Legal provisions of COM(2023)208 - Amendment of Regulation (EU) 2019/881 as regards managed security services - Main contents

Please note

This page contains a limited version of this dossier in the EU Monitor.

dossier	COM(2023)208 - Amendment of Regulation (EU) 2019/881 as regards managed security services.
document	COM(2023)208
date	December 19, 2024

Article 1

Amendments to Regulation (EU) 2019/881

Regulation (EU) 2019/881 is amended as follows:

(1)

in Article 1(1), first subparagraph, point (b) is replaced by the following:

‘(b)

a framework for the establishment of European cybersecurity certification schemes for the purpose of ensuring an adequate level of cybersecurity for ICT products, ICT services, ICT processes, and managed security services in the Union, as well as for the purpose of avoiding the fragmentation of the internal market with regard to cybersecurity certification schemes in the Union.’

;

(2)

Article 2 is amended as follows:

(a)

points 9, 10 and 11 are replaced by the following:

‘(9)

“European cybersecurity certification scheme” means a comprehensive set of rules, technical requirements, standards and procedures that are established at Union level and that apply to the certification or conformity assessment of specific ICT products, ICT services, ICT processes or managed security services;

(10)

“national cybersecurity certification scheme” means a comprehensive set of rules, technical requirements, standards and procedures developed and adopted by a national public authority and that apply to the certification or conformity assessment of ICT products, ICT services, ICT processes or managed security services falling under the scope of the specific scheme;

(11)

“European cybersecurity certificate” means a document issued by a relevant body, attesting that a given ICT product, ICT service, ICT process or managed security service has been evaluated for compliance with specific security requirements laid down in a European cybersecurity certification scheme;’

;

(b)

the following point is inserted:

‘(14a)

“managed security service” means a service provided to a third party consisting of carrying out, or providing assistance for, activities relating to cybersecurity risk management, such as incident handling, penetration testing, security audits and consulting, including expert advice, related to technical support;’

;

(c)

points 20, 21 and 22 are replaced by the following:

‘(20)

“technical specification” means a document that prescribes the technical requirements to be met by, or conformity assessment procedures relating to, an ICT product, ICT service, ICT process or managed security service;

(21)

“assurance level” means a basis for confidence that an ICT product, ICT service, ICT process or managed security service meets the security requirements of a specific European cybersecurity certification scheme, and indicates the level at which an ICT product, ICT service, ICT process or managed security service has been evaluated but as such does not measure the security of the ICT product, ICT service, ICT process or managed security service concerned;

(22)

“conformity self-assessment” means an action carried out by a manufacturer or provider of ICT products, ICT services, ICT processes or managed security services, which evaluates whether those ICT products, ICT services, ICT processes or managed security services meet the requirements of a specific European cybersecurity certification scheme.’

;

(3)

in Article 4, paragraph 6 is replaced by the following:

‘6. ENISA shall promote the use of European cybersecurity certification with a view to avoiding the fragmentation of the internal market. ENISA shall contribute to the establishment and maintenance of a European cybersecurity certification framework in accordance with Title III of this Regulation with a view to increasing the transparency of the cybersecurity of ICT products, ICT services, ICT processes and managed security services, thereby strengthening trust in the digital internal market and its competitiveness.’

;

(4)

Article 8 is amended as follows:

(a)

paragraph 1 is amended as follows:

(i)

the introductory wording is replaced by the following:

‘1. ENISA shall support and promote the development and implementation of Union policy on the cybersecurity certification of ICT products, ICT services, ICT processes and managed security services, as established in Title III of this Regulation, by:’

;

(ii)

point (b) is replaced by the following:

‘(b)	preparing candidate European cybersecurity certification schemes (candidate schemes) for ICT products, ICT services, ICT processes and managed security services in accordance with Article 49;’

;

(b)

paragraph 3 is replaced by the following:

‘3. ENISA shall compile and publish guidelines and develop good practices, concerning the cybersecurity requirements for ICT products, ICT services, ICT processes and managed security services, in cooperation with national cybersecurity certification authorities and industry in a formal, structured and transparent way.’

;

(c)	paragraph 5 is replaced by the following: ‘5. ENISA shall facilitate the establishment and take-up of European and international standards for risk management and for the security of ICT products, ICT services, ICT processes and managed security services.’ ;

(5)

Article 46 is replaced by the following:

‘Article 46

European cybersecurity certification framework

1. The European cybersecurity certification framework shall be established in order to improve the conditions for the functioning of the internal market by increasing the level of cybersecurity within the Union and enabling a harmonised approach at Union level to European cybersecurity certification schemes, with a view to creating a digital single market for ICT products, ICT services, ICT processes and managed security services.

