This is an HTML version of an attachment to the Freedom of Information request 'Compromise amendments A high common level of cybersecurity'.

21/09/2021.v03
Draft compromises - LIBE opinion on the NIS2 Directive
Rapporteur: Lukas MANDL
Chapters I and II
RECITALS 1-26
CA27
Covers AMs 1 (rapp), 2 (rapp), 3 (rapp), 4 (rapp), 5 (rapp), 6 (rapp), 7 (rapp), 8 (rapp), 9 (rapp), 10 (rapp), 11 (rapp), 12 (rapp), 13 (rapp), 85 (ID), 86 (S&D), 87part (S&D), 88 (S&D), 89 (ID), 90 (ID), 92 (ECR), 95 (S&D), 96part (ECR), 97 (S&D), 100 (S&D), 101 (S&D), 134 (RE)
Fall: AMs 91 (ECR), 93 (ECR), 94 (Greens), 98 (ECR), 99 (Greens)
(1) Directive (EU) 2016/1148 of the European Parliament and the Council11 aimed at building cybersecurity capabilities across the Union, mitigating threats to network and information systems used to provide essential services in key sectors and ensuring the continuity of such services when facing cybersecurity incidents, thus contributing to the Union's security and to the effective functioning of its economy and society. (AMs 1R, 85)
(2) Since the entry into force of Directive (EU) 2016/1148 significant progress has been made in increasing the Union’s level of cybersecurity resilience. The review of that Directive has shown that it has served as a catalyst for the institutional and regulatory approach to cybersecurity in the Union, paving the way for a significant change in mind-set. That Directive has ensured the completion of national frameworks by defining national cybersecurity strategies, establishing national capabilities, and implementing regulatory measures covering essential infrastructures and actors identified by each Member State. It has also contributed to cooperation at Union level through the establishment of the Cooperation Group and a network of national Computer Security Incident Response Teams (‘CSIRTs network’). Notwithstanding those achievements, the review of Directive (EU) 2016/1148 has revealed inherent shortcomings that prevent it from addressing effectively contemporaneous and emerging cybersecurity challenges. Moreover, the expansion of online activities in the context of the COVID-19 pandemic has highlighted the importance of cybersecurity, which is essential for EU citizens to be able to trust innovation and connectivity, as well as large-scale education and training thereon. The Commission should therefore support Member States in the design of educational programmes on cybersecurity with a view to enabling important and essential entities to recruit cybersecurity experts who allow them to comply with the obligations arising from this Directive. (AMs 86, 101, 134)

(3) Network and information systems have developed into a central feature of everyday life with the speedy digital transformation and interconnectedness of society, including in cross-border exchanges. That development has led to an expansion of the cybersecurity threat landscape, bringing about new challenges, which require adapted, coordinated and innovative responses in all Member States. The number, magnitude, sophistication, frequency and impact of cybersecurity incidents are increasing, and present a major threat to the functioning of network and information systems. As a result, cyber incidents can impede the pursuit of economic activities in the internal market, generate financial losses, undermine user confidence and cause major damage to the Union economy, and the functioning of our democracy, and the values and freedom on which our society is based. Cybersecurity preparedness and effectiveness are therefore now more essential than ever to the Union’s security and the proper functioning of the internal market in light of the digital transformation of day-to-day activities across the Union. This requires closer cooperation of authorities within and between Member States as well as between national authorities and responsible Union bodies. (AMs 87part, 88)
(4) [...] COM proposal
(5) All those divergences entail a fragmentation of the internal market and are liable to have a prejudicial effect on its functioning, affecting in particular the cross-border provision of services and level of cybersecurity resilience due to the application of different standards. Ultimately, these divergences can lead to higher vulnerability of some Member States to cybersecurity threats, with potential spillover effects across the Union, both with regard to its internal market and its overall security. This Directive aims to remove such wide divergences among Member States, in particular by setting out minimum rules regarding the functioning of a coordinated regulatory framework, by laying down mechanisms for the effective and real time cooperation among the responsible authorities in each Member State, between the competent authorities of the Member States, by updating the list of sectors and activities subject to cybersecurity obligations and by providing effective remedies and sanctions which are instrumental to the effective enforcement of those obligations. Therefore, Directive (EU) 2016/1148 should be repealed and replaced by this Directive. (AM 2, 89)
