Activities of Evžen TOŠENOVSKÝ related to 2022/0085(COD)
Shadow reports (1)
REPORT on the proposal for a regulation of the European Parliament and of the Council laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union
Amendments (59)
Amendment 101 #
Proposal for a regulation
Recital 7
(7) The differences between Union institutions, bodies and agencies require flexibility in the implementation since one size will not fit all. The measures for a high common level of cybersecurity should not include any obligations directly interfering with the exercise of the missions of Union institutions, bodies and agencies or encroaching on their institutional autonomy. Thus, those institutions, bodies and agencies should establish their own frameworks for cybersecurity risk management, governance and control, and adopt their own cybersecurity management measures and cybersecurity plans, covering their entire ICT environment.
Amendment 111 #
Proposal for a regulation
Recital 12
Amendment 115 #
Proposal for a regulation
Recital 14
(14) In addition to giving CERT-EU more tasks and an expanded role, an Interinstitutional Cybersecurity Board (IICB) should be established, which should facilitate a high common level of cybersecurity among Union institutions, bodies and agencies by monitoring the implementation of this Regulation by the Union institutions, bodies and agencies and by supervising implementation of general priorities and objectives by CERT-EU and providing strategic direction to CERT-EU. The IICB should ensure representation of the institutions and include representatives of agencies and bodies through the Union Agencies Network. Taking into account the number of staff members and the dimension of their ICT environment, the European Parliament, the Council of the European Union and the European Commission should be represented by two representatives. As regards the European Parliament, one representative should be nominated by its General Secretariat, and one by the competent committee. Similarly, one representative of the Council should be nominated by its General Secretariat, and one by the Presidency of the Council.
Amendment 125 #
Proposal for a regulation
Recital 24 a (new)
(24 a) This Regulation should however reflect that, apart from the Union institutions, most Union entities, and particularly the small ones, do not have the necessary financial and human resources to dedicate to additional cybersecurity tasks.
Amendment 139 #
Proposal for a regulation
Article 1 – paragraph 1 – point c
(c) rules on the organisation and operation of the computer emergency response team for the Union entities (CERT-EU) and on the organisation and operation of the Interinstitutional Cybersecurity Board (IICB).
Amendment 142 #
Proposal for a regulation
Article 3 – paragraph 1 – point 1 a (new)
(1 a) ‘ICT environment’ means the entire on-premise ICT environment of a Union entity (covering also dislocated premises and decentralised offices, such as the Liaison Offices, Representative Offices or Local Offices), outsourced assets and services in cloud computing environments or hosted by third parties, mobile devices, corporate networks, business networks not connected to the internet and any connected devices;
Amendment 148 #
Proposal for a regulation
Article 3 – paragraph 1 – point 7
Amendment 151 #
Proposal for a regulation
Article 3 – paragraph 1 – point 8
(8) ‘major incident’ means any incident whose disruption exceeds an affected Union entity’s and CERT-EU’s capacity to respond to it, or with significant impact on at least two Union entities, or where a large-scale cybersecurity incident referred to in Article 4(5a) of Directive [proposal NIS 2] has significant impact on at least one Union entity;
Amendment 156 #
Proposal for a regulation
Article 3 – paragraph 1 – point 11
(11) ‘significant cyber threat’ means a cyber threat within the meaning of Article 4(7a) of Directive [proposal NIS 2];
Amendment 160 #
Proposal for a regulation
Article 3 – paragraph 1 – point 14
(14) ‘risk’ means a risk within the meaning of Article 4(7b) of Directive [proposal NIS 2];
Amendment 164 #
Proposal for a regulation
Article 3 – paragraph 1 – point 14 a (new)
(14 a) ‘standard’ means a standard within the meaning of Article 4(10) of Directive [proposal NIS 2];
Amendment 165 #
Proposal for a regulation
Article 3 – paragraph 1 – point 14 b (new)
(14 b) ‘technical specification’ means a technical specification within the meaning of Article 4(11) of Directive [proposal NIS 2];
Amendment 166 #
Proposal for a regulation
Article 3 – paragraph 1 – point 14 c (new)
(14 c) ‘ICT product’ means an ICT product within the meaning of Article 2(12) of Regulation (EU) 2019/881;
Amendment 167 #
Proposal for a regulation
Article 3 – paragraph 1 – point 14 d (new)
(14 d) ‘ICT service’ means an ICT service within the meaning of Article 2(13) of Regulation (EU) 2019/881;
Amendment 168 #
Proposal for a regulation
Article 3 – paragraph 1 – point 14 e (new)
(14 e) ‘ICT process’ means an ICT process within the meaning of Article 2(14) of Regulation (EU) 2019/881;
Amendment 169 #
Proposal for a regulation
Article 3 – paragraph 1 – point 15
Amendment 171 #
Proposal for a regulation
Article 3 – paragraph 1 – point 16
Amendment 179 #
Proposal for a regulation
Article 4 – paragraph 2
2. The framework shall cover the entirety of the IT environment of the concerned Union entity. The framework shall take account of business continuity and crisis management and it shall consider supply chain security as well as the management of human risks that could impact the cybersecurity of the concerned Union institution, body or agency.
