12 Amendments of Sophia IN 'T VELD related to 2022/0085(COD)
Amendment 22
Proposal for a regulation
Recital 22
(22) All personal data processed under this Regulation should be processed in accordance with data protection legislation including Regulation (EU) 2018/1725 of the European Parliament and of the Council.7 This Regulation shall not affect the application of existing EU laws governing the processing of personal data, including the tasks and powers of the EDPS.
_________________
7 Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).
Amendment 24
Proposal for a regulation
Recital 25 a (new)
(25 a) The European Data Protection Supervisor was consulted in accordance with Article 42 of Regulation (EU) 2018/1725 and delivered an opinion on 17 May 2022;
Amendment 25
Proposal for a regulation
Article 2 – paragraph 1
This Regulation applies to the management, governance and control of cybersecurity risks by all Union institutions, bodies and agencies and to the organisation and operation of CERT-EU and the Interinstitutional Cybersecurity Board. The minimum security requirements should be at least equal or higher than the minimum security requirements of the entities in the NIS 2.0 Directive.
Amendment 29
Proposal for a regulation
Article 9 – paragraph 3 – subparagraph 1 – point k a (new)
(k a) the European Data Protection Supervisor
Amendment 30
Proposal for a regulation
Article 9 – paragraph 3 – subparagraph 1 – point k b (new)
(k b) Europol
Amendment 33
Proposal for a regulation
Article 12 – paragraph 7 a (new)
7 a. CERT-EU shall work in close cooperation with the EDPS, when addressing incidents resulting in personal data breaches or in breach of confidentiality of electronic communications. CERT-EU shall inform the EDPS when addressing significant vulnerabilities, significant incidents or major attacks that have the potential to result in personal data breaches and/or in the breach of confidentiality of electronic communications. CERT-EU shall inform without undue delay the EDPS when it has indications that an infringement by the EUIs of the obligations laid down in the Proposal entails a personal data breach.
Amendment 35
Proposal for a regulation
Article 12 – paragraph 7 b (new)
Amendment 41
Proposal for a regulation
Article 18 – paragraph 5
5. Any contacts with CERT-EU initiated or sought by national security and intelligence services shall be communicated to the Commission’s Security Directorate, Europol and the chair of the IICB without undue delay.
Amendment 49
Proposal for a regulation
Article 19 – paragraph 4
4. The sharing obligations shall not extend to EU Classified Information (EUCI) and to information that a Union institution, body or agency has received from a Member State Security or Intelligence Service or law enforcement agency under the explicit condition that it will not be shared with CERT-EU, except if Europol decides that the sharing obligation shall be extended to that information.
Amendment 51
Proposal for a regulation
Article 20 – paragraph 5
5. The notification obligations shall not extend to EUCI and to information that a Union institution, body or agency has received from a Member State Security or Intelligence Service or law enforcement agency under the explicit condition that it will not be shared with CERT-EU, except if Europol decides that the notification obligation shall be extended to that information.
Amendment 56
Proposal for a regulation
Article 21 – paragraph 4
4. The IICB shall issue guidance on incident response coordination and cooperation for significant incidents. Where the criminal nature of an incident is suspected, CERT-EU shall advise on how to report the incident to law enforcement authorities without undue delay.
Amendment 57
Proposal for a regulation
Article 22 a (new)
Article 22 a
Transparency
After every significant incident and response, CERT-EU shall make the cybersecurity attack public, except if this presents an actual and foreseeable threat to the institution, office, body or agency.