(6) This Directive leaves unaffected the ability of Member States to take the necessary measures to ensure the protection of the essential interests of their national security, to safeguard public policy and public security, and to allow for the prevention, investigation, detection and prosecution of criminal offences, in compliance with Union law. In accordance with Article 346 TFEU, no Member State is to be obliged to supply information the disclosure of which would be contrary to the essential interests of its public security. In this context, national and Union rules for protecting classified information, non-disclosure agreements, and informal non-disclosure agreements such as the Traffic Light Protocol14, are of relevance. (AMs 3, 90)
(7) [...] COM proposal
(8) The responsibility of Member States in accordance with Directive (EU) 2016/1148 for determining which entities meet the criteria to qualify as operators of essential services (‘identification process’) has led to wide divergences among Member States in that regard. Without prejudice to the specific exceptions provided in this Directive, a uniform criterion should be established that determines the entities falling within the scope of application of this Directive to eliminate these divergences and ensure legal certainty regarding the risk management requirements and reporting obligations for all relevant entities. That criterion should consist of the application of the size-cap rule, whereby all medium and large enterprises, as defined by Commission Recommendation 2003/361/EC15, that operate within the sectors or provide the type of services covered by this Directive, fall within its scope. Member States should not be required to establish a list of the entities that meet this generally applicable size-related criterion. (AM 4)
(8a) Taking into consideration the differences in the national public administration frameworks, Member States retain their decision-making capacity regarding the designation of entities within the scope of this Directive. (AM 92)

(9) Small or micro entities fulfilling certain criteria that indicate a key role for the economies or societies of Member States or for particular sectors or types of services based on a risk-assessment, including entities defined as critical entities or entities equivalent to critical entities under Directive (EU) XXX/XXX of the European Parliament and the Council1a, should also be covered by this Directive. Member States should be responsible for establishing a list of such entities, and submit it to the Commission. (AM 5)
(10) The Commission, in cooperation with the Cooperation Group, should issue guidelines on the implementation of the criteria applicable to micro and small entities. (AM 6)
(11) [...] COM proposal (AM 93 falls)
(12) Sector-specific legislation and instruments can contribute to ensuring high levels of cybersecurity, while taking full account of the specificities and complexities of those sectors. Where a sector-specific Union legal act requires essential or important entities to adopt cybersecurity risk management measures or to notify incidents or significant cyber threats of at least an equivalent effect to the obligations laid down in this Directive, those sector-specific provisions, including on supervision and enforcement, should apply. The Commission should issue guidelines in relation to the implementation of the lex specialis. This Directive does not preclude the adoption of additional sector-specific Union acts addressing cybersecurity risk management measures and incident notifications. This Directive is without prejudice to the existing implementing powers that have been conferred to the Commission in a number of sectors, including transport and energy. (AM 7)
(13) [...] COM proposal
(14) In view of the interlinkages between cybersecurity and the physical security of entities, a coherent approach should be ensured between Directive (EU) XXX/XXX of the European Parliament and of the Council17 and this Directive, wherever possible and appropriate. To achieve this, Member States should ensure that critical entities, and equivalent entities, pursuant to Directive (EU) XXX/XXX are considered to be essential entities under this Directive. Member States should also ensure that their cybersecurity strategies provide for a policy framework for enhanced coordination between the competent authorities within and between Member States, under this Directive and the one under Directive (EU) XXX/XXX, in the context of information sharing on cyber incidents and cyber threats and the exercise of supervisory tasks. Authorities under both Directives within and between Member States should cooperate and exchange information, particularly in relation to the identification of critical entities, cyber threats, cybersecurity risks, incidents affecting critical entities as well as on the cybersecurity measures taken by competent authorities under this Directive relevant for critical entities. Upon request of competent authorities under Directive (EU) XXX/XXX, competent authorities under this Directive should be allowed to assess the cybersecurity of an essential entity identified as critical. Both authorities should cooperate and exchange information in real time for this purpose. (AM 8)
