31 Amendments of Sandro GOZI related to 2020/0359(COD)
Amendment 95 #
Proposal for a directive
Recital 30
(30) Access to correct and timely information on vulnerabilities affecting ICT products and services contributes to an enhanced cybersecurity risk management. In that regard, sources of publicly available information on vulnerabilities are an important tool for entities and their users, but also national competent authorities and CSIRTs. For this reason, ENISA should establish a vulnerability database where essential and important entities and their suppliers, as well as entities which do not fall in the scope of application of this Directive, may, on a voluntary basis, disclose vulnerabilities and provide the vulnerability information that allows users to take appropriate mitigating measures.
Amendment 104 #
Proposal for a directive
Recital 12
(12) Sector-specific legislation and instruments can contribute to ensuring high levels of cybersecurity, while taking full account of the specificities and complexities of those sectors. Where a sector-specific Union legal act requires essential or important entities to adopt cybersecurity risk management measures or to notify incidents or significant cyber threats of at least an equivalent effect to the obligations laid down in this Directive, those sector-specific provisions, including on supervision and enforcement, should apply. The Commission should issue guidelines in relation to the implementation of the lex specialis, taking relevant opinions, expertise and best practices of ENISA and the Cooperation Group into account. This Directive does not preclude the adoption of additional sector-specific Union acts addressing cybersecurity risk management measures and incident notifications. This Directive is without prejudice to the existing implementing powers that have been conferred to the Commission in a number of sectors, including transport and energy.
Amendment 146 #
Proposal for a directive
Recital 40
(40) Risk-management measures should include measures to identify any risks of incidents, to prevent, detect and handle incidents and to mitigate their impact. The security of network and information systems should comprise the security of stored, transmitted and processed data. It must be approached using a systemic analysis that breaks down the various processes and the interactions between the subsystems, in order to have a complete picture of the security of the information system. The human factor should be fully taken into account in the analysis.
Amendment 158 #
Proposal for a directive
Recital 47
(47) The supply chain risk assessments, in light of the features of the sector concerned, should take into account both technical and, where relevant, non-technical factors including those defined in Recommendation (EU) 2019/534, in the EU wide coordinated risk assessment of 5G networks security and in the EU Toolbox on 5G cybersecurity agreed by the Cooperation Group. To identify the supply chains that should be subject to a coordinated risk assessment, the following criteria should be taken into account: (i) the extent to which essential and important entities use and rely on specific critical ICT services, systems or products; (ii) the relevance of specific critical ICT services, systems or products for performing critical or sensitive functions, including the processing of personal data; (iii) the availability of alternative ICT services, systems or products; (iv) the resilience of the overall supply chain of ICT services, systems or products against disruptive events and (v) for emerging ICT services, systems or products, their potential future significance for the entities’ activities.
Amendment 171 #
Proposal for a directive
Article 6 – title
Coordinated vulnerability disclosure and a European vulnerability database
Amendment 175 #
Proposal for a directive
Article 6 – paragraph 2
2. ENISA shall develop and maintain a European vulnerability database. To that end, ENISA shall establish and maintain the appropriate information systems, policies and procedures as well as the appropriate disclosure policies with a view in particular to enabling important and essential entities and their suppliers of network and information systems to disclose and easily register vulnerabilities present in ICT products or ICT services, as well as to provide access to the relevant information on vulnerabilities contained in the registry to all interested parties, provided that such actions do not undermine the protection of confidentiality and trade secrets. The vulnerability database shall, in particular, include information describing the vulnerability, the affected ICT product or ICT services and the severity of the vulnerability in terms of the circumstances under which it may be exploited, the availability of related patches and, in the absence of available patches, guidance addressed to users of vulnerable products and services as to how the risks resulting from disclosed vulnerabilities may be mitigated.