2. The European cybersecurity certification framework shall provide for a mechanism to establish European cybersecurity certification schemes and to attest that the ICT products, ICT services and ICT processes that have been evaluated in accordance with such schemes comply with specified security requirements for the purpose of protecting the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the functions or services offered by, or accessible via, those products, services and processes throughout their life cycle. In addition, it shall attest that managed security services that have been evaluated in accordance with such schemes comply with specified security requirements for the purpose of protecting the availability, authenticity, integrity and confidentiality of data which are accessed, processed, stored or transmitted in relation to the provision of those services, and that those services are provided continuously with the requisite competence, expertise and experience by staff with a sufficient and appropriate level of relevant technical knowledge and professional integrity.’

;

(6)

Article 47 is amended as follows:

(a)

paragraph 2 is replaced by the following:

‘2. The Union rolling work programme shall in particular include a list of ICT products, ICT services, ICT processes and managed security services, or categories thereof, that are capable of benefiting from being included in the scope of a European cybersecurity certification scheme.’

;

(b)

paragraph 3 is amended as follows:

(i)	the introductory wording is replaced by the following: ‘3. Inclusion in the Union rolling work programme of specific ICT products, ICT services, ICT processes, or managed security services, or categories thereof, shall be justified on the basis of one or more of the following grounds:’ ;

(ii)

point (a) is replaced by the following:

‘(a)	the availability and the development of national cybersecurity certification schemes covering a specific category of ICT products, ICT services, ICT processes or managed security services and, in particular, as regards the risk of fragmentation;’

;

(iii)

the following point is inserted:

‘(ca)

technological developments and the availability and development of international cybersecurity certification schemes and international standards and standards used by the industry;’

;

(7)

Article 49 is amended as follows:

(a)

paragraphs 1 to 4 are replaced by the following:

‘1. Following a request from the Commission pursuant to Article 48, ENISA shall prepare a candidate scheme that meets the applicable requirements set out in Articles 51, 51a, 52 and 54.

2. Following a request from the ECCG pursuant to Article 48(2), ENISA may prepare a candidate scheme that meets the applicable requirements set out in Articles 51, 51a, 52 and 54. If ENISA refuses such a request, it shall give reasons for its refusal. Any decision to refuse such a request shall be taken by the Management Board.

3. When preparing a candidate scheme, ENISA shall consult all relevant stakeholders in a timely manner by means of a formal, open, transparent and inclusive consultation process. When transmitting the candidate scheme to the Commission pursuant to paragraph 6, ENISA shall provide information on the manner in which it has complied with this paragraph.

4. For each candidate scheme, ENISA shall establish an ad hoc working group in accordance with Article 20(4) for the purpose of providing ENISA with specific advice and expertise. Those ad hoc working groups shall, as appropriate and without prejudice to the procedures and discretion provided for in Article 20(4), include experts from the public administrations of the Member States, the Union institutions, bodies, offices and agencies, and the private sector.’

;

(b)

paragraph 7 is replaced by the following:

‘7. The Commission may, on the basis of the candidate scheme prepared by ENISA, adopt implementing acts providing for a European cybersecurity certification scheme for ICT products, ICT services, ICT processes and managed security services which meets the relevant requirements set out in Articles 51, 51a, 52 and 54. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 66(2).’

;

(8)

the following article is inserted:

‘Article 49a

Information and consultation on the European cybersecurity certification schemes

1. The Commission shall make the information on its request to ENISA to prepare a candidate scheme or to review an existing European cybersecurity certification scheme as referred to in Article 48 publicly available.

2. During the preparation of a candidate scheme by ENISA pursuant to Article 49, the European Parliament, the Council or both may request the Commission, in its capacity as chair of the ECCG, and ENISA to present relevant information on a draft candidate scheme on a quarterly basis. Upon the request of the European Parliament or the Council, ENISA, in agreement with the Commission and without prejudice to Article 27, may make available to the European Parliament and to the Council relevant parts of a draft candidate scheme in a manner appropriate to the confidentiality level required, and where appropriate in a restricted manner.

3. In order to enhance the dialogue between the Union institutions and to contribute to a formal, open, transparent and inclusive consultation process, the European Parliament, the Council or both may invite the Commission and ENISA to discuss matters concerning the functioning of European cybersecurity certification schemes for ICT products, ICT services, ICT processes or managed security services.

