Member State representatives (Coreper) have reached a common position on an amendment to the 2019 Cybersecurity Regulation. This should allow European certification schemes for "managed security services" to increase EU cyber resilience.
These managed security services, provided by specialized companies, are critical in preventing, detecting, responding to and recovering from cybersecurity incidents. In addition to incident detection or response, these services can include penetration testing, security auditing and consulting services.
The proposed amendment was tabled together with a proposal for an EU cyber solidarity law, which also aims to increase cybersecurity in the EU, and would bring European cybersecurity certification schemes for managed security services within the scope of the 2019 cybersecurity regulation.
It should thus enable the establishment of European certification schemes for such services. This could improve their quality and comparability: with more trusted providers of cybersecurity services, the internal market - where some member states have already begun to adopt national certification schemes for managed security services - will become less fragmented.
The Council's position changes the Commission's proposal in a few ways:
it clarifies the definition of "managed security services" and its alignment with the revised cybersecurity directive (the NIS 2 directive)
it aligns the security objectives of certification schemes with the security objectives of other schemes under the current cybersecurity regulation
it contains an annex listing the requirements that conformity assessment bodies must meet
a number of technical and editorial changes ensure that all relevant provisions of the current cybersecurity regulation also apply to managed security services
With the agreement on the Council's common position (its "negotiating mandate"), the Spanish presidency can now enter into negotiations ("trialogues") with the European Parliament on the final regulation.
The Cybersecurity Regulation, adopted in 2019, provides the first framework for cybersecurity certification for all member states. Cybersecurity certification is voluntary, unless otherwise provided by Union or Member State law.
Adopted on April 18, 2023, the Commission's proposal aims to make targeted changes to the scope of the Cybersecurity Regulation. It allows the Commission to adopt implementing acts on European cybersecurity certification schemes for managed security services, in addition to the information and communication technology (ICT) products, services and processes already covered by the current cybersecurity regulation.
The proposal introduces a definition of these managed security services that is consistent with the definition of "managed security service providers" in the NIS 2 Directive. It also adds a new article (Article 51a) on the security objectives of European cybersecurity certification adapted to "managed security services." Finally, the proposal includes a number of technical changes that extend the relevant provisions of the Cybersecurity Regulation to managed security services.
The proposal is based on Article 114 TFEU (internal market), as it aims to avoid fragmentation of the internal market for managed security services by enabling the establishment of European cybersecurity certification schemes for these services.
Commission proposal to amend cybersecurity regulation