Amendment 209 #
Proposal for a directive
Article 18 – paragraph 2 – point d
(d) measures for supply chain security risk assessment including on security-related aspects concerning the relationships between each entity and its suppliers or service providers such as providers of data storage and processing services or managed security services;
Amendment 210 #
Proposal for a directive
Article 18 – paragraph 2 – point f
(f) policies and procedures (testing and auditing) and regular cybersecurity exercises to assess the effectiveness of cybersecurity risk management measures;
Amendment 215 #
Proposal for a directive
Article 18 – paragraph 2 – point g a (new)
(ga) security training and awareness.
Amendment 220 #
Proposal for a directive
Article 18 – paragraph 6
6. The Commission, in cooperation with the Cooperation Group and ENISA, shall provide guidance and best practices on the compliance by entities in a proportionate manner with the requirements laid down in paragraph 2, and in particular to the requirement in point (d) of that paragraph. In developing delegated acts, the Commission shall also consult all relevant stakeholders.
Amendment 237 #
Proposal for a directive
Article 2 – paragraph 6
6. Where provisions of sector–specific acts of Union law require essential or important entities either to adopt cybersecurity risk management measures or to notify incidents or significant cyber threats, and where those requirements are at least equivalent in effect to the obligations laid down in this Directive, the relevant provisions of this Directive, including the provision on supervision and enforcement laid down in Chapter VI, shall not apply. The Commission shall issue guidelines in relation to the implementation of the sector–specific acts of Union law in order to ensure that security requirements established by this Directive are met by those acts. When preparing those guidelines, the Commission shall take into account ENISA and the Cooperation Group best practices and expertise.
Amendment 252 #
Proposal for a directive
Article 21 – paragraph 2
2. The Commission shall regularly assess the efficiency and use of the adopted European cybersecurity certification schemes under Article 49 of Regulation (EU) 2019/881 and shall identify which categories of essential entities shall be encouraged to obtain a certificate and under which specific European cybersecurity certification schemes pursuant to paragraph 1.
Amendment 255 #
Proposal for a directive
Article 23 – title
Database infrastructure of domain names and registration data
Amendment 258 #
Proposal for a directive
Article 23 – paragraph 1
1. For the purpose of contributing to the security, stability and resilience of the DNS, Member States shall ensure that TLD registries and the entities providing domain name registration services for the TLD are required to collect and maintain accurate, verified and complete domain name registration data in a dedicated database facility with due diligence subject to Union data protection law as regards data which are personal data.
Amendment 260 #
Proposal for a directive
Article 23 – paragraph 2
2. Member States shall ensure that the database infrastructure of domain name registration data referred to in paragraph 1 contains relevant information, which shall include at least the registrants’ name, their physical and email address as well as their telephone number, to identify and contact the holders of the domain names and the points of contact administering the domain names under the TLDs.
Amendment 266 #
Proposal for a directive
Article 23 – paragraph 3
3. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD have policies and procedures in place to ensure that the database infrastructure includes accurate, verified and complete information. Member States shall ensure that such policies and procedures are made publicly available.
Amendment 268 #
Proposal for a directive
Article 23 – paragraph 4
4. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD make publicly available, without undue delay and in any event within 24 hours after the registration of a domain name, all domain registration data of legal persons as registrants.
Amendment 271 #
Proposal for a directive
Article 23 – paragraph 5
5. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD provide access to specific domain name registration data, including personal data, upon duly justified requests of legitimate access seekers, in compliance with Union data protection law. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD reply without undue delay and in any event within 72 hours to all requests for access. Member States shall ensure that policies and procedures to disclose such data are made publicly available.
Amendment 278 #
Proposal for a directive
Article 26 – paragraph 3
3. Member States shall set out guidelines specifying the procedure, operational elements (including the use of dedicated ICT platforms), content and conditions of the information sharing arrangements referred to in paragraph 2. Such guidelines shall also include the details of the involvement, where relevant, of public authorities and independent experts in such arrangements, as well as operational elements, including the use of dedicated IT platforms. Member States shall offer support to the application of such arrangements in accordance with their policies referred to in Article 5(2) (g).
