Activities of Indrek TARAND related to 2013/0027(COD)
Shadow opinions (1)
OPINION on the proposal for a directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union
Amendments (17)
Amendment 21 #
Proposal for a directive
Recital 2 a (new)
Recital 2 a (new)
(2a) A large number of cyber incidents occur due to lack of resilience and robustness of private and public network infrastructure, poorly protected or secured databases and other flaws in the critical information infrastructure; whereas only few Member States consider the protection of their network and information systems and associated data as part of their respective duty of care which explains the lack of investment in state-of-the art security technology, training and the development of appropriate guidelines.
Amendment 22 #
Proposal for a directive
Recital 3 a (new)
Recital 3 a (new)
(3a) Raising awareness and educating users of information and communication technologies on best practises on the securing personal data as well as sustainable maintenance of communication services should constitute the basis of any comprehensive cyber security strategy.
Amendment 24 #
Proposal for a directive
Recital 8 a (new)
Recital 8 a (new)
(8a) Security measures have to respect and fundamental rights incumbent upon the EU and its Member States in accordance with articles 2, 6 and 21 TFEU, such as the freedom of expression, data protection and privacy; whereas the rights to privacy and data protection are laid down in the EU Charter and Article 16 TFEU.
Amendment 25 #
Proposal for a directive
Recital 11 a (new)
Recital 11 a (new)
(11a) All Member States shall focus national cyber security strategies on the protection of information systems and associated data and shall consider the protection this critical infrastructure as part of their respective duty of care. All Member States shall adopt and implement strategies, guidelines and instruments that provide reasonable levels of protection against reasonably identifiable levels of threats, with costs and burdens of the protection proportionate to the probable damage to the parties concerned. Also all Member States shall take appropriate steps to oblige legal persons under their jurisdictions to protect personal data under their care.
Amendment 26 #
Proposal for a directive
Recital 16
Recital 16
(16) To ensure transparency and properly inform EU citizens and market operators, the competent authorities should set up a common website to publish non confidential information on the incidents and risks. Any personal data published on this website should be limited to only what is necessary and as anonymous as possible.
Amendment 27 #
Proposal for a directive
Recital 30 a (new)
Recital 30 a (new)
(30a) This Directive is without prejudice to the Union acquis relating to data protection. Any personal data used according to the provisions of this Directive should be kept to the minimum set of personal data strictly necessary and only transmitted to the actors strictly necessary, and as be as anonymous as possible, if not completely anonymous.
Amendment 28 #
Proposal for a directive
Recital 32 a (new)
Recital 32 a (new)
(32a) Adopting at EU level general data protection legislation should precede the adoption of cyber security legislation at EU level. Therefore, the NIS directive should be adopted only after the General Data Protection Regulation has been adopted.
Amendment 29 #
Proposal for a directive
Recital 34 a (new)
Recital 34 a (new)
(34a) There is need to regulate on EU level the sale, supply, transfer or export to third countries of equipment or software intended primarily for monitoring or interception of the Internet and of telephone communications on mobile or fixed networks and the provision of assistance to install, operate or update such equipment or software. As soon as possible the Commission must prepare legislation which prevents European companies from exporting such dual-use items to non-democratic, authoritarian and repressive regimes.
Amendment 30 #
Proposal for a directive
Article 3 – paragraph 2 a (new)
Article 3 – paragraph 2 a (new)
a) "cyber resilience" means the ability of a network and information system to resist and recover to full operational capacity after incidents, including but not limited to; technical malfunction, power failure or security incidents;
Amendment 32 #
Proposal for a directive
Article 6 – paragraph 1
Article 6 – paragraph 1
1. Each Member State shall designate a civil national competent authority on the security of network and information systems (the ‘"competent authority’").
Amendment 34 #
Proposal for a directive
Article 9 – paragraph 1 a (new)
Article 9 – paragraph 1 a (new)
1a. Personal data shall be only disclosed to recipients who need to process these data for the performance of their tasks in accordance with an appropriate legal basis. The disclosed data shall be limited to what is necessary for the performance of their tasks. Compliance with the purpose limitation principle shall be ensured. The time limit for the retention of these data shall be specified for the purposes set out in this Directive.
Amendment 35 #
Proposal for a directive
Article 10 – paragraph 2
Article 10 – paragraph 2
2. In the early warnings, the competent authorities and the Commission shall communicate any relevant information in their possession that may be useful for assessing the risk or incident, in accordance with the provisions of the General Data Protection Regulation.
Amendment 36 #
Proposal for a directive
Article 10 – paragraph 3
Article 10 – paragraph 3
3. At the request of a Member State, or on its own initiative, the Commission may request a Member State to provide any relevant information on a specific risk or incident, in accordance with the provisions of the General Data Protection Regulation.
Amendment 37 #
Proposal for a directive
Article 10 – paragraph 4
Article 10 – paragraph 4
4. Where the risk or incident subject to an early warning is of a suspected criminal nature, the competent authorities or the Commission shall inform the European Cybercrime Centre within Europol, in accordance with the provisions in the General Data Protection Regulation.
Amendment 38 #
Proposal for a directive
Article 14 – paragraph 2 a (new)
Article 14 – paragraph 2 a (new)
2a. Software producers shall be responsible for correcting security breaches, within 24 hours of being informed for serious cases, and 72 hours for cases were the effects are unlikely to result in any significant financial loss or serious breach of privacy.
Amendment 39 #
Proposal for a directive
Article 14 – paragraph 2 b (new)
Article 14 – paragraph 2 b (new)
2b. Commercial software producers shall not be protected from "no-liability" clauses when it can be demonstrated that their products are not properly designed to handle foreseeable security threats.
Amendment 40 #
Proposal for a directive
Annex 1 – paragraph 1 – point b
Annex 1 – paragraph 1 – point b
(b) The CERT shall implement and manage security measures to ensure the confidentiality, integrity, availability and authenticity of information it receives and treats, complying with data protection requirements.