BETA

27 Amendments of Seán KELLY related to 2022/0085(COD)

Amendment 38 #
Proposal for a regulation
Recital 1
(1) In the digital age, information and communication technology is a cornerstone in an open, efficient and independent Union administration. Evolving technology and increased complexity and interconnectedness of digital systems amplify cybersecurity risks making the Union administration more vulnerable to cyber threats and incidents, which ultimately poses threats to the administration’s business continuity and capacity to secure its data. While increased use of cloud services, the ubiquitous use of ITinformation and communication technology ('ICT'), high digitalisation, remote work and evolving technology and connectivity are nowadays core features of all activities of the Union administration entities, digital resilience is not yet sufficiently built in.
2022/11/15
Committee: AFCO
Amendment 40 #
Proposal for a regulation
Recital 3
(3) The Union institutions, bodies and agencies’ ICT environments have interdependencies, integrated data flows and their users collaborate closely. This interconnection means that any disruption, even when initially confined to one Union institution, body or agency, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts on the others. In addition, certain institutions, bodies and agencies’ ICT environments are connected with Member States’ ICT environments, causing an incident in one Union entity to pose a risk to the cybersecurity of Member States’ ICT environments and vice versa.
2022/11/15
Committee: AFCO
Amendment 44 #
Proposal for a regulation
Recital 8
(8) In order to avoid imposing a disproportionate financial and administrative burden on Union institutions, bodies and agencies, the cybersecurity risk management requirements should be proportionate to the risk presented by the network and information system concerned, taking into account the state of the art of such measures. Each Union institution, body and agency should aim to allocate an adequate percentage of its ICT budget to improve its level of cybersecurity; in the longer term a target in the order of 10% should be pursued.
2022/11/15
Committee: AFCO
Amendment 47 #
Proposal for a regulation
Recital 13
(13) Many cyberattacks are part of wider campaigns that target groups of Union institutions, bodies and agencies or communities of interest that include Union institutions, bodies and agencies. To enable proactive detection, incident response or mitigating measures, Union institutions, bodies and agencies should notify CERT- EU of significant cyber threats, significant vulnerabilities and significant incidents and share appropriate technical details that enable detection or mitigation of, as well as response to, similar cyber threats, vulnerabilities and incidents in other Union institutions, bodies and agencies. Following the same approach as the one envisaged in Directive [proposal NIS 2], where entities become aware of a significant incident they should be required to submit an initial notification to CERT- EU within 24 hours. Such information exchange should enable CERT-EU to disseminate the information to other Union institutions, bodies and agencies, as well as to appropriate counterparts, to help protect the Union ICT environments and the Union’s counterparts’ ICT environments against similar incidents, threats and vulnerabilities.
2022/11/15
Committee: AFCO
Amendment 48 #
Proposal for a regulation
Recital 17
(17) CERT-EU should have the mission to contribute to the security of the ICT environment of all Union institutions, bodies and agencies. CERT-EU should act as the equivalent of the designated coordinator for the Union institutions, bodies and agencies, for the purpose of coordinated vulnerability disclosure to the European vulnerability registry as referred to in Article 6 of Directive [proposal NIS 2].
2022/11/15
Committee: AFCO
Amendment 49 #
Proposal for a regulation
Recital 18
(18) In 2020, CERT-EU’s Steering Board set a new strategic aim for CERT- EU to guarantee a comprehensive level of cyber defence for all Union institutions, bodies and agencies with suitable breadth and depth and continuous adaptation to current or impending threats, including attacks against mobile devices, cloud environments and internet-of-things devices. The strategic aim also includes broad-spectrum Security Operations Centres (SOCs) that monitor networks, and 24/7 monitoring for high-severity threats. For the larger Union institutions, bodies and agencies, CERT-EU should support their ICT security teams, including with first-line 24/7 monitoring. For smaller and some medium-sized Union institutions, bodies and agencies, CERT-EU should provide all the services.
