(1)

Network and information systems and services play a vital role in society. Their reliability and security are essential to the freedom and overall security of Union citizens as well as to economic activities and social welfare, and in particular to the functioning of the internal market. [Am. 1]

(2)

The magnitude and, frequency and impact of deliberate or accidental security incidents is increasing and represents a major threat to the functioning of networks and information systems. Those systems may also become an easy target for deliberate harmful actions intended to damage or interrupt the operation of the systems. Such incidents can impede the pursuit of economic activities, generate substantial financial losses, undermine user and investor confidence and cause major damage to the economy of the Union and, ultimately, endanger the wellbeing of Union citizens and the ability of Member States to protect themselves and ensure the security of critical infrastructures . [Am. 2]

(3)

As a communication instrument without frontiers, digital information systems, and primarily the Internet, play an essential role in facilitating the cross-border movement of goods, services and people. Due to that transnational nature, substantial disruption of those systems in one Member State can also affect other Member States and the Union as a whole. The resilience and stability of network and information systems is therefore essential to the smooth functioning of the internal market.

(3a)

Since common causes of system failure continue to be unintentional ones, such as natural causes or human error, infrastructure should be resilient both to intentional and unintentional disruptions, and operators of critical infrastructure should design resilience-based systems. [Am. 3]

(4)

A cooperation mechanism should be established at Union level to allow for information exchange and coordinated prevention, detection and response regarding network and information security (‘NIS’). For that mechanism to be effective and inclusive, it is essential that all Member States have minimum capabilities and a strategy ensuring a high level of NIS in their territory. Minimum security requirements should also apply to public administrations and at least certain market operators of critical information infrastructure to promote a culture of risk management and ensure that the most serious incidents are reported. Companies listed on the stock markets should be encouraged to make incidents public in their financial reports on a voluntary basis. The legal framework should be based upon the need to safeguard the privacy and integrity of citizens. The Critical Infrastructure Warning Information Network (CIWIN) should be expanded to the market operators covered by this Directive. [Am. 4]

(4a)

While public administrations, because of their public mission, should exercise due diligence in the management and the protection of their own network and information systems, this Directive should focus on critical infrastructure essential for the maintenance of vital economic and societal activities in the fields of energy, transport, banking, financial market infrastructures and health. Software developers and hardware manufacturers should be excluded from the scope of this Directive. [Am. 5]

(4b)

Cooperation and coordination between the relevant Union authorities with the High Representative/Vice President, with the responsibility for the Common Foreign and Security Policy and the Common Security and Defence Policy, as well as the EU Counter-terrorism Coordinator should be ensured where incidents having a significant impact are perceived to be of an external and terrorist nature. [Am. 6]

(5)

To cover all relevant incidents and risks, this Directive should apply to all network and information systems. The obligations on public administrations and market operators should, however, not apply to undertakings providing public communication networks or publicly available electronic communication services within the meaning of Directive 2002/21/EC of the European Parliament and of the Council (3), which are subject to the specific security and integrity requirements laid down in Article 13a of that Directive nor should they apply to trust service providers.

(6)

The existing capabilities are not sufficient enough to ensure a high level of NIS within the Union. Member States have very different levels of preparedness leading to fragmented approaches across the Union. This leads to an unequal level of protection of consumers and businesses, and undermines the overall level of NIS within the Union. Lack of common minimum requirements on public administrations and market operators in turn makes it impossible to set up a global and effective mechanism for cooperation at Union level. Universities and research centres have a decisive role in spurring research, development and innovation in those areas and should be provided with adequate funding. [Am. 7]

(7)

Responding effectively to the challenges of the security of network and information systems therefore requires a global approach at Union level covering common minimum capacity building and planning requirements, developing sufficient cyber security skills, exchange of information and coordination of actions, and common minimum security requirements for all market operators concerned and public administrations. Minimum common standards should be applied in accordance with appropriate recommendations by the Cyber Security Coordination Groups (CSGCs). [Am. 8]

(8)

The provisions of this Directive should be without prejudice to the possibility for each Member State to take the necessary measures to ensure the protection of its essential security interests, to safeguard public policy and public security, and to permit the investigation, detection and prosecution of criminal offences. In accordance with Article 346 of the Treaty on the Functioning of the European Union (TFEU), no Member State is to be obliged to supply information the disclosure of which it considers contrary to the essential interests of its security. No Member State is obliged to disclose EU classified information as defined in Council Decision 2011/292/EU  (4) , information subject to non-disclosure agreements or informal non-disclosure agreements, such as the Traffic Light Protocol. [Am. 9]