4. The Commission shall take into account, where appropriate, elements arising from the views expressed by the European Parliament and by the Council on the matters referred to in paragraph 3 of this Article when evaluating this Regulation pursuant to Article 67.’

;

(9)

Article 51 is amended as follows:

(a)	the title is replaced by the following: ‘Security objectives of European cybersecurity certification schemes for ICT products, ICT services and ICT processes’ ;

(b)	the introductory sentence is replaced by the following: ‘A European cybersecurity certification scheme for ICT products, ICT services or ICT processes shall be designed to achieve, as applicable, at least the following security objectives:’ ;

(10)

the following article is inserted:

‘Article 51a

Security objectives of European cybersecurity certification schemes for managed security services

A European cybersecurity certification scheme for managed security services shall be designed to achieve, as applicable, at least the following security objectives:

(a)

that the managed security services are provided with the requisite competence, expertise and experience, including that the staff tasked with providing those services have a sufficient and appropriate level of technical knowledge and competence in the specific field, sufficient and appropriate experience, and the highest degree of professional integrity;

(b)	that the provider has appropriate internal procedures in place to ensure that the managed security services are provided at a sufficient and appropriate level of quality at all times;

(c)	that data accessed, stored, transmitted or otherwise processed in relation to the provision of managed security services are protected against accidental or unauthorised access, storage, disclosure, destruction, other processing, or loss or alteration or lack of availability;

(d)	that the availability of, and access to, data, services and functions is restored in a timely manner in the event of a physical or technical incident;

(e)	that authorised persons, programs or machines are able to access only the data, services or functions to which their access rights refer;

(f)	that a record is kept and is available for assessment, of the data, services or functions that have been accessed, used or otherwise processed, at what times and by whom;

(g)	that the ICT products, ICT services and ICT processes deployed in the provision of the managed security services are secure by design and by default and, where applicable, include the latest security updates and do not contain publicly known vulnerabilities.’

;

(11)

Article 52 is amended as follows:

(a)

paragraph 1 is replaced by the following:

‘1. A European cybersecurity certification scheme may specify one or more of the following assurance levels for ICT products, ICT services, ICT processes and managed security services: “basic”, “substantial” or “high”. The assurance level shall be commensurate with the level of the risk associated with the intended use of the ICT product, ICT service, ICT process or managed security service, in terms of the probability and impact of an incident.’

;

(b)

paragraph 3 is replaced by the following:

‘3. The security requirements corresponding to each assurance level shall be provided in the relevant European cybersecurity certification scheme, including the corresponding security functionalities and the corresponding rigour and depth of the evaluation that the ICT product, ICT service, ICT process or managed security service is to undergo.’

;

(c)

paragraphs 5, 6 and 7 are replaced by the following:

‘5. A European cybersecurity certificate or EU statement of conformity that refers to assurance level “basic” shall provide assurance that the ICT products, ICT services, ICT processes or managed security services for which that certificate or that EU statement of conformity is issued meet the corresponding security requirements, including security functionalities, and that they have been evaluated at a level intended to minimise the known basic risks of incidents and cyberattacks. The evaluation activities to be undertaken shall include at least a review of technical documentation. Where such a review is not appropriate, substitute evaluation activities with equivalent effect shall be undertaken.

6. A European cybersecurity certificate that refers to assurance level “substantial” shall provide assurance that the ICT products, ICT services, ICT processes or managed security services for which that certificate is issued meet the corresponding security requirements, including security functionalities, and that they have been evaluated at a level intended to minimise the known cybersecurity risks, and the risk of incidents and cyberattacks carried out by actors with limited skills and resources. The evaluation activities to be undertaken shall include at least the following: a review to demonstrate the absence of publicly known vulnerabilities and testing to demonstrate that the ICT products, ICT services, ICT processes or managed security services correctly implement the necessary security functionalities. Where any such evaluation activities are not appropriate, substitute evaluation activities with equivalent effect shall be undertaken.

7. A European cybersecurity certificate that refers to assurance level “high” shall provide assurance that the ICT products, ICT services, ICT processes or managed security services for which that certificate is issued meet the corresponding security requirements, including security functionalities, and that they have been evaluated at a level intended to minimise the risk of state-of-the-art cyberattacks carried out by actors with significant skills and resources. The evaluation activities to be undertaken shall include at least the following: a review to demonstrate the absence of publicly known vulnerabilities; testing to demonstrate that the ICT products, ICT services, ICT processes or managed security services correctly implement the necessary security functionalities at the state of the art; and an assessment of their resistance to skilled attackers, using penetration testing. Where any such evaluation activities are not appropriate, substitute activities with equivalent effect shall be undertaken.’

