Next event: Indicative plenary sitting date 2024/04/22 more...
- Coreper letter confirming interinstitutional agreement 2024/03/21
- Text agreed during interinstitutional negotiations 2024/03/20
- Approval in committee of the text agreed at 1st reading interinstitutional negotiations 2024/03/20
- Committee decision to enter into interinstitutional negotiations confirmed by plenary (Rule 71) 2023/11/09
- Committee decision to enter into interinstitutional negotiations announced in plenary (Rule 71) 2023/11/08
- Committee report tabled for plenary, 1st reading 2023/10/26
- Vote in committee, 1st reading 2023/10/25
- Committee decision to open interinstitutional negotiations with report adopted in committee 2023/10/25
- Amendments tabled in committee 2023/09/21
- Specific opinion 2023/09/21
- Committee draft report 2023/09/07
Progress: Awaiting Parliament's position in 1st reading
Role | Committee | Rapporteur | Shadows |
---|---|---|---|
Lead | ITRE | CUTAJAR Josianne ( S&D) | NIEBLER Angelika ( EPP), GROOTHUIS Bart ( Renew), NIINISTÖ Ville ( Verts/ALE), TOŠENOVSKÝ Evžen ( ECR) |
Committee Opinion | IMCO | CAVAZZINI Anna ( Verts/ALE) | |
Committee Opinion | LIBE |
Lead committee dossier:
Legal Basis:
TFEU 114
Legal Basis:
TFEU 114Subjects
Events
The Committee on Industry, Research and Energy adopted the report by Josianne CUTAJAR (S&D, MT) on the proposal for a regulation of the European Parliament and of the Council amending Regulation (EU) 2019/881 as regards managed security services.
The committee responsible recommended that the European Parliament's position adopted at first reading under the ordinary legislative procedure should amend the proposal as follows:
Changes to the definition of managed security service
The report stated that managed security services, which are services consisting of carrying out, or providing assistance for, activities relating to their customers’ cybersecurity risk management, including detection, response to or recovery from incidents, have gained increasing importance in the prevention and mitigation of cybersecurity incidents. The activities of the providers of managed security services consist of services relating to prevention, identification, protection, detection, analysis, containment, response and recovery, including, but not limited to, cyber threat intelligence provision, real time threat monitoring through proactive techniques, including security-by-design, risk assessment, extended detection, remediation and response.
The Union rolling work programme for European cybersecurity certification
According to Members, the Union rolling work programme should include a list of ICT products, ICT services and ICT processes or categories thereof, and managed security services, that are capable of benefiting from being included in the scope of a European cybersecurity certification scheme. In that context, the Commission should include an in-depth assessment of existing training paths to bridge identified skills gaps and a list of proposals for addressing the needs for skilled employees and types of skills.
SMEs
Members considered that the Commission should ensure appropriate financial support in the regulatory framework of existing Union programmes, in particular in order to ease the financial burden on microenterprises and SMEs, including start-ups acting in the field of managed security services.
Evaluation and review
By 28 June 2024, and every three years thereafter, the Commission should assess the impact, effectiveness and efficiency of ENISA and of its working practices, the possible need to modify ENISA’s mandate and the financial implications of any such modification. The evaluation should assess: (i) the efficiency and effectiveness of the procedures leading to consultation, preparation and adoption of European cybersecurity certification schemes, as well as ways to improve and accelerate those procedures; (ii) whether essential cybersecurity requirements for access to the internal market are necessary in order to prevent ICT products, ICT services, ICT processes and managed security services which do not meet basic cybersecurity requirements from entering the Union market.
PURPOSE: to create European cybersecurity certification schemes for managed security services.
PROPOSED ACT: Regulation of the European Parliament and of the Council.
ROLE OF THE EUROPEAN PARLIAMENT: the European Parliament decides in accordance with the ordinary legislative procedure and on an equal footing with the Council.
BACKGROUND: Regulation (EU) 2019/881 of the European Parliament and of the Council on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification sets up a framework for the establishment of European cybersecurity certification schemes for the purpose of ensuring an adequate level of cybersecurity for ICT products, ICT services and ICT processes in the Union, as well as for the purpose of avoiding the fragmentation of the internal market with regard to cybersecurity certification schemes in the Union.
Managed security services , which are services consisting of carrying out, or providing assistance for, activities relating to their customers’ cybersecurity risk management, have gained increasing importance in the prevention and mitigation of cybersecurity incidents. Accordingly, the providers of those services are considered as essential or important entities belonging to a sector of high criticality pursuant to Directive (EU) 2022/2555 of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union.
Managed security service providers in areas such as incident response, penetration testing, security audits and consultancy, play a particularly important role in assisting entities in their efforts to prevent, detect, respond to or recover from incidents. They have however also themselves been the target of cyberattacks and pose a particular risk because of their close integration in the operations of their customers.
Some Member States have already begun adopting certification schemes for managed security services. There is therefore a growing risk of fragmentation of the internal market for managed security services owing to inconsistencies in cybersecurity certification schemes across the Union. This proposal aims to prevent such fragmentation.