(9)

To achieve and maintain a common high level of security of network and information systems, each Member State should have a national NIS strategy defining the strategic objectives and concrete policy actions to be implemented. NIS cooperation plans complying with essential requirements need to be developed at national level , on the basis of minimum requirements set out in this Directive, in order to reach capacity response levels allowing for effective and efficient cooperation at national and Union level in case of incidents , respecting and protecting private life and personal data . Each Member State should therefore be obliged to meet common standards regarding data format and the exchangeability of data to be shared and evaluated. Member States should be able to ask for the assistance of the European Union Agency for Network and Information Security (ENISA) in developing their national NIS strategies, based on a common minimum NIS strategy blueprint . [Am. 10]

(10)

To allow for the effective implementation of the provisions adopted pursuant to this Directive, a body responsible for coordinating NIS issues and acting as a focal point for cross-border cooperation at Union level should be established or identified in each Member State. Those bodies should be given the adequate technical, financial and human resources to ensure that they can carry out in an effective and efficient manner the tasks assigned to them and thus achieve the objectives of this Directive.

(10a)

In view of the differences in national governance structures and in order to safeguard pre-existing sectoral arrangements or Union supervisory and regulatory bodies, and to avoid duplication, Member States should be able to designate more than one national competent authority in charge of fulfilling the tasks linked to the security of the networks and information systems of market operators under this Directive. However, in order to ensure smooth cross-border cooperation and communication, it is necessary for each Member State, without prejudice to sectoral regulatory arrangements, to designate only one national single point of contact in charge of cross-border cooperation at Union level. Where its constitutional structure or other arrangements so require, a Member State should be able to designate only one authority to carry out the tasks of the competent authority and the single point of contact. The competent authorities and the single points of contact should be civilian bodies, subject to full democratic oversight and should not fulfil any tasks in the field of intelligence, law enforcement or defence or be organisationally linked in any form to bodies active in those fields. [Am. 11]

(11)

All Member States and market operators should be adequately equipped, both in terms of technical and organisational capabilities, to prevent, detect, respond to and mitigate network and information systems' incidents and risks at any time . The security systems of public administrations should be safe and subject to democratic control and scrutiny. Commonly required equipment and capabilities should comply with commonly agreed technical standards as well as standards procedures of operation (SPO). Well-functioning Computer Emergency Response Teams (CERTs) complying with essential requirements should therefore be established in all Member States to guarantee effective and compatible capabilities to deal with incidents and risks and ensure efficient cooperation at Union level. Those CERTs should be enabled to interact on the basis of common technical standards and SPO. In view of the different characteristics of existing CERTs, which respond to different subject needs and actors, Member States should guarantee that each of the sectors referred to in the list of market operators set out in this Directive is provided services by at least one CERT. Regarding cross-border CERT cooperation, Member States should ensure that CERTs have sufficient means to participate in the existing international and Union cooperation networks already in place. [Am. 12]

(12)

Building upon the significant progress within the European Forum of Member States (‘EFMS’) in fostering discussions and exchanges on good policy practices including the development of principles for European cyber crisis cooperation, the Member States and the Commission should form a network to bring them into permanent communication and support their cooperation. This secure and effective cooperation mechanism , including the participation of market operators, where appropriate, should enable structured and coordinated information exchange, detection and response at Union level. [Am. 13]

(13)

The European Network and Information Security Agency (‘ENISA’) should assist the Member States and the Commission by providing its expertise and advice and by facilitating exchange of best practices. In particular, in the application of this Directive, the Commission and Member States should consult ENISA. To ensure effective and timely information to the Member States and the Commission, early warnings on incidents and risks should be notified within the cooperation network. To build capacity and knowledge among Member States, the cooperation network should also serve as an instrument for the exchange of best practices, assisting its members in building capacity, steering the organisation of peer reviews and NIS exercises. [Am. 14]

(13a)

Where appropriate, Member States should be able to use or adapt existing organisational structures or strategies when applying the provisions of this Directive. [Am. 15]

(14)

