2023/0108(COD) | [ParlTrack]

2023/0108(COD) Managed security services

Progress: Awaiting Parliament's position in 1st reading

Role	Committee	Rapporteur	Shadows
Lead	ITRE	CUTAJAR Josianne ( S&D)	NIEBLER Angelika ( EPP), GROOTHUIS Bart ( Renew), NIINISTÖ Ville ( Verts/ALE), TOŠENOVSKÝ Evžen ( ECR)
Committee Opinion	IMCO	CAVAZZINI Anna ( Verts/ALE)
Committee Opinion	LIBE

Lead committee dossier:

ITRE/9/11804

Legal Basis:

TFEU 114

Subjects

Events

2024/04/24

Vote scheduled

2024/03/21

CSL - Coreper letter confirming interinstitutional agreement

Documents

GEDA/A/(2024)001687

2024/03/20

EP - Text agreed during interinstitutional negotiations

Documents

PE760.887

2024/03/20

EP - Approval in committee of the text agreed at 1st reading interinstitutional negotiations

Documents

PE760.887

2023/11/09

EP - Committee decision to enter into interinstitutional negotiations confirmed by plenary (Rule 71)

2023/11/08

EP - Committee decision to enter into interinstitutional negotiations announced in plenary (Rule 71)

2023/10/26

EP - Committee report tabled for plenary, 1st reading

Details

The Committee on Industry, Research and Energy adopted the report by Josianne CUTAJAR (S&D, MT) on the proposal for a regulation of the European Parliament and of the Council amending Regulation (EU) 2019/881 as regards managed security services.

The committee responsible recommended that the European Parliament's position adopted at first reading under the ordinary legislative procedure should amend the proposal as follows:

Changes to the definition of managed security service

The report stated that managed security services, which are services consisting of carrying out, or providing assistance for, activities relating to their customers’ cybersecurity risk management, including detection, response to or recovery from incidents, have gained increasing importance in the prevention and mitigation of cybersecurity incidents. The activities of the providers of managed security services consist of services relating to prevention, identification, protection, detection, analysis, containment, response and recovery, including, but not limited to, cyber threat intelligence provision, real time threat monitoring through proactive techniques, including security-by-design, risk assessment, extended detection, remediation and response.

The Union rolling work programme for European cybersecurity certification

According to Members, the Union rolling work programme should include a list of ICT products, ICT services and ICT processes or categories thereof, and managed security services, that are capable of benefiting from being included in the scope of a European cybersecurity certification scheme. In that context, the Commission should include an in-depth assessment of existing training paths to bridge identified skills gaps and a list of proposals for addressing the needs for skilled employees and types of skills.

SMEs

Members considered that the Commission should ensure appropriate financial support in the regulatory framework of existing Union programmes, in particular in order to ease the financial burden on microenterprises and SMEs, including start-ups acting in the field of managed security services.

Evaluation and review

By 28 June 2024, and every three years thereafter, the Commission should assess the impact, effectiveness and efficiency of ENISA and of its working practices, the possible need to modify ENISA’s mandate and the financial implications of any such modification. The evaluation should assess: (i) the efficiency and effectiveness of the procedures leading to consultation, preparation and adoption of European cybersecurity certification schemes, as well as ways to improve and accelerate those procedures; (ii) whether essential cybersecurity requirements for access to the internal market are necessary in order to prevent ICT products, ICT services, ICT processes and managed security services which do not meet basic cybersecurity requirements from entering the Union market.

Documents

A9-0307/2023

2023/10/25

EP - Vote in committee, 1st reading

2023/10/25

EP - Committee decision to open interinstitutional negotiations with report adopted in committee

2023/09/21

EP - Amendments tabled in committee

Documents

PE753.562

2023/09/21

EP - Specific opinion

Documents

PE749.983

2023/09/07

EP - Committee draft report

Documents

PE752.802

2023/08/01

CZ_SENATE - Contribution

Documents

COM(2023)0208

2023/07/20

PT_PARLIAMENT - Contribution

Documents

COM(2023)0208

2023/07/13

ESC - Economic and Social Committee: opinion, report

Documents

CES2408/2023

2023/06/29

CZ_CHAMBER - Contribution

Documents

COM(2023)0208

2023/06/01

EP - Committee referral announced in Parliament, 1st reading

2023/05/23

EP - CAVAZZINI Anna (Verts/ALE) appointed as rapporteur in IMCO

2023/05/02

EP - CUTAJAR Josianne (S&D) appointed as rapporteur in ITRE

2023/04/18

EC - Legislative proposal published

Details

PURPOSE: to create European cybersecurity certification schemes for managed security services.

PROPOSED ACT: Regulation of the European Parliament and of the Council.

ROLE OF THE EUROPEAN PARLIAMENT: the European Parliament decides in accordance with the ordinary legislative procedure and on an equal footing with the Council.

BACKGROUND: Regulation (EU) 2019/881 of the European Parliament and of the Council on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification sets up a framework for the establishment of European cybersecurity certification schemes for the purpose of ensuring an adequate level of cybersecurity for ICT products, ICT services and ICT processes in the Union, as well as for the purpose of avoiding the fragmentation of the internal market with regard to cybersecurity certification schemes in the Union.

Managed security services , which are services consisting of carrying out, or providing assistance for, activities relating to their customers’ cybersecurity risk management, have gained increasing importance in the prevention and mitigation of cybersecurity incidents. Accordingly, the providers of those services are considered as essential or important entities belonging to a sector of high criticality pursuant to Directive (EU) 2022/2555 of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union.

Managed security service providers in areas such as incident response, penetration testing, security audits and consultancy, play a particularly important role in assisting entities in their efforts to prevent, detect, respond to or recover from incidents. They have however also themselves been the target of cyberattacks and pose a particular risk because of their close integration in the operations of their customers.

Some Member States have already begun adopting certification schemes for managed security services. There is therefore a growing risk of fragmentation of the internal market for managed security services owing to inconsistencies in cybersecurity certification schemes across the Union. This proposal aims to prevent such fragmentation.

CONTENT: the proposed targeted amendment to amend the scope of the European cybersecurity certification framework in the Cybersecurity Act aims to enable, by means of Commission implementing acts, the adoption of European cybersecurity certification schemes for ‘managed security services’ , in addition to information and technology (ICT) products, ICT services and ICT processes, which are already covered under the Cybersecurity Act.

The proposal also introduces a definition of those services, which is very closely aligned to the definition of ‘managed security services providers’ under the NIS 2 Directive (Article 2 of the Cybersecurity Act). It also adds new provisions on the security objectives of European cybersecurity certification adapted to ‘managed security services’.

Lastly, a number of technical amendments are made to ensure that the relevant articles apply also to ‘managed security services’.

Documents

COM(2023)0208
EUR-Lex

Documents

Coreper letter confirming interinstitutional agreement: GEDA/A/(2024)001687
Text agreed during interinstitutional negotiations: PE760.887
Approval in committee of the text agreed at 1st reading interinstitutional negotiations: PE760.887
Committee report tabled for plenary, 1st reading: A9-0307/2023
Amendments tabled in committee: PE753.562
Specific opinion: PE749.983
Committee draft report: PE752.802
Contribution: COM(2023)0208
Contribution: COM(2023)0208
Economic and Social Committee: opinion, report: CES2408/2023
Contribution: COM(2023)0208
Legislative proposal published: COM(2023)0208
Legislative proposal published: EUR-Lex
Economic and Social Committee: opinion, report: CES2408/2023
Committee draft report: PE752.802
Amendments tabled in committee: PE753.562
Specific opinion: PE749.983
Text agreed during interinstitutional negotiations: PE760.887
Coreper letter confirming interinstitutional agreement: GEDA/A/(2024)001687
Contribution: COM(2023)0208
Contribution: COM(2023)0208
Contribution: COM(2023)0208

