ISSN 1977-091X

Official Journal

of the European Union

C 258
European flag  

English edition

Information and Notices

Volume 65
5 July 2022

Contents

page

 

II   Information

 

INFORMATION FROM EUROPEAN UNION INSTITUTIONS, BODIES, OFFICES AND AGENCIES

 

European Commission

2022/C 258/01

Non-opposition to a notified concentration (Case M.10708 – CURA / OCG / DEUTSCHE EUROSHOP JV) ( 1 )

1

2022/C 258/02

Non-opposition to a notified concentration (Case M.10529 – HEIDELBERGCEMENT / THOMA BRAVO / COMMAND ALKON) ( 1 )

2

 

IV   Notices

 

NOTICES FROM EUROPEAN UNION INSTITUTIONS, BODIES, OFFICES AND AGENCIES

 

European Commission

2022/C 258/03

Euro exchange rates — 4 July 2022

3

 

Court of Auditors

2022/C 258/04

Special report 14/2022: – The Commission’s response to fraud in the Common Agricultural Policy – Time to dig deeper

4

 

European Data Protection Supervisor

2022/C 258/05

Summary of the Opinion of the European Data Protection Supervisor on the Proposal for a Regulation on geographical indication protection for craft and industrial products (The full text of this Opinion can be found in English, French and German on the EDPS website www.edps.europa.eu)

5

2022/C 258/06

Summary of the Opinion of the European Data Protection Supervisor on the Proposal for a Regulation on information security in the institutions, bodies, offices and agencies of the Union (The full text of this Opinion can be found in English, French and German on the EDPS website www.edps.europa.eu)

7

2022/C 258/07

Summary of the Opinion of the European Data Protection Supervisor on the Proposal for a Regulation laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union (The full text of this Opinion can be found in English, French and German on the EDPS website www.edps.europa.eu)

10

 

NOTICES FROM MEMBER STATES

2022/C 258/08

Update of reference amounts for the crossing of the external borders, as referred to in Article 6(4) of Regulation (EU) 2016/399 of the European Parliament and of the Council on a Union Code on the rules governing the movement of persons across borders (Schengen Borders Code)

13

 

 

(1)   Text with EEA relevance.

EN

 

II Information

INFORMATION FROM EUROPEAN UNION INSTITUTIONS, BODIES, OFFICES AND AGENCIES

European Commission

5.7.2022   

EN

Official Journal of the European Union

C 258/1

Non-opposition to a notified concentration

(Case M.10708 – CURA / OCG / DEUTSCHE EUROSHOP JV)

(Text with EEA relevance)

(2022/C 258/01)

On 23 June 2022, the Commission decided not to oppose the above notified concentration and to declare it compatible with the internal market. This decision is based on Article 6(1)(b) of Council Regulation (EC) No 139/2004 (1). The full text of the decision is available only in English and will be made public after it is cleared of any business secrets it may contain. It will be available:

in the merger section of the ‘Competition policy’ website of the Commission (http://ec.europa.eu/competition/mergers/cases/). This website provides various facilities to help locate individual merger decisions, including company, case number, date and sectoral indexes,

in electronic form on the EUR-Lex website (http://eur-lex.europa.eu/homepage.html?locale=en) under document number 32022M10708. EUR-Lex is the online point of access to European Union law.

(1)  OJ L 24, 29.1.2004, p. 1.

5.7.2022   

EN

Official Journal of the European Union

C 258/2

Non-opposition to a notified concentration

(Case M.10529 – HEIDELBERGCEMENT / THOMA BRAVO / COMMAND ALKON)

(Text with EEA relevance)

(2022/C 258/02)

On 11 April 2022, the Commission decided not to oppose the above notified concentration and to declare it compatible with the internal market. This decision is based on Article 6(1)(b) of Council Regulation (EC) No 139/2004 (1). The full text of the decision is available only in English and will be made public after it is cleared of any business secrets it may contain. It will be available:

in the merger section of the ‘Competition policy’ website of the Commission (http://ec.europa.eu/competition/mergers/cases/). This website provides various facilities to help locate individual merger decisions, including company, case number, date and sectoral indexes,

in electronic form on the EUR-Lex website (http://eur-lex.europa.eu/homepage.html?locale=en) under document number 32022M10529. EUR-Lex is the online point of access to European Union law.