A secure information-sharing infrastructure should be put in place to allow for the exchange of sensitive and confidential information within the cooperation network. Existing structures within the Union should be fully used for that purpose. Without prejudice to their obligation to notify incidents and risks of Union dimension to the cooperation network, access to confidential information from other Member States should only be granted to Members States upon demonstration that their technical, financial and human resources and processes, as well as their communication infrastructure, guarantee their effective, efficient and secure participation in the network , using transparent methods . [Am. 16]

(15)

As most network and information systems are privately operated, cooperation between the public and private sector is essential. Market operators should be encouraged to pursue their own informal cooperation mechanisms to ensure NIS. They should also cooperate with the public sector and mutually share information and best practices in including the reciprocal exchange of relevant information and operational support and strategically analysed information, in case of incidents. To effectively encourage the sharing of information and of best practices, it is essential to ensure that market operators who participate in such exchanges are not disadvantaged as a result of their cooperation. Adequate safeguards are needed to ensure that such cooperation will not expose those operators to higher compliance risk or new liabilities under, inter alia, competition, intellectual property, data protection or cybercrime law, nor expose them to increased operational or security risks. [Am. 17]

(16)

To ensure transparency and properly inform Union citizens and market operators, the competent authorities single points of contact should set up a common Union-wide website to publish non confidential information on the incidents and, risks and means of risk mitigation, and where necessary advise on appropriate maintenance measures . The information on the website should be accessible irrespective of the device used. Any personal data published on that website should be limited only to what is necessary and should be as anonymous as possible. [Am. 18]

(17)

Where information is considered confidential in accordance with Union and national rules on business confidentiality, such confidentiality shall be ensured when carrying out the activities and fulfilling the objectives set by this Directive.

(18)

On the basis in particular of national crisis management experiences and in cooperation with ENISA, the Commission and the Member States should develop a Union NIS cooperation plan defining cooperation mechanisms , best practices and operation patterns to prevent, detect, report, and counter risks and incidents. That plan should be duly taken into account in the operation of early warnings within the cooperation network. [Am. 19]

(19)

Notification of an early warning within the network should be required only where the scale and severity of the incident or risk concerned are or may become so significant that information or coordination of the response at Union level is necessary. Early warnings should therefore be limited to actual or potential incidents or risks that grow rapidly, exceed national response capacity or affect more than one Member State. To allow for a proper evaluation, all information relevant for the assessment of the risk or incident should be communicated to the cooperation network. [Am. 20]

(20)

Upon receipt of an early warning and its assessment, the competent authorities single points of contact should agree on a coordinated response under the Union NIS cooperation plan. Competent authorities The single points of contact, ENISA and the Commission should be informed about the measures adopted at national level as a result of the coordinated response. [Am. 21]

(21)

Given the global nature of NIS problems, there is a need for closer international cooperation to improve security standards and information exchange, and promote a common global approach to NIS issues. Any framework for such international cooperation should be subject to Directive 95/46/EC of the European Parliament and of the Council  (5) and Regulation (EC) No 45/2001 of the European Parliament and of the Council  (6) . [Am. 22]

(22)

Responsibility for ensuring NIS lies to a great extent with public administrations and market operators. A culture of risk management , close cooperation and trust , involving risk assessment and the implementation of security measures appropriate to the risks faced and incidents, whether deliberate or accidental, should be promoted and developed through appropriate regulatory requirements and voluntary industry practices. Establishing a trustworthy level playing field is also essential to the effective functioning of the cooperation network to ensure effective cooperation from all Member States. [Am. 23]

(23)

Directive 2002/21/EC requires that undertakings providing public electronic communications networks or publicly available electronic communications services take appropriate measures to safeguard their integrity and security and introduces security breach and integrity loss notification requirements. Directive 2002/58/EC of the European Parliament and of the Council (7) requires a provider of a publicly available electronic communications service to take appropriate technical and organisational measures to safeguard the security of its services.