Amendment 183 #
Proposal for a regulation
Article 4 – paragraph 3
3. The highest level of management of each Union entity shall be responsible for the implementation and provide oversight over the compliance of their organisation with the obligations related to cybersecurity risk management, governance, and control, without prejudice to the formal responsibilities of other levels of management for compliance and risk management in their respective areas of responsibility. The highest level of management of each Union entity may be held liable for breach of their duties to ensure compliance with the obligations laid down in this Regulation.
Amendment 189 #
Proposal for a regulation
Article 4 – paragraph 5 a (new)
5 a. On the basis of a mutual agreement, a Union entity or several Union entities may appoint the same Local Cybersecurity Officer as another Union entity.
Amendment 191 #
Proposal for a regulation
Article 5 – title
Cybersecurity risk management measures
Amendment 193 #
Proposal for a regulation
Article 5 – paragraph 1
1. The highest level of management of each Union institution, body and agency shall approve the entity’s own cybersecurity risk management measures to address the risks identified under the framework referred to in Article 4(1). It shall do so in support of its mission and exercising its institutional autonomy. The cybersecurity risk management measures shall be in place by …. at the latest [6 months after establishing the framework referred to in paragraph 1 of Article 4] and shall address the following domains:
(a) cybersecurity policy, including objectives and priorities for security of network and information systems, in particular regarding the use of cloud computing services (within the meaning of Article 4(19) of Directive [proposal NIS 2]) and technical arrangements to enable teleworking;
(b) organisation of cybersecurity, including definition of roles and responsibilities;
(c) asset management, including IT asset inventory and IT network cartography;
(d) access control;
(e) operations security;
(f) communications security;
(g) system acquisition, development and maintenance;
(h) supply chain security and supplier relationships;
(i) incident management, including approaches to improve the preparedness, response to and recovery from incidents and cooperation with CERT-EU, such as the maintenance of security monitoring and logging;
(j) business continuity management and crisis management;
(k) cybersecurity education, awareness-raising and training programmes.
Amendment 198 #
Proposal for a regulation
Article 5 – paragraph 1 a (new)
1 a. Union institutions, bodies and agencies shall address at least the following specific cybersecurity measures in the implementation of the cybersecurity baseline and in their cybersecurity plans, in line with the guidance documents and recommendations from the IICB:
(a) concrete steps for moving towards Zero Trust Architecture (meaning a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries);
(b) the adoption of multifactor authentication as a norm across network and information systems;
(c) the establishment of software supply chain security through criteria for secure software development and evaluation;
(d) the enhancement of procurement rules to facilitate a high common level of cybersecurity through:
- the removal of contractual barriers that limit information sharing from IT service providers about incidents, vulnerabilities and cyber threats with CERT-EU;
- the contractual obligation to report incidents, vulnerabilities and cyber threats as well as to have appropriate incident response and monitoring in place.
Amendment 206 #
Proposal for a regulation
Article 6 – paragraph 1
1. Each Union entity shall carry out a cybersecurity maturity assessment at least every three years, incorporating all the elements of their IT environment as described in Article 4, taking account of the relevant guidance documents and recommendations adopted in accordance with Article 13.
