47 Amendments of Christian EHLER related to 2013/0027(COD)
Amendment 118 #
Proposal for a directive
Article 14 – paragraph 1
1. Member States shall ensure that public administrations and market operators take appropriate technical and organisational measures to detect and effectively manage the risks posed to the security of the networks and information systems which they control and use in their operations. Having regard to the state of the art, these measures shall guarantee a level of security appropriate to the risk presented. In particular, measures shall be taken to prevent and minimise the impact of incidents affecting their network and information system on the core services they provide and thus ensure the continuity of the services underpinned by those networks and information systems.
Amendment 120 #
Proposal for a directive
Article 14 – paragraph 2
2. Member States shall ensure that public administrations and market operators completely and without measurable delay notify to the competent authority incidents having a significant impact on the security of the core services they provide.
Amendment 127 #
Proposal for a directive
Article 14 – paragraph 4 a (new)
4a. Besides reporting to public authorities, market operators shall be obliged to announce incidents involving their corporation in their annual business report.
Amendment 128 #
Proposal for a directive
Recital 1
(1) Network and information systems and services play a vital role in society. Their reliability and security are essential to the freedom and overall security of the citizens of the EU as well as to economic activities and social welfare, and in particular to the functioning of the internal market.
Amendment 130 #
Proposal for a directive
Recital 2
(2) The magnitude and frequency of deliberate or accidental security incidents are increasing and represent a major threat to the functioning of networks and information systems. Such incidents can impede the pursuit of economic activities, generate substantial financial losses, undermine user and investor confidence and cause major damage to the economy of the Union.
Amendment 132 #
Proposal for a directive
Recital 3
(3) As a communication instrument without traditional frontiers, digital information systems, and primarily the Internet, play an essential role in facilitating the cross-border movement of goods, services, ideas and people. Due to that transnational nature, substantial disruption of those systems in one Member State can also affect other Member States and the Union as a whole. The resilience and stability of network and information systems are therefore essential to the smooth functioning of the internal market and moreover to the functioning of external markets, too.
Amendment 136 #
Proposal for a directive
Recital 4
(4) A cooperation mechanism should be established at Union level to allow for information exchange and coordinated detection and response regarding network and information security (‘NIS’). For that mechanism to be effective and inclusive, it is essential that all Member States have minimum capabilities and a strategy ensuring a high level of NIS in their territory. Minimum security requirements should also apply to public administrations, operators of critical information infrastructure and stock listed companies to promote a culture of risk management and ensure that the most serious incidents are reported.
Amendment 142 #
Proposal for a directive
Recital 5
(5) To cover all relevant incidents and risks, this Directive should apply to all network and information systems. The obligations on public administrations and market operators should however not apply to undertakings providing public communication networks or publicly available electronic communication services within the meaning of Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive)25, which are subject to the specific security and integrity requirements laid down in Article 13a of that Directive, nor should they apply to trust service providers.
__________________
25 OJ L 108, 24.4.2002, p. 33.
Amendment 147 #
Proposal for a directive
Recital 7
(7) Responding effectively to the challenges of the security of network and information systems therefore requires a global approach at Union level covering common minimum capacity building and planning requirements, exchange of information and coordination of actions, and common minimum security requirements for all market operators concerned and public administrations. Minimal common standards should be applied in accordance with appropriate recommendations by the Cyber Security Co-Ordination Groups (CSGC).
Amendment 150 #
Proposal for a directive
Recital 9
(9) To achieve and maintain a common high level of security of network and information systems, each Member State should have a national NIS strategy defining the strategic objectives and concrete policy actions to be implemented. NIS cooperation plans complying with essential requirements need to be developed at national level in order to reach capacity response levels allowing for effective and efficient cooperation at national and Union level in case of incidents. Each Member State should therefore be obliged to meet common standards regarding data format and the exchangeability of data to be shared and evaluated.
Amendment 155 #
Proposal for a directive
Recital 11
(11) All Member States and market operators should be adequately equipped, both in terms of technical and organisational capabilities, to prevent, detect, respond to and mitigate network and information systems' incidents and risks. Commonly required equipment and capabilities ought to comply with commonly agreed technical standards as well as standard procedures of operation (SPO). Well-functioning Computer Emergency Response Teams complying with essential requirements should therefore be established in all Member States to guarantee effective and compatible capabilities to deal with incidents and risks and ensure efficient cooperation at Union level. These CERTs should be enabled to interact on the basis of common technical standards and SPO.
Amendment 161 #
Proposal for a directive
Recital 13
(13) The European Network and Information Security Agency (‘ENISA’) should assist the Member States and the Commission by providing its expertise and advice and by facilitating exchange of best practices. In particular, in the application of this Directive, the Commission should consult ENISA. To ensure effective and timely information to the Member States and the Commission, early warnings on incidents and risks should be notified within the cooperation network. To build capacity and knowledge among Member States, the cooperation network should also serve as an instrument for the exchange of best practices, assisting its members in building capacity, steering the organisation of peer reviews and NIS exercises.
Amendment 167 #
Proposal for a directive
Recital 15
(15) As most network and information systems are privately operated, cooperation between the public and private sector is essential. Market operators should be encouraged to pursue their own informal cooperation mechanisms to ensure NIS. They should also cooperate with the public sector and share information and best practices in exchange for operational support and information in case of incidents.
Amendment 170 #
Proposal for a directive
Recital 16
(16) To ensure transparency and properly inform EU citizens and market operators, the competent authorities should set up a common website to publish non-confidential information on the incidents and risks and to eventually advise on appropriate maintenance measures.
Amendment 173 #
Proposal for a directive
Recital 18
(18) On the basis in particular of national crisis management experiences and in cooperation with ENISA, the Commission and the Member States should develop a Union NIS cooperation plan defining cooperation mechanisms to prevent, detect, report, and counter risks and incidents. That plan should be duly taken into account in the operation of early warnings within the cooperation network.
Amendment 181 #
Proposal for a directive
Recital 24
(24) Those obligations should be extended beyond the electronic communications sector to key providers of information society services, as defined in Directive 98/34/EC of the European Parliament and of the Council of 22 June 1998 laying down a procedure for the provision of information in the field of technical standards and regulations and of rules on Information Society services27, which underpin downstream information society services or on-line activities, such as e-commerce platforms, Internet payment gateways, social networks, search engines, cloud computing services, application stores. Disruption of these enabling information society services prevents the provision of other information society services which rely on them as key inputs. Software developers and hardware manufacturers are not providers of information society services and are therefore excluded. Those obligations should also be extended to public administrations, and operators of critical infrastructure which rely heavily on information and communications technology and are essential to the maintenance of vital economic or societal functions such as electricity and gas, transport, credit institutions, stock exchange and health. Disruption of those network and information systems would affect the internal market. The obligations should also apply for stock listed companies due to their vital role for the functioning of the internal market.
__________________
27 OJ L 204, 21.7.1998, p. 37.
Amendment 182 #
Proposal for a directive
Recital 25
Amendment 185 #
Proposal for a directive
Recital 27
(27) To avoid imposing a disproportionate financial and administrative burden on small operators and users, the requirements should be proportionate to the risk presented by the network or information system concerned, taking into account the state of the art of such measures. These requirements should not apply to micro enterprises.
Amendment 189 #
Proposal for a directive
Recital 28
(28) Competent authorities should pay due attention to preserving informal and trusted channels of information-sharing between market operators and between the public and the private sectors. Publicity of incidents reported to the competent authorities should duly balance the interest of the public in being informed about threats with possible reputational and commercial damages for the public administrations and market operators reporting incidents. In the implementation of the notification obligations, competent authorities should pay particular attention to the need to keep information about product vulnerabilities strictly confidential prior to the release of appropriate security fixes, while not delaying any notification more than compulsorily required.
