The Slovenian Presidency of the Council of the EU presented its compromise proposal on measures to ensure a high level of cybersecurity in the European Union to the members of the Horizontal ‘Group on Cyberspace Issues’ on Friday 29 October (see EUROPE 12792/22).
As regards the scope, the Commission’s proposal provided for the definition of common criteria within the EU to identify which entities should be subject to enhanced supervision.
In this respect, the EU Council Presidency intends that entities meeting these criteria should “register” with the competent authorities, whereas previously they were required to “notify”.
This “self-certification” should include the name of the entity, its address and the sector to which it belongs, the document says.
The new version of the document also specifies the information to be provided by Member States to the European Commission on micro and small entities that meet certain criteria proving their key role for the economy or society and thus falling within the scope.
It will be up to the Member States to draw up a list of these micro and small entities - which will have to mention the sector and the type of services provided - and submit it to the European Commission.
Finally, the new version of the EU Council’s compromise text adds the areas of national security and defence to the list of public administrations that should be excluded from the scope of the Directive.
The choice of recipient
In addition, the Commission’s proposal offered the possibility for Member States, on a sectoral basis, to set up a “common, automatic and direct mechanism for reporting incidents and cyber threats” to the competent authorities. This could include authorities whose tasks are defined by the sectoral provisions or the Computer Security Incident Response Teams (CSIRT).
On this point, the EU Council’s compromise document wishes to give Member States the choice of which of the various potential authorities or CSIRTs will be the recipients of the notifications.
While the EU Council Presidency continues to work on this dossier, the European Parliament is already ready to start inter-institutional negotiations (‘trilogue’).
The text, put forward by Dutch MEP Bart Groothuis (Renew Europe), was adopted on Thursday 28 October by the European Parliament’s Committee on Industry, Research and Energy (ITRE) (see EUROPE 12822/11). MEPs on the ITRE committee also voted in favour of the European Parliament’s negotiating mandate on the same day.
See the compromise proposal: https://bit.ly/2ZF3uAU (Original version in French by Thomas Mangin)