(15) [...] COM proposal (AM 94 falls)
(16) [...] COM proposal
(17) [...] COM proposal
(18) Services offered by data centre service providers may not always be provided in a form of cloud computing service. Accordingly, data centres may not always constitute a part of cloud computing infrastructure. In order to manage all the risks posed to cybersecurity, this Directive should cover also providers of such data centre services that are not cloud computing services. For the purpose of this Directive, the term ‘data centre service’ should cover provision of a service that encompasses structures, or groups of structures, dedicated to the centralised accommodation, interconnection and operation of information technology and network equipment providing data storage, processing and transport services together with all the facilities and infrastructures for power distribution and environmental control. The term ‘data centre service’ does not apply to in-house, corporate data centres owned and operated for own purposes of the concerned entity. (AM 9)
(19) [...] COM proposal
(20) Those growing interdependencies are the result of an increasingly cross-border and interdependent network of service provision using key infrastructures across the Union in the sectors of energy, transport, digital infrastructure, drinking and waste water, food production, processing and distribution, health, certain aspects of public administration, as well as space in as far as the provision of certain services depending on ground-based infrastructures that are owned, managed and operated either by Member States or by private parties is concerned, therefore not covering infrastructures owned, managed or operated by or on behalf of the Union as part of its space programmes. Those interdependencies mean that any disruption, even one initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts in the delivery of services across the internal market. The intensified attacks against information systems during the COVID-19 pandemic have shown the vulnerability of our increasingly interdependent societies in the face of low-probability risks. Therefore, further investments in cybersecurity are required. (AMs 10, 95)
(20a) It is crucial to raise cyber-awareness and cyber-resilience in all critical and important entities, including public administration entities. (AM 96part)
(21) In view of the differences in national governance structures and in order to safeguard already existing sectoral arrangements or Union supervisory and regulatory bodies, Member States should be able to designate more than one national competent authority responsible for fulfilling the tasks linked to the security of the network and information systems of essential and important entities under this Directive. Member States should be able to assign this role to an existing authority and ensure that it has adequate resources to carry out its tasks effectively and efficiently. (AM 97)
(22)  In  order  to  facilitate  cross-border  cooperation  and  communication  among
authorities and to enable this Directive to be implemented effectively, it is necessary
for each Member State to designate a national single point of contact responsible
for  coordinating  issues  related  to cybersecurity and  cross-border  cooperation  at
Union level. (AM 11)
(23) Competent authorities or the CSIRTs should receive notifications of incidents from entities in an effective and efficient way. The single points of contact should be tasked with forwarding incident notifications in real time to the single points of contact of all other Member States. At the level of Member States’ authorities, to ensure one single entry point in every Member State, the single points of contact should also be the addressees of relevant information on incidents concerning financial sector entities from the competent authorities under Regulation XXXX/XXXX which they should be able to forward, as appropriate, to the relevant national competent authorities or CSIRTs under this Directive. (AM 12)
(25) As regards personal data, CSIRTs should be able to provide, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council19 and with Directive 2002/58/EC, on behalf of and upon request by an entity under this Directive, a proactive scanning of the network and information systems used for the provision of their services, a security scan of the information systems and the network range used for the provision of their services to identify, mitigate or prevent specific threats. Member States should aim at ensuring an equal level of technical capabilities for all sectorial CSIRTs. Member States may request the assistance of the European Union Agency for Cybersecurity (ENISA) in developing national CSIRTs. Furthermore, cybersecurity risks should never be used as a pretext for violations of fundamental rights. (AM 13, 100)
(26) [...] COM proposal
ARTICLES 1-11
CHAPTER I - General provisions (Art. 1-4)
Article 1 - subject matter
Falls: AM 137 (ECR)
1. This Directive lays down measures with a view to ensuring a high common level of
cybersecurity within the Union.