Amendment 208 #
Proposal for a regulation
Article 6 – paragraph 1 a (new)
2. Small Union entities with similar tasks or structure may carry out a combined maturity assessment.
Amendment 220 #
Proposal for a regulation
Article 9 – paragraph 3 – subparagraph 1 – introductory part
The IICB shall consist of:
- two representatives designated by each of the following:
Amendment 221 #
Proposal for a regulation
Article 9 – paragraph 3 – subparagraph 1 – point c – indent 1 (new)
- one representative designated by each of the following:
Amendment 223 #
Proposal for a regulation
Article 9 – paragraph 3 – subparagraph 1 – point k a (new)
(k a) the European Cybersecurity Industrial, Technology and Research Competence Centre;
Amendment 225 #
Proposal for a regulation
Article 9 – paragraph 3 – subparagraph 1 – point k b (new)
(k b) the European Union Agency for the Space Programme;
Amendment 227 #
Proposal for a regulation
Article 9 – paragraph 3 – subparagraph 2
Amendment 229 #
Proposal for a regulation
Article 9 – paragraph 3 – subparagraph 2 – indent 1 (new)
- three representatives designated by the Union Agencies Network (EUAN) upon a proposal of its ICT Advisory Committee to represent the interests of the agencies, offices and bodies other than those referred to in points (k), (k a) and (k b) that run their own IT environment.
Amendment 230 #
Proposal for a regulation
Article 9 – paragraph 3 a (new)
3 a. Members may be assisted by an alternate. Other representatives of the organisations listed above or of other Union institutions, bodies and agencies may be invited by the chair to attend IICB meetings without voting power.
Amendment 231 #
Proposal for a regulation
Article 9 – paragraph 3 b (new)
3 b. The Head of CERT-EU and the chairs of the Cooperation Group, the CSIRTs Network and the EU-CyCLONe, referred to in Articles 12, 13 and 14 of [NIS2 Directive], or their alternates, may participate in IICB meetings as observers, except where otherwise decided by the IICB.
Amendment 232 #
Proposal for a regulation
Article 9 – paragraph 5
5. The IICB shall designate a chair, in accordance with its internal rules of procedure, from among its members for a period of four years. His or her alternate shall become a full member with voting rights of the IICB for the same duration.
Amendment 234 #
Proposal for a regulation
Article 9 – paragraph 9
Amendment 237 #
Proposal for a regulation
Article 9 – paragraph 10
10. The secretariat of the IICB shall be provided by ENISA.
Amendment 251 #
Proposal for a regulation
Article 10 – paragraph 1 – point i a (new)
(i a) facilitate the exchange of best practices among the Local Cybersecurity Officers and issue, where appropriate, recommendations on their role within the Union entities;
Amendment 260 #
Proposal for a regulation
Article 11 – paragraph 1 – introductory part
Amendment 267 #
Proposal for a regulation
Article 11 – paragraph 1 a (new)
1. The IICB shall monitor the implementation of this Regulation and of adopted guidance documents, recommendations and calls for action by the Union institutions, bodies and agencies.
Amendment 269 #
Proposal for a regulation
Article 11 – paragraph 1 b (new)
2. Where small Union entities notify that they are unable to meet the deadlines referred to in Articles 4(1) and 5(1), the IICB shall authorise their prolongation and set the deadlines for compliance.
Amendment 272 #
Proposal for a regulation
Article 12 – paragraph 1
1. The mission of CERT-EU, the autonomous interinstitutional Cybersecurity Centre for all Union institutions, bodies and agencies, shall be to contribute to the security of the unclassified ICT environment of all Union entities and to provide for them services analogous to those of the CSIRTs established by the Member States under [NIS Directive], particularly by advising them on cybersecurity, by helping them to prevent, detect, mitigate and respond to incidents and by acting as their cybersecurity information exchange and incident response coordination hub.