Amendments	Dossier
36	2023/0108(COD) 2023/09/21 ITRE 36 amendments... Amendment 17 # Evžen TOŠENOVSKÝ Proposal for a regulation Recital 2 (2) Managed security services~~, which ar~~ are services provided by the managed security service providers pursuant to point (40) of Article 6 of Directive (EU) 2022/2555 of the European Parliament and of the Council. Those services consist~~ing~~ of carrying out, or providing assistance for, activities relating to their customers’ cybersecurity risk management, have gained increasing importance in the prevention and mitigation of cybersecurity incidents. Accordingly, the ~~providers of those service~~managed security service providers are considered as essential or important entities belonging to a sector of high criticality pursuant to point 10 of Annex I of Directive (EU) 2022/2555 ~~of the European Parliament and of the Council8~~ . Pursuant to Recital 86 of that Directive, managed security service providers in areas such as incident response, penetration testing, security audits and consultancy, play a particularly important role in assisting entities in their efforts to prevent, detect, respond to or recover from incidents. Managed security service providers have however also themselves been the target of cyberattacks and pose a particular risk because of their close integration in the operations of their customers. Essential and important entities within the meaning of Directive (EU) 2022/2555 should therefore exercise increased diligence in selecting a managed security service provider. __________________ 8 Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (OJ L 333, 27.12.2022, p. 80). Amendment 18 # Angelika NIEBLER, Pilar del CASTILLO VERA, Tomas TOBÉ, Maria da Graça CARVALHO, Sara SKYTTEDAL, Ivan ŠTEFANEC, Cristian-Silviu BUŞOI, Ioan-Rareş BOGDAN Proposal for a regulation Recital 2 (2) Managed security services, which are services consisting of carrying out, or providing assistance for, activities relating to their customers’ cybersecurity risk management, including incident prevention, detection, responce or recovery, have gained increasing importance in the prevention and mitigation of cybersecurity incidents. Accordingly, the providers of those services are considered as essential or important entities belonging to a sector of high criticality pursuant to Directive (EU) 2022/2555 of the European Parliament and of the Council8 . Pursuant to Recital 86 of that Directive, managed security service providers in areas such as incident response, penetration testing, security audits and consultancy, play a particularly important role in assisting entities in their efforts to prevent, detect, respond to or recover from incidents. Managed security service providers have however also themselves been the target of cyberattacks and pose a particular risk because of their close integration in the operations of their customers. Essential and important entities within the meaning of Directive (EU) 2022/2555 should therefore exercise increased diligence in selecting a managed security service provider. __________________ 8 Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (OJ L 333, 27.12.2022, p. 80). Amendment 19 # Evžen TOŠENOVSKÝ Proposal for a regulation Recital 3 (3) Managed security services providers also play an important role in the EU Cybersecurity Reserve whose gradual set-up is supported by Regulation (EU) …/…. [laying down measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cybersecurity threats and incidents] The EU Cybersecurity Reserve is to be used to support response and immediate recovery actions in case of significant and large- scale cybersecurity incidents. Regulation (EU) …/…[laying down measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cybersecurity threats and incidents] lays down a selection process for the trusted managed security service providers forming the EU Cybersecurity Reserve, which should, inter alia, take into account whether the provider concerned has obtained a European or national cybersecurity certification. The relevant services provided by ‘trusted providers’ according to Regulation (EU) …./…..[laying down measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cybersecurity threats and incidents] correspond to ‘managed security services’ in accordance with this RegulationMoreover, once an European cybersecurity certification scheme for managed security service is in place, which would also replace all relevant national cybersecurity certification schemes, a compulsory certificication in accordance with that certification scheme should apply for inclusion of the trusted managed security service providers in the EU Cybersecurity Reserve. Amendment 20 # Johan NISSINEN Proposal for a regulation Recital 4 (4) Certification of managed security services is not only relevant in the selection process for the EU Cybersecurity Reserve but it is also an essential quality indicator for private and public entities that intend to purchase such services. In light of the criticality of the managed security services and the sensitivity of the data they process, certification could provide potential customers with important guidance and assurance about the trustworthiness of these services. European certification schemes for managed security services contribute to avoiding fragmentation of the single market. This Regulation therefore aims at enhancing the functioning of the internal market. At the same time, these multiple purposes of the regulation should strike a balance with the potential regulatory burden and costs associated with certification, given that compliance with certification requirements will involve additional expenses and administrative efforts, which could be a concern for smaller providers. Amendment 21 # Ville NIINISTÖ Proposal for a regulation Recital 4 a (new) (4 a) As the market and the educational systems offer variety of educational resources and formal trainings, it must be underlined that knowledge is also aquired in non-formal ways and skills can be demonstrated via degrees and certification but not exclusively. Especially in the curent fast evolving threat landscape, Member States and the beneficiaries of managed security services should take into account the highly skilled vulnerability researchers. Moreover entities and natural persons researching vulnerabilities may in some Member States be exposed to criminal and civil liability therefore Member States are encouraged to issue guidelines for non- prosecution of information security research and an exception for civil liability for those activities. Amendment 22 # Josianne CUTAJAR Proposal for a regulation Recital 4 a (new) (4 a) The Union certification scheme for managed security services should ensure the availability of secure and high quality services which guarantee a safe digital transition and contribute to the achievement of targets set up in the Path to the Digital Decade Policy Programme8a, especially with regards to the goal that 75% of EU companies start using Cloud/AI/Big Data, that more than 90% of SMEs reach at least a basic level of digital intensity and that key public services are offered online. __________________ 8a Decision (EU) 2022/2481 of the European Parliament and of the Council of 14 December 2022 establishing the Digital Decade Policy Programme 2030 Amendment 23 # Angelika NIEBLER, Pilar del CASTILLO VERA, Tomas TOBÉ, Maria da Graça CARVALHO, Sara SKYTTEDAL, Ivan ŠTEFANEC, Cristian-Silviu BUŞOI, Ioan-Rareş BOGDAN Proposal for a regulation Recital 4 a (new) (4 a) European certification schemes for managed security services should facilitate the use of these services, particularly for smaller entities, including local and regional authorities or SMEs, which often do not have the financial and human capacity to conduct these services by themselves, but are vulnerable to cyber attacks with potentially significant consequences. Amendment 24 # Josianne CUTAJAR Proposal for a regulation Recital 5 (5) In addition to the deployment of ICT products, ICT services or ICT processes, managed security services often provide additional service features that rely on the competences, expertise and experience of their personnel. A very high level of these competences, expertise and experience as well as appropriate internal procedures should be part of the security objectives in order to ensure a very high quality of the managed security services provided. In order to ensure that all aspects of a managed security service can be covered by a certification scheme, it is therefore necessary to amend Regulation (EU) 2019/881. The certification scheme established under this Regulation should also take into account the results and recommendations of the evaluation and review provided for under Article 67 thereof. The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council and delivered an opinion on [DD/MM/YYYY Amendment 25 # Angelika NIEBLER, Pilar del CASTILLO VERA, Tomas TOBÉ, Maria da Graça CARVALHO, Sara SKYTTEDAL, Ivan ŠTEFANEC, Cristian-Silviu BUŞOI, Ioan-Rareş BOGDAN Proposal for a regulation Recital 5 (5) In addition to the deployment of ICT products, ICT services or ICT processes, managed security services often provide additional service features that rely on the competences, expertise and experience of their personnel. A very high level of these competences, expertise and experience as well as appropriate internal procedures should be part of the security objectives in order to ensure a very high quality and reliability of the managed security services provided. In order to ensure that all aspects of a managed security service can be covered by a certification scheme, it is therefore necessary to amend Regulation (EU) 2019/881. The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council and delivered an opinion on [DD/MM/YYYY Amendment 26 # Evžen TOŠENOVSKÝ Proposal for a regulation Recital 5 (5) In addition to the deployment of ICT products, ICT services or ICT processes, managed security services often provide additional service features that rely on the competences, expertise and experience of their personnel. A very high level of these competences, expertise and experience as well as appropriate internal procedures should be part of the security objectives in order to ensure a very high quality of the managed security services provided. In order to ensure that all aspects of a managed security service can be covered by a dedicated certification scheme, it is therefore necessary to amend Regulation (EU) 2019/881. The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council and delivered an opinion on [DD/MM/YYYY Amendment 27 # Angelika NIEBLER, Pilar del CASTILLO VERA, Tomas TOBÉ, Maria da Graça CARVALHO, Sara SKYTTEDAL, Ivan ŠTEFANEC, Cristian-Silviu BUŞOI, Ioan-Rareş BOGDAN Proposal for a regulation Recital 5 a (new) (5 a) Given that the European cybersecurity schemes should certifiy that managed security services are provided by highly-skilled personnel that is able to reliably deliver these services and ensure the highest standards of cybersecurity, it is imperative that there is sufficient availability of highly-qualified personnel in the Union. Yet, the Union is faced with a talent gap, characterized by a shortage of skilled professionals, and a rapidly evolving threat landscape as acknowledged in the Commission communication of 18 April 2023 on the Cybersecurity Skills Academy. It is important to bridge this talent gap by strengthening cooperation and coordination among the different stakeholders, including the private sector, academia, Member States, the Commission and ENISA to scale up and create synergies for the investment in education and training, the development of public-private partnerships, support of research and innovation initiatives, the development and mutual recognition of common standards and certification of cybersecurity skills, including through the European Cyber Security Skills Framework. This should also facilitate the mobility of cybersecurity professionals within the Union. Amendment 28 # Johan NISSINEN Proposal for a regulation Recital 5 a (new) (5 a) Given that, certification schemes will add complexity to an already complex regulatory landscape, it is of critical importance to prevent potential overlaps or conflicts with existing cybersecurity regulations and standards. Stresses further the need for careful consideration and proportionality in the implementation of the regulation, in order to reduce negative effects on market freedom and innovation. Amendment 29 # Josianne CUTAJAR Proposal for a regulation Recital 5 a (new) (5 a) Appropriate funding and resources should be considered to accompany the additional tasks entrusted to ENISA by this Act. Amendment 30 # Evžen TOŠENOVSKÝ Proposal for a regulation Article 1 – paragraph 1 – point 2 – point a – introductory part (a) points 7, 9, 10 and 11 are replaced by the following: Amendment 31 # Evžen TOŠENOVSKÝ Proposal for a regulation Article 1 – paragraph 1 – point 2 – point a Regulation (EU) 2019/881 Article 2 – point 7 (7) ‘incident handling’ means incident handling as defined in point (8) of Article 6 of Directive (EU) 2022/2555; Amendment 32 # Evžen TOŠENOVSKÝ Proposal for a regulation Article 1 – paragraph 1 – point 2 – point b – introductory part (b) the following point iss are inserted: Amendment 33 # Evžen TOŠENOVSKÝ Proposal for a regulation Article 1 – paragraph 1 – point 2 – point b Regulation (EU) 2019/881 Article 2 – point 7a (7a) ‘risk’ means risk as defined in point (9) of Article 6 of Directive (EU) 2022/2555; Amendment 34 # Evžen TOŠENOVSKÝ Proposal for a regulation Article 1 – paragraph 1 – point 2 – point b Regulation (EU) 2019/881 Article 2 – point 14a (14a) ‘managed security service’ means a ~~service consisting of carrying out, or providing assistance for, activities relat~~managed security service withing t~~o cybersecurity risk management, including incident response, penetration testing, security audits and consultancy~~he meaning of point (40) of Article 6 of Directive (EU) 2022/2555; Amendment 35 # Angelika NIEBLER, Pilar del CASTILLO VERA, Tomas TOBÉ, Maria da Graça CARVALHO, Sara SKYTTEDAL, Ivan ŠTEFANEC, Cristian-Silviu BUŞOI, Ioan-Rareş BOGDAN Proposal for a regulation Article 1 – paragraph 1 – point 2 – point b (14a) ‘managed security service’ means a managed service consisting of carrying out, or providing assistance for, activities relating to cybersecurity risk management, including incident pre~~sponse, penetration~~ vention, detescti~~ng, security audits and consultanc~~on, response, or recovery; Amendment 36 # Evžen TOŠENOVSKÝ Proposal for a regulation Article 1 – paragraph 1 – point 2 – point b Regulation (EU) 2019/881 Article 2 – point 14aa (14aa) ‘managed security service provider’ means managed a security service provider as defined in point (40) of Article 6 of Directive (EU) 2022/2555; Amendment 37 # Ville NIINISTÖ Proposal for a regulation Article 1 – paragraph 1 – point 6 Regulation (EU) 2019/881 Article 47 – paragraph 2 2. The Union rolling work programme shall in particular include a list of ICT products, ICT services and ICT processes or categories thereof, and managed security services, that are capable of benefiting from being included in the scope of a European cybersecurity certification scheme. Support measures to asses the needs for skilled employees, types of skills, existing training paths must be included along with measures to bridge any identified gaps. Amendment 38 # Bart GROOTHUIS, Alin MITUȚA, Ivars IJABS, Andrus ANSIP, Morten LØKKEGAARD Proposal for a regulation Article 1 – paragraph 1 – point 6 Regulation (EU) 2019/881 Article 47 – paragraph 3 – point a (a) the availability and the development of national cybersecurity certification schemes and international and industry standards covering a specific category of ICT products, ICT services, or ICT processes or managed security services and, in particular, as regards the risk of fragmentation; Amendment 39 # Angelika NIEBLER, Pilar del CASTILLO VERA, Tomas TOBÉ, Maria da Graça CARVALHO, Sara SKYTTEDAL, Ivan ŠTEFANEC, Cristian-Silviu BUŞOI, Ioan-Rareş BOGDAN Proposal for a regulation Article 1 – paragraph 1 – point 7 Regulation (EU) 2019/881 Article 49 – paragraph 7 (7) in Article 49, paragraph 7 is replaced by the following: 7. The Commission, based on the candidate scheme prepared by ENISA, may adopt implementing acts providing for a European cybersecurity certification scheme for ICT products, ICT services, ICT processes and managed security services which meets the requirements set out in Articles 51, 52 and 54. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 66(2).;deleted Amendment 40 # Bart GROOTHUIS, Alin MITUȚA, Ivars IJABS, Andrus ANSIP, Morten LØKKEGAARD, Nicola DANTI Proposal for a regulation Article 1 – paragraph 1 – point 7 Regulation (EU) 2019/881 Article 49 – paragraph 7 7. The Commission, based on the candidate scheme prepared by ENISA, may adopt ~~implementing~~delegated acts providing for a European cybersecurity certification scheme for ICT products, ICT services, ICT processes and managed security services which meets the requirements set out in Articles 51, 52 and 54. (Th~~ose implementing acts shall be adopted in accordance with the examination procedure referred to in Article 66(2).;~~is amendment applies throughout the text. Adopting it will necessitate corresponding changes throughout.) Amendment 41 # Bart GROOTHUIS, Alin MITUȚA, Ivars IJABS, Andrus ANSIP, Morten LØKKEGAARD, Nicola DANTI Proposal for a regulation Article 1 – paragraph 1 – point 7 Regulation (EU) 2019/881 Article 49 – paragraph 7a (new) 7 a. Prior to adopting such delegated acts, the Commission, in cooperation with ENISA, shall carry out and publish an impact assessment of the proposed European cybersecurity certiciation scheme. While preparing the impact assessment, the Commission shall carry out public consultations and consultations with the SCCG and ECCG. Amendment 42 # Angelika NIEBLER, Pilar del CASTILLO VERA, Tomas TOBÉ, Maria da Graça CARVALHO, Sara SKYTTEDAL, Ivan ŠTEFANEC, Cristian-Silviu BUŞOI, Ioan-Rareş BOGDAN Proposal for a regulation Article 1 – paragraph 1 – point 7 a (new) Regulation (EU) 2019/881 Article 49 – paragraph 7a (new) (7 a) the following paragraph is inserted: '7a. The Commission, based on the candidate scheme prepared by ENISA, may adopt delegated acts providing for a European cybersecurity certification scheme for managed security services which meets the requirements set out in Articles 51, 52, and 54. Those delegated acts shall be adopted in accordance with the procedure referred to in Article 66a.' Amendment 43 # Angelika NIEBLER, Pilar del CASTILLO VERA, Tomas TOBÉ, Maria da Graça CARVALHO, Sara SKYTTEDAL, Ivan ŠTEFANEC, Cristian-Silviu BUŞOI, Ioan-Rareş BOGDAN Proposal for a regulation Article 1 – paragraph 1 – point 9 Regulation (EU) 2019/881 Article 51a – paragraph 1 – point b (b) ensure that the provider has appropriate internal procedures in place to ensure that the managed security services are provided at a very high level of quality and reliability at all times ; Amendment 44 # Angelika NIEBLER, Pilar del CASTILLO VERA, Tomas TOBÉ, Maria da Graça CARVALHO, Sara SKYTTEDAL, Ivan ŠTEFANEC, Cristian-Silviu BUŞOI, Ioan-Rareş BOGDAN Proposal for a regulation Article 1 – paragraph 1 – point 9 Regulation (EU) 2019/881 Article 51a – paragraph 1 – point g (g) ensure that the ICT products, ICT services and ICT processes [and the hardware] deployed in the provision of the managed security services are secure by default and by design, are provided with up-to-date software and hardware, do not contain known vulnerabilities and include the latest security updates;; Amendment 45 # Evžen TOŠENOVSKÝ Proposal for a regulation Article 1 – paragraph 1 – point 9 Regulation (EU) 2019/881 Article 51a – paragraph 1 – point g (g) ensure that the ICT products, ICT services and ICT processes ~~[and the hardware]~~ deployed in the provision of the managed security services are secure by default and by design, do not contain known vulnerabilities and include the latest security updates;; Amendment 46 # Angelika NIEBLER, Pilar del CASTILLO VERA, Tomas TOBÉ, Maria da Graça CARVALHO, Sara SKYTTEDAL, Ivan ŠTEFANEC, Cristian-Silviu BUŞOI, Ioan-Rareş BOGDAN Proposal for a regulation Article 1 – paragraph 1 – point 13 – point b – point ii – point aa Regulation (EU) 2019/881 Article 56 – paragraph 3 – third subparagraph – point a (a) take into account the impact of the measures on the manufacturers or providers of such ICT products, ICT services, ICT processes or managed security services and on the users in terms of the cost of those measures and the societal or economic benefits stemming from the anticipated enhanced level of security for the targeted ICT products, ICT services, ICT processes or managed security services;, , including SMEs. The Commission shall ensure that SMEs have access to appropriate financial support in the implementation of the measures through already existing Union programmes; Amendment 47 # Bart GROOTHUIS, Alin MITUȚA, Ivars IJABS, Andrus ANSIP, Morten LØKKEGAARD, Nicola DANTI Proposal for a regulation Article 1 – paragraph 1 – point 14 1. Without prejudice to paragraph 3 of this Article, national cybersecurity certification schemes, and the related procedures for the ICT products, ICT services, ICT processes and managed security services that are covered by a European cybersecurity certification scheme shall cease to produce effects from the date established in the ~~implementing act adopted pursuant to Article 49(7)~~delegated act. National cybersecurity certification schemes and the related procedures for the ICT products, ICT services, ICT processes and managed security services that are not covered by a European cybersecurity certification scheme shall continue to exist. (This amendment applies throughout the text. Adopting it will necessitate corresponding changes throughout.) Amendment 48 # Angelika NIEBLER, Pilar del CASTILLO VERA, Tomas TOBÉ, Maria da Graça CARVALHO, Sara SKYTTEDAL, Ivan ŠTEFANEC, Cristian-Silviu BUŞOI, Ioan-Rareş BOGDAN Proposal for a regulation Article 1 – paragraph 1 – point 16 a (new) Regulation (EU) 2019/881 Article 66a (new) (16 a) The following Article is inserted: Article 66a (new) Exercise of the delegation 1. The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article. 2. The power to adopt delegated acts referred to in Article 49 (7a) shall be conferred on the Commission for a period of 5 years from … [date of entry into force of the basic legislative act or any other date set by the co-legislators]. The Commission shall draw up a report in respect of the delegation of power not later than nine months before the end of the 5 year period. The delegation of power shall be tacitly extended for periods of an identical duration, unless the European Parliament or the Council opposes such extension not later than three months before the end of each period. 3. The delegation of power referred to in Article 49 (7a) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force 4. Before adopting a delegated act, the Commission shall consult experts designated by each Member State in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making. 5. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council. 6. A delegated act adopted pursuant to Article 49 (7a) shall enter into force only if no objection has been expressed either by the European Parliament or by the Council within a period of two months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by [two months] at the initiative of the European Parliament or of the Council. Amendment 49 # Evžen TOŠENOVSKÝ Proposal for a regulation Article 1 – paragraph 1 – point 17 – introductory part Regulation (EU)2019/881 Article 67 (17) in Article 67, paragraphs 21, 2, 3 and 34 are replaced by the following: Amendment 50 # Evžen TOŠENOVSKÝ Proposal for a regulation Article 1 – paragraph 1 – point 17 Regulation (EU) 2019/881 Article 67 – paragraph 1 1 By 28 June 2024, and every four years thereafter, the Commission shall evaluate the impact, effectiveness and efficiency of ENISA and of its working practices, the possible need to modify ENISA’s mandate and the financial implications of any such modification. The evaluation shall take into account any feedback provided to ENISA in response to its activities. Where the Commission considers that the continued operation of ENISA is no longer justified in light of the objectives, mandate and tasks assigned to it, the Commission may propose that this Regulation be amended with regard to the provisions related to ENISA. Amendment 51 # Evžen TOŠENOVSKÝ Proposal for a regulation Article 1 – paragraph 1 – point 17 Regulation (EU) 2019/881 Article 67 – paragraph 2 2. The evaluation shall also assess the impact, effectiveness and efficiency of the provisions of Title III of this Regulation with regard to the objectives of ensuring an adequate level of cybersecurity of ICT products, ICT services, ICT processes and managed security services in the Union and improving the functioning of the internal market, including assessment of the procedure and timelines leading to preparation and adoption of the first European cybersecurity certification schemes and how this procedure could be improved and accelerated for subsequent certification schemes. Amendment 52 # Evžen TOŠENOVSKÝ Proposal for a regulation Article 1 – paragraph 1 – point 17 Regulation (EU) 2019/881 Article 67 – paragraph 4 4. By 28 June 2024, and every four years thereafter, the Commission shall transmit a report on the evaluation together with its conclusions to the European Parliament, to the Council and to the Management Board. The findings of that report shall be made public. The report shall be accompanied, where necessary, by a legislative proposal. source: 753.562