2. To that end, this Directive:
(a) lays down obligations on Member States to adopt national cybersecurity strategies,
designate competent national authorities, single points of contact and computer security
incident response teams (CSIRTs);
(b) lays down cybersecurity risk management and reporting obligations for entities of a type
referred to as essential entities in Annex I and important entities in Annex II;
CA1
Article 2 - scope
Covers AMs 39 (rapp), 40 (rapp), 138part (RE), 139 (Greens), 145 (Left), 146 (Greens), 147 (Greens), 150 (Left), 152part (Left), 153part (S&D), 155 (RE), 156 (Greens)
Fall: AMs 38 (rapp), 140 (Left), 141 (ECR), 142 (ECR), 143 (Greens), 144 (ECR), 149 (Left), 151 (ECR), 154 (S&D), 157 (ECR)
1. This Directive applies to public and private entities of a type referred to as essential entities in Annex I and as important entities in Annex II. This Directive does not apply to entities that qualify as micro and small enterprises within the meaning of Commission Recommendation 2003/361/EC28. Article 3 Paragraph 4 of the Annex to Commission Recommendation 2003/361/EC is not applicable. (AM 139 part)
2. However, regardless of their size and based on a risk assessment in accordance with Article 18, this Directive also applies to entities referred to in Annexes I and II, where: (AM 39)
(a) the services are provided by one of the following entities:
(i) public electronic communications networks or publicly available
electronic communications services referred to in point 8 of Annex I;
(ii) trust service providers referred to in point 8 of Annex I;
(iii) top–level domain name registries and domain name system (DNS)
service providers referred to in point 8 of Annex I;
(b) the entity is a public administration entity as defined in point 23 of Article 4;
(c) the entity is the sole provider of a service at national or regional level; (AM 145)
(d) a potential disruption of the service provided by the entity could have an
impact on public safety, public security or public health; (AM 146)
(e) a potential disruption of the service provided by the entity could induce
systemic risks, in particular for the sectors where such disruption could have a
cross-border impact; (AM 147)
(f) the entity is critical because of its specific importance at regional or national
level for the particular sector or type of service, or for other interdependent sectors
in the Member State;
(g) the entity is identified as a critical entity pursuant to Directive (EU)
XXXX/XXXX of the European Parliament and of the Council29 [Resilience of
Critical Entities Directive], or as an entity equivalent to a critical entity pursuant
to Article 7 of that Directive.
Member States shall establish a list of entities identified pursuant to points (b) to
(f) and submit it to the Commission by [6 months after the transposition deadline].
Member States shall review the list, on a regular basis, and at least every two
years thereafter and, where appropriate, update it.
3.  This  Directive  is  without  prejudice  to  the  competences  of  Member  States
concerning  the  maintenance  of  public  security,  defence  and  national  security  in
compliance with Union law.
4. This Directive applies without prejudice to Council Directive 2008/114/EC30
and Directives 2011/93/EU31 and 2013/40/EU32 of the European Parliament and of
the Council.
4a. Any processing of personal data pursuant to this Directive shall comply with
Regulation (EU) 2016/679 and with Directive 2002/58/EC and shall be limited to
what  is  strictly  necessary  and  proportionate  for  the  purposes  of  this  Directive.
(AM 40, 138part, 150, 153part, 156)

5. Without prejudice to Article 346 TFEU, information that is confidential
pursuant to Union and national rules, such as rules on business confidentiality,
shall be exchanged with the Commission and other relevant authorities only where
that exchange is necessary for the application of this Directive. The information
exchanged shall be limited to that which is necessary to the purpose of that
exchange. The exchange of information shall preserve the confidentiality of that
information and protect the security and commercial interests of essential or
important entities. (AM 152)
6.  Where  provisions  of  sector–specific  acts  of  Union  law  require  essential  or
important  entities  either  to  adopt  cybersecurity  risk  management  measures  or  to
notify incidents or significant cyber threats,  and  where those  requirements are at
least equivalent in effect to the obligations laid down in this Directive, the relevant
provisions of this Directive, including the provision on supervision and enforcement
laid down in Chapter VI, shall not apply.