Amendment 273 #
Proposal for a regulation
Article 12 – paragraph 2 – point b a (new)
(b a) operate, for smaller and some medium-sized Union entities, a broad-spectrum Security Operations Centre (SOC) that monitors networks, including first-line 24/7 monitoring for high-severity threats;
Amendment 279 #
Amendment 284 #
Proposal for a regulation
Article 12 – paragraph 5 – point a
(a) services that support the cybersecurity of Union entities’ ICT environment, other than those referred to in paragraph 2, on the basis of service level agreements and subject to available resources, including, via its Security Operations Centre referred to in paragraph 2(ba) of this Article, monitoring of the networks and first-line 24/7 monitoring for high-severity threats for larger Union entities;
Amendment 307 #
Proposal for a regulation
Article 14 – paragraph 1 a (new)
The Commission, after having obtained the approval by two-thirds of the IICB, shall appoint the Head of CERT-EU. The IICB shall be consulted at all stages of the procedure prior to the appointment of the Head of CERT-EU, in particular in drafting vacancy notices, examining applications and appointing selection boards in relation to this post.
Amendment 309 #
Proposal for a regulation
Article 15 – paragraph 1
Amendment 335 #
Proposal for a regulation
Article 20 – title
Amendment 345 #
Proposal for a regulation
Article 20 – paragraph 1 a (new)
1 a. -1. Union entities shall notify CERT-EU, without undue delay, of any incident having a significant impact on their functioning. Where appropriate, those entities shall notify, without undue delay, other relevant Union entities that are likely to be adversely affected. The Union entities shall report, inter alia, any information enabling CERT-EU to determine any cross-entity impact, impact on the hosting Member State or cross-border impact of the incident. The mere act of notification shall not subject the notifying Union entity to increased liability. In the case of a cross-institutional or cross-sectoral incident, CERT-EU shall in due time inform the relevant Union entities or Member States.
Amendment 346 #
Proposal for a regulation
Article 20 – paragraph 1 b (new)
1 b. -2. Where applicable, Union entities are required to communicate, without undue delay, to other Union entities that are potentially affected by a significant cyber threat, the threat itself and any measures or remedies that those recipients are able to take in response to that threat.
Amendment 347 #
Proposal for a regulation
Article 20 – paragraph 1 c (new)
1 c. -3. An incident shall be considered significant if:
(a) the incident has caused or is capable of causing severe operational disruption of the service or financial losses for the entity concerned;
(b) the incident has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material losses.
Amendment 369 #
Proposal for a regulation
Article 22 – title
Major incidents
Amendment 374 #
Proposal for a regulation
Article 22 – paragraph 3
3. With the approval of the concerned Union institutions, bodies and agencies, CERT-EU may also call on experts from the list referred to in paragraph 2 for contributing to the response to a major attack in a Member State, in line with the Joint Cyber Unit’s operating procedures.
Amendment 377 #
Proposal for a regulation
Article 23 – title
Initial budgetary arrangements
Amendment 378 #
Proposal for a regulation
Article 23 – paragraph 1
1. The Commission shall, in its proposal for the first budget to be adopted following the entry into force of this Regulation, take into account the increased budgeting and staffing needs of all Union entities, and particularly the small ones, associated with the new obligations stemming from this Regulation.
2. In order to ensure proper and stable functioning of CERT-EU, the Commission may propose the reallocation of staff and financial resources from some large Union entities, particularly the EU institutions, to the Commission budget. The reallocation shall be effective at the same time as the first budget adopted following the entry into force of this Regulation.
Amendment 380 #
Proposal for a regulation
Article 24 – paragraph 1
1. The IICB, with the assistance of CERT-EU, shall periodically report to the Commission on the implementation of this Regulation and on the experience gained at a strategic and operational level. The IICB may also make recommendations to the Commission to propose amendments to this Regulation.
Amendment 382 #
Proposal for a regulation
Article 24 – paragraph 2
2. By ... [36 months after the transposition deadline of this Directive] and every 36 months thereafter, the Commission shall review the functioning of this Regulation, and report to the European Parliament and to the Council. The report shall also assess possible organisational integration of CERT-EU into ENISA. The Commission shall take into account the reports of the IICB referred to in paragraph 1 of this Article. The report shall be accompanied, where necessary, by a legislative proposal.
Amendment 385 #
Proposal for a regulation
Article 24 – paragraph 3
Amendment 387 #
Proposal for a regulation
Annex I
Amendment 395 #
Proposal for a regulation
Annex II