Amendment 193 #
Proposal for a directive
Recital 30
(30) In many cases, criminal activities underlie an incident. The criminal nature of incidents can be suspected even if the evidence to support it may not be sufficiently clear from the start. In this context, appropriate co-operation between competent authorities and law enforcement authorities as well as cooperation with the EC3 (Europol Cybercrime Centre) and ENISA should form part of an effective and comprehensive response to the threat of security incidents. In particular, promoting a safe, secure and more resilient environment requires a systematic reporting of incidents of a suspected serious criminal nature to law enforcement authorities. The serious criminal nature of incidents should be assessed in the light of EU laws on cybercrime.
Amendment 195 #
Proposal for a directive
Recital 31
(31) Personal data are in many cases compromised as a result of incidents. Member States and market operators should protect personal data stored, processed or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorised or unlawful storage, access or disclosure, dissemination, or access; and ensure the implementation of a security policy with respect to the processing of personal data. In this context, competent authorities and data protection authorities should cooperate and exchange information on all relevant matters to tackle the personal data breaches resulting from incidents. Member States shall implement the obligation to notify security incidents in a way that minimises the administrative burden in case the security incident is also a personal data breach in line with the Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data28. Liaising with the competent authorities and the data protection authorities, ENISA could assist by developing information exchange mechanisms and templates avoiding the need for two notification templates. This single notification template would facilitate the reporting of incidents compromising personal data thereby easing the administrative burden on businesses and public administrations.
__________________
28 SEC(2012) 72 final
Amendment 199 #
Proposal for a directive
Recital 33
(33) The Commission should periodically review this Directive, in particular with a view to determining the need for modification in the light of changing societal, political, technological or market conditions.
Amendment 206 #
Proposal for a directive
Article 1 – paragraph 4
4. This Directive shall be without prejudice to EU laws on cybercrime and Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection32. However, that Directive shall be reviewed without further delay in particular regarding the inclusion of ICT as a European Infrastructure.
__________________
32 OJ L 345, 23.12.2008, p. 75.
Amendment 211 #
Proposal for a directive
Article 3 – paragraph 1 – point 1 – point b
(b) any device or group of inter-connected or related devices, one or more of which, pursuant to a program, perform automatic processing of digital data, as well as
Amendment 212 #
Proposal for a directive
Article 3 – paragraph 1 – point 1 – point c
(c) digital data stored, processed, retrieved or transmitted by elements covered under point (a) and (b) for the purposes of their operation, use, protection and maintenance.
Amendment 213 #
Proposal for a directive
Article 3 – paragraph 1 – point 2
(2) ‘security’ means the ability of a network and information system to resist, at a given level of confidence, accidents or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted data or the related services offered by or accessible via that network and information system; ‘security’ as defined here includes appropriate technical devices, solutions and operating procedures ensuring the security requirements set forth in this Directive.
Amendment 217 #
Proposal for a directive
Article 3 – paragraph 1 – point 7
(7) ‘incident handling’ means all procedures supporting the detection, prevention, analysis, containment and response to an incident;
Amendment 231 #
Proposal for a directive
Article 4 – paragraph 1
Member States shall ensure a sustained continuous high level of security of the network and information systems in their territories in accordance with this Directive.
Amendment 242 #
Proposal for a directive
Article 7 – paragraph 5 – point 1 (new)
(1) The CERT shall be enabled and encouraged to initiate and to participate in joint exercises with certain CERT, with all Member States-CERT, and with appropriate institutions of non-Member States as well as with CERT of multi- and international institutions such as NATO and the UN.
Amendment 249 #
Proposal for a directive
Article 8 – paragraph 2
2. The cooperation network shall bring into permanent communication the Commission and the competent authorities. The European Network and Information Security Agency (‘ENISA’) shall assist the cooperation network by providing its expertise and advice.
Amendment 255 #
Proposal for a directive
Article 8 – paragraph 3 – point e
(e) jointly discuss and assess, at the request of a Member State or the Commission, the effectiveness of the CERTs, in particular when NIS exercises are performed at Union level and implement measures to resolve identified weaknesses without measurable delay;
Amendment 258 #
Proposal for a directive
Article 8 – paragraph 3 – point f
(f) cooperate and exchange information on all relevant matters with the European Cybercrime Centre within Europol, and with other relevant European bodies in particular in the fields of criminal investigation, data protection, energy, transport, banking, stock exchanges and health;
Amendment 262 #
Proposal for a directive
Article 8 – paragraph 3 – point i – point 1 (new)
1) NIS-authorities shall be encouraged to engage in security research and other appropriate programmes of Horizon2020.