6a. Before 31 December 2022, the Commission shall publish a legislative proposal
to include Union institutions, offices, bodies and agencies (EUIs) in the overall
EU-wide  cybersecurity  framework, with  a  view  to  achieving  a  uniform level  of
protection through consistent and homogeneous rules. (AM 155)

Article 3 - Minimum harmonisation (no AMs tabled = COM text)
CA2
Article 4 - Definitions
Covers AMs 41 (rapp), 42 (rapp), 43 (rapp), 159 (Left), 162 (Left)
Fall: AMs 158 (Greens), 160 (Greens), 161 (Greens), 163 (ECR), 164 (ECR), 165
(ECR), 166 (ECR), 167 (ECR), 168 (ECR)
For the purposes of this Directive, the following definitions apply:
(1) ‘network and information system’ means:
(a) an electronic communications network within the meaning of Article 2(1) of
Directive (EU) 2018/1972;
(b) any device or group of inter–connected or related devices, one or more of which, pursuant to a program, perform automatic processing of digital data, and that are integrated into the IT system and used for the provision of their intended services; (AM 41)
(c) digital data stored, processed, retrieved or transmitted by elements covered
under points (a) and (b) for the purposes of their operation, use, protection and
maintenance;
(2) ‘security of network and information systems’ means the ability of network
and information systems to resist, at a given level of confidence, any action that
compromises the availability, authenticity, integrity or confidentiality of stored or
transmitted or processed data or the related services offered by, or accessible via,
those network and information systems;
(3) ‘cybersecurity’ means cybersecurity within the meaning of Article 2(1) of
Regulation (EU) 2019/881 of the European Parliament and of the Council33;
(4) ‘national strategy on cybersecurity’ means a coherent framework of a Member
State providing strategic objectives and priorities on the cybersecurity in that
Member State; (AM 42)
(5) ‘incident’ means any event compromising the availability, authenticity,
integrity or confidentiality of stored, transmitted or processed data or of the related
services offered by, or accessible via, network and information systems;
(6) ‘incident handling’ means all actions and procedures aiming at detection,
analysis and containment of and a response to an incident;
(7) ‘cyber threat’ means a cyber threat within the meaning of Article 2(8) of Regulation (EU) 2019/881;
(8) ‘vulnerability’ means a weakness, susceptibility or flaw of an asset, system,
process or control that can be exploited by a cyber threat;
(9) ‘representative’ means any natural or legal person established in the Union
explicitly designated to act on behalf of i) a DNS service provider, a top-level
domain (TLD) name registry, a cloud computing service provider, a data centre
service provider, a content delivery network provider as referred to in point 8 of
Annex I or ii) entities referred to in point 6 of Annex II that are not established in
the Union, which may be addressed by a national competent authority or a CSIRT
instead of the entity with regard to the obligations of that entity under this
Directive;
(10) ‘standard’ means a standard within the meaning of Article 2(1) of Regulation
(EU) No 1025/2012 of the European Parliament and of the Council34;
(11) ‘technical specification’ means a technical specification within the meaning
of Article 2(4) of Regulation (EU) No 1025/2012;
(12) ‘internet exchange point (IXP)’ means a network facility which enables the interconnection of more than two independent networks (autonomous systems), primarily for the purpose of facilitating the exchange of internet traffic; an IXP provides interconnection only for autonomous systems; an IXP does not require the internet traffic passing between any pair of participating autonomous systems to pass through any third autonomous system, nor does it alter or otherwise interfere with such traffic; (AM 159)
(13) ‘domain name system (DNS)’ means a hierarchical distributed naming system
which allows end-users to reach services and resources on the internet;
(14) ‘DNS service provider’ means an entity that provides recursive or
authoritative domain name resolution services to internet end-users and other DNS
service providers;
(15) ‘top–level domain name registry’ means an entity which has been delegated a
specific TLD and is responsible for administering the TLD including the
registration of domain names under the TLD and the technical operation of the
TLD, including the operation of its name servers, the maintenance of its databases
and the distribution of TLD zone files across name servers;
(16) ‘digital service’ means a service within the meaning of Article 1(1)(b) of
Directive (EU) 2015/1535 of the European Parliament and of the Council35;
(17) ‘online marketplace’ means a digital service within the meaning of Article 2
point (n) of Directive 2005/29/EC of the European Parliament and of the
Council36;