(1)  OJ L 24, 29.1.2004, p. 1.

IV Notices

NOTICES FROM EUROPEAN UNION INSTITUTIONS, BODIES, OFFICES AND AGENCIES

European Commission

5.7.2022   

EN

Official Journal of the European Union

C 258/3

Euro exchange rates (1)

4 July 2022

(2022/C 258/03)

1 euro =


 

Currency

Exchange rate

USD

US dollar

1,0455

JPY

Japanese yen

141,51

DKK

Danish krone

7,4391

GBP

Pound sterling

0,85960

SEK

Swedish krona

10,7658

CHF

Swiss franc

1,0037

ISK

Iceland króna

139,30

NOK

Norwegian krone

10,2958

BGN

Bulgarian lev

1,9558

CZK

Czech koruna

24,745

HUF

Hungarian forint

401,52

PLN

Polish zloty

4,7100

RON

Romanian leu

4,9440

TRY

Turkish lira

17,5994

AUD

Australian dollar

1,5205

CAD

Canadian dollar

1,3435

HKD

Hong Kong dollar

8,2033

NZD

New Zealand dollar

1,6748

SGD

Singapore dollar

1,4587

KRW

South Korean won

1 353,40

ZAR

South African rand

17,0275

CNY

Chinese yuan renminbi

6,9977

HRK

Croatian kuna

7,5301

IDR

Indonesian rupiah

15 684,13

MYR

Malaysian ringgit

4,6138

PHP

Philippine peso

57,487

RUB

Russian rouble

 

THB

Thai baht

37,298

BRL

Brazilian real

5,5663

MXN

Mexican peso

21,1972

INR

Indian rupee

82,5067

(1)  Source: reference exchange rate published by the ECB.

Court of Auditors

5.7.2022   

EN

Official Journal of the European Union

C 258/4

Special report 14/2022:

“The Commission’s response to fraud in the Common Agricultural Policy – Time to dig deeper”

(2022/C 258/04)

The European Court of Auditors has published its special report 14/2022: “The Commission’s response to fraud in the Common Agricultural Policy – Time to dig deeper”.

The report can be consulted directly or downloaded at the European Court of Auditors’ website: https://www.eca.europa.eu/en/Pages/DocItem.aspx?did=61337

European Data Protection Supervisor

5.7.2022   

EN

Official Journal of the European Union

C 258/5

Summary of the Opinion of the European Data Protection Supervisor on the Proposal for a Regulation on geographical indication protection for craft and industrial products

(The full text of this Opinion can be found in English, French and German on the EDPS website www.edps.europa.eu)

(2022/C 258/05)

On 13 April 2022, the European Commission adopted a Proposal for a Regulation of the European Parliament and of the Council on geographical indication protection for craft and industrial products and amending Regulations (EU) 2017/1001 and (EU) 2019/1753 of the European Parliament and of the Council and Council Decision (EU) 2019/1754 (hereafter ‘the Proposal’).

This proposal aims to complement the EU protection system for geographical indications, which already exist for agricultural products and foodstuffs, wines and spirits, and at enabling the effective fulfilment of obligations stemming from the EU accession to the Geneva Act of the Lisbon Agreement.

The EDPS positively notes that the Proposal determines the roles of the Commission, the EUIPO and the competent authorities of Member States with regard to the processing of personal data in the procedures under this Proposal.

The EDPS recommends clarifying whether the different controllers involved in the processing of personal data will act as joint controllers or not. If so, the EDPS recommends to provide for an arrangement as envisaged by Articles 28 EUDPR and/or Article 26 GDPR. In this regard, the EDPS recalls that detailed arrangements to ensure compliance with data protection requirements, where necessary, may also be defined by way of an implementing act.