(24)

Those obligations should be extended beyond the electronic communications sector to operators of infrastructure which rely heavily on information and communications technology and are essential to the maintenance of vital economic or societal functions such as electricity and gas, transport, credit institutions, financial market infrastructures and health. Disruption of those network and information systems would affect the internal market. While the obligations set out in this Directive should not extend to key providers of information society services, as defined in Directive 98/34/EC of the European Parliament and of the Council (8), which underpin downstream information society services or on-line activities, such as e-commerce platforms, Internet payment gateways, social networks, search engines, cloud computing services, in general or application stores. Disruption of these enabling information society services prevents the provision of other information society services which rely on them as key inputs. Software developers and hardware manufacturers are not providers of information society services and are therefore excluded. Those obligations should also be extended to public administrations, and operators of critical infrastructure which rely heavily on information and communications technology and are essential to the maintenance of vital economical or societal functions such as electricity and gas, transport, credit institutions, stock exchange and health. Disruption of those network and information systems would affect the internal market. , those providers might, on a voluntary basis, inform the competent authority or single point of contact of those network security incidents they deem appropriate. The competent authority or the single point of contact should, if possible, present the market operators that informed it of the incident with strategically analysed information that will help to overcome the security threat . [Am. 24]

(24a)

While hardware and software providers are not market operators comparable to those covered in this Directive, their products facilitate the security of network and information systems. They therefore have an important role in enabling market operators to secure their network and information infrastructures. Given that hardware and software products are already subject to existing rules on product liability, Member States should ensure that those rules are enforced. [Am. 25]

(25)

Technical and organisational measures imposed on public administrations and market operators should not require that a particular commercial information and communications technology product be designed, developed or manufactured in a particular manner. [Am. 26]

(26)

The public administrations and market operators should ensure security of the networks and systems which are under their control. These would be primarily private networks and systems managed either by their internal IT staff or the security of which has been outsourced. The security and notification obligations should apply to the relevant market operators and public administrations regardless of whether they perform the maintenance of their network and information systems internally or outsource it. [Am. 27]

(27)

To avoid imposing a disproportionate financial and administrative burden on small operators and users, the requirements should be proportionate to the risk presented by the network or information system concerned, taking into account the state of the art of such measures. Those requirements should not apply to micro enterprises.

(28)

Competent authorities and single points of contact should pay due attention to preserving informal and trusted channels of information-sharing between market operators and between the public and the private sectors. Competent authorities and single points of contact should inform manufacturers and service providers of affected ICT products and services about incidents having a significant impact notified to them. Publicity of incidents reported to the competent authorities and single points of contact should duly balance the interest of the public in being informed about threats with possible reputational and commercial damages for the public administrations and market operators reporting incidents. In the implementation of the notification obligations, competent authorities and single points of contact should pay particular attention to the need to maintain information about product vulnerabilities strictly confidential prior to the release deployment of appropriate security fixes. As a general rule, single points of contact should not disclose the personal data of individuals involved in incidents. Single points of contact should only disclose personal data where the disclosure of such data is necessary and proportionate in view of the objective pursued. [Am. 28]

(29)

Competent authorities should have the necessary means to perform their duties, including powers to obtain sufficient information from market operators and public administrations in order to assess the level of security of network and information systems, measure the number, scale and scope of incidents, as well as reliable and comprehensive data about actual incidents that have had an impact on the operation of network and information systems. [Am. 29]

(30)

Criminal activities are in many cases underlying an incident. The criminal nature of incidents can be suspected even if the evidence to support it may not be sufficiently clear from the start. In this context, appropriate co-operation between competent authorities , single points of contact and law enforcement authorities as well as cooperation with the EC3 (Europol Cybercrime Centre) and ENISA should form part of an effective and comprehensive response to the threat of security incidents. In particular, promoting a safe, secure and more resilient environment requires a systematic reporting of incidents of a suspected serious criminal nature to law enforcement authorities. The serious criminal nature of incidents should be assessed in the light of Union laws on cybercrime. [Am. 30]

(31)

Personal data are in many cases compromised as a result of incidents. Member States and market operators should protect personal data stored, processed or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorised or unlawful storage, access, disclosure or dissemination; and ensure the implementation of a security policy with respect to the processing of personal data. In this context, competent authorities , single points of contact and data protection authorities should cooperate and exchange information on all relevant matters including, where appropriate, with market operators, in order to tackle the personal data breaches resulting from incidents in accordance with applicable data protection rules . Member states shall implement The obligation to notify security incidents should be carried out in a way that minimises the administrative burden in case the security incident is also a personal data breach in line with the Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data  (9) . Liaising with the competent authorities and the data protection authorities, that has to be notified in accordance with Union data protection law. ENISA could should assist by developing information exchange mechanisms and templates avoiding the need for two notification templates. This a single notification template that would facilitate the reporting of incidents compromising personal data, thereby easing the administrative burden on businesses and public administrations. [Am. 31]