(18) ‘online search engine’ means a digital service within the meaning of Article
2(5) of Regulation (EU) 2019/1150 of the European Parliament and of the
Council37;
(19) ‘cloud computing service’ means a digital service that enables on-demand
administration and broad remote access to a scalable and elastic pool of shareable
and distributed computing resources;
(20) ‘data centre service’ means a service that encompasses structures, or groups
of structures, dedicated to the centralised accommodation, interconnection and
operation of information technology and network equipment providing data
storage, processing and transport services together with all the facilities and
infrastructures for power distribution and environmental control;
(21) ‘content delivery network’ means a network of geographically distributed
servers for the purpose of ensuring high availability, accessibility or fast delivery
of digital content and services to internet users on behalf of content and service
providers;
(22) ‘social networking services platform’ means a platform that enables end-users to connect, share, discover and communicate with each other across multiple devices, and in particular, via chats, posts, videos and recommendations; (AM 162)
(23) ‘public administration entity’ means an entity in a Member State that
complies with the following criteria:
(a) it is established for the purpose of meeting needs in the general interest and
does not have an industrial or commercial character;
(b) it has legal personality;
(c) it is financed, for the most part, by the State, regional authority, or by other
bodies governed by public law; or it is subject to management supervision by
those authorities or bodies; or it has an administrative, managerial or supervisory
board, more than half of whose members are appointed by the State, regional
authorities, or by other bodies governed by public law;
(d) it has the power to address to natural or legal persons administrative or
regulatory decisions affecting their rights in the cross-border movement of
persons, goods, services or capital.
Public administration entities that carry out activities in the areas of public
security, law enforcement, defence or national security are excluded.
(24) ‘entity’ means any natural person or any legal person created and recognised
as such under the national law of its place of establishment, which may, acting under
its own name, exercise rights and be subject to obligations; (AM 43)
(25) ‘essential entity’ means any entity of a type referred to as an essential entity
in Annex I;
(26) ‘important entity’ means any entity of a type referred to as an important entity
in Annex II.
CHAPTER II - Coordinated cybersecurity regulatory frameworks (Art. 5-11)
CA3
Article 5 - National cybersecurity strategy
Covers AMs 44 (rapp), 45 (rapp), 169 (Greens), 171 (Greens), 172 (Greens), 173
(ECR), 174 (RE), 175 (S&D), 176part (Greens), 177 (S&D), 178 (ID)
Falls: AM 170 (ECR)
1. Each Member State shall adopt a national cybersecurity strategy defining the
strategic objectives and appropriate policy and regulatory measures, with a view
to achieving and maintaining a high level of cybersecurity. The national
cybersecurity strategy shall include, in particular, the following:
(a) a definition of objectives and priorities of the Member States’ strategy on cybersecurity, taking into account the general level of cybersecurity awareness amongst citizens as well as the general level of security of consumer connected devices; (AM 169)

(b) a governance framework to achieve those objectives and priorities, including
the policies referred to in paragraph 2 and the roles and responsibilities of public
bodies and entities as well as other relevant actors;
(c) an assessment to identify relevant assets and cybersecurity risks in that
Member State;
(d) an identification of the measures ensuring preparedness, response and recovery
to incidents, including cooperation between the public and private sectors;
(e) a list of the various authorities and actors involved in the implementation of
the national cybersecurity strategy;
(f) a policy framework for enhanced coordination between the competent
authorities under this Directive and Directive (EU) XXXX/XXXX of the
European Parliament and of the Council38 [Resilience of Critical Entities
Directive], both within and between Member States, for the purposes of
information sharing on incidents and cyber threats and the exercise of supervisory
tasks. (AM 44)
2. As part of the national cybersecurity strategy, Member States shall in particular
adopt the following policies:
(a) a policy addressing cybersecurity in the supply chain for ICT products and
services used by essential and important entities for the provision of their services;
(b) guidelines regarding the inclusion and specification of cybersecurity-related requirements for ICT products and services in public procurement, including but not limited to encryption requirements and the promotion of the use of open source cybersecurity products; (AM 171)
