The Portuguese Presidency of the EU Council presented its compromise text on measures to ensure a common high level of cyber security across the Union to the Member States on 21 June (see EUROPE 12734/10).
In addition, the text emphasises cooperation between the EU and national authorities. For example, the paper argues for an enhanced relationship between the Computer Security Incident Response Team (CSIRT) and its national counterparts to promote information exchange.
The Portuguese EU Council Presidency document also calls for a coherent approach to the links between cyber security and physical security of entities. Thus, Member States should ensure that critical entities - and equivalent entities - are considered as essential entities.
These include, among others, financial entities or information and communication technology service providers. Member States will need to ensure that the competent authorities communicate with each other and are informed of the actions taken in response to incidents.
Still on the subject of cooperation, the text wishes to go further and push the Member States to provide “a policy framework for enhanced coordination between competent authorities”.
The European Network and Information Security Agency (ENISA) could also develop guidance documents to facilitate harmonisation and transition and to avoid disruption.
For the sake of clarity, the Portuguese Presidency document proposes that entities such as providers of public electronic communications networks or providers of trust services be included in the scope of this new directive. This procedure would repeal the Regulation on electronic identification and trust services for electronic transactions in the internal market (910/2014) and the Directive on the European Electronic Communications Code (2018/1972).
In addition, the new version of the compromise text now states that the transfer of personal data to a third country or an international organisation may be necessary in certain cases, such as where a threat or incident would be likely to have a “significant impact on the provision of services”.
See the compromise text: https://bit.ly/3h2TTK6 (Original version in French by Thomas Mangin)