;

(12)

in Article 53, paragraphs 1, 2 and 3 are replaced by the following:

‘1. A European cybersecurity certification scheme may allow for the conformity self-assessment under the sole responsibility of the manufacturer or provider of ICT products, ICT services, ICT processes or managed security services. Conformity self-assessment shall be permitted only in relation to ICT products, ICT services, ICT processes or managed security services that present a low risk corresponding to assurance level “basic”.

2. The manufacturer or provider of ICT products, ICT services, ICT processes or managed security services may issue an EU statement of conformity stating that the fulfilment of the requirements set out in the scheme has been demonstrated. By issuing such a statement, the manufacturer or provider of ICT products, ICT services, ICT processes or managed security services shall assume responsibility for the compliance of the ICT product, ICT service, ICT process or managed security service with the requirements set out in that scheme.

3. The manufacturer or provider of ICT products, ICT services, ICT processes or managed security services shall make the EU statement of conformity, technical documentation, and all other relevant information relating to the conformity of the ICT products, ICT services, ICT processes or managed security services with the scheme available to the national cybersecurity certification authority designated pursuant to Article 58 for the period provided for in the corresponding European cybersecurity certification scheme. A copy of the EU statement of conformity shall be submitted to the national cybersecurity certification authority and to ENISA.’

;

(13)

in Article 54, paragraph 1 is amended as follows:

(a)

point (a) is replaced by the following:

‘(a)	the subject matter and scope of the certification scheme, including the type or categories of ICT products, ICT services, ICT processes or managed security services covered;’

;

(b)

point (g) is replaced by the following:

‘(g)	the specific evaluation criteria and methods to be used, including types of evaluation, in order to demonstrate that the applicable security objectives referred to in Articles 51 and 51a are achieved;’

;

(c)

point (j) is replaced by the following:

‘(j)

rules for monitoring the compliance of ICT products, ICT services, ICT processes or managed security services with the requirements of the European cybersecurity certificates or the EU statements of conformity, including mechanisms to demonstrate continued compliance with the specified cybersecurity requirements;’

;

(d)

point (l) is replaced by the following:

‘(l)	rules concerning the consequences for ICT products, ICT services, ICT processes or managed security services that have been certified or for which an EU statement of conformity has been issued, but which do not comply with the requirements of the scheme;’

;

(e)

point (o) is replaced by the following:

‘(o)	the identification of national or international cybersecurity certification schemes covering the same type or categories of ICT products, ICT services, ICT processes or managed security services, security requirements, evaluation criteria and methods, and assurance levels;’

;

(f)

point (q) is replaced by the following:

‘(q)	the period of the availability of the EU statement of conformity, technical documentation, and all other relevant information to be made available by the manufacturer or provider of ICT products, ICT services, ICT processes or managed security services;’

;

(14)

Article 56 is amended as follows:

(a)	paragraph 1 is replaced by the following: ‘1. ICT products, ICT services, ICT processes and managed security services that have been certified under a European cybersecurity certification scheme adopted pursuant to Article 49 shall be presumed to comply with the requirements of such scheme.’ ;

(b)

paragraph 3 is amended as follows:

(i)

the first subparagraph is replaced by the following:

‘The Commission shall regularly assess the efficiency and use of the adopted European cybersecurity certification schemes and whether a specific European cybersecurity certification scheme is to be made mandatory through relevant Union law to ensure an adequate level of cybersecurity of ICT products, ICT services, ICT processes and, from 4 February 2025, managed security services in the Union and improve the functioning of the internal market. The first such assessment shall be carried out by 31 December 2023, and subsequent assessments shall be carried out at least every two years thereafter. Based on the outcome of those assessments, the Commission shall identify the ICT products, ICT services, ICT processes and managed security services covered by an existing certification scheme which are to be covered by a mandatory certification scheme.’