The EDPS notes that the Proposal foresees the creation of a publicly accessible electronic register of geographical indications for craft and industrial products. In this regard, the EDPS recommends a clear delineation of the categories of data which will be processed. The EDPS recommends to specify in the Proposal itself any categories of personal data involved. Finally, the EDPS considers that the chosen data retention period for the documentation related to the cancellation of geographical indications should be further justified.

1.   INTRODUCTION

1.

On 13 April 2022, the European Commission adopted a Proposal for a Regulation of the European Parliament and of the Council on geographical indication protection for craft and industrial products and amending Regulations (EU) 2017/1001 and (EU) 2019/1753 of the European Parliament and of the Council and Council Decision (EU) 2019/1754 (‘the Proposal’).

2.

The objective of the Proposal is to establish a directly applicable geographical indication (‘GI’) protection for craft and industrial (‘CI’) products at EU level. It also aims to ensure that producers can benefit from the international framework for the registration and protection of GIs (’Lisbon system’) (1).

3.

The Proposal complements existing EU protection for GIs in the agricultural domain. It follows similar approaches taken on the eligibility conditions and the protection of GIs for agricultural products and foodstuffs, wines and spirits as set out in:

Regulation (EU) No 1151/2012 of the European Parliament and of the Council (2) on quality schemes for agricultural products and foodstuffs,

Regulation (EU) 2019/787 of the European Parliament and of the Council (3) on the definition, description, presentation and labelling of spirit drinks, and

Regulation (EU) No 1308/2013 of the European Parliament and of the Council (4) establishing a common organisation of the markets in agricultural products (5).

4.

The Proposal would amend Regulation (EU) 2017/1001 on the European Parliament and of the Council on the European Union trade mark concerning possible conflicts between GIs and trade marks and specify additional tasks for the European Union Intellectual Property Office (‘EUIPO’). It also proposes an amendment to Council Decision (EU) 2019/1754 on the accession of the European Union to the Geneva Act of the Lisbon Agreement on Appellations of Origin and Geographical Indications, in order to establish a connection between the EU GI protection system for CI products and the Lisbon system (6).

5.

The present Opinion of the EDPS is issued in response to a consultation by the European Commission of 13 April 2022, pursuant to Article 42(1) of EUDPR. The EDPS welcomes the reference to this consultation in Recital 63 of the Proposal. The comments and recommendations in this Opinion are limited to the provisions in the Proposal that are most relevant from a data protection perspective.

4.   CONCLUSIONS

16.

In light of the above, the EDPS:

welcomes the explicit designation of controllers in relation to the processing of personal data in the procedures laid down by the Proposal;

recommends clarifying whether or not the controllers should be considered as ‘joint controllers’ within the meaning of Articles 28 EUDPR and 26 GDPR;

recommends to specify in the Proposal any categories of data to be included in the Union register of geographical indications for craft and industrial products;

considers that the proposed retention period for documentation related to the cancellation of GIs registration should be further justified or reduced insofar as it concerns personal data.

Brussels, 2 June 2022.

Wojciech Rafał WIEWIÓROWSKI

(1)  COM(2022) 174 final, p. 1.

(2)  OJ L 343, 14.12.2012, p. 1.

(3)  OJ L 130, 17.5.2019, p. 1.

(4)  OJ L 347, 20.12.2013, p. 671.

(5)  The EDPS was consulted on Regulation (EU) No 1308/2013 and adopted his Opinion on 14 December 2011.

(6)  COM(2022) 174 final, p. 2.

5.7.2022   

EN

Official Journal of the European Union

C 258/7

Summary of the Opinion of the European Data Protection Supervisor on the Proposal for a Regulation on information security in the institutions, bodies, offices and agencies of the Union

(The full text of this Opinion can be found in English, French and German on the EDPS website www.edps.europa.eu)

(2022/C 258/06)

The European Commission adopted on 22 March 2022 a Proposal for a Regulation of the European Parliament and of the Council on the information security in the institutions, bodies, offices and agencies of the Union (‘the Proposal’).

The EDPS welcomes the aim of the Proposal to improve the security of information handled by the EUIs, by establishing common information security rules as well fostering a coherent information security culture in a specific legal instrument.

