the competent authorities or the CSIRT of any significant cyber threat that those entities identify that, if steps to mitigate the risk had not been taken or are not taken in the future, would have resulted or are likely in the future to result in a significant incident.
Amendment 435 #
Proposal for a directive
Article 20 – paragraph 2 – subparagraph 2
Amendment 469 #
Proposal for a directive
Article 20 – paragraph 7
7. Where public awareness is necessary to prevent an incident or to deal with an ongoing incident, or where disclosure of the incident is otherwise in the public interest, the competent authority or the CSIRT, and where appropriate the authorities or the CSIRTs of other Member States concerned, shall, after consulting the entity concerned, inform the public about the incident or require the entity to do so.
Amendment 501 #
Proposal for a directive
Article 23
Amendment 510 #
Proposal for a directive
Article 24 – paragraph 1
1. Cloud computing service providers, data centre service providers and content delivery network providers referred to in point 8 of Annex I, as well as digital providers referred to in point 6 of Annex II shall be deemed to be under the jurisdiction of the Member State in which they have their main establishment in the Union.
Amendment 520 #
Proposal for a directive
Article 25 – paragraph 1 – introductory part
1. ENISA shall create and maintain a secure registry for essential and important entities referred to in Article 24(1). The entities shall submit the following information to ENISA by [12 months after entering into force of the Directive at the latest]:
Amendment 540 #
Proposal for a directive
Article 28 – paragraph 2
2. Competent authorities shall work in close cooperation with data protection authorities when addressing incidents resulting in personal data breaches, without prejudice to the competences, tasks and powers of data protection authorities pursuant to Regulation (EU) 2016/679.
Amendment 545 #
Proposal for a directive
Article 29 – paragraph 2 – point c
(c) targeted security audits based on risk assessments or risk-related available information carried out by a qualified independent body or a competent authority or independent experts and make the results thereof available to the competent authority; the cost of the audit shall be paid by the provider;
Amendment 573 #
Proposal for a directive
Article 30 – paragraph 2 – point b
(b) targeted security audits based on risk assessments or risk-related available information carried out by a qualified independent body or a competent authority and make the results thereof available to the competent authority; the cost of the audit shall be paid by the provider;
Amendment 581 #
Proposal for a directive
Article 32 – paragraph 1
1. Where the competent authorities have indications that the infringement by an essential or important entity of the obligations laid down in Articles 18 and 20 entails a personal data breach, as defined by Article 4(12) of Regulation (EU) 2016/679, which shall be notified pursuant to Article 33 of that Regulation, they shall inform the supervisory authorities competent pursuant to Articles 55 and 56 of that Regulation within 72 hours.
Amendment 583 #
Proposal for a directive
Article 32 – paragraph 3
3. Where the supervisory authority competent pursuant to Regulation (EU) 2016/679 is established in another Member State than the competent authority, the competent authority shall inform the supervisory authority established in the same Member State.
Amendment 584 #
Proposal for a directive
Article 34 a (new)
Article 34a
Right to an effective judicial remedy
Without prejudice to any available administrative or non-judicial remedy, the recipients of services provided by essential and important entities, having incurred damages as a result of the providers’ non-compliance with this Directive, shall have the right to an effective judicial remedy.
Amendment 585 #
Proposal for a directive
Article 35 – paragraph 1
The Commission shall periodically review the functioning of this Directive, and report to the European Parliament and to the Council. The report shall in particular assess the relevance of sectors, subsectors, size and type of entities referred to in Annexes I and II for the functioning of the economy and society in relation to cybersecurity. For this purpose and with a view to further advancing the strategic and operational cooperation, the Commission shall take into account the reports of the Cooperation Group and the CSIRTs network on the experience gained at a strategic and operational level. The first report shall be submitted by… [36 months after the date of entry into force of this Directive].
Amendment 594 #
Proposal for a directive
Article 40 – paragraph 1
Articles 40 and 41 of Directive (EU) 2018/1972 are to be applied insofar as they are not in contradiction with this Directive.
Amendment 596 #
Proposal for a directive
Article 40 a (new)
Article 40a
Amendments to Directive 2020/1828/EC on Representative Actions for the Protection of the Collective Interests of Consumers
The following is added to Annex I:
“(X) Directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148”