Amendments

Dossier

2023/0108(COD)

2023/09/21 ITRE 36 amendments...

Amendment 17 #

Evžen TOŠENOVSKÝ

Proposal for a regulation
Recital 2

(2) Managed security services~~, which ar~~ are services provided by the managed security service providers pursuant to point (40) of Article 6 of Directive (EU) 2022/2555 of the European Parliament and of the Council. Those services consist~~ing~~ of carrying out, or providing assistance for, activities relating to their customers’ cybersecurity risk management, have gained increasing importance in the prevention and mitigation of cybersecurity incidents. Accordingly, the ~~providers of those service~~managed security service providers are considered as essential or important entities belonging to a sector of high criticality pursuant to point 10 of Annex I of Directive (EU) 2022/2555 ~~of the European Parliament and of the Council8~~ . Pursuant to Recital 86 of that Directive, managed security service providers in areas such as incident response, penetration testing, security audits and consultancy, play a particularly important role in assisting entities in their efforts to prevent, detect, respond to or recover from incidents. Managed security service providers have however also themselves been the target of cyberattacks and pose a particular risk because of their close integration in the operations of their customers. Essential and important entities within the meaning of Directive (EU) 2022/2555 should therefore exercise increased diligence in selecting a managed security service provider. __________________ 8 Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (OJ L 333, 27.12.2022, p. 80).

Amendment 18 #

Angelika NIEBLER, Pilar del CASTILLO VERA, Tomas TOBÉ, Maria da Graça CARVALHO, Sara SKYTTEDAL, Ivan ŠTEFANEC, Cristian-Silviu BUŞOI, Ioan-Rareş BOGDAN

Proposal for a regulation
Recital 2

(2) Managed security services, which are services consisting of carrying out, or providing assistance for, activities relating to their customers’ cybersecurity risk management, including incident prevention, detection, responce or recovery, have gained increasing importance in the prevention and mitigation of cybersecurity incidents. Accordingly, the providers of those services are considered as essential or important entities belonging to a sector of high criticality pursuant to Directive (EU) 2022/2555 of the European Parliament and of the Council8 . Pursuant to Recital 86 of that Directive, managed security service providers in areas such as incident response, penetration testing, security audits and consultancy, play a particularly important role in assisting entities in their efforts to prevent, detect, respond to or recover from incidents. Managed security service providers have however also themselves been the target of cyberattacks and pose a particular risk because of their close integration in the operations of their customers. Essential and important entities within the meaning of Directive (EU) 2022/2555 should therefore exercise increased diligence in selecting a managed security service provider. __________________ 8 Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (OJ L 333, 27.12.2022, p. 80).

Amendment 19 #

Evžen TOŠENOVSKÝ

Proposal for a regulation
Recital 3

(3) Managed security services providers also play an important role in the EU Cybersecurity Reserve whose gradual set-up is supported by Regulation (EU) …/…. [laying down measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cybersecurity threats and incidents] The EU Cybersecurity Reserve is to be used to support response and immediate recovery actions in case of significant and large- scale cybersecurity incidents. Regulation (EU) …/…[laying down measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cybersecurity threats and incidents] lays down a selection process for the trusted managed security service providers forming the EU Cybersecurity Reserve, which should, inter alia, take into account whether the provider concerned has obtained a European or national cybersecurity certification. The relevant services provided by ‘trusted providers’ according to Regulation (EU) …./…..[laying down measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cybersecurity threats and incidents] correspond to ‘managed security services’ in accordance with this RegulationMoreover, once an European cybersecurity certification scheme for managed security service is in place, which would also replace all relevant national cybersecurity certification schemes, a compulsory certificication in accordance with that certification scheme should apply for inclusion of the trusted managed security service providers in the EU Cybersecurity Reserve.

Amendment 20 #

Johan NISSINEN

Proposal for a regulation
Recital 4

(4) Certification of managed security services is not only relevant in the selection process for the EU Cybersecurity Reserve but it is also an essential quality indicator for private and public entities that intend to purchase such services. In light of the criticality of the managed security services and the sensitivity of the data they process, certification could provide potential customers with important guidance and assurance about the trustworthiness of these services. European certification schemes for managed security services contribute to avoiding fragmentation of the single market. This Regulation therefore aims at enhancing the functioning of the internal market. At the same time, these multiple purposes of the regulation should strike a balance with the potential regulatory burden and costs associated with certification, given that compliance with certification requirements will involve additional expenses and administrative efforts, which could be a concern for smaller providers.

Amendment 21 #

Ville NIINISTÖ

Proposal for a regulation
Recital 4 a (new)

(4 a) As the market and the educational systems offer variety of educational resources and formal trainings, it must be underlined that knowledge is also aquired in non-formal ways and skills can be demonstrated via degrees and certification but not exclusively. Especially in the curent fast evolving threat landscape, Member States and the beneficiaries of managed security services should take into account the highly skilled vulnerability researchers. Moreover entities and natural persons researching vulnerabilities may in some Member States be exposed to criminal and civil liability therefore Member States are encouraged to issue guidelines for non- prosecution of information security research and an exception for civil liability for those activities.

Amendment 22 #

Josianne CUTAJAR

Proposal for a regulation
Recital 4 a (new)

(4 a) The Union certification scheme for managed security services should ensure the availability of secure and high quality services which guarantee a safe digital transition and contribute to the achievement of targets set up in the Path to the Digital Decade Policy Programme8a, especially with regards to the goal that 75% of EU companies start using Cloud/AI/Big Data, that more than 90% of SMEs reach at least a basic level of digital intensity and that key public services are offered online. __________________ 8a Decision (EU) 2022/2481 of the European Parliament and of the Council of 14 December 2022 establishing the Digital Decade Policy Programme 2030

Amendment 23 #

Angelika NIEBLER, Pilar del CASTILLO VERA, Tomas TOBÉ, Maria da Graça CARVALHO, Sara SKYTTEDAL, Ivan ŠTEFANEC, Cristian-Silviu BUŞOI, Ioan-Rareş BOGDAN

Proposal for a regulation
Recital 4 a (new)

(4 a) European certification schemes for managed security services should facilitate the use of these services, particularly for smaller entities, including local and regional authorities or SMEs, which often do not have the financial and human capacity to conduct these services by themselves, but are vulnerable to cyber attacks with potentially significant consequences.