The EDPS observes that personal data security as mandated by the EUDPR has a scope that only partially overlaps with the scope of the information security under the Proposal. The latter focuses on the confidentiality of information, whereas the EUDPR ensures also integrity and availability. Furthermore, the EUDPR personal data security provisions specifically address the risks for the rights and freedoms of natural persons.

The Proposal requires the EUIs to adopt information security measures, which will inevitably involve the processing of personal data and of electronic communications data, including traffic data. The EDPS considers that it must be made evident that all information security measures involving processing of personal data should be compliant with the current data protection and privacy legal framework and that EUIs should take relevant technical and organisational safeguards to ensure this compliance in an accountable way.

To achieve legal certainty and foreseeability, and to ensure compliance with the EUDPR, the EDPS strongly advises that the Proposal, or at the very least, a delegated act to be adopted subsequently by the Commission, clearly defines the personal data processing activities that are allowed for the purposes of this Regulation. The EDPS also draws the attention to the need to ensure compliance with the EUDPR rules regarding transfers of personal data to third countries and international organisations. Moreover, the EDPS recommends explaining in a Recital, that all of the EUDPR provisions will apply, including the rules on international transfers.

The EDPS stresses the importance of integrating the privacy and data protection perspective in the information security management, in order to achieve positive synergies between the Proposal and privacy and data protection legislation, and provides specific recommendations on how such synergies can be achieved, including: a specific obligation for EU officials responsible for information security to cooperate closely with the data protection officer designated in accordance with Article 43 EUDPR; the integration of end-to-end encryption in the list of minimum security measures of the Proposal, where applicable, and in particular when exchanging sensitive non-classified information; and the promotion of an integrated information security risk management and an integrated incident handling process that serve both information security and data protection obligations on data breach notifications.

1.   INTRODUCTION AND BACKGROUND

1.

The European Commission adopted on 22 March 2022 a Proposal for a Regulation of the European Parliament and of the Council on the information security in the institutions, bodies, offices and agencies of the Union (1) (‘the Proposal’).

2.

On the same date, the European Commission adopted another Proposal for a Regulation laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union (2) (‘the Cybersecurity Proposal’).

3.

Both Proposals had been envisaged by the EU’s Cybersecurity Strategy for the Digital Decade presented on 16 December 2020 (3) (‘he Strategy’). The overall aim of the Strategy was to strengthen the Union’s strategic autonomy in the fields of cybersecurity and to improve its resilience and collective response as well as to build a global and open Internet with strong guardrails to address the risks to security and fundamental rights and freedoms of people in Europe (4).

4.

The Proposal constitutes one of the regulatory initiatives of the Strategy, and in particular in the area of Cybersecurity of the EU Institutions, bodies, offices and agencies (‘the EUIs’). According to the Strategy, the aim of the Proposal is twofold:

to facilitate the interoperability of classified information systems, allowing a seamless transfer of information between the different entities, and

to enable an inter-institutional approach to the handling of EU classified information and sensitive non-classified information, which could also serve as a model for interoperability across Member States, stating that the EU should also further develop its ability to communicate in a secure manner with relevant partners, building to the extent possible on existing arrangements and procedures.

5.

The EDPS observes that the subject matter of the Proposal at hand is also directly related to the Proposal for a Directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148 (‘NIS 2.0 Proposal’). The EDPS recalls that he issued the Opinion 5/2021 on the Cybersecurity Strategy (5) and the NIS 2.0 Directive (‘NIS 2.0 Opinion’) (6). For this reason the present Opinion will refer to the NIS 2.0 Opinion.

6.

According to the explanatory memorandum of the Proposal, due to the ever-increasing amount of sensitive non-classified (‘SNC’) information and European Union classified information (‘EUCI’) that the EUIs need to share amongst themselves and considering the dramatic development of the threat landscape, the European administration is exposed to attacks in all its areas of activity. The information handled by the EUIs is very attractive for the threat actors and needs to be appropriately protected.

7.

