27 Amendments of Maria da Graça CARVALHO related to 2013/0027(COD)
Amendment 128 #
Proposal for a directive
Recital 1
(1) Network and information systems and services play a vital role in the society. Their reliability and security are essential to the freedom and overall security for the citizens of the EU as well as to economic activities and social welfare, and in particular to the functioning of the internal market.
Amendment 130 #
Proposal for a directive
Recital 2
(2) The magnitude and frequency of deliberate or accidental security incidents is increasing and represents a major threat to the functioning of networks and information systems. Such incidents can impede the pursuit of economic activities, generate substantial financial losses, undermine user and investor confidence and cause major damage to the economy of the Union.
Amendment 132 #
Proposal for a directive
Recital 3
(3) As a communication instrument without traditional frontiers, digital information systems, and primarily the Internet, play an essential role in facilitating the cross-border movement of goods, services, ideas and people. Due to that transnational nature, substantial disruption of those systems in one Member State can also affect other Member States and the Union as a whole. The resilience and stability of network and information systems is therefore essential to the smooth functioning of the internal market and, moreover, to the functioning of external markets too.
Amendment 136 #
Proposal for a directive
Recital 4
(4) A cooperation mechanism should be established at Union level to allow for information exchange and coordinated detection and response regarding network and information security (‘NIS’). For that mechanism to be effective and inclusive, it is essential that all Member States have minimum capabilities and a strategy ensuring a high level of NIS in their territory. Minimum security requirements should also apply to public administrations, operators of critical information infrastructure and stock listed companies to promote a culture of risk management and ensure that the most serious incidents are reported.
Amendment 150 #
Proposal for a directive
Recital 9
(9) To achieve and maintain a common high level of security of network and information systems, each Member State should have a national NIS strategy defining the strategic objectives and concrete policy actions to be implemented. NIS cooperation plans complying with essential requirements need to be developed at national level in order to reach capacity response levels allowing for effective and efficient cooperation at national and Union level in case of incidents. Each Member State should therefore be obliged to meet common standards regarding data format and the exchangeability of data to be shared and evaluated.
Amendment 155 #
Proposal for a directive
Recital 11
(11) All Member States and market operators should be adequately equipped, both in terms of technical and organisational capabilities, to prevent, detect, respond to and mitigate network and information systems' incidents and risks. Commonly required equipment and capabilities ought to comply with commonly agreed technical standards as well as standard procedures of operation (SPO). Well-functioning Computer Emergency Response Teams complying with essential requirements should therefore be established in all Member States to guarantee effective and compatible capabilities to deal with incidents and risks and ensure efficient cooperation at Union level. These CERTs should be enabled to interact on the basis of common technical standards and SPO.
Amendment 161 #
Proposal for a directive
Recital 13
(13) The European Network and Information Security Agency (‘ENISA’) should assist the Member States and the Commission by providing its expertise and advice and by facilitating exchange of best practices. In particular, in the application of this Directive, the Commission should consult ENISA. To ensure effective and timely information to the Member States and the Commission, early warnings on incidents and risks should be notified within the cooperation network. To build capacity and knowledge among Member States, the cooperation network should also serve as an instrument for the exchange of best practices, assisting its members in building capacity, steering the organisation of peer reviews and NIS exercises.
Amendment 167 #
Proposal for a directive
Recital 15
(15) As most network and information systems are privately operated, cooperation between the public and private sector is essential. Market operators should be encouraged to pursue their own informal cooperation mechanisms to ensure NIS. They should also cooperate with the public sector and share information and best practices in exchange for operational support and information in case of incidents.
Amendment 170 #
Proposal for a directive
Recital 16
(16) To ensure transparency and properly inform EU citizens and market operators, the competent authorities should set up a common website to publish non-confidential information on the incidents and risks and, where appropriate, to advise on appropriate maintenance measures.
Amendment 185 #
Proposal for a directive
Recital 27
(27) To avoid imposing a disproportionate financial and administrative burden on small operators and users, the requirements should be proportionate to the risk presented by the network or information system concerned, taking into account the state of the art of such measures. These requirements should not apply to micro enterprises.
Amendment 189 #
Proposal for a directive
Recital 28
(28) Competent authorities should pay due attention to preserving informal and trusted channels of information-sharing between market operators and between the public and the private sectors. Publicity of incidents reported to the competent authorities should duly balance the interest of the public in being informed about threats with possible reputational and commercial damages for the public administrations and market operators reporting incidents. In the implementation of the notification obligations, competent authorities should pay particular attention to the need to maintain information about product vulnerabilities strictly confidential prior to the release of appropriate security fixes, though without delaying any notification more than compulsorily required.
Amendment 193 #
Proposal for a directive
Recital 30
(30) Criminal activities in many cases underlie an incident. The criminal nature of incidents can be suspected even if the evidence to support it may not be sufficiently clear from the start. In this context, appropriate cooperation between competent authorities and law enforcement authorities as well as cooperation with the EC3 (Europol Cybercrime Centre) and ENISA should form part of an effective and comprehensive response to the threat of security incidents. In particular, promoting a safe, secure and more resilient environment requires a systematic reporting of incidents of a suspected serious criminal nature to law enforcement authorities. The serious criminal nature of incidents should be assessed in the light of EU laws on cybercrime.