Amendment 24 #

Josianne CUTAJAR

Proposal for a regulation
Recital 5

(5) In addition to the deployment of ICT products, ICT services or ICT processes, managed security services often provide additional service features that rely on the competences, expertise and experience of their personnel. A very high level of these competences, expertise and experience as well as appropriate internal procedures should be part of the security objectives in order to ensure a very high quality of the managed security services provided. In order to ensure that all aspects of a managed security service can be covered by a certification scheme, it is therefore necessary to amend Regulation (EU) 2019/881. The certification scheme established under this Regulation should also take into account the results and recommendations of the evaluation and review provided for under Article 67 thereof. The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council and delivered an opinion on [DD/MM/YYYY

Amendment 25 #

Angelika NIEBLER, Pilar del CASTILLO VERA, Tomas TOBÉ, Maria da Graça CARVALHO, Sara SKYTTEDAL, Ivan ŠTEFANEC, Cristian-Silviu BUŞOI, Ioan-Rareş BOGDAN

Proposal for a regulation
Recital 5

(5) In addition to the deployment of ICT products, ICT services or ICT processes, managed security services often provide additional service features that rely on the competences, expertise and experience of their personnel. A very high level of these competences, expertise and experience as well as appropriate internal procedures should be part of the security objectives in order to ensure a very high quality and reliability of the managed security services provided. In order to ensure that all aspects of a managed security service can be covered by a certification scheme, it is therefore necessary to amend Regulation (EU) 2019/881. The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council and delivered an opinion on [DD/MM/YYYY

Amendment 26 #

Evžen TOŠENOVSKÝ

Proposal for a regulation
Recital 5

(5) In addition to the deployment of ICT products, ICT services or ICT processes, managed security services often provide additional service features that rely on the competences, expertise and experience of their personnel. A very high level of these competences, expertise and experience as well as appropriate internal procedures should be part of the security objectives in order to ensure a very high quality of the managed security services provided. In order to ensure that all aspects of a managed security service can be covered by a dedicated certification scheme, it is therefore necessary to amend Regulation (EU) 2019/881. The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council and delivered an opinion on [DD/MM/YYYY

Amendment 27 #

Angelika NIEBLER, Pilar del CASTILLO VERA, Tomas TOBÉ, Maria da Graça CARVALHO, Sara SKYTTEDAL, Ivan ŠTEFANEC, Cristian-Silviu BUŞOI, Ioan-Rareş BOGDAN

Proposal for a regulation
Recital 5 a (new)

(5 a) Given that the European cybersecurity schemes should certifiy that managed security services are provided by highly-skilled personnel that is able to reliably deliver these services and ensure the highest standards of cybersecurity, it is imperative that there is sufficient availability of highly-qualified personnel in the Union. Yet, the Union is faced with a talent gap, characterized by a shortage of skilled professionals, and a rapidly evolving threat landscape as acknowledged in the Commission communication of 18 April 2023 on the Cybersecurity Skills Academy. It is important to bridge this talent gap by strengthening cooperation and coordination among the different stakeholders, including the private sector, academia, Member States, the Commission and ENISA to scale up and create synergies for the investment in education and training, the development of public-private partnerships, support of research and innovation initiatives, the development and mutual recognition of common standards and certification of cybersecurity skills, including through the European Cyber Security Skills Framework. This should also facilitate the mobility of cybersecurity professionals within the Union.

Amendment 28 #

Johan NISSINEN

Proposal for a regulation
Recital 5 a (new)

(5 a) Given that, certification schemes will add complexity to an already complex regulatory landscape, it is of critical importance to prevent potential overlaps or conflicts with existing cybersecurity regulations and standards. Stresses further the need for careful consideration and proportionality in the implementation of the regulation, in order to reduce negative effects on market freedom and innovation.

Amendment 29 #

Josianne CUTAJAR

Proposal for a regulation
Recital 5 a (new)

(5 a) Appropriate funding and resources should be considered to accompany the additional tasks entrusted to ENISA by this Act.

Amendment 30 #

Evžen TOŠENOVSKÝ

Proposal for a regulation
Article 1 – paragraph 1 – point 2 – point a – introductory part

(a) points 7, 9, 10 and 11 are replaced by the following:

Amendment 31 #

Evžen TOŠENOVSKÝ

Proposal for a regulation
Article 1 – paragraph 1 – point 2 – point a

Regulation (EU) 2019/881
Article 2 – point 7

(7) ‘incident handling’ means incident handling as defined in point (8) of Article 6 of Directive (EU) 2022/2555;

Amendment 32 #

Evžen TOŠENOVSKÝ

Proposal for a regulation
Article 1 – paragraph 1 – point 2 – point b – introductory part

(b) the following point iss are inserted:

Amendment 33 #

Evžen TOŠENOVSKÝ

Proposal for a regulation
Article 1 – paragraph 1 – point 2 – point b

Regulation (EU) 2019/881
Article 2 – point 7a

(7a) ‘risk’ means risk as defined in point (9) of Article 6 of Directive (EU) 2022/2555;

Amendment 34 #

Evžen TOŠENOVSKÝ

Proposal for a regulation
Article 1 – paragraph 1 – point 2 – point b

Regulation (EU) 2019/881
Article 2 – point 14a

(14a) ‘managed security service’ means a ~~service consisting of carrying out, or providing assistance for, activities relat~~managed security service withing t~~o cybersecurity risk management, including incident response, penetration testing, security audits and consultancy~~he meaning of point (40) of Article 6 of Directive (EU) 2022/2555;

Amendment 35 #

Angelika NIEBLER, Pilar del CASTILLO VERA, Tomas TOBÉ, Maria da Graça CARVALHO, Sara SKYTTEDAL, Ivan ŠTEFANEC, Cristian-Silviu BUŞOI, Ioan-Rareş BOGDAN

Proposal for a regulation
Article 1 – paragraph 1 – point 2 – point b

(14a) ‘managed security service’ means a managed service consisting of carrying out, or providing assistance for, activities relating to cybersecurity risk management, including incident pre~~sponse, penetration~~ vention, detescti~~ng, security audits and consultanc~~on, response, or recovery;

Amendment 36 #

Evžen TOŠENOVSKÝ

Proposal for a regulation
Article 1 – paragraph 1 – point 2 – point b

Regulation (EU) 2019/881
Article 2 – point 14aa

(14aa) ‘managed security service provider’ means managed a security service provider as defined in point (40) of Article 6 of Directive (EU) 2022/2555;

Amendment 37 #

Ville NIINISTÖ

Proposal for a regulation
Article 1 – paragraph 1 – point 6

Regulation (EU) 2019/881
Article 47 – paragraph 2

2. The Union rolling work programme shall in particular include a list of ICT products, ICT services and ICT processes or categories thereof, and managed security services, that are capable of benefiting from being included in the scope of a European cybersecurity certification scheme. Support measures to asses the needs for skilled employees, types of skills, existing training paths must be included along with measures to bridge any identified gaps.

Amendment 38 #

Bart GROOTHUIS, Alin MITUȚA, Ivars IJABS, Andrus ANSIP, Morten LØKKEGAARD

Proposal for a regulation
Article 1 – paragraph 1 – point 6

Regulation (EU) 2019/881
Article 47 – paragraph 3 – point a

(a) the availability and the development of national cybersecurity certification schemes and international and industry standards covering a specific category of ICT products, ICT services, or ICT processes or managed security services and, in particular, as regards the risk of fragmentation;

Amendment 39 #

Angelika NIEBLER, Pilar del CASTILLO VERA, Tomas TOBÉ, Maria da Graça CARVALHO, Sara SKYTTEDAL, Ivan ŠTEFANEC, Cristian-Silviu BUŞOI, Ioan-Rareş BOGDAN

Proposal for a regulation
Article 1 – paragraph 1 – point 7

Regulation (EU) 2019/881
Article 49 – paragraph 7

(7) in Article 49, paragraph 7 is replaced by the following: 7. The Commission, based on the candidate scheme prepared by ENISA, may adopt implementing acts providing for a European cybersecurity certification scheme for ICT products, ICT services, ICT processes and managed security services which meets the requirements set out in Articles 51, 52 and 54. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 66(2).;deleted

Amendment 40 #

Bart GROOTHUIS, Alin MITUȚA, Ivars IJABS, Andrus ANSIP, Morten LØKKEGAARD, Nicola DANTI

Proposal for a regulation
Article 1 – paragraph 1 – point 7

Regulation (EU) 2019/881
Article 49 – paragraph 7

7. The Commission, based on the candidate scheme prepared by ENISA, may adopt ~~implementing~~delegated acts providing for a European cybersecurity certification scheme for ICT products, ICT services, ICT processes and managed security services which meets the requirements set out in Articles 51, 52 and 54. (Th~~ose implementing acts shall be adopted in accordance with the examination procedure referred to in Article 66(2).;~~is amendment applies throughout the text. Adopting it will necessitate corresponding changes throughout.)