Amendment 278 #
Proposal for a directive
Article 10 – paragraph 4
4. Where the risk or incident subject to an early warning is of a suspected criminal nature, the competent authorities or the Commission shall inform the European Cybercrime Centre within Europol without measurable delay.
Amendment 285 #
Proposal for a directive
Article 12 – paragraph 3
3. The Union NIS cooperation plan shall be adopted no later than one year following the entry into force of this Directive and shall be revised regularly. Results of each revision shall be reported to the European Parliament.
Amendment 294 #
Proposal for a directive
Article 14 – paragraph 1
1. Member States shall ensure that public administrations and market operators take appropriate technical and organisational measures to detect and effectively manage the risks posed to the security of the networks and information systems which they control and use in their operations. Having regard to the state of the art, these measures shall guarantee a level of security appropriate to the risk presented. In particular, measures shall be taken to prevent and minimise the impact of incidents affecting their network and information system on the core services they provide and thus ensure the continuity of the services underpinned by those networks and information systems.
Amendment 298 #
Proposal for a directive
Article 14 – paragraph 2
2. Member States shall ensure that public administrations and market operators notify to the competent authority incidents having a significant impact on the security of the core services they provide completely and without measurable delay.
Amendment 303 #
Proposal for a directive
Article 14 – paragraph 3
3. The requirements under paragraphs 1 and 2 apply to all market operators providing services within the European Union. Public authorities and market operators should provide disclosure tailored to their particular circumstances.
Amendment 308 #
Proposal for a directive
Article 14 – paragraph 4
4. The competent authority may inform the public, or require the public administrations and market operators to do so, where it determines that disclosure of the incident is in the public interest. Every six months, the competent authority shall submit a summary report to the cooperation network on the notifications received and the action taken in accordance with this paragraph.
Amendment 310 #
Proposal for a directive
Article 14 – paragraph 4 – subparagraph 1 (new)
Besides reporting to the competent authority, market operators shall be encouraged to announce incidents involving their corporation in their financial reports (on a voluntary basis).
Amendment 326 #
Proposal for a directive
Article 15 – paragraph 3
3. Member States shall ensure that competent authorities have the power to issue binding instructions to market operators and public administrations and to issue enactments for legal and liability obligations, especially where a voluntary approach does not prove efficient.
Amendment 342 #
Proposal for a directive
Article 20 – paragraph 1
The Commission shall periodically review the functioning of this Directive and report to the European Parliament and the Council. The main focus of the review should be the provisions of Annex II, in particular the provisions regarding the internet enablers. The first report shall be submitted no later than two years after the date of transposition referred to in Article 21. For this purpose, the Commission may request Member States to provide information without undue delay. The review should also evaluate the voluntary incentives for stock listed companies set forth in this Directive: the effectiveness of this voluntary approach is to be evaluated by the competent national authority every 2 years. Results ought to be reported to the European Commission without delay. Should the voluntary approach aimed at protecting customers' and investors' interests not prove sufficient, Member States shall introduce legal obligations.
Amendment 345 #
Proposal for a directive
Annex 1 – paragraph 1 – point 2 – point a – indent 1
– Detection and monitoring of incidents at a national level,
Amendment 346 #
Proposal for a directive
Annex 2 – heading 1
List of market operators - This list is non-exhaustive and shall be reviewed every 2 years:
Amendment 353 #
Proposal for a directive
Annex 2 – paragraph 1 – point 4
Amendment 359 #
Proposal for a directive
Annex 2 – paragraph 1 – point 5 a (new)
5a. Hardware developers and producers
Amendment 360 #
Proposal for a directive
Annex 2 – paragraph 1 – point 5 b (new)
5b. Software developers and producers