(32)

Standardisation of security requirements is a market-driven process of a voluntary nature that should allow market operators to use alternative means to achieve at least similar outcomes . To ensure a convergent application of security standards, Member States should encourage compliance or conformity with specified interoperable standards to ensure a high level of security at Union level. To this end, it the application of open international standards on network information security or the design of such tools need to be considered. Another necessary step forward might be necessary to draft harmonised standards, which should be done in accordance with Regulation (EU) No 1025/2012 of the European Parliament and of the Council (10). In particular, ETSI, CEN and CENELEC should be mandated to suggest effective and efficient Union open security standards, where technological preferences are avoided as much as possible, and which should be made easily manageable by small and medium-sized market operators. International standards pertaining to cybersecurity should be carefully vetted in order to ensure that they have not been compromised and that they provide adequate levels of security, thus making sure that the mandated compliance with cybersecurity standards enhances the overall level of cybersecurity of the Union and not the contrary. [Am. 32]

(33)

The Commission should periodically review this Directive, in consultation with all interested stakeholders, in particular with a view to determining the need for modification in the light of changing societal, political, technological or market conditions. [Am. 33]

(34)

In order to allow for the proper functioning of the cooperation network, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission in respect of the definition of the criteria to be fulfilled for a Member State to be authorized to participate to common set of interconnection and security standards for the secure information-sharing system, of the infrastructure and the further specification of the triggering events for early warning, and of the definition of the circumstances in which market operators and public administrations are required to notify incidents. [Am. 34]

(35)

It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level. The Commission, when preparing and drawing up delegated acts, should ensure a simultaneous, timely and appropriate transmission of relevant documents to the European Parliament and to the Council.

(36)

In order to ensure uniform conditions for the implementation of this Directive, implementing powers should be conferred on the Commission as regards the cooperation between competent authorities single points of contact and the Commission within the cooperation network, the access to the secure information-sharing infrastructure without prejudice to existing cooperation mechanisms at national level, the Union NIS cooperation plan, and the formats and procedures applicable to informing the public about the notification of incidents, and the standards and/or technical specifications relevant to NIS having a significant impact . Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council (11). [Am. 35]

(37)

In the application of this Directive, the Commission should liaise as appropriate with relevant sectoral committees and relevant bodies set up at Union level in particular in the fields of e-government, energy, transport and, health and defence . [Am. 36]

(38)

Information that is considered confidential by a competent authority or a single point of contact , in accordance with Union and national rules on business confidentiality, should be exchanged with the Commission, its relevant agencies, single points of contact and /or other national competent authorities only where such exchange is strictly necessary for the application of this Directive. The information exchanged should be limited to that which is relevant , necessary and proportionate to the purpose of such exchange , and should respect pre-defined criteria for confidentiality and security, in accordance with Decision 2011/292/EU, information subject to non-disclosure agreements and informal non-disclosure agreements, such as the Traffic Light Protocol. [Am. 37]

(39)

The sharing of information on risks and incidents within the cooperation network and compliance with the requirements to notify incidents to the national competent authorities or single points of contact may require the processing of personal data. Such a processing of personal data is necessary to meet the objectives of public interest pursued by this Directive and is thus legitimate under Article 7 of Directive 95/46/EC. It does not constitute, in relation to those legitimate aims, a disproportionate and intolerable interference impairing the very substance of the right to the protection of personal data guaranteed by Article 8 of the Charter of Fundamental Rights of the European Union. In the application of this Directive, Regulation (EC) No 1049/2001 of the European Parliament and of the Council (12) should apply as appropriate. When data are processed by Union institutions and bodies, such processing for the purpose of implementing this Directive should comply with Regulation (EC) No 45/2001. [Am. 38]

(40)

Since the objective of this Directive, namely to ensure a high level of NIS in the Union, cannot be sufficiently achieved by the Member States alone but can rather, by reason of the effects of the action, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality, as set out in that Article, this Directive does not go beyond what is necessary in order to achieve that objective.