Amendment 41 #

Bart GROOTHUIS, Alin MITUȚA, Ivars IJABS, Andrus ANSIP, Morten LØKKEGAARD, Nicola DANTI

Proposal for a regulation
Article 1 – paragraph 1 – point 7

Regulation (EU) 2019/881
Article 49 – paragraph 7a (new)

7 a. Prior to adopting such delegated acts, the Commission, in cooperation with ENISA, shall carry out and publish an impact assessment of the proposed European cybersecurity certiciation scheme. While preparing the impact assessment, the Commission shall carry out public consultations and consultations with the SCCG and ECCG.

Amendment 42 #

Angelika NIEBLER, Pilar del CASTILLO VERA, Tomas TOBÉ, Maria da Graça CARVALHO, Sara SKYTTEDAL, Ivan ŠTEFANEC, Cristian-Silviu BUŞOI, Ioan-Rareş BOGDAN

Proposal for a regulation
Article 1 – paragraph 1 – point 7 a (new)

Regulation (EU) 2019/881
Article 49 – paragraph 7a (new)

(7 a) the following paragraph is inserted: '7a. The Commission, based on the candidate scheme prepared by ENISA, may adopt delegated acts providing for a European cybersecurity certification scheme for managed security services which meets the requirements set out in Articles 51, 52, and 54. Those delegated acts shall be adopted in accordance with the procedure referred to in Article 66a.'

Amendment 43 #

Angelika NIEBLER, Pilar del CASTILLO VERA, Tomas TOBÉ, Maria da Graça CARVALHO, Sara SKYTTEDAL, Ivan ŠTEFANEC, Cristian-Silviu BUŞOI, Ioan-Rareş BOGDAN

Proposal for a regulation
Article 1 – paragraph 1 – point 9

Regulation (EU) 2019/881
Article 51a – paragraph 1 – point b

(b) ensure that the provider has appropriate internal procedures in place to ensure that the managed security services are provided at a very high level of quality and reliability at all times ;

Amendment 44 #

Angelika NIEBLER, Pilar del CASTILLO VERA, Tomas TOBÉ, Maria da Graça CARVALHO, Sara SKYTTEDAL, Ivan ŠTEFANEC, Cristian-Silviu BUŞOI, Ioan-Rareş BOGDAN

Proposal for a regulation
Article 1 – paragraph 1 – point 9

Regulation (EU) 2019/881
Article 51a – paragraph 1 – point g

(g) ensure that the ICT products, ICT services and ICT processes [and the hardware] deployed in the provision of the managed security services are secure by default and by design, are provided with up-to-date software and hardware, do not contain known vulnerabilities and include the latest security updates;;

Amendment 45 #

Evžen TOŠENOVSKÝ

Proposal for a regulation
Article 1 – paragraph 1 – point 9

Regulation (EU) 2019/881
Article 51a – paragraph 1 – point g

(g) ensure that the ICT products, ICT services and ICT processes ~~[and the hardware]~~ deployed in the provision of the managed security services are secure by default and by design, do not contain known vulnerabilities and include the latest security updates;;

Amendment 46 #

Angelika NIEBLER, Pilar del CASTILLO VERA, Tomas TOBÉ, Maria da Graça CARVALHO, Sara SKYTTEDAL, Ivan ŠTEFANEC, Cristian-Silviu BUŞOI, Ioan-Rareş BOGDAN

Proposal for a regulation
Article 1 – paragraph 1 – point 13 – point b – point ii – point aa

Regulation (EU) 2019/881
Article 56 – paragraph 3 – third subparagraph – point a

(a) take into account the impact of the measures on the manufacturers or providers of such ICT products, ICT services, ICT processes or managed security services and on the users in terms of the cost of those measures and the societal or economic benefits stemming from the anticipated enhanced level of security for the targeted ICT products, ICT services, ICT processes or managed security services;, , including SMEs. The Commission shall ensure that SMEs have access to appropriate financial support in the implementation of the measures through already existing Union programmes;

Amendment 47 #

Bart GROOTHUIS, Alin MITUȚA, Ivars IJABS, Andrus ANSIP, Morten LØKKEGAARD, Nicola DANTI

Proposal for a regulation
Article 1 – paragraph 1 – point 14

1. Without prejudice to paragraph 3 of this Article, national cybersecurity certification schemes, and the related procedures for the ICT products, ICT services, ICT processes and managed security services that are covered by a European cybersecurity certification scheme shall cease to produce effects from the date established in the ~~implementing act adopted pursuant to Article 49(7)~~delegated act. National cybersecurity certification schemes and the related procedures for the ICT products, ICT services, ICT processes and managed security services that are not covered by a European cybersecurity certification scheme shall continue to exist. (This amendment applies throughout the text. Adopting it will necessitate corresponding changes throughout.)

Amendment 48 #

Angelika NIEBLER, Pilar del CASTILLO VERA, Tomas TOBÉ, Maria da Graça CARVALHO, Sara SKYTTEDAL, Ivan ŠTEFANEC, Cristian-Silviu BUŞOI, Ioan-Rareş BOGDAN

Proposal for a regulation
Article 1 – paragraph 1 – point 16 a (new)

Regulation (EU) 2019/881
Article 66a (new)

(16 a) The following Article is inserted: Article 66a (new) Exercise of the delegation 1. The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article. 2. The power to adopt delegated acts referred to in Article 49 (7a) shall be conferred on the Commission for a period of 5 years from … [date of entry into force of the basic legislative act or any other date set by the co-legislators]. The Commission shall draw up a report in respect of the delegation of power not later than nine months before the end of the 5 year period. The delegation of power shall be tacitly extended for periods of an identical duration, unless the European Parliament or the Council opposes such extension not later than three months before the end of each period. 3. The delegation of power referred to in Article 49 (7a) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force 4. Before adopting a delegated act, the Commission shall consult experts designated by each Member State in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making. 5. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council. 6. A delegated act adopted pursuant to Article 49 (7a) shall enter into force only if no objection has been expressed either by the European Parliament or by the Council within a period of two months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by [two months] at the initiative of the European Parliament or of the Council.

Amendment 49 #

Evžen TOŠENOVSKÝ

Proposal for a regulation
Article 1 – paragraph 1 – point 17 – introductory part

Regulation (EU)2019/881
Article 67

(17) in Article 67, paragraphs 21, 2, 3 and 34 are replaced by the following:

Amendment 50 #

Evžen TOŠENOVSKÝ

Proposal for a regulation
Article 1 – paragraph 1 – point 17

Regulation (EU) 2019/881
Article 67 – paragraph 1

1 By 28 June 2024, and every four years thereafter, the Commission shall evaluate the impact, effectiveness and efficiency of ENISA and of its working practices, the possible need to modify ENISA’s mandate and the financial implications of any such modification. The evaluation shall take into account any feedback provided to ENISA in response to its activities. Where the Commission considers that the continued operation of ENISA is no longer justified in light of the objectives, mandate and tasks assigned to it, the Commission may propose that this Regulation be amended with regard to the provisions related to ENISA.

Amendment 51 #

Evžen TOŠENOVSKÝ

Proposal for a regulation
Article 1 – paragraph 1 – point 17

Regulation (EU) 2019/881
Article 67 – paragraph 2

2. The evaluation shall also assess the impact, effectiveness and efficiency of the provisions of Title III of this Regulation with regard to the objectives of ensuring an adequate level of cybersecurity of ICT products, ICT services, ICT processes and managed security services in the Union and improving the functioning of the internal market, including assessment of the procedure and timelines leading to preparation and adoption of the first European cybersecurity certification schemes and how this procedure could be improved and accelerated for subsequent certification schemes.

