Activities of Marie-Christine VERGIAT related to 2013/0027(COD)

Shadow opinions (1)

OPINION on the proposal for a directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union
2016/11/22
Committee: LIBE
Dossiers: 2013/0027(COD)

Amendments (42)

Amendment 20
Proposal for a directive
Recital 1
(1) Network and information systems and services play a vital role in the society. Their reliability and security are essential to economic activities and, social welfare, and in particular to the functioning of the internal marketcommunications and exchanges between people, civil-society organisations and undertakings, as well as protection of, and respect for, private life and personal data.
2014/01/07
Committee: LIBE
Amendment 22
Proposal for a directive
Recital 2
(2) The magnitude and frequency of deliberate or accidental security incidents, whoever may be responsible for them, is increasing and represents a major threat to the functioning of networks and information systems. Such incidents can impede the pursuit of economic activities, generate substantial financial losses, undermine user confidence and cause major damage to the economy of the Union. They particularly harm members of the public and damage their confidence in IT systems when their personal data are processed on a massive scale and are subjected to surveillance without any appropriate control.
2014/01/07
Committee: LIBE
Amendment 23
Proposal for a directive
Recital 3
(3) As a communication instrument without frontiers, digital information systems, and primarily the Internet play an essential role in facilitating the cross-border movement of goods, services and people. Due to that transnational nature, substantial disruption of those systems in one Member State can also affect other Member States and the Union as a whole. The resilience and stability of network and information systems is therefore essential to the smooth functioning of the internal market and to communications and exchanges between people, civil-society organisations and undertakings.
2014/01/07
Committee: LIBE
Amendment 24
Proposal for a directive
Recital 4
(4) A cooperation mechanism should be established at Union level to allow for information exchange and coordinated detection and response regarding network and information security ("NIS"). For that mechanism to be effective and inclusive, it is essential that all Member States have minimum capabilities and a strategy ensuring a high level of NIS in their territory. Minimum security requirements should also apply to public administrations and operators of critical information infrastructure to promote a culture of risk management and ensure that the most serious incidents are reported. This requires the establishment of appropriate training courses which, inter alia, deal with the impact of these incidents on data protection and protection of the private life of citizens.
2014/01/07
Committee: LIBE
Amendment 26
Proposal for a directive
Recital 5
(5) To cover all relevant incidents and risks, this Directive should apply to all network and information systems. The obligations on public administrations and undertakings should however not apply to undertakings providing public communication networks or publicly available electronic communication services within the meaning of Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive)25, which are subject to the specific security and integrity requirements laid down in Article 13a of that Directive nor should they apply to trust service providers. __________________ 25 OJ L 108, 24.4.2002, p. 33.
2014/01/07
Committee: LIBE
Amendment 27
Proposal for a directive
Recital 6
(6) The existing capabilities are not sufficient enough to ensure a high level of NIS within the Union. Member States have very different levels of preparedness leading to fragmented approaches across the Union. This leads to an unequal level of protection of consumers and businesses, and undermines the overall level of NIS within the Union. Lack of common minimum requirements on public administrations and undertakings in turn makes it impossible to set up a global and effective mechanism for cooperation at Union level.
2014/01/07
Committee: LIBE
Amendment 29
Proposal for a directive
Recital 8
(8) The provisions of this Directive should be without prejudice to the possibility for each Member State to take the necessary measures to ensure the protection of its essential security interests, to safeguard public policy and public security, and to permit the investigation, detection and prosecution of criminal offences, with the proviso that they should not take this as a pretext for failing to comply with their more general obligations with regard to respect for the protection of private life and personal data. In accordance with Article 346 TFEU, no Member State is to be obliged to supply information the disclosure of which it considers contrary to the essential interests of its security.
2014/01/07
Committee: LIBE
Amendment 30
Proposal for a directive
Recital 9
(9) To achieve and maintain a common high level of security of network and information systems, each Member State should have a national NIS strategy defining the strategic objectives and concrete policy actions to be implemented. NIS cooperation plans complying with essential requirements need to be developed at national level in order to reach capacity response levels allowing for effective and efficient cooperation at national and Union level in case of incidents, respecting and protecting private life and personal data.