2022/11/15
Committee: AFCO
Amendment 52 #
Proposal for a regulation
Recital 24
(24) As the services and tasks of CERT- EU are in the interest of all Union institutions, bodies and agencies, each Union institution, body and agency with ICT expenditure should contribute a fair shareproportionally to those services and tasks. Those contributions are without prejudice to the budgetary autonomy of the Union institutions, bodies and agencies.
2022/11/15
Committee: AFCO
Amendment 66 #
Proposal for a regulation
Article 4 – paragraph 1
1. Each Union institution, body and agency shall establish its own internal cybersecurity risk management, governance and control framework (‘the framework’) in support of the entity’s mission and exercising its institutional autonomy. This work shall be overseen by the entity’s highest level of management to ensure an effective and prudent management of all cybersecurity risks. The framework shall be in place by …. at the latest [15 months after the date of entry into force of this Regulation].
2022/11/15
Committee: AFCO
Amendment 67 #
Proposal for a regulation
Article 4 – paragraph 2
2. The framework shall cover the entirety of the ICT environment of the concerned institution, body or agency, including any on-premise ICT environment, outsourced assets and services in cloud computing environments or hosted by third parties, mobile devices, corporate networks, business networks not connected to the internet and any devices connected to the ICT environment. The framework shall take account of business continuity and crisis management and it shall consider supply chain security as well as the management of human risks that could impact the cybersecurity of the concerned Union institution, body or agency.
2022/11/15
Committee: AFCO
Amendment 69 #
Proposal for a regulation
Article 4 – paragraph 4
4. Each Union institution, body and agency shall have effective mechanisms in place to ensure that an adequate percentaget least 10% of the ICT budget is spent on cybersecurity. The budget should eventually reach 10%.
2022/11/15
Committee: AFCO
Amendment 72 #
Proposal for a regulation
Article 5 – paragraph 1
1. The highest level of management of each Union institution, body and agency shall approve the entity’s own cybersecurity baseline to address the risks identified under the framework referred to in Article 4(1). It shall do so in support of its mission and exercising its institutional autonomy. The cybersecurity baseline shall be in place by …. at the latest [18 months after the date of entry into force of this Regulation] and shall address the domains listed in Annex I and the measures listed in Annex II.
2022/11/15
Committee: AFCO
Amendment 77 #
Proposal for a regulation
Article 6 – paragraph 1
Each Union institution, body and agency shall carry out a cybersecurity maturity assessment at least every three years, incorporating all the elements of their ICT environment as described in Article 4, taking account of the relevant guidance documents and recommendations adopted in accordance with Article 13.
2022/11/15
Committee: AFCO
Amendment 80 #
Proposal for a regulation
Article 7 – paragraph 3
3. The cybersecurity plan shall consider anytake into consideration all proposed measures expressed in applicable guidance documents and recommendations issued by CERT-EU.
2022/11/15
Committee: AFCO
Amendment 82 #
Proposal for a regulation
Article 7 – paragraph 3 a (new)
3a. The Union institutions, bodies and agencies shall submit their cybersecurity plans to the Interinstitutional Cybersecurity Board (IICB).
2022/11/15
Committee: AFCO
Amendment 83 #
Proposal for a regulation
Article 8 – paragraph 1
1. Upon completion of maturity assessments, the Union institutions, bodies and agencies shall submit thesem to the Interinstitutional Cybersecurity Board. Upon completion of security plans, the Union institutions, bodies and agencies shall notify the Interinstitutional Cybersecurity Board of the completion. Upon request of the Board, they shall report on specific aspects of this Chapter.