According to the explanatory memorandum, the Proposal would:

establish harmonised and comprehensive categories of information, as well as common handling rules for all EUIs,

set up a lean cooperation scheme on information security between EUIs able to foster a coherent information security culture across the European administration,

modernise the information security policies at all levels of classification/categorisation, for all EUIs, taking into account the digital transformation and the development of teleworking as a structural practice.

8.

On 22 March 2022 the Commission consulted the European Data Protection Supervisor pursuant to Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (‘EUDPR’) (7). The comments and recommendations in this Opinion are limited to the provisions in the Proposal that are most relevant from a data protection and privacy perspective.

4.   CONCLUSIONS

31.

In light of the above, the EDPS makes the following main recommendations:

the EDPS strongly advises that the Proposal clearly defines the personal data processing activities that are allowed for the purposes of this Regulation, including: the purpose(s) of the processing; categories of personal data; categories of data subjects; definition of roles as applicable (controller, processor, joint controllers), retention periods, recipients in case of transmission to entities not subject to the EUDPR. The EDPS considers that these elements should be provided for explicitly in the Proposal, or at the very least, in a delegated act to be adopted subsequently by the Commission. The Proposal should provide for such a delegation;

the EDPS recommends explaining in a Recital, that all of the EUDPR provisions will apply, including the rules on international transfers. Recital 6 can also be used to include any other general data protection recommendations made in this Opinion that do not aim at changing the substantive provisions;

the EDPS strongly recommends including end-to-end encryption in the list of minimum security measures of the Proposal, where applicable, and in particular when exchanging sensitive non-classified information;

the EDPS recommends adding in Article 5(3), that in the factors under consideration by the information security risk management process, also the threats stemming from access based on third countries jurisdiction (e.g. by their public authorities) shall be considered;

the EDPS strongly advises to explain in a relevant recital the benefits of having an integrated information security risk management and an integrated incident handling process that serves both information security and data protection obligations on data breach notifications;

the EDPS strongly advises that the proposal provides for a specific obligation for EU officials responsible for information security to cooperate closely with the data protection officer designated in accordance with Article 43 EUDPR, when dealing with activities such as applying data protection by design and by default to information security measures, selecting security measures that involve personal data, integrated risk management, integrated security incident handling.

Brussels, 17 May 2022.

Wojciech Rafał WIEWIÓROWSKI

(1)  COM(2022) 119 final.

(2)  COM(2022) 122 final.

(3)  The EU’s Cybersecurity Strategy for the Digital Decade | Shaping Europe’s digital future (europa.eu) including a Joint Communication with the High Representative of the Union for Foreign Affairs and Security Policy (JOIN(2020)18).

(4)  See chapter I. INTRODUCTION, page 4 of the Strategy.

(5)  Joint Communication from the European Commission and the High Representative of the Union for Foreign Affairs and Security Policy to the European Parliament and the Council, titled ‘The EU’s Cybersecurity Strategy for the Digital Decade’.

(6)  EDPS Opinion 5/2021 on the Cybersecurity Strategy and the NIS 2.0 Directive.

(7)  Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).

5.7.2022   

EN

Official Journal of the European Union

C 258/10

Summary of the Opinion of the European Data Protection Supervisor on the Proposal for a Regulation laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union

(The full text of this Opinion can be found in English, French and German on the EDPS website www.edps.europa.eu)

(2022/C 258/07)

On 22 March 2022, the European Commission adopted a Proposal for a Regulation laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union (‘the Proposal’).

The EDPS welcomes the aim of the Proposal to improve the cybersecurity posture of the Union Institutions, bodies, offices and agencies (“EUIs”), and equally welcomes the new role of the former “Computer Emergency Response Team”, now called “Cybersecurity Centre” (CERT-EU), taking into account the amplified digitisation, the rapidly evolving cybersecurity threat landscape and the recent digitalisation shift due also to the Covid-19 pandemic.

The EDPS regrets that the Proposal does not align with the NIS Directive, and the NIS 2.0 Proposal so that consistent and homogeneous rules for Member States and the EUIs are achieved, contributing to the overall Union cybersecurity level. The EDPS recommends adding in the Proposal that its minimum security requirements should be at least equal or higher than the minimum security requirements of the entities of NIS and NIS 2.0 Proposal.