2014/01/07
Committee: LIBE
Amendment 35
Proposal for a directive
Recital 15
(15) As most network and information systems are operated by private undertakings, cooperation between the public and private sector is essential. Undertakings should be encouraged to pursue their own informal cooperation mechanisms to ensure NIS. They should also cooperate with the public sector and share information and best practices in exchange of operational support in case of incidents.
2014/01/07
Committee: LIBE
Amendment 38
Proposal for a directive
Recital 16
(16) To ensure transparency and properly inform EU citizens and undertakings, the competent authorities should set up a common website to publish non confidential information on the incidents and risks and on simple measures to protect information systems.
2014/01/07
Committee: LIBE
Amendment 43
Proposal for a directive
Recital 21
(21) Given the global nature of NIS problems, there is a need for closer international cooperation to improve security standards and information exchange, and promote a common global approach to NIS issues, with the proviso that the States with which this cooperation is planned have data control and protection instruments which ensure the same level of security as those of the EU.
2014/01/07
Committee: LIBE
Amendment 45
Proposal for a directive
Recital 22
(22) Responsibilities in ensuring NIS lie to a great extent on public administrations and undertakings. A culture of risk management, involving risk assessment and the implementation of security measures appropriate to the risks facedwhich seek to anticipate security incidents, whether deliberate or accidental, should be promoted and developed through appropriate regulatory requirements and voluntary industry practices. Establishing a level playing field is also essential to the effective functioning of the cooperation network to ensure effective cooperation from all Member States.
2014/01/07
Committee: LIBE
Amendment 46
Proposal for a directive
Recital 22 a (new)
(22a) Public administrations and private undertakings, including network service-providers and suppliers of information and software, should regard the protection of their information systems and of the data which they contain as forming part of their duty of care. Appropriate levels of protection should be provided against reasonably identifiable threats and areas of vulnerability. The cost and burden of such protection should reflect the likely damage which a cyber-attack would cause to those affected.
2014/01/07
Committee: LIBE
Amendment 49
Proposal for a directive
Recital 25
(25) Technical and organisational measures imposed to public administrations and undertakings should not require that a particular commercial information and communications technology product be designed, developed or manufactured in a particular manner.
2014/01/07
Committee: LIBE
Amendment 50
Proposal for a directive
Recital 26
(26) The public administrations and undertakings should ensure security of the networks and systems which are under their control. These would be primarily private networks and systems managed either by their internal IT staff or the security of which has been outsourced. The security and notification obligations should apply to the relevant undertakings and public administrations regardless of whether they perform the maintenance of their network and information systems internally or outsource it.
2014/01/07
Committee: LIBE
Amendment 54
Proposal for a directive
Recital 27
(27) To avoid imposing a disproportionate financial and administrative burden on small operators and users, the requirements should be proportionate to the risk presented by the network or information system concerned, taking into account the state of the art of such measures. These requirements should not apply to small undertakings unless they fall within the field of the sensitive sectors to which the obligations pursuant to Directive 2002/58/EC of 12 July 2002 are extended by this Directive, as the risk in this field depends not on the size of the undertaking but on the nature and volume of the data processed.
2014/01/07
Committee: LIBE
Amendment 56
Proposal for a directive
Recital 28
(28) Competent authorities should pay due attention to preserving informal and trusted channels of information-sharing between market operators and between the public and the private sectors. Publicity of incidents reported to the competent authorities should duly balance the interest of the public in being informed about threats with possible reputational and commercial damages for the public administrations and market operators reporting incidentsundertakings and the public sector. In the implementation of the notification obligations, competent authorities should pay particular attention to the need to maintain information about product vulnerabilities strictly confidential prior to the release of appropriate security fixes.
2014/01/07
Committee: LIBE
Amendment 57
Proposal for a directive
Recital 29
(29) Competent authorities should have the necessary means to perform their duties, including powers to obtain sufficient information from undertakings and public administrations in order to assess the level of security of network and information systems as well as reliable and comprehensive data about actual incidents that have had an impact on the operation of network and information systems.