CONTENT: the proposed targeted amendment to amend the scope of the European cybersecurity certification framework in the Cybersecurity Act aims to enable, by means of Commission implementing acts, the adoption of European cybersecurity certification schemes for ‘managed security services’ , in addition to information and technology (ICT) products, ICT services and ICT processes, which are already covered under the Cybersecurity Act.
The proposal also introduces a definition of those services, which is very closely aligned to the definition of ‘managed security services providers’ under the NIS 2 Directive (Article 2 of the Cybersecurity Act). It also adds new provisions on the security objectives of European cybersecurity certification adapted to ‘managed security services’.
Lastly, a number of technical amendments are made to ensure that the relevant articles apply also to ‘managed security services’.
Documents
- Coreper letter confirming interinstitutional agreement: GEDA/A/(2024)001687
- Text agreed during interinstitutional negotiations: PE760.887
- Approval in committee of the text agreed at 1st reading interinstitutional negotiations: PE760.887
- Committee report tabled for plenary, 1st reading: A9-0307/2023
- Amendments tabled in committee: PE753.562
- Specific opinion: PE749.983
- Committee draft report: PE752.802
- Contribution: COM(2023)0208
- Contribution: COM(2023)0208
- Economic and Social Committee: opinion, report: CES2408/2023
- Contribution: COM(2023)0208
- Legislative proposal published: COM(2023)0208
- Legislative proposal published: EUR-Lex
- Economic and Social Committee: opinion, report: CES2408/2023
- Committee draft report: PE752.802
- Amendments tabled in committee: PE753.562
- Specific opinion: PE749.983
- Text agreed during interinstitutional negotiations: PE760.887
- Coreper letter confirming interinstitutional agreement: GEDA/A/(2024)001687
- Contribution: COM(2023)0208
- Contribution: COM(2023)0208
- Contribution: COM(2023)0208
Activities
- Josianne CUTAJAR
Plenary Speeches (0)
History
(these mark the time of scraping, not the official date of the change)
docs/6 |
|
events/8 |
|
forecasts |
|
procedure/stage_reached |
Old
Awaiting Parliament's position in 1st readingNew
Awaiting Council's 1st reading position |
forecasts/0 |
|
forecasts/0 |
|
forecasts/0 |
|
forecasts/0 |
|
forecasts/0 |
|
forecasts/0 |
|
forecasts/0 |
|
forecasts/0 |
|
forecasts/0 |
|
forecasts/0 |
|
forecasts/0 |
|
forecasts/0 |
|
docs/4 |
|
events/7/docs |
|
docs/4 |
|
events/7/docs |
|
docs/4 |
|
events/7/docs |
|
docs/4 |
|
events/7/docs |
|
docs/4 |
|
events/7/docs |
|
docs/4 |
|
events/7/docs |
|
docs/4 |
|
events/7 |
|
docs/4 |
|
events/7 |
|
docs/4 |
|
events/7 |
|
docs/4 |
|
events/7 |
|
docs/4 |
|
events/7 |
|
forecasts/0/date |
Old
2024-03-11T00:00:00New
2024-04-22T00:00:00 |
forecasts/0/date |
Old
2024-04-10T00:00:00New
2024-03-11T00:00:00 |
forecasts/0/date |
Old
2024-02-05T00:00:00New
2024-04-10T00:00:00 |
forecasts |
|
links |
|
docs/4 |
|
events/4/summary |
|
events/6 |
|
events/5 |
|
docs/4 |
|
docs/4 |
|
docs/5 |
|
docs/5 |
|
docs/5/date |
Old
2023-06-28T00:00:00New
2023-06-29T00:00:00 |
docs/6 |
|
docs/6 |
|
docs/6/date |
Old
2023-07-19T00:00:00New
2023-07-20T00:00:00 |
docs/7 |
|
docs/7/date |
Old
2023-07-31T00:00:00New
2023-08-01T00:00:00 |
events/4 |
|
procedure/stage_reached |
Old
Awaiting committee decisionNew
Awaiting Parliament's position in 1st reading |
events/2 |
|
events/3 |
|
procedure/Other legal basis |
Rules of Procedure EP 159
|
docs/2 |
|
docs/3 |
|
docs/1 |
|
docs/3 |
|
docs/0 |
|
docs/2 |
|
committees/0/shadows/3 |
|
committees/0/shadows/2 |
|
docs/0 |
|
docs/0 |
|
committees/0/shadows/1 |
|
committees/0/shadows |
|
committees/1/rapporteur |
|
committees/2/opinion |
False
|
commission |
|
events/1 |
|
procedure/dossier_of_the_committee |
|
procedure/stage_reached |
Old
Preparatory phase in ParliamentNew
Awaiting committee decision |
events/0/summary |
|
committees/0/rapporteur |
|
docs/0/docs/1 |
|
events/0/docs/1 |
|