The European Parliament adopted by 53 votes to 5, with 33 abstentions, a legislative resolution on the proposal for a regulation of the European Parliament and of the Council amending Regulation (EU) 2019/881 as regards managed security services.

The European Parliament’s position adopted at first reading under the ordinary legislative procedure amends the proposal as follows:

Subject matter

The proposed Regulation aims to enable the adoption of European cybersecurity certification schemes for managed security services. The definition of managed security services under this Regulation includes a non-exhaustive list of managed security services that could qualify for certification schemes, such as incident handling, penetration testing, security audits, and consulting related to technical support.

European certification schemes for managed security services should lead to the uptake of those services and to increased competition between providers offering managed security services. Without prejudice for the objective of ensuring sufficient and appropriate levels of relevant technical knowledge and professional integrity of such providers, certification schemes should, therefore, facilitate market entry and the offering of managed security services, by simplifying, to the extent possible, the potential regulatory, administrative and financial burden that providers, especially microenterprises or small and medium-sized enterprises (SMEs), could encounter when offering managed security services.

Additionally, in order to encourage the uptake of, and stimulate the demand for, managed security services, the schemes should contribute to the accessibility thereof, especially for smaller actors, such as microenterprises and SMEs, as well as local and regional authorities which have limited capacity and resources, but which are more prone to cybersecurity breaches with financial, legal, reputational, and operational implications.

The Union certification scheme for managed security services should contribute to the availability of secure and high-quality services which guarantee a safe digital transition and to the achievement of targets set up in the Digital Decade Policy Programme, especially with regard to the goal that 75% of Union undertakings start using Cloud, AI or Big Data, that more than 90% of microenterprises and SMEs reach at least a basic level of digital intensity and that key public services are offered online.

Preparation, adoption and review of a European cybersecurity certification scheme

Following a request from the Commission, ENISA will prepare a candidate scheme that meets the applicable requirements set out in the Regulation. Following a request from the European Cybersecurity Certification Group (ECCG) may prepare a candidate scheme that meets the applicable requirements. If ENISA rejects such a request, it will have to give reasons for its refusal. Any decision to reject such an application will be taken by the Management Board.

When preparing a candidate scheme, ENISA should consult all relevant stakeholders in a timely manner through a formal, open, transparent and inclusive consultation process. For each candidate scheme, ENISA should set up an ad hoc working group to provide specific advice and expertise. The ad hoc working groups set up for this purpose should include, where appropriate, experts from Member States' public administrations, EU institutions, bodies, offices and agencies and the private sector.

Information and consultation on the European cybersecurity certification schemes

The Commission should make the information on its request to ENISA to prepare a candidate scheme. During the preparation of a candidate scheme by ENISA, the European Parliament as well as the Council may request the Commission in its capacity as chair of the European Cybersecurity Certification Group (ECCG) and ENISA to present relevant information on a draft candidate scheme on a quarterly basis. Upon the request of the European Parliament or the Council, ENISA, in agreement with the Commission, may make available to the European Parliament and to the Council relevant parts of a draft candidate scheme in a manner appropriate to the confidentiality level required, and where appropriate in a restricted manner.

In order to enhance the dialogue between the Union institutions and to contribute to a formal, open, transparent and inclusive consultation process, the European Parliament as well as the Council may invite the Commission and ENISA to discuss matters concerning the functioning of European cybersecurity certification schemes for ICT products, ICT services, ICT processes or managed security services.

A new annex contains the requirements to be met by conformity assessment bodies wishing to be accredited.

In a statement , the Commission recalled that it is recognised that a thorough review of the Cybersecurity Regulation is of the utmost importance, including the evaluation of the procedures leading to the development, adoption and review of European cybersecurity certification schemes.

This review should be based on a deep analysis and broad consultation on the impact, effectiveness and efficiency of the functioning of the European cybersecurity certification framework. The analysis carried out as part of the evaluation established in Article 67 of the Cybersecurity Act should include on-going scheme development activities, such as the one concerning European cybersecurity certification scheme for cloud services (EUCS) as well as those of adopted schemes such as the one concerning the European Common Criteria-based cybersecurity certification scheme (EUCC).

Accordingly, the Commission, which is responsible for the review of the Cybersecurity Act, should ensure that the review takes into account as appropriate the necessary elements mentioned in light of Article 67 when presenting the review to the co-legislators.