2014/01/07
Committee: LIBE
Amendment 60
Proposal for a directive
Recital 30
(30) Criminal activities are in manycertain cases underlying an incident. The criminal nature of incidents can be suspected even if the evidence to support it may not be sufficiently clear from the start. In this context, and incidents may constitute criminal offences. In these cases, appropriate co-operation between competent authorities and law enforcement authorities should form part of an effective and comprehensive response to the threat of security incidents. In particular, promoting a safe, secure and more resilient environment requires a systematic reporting of incidents of a suspected serious criminal nature to law enforcement authorities. The serious criminal nature of incidents should be assessed in the light of EU laws on cybercrime.
2014/01/07
Committee: LIBE
Amendment 66
Proposal for a directive
Recital 33
(33) The Commission should periodically review this Directive, in particular with a view to determining the need for modification in the light of changing technological or market conditions and of obligations geared to the highest level of security and integrity of networks and information and protection of private life and personal data.
2014/01/07
Committee: LIBE
Amendment 67
Proposal for a directive
Recital 38
(38) Information that is considered confidential by a competent authority, in accordance with Union and national rules on business confidentiality, should be exchanged with the Commission and other competent authorities only where such exchange is strictly necessary for the application of this Directive, including for the purpose of applying the criminal law. The information exchanged should be limited to that which is relevant and proportionate to the purpose of such exchange.
2014/01/07
Committee: LIBE
Amendment 68
Proposal for a directive
Recital 39
(39) The sharing of information on risks and incidents within the cooperation network and compliance with the requirements to notify incidents to the national competent authorities may require the processing of personal data. SWhere such a processing of personal data is necessary to meet the objectives of public interest pursued by this Directive and is thus, it may be legitimate under Article 7 of Directive 95/46/EC. It does not constitute, in relation to these legitimate aims, a disproportionate and intolerable interference impairing the very substance of, however, relieve the competent authorities of the obligation to act proportionately, in a way which is likely not to impair the right to the protection of personal data guaranteed by Article 8 of the Charter of fundamental rights. In the application of this Directive, Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents31 should apply as appropriate31. When data are processed by Union institutions and bodies, such processing for the purpose of implementing this Directive should comply with Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data. __________________ 31 OJ L 145, 31.05.01, p. 43.
2014/01/07
Committee: LIBE
Amendment 70
Proposal for a directive
Article 1 – paragraph 2 – point c
(c) establishes security requirements for undertakings and public administrations.
2014/01/07
Committee: LIBE
Amendment 71
Proposal for a directive
Article 1 – paragraph 5
5. This Directive shall also be without prejudice tofully respects Directive 95/46/CEC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data33, and to Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector and to the Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data34. __________________ 33 OJ L 281, 23.11.95, p. 31. 34 SEC (2012) 72 final.
2014/01/07
Committee: LIBE
Amendment 75
Proposal for a directive
Article 3 – point 2
(2) "security" means the ability of a network and information system to resist, at a given level of confidence, accident or malicious action that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted data or the related services offered by or accessible via that network and information system;
2014/01/07
Committee: LIBE
Amendment 77
Proposal for a directive
Article 3 – point 8 – introductory part
(8) "market operator"“undertakings” means:
2014/01/07
Committee: LIBE
Amendment 85
Proposal for a directive
Article 5 – paragraph 2 – point a
(a) A risk assessment plan to identify risks and assess the impacts of potential incidentsmanagement framework incorporating, at the minimum, regular assessment to identify risks and assess the impacts of potential incidents, and measures to preserve the security and integrity of information, including early warning;
2014/01/07
Committee: LIBE
Amendment 91
Proposal for a directive
Article 6 – paragraph 5
5. The competent authorities shall consult and cooperate, whenever appropriate, with the relevant law enforcement national authorities and data protection authorities in cases where this appears necessary, taking account of the principle of proportionality, and shall cooperate with them whenever appropriate.
2014/01/07
Committee: LIBE
Amendment 106
Proposal for a directive
Article 8 – paragraph 3 – point i
(i) organise NIS exercises at Union level and participate, as appropriate, in international NIS exercises, with the proviso that the data of European citizens must be protected by the Member States concerned.