In order to comply with the Proposal, the EUIs, as well as CERT-EU will have to deploy certain cybersecurity processes and measures, which are bound to imply additional processing of personal data. To achieve legal certainty and foreseeability, and to ensure compliance with the EUDPR, the EDPS strongly advises that the Proposal, or at the very least, a delegated act to be adopted subsequently by the Commission, must clearly provide a legal ground for the processing of personal data by CERT-EU and the EUIs, including in particular the purposes of processing and the categories of personal data.

The EDPS stresses the importance of integrating the privacy and data protection perspective in the cybersecurity management, in order to achieve positive synergies between the Proposal and privacy and data protection legislation, and provides specific recommendations how such synergies can be achieved, including a specific obligation for EU officials responsible for cybersecurity to cooperate closely with the data protection officer designated in accordance with EUDPR.

The EDPS strongly advises that the Proposal provide for close cooperation between CERT-EU and EDPS, in activities like when addressing incidents resulting in personal data breaches, when addressing significant vulnerabilities, significant incidents or major attacks, that have the potential to result in personal data breaches, as well as when CERT-EU has indications that an infringement of the Proposal entails a personal data breach.

The EDPS also strongly recommends that the Proposal provide for the EDPS’ participation in the ‘Interinstitutional Cybersecurity Board’ (IICB).

1.   INTRODUCTION AND BACKGROUND

1.

On 22 March 2022, the European Commission adopted a Proposal for a Regulation laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union (1) (‘the Proposal’).

2.

On the same date, the European Commission adopted the Proposal for a Regulation of the European Parliament and of the Council on the information security in the institutions, bodies, offices and agencies of the Union (2) (‘the Infosec Proposal’).

3.

Both Proposals were envisaged by the EU’s Cybersecurity Strategy for the Digital Decade presented on 16 December 2020 (3) (‘the Strategy’). The overall aim of the Strategy is to strengthen the Union’s strategic autonomy in the field of cybersecurity and to improve its resilience and collective response as well as to build a global and open Internet with strong guardrails to address the risks to security and fundamental rights and freedoms of people in Europe (4).

4.

The Proposal constitutes one of the regulatory initiatives of the Strategy, and in particular in the area of cybersecurity for the EU institutions, bodies, offices and agencies (EUIs). According to its explanatory memorandum, the aim of the Proposal is twofold:

to address the increasingly hostile cyber threat landscape and the increased incidence of more sophisticated cyberattacks affecting the EU institutions, bodies and agencies, driving the need for increased investments to reach a high level of cyber maturity, and

to reinforce the EU Computer Emergency Response Team (CERT-EU) with an improved funding mechanism that is necessary to increase its ability to help EU institutions, bodies and agencies to apply the new cybersecurity rules, and improve their cyber resilience.

5.

The EDPS observes that the subject matter of the Proposal at hand is interlinked with the Proposal for a Directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148 (‘NIS 2.0 Proposal’). The EDPS recalls that he issued the Opinion 5/2021 on the Cybersecurity Strategy (5) and the NIS 2.0 Directive (‘NIS 2.0 Opinion’) (6). For this reason the present Opinion will refer to the NIS 2.0 Opinion.

6.

In line with the Strategy, the Proposal aims at further improving the resilience of all Union institutions, bodies and agencies together with their incident response capacities. It is also in line with the Commission’s priorities to make Europe fit for the digital age and to build a future-ready economy that works for the people. Moreover, it stresses that the security and resilience of the public administration is a cornerstone in the digital transformation of society as a whole.

7.

According to the explanatory memorandum, the Proposal:

outlines measures with a view to ensuring a high common level of cybersecurity for the European Union institutions, bodies and agencies,

establishes the ‘Interinstitutional Cybersecurity Board’, which shall be responsible for monitoring the implementation of the proposed Regulation,

establishes the new role of the Computer Emergency Response Team for the EU institutions, agencies and bodies (‘CERT-EU’) (7), as the ‘Cybersecurity Centre’ for the Union institutions, bodies and agencies, in line with developments in the Member States and globally.