;

(ii)

the third subparagraph is amended as follows:

—

point (a) is replaced by the following:

‘(a)

take into account the impact of the measures on the manufacturers or providers of such ICT products, ICT services, ICT processes or managed security services and on the users in terms of the cost of those measures and the societal or economic benefits stemming from the anticipated enhanced level of security for the targeted ICT products, ICT services, ICT processes or managed security services;’

—

point (d) is replaced by the following:

‘(d)

take into account any implementation deadlines, transitional measures and periods, in particular with regard to the possible impact of the measure on the manufacturers or providers of ICT products, ICT services, ICT processes or managed security services, including the specific interests and needs of SMEs, including microenterprises;’

;

(c)

paragraphs 7 and 8 are replaced by the following:

‘7. The natural or legal person who submits ICT products, ICT services, ICT processes or managed security services for certification shall make available to the national cybersecurity certification authority designated pursuant to Article 58, where that authority is the body issuing the European cybersecurity certificate, or to the conformity assessment body referred to in Article 60 all information necessary to conduct the certification.

8. The holder of a European cybersecurity certificate shall inform the authority or body referred to in paragraph 7 of any subsequently detected vulnerabilities or irregularities concerning the security of the certified ICT product, ICT service, ICT process or managed security service that may have an impact on its compliance with the requirements related to the certification. That authority or body shall forward that information without undue delay to the national cybersecurity certification authority concerned.’

;

(15)

in Article 57, paragraphs 1 and 2 are replaced by the following:

‘1. Without prejudice to paragraph 3 of this Article, national cybersecurity certification schemes, and the related procedures for the ICT products, ICT services, ICT processes and managed security services that are covered by a European cybersecurity certification scheme shall cease to produce effects from the date established in the implementing act adopted pursuant to Article 49(7). National cybersecurity certification schemes and the related procedures for the ICT products, ICT services, ICT processes and managed security services that are not covered by a European cybersecurity certification scheme shall continue to exist.

2. Member States shall not introduce new national cybersecurity certification schemes for ICT products, ICT services, ICT processes and managed security services already covered by a European cybersecurity certification scheme that is in force.’

;

(16)

Article 58 is amended as follows:

(a)

paragraph 7 is amended as follows:

(i)

points (a) and (b) are replaced by the following:

‘(a)

supervise and enforce rules included in European cybersecurity certification schemes pursuant to Article 54(1), point (j), for the monitoring of the compliance of ICT products, ICT services, ICT processes and managed security services with the requirements of the European cybersecurity certificates that have been issued in their respective territories, in cooperation with other relevant market surveillance authorities;

(b)

monitor compliance with and enforce the obligations of the manufacturers or providers of ICT products, ICT services, ICT processes or managed security services that are established in their respective territories and that carry out conformity self-assessment, and shall, in particular, monitor compliance with and enforce the obligations of such manufacturers or providers set out in Article 53(2) and (3) and in the corresponding European cybersecurity certification scheme;’

;

(ii)

point (h) is replaced by the following:

‘(h)

cooperate with other national cybersecurity certification authorities or other public authorities, including by sharing information on the possible non-compliance of ICT products, ICT services, ICT processes or managed security services with the requirements of this Regulation or with the requirements of specific European cybersecurity certification schemes; and’

;

(b)

paragraph 9 is replaced by the following:

‘9. National cybersecurity certification authorities shall cooperate with each other and with the Commission, in particular, by exchanging information, experience and good practices as regards cybersecurity certification and technical issues concerning the cybersecurity of ICT products, ICT services, ICT processes and managed security services.’

;

(17)

in Article 59(3), points (b) and (c) are replaced by the following:

‘(b)	the procedures for supervising and enforcing the rules for monitoring the compliance of ICT products, ICT services, ICT processes and managed security services with European cybersecurity certificates pursuant to Article 58(7), point (a);

(c)	the procedures for monitoring and enforcing the obligations of manufacturers or providers of ICT products, ICT services, ICT processes or managed security services pursuant to Article 58(7), point (b);’

;

(18)

in Article 67, paragraphs 2 and 3 are replaced by the following:

‘2. The evaluation shall also assess the impact, effectiveness and efficiency of the provisions of Title III of this Regulation, including the procedures leading to the adoption of European cybersecurity certification schemes and their evidence bases, with regard to the objectives of ensuring an adequate level of cybersecurity of ICT products, ICT services, ICT processes and managed security services in the Union and improving the functioning of the internal market.

3. The evaluation shall assess whether essential cybersecurity requirements for access to the internal market are necessary in order to prevent ICT products, ICT services, ICT processes and managed security services which do not meet basic cybersecurity requirements from entering the internal market.’

;

(19)	the Annex is amended in accordance with the Annex to this Regulation.

Article 2

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

This Regulation shall be binding in its entirety and directly applicable in all Member States.