2014/01/07
Committee: LIBE
Amendment 107
Proposal for a directive
Article 9 – paragraph 1 a (new)
1a. Personal data shall be communicated only to recipients authorised to process them for the purpose of carrying out their duties. The data communicated shall be confined to those necessary for the purpose of carrying out those duties in accordance with European law on the subject. Compliance with the purpose limitation principle shall be ensured. The time limit for the retention of these data shall not exceed six months, which may be extended once for the same period.
2014/01/07
Committee: LIBE
Amendment 114
Proposal for a directive
Article 13
Without prejudice to the possibility for the cooperation network to have informal international cooperation, the Union may conclude international agreements with third countries or international organisations allowing and organizing their participation in some activities of the cooperation network. Such agreement shall take into account the need to ensure adequate protection of the personal data circulating on themay be concluded only with Member States which protect the data of their citizens to a level comparable to that of the Union and which enables European citizens to defend their rights within their territory. Otherwise they may only engage in informal cooperation network.
2014/01/07
Committee: LIBE
Amendment 117
Proposal for a directive
Article 14 – paragraph 1
1. Member States shall ensure that public administrations and undertakings take appropriate technical and organisational measures to manage the risks posed to the security of the networks and information systems which they control and use in their operations. Having regard to the state of the art, these measures shall guarantee a level of security appropriate to the risk presented. In particular, measures shall be taken to prevent and minimise the impact of incidents affecting their network and information system on the core services they provide and thus ensure the continuity of the services underpinned by those networks and information systems.
2014/01/07
Committee: LIBE
Amendment 121
Proposal for a directive
Article 14 – paragraph 2
2. Member States shall ensure that public administrations and undertakings notify to the competent authority incidents having a significant impact on the security of the core services they provide.
2014/01/07
Committee: LIBE
Amendment 124
Proposal for a directive
Article 14 – paragraph 3
3. The requirements under paragraphs 1 and 2 apply to all undertakings providing services within the European Union.
2014/01/07
Committee: LIBE
Amendment 126
Proposal for a directive
Article 14 – paragraph 4
4. The competent authority may inform the public, or require the public administrations and undertakings to do so, where it determines that disclosure of the incident is in the public interest. Once a year, the competent authority shall submit a summary report to the cooperation network on the notifications received and the action taken in accordance with this paragraph.
2014/01/07
Committee: LIBE
Amendment 129
Proposal for a directive
Article 14 – paragraph 5
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 18 concerning the definition of circumstances in which public administrations and undertakings are required to notify incidents.
2014/01/07
Committee: LIBE
Amendment 131
Proposal for a directive
Article 14 – paragraph 6
6. Subject to any delegated act adopted under paragraph 5, the competent authorities may adopt guidelines and, where necessary, issue instructions concerning the circumstances in which public administrations and undertakings are required to notify incidents.
2014/01/07
Committee: LIBE
Amendment 134
Proposal for a directive
Article 15 – paragraph 1
1. Member States shall ensure that the competent authorities have all the powers necessary to investigate cases of non-compliance of public administrations or undertakings with their obligations under Article 14 and the effects thereof on the security of networks and information systems.
2014/01/07
Committee: LIBE
Amendment 135
Proposal for a directive
Article 15 – paragraph 2 – introductory part
2. Member States shall ensure that the competent authorities have the power to require undertakings and public administrations to:
2014/01/07
Committee: LIBE
Amendment 137
Proposal for a directive
Article 15 – paragraph 3
3. Member States shall ensure that competent authorities have the power to issue binding instructions to undertakings and public administrations.
2014/01/07
Committee: LIBE
Amendment 140
Proposal for a directive
Article 15 – paragraph 6
6. Member States shall ensure that any obligations imposed on public administrations and undertakings under this Chapter may be subject to judicial review.
2014/01/07
Committee: LIBE
Amendment 145
Proposal for a directive
Annex 2 – title
List of undertakings to which this directive applies
2014/01/07
Committee: LIBE