8.

On 22 March 2022 the European Commission requested the EDPS to issue an Opinion on the Proposal pursuant to Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (‘EUDPR’) (8). The comments and recommendations in this Opinion are limited to the provisions in the Proposal that are most relevant from a data protection and privacy perspective.

4.   CONCLUSIONS

48.

In light of the above, the EDPS makes the following main recommendations:

the EDPS recommends adding in a recital that the Proposal builds on the NIS 2.0 Proposal, and further explain the link between the Proposal and the NIS Directive as well as the NIS 2.0 Proposal in the recitals 4 and 5. In addition, the EDPS recommends the inclusion of wording in the main text as follows: ‘The minimum security requirements should be at least equal or higher than the minimum security requirements of the entities of NIS and NIS 2.0 Proposal’;

the EDPS strongly advises that the Proposal must clearly provide a legal ground for the processing of personal data by CERT-EU and the EUIs, including in particular the purposes of processing and the categories of personal data. In addition, the following elements should be explicitly laid down: (a) Identification of the controller(s), processors or joint controllers, as applicable; (b) Categories of data subjects; (c) Retention periods or at least criteria to determine such periods. The EDPS considers that these elements should be provided for explicitly in the Proposal, or at the very least, in a delegated act to be adopted subsequently by the Commission. The Proposal should provide for such a delegation;

the EDPS strongly recommends including ‘encryption at rest’, ‘encryption in transit’ as well as ‘end-to-end encryption’ in the list of minimum cybersecurity measures of the Annex II of the Proposal;

the EDPS strongly advises that the proposal provides for a specific obligation for the Local Cybersecurity Officer defined in article 4(5) to cooperate with the data protection officer designated in accordance with Article 43 EUDPR, when dealing with overlapping activities like applying data protection by design and by default to cybersecurity measures, selecting cybersecurity measures that involve personal data, integrated risk management, and integrated security incident handling;

the EDPS strongly advises adding a provision in Article 12 ‘CERT-EU mission and tasks’ of the Proposal that ‘CERT-EU shall work in close cooperation with the EDPS, when addressing incidents resulting in personal data breaches or in breach of confidentiality of electronic communications’;

the EDPS recommends adding an obligation for CERT-EU to inform the EDPS when addressing significant vulnerabilities, significant incidents or major attacks that have the potential to result in personal data breaches and/or in the breach of confidentiality of electronic communications;

the EDPS recommends providing in Article 12 that that the EDPS shall be involved in the CERT-EU cybersecurity awareness raising activities of the EUIs, in order to cover the interplay between personal data breach and cybersecurity incidents;

the EDPS recommends adding a provision in Article 12 ‘CERT-EU mission and tasks’ of the Proposal that would specify that CERT-EU shall inform without undue delay the EDPS when it has indications that an infringement by the EUIs of the obligations laid down in the Proposal entails a personal data breach;

the EDPS strongly advises that the European Data Protection Supervisor is added in Article 9(3) as a permanent participant in the IICB with one representative.

Brussels, 17 May 2022.

Wojciech Rafał WIEWIÓROWSKI

(1)  COM(2022) 122 final.

(2)  COM(2022) 119 final.

(3)  The EU’s Cybersecurity Strategy for the Digital Decade | Shaping Europe’s digital future (europa.eu) including a Joint Communication with the High Representative of the Union for Foreign Affairs and Security Policy (JOIN(2020)18).

(4)  See chapter I. INTRODUCTION of the Strategy, page 4.

(5)  Joint Communication from the European Commission and the High Representative of the Union for Foreign Affairs and Security Policy to the European Parliament and the Council, titled ‘The EU’s Cybersecurity Strategy for the Digital Decade’.

(6)  EDPS Opinion 5/2021 on the Cybersecurity Strategy and the NIS 2.0 Directive.

(7)  The current role of CERT-EU stems from the Interinstitutional Agreement 2018/C 12/01.