(c) a policy to promote and facilitate coordinated vulnerability disclosure within
the meaning of Article 6;
(d) a policy related to sustaining the general availability and integrity of the public
core of the open internet;
(da) a policy related to sustaining the use of open data and open source as part
of security through transparency; (AM 172)
(db) a policy promoting the privacy and security of personal data of users of
online services; (AM 173)
(e) a policy on promoting and developing cybersecurity skills, awareness raising
and research and development initiatives, including the development of training
programmes on cybersecurity to provide entities with specialists and
technicians; (AM 174)
(f) a policy on supporting academic and research institutions that contribute to the
national cybersecurity strategy by developing and deploying cybersecurity tools
and secure network infrastructure that contribute to the national cybersecurity
strategy, including specific policies addressing issues related to gender
representation and balance in this sector; (AM 175, 176part, 177)
(g) a policy, relevant procedures and appropriate information-sharing tools to
support voluntary cybersecurity information sharing between companies in
compliance with Union law;
(h) a policy addressing specific needs of SMEs, in particular those excluded from
the scope of this Directive, in relation to guidance and support in improving their
resilience to cybersecurity threats and their capability to respond to cybersecurity
incidents. (AM 45R, 178)
3. Member States shall notify their national cybersecurity strategies to the
Commission within three months from their adoption. Member States may
exclude specific information from the notification where and to the extent that it is
strictly necessary to preserve national security.
4. Member States shall assess their national cybersecurity strategies at least every
four years on the basis of key performance indicators and, where necessary, amend
them. The European Union Agency for Cybersecurity (ENISA) shall assist Member
States, upon request, in the development of a national strategy and of key
performance indicators for the assessment of the strategy.
CA4
Article 6 - Coordinated vulnerability disclosure and a European vulnerability
registry

Covers AM 179 (Greens)
Falls: 180 (ECR), 181 (Left)
1. Each Member State shall designate one of its CSIRTs as referred to in Article 9 as
a coordinator for the purpose of coordinated vulnerability disclosure. The designated
CSIRT shall act as a trusted intermediary, facilitating, where necessary, the
interaction between the reporting entity and the manufacturer or provider of ICT
products or ICT services. Where the reported vulnerability concerns multiple
manufacturers or providers of ICT products or ICT services across the Union, the
designated CSIRT of each Member State concerned shall cooperate with the CSIRT
network.
2. ENISA shall develop and maintain a European vulnerability registry. To that end,
ENISA shall establish and maintain the appropriate information systems, policies and
procedures with a view in particular to enabling important and essential entities and
their suppliers of network and information systems to disclose and register
vulnerabilities present in ICT products or ICT services, as well as to provide access to
the information on vulnerabilities contained in the registry to all interested parties.
The registry shall, in particular, include information describing the vulnerability, the
affected ICT product or ICT services and the severity of the vulnerability in terms of
the circumstances under which it may be exploited, the availability of related patches
and, in the absence of available patches, guidance addressed to users of vulnerable
products and services as to how the risks resulting from disclosed vulnerabilities may
be mitigated. To ensure security and accessibility of the information included in
the registry, ENISA shall apply state of the art security measures and make the
information available in machine-readable formats through corresponding
interfaces. (AM 179)

CA5
Article 7 - National cybersecurity crisis management frameworks
Covers AM 182 (Left) only
[...] par. 3 (a) objectives of national and, where relevant and applicable, regional and
cross-border preparedness measures and activities; (AM 182)

Article 8 - National competent authorities and single points of contact - no
AMs were tabled.

Article 9 - Computer security incident response teams (CSIRTs)
No compromise is proposed on Article 9.
Given that the ECR AMs 183 + 184 to Article 9 are consequential AMs linked to
the different treatment of public administration entities, they should fall if the
COMP on Article 1 is adopted; if the COMP falls and AM 137 is adopted, they
should also be deemed adopted.