Amendment 278 #
Proposal for a directive
Article 5 – paragraph 1 – point b
(b) a governance framework to achieve those objectives and priorities, including the policies referred to in paragraph 2 and the roles and responsibilities of public bodies and entities as well as other relevant actors;
Amendment 279 #
Proposal for a directive
Article 5 – paragraph 1 – point b a (new)
(ba) a framework for allocating the roles and responsibilities of public bodies and entities as well as other relevant actors, including the organisation of the cooperation at national level between the competent authorities designated under Article 7(1) and Article 8(1), the single point of contact designated under Article 8(3), and CSIRTs designated under Article 9;
Amendment 287 #
Proposal for a directive
Article 29 – paragraph 3
3. Where exercising their powers under points (e) to (g) of paragraph 2, the competent authorities shall state the purpose of the request, specify the information requested and limit their requests to the scope of the incident or issue of concern.
Amendment 291 #
Proposal for a directive
Article 30 – paragraph 3
3. Where exercising their powers pursuant to points (d) or (e) of paragraph 2, the competent authorities shall state the purpose of the request, specify the information requested and limit their requests to the scope of the incident or issue of concern.
Amendment 292 #
Proposal for a directive
Article 31 – paragraph 4
4. Member States shall ensure that infringements of the obligations laid down in Article 18 or Article 20 shall, in accordance with paragraphs 2 and 3 of this Article, be subject to administrative fines of a maximum of at least 10 000 000 EUR or up to 2% of the total worldwide annual turnover of the undertaking to which the essential or important entity belongs in the preceding financial year, whichever is higher.
Amendment 347 #
Proposal for a directive
Article 12 – paragraph 4 – point d a (new)
(da) provide advice on the overall consistency of sector-specific cybersecurity requirements;
Amendment 395 #
Proposal for a directive
Article 18 – paragraph 2 – point c
(c) backup management, business continuity and crisis management;
Amendment 419 #
Proposal for a directive
Article 19 – paragraph 1 a (new)
1a. To identify the specific critical ICT services, systems or products supply chains that are subject to a coordinated risk assessment, the following criteria shall be taken into account: (a) the extent to which essential and important entities use and rely on specific critical ICT services, systems or products; (b) the relevance of specific critical ICT services, systems or products for performing critical or sensitive functions, including the processing of personal data; (c) the availability of alternative ICT services, systems or products; (d) the resilience of the overall supply chain of ICT services, systems or products against disruptive events; and (e) the potential significance to entities' activities of emerging ICT services, systems or products.
Amendment 426 #
Proposal for a directive
Article 20 – paragraph 1
1. Member States shall ensure that essential and important entities notify, without undue delay, the competent authorities or the CSIRT in accordance with paragraphs 3 and 4 of any incident having a significant impact on the provision of their services. Where appropriate, those entities shall notify, without undue delay, the recipients of their services of incidents that are likely to adversely affect the provision of that service. Member States shall ensure that those entities report, among others, any information enabling the competent authorities or the CSIRT to determine any cross-border impact of the incident. Where the competent authorities or the CSIRT consider that it is necessary, essential and important entities may notify other essential and important entities of any significant incident occurring in their sector.
Amendment 489 #
Proposal for a directive
Article 21 – paragraph 1
1. In order to demonstrate compliance with certain requirements of Article 18, Member States may require essential and important entities to use certain certified ICT products, ICT services and ICT processes, whether procured from third parties or developed by the essential or important entity, certified under specific European cybersecurity certification schemes adopted pursuant to Article 49 of Regulation (EU) 2019/881, or, in the absence of such a scheme, under equivalent internationally recognised certification schemes.
Amendment 497 #
Proposal for a directive
Article 21 – paragraph 2 a (new)
2a. In order to demonstrate compliance with certain requirements of Article 18 of this Directive, Member States may require essential and important entities to use qualified trust services pursuant to Regulation (EU) No 910/2014.
Amendment 498 #
Proposal for a directive
Article 21 – paragraph 2 b (new)
2b. Member States may rely on certified cybersecurity services providers, which could be certified under specific European cybersecurity certification schemes adopted pursuant to Article 49 of Regulation (EU) 2019/881, to enforce the supervision activities provided for in Articles 29 and 30 of this Directive.