Amendment 52 #

Evžen TOŠENOVSKÝ

Proposal for a regulation
Article 1 – paragraph 1 – point 17

Regulation (EU) 2019/881
Article 67 – paragraph 4

4. By 28 June 2024, and every four years thereafter, the Commission shall transmit a report on the evaluation together with its conclusions to the European Parliament, to the Council and to the Management Board. The findings of that report shall be made public. The report shall be accompanied, where necessary, by a legislative proposal.

source: 753.562

History

(these mark the time of scraping, not the official date of the change)

2024-04-25Show (2) Changes | Timetravel

forecasts/0	date 2024-04-24T00:00:00 title Vote scheduled
forecasts/0	date 2024-04-22T00:00:00 title Indicative plenary sitting date

2024-04-24Show (2) Changes | Timetravel

forecasts/0	date 2024-04-24T00:00:00 title Vote in plenary scheduled
forecasts/0	date 2024-04-22T00:00:00 title Indicative plenary sitting date

2024-04-23Show (2) Changes | Timetravel

forecasts/0	date 2024-04-24T00:00:00 title Vote in plenary scheduled
forecasts/0	date 2024-04-22T00:00:00 title Indicative plenary sitting date

2024-04-22Show (2) Changes | Timetravel

forecasts/0	date 2024-04-24T00:00:00 title Vote in plenary scheduled
forecasts/0	date 2024-04-22T00:00:00 title Indicative plenary sitting date

2024-04-21Show (2) Changes | Timetravel

forecasts/0	date 2024-04-24T00:00:00 title Vote in plenary scheduled
forecasts/0	date 2024-04-22T00:00:00 title Indicative plenary sitting date

2024-04-20Show (2) Changes | Timetravel

forecasts/0	date 2024-04-24T00:00:00 title Vote in plenary scheduled
forecasts/0	date 2024-04-22T00:00:00 title Indicative plenary sitting date

2024-04-17Show (2) Changes | Timetravel

docs/4	date 2024-03-20T00:00:00 docs url: https://www.europarl.europa.eu/RegData/commissions/itre/inag/2024/03-20/ITRE_AG(2024)760887_EN.docx title: PE760.887 type Text agreed during interinstitutional negotiations body EP
events/7/docs	url: https://www.europarl.europa.eu/RegData/commissions/itre/inag/2024/03-20/ITRE_AG(2024)760887_EN.docx title: PE760.887

2024-04-16Show (2) Changes | Timetravel

docs/4	date 2024-03-20T00:00:00 docs url: https://www.europarl.europa.eu/RegData/commissions/itre/inag/2024/03-20/ITRE_AG(2024)760887_EN.docx title: PE760.887 type Text agreed during interinstitutional negotiations body EP
events/7/docs	url: https://www.europarl.europa.eu/RegData/commissions/itre/inag/2024/03-20/ITRE_AG(2024)760887_EN.docx title: PE760.887

2024-04-15Show (2) Changes | Timetravel

docs/4	date 2024-03-20T00:00:00 docs url: https://www.europarl.europa.eu/RegData/commissions/itre/inag/2024/03-20/ITRE_AG(2024)760887_EN.docx title: PE760.887 type Text agreed during interinstitutional negotiations body EP
events/7/docs	url: https://www.europarl.europa.eu/RegData/commissions/itre/inag/2024/03-20/ITRE_AG(2024)760887_EN.docx title: PE760.887

2024-04-13Show (2) Changes | Timetravel

docs/4	date 2024-03-20T00:00:00 docs url: https://www.europarl.europa.eu/RegData/commissions/itre/inag/2024/03-20/ITRE_AG(2024)760887_EN.docx title: PE760.887 type Text agreed during interinstitutional negotiations body EP
events/7/docs	url: https://www.europarl.europa.eu/RegData/commissions/itre/inag/2024/03-20/ITRE_AG(2024)760887_EN.docx title: PE760.887

2024-04-12Show (2) Changes | Timetravel

docs/4	date 2024-03-20T00:00:00 docs url: https://www.europarl.europa.eu/RegData/commissions/itre/inag/2024/03-20/ITRE_AG(2024)760887_EN.docx title: PE760.887 type Text agreed during interinstitutional negotiations body EP
events/7/docs	url: https://www.europarl.europa.eu/RegData/commissions/itre/inag/2024/03-20/ITRE_AG(2024)760887_EN.docx title: PE760.887

2024-04-11Show (2) Changes | Timetravel

docs/4	date 2024-03-20T00:00:00 docs url: https://www.europarl.europa.eu/RegData/commissions/itre/inag/2024/03-20/ITRE_AG(2024)760887_EN.docx title: PE760.887 type Text agreed during interinstitutional negotiations body EP
events/7/docs	url: https://www.europarl.europa.eu/RegData/commissions/itre/inag/2024/03-20/ITRE_AG(2024)760887_EN.docx title: PE760.887

2024-03-27Show (2) Changes | Timetravel

docs/4	date 2024-03-21T00:00:00 docs title: GEDA/A/(2024)001687 type Coreper letter confirming interinstitutional agreement body CSL
events/7	date 2024-03-20T00:00:00 type Approval in committee of the text agreed at 1st reading interinstitutional negotiations body EP

2024-03-26Show (2) Changes | Timetravel

docs/4	date 2024-03-21T00:00:00 docs title: GEDA/A/(2024)001687 type Coreper letter confirming interinstitutional agreement body CSL
events/7	date 2024-03-20T00:00:00 type Approval in committee of the text agreed at 1st reading interinstitutional negotiations body EP

2024-03-25Show (2) Changes | Timetravel

docs/4	date 2024-03-21T00:00:00 docs title: GEDA/A/(2024)001687 type Coreper letter confirming interinstitutional agreement body CSL
events/7	date 2024-03-20T00:00:00 type Approval in committee of the text agreed at 1st reading interinstitutional negotiations body EP docs title: GEDA/A/(2024)001687

2024-03-24Show (2) Changes | Timetravel

docs/4	date 2024-03-21T00:00:00 docs title: GEDA/A/(2024)001687 type Coreper letter confirming interinstitutional agreement body CSL
events/7	date 2024-03-20T00:00:00 type Approval in committee of the text agreed at 1st reading interinstitutional negotiations body EP docs title: GEDA/A/(2024)001687

2024-03-23Show (2) Changes | Timetravel

docs/4	date 2024-03-21T00:00:00 docs title: GEDA/A/(2024)001687 type Coreper letter confirming interinstitutional agreement body CSL
events/7	date 2024-03-20T00:00:00 type Approval in committee of the text agreed at 1st reading interinstitutional negotiations body EP docs title: GEDA/A/(2024)001687

2024-03-06Show (1) Changes | Timetravel

forecasts/0/date

Old

2024-03-11T00:00:00

New

2024-04-22T00:00:00

2024-02-02Show (1) Changes | Timetravel

forecasts/0/date

Old

2024-04-10T00:00:00

New

2024-03-11T00:00:00

2024-01-31Show (1) Changes | Timetravel

forecasts/0/date

Old

2024-02-05T00:00:00

New

2024-04-10T00:00:00

2024-01-04Show (2) Changes | Timetravel

forecasts	date: 2024-02-05T00:00:00 title: Indicative plenary sitting date
links	Research document title: Briefing url: https://www.europarl.europa.eu/thinktank/en/document/EPRS_BRI(2023)754556

2023-11-17Show (2) Changes | Timetravel

docs/4

date: 2023-10-26T00:00:00

docs: url: https://www.europarl.europa.eu/doceo/document/A-9-2023-0307_EN.html title: A9-0307/2023

type: Committee report tabled for plenary, 1st reading/single reading

body: EP

events/4/summary

The Committee on Industry, Research and Energy adopted the report by Josianne CUTAJAR (S&D, MT) on the proposal for a regulation of the European Parliament and of the Council amending Regulation (EU) 2019/881 as regards managed security services.
The committee responsible recommended that the European Parliament's position adopted at first reading under the ordinary legislative procedure should amend the proposal as follows:
Changes to the definition of managed security service
The report stated that managed security services, which are services consisting of carrying out, or providing assistance for, activities relating to their customers’ cybersecurity risk management, including detection, response to or recovery from incidents, have gained increasing importance in the prevention and mitigation of cybersecurity incidents. The activities of the providers of managed security services consist of services relating to prevention, identification, protection, detection, analysis, containment, response and recovery, including, but not limited to, cyber threat intelligence provision, real time threat monitoring through proactive techniques, including security-by-design, risk assessment, extended detection, remediation and response.
The Union rolling work programme for European cybersecurity certification
According to Members, the Union rolling work programme should include a list of ICT products, ICT services and ICT processes or categories thereof, and managed security services, that are capable of benefiting from being included in the scope of a European cybersecurity certification scheme. In that context, the Commission should include an in-depth assessment of existing training paths to bridge identified skills gaps and a list of proposals for addressing the needs for skilled employees and types of skills.
SMEs
Members considered that the Commission should ensure appropriate financial support in the regulatory framework of existing Union programmes, in particular in order to ease the financial burden on microenterprises and SMEs, including start-ups acting in the field of managed security services.
Evaluation and review
By 28 June 2024, and every three years thereafter, the Commission should assess the impact, effectiveness and efficiency of ENISA and of its working practices, the possible need to modify ENISA’s mandate and the financial implications of any such modification. The evaluation should assess: (i) the efficiency and effectiveness of the procedures leading to consultation, preparation and adoption of European cybersecurity certification schemes, as well as ways to improve and accelerate those procedures; (ii) whether essential cybersecurity requirements for access to the internal market are necessary in order to prevent ICT products, ICT services, ICT processes and managed security services which do not meet basic cybersecurity requirements from entering the Union market.

