Security threats connected with the rising Chinese technological presence in the EU and possible action on the EU level to reduce them

The European Parliament calls for a common approach to cybersecurity

TA-8-2019-0156_EN

1. Believes that the Union must take the lead on cybersecurity, by means of a common approach based on the effective and efficient use of EU, Member State and industry expertise, since a patchwork of divergent national decisions would be detrimental to the digital single market;
2. Expresses deep concern about the recent allegations that 5G equipment developed by Chinese companies may have embedded backdoors that would allow manufacturers and authorities to have unauthorised access to private and personal data and telecommunications from the EU;
3. Is equally concerned about the potential presence of major vulnerabilities in the 5G equipment developed by these manufacturers if they were to be installed when rolling out 5G networks in the coming years;
4. Underlines that the implications for the security of networks and equipment are similar around the world and calls for the EU to draw lessons from the experience available, in order to be able to ensure the highest standards of cybersecurity; calls on the Commission to develop a strategy that puts Europe in a leading position in cybersecurity technology and is aimed at reducing Europe’s dependency on foreign technology in the field of cybersecurity; is of the view that whenever compliance with security requirements cannot be guaranteed adequate measures must be applied;
5. Calls on the Member States to inform the Commission of any national measure they intend to adopt in order to coordinate the Union’s response so as to ensure the highest standards of cybersecurity throughout the Union, and reiterates the importance of refraining from introducing disproportionate unilateral measures that would fragment the single market;
6. Reiterates that any entities providing equipment or services in the EU, irrespective of their country of origin, must comply with fundamental rights obligations and with EU and Member State law, including the legal framework as regards privacy, data protection and cybersecurity;
7. Calls on the Commission to assess the robustness of the Union’s legal framework in order to address concerns about the presence of vulnerable equipment in strategic sectors and backbone infrastructure; urges the Commission to present initiatives, including legislative proposals where appropriate, to address in due time any shortfalls detected, since the Union is in a constant process of identifying and addressing cybersecurity challenges and enhancing cybersecurity resilience in the EU;
8. Urges those Member States that have not yet fully transposed the NIS Directive to do so without delay, and calls on the Commission to monitor this transposition closely so as to ensure that its provisions are properly applied and enforced and that European citizens are better protected from external and internal security threats;
9. Urges the Commission and Member States to make sure that the reporting mechanisms introduced by the NIS Directive are properly applied; notes that the Commission and the Member States should follow up thoroughly on any security incidents or inappropriate reactions of suppliers, so as to address detected gaps;
10. Calls on the Commission to assess the need to further enlarge the scope of the NIS Directive to other critical sectors and services that are not covered by sector-specific legislation;
11. Welcomes and supports the agreement reached on the Cybersecurity Act and the reinforcement of the mandate of the EU Agency for Network and Information Security (ENISA), in order to better support Member States in tackling cybersecurity threats and attacks;
12. Urges the Commission to mandate ENISA to make it a priority to work on a certification scheme for 5G equipment in order to ensure that the rollout of 5G in the Union meets the highest security standards and is resilient to backdoors or major vulnerabilities that would endanger the security of the Union’s telecommunication networks and dependent services; recommends that special attention be given to commonly used processes, products and software that by their sheer scale have a significant impact on the day-to-day life of citizens and the economy;
13. Warmly welcomes the proposals on cybersecurity competence centres and a network of national coordination centres, which are designed to help the EU retain and develop the technological and industrial capacities in cybersecurity that are needed to secure its digital single market; recalls, however, that certification should not exclude competent authorities and operators from scrutinising the supply chain in order to ensure the integrity and security of their equipment that operates in critical environments and telecom networks;
14. Recalls that cybersecurity demands high security standards; calls for a network that is secure by default and by design; urges the Member States, together with the Commission, to explore all available means to ensure a high level of security;
15. Calls on the Commission and the Member States, in cooperation with ENISA, to provide guidance on how to tackle cyber threats and vulnerabilities when procuring 5G equipment, for example by diversifying equipment from different vendors or introducing multi-phase procurement processes;
16. Reaffirms its position on the Digital Europe programme, which imposes security requirements and Commission oversight on entities established in the EU but controlled from third countries, in particular for cybersecurity-related actions;
17. Calls on the Member States to ensure that public institutions and private companies involved in ensuring the proper functioning of critical infrastructure networks such as telecoms, energy, health and social systems, undertake relevant risk assessments that take into account the security threats specifically linked to technical features of the respective system or dependence on external suppliers of hardware and software technologies;
18. Recalls that the current legal framework on telecommunications mandates the Member States to ensure that telecoms operators comply with the integrity and availability of public electronic communication networks, including end-to-end encryption where appropriate; highlights that under the European Electronic Communications Code, Member States have extensive powers to investigate products on the EU market and apply a wide variety of remedies in the event of their non-compliance;
19. Calls on the Commission and the Member States to make security an obligatory aspect in all public procurement procedures for relevant infrastructure at both EU and national level;
20. Reminds Member States of their obligation under the EU legal framework, notably Directive 2013/40/EU on attacks against information systems, to impose sanctions on legal persons that have committed criminal offences such as attacks against such systems; emphasises that Member States should also make use of their ability to impose other sanctions on these legal entities, such as temporary or permanent disqualification from practicing commercial activities;
21. Calls on the Member States, cybersecurity agencies, telecoms operators, manufacturers and providers of critical infrastructure services to report to the Commission and ENISA any evidence of backdoors or other major vulnerabilities that could compromise the integrity and security of telecoms networks or infringe Union law and fundamental rights; expects national data protection authorities as well as the European Data Protection Supervisor to thoroughly investigate indications of data breaches of personal data by external vendors and to impose appropriate penalties and sanctions in line with European data protection law;
22. Welcomes the upcoming entry into force of a regulation establishing a framework for the screening of foreign direct investments (FDI) for reasons of security and public order, and underlines that this regulation establishes for the first time a list of areas and factors, including communications and cybersecurity, which are relevant for security and public order at EU level;
23. Calls on the Council to speed up its work on the proposed ePrivacy Regulation;
24. Reiterates that the EU needs to support cybersecurity across the entire value chain, from research to the deployment and uptake of key technologies, disseminate relevant information, and promote cyber hygiene and educational curricula including cybersecurity, and believes that, among other measures, the Digital Europe programme will be an efficient tool for that;
25. Urges the Commission and the Member States to take the necessary steps, including robust investment schemes, to create an innovation-friendly environment within the EU, which should be accessible to all businesses in the EU digital economy, including small and medium-sized enterprises (SMEs); urges, furthermore, that such an environment should allow European vendors to develop new products, services and technologies which would enable them to be competitive;
26. Urges the Commission and the Member States to take into account the above requests in the framework of the upcoming discussions on the future EU-China strategy, as preconditions for the EU to remain competitive and for ensuring the security of its digital infrastructure;
27. Instructs its President to forward this resolution to the Council and the Commission.