Amendment 195 #
Proposal for a directive
Recital 31
(31) Personal data are in many cases compromised as a result of incidents. Member States and market operators should protect personal data stored, processed or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorised or unlawful storage, access or disclosure, dissemination, or access; and ensure the implementation of a security policy with respect to the processing of personal data. In this context, competent authorities and data protection authorities should cooperate and exchange information on all relevant matters to tackle the personal data breaches resulting from incidents. Member States shall implement the obligation to notify security incidents in a way that minimises the administrative burden in case the security incident is also a personal data breach in line with the Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data28. Liaising with the competent authorities and the data protection authorities, ENISA could assist by developing information exchange mechanisms and templates avoiding the need for two notification templates. This single notification template would facilitate the reporting of incidents compromising personal data, thereby easing the administrative burden on businesses and public administrations.
__________________
28 SEC(2012) 72 final
Amendment 199 #
Proposal for a directive
Recital 33
(33) The Commission should periodically review this Directive, in particular with a view to determining the need for modification in the light of changing societal, political, technological or market conditions.
Amendment 206 #
Proposal for a directive
Article 1 – paragraph 4
4. This Directive shall be without prejudice to EU laws on cybercrime and Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection32. However, that Directive shall be reviewed without further delay, in particular regarding the inclusion of ICT as a European Infrastructure.
__________________
32 OJ L 345, 23.12.2008, p. 75.
Amendment 211 #
Proposal for a directive
Article 3 – paragraph 1 – point 1 – point b
(b) any device or group of inter-connected or related devices, one or more of which, pursuant to a program, perform automatic processing of digital data, as well as
Amendment 212 #
Proposal for a directive
Article 3 – paragraph 1 – point 1 – point c
(c) digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance.
Amendment 213 #
Proposal for a directive
Article 3 – paragraph 1 – point 2
(2) ‘security’ means the ability of a network and information system to resist, at a given level of confidence, accidents or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted data or the related services offered by or accessible via that network and information system; ‘security’ as defined here includes appropriate technical devices, solutions and operating procedures ensuring the security requirements set forth in this Directive.
Amendment 217 #
Proposal for a directive
Article 3 – paragraph 1 – point 7
(7) ‘incident handling’ means all procedures supporting the detection, prevention, analysis, containment and response to an incident;
Amendment 242 #
Proposal for a directive
Article 7 – paragraph 5 – point 1 (new)
(1) The CERT shall be enabled and encouraged to initiate and to participate in joint exercises with individual CERTs, with the CERTs of all Member States, and with appropriate institutions of non-Member States as well as with the CERTs of multinational and international institutions such as NATO and the UN.
Amendment 249 #
Proposal for a directive
Article 8 – paragraph 2
2. The cooperation network shall bring into permanent communication the Commission and the competent authorities. The European Network and Information Security Agency (‘ENISA’) shall assist the cooperation network by providing its expertise and advice.
Amendment 278 #
Proposal for a directive
Article 10 – paragraph 4
4. Where the risk or incident subject to an early warning is of a suspected criminal nature, the competent authorities or the Commission shall inform the European Cybercrime Centre within Europol without measurable delay.
Amendment 285 #
Proposal for a directive
Article 12 – paragraph 3
3. The Union NIS cooperation plan shall be adopted no later than one year following the entry into force of this Directive and shall be revised regularly. Results of each revision shall be reported to the European Parliament.
Amendment 294 #
Proposal for a directive
Article 14 – paragraph 1
1. Member States shall ensure that public administrations and market operators take appropriate technical and organisational measures to detect and effectively manage the risks posed to the security of the networks and information systems which they control and use in their operations. Having regard to the state of the art, these measures shall guarantee a level of security appropriate to the risk presented. In particular, measures shall be taken to prevent and minimise the impact of incidents affecting their network and information system on the core services they provide and thus ensure the continuity of the services underpinned by those networks and information systems.
Amendment 326 #
Proposal for a directive
Article 15 – paragraph 3
3. Member States shall ensure that competent authorities have the power to issue binding instructions to market operators and public administrations and to issue enactments for legal and liability obligations, especially where a voluntary approach does not prove efficient.
Amendment 342 #
Proposal for a directive
Article 20 – paragraph 1
The Commission shall periodically review the functioning of this Directive and report to the European Parliament and the Council. The main focus of the review should be the provisions of Annex II, in particular the provisions regarding the internet enablers. The first report shall be submitted no later than two years after the date of transposition referred to in Article 21. For this purpose, the Commission may request Member States to provide information without undue delay. The review should also evaluate the voluntary incentives for stock listed companies set forth in this Directive. The effectiveness of this voluntary approach is to be evaluated by the competent national authority every 2 years. Results ought to be reported to the European Commission without delay. Should the voluntary approach aimed at protecting customers' and investors' interests not prove sufficient, Member States shall introduce legal obligations.
Amendment 345 #
Proposal for a directive
Annex 1 – paragraph 1 – point 2 – point a – indent 1
– Detection and monitoring of incidents at a national level,