2023-11-11Show (1) Changes | Timetravel

events/6

date: 2023-11-09T00:00:00

type: Committee decision to enter into interinstitutional negotiations confirmed by plenary (Rule 71)

body: EP

2023-11-10Show (1) Changes | Timetravel

events/5

date: 2023-11-08T00:00:00

type: Committee decision to enter into interinstitutional negotiations announced in plenary (Rule 71)

body: EP

2023-10-28Show (12) Changes | Timetravel

docs/4	date 2023-06-28T00:00:00 docs url: https://connectfolx.europarl.europa.eu/connefof/app/exp/COM(2023)0208 title: COM(2023)0208 type Contribution body CZ_CHAMBER
docs/4	date 2023-10-26T00:00:00 docs url: https://www.europarl.europa.eu/doceo/document/A-9-2023-0307_EN.html title: A9-0307/2023 type Committee report tabled for plenary, 1st reading/single reading body EP
docs/5	date 2023-06-28T00:00:00 docs url: https://connectfolx.europarl.europa.eu/connefof/app/exp/COM(2023)0208 title: COM(2023)0208 type Contribution body CZ_CHAMBER
docs/5	date 2023-07-19T00:00:00 docs url: https://connectfolx.europarl.europa.eu/connefof/app/exp/COM(2023)0208 title: COM(2023)0208 type Contribution body PT_PARLIAMENT
docs/5/date	Old 2023-06-28T00:00:00 New 2023-06-29T00:00:00
docs/6	date 2023-07-19T00:00:00 docs url: https://connectfolx.europarl.europa.eu/connefof/app/exp/COM(2023)0208 title: COM(2023)0208 type Contribution body PT_PARLIAMENT
docs/6	date 2023-07-31T00:00:00 docs url: https://connectfolx.europarl.europa.eu/connefof/app/exp/COM(2023)0208 title: COM(2023)0208 type Contribution body CZ_SENATE
docs/6/date	Old 2023-07-19T00:00:00 New 2023-07-20T00:00:00
docs/7	date 2023-07-31T00:00:00 docs url: https://connectfolx.europarl.europa.eu/connefof/app/exp/COM(2023)0208 title: COM(2023)0208 type Contribution body CZ_SENATE
docs/7/date	Old 2023-07-31T00:00:00 New 2023-08-01T00:00:00
events/4	date 2023-10-26T00:00:00 type Committee report tabled for plenary, 1st reading body EP docs url: https://www.europarl.europa.eu/doceo/document/A-9-2023-0307_EN.html title: A9-0307/2023
procedure/stage_reached	Old Awaiting committee decision New Awaiting Parliament's position in 1st reading

2023-10-26Show (3) Changes | Timetravel

events/2	date 2023-10-25T00:00:00 type Vote in committee, 1st reading body EP
events/3	date 2023-10-25T00:00:00 type Committee decision to open interinstitutional negotiations with report adopted in committee body EP
procedure/Other legal basis	Rules of Procedure EP 159

2023-09-23Show (2) Changes | Timetravel

docs/2	date 2023-09-21T00:00:00 docs url: https://www.europarl.europa.eu/doceo/document/ITRE-AM-753562_EN.html title: PE753.562 type Amendments tabled in committee body EP
docs/3	date 2023-09-21T00:00:00 docs url: https://www.europarl.europa.eu/doceo/document/IMCO-AL-749983_EN.html title: PE749.983 committee IMCO type Specific opinion body EP

2023-09-12Show (1) Changes | Timetravel

docs/1

date: 2023-09-07T00:00:00

docs: url: https://www.europarl.europa.eu/doceo/document/ITRE-PR-752802_EN.html title: PE752.802

type: Committee draft report

body: EP

2023-09-03Show (1) Changes | Timetravel

docs/3

date: 2023-07-31T00:00:00

docs: url: https://connectfolx.europarl.europa.eu/connefof/app/exp/COM(2023)0208 title: COM(2023)0208

type: Contribution

body: CZ_SENATE

2023-09-01Show (2) Changes | Timetravel

docs/0	date 2023-07-13T00:00:00 docs url: https://dmsearch.eesc.europa.eu/search/public?k=(documenttype:AC)(documentnumber:2408)(documentyear:2023)(documentlanguage:EN) title: CES2408/2023 type Economic and Social Committee: opinion, report body ESC
docs/2	date 2023-07-19T00:00:00 docs url: https://connectfolx.europarl.europa.eu/connefof/app/exp/COM(2023)0208 title: COM(2023)0208 type Contribution body PT_PARLIAMENT

2023-07-14Show (1) Changes | Timetravel

committees/0/shadows/3

name: TOŠENOVSKÝ Evžen

group: European Conservatives and Reformists Group

abbr: ECR

2023-07-13Show (1) Changes | Timetravel

committees/0/shadows/2

name: NIINISTÖ Ville

group: Group of the Greens/European Free Alliance

abbr: Verts/ALE

2023-07-07Show (2) Changes | Timetravel

docs/0	date 2023-06-28T00:00:00 docs url: https://connectfolx.europarl.europa.eu/connefof/app/exp/COM(2023)0208 title: COM(2023)0208 type Contribution body CZ_CHAMBER
docs/0	date 2023-04-18T00:00:00 docs url: https://www.europarl.europa.eu/RegData/docs_autres_institutions/commission_europeenne/com/2023/0208/COM_COM(2023)0208_EN.pdf title: COM(2023)0208 url: https://eur-lex.europa.eu/smartapi/cgi/sga_doc?smartapi!celexplus!prod!DocNumber&lg=EN&type_doc=COMfinal&an_doc=2023&nu_doc=0208 title: EUR-Lex type Legislative proposal body EC

2023-06-23Show (1) Changes | Timetravel

committees/0/shadows/1

name: GROOTHUIS Bart

group: Renew Europe group

abbr: Renew

2023-06-16Show (1) Changes | Timetravel

committees/0/shadows

name: NIEBLER Angelika group: Group of European People's Party abbr: EPP

2023-06-12Show (1) Changes | Timetravel

committees/1/rapporteur

name: CAVAZZINI Anna date: 2023-05-23T00:00:00 group: Group of the Greens/European Free Alliance abbr: Verts/ALE

2023-06-06Show (1) Changes | Timetravel

committees/2/opinion

False

2023-06-02Show (4) Changes | Timetravel

commission	body: EC dg: Communications Networks, Content and Technology commissioner: BRETON Thierry
events/1	date 2023-06-01T00:00:00 type Committee referral announced in Parliament, 1st reading body EP
procedure/dossier_of_the_committee	ITRE/9/11804
procedure/stage_reached	Old Preparatory phase in Parliament New Awaiting committee decision

2023-05-07Show (1) Changes | Timetravel

events/0/summary

PURPOSE: to create European cybersecurity certification schemes for managed security services.
PROPOSED ACT: Regulation of the European Parliament and of the Council.
ROLE OF THE EUROPEAN PARLIAMENT: the European Parliament decides in accordance with the ordinary legislative procedure and on an equal footing with the Council.
BACKGROUND: Regulation (EU) 2019/881 of the European Parliament and of the Council on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification sets up a framework for the establishment of European cybersecurity certification schemes for the purpose of ensuring an adequate level of cybersecurity for ICT products, ICT services and ICT processes in the Union, as well as for the purpose of avoiding the fragmentation of the internal market with regard to cybersecurity certification schemes in the Union.
Managed security services , which are services consisting of carrying out, or providing assistance for, activities relating to their customers’ cybersecurity risk management, have gained increasing importance in the prevention and mitigation of cybersecurity incidents. Accordingly, the providers of those services are considered as essential or important entities belonging to a sector of high criticality pursuant to Directive (EU) 2022/2555 of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union.
Managed security service providers in areas such as incident response, penetration testing, security audits and consultancy, play a particularly important role in assisting entities in their efforts to prevent, detect, respond to or recover from incidents. They have however also themselves been the target of cyberattacks and pose a particular risk because of their close integration in the operations of their customers.
Some Member States have already begun adopting certification schemes for managed security services. There is therefore a growing risk of fragmentation of the internal market for managed security services owing to inconsistencies in cybersecurity certification schemes across the Union. This proposal aims to prevent such fragmentation.
CONTENT: the proposed targeted amendment to amend the scope of the European cybersecurity certification framework in the Cybersecurity Act aims to enable, by means of Commission implementing acts, the adoption of European cybersecurity certification schemes for ‘managed security services’ , in addition to information and technology (ICT) products, ICT services and ICT processes, which are already covered under the Cybersecurity Act.
The proposal also introduces a definition of those services, which is very closely aligned to the definition of ‘managed security services providers’ under the NIS 2 Directive (Article 2 of the Cybersecurity Act). It also adds new provisions on the security objectives of European cybersecurity certification adapted to ‘managed security services’.
Lastly, a number of technical amendments are made to ensure that the relevant articles apply also to ‘managed security services’.

2023-05-02Show (1) Changes | Timetravel

committees/0/rapporteur

name: CUTAJAR Josianne date: 2023-05-02T00:00:00 group: Group of Progressive Alliance of Socialists and Democrats abbr: S&D

2023-04-22Show (2) Changes

docs/0/docs/1	url https://eur-lex.europa.eu/smartapi/cgi/sga_doc?smartapi!celexplus!prod!DocNumber&lg=EN&type_doc=COMfinal&an_doc=2023&nu_doc=0208 title EUR-Lex
events/0/docs/1	url https://eur-lex.europa.eu/smartapi/cgi/sga_doc?smartapi!celexplus!prod!DocNumber&lg=EN&type_doc=COMfinal&an_doc=2023&nu_doc=0208 title EUR-Lex

Progress: Awaiting Parliament's position in 1st reading

Lead committee dossier:

ITRE/9/11804

Legal Basis:

Subjects

Links

Events

Documents

History

ParlTrack - 2011-2024