(41)

This Directive respects the fundamental rights, and observes the principles, recognised by the Charter of Fundamental Rights of the European Union, in particular the right to respect for private life and communications, the protection for personal data, the freedom to conduct a business, the right to property, the right to an effective remedy before a court and the right to be heard. This Directive must be implemented in accordance with those rights and principles.

(41a)

In accordance with the Joint Political Declaration of Member States and the Commission on explanatory documents of 28 September 2011, Member States have undertaken to accompany, in justified cases, the notification of their transposition measures with one or more documents explaining the relationship between the components of a directive and the corresponding parts of national transposition instruments. With regard to this Directive, the legislator considers the transmission of such documents to be justified. [Am. 39]

(41b)

The European Data Protection Supervisor was consulted in accordance with Article 28(2) of Regulation (EC) No 45/2001 and delivered an opinion on 14 June 2013 (13),

(a)

lays down obligations for all Member States concerning the prevention, the handling of and the response to risks and incidents affecting networks and information systems;

(b)

creates a cooperation mechanism between Member States in order to ensure a uniform application of this Directive within the Union and, where necessary, a coordinated and, efficient and effective handling of and response to risks and incidents affecting network and information systems with the participation of relevant stakeholders ; [Am. 40]

(c)

establishes security requirements for market operators and public administrations. [Am. 41]

(1)

‘network and information system’ means:

(2)

‘security’ means the ability of a network and information system to resist, at a given level of confidence, accident or malicious action that compromises the availability, authenticity, integrity and confidentiality of stored or transmitted data or the related services offered by or accessible via that network and information system; ‘security’ includes appropriate technical devices, solutions and operating procedures ensuring the security requirements set out in this Directive; [Am. 46]

(3)

‘risk’ means any reasonably identifiable circumstance or event having a potential adverse effect on security; [Am. 47]

(4)

‘incident’ means any circumstance or event having an actual adverse effect on security; [Am. 48]

(5)

‘information society service’ mean service within the meaning of point (2) of Article 1 of Directive 98/34/EC; [Am. 49]

(6)

‘NIS cooperation plan’ means a plan establishing the framework for organisational roles, responsibilities and procedures to maintain or restore the operation of networks and information systems, in the event of a risk or an incident affecting them;

(7)

‘incident handling’ means all procedures supporting the detection, prevention, analysis, containment and response to an incident; [Am. 50]

(8)

‘market operator’ means:

(8a)

‘incident having a significant impact’ means an incident affecting the security and continuity of an information network or system that leads to the major disruption of vital economic or societal functions; [Am. 53]

(9)

‘standard’ means a standard referred to in Regulation (EU) No 1025/2012;

(10)

‘specification’ means a specification referred to in Regulation (EU) No 1025/2012;

(11)

‘Trust service provider’ means a natural or legal person who provides any electronic service consisting in the creation, verification, validation, handling and preservation of electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic delivery services, website authentication, and electronic certificates, including certificates for electronic signature and for electronic seals;

(11a)

‘regulated market’ means regulated market as defined in point 14 of Article 4 of Directive 2004/39/EC of the European Parliament and of the Council  (17) ; [Am. 54]

(11b)

‘multilateral trading facility (MTF)’ means multilateral trading facility as defined in point 15 of Article 4 of Directive 2004/39/EC; [Am. 55]

(11c)

‘organised trading facility’ means a multilateral system or facility, which is not a regulated market, a multilateral trading facility or a central counterparty, operated by an investment firm or a market operator, in which multiple third-party buying and selling interests in bonds, structured finance products, emission allowances or derivatives are able to interact in the system in such a way as to result in a contract in accordance with Title II of Directive 2004/39/EC. [Am. 56]

(a)

The definition of the objectives and priorities of the strategy based on an up-to-date risk and incident analysis;

(b)

A governance framework to achieve the strategy objectives and priorities, including a clear definition of the roles and responsibilities of the government bodies and the other relevant actors;

(c)

The identification of the general measures on preparedness, response and recovery, including cooperation mechanisms between the public and private sectors;

(d)

An indication of the education, awareness raising and training programmes;

(e)

Research and development plans and a description of how these plans reflect the identified priorities;

(ea)

Member States may request the assistance of ENISA in developing their national NIS strategies and national NIS cooperation plans, based on a common minimum NIS strategy. [Am. 57]