(8)  Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).

NOTICES FROM MEMBER STATES

5.7.2022   

EN

Official Journal of the European Union

C 258/13

Update of reference amounts for the crossing of the external borders, as referred to in Article 6(4) of Regulation (EU) 2016/399 of the European Parliament and of the Council on a Union Code on the rules governing the movement of persons across borders (Schengen Borders Code) (1)

(2022/C 258/08)

The publication of reference amounts for the crossing of the external borders, as referred to in Article 6(4) of Regulation (EU) 2016/399 of the European Parliament and of the Council of 9 March 2016 on a Union Code on the rules governing the movement of persons across borders (Schengen Borders Code) (2), is based on the information communicated by the Member States to the Commission in conformity with Article 39 of the Schengen Borders Code.

In addition to the publication in the Official Journal, a monthly update is available on the website of the Directorate-General for Migration and Home Affairs.

REFERENCE AMOUNTS REQUIRED FOR THE CROSSING OF THE EXTERNAL BORDER FIXED BY NATIONAL AUTHORITIES

ICELAND

Replacement of the information published in OJ C 247, 13.10.2006, p. 19.

Under Icelandic law, aliens must prove that they have enough money to meet their needs in Iceland and to make the return journey. In practice, the reference amount is set at ISK 8 000 per person per day. If the expenses connected with the stay are borne by a third party, the amount is halved. The total minimum amount is ISK 40 000 for each entry.

List of previous publications

OJ C 247, 13.10.2006, p. 19.

OJ C 77, 5.4.2007, p. 11.

OJ C 153, 6.7.2007, p. 22.

OJ C 164, 18.7.2007, p. 45.

OJ C 182, 4.8. 2007, p. 18.

OJ C 57, 1.3.2008, p. 38.

OJ C 134, 31.5.2008, p. 19.

OJ C 331, 31.12.2008, p. 13.

OJ C 33, 10.2. 2009, p. 1.

OJ C 36, 13.2. 2009, p. 100.

OJ C 37, 14.2.2009, p. 8.

OJ C 98, 29.4.2009, p. 11.

OJ C 35, 12.2.2010, p. 7.

OJ C 304, 10.11.2010, p. 5.

OJ C 24, 26.1.2011, p. 6.

OJ C 157, 27.5.2011, p. 8.

OJ C 203, 9.7.2011, p. 16.

OJ C 11, 13.1.2012, p. 13.

OJ C 72, 10.3.2012, p. 44.

OJ C 199, 7.7.2012, p. 8.

OJ C 298, 04.10.2012, p. 3.

OJ C 56, 26.2.2013, p. 13.

OJ C 98, 05.04.2013, p. 3.

OJ C 269, 18.09.2013, p. 2.

OJ C 57, 28.2.2014, p. 2.

OJ C 152, 20.5.2014, p. 25.

OJ C 224, 15.7.2014, p. 31.

OJ C 434, 4.12.2014, p. 3.

OJ C 447, 13.12.2014, p. 32.

OJ C 38, 4.2.2015, p. 20.

OJ C 96, 11.3.2016, p. 7.

OJ C 146, 26.4.2016, p.12.

OJ C 248, 8.7.2016, p. 12.

OJ C 111, 8.4.2017, p. 11.

OJ C 21, 20.1.2018, p. 3.

OJ C 93, 12.3.2018, p. 4.

OJ C 153, 2.5.2018, p. 8.

OJ C 186, 31.5.2018, p. 10.

OJ C 264, 26.07.2018, p. 6.

OJ C 366, 10.10.2018, p. 12.

OJ C 459, 20.12.2018, p. 38.

OJ C 140, 16.4. 2019, p. 7.

OJ C 178, 28.5. 2020, p. 3.

OJ C 102, 24.3. 2021, p. 8.

OJ C 486, 3.12. 2021, p. 26.

OJ C 139, 29.3. 2022, p. 3.

OJ C 143, 31.3. 2022, p. 6.

(1)  See the list of previous publications at the end of this update.

(2)  OJ L 77, 23.3.2016, p. 1.