The Committee on Industry, Research and Energy adopted the report by Josianne CUTAJAR (S&D, MT) on the proposal for a regulation of the European Parliament and of the Council amending Regulation (EU) 2019/881 as regards managed security services.

The committee responsible recommended that the European Parliament's position adopted at first reading under the ordinary legislative procedure should amend the proposal as follows:

Changes to the definition of managed security service

The report stated that managed security services, which are services consisting of carrying out, or providing assistance for, activities relating to their customers’ cybersecurity risk management, including detection, response to or recovery from incidents, have gained increasing importance in the prevention and mitigation of cybersecurity incidents. The activities of the providers of managed security services consist of services relating to prevention, identification, protection, detection, analysis, containment, response and recovery, including, but not limited to, cyber threat intelligence provision, real time threat monitoring through proactive techniques, including security-by-design, risk assessment, extended detection, remediation and response.

The Union rolling work programme for European cybersecurity certification

According to Members, the Union rolling work programme should include a list of ICT products, ICT services and ICT processes or categories thereof, and managed security services, that are capable of benefiting from being included in the scope of a European cybersecurity certification scheme. In that context, the Commission should include an in-depth assessment of existing training paths to bridge identified skills gaps and a list of proposals for addressing the needs for skilled employees and types of skills.

SMEs

Members considered that the Commission should ensure appropriate financial support in the regulatory framework of existing Union programmes, in particular in order to ease the financial burden on microenterprises and SMEs, including start-ups acting in the field of managed security services.

Evaluation and review

By 28 June 2024, and every three years thereafter, the Commission should assess the impact, effectiveness and efficiency of ENISA and of its working practices, the possible need to modify ENISA’s mandate and the financial implications of any such modification. The evaluation should assess: (i) the efficiency and effectiveness of the procedures leading to consultation, preparation and adoption of European cybersecurity certification schemes, as well as ways to improve and accelerate those procedures; (ii) whether essential cybersecurity requirements for access to the internal market are necessary in order to prevent ICT products, ICT services, ICT processes and managed security services which do not meet basic cybersecurity requirements from entering the Union market.

PURPOSE: to create European cybersecurity certification schemes for managed security services.

PROPOSED ACT: Regulation of the European Parliament and of the Council.

ROLE OF THE EUROPEAN PARLIAMENT: the European Parliament decides in accordance with the ordinary legislative procedure and on an equal footing with the Council.

BACKGROUND: Regulation (EU) 2019/881 of the European Parliament and of the Council on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification sets up a framework for the establishment of European cybersecurity certification schemes for the purpose of ensuring an adequate level of cybersecurity for ICT products, ICT services and ICT processes in the Union, as well as for the purpose of avoiding the fragmentation of the internal market with regard to cybersecurity certification schemes in the Union.

Managed security services , which are services consisting of carrying out, or providing assistance for, activities relating to their customers’ cybersecurity risk management, have gained increasing importance in the prevention and mitigation of cybersecurity incidents. Accordingly, the providers of those services are considered as essential or important entities belonging to a sector of high criticality pursuant to Directive (EU) 2022/2555 of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union.

Managed security service providers in areas such as incident response, penetration testing, security audits and consultancy, play a particularly important role in assisting entities in their efforts to prevent, detect, respond to or recover from incidents. They have however also themselves been the target of cyberattacks and pose a particular risk because of their close integration in the operations of their customers.

Some Member States have already begun adopting certification schemes for managed security services. There is therefore a growing risk of fragmentation of the internal market for managed security services owing to inconsistencies in cybersecurity certification schemes across the Union. This proposal aims to prevent such fragmentation.

CONTENT: the proposed targeted amendment to amend the scope of the European cybersecurity certification framework in the Cybersecurity Act aims to enable, by means of Commission implementing acts, the adoption of European cybersecurity certification schemes for ‘managed security services’ , in addition to information and technology (ICT) products, ICT services and ICT processes, which are already covered under the Cybersecurity Act.

The proposal also introduces a definition of those services, which is very closely aligned to the definition of ‘managed security services providers’ under the NIS 2 Directive (Article 2 of the Cybersecurity Act). It also adds new provisions on the security objectives of European cybersecurity certification adapted to ‘managed security services’.

Lastly, a number of technical amendments are made to ensure that the relevant articles apply also to ‘managed security services’.