(a)

A risk management framework to establish a methodology for the identification, prioritisation, evaluation and treatment of risks, the assessment plan to identify risks and assess of the impacts of potential incidents , prevention and control options, and to define criteria for the choice of possible countermeasures ; [Am. 58]

(b)

The definition of the roles and responsibilities of the various authorities and other actors involved in the implementation of the plan framework ; [Am. 59]

(c)

The definition of cooperation and communication processes ensuring prevention, detection, response, repair and recovery, and modulated in accordance with the alert level;

(d)

A roadmap for NIS exercises and training to reinforce, validate, and test the plan. Lessons learned to be documented and incorporated into updates to the plan.

(a)

circulate early warnings on risks and incidents in accordance with Article 10;

(b)

ensure a coordinated response in accordance with Article 11;

(c)

publish on a regular basis non-confidential information on on-going early warnings and coordinated response on a common website;

(d)

jointly discuss and assess , at the request of one Member State or of the Commission, one or more national NIS strategies and national NIS cooperation plans referred to in Article 5, within the scope of this Directive;

(e)

jointly discuss and assess , at the request of a Member State or the Commission, the effectiveness of the CERTs, in particular when NIS exercises are performed at Union level;

(f)

cooperate and exchange information on all expertise on relevant matters with the European Cybercrime Centre within Europol, and with other relevant European bodies on network and information security, in particular in the fields of data protection, energy, transport, banking, stock exchanges financial markets and health with the European Cybercrime Centre within Europol, and with other relevant European bodies ;

(fa)

where appropriate, inform the EU Counter-terrorism Coordinator, by means of reporting, and may ask for assistance for analysis, preparatory works and actions of the cooperation network;

(g)

exchange information and best practices between themselves and the Commission, and assist each other in building capacity on NIS;

(h)

organise regular peer reviews on capabilities and preparedness;

(i)

organise NIS exercises at Union level and participate, as appropriate, in international NIS exercises;

(ia)

involve, consult and exchange, where appropriate, information with market operators with respect to the risks and incidents affecting their network and information systems;

(ib)

develop, in cooperation with ENISA, guidelines for sector-specific criteria for the notification of significant incidents, in addition to the parameters laid down in Article 14(2), for a common interpretation, consistent application and coherent implementation within the Union. [Am. 78]

(a)

the availability of a secure and resilient communication and information infrastructure at national level, compatible and interoperable with the secure infrastructure of the cooperation network in compliance with Article 7(3), and

(b)

the existence of adequate technical, financial and human resources and processes for their competent authority and CERT allowing an effective, efficient and secure participation in the secure information-sharing system under Article 6(3), Article 7(2) and Article 7(3). [Am. 82]

(a)

they grow rapidly or may grow rapidly in scale;

(b)

they exceed or may exceed the single point of contact assesses that the risk or incident potentially exceeds national response capacity;

(c)

they affect or may affect the single points of contact or the Commission assess that the risk or incident affects more than one Member State. [Am. 84]

(a)

for the purposes of Article 10:

(b)

the processes to be followed for the coordinated responses under Article 11, including identification of roles and responsibilities and cooperation procedures;

(c)

a roadmap for NIS exercises and training to reinforce, validate, and test the plan;

(d)

a programme for transfer of knowledge between the Member States in relation to capacity building and peer learning;

(e)

a programme for awareness raising and training between the Member States.

(a)

the number of users whose core service is affected; [Am. 98]

(b)

the duration of the incident; [Am. 99]

(c)

geographic spread with regard to the area affected by the incident. [Am. 100]

(a)

provide information needed to assess the security of their networks and information systems, including documented security policies;

(b)

undergo provide evidence of effective implementation of security policies, such as the results of a security audit carried out by a qualified independent body or national authority, and make the results thereof evidence available to the competent authority or to the single point of contact . [Am. 113]

(a)

competent authorities or the single points of contact, as applicable, shall have the power to submit a sufficiently specific request to market operators requiring them to provide evidence of effective implementation of security policies, such as the results of a security audit carried out by a qualified internal auditor, and make the evidence available to the competent authority or to the single point of contact;

(b)

where necessary, following the submission by the market operator of the request referred to in point (a), the competent authority or the single point of contact may require additional evidence or an additional audit to be carried out by a qualified independent body or national authority.