Considerations on COM(2023)208 - Amendment of Regulation (EU) 2019/881 as regards managed security services - Main contents
| field | value |
|---|---|
| dossier | COM(2023)208 - Amendment of Regulation (EU) 2019/881 as regards managed security services. |
| document | COM(2023)208 |
| date | December 19, 2024 |
(2) In order to ensure the Union’s resilience to cyberattacks and to prevent any vulnerabilities in the internal market, this Regulation is intended to complement the horizontal regulatory framework establishing comprehensive cybersecurity requirements for products with digital elements pursuant to Regulation (EU) 2024/2847 of the European Parliament and of the Council (4) by providing for security objectives for managed security services as well as the application and trustworthiness of those services.

(3) Managed security services are provided by managed security service providers as defined in Article 6, point (40), of Directive (EU) 2022/2555 of the European Parliament and of the Council (5). The definition of managed security services in this Regulation should therefore be consistent with that of managed security service providers in Directive (EU) 2022/2555. Those services consist of carrying out, or providing assistance for, activities relating to their customers’ cybersecurity risk management, and have gained increasