Explanatory Memorandum to COM(2023)208 - Amendment of Regulation (EU) 2019/881 as regards managed security services

1. CONTEXT OF THE PROPOSAL

Reasons for and objectives of the proposal

This explanatory memorandum accompanies the proposal for a Regulation of the European Parliament and of the Council amending Regulation (EU) 2019/881 as regards managed security services.

The proposed targeted amendment aims to enable, by means of Commission implementing acts, the adoption of European cybersecurity certification schemes for ‘managed security services’, in addition to information and communication technology (ICT) products, ICT services and ICT processes, which are already covered under the Cybersecurity Act. Managed security services play an increasingly important role in the prevention and mitigation of cybersecurity incidents.

In its conclusions of 23 May 2022 on the development of the European Union’s cyber posture, the Council called upon the Union and its Member States to reinforce efforts to raise the overall level of cybersecurity, for example by facilitating the emergence of trusted cybersecurity service providers, and stressed that encouraging the development of such providers should be a priority for the industrial policy of the Union in the cybersecurity field. It also invited the Commission to propose options to encourage the emergence of a trusted cybersecurity service industry. The certification of managed security services is an effective means of building trust in the quality of those services and thereby facilitating the emergence of a trusted European cybersecurity service industry.

The Joint Communication ‘EU Policy on Cyber Defence’ adopted by the Commission and the High Representative on 10 November 2022, announced that the Commission would explore the development of EU-level cybersecurity certification schemes for cybersecurity industry and private companies. Managed security services providers will also play an important role in the EU-level cybersecurity reserve, the gradual set-up of which is supported by the Cyber Solidarity Act, proposed in parallel to this Regulation. The EU-level cybersecurity reserve is to be used to support response and immediate recovery actions in the event of significant and large-scale cybersecurity incidents. The relevant cybersecurity services provided by ‘trusted providers’ referred to in the Cyber Solidarity Act, correspond to ‘managed security services’ in this proposal.

Some Member States have already begun adopting certification schemes for managed security services. There is therefore a growing risk of fragmentation of the internal market for managed security services owing to inconsistencies in cybersecurity certification schemes across the Union. This proposal enables the creation of European cybersecurity certification schemes for those services to prevent such fragmentation.

Consistency with existing policy provisions in the policy area

This proposal is consistent with the Cybersecurity Act, which it amends. It builds on the provisions of that Regulation and adapts them to also include managed security services. The proposed amendments are limited to what is strictly necessary and do not alter the characteristics or the functioning of the Cybersecurity Act.

This proposal is also consistent with Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive). The providers of managed security services are considered to be essential or important entities belonging to a sector of high criticality under Directive (EU) 2022/2555. Recital 86 of that Directive states that managed security service providers, in areas such as incident response, penetration testing, security audits and consultancy, play a particularly important role in assisting entities in their efforts to prevent, detect, respond to or recover from incidents. However, managed security service providers have also themselves been the target of cyberattacks and pose a particular risk because of their close integration in the operations of their customers. Essential and important entities within the meaning of Directive (EU) 2022/2555 should therefore exercise increased diligence in selecting a managed security service provider.

This proposal aims to improve the quality of managed security services and to increase their comparability. It thereby enables essential and important entities to exercise the increased diligence in selecting a managed security service provider as required under Directive (EU) 2022/2555. Moreover, the definition of ‘managed security services’ in this proposal is derived from and very similar to the definition of ‘managed security services providers’ in Directive (EU) 2022/2555. For these reasons, the proposal is highly complementary with the NIS 2 Directive.

Finally, this proposal is complementary with the proposed Cyber Solidarity Act. The proposed Cyber Solidarity Act lays down a process to select the providers to form an EU‑level cybersecurity reserve, which should, inter alia, take into account whether those providers have obtained European or national cybersecurity certification. Future certification schemes for managed security services will thus play a significant role in the implementation of the Cyber Solidarity Act.

Consistency with other Union policies

This proposal does not affect the Cybersecurity Act’s consistency with Regulation (EU) 2016/679 (the General Data Protection Regulation, ‘GDPR’) and its provisions on establishing certification mechanisms and data protection seals and marks for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors. The Cybersecurity Act remains without prejudice to the certification of data processing operations, including when such operations are embedded in products and services, under the GDPR.

Furthermore, this proposal does not affect the Cybersecurity Act’s compatibility with Regulation (EC) No 765/2008 on accreditation and market surveillance requirements, in particular as regards the framework on national accreditation bodies and conformity assessment bodies, and national certification supervisory authorities.

2. LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY

Legal basis

This proposal amends the Cybersecurity Act, which is based on Article 114 of the Treaty on the Functioning of the European Union (TFEU). As in the case of the Cybersecurity Act, this proposal aims to avoid fragmentation of the internal market, namely by enabling the adoption of European cybersecurity certification schemes for managed security services. Member States have started to adopt national certification schemes for managed security services. There is thus a concrete risk of fragmentation of the internal market for these services, which the present proposal aims to address. Therefore, Article 114 TFEU is the relevant legal basis for this initiative.

Subsidiarity (for non-exclusive competence)

The objective of enabling the adoption of European cybersecurity certification schemes for managed security services and avoiding fragmentation of the internal market cannot be achieved at national level but only at Union level. Furthermore, managed security services, which are the targeted subject of the proposed amendment, are offered by providers active across the Union, as are their largest potential customers. Action at Union level is therefore both necessary and more effective than action at national level.

Proportionality

The proposal is a targeted amendment of the Cybersecurity Act. It is limited to what is strictly necessary to achieve its objective, namely to enable the adoption of European cybersecurity certification schemes for managed security services, in addition to ICT products, ICT services and ICT processes. The proposed amendments adapt, in particular, the scope of the European cybersecurity certification framework to include ‘managed security services’, introduce a definition of those services in line with the NIS 2 Directive, and amend the security objectives of European cybersecurity certification in order to adapt it to ‘managed security services’. The other amendments are of a technical nature and are intended to ensure that the relevant articles apply also to ‘managed security services’. The proposed initiative is thus proportionate to the objective.

Choice of the instrument

As the proposal amends Regulation (EU) 2019/881, the appropriate legal instrument is a Regulation.

3. RESULTS OF EX POST EVALUATIONS, STAKEHOLDER CONSULTATIONS AND IMPACT ASSESSMENTS

Ex post evaluations/fitness checks of existing legislation

Not applicable.

Stakeholder consultations

Targeted consultations with Member States and ENISA have been carried out. In these consultations, Member States described their current activities and views as regards certification of managed security services. ENISA explained its views and its findings from discussions with Member States and stakeholders. The comments and information received from Member States and ENISA have fed into this proposal.

Collection and use of expertise

Not applicable.

Impact assessment

A waiver from the need for an impact assessment has been requested as the proposal is a very limited and targeted amendment to the Cybersecurity Act. It would empower the Commission to adopt, by means of implementing acts, certification schemes for ‘managed security services’, in addition to ICT products, ICT services and ICT processes, which are already covered by the Act. However, the amendment would only have an effect once such certification schemes are adopted at a later stage. Moreover, the amendment would not change the voluntary character of the certification schemes.

Regulatory fitness and simplification

Not applicable.

Fundamental rights

The proposal does not have any foreseeable consequences for the protection of fundamental rights.
4. BUDGETARY IMPLICATIONS

None.

5. OTHER ELEMENTS

Implementation plans and monitoring, evaluation and reporting arrangements

The provisions to be amended by the proposal will be evaluated as part of the periodic evaluation of the Cybersecurity Act to be carried out by the Commission in accordance with Article 67 thereof. That evaluation assesses, inter alia, the impact, effectiveness and efficiency of the provisions on the Cybersecurity Certification Framework with regard to the objectives of ensuring an adequate level of cybersecurity of ICT products, ICT services and ICT processes in the Union and of improving the functioning of the internal market. The proposal contains an amendment that ensures that the evaluation is also to cover managed security services. The Commission also sends a report on the evaluation and its conclusions to the European Parliament, the Council and the ENISA Management Board and makes the findings of the report public.
Detailed explanation of the specific provisions of the proposal

The proposal contains two articles. While Article 1 contains the amendments to Regulation (EU) 2019/881, Article 2 concerns the entry into force. Article 1 contains targeted amendments to amend the scope of the European cybersecurity certification framework in the Cybersecurity Act to include ‘managed security services’ (Articles 1 and 46 of the Cybersecurity Act). It introduces a definition of those services, which is very closely aligned to the definition of ‘managed security services providers’ under the NIS 2 Directive (Article 2 of the Cybersecurity Act). It also adds a new Article 51a on the security objectives of European cybersecurity certification adapted to ‘managed security services’. Lastly, the proposal contains a number of technical amendments to ensure that the relevant articles apply also to ‘managed security services’.