CA6
Article 10 - Requirements and tasks of CSIRTs
Covers AM 187 (Left)
Falls: AM 185 (ECR), 186 (Greens)
1. CSIRTs shall comply with the following requirements:
(a) CSIRTs shall ensure a high level of availability of their communications
services by avoiding single points of failure, and shall have several means for
being contacted and for contacting others at all times. CSIRTs shall clearly specify
the communication channels and make them known to constituency and
cooperative partners;
(b) CSIRTs’ premises and the supporting information systems shall be located in
secure sites;
(c) CSIRTs shall be equipped with an appropriate system for managing and
routing requests, in particular, to facilitate effective and efficient handovers;
(d) CSIRTs shall be adequately staffed to ensure availability at all times;
(e) CSIRTs shall be equipped with redundant systems and backup working space
to ensure continuity of its services;
(f) CSIRTs shall have the possibility to participate in international cooperation
networks.
2. CSIRTs shall have the following tasks:
(a) monitoring cyber threats, vulnerabilities and incidents at national level;
(b) providing early warning, alerts, announcements and dissemination of
information to essential and important entities as well as to other relevant
interested parties on cyber threats, vulnerabilities and incidents;
(c) responding to incidents;
(d) providing dynamic risk and incident analysis and situational awareness
regarding cybersecurity;
(e) providing, upon request of an entity, a proactive scanning of the network and
security scan of the information systems and network range used for the provision
of their services to identify, mitigate or prevent specific threats. The processing of
personal data in the context of such scanning shall be limited to what is strictly
necessary, and in any case to IP addresses and URLs; (AM 187)
(f) participating in the CSIRTs network and providing mutual assistance to other
members of the network upon their request.
3. CSIRTs shall establish cooperation relationships with relevant actors in the
private sector, with a view to better achieving the objectives of the Directive.
4. In order to facilitate cooperation, CSIRTs shall promote the adoption and use of
common or standardised practices, classification schemes and taxonomies in
relation to the following:
(a) incident handling procedures;
(b) cybersecurity crisis management;
(c) coordinated vulnerability disclosure.
CA7
Article 11 - Cooperation at national level
Covers AM 46 (rapp), 47 (rapp)
Fall: AM 188 (ECR)
1. Where they are separate, the competent authorities referred to in Article 8, the
single point of contact and the CSIRT(s) of the same Member State shall
cooperate with each other with regard to the fulfilment of the obligations laid
down in this Directive.
2. Member States shall ensure that either their competent authorities or their
CSIRTs receive notifications on incidents, and significant cyber threats and near
misses submitted pursuant to this Directive. Where a Member State decides that
its CSIRTs shall not receive those notifications, the CSIRTs shall, to the extent
necessary to carry out their tasks, be granted access to data on incidents notified
by the essential or important entities, pursuant to Article 20.
3. Each Member State shall ensure that its competent authorities or CSIRTs
inform its single point of contact of notifications on incidents, significant cyber
threats and near misses submitted pursuant to this Directive.
4. To the extent necessary to effectively carry out the tasks and obligations laid
down in this Directive, Member States shall ensure appropriate cooperation
between the competent authorities and single points of contact and law
enforcement authorities, data protection authorities, and the authorities responsible
for critical infrastructure pursuant to Directive (EU) XXXX/XXXX [Resilience of
Critical Entities Directive] and the national financial authorities designated in
accordance with Regulation (EU) XXXX/XXXX of the European Parliament and
of the Council [the DORA Regulation] within that Member State in line with
their respective competences. (AM 46R)
5. Member States shall ensure that their competent authorities regularly provide
timely information to competent authorities designated pursuant to Directive (EU)
XXXX/XXXX [Resilience of Critical Entities Directive] on cybersecurity risks,
cyber threats and incidents affecting essential entities identified as critical, or as
entities equivalent to critical entities, pursuant to Directive (EU) XXXX/XXXX
[Resilience of Critical Entities Directive], as well as the measures taken by
competent authorities in response to those risks and incidents. (AM 47)