2022/11/15
Committee: AFCO
Amendment 84 #
Proposal for a regulation
Article 9 – paragraph 3 – subparagraph 1 – introductory part
The IICB shall consist of three representatives nominated by the Union Agencies Network (EUAN) upon a proposal of its ICT Advisory Committee to represent the interests of the agencies and bodies that run their own ICT environment and one representative designated by each of the following:
2022/11/15
Committee: AFCO
Amendment 87 #
Proposal for a regulation
Article 12 – paragraph 1
1. The mission of CERT-EU, the autonomous interinstitutional Cybersecurity Centre for all Union institutions, bodies and agencies, shall be to contribute to the security of the unclassified ICT environment of all Union institutions, bodies and agencies by advising them on cybersecurity, by helping them to prevent, detect, mitigate and respond to incidents and by acting as their cybersecurity information exchange and incident response coordination hub.
2022/11/15
Committee: AFCO
Amendment 88 #
Proposal for a regulation
Article 12 – paragraph 2 – point d
(d) raise to the attention of the IICB any issue relating to the implementation of this Regulation and of the implementation of the guidance documents, recommendations and calls for action and make proposals for redress;
2022/11/15
Committee: AFCO
Amendment 90 #
Proposal for a regulation
Article 12 – paragraph 5 – point a
(a) services that support the cybersecurity of Union institutions, bodies and agencies’ ICT environment, other than those referred to in paragraph 2, on the basis of service level agreements and subject to available resources;
2022/11/15
Committee: AFCO
Amendment 91 #
Proposal for a regulation
Article 12 – paragraph 5 – point b
(b) services that support cybersecurity operations or projects of Union institutions, bodies and agencies, other than those to protect their ICT environment, on the basis of written agreements and with the prior approval of the IICB;
2022/11/15
Committee: AFCO
Amendment 92 #
Proposal for a regulation
Article 12 – paragraph 5 – point c
(c) services that support the security of their ICT environment to organisations other than the Union institutions, bodies and agencies that cooperate closely with Union institutions, bodies and agencies, for instance by having assigned tasks or responsibilities under Union law, on the basis of written agreements and with the prior approval of the IICB.
2022/11/15
Committee: AFCO
Amendment 94 #
Proposal for a regulation
Article 12 – paragraph 7
7. CERT-EU may provide assistance to Union institutions, bodies and agencies regarding incidents in classified ICT environments if it is explicitly requested to do so by the constituent concerned.
2022/11/15
Committee: AFCO
Amendment 96 #
Proposal for a regulation
Article 16 – paragraph 1
1. CERT-EU shall cooperate and exchange information with national counterparts in the Member States, including CERTs, National Cybersecurity Centres, CSIRTs, and single points of contact referred to in Article 8 of Directive [proposal NIS 2], on cyber threats, vulnerabilities and incidents, on possible countermeasures and on all matters relevant for improving the protection of the ICT environments of Union institutions, bodies and agencies, including through the CSIRTs network referred to in Article 13 of Directive [proposal NIS 2].
2022/11/15
Committee: AFCO
Amendment 101 #
Proposal for a regulation
Article 19 – paragraph 1
1. To enable CERT-EU to coordinate vulnerability management and incident response, it may request Union institutions, bodies and agencies to provide it with information from their respective ICT system inventories that is relevant for the CERT-EU support. The requested institution, body or agency shall transmit the requested information, and any subsequent updates thereto, without undue delay.
2022/11/15
Committee: AFCO
Amendment 126 #
Proposal for a regulation
Article 24 – paragraph 3
3. The Commission shall evaluate the functioning of this Regulation and report to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions no sooner than fivthree years after the date of entry into force, given the rapidly evolving cyber threat landscape.
2022/11/15
Committee: AFCO
Amendment 130 #
Proposal for a regulation
Annex I – paragraph 1 – point 3
(3) asset management, including ICT asset inventory and ICT network cartography;
2022/11/15
Committee: AFCO
Amendment 133 #
Proposal for a regulation
Annex II – paragraph 1 – point 4 – point a
(a) the removal of contractual barriers that limit information sharing from ICT service providers about incidents, vulnerabilities and cyber threats with CERT-EU;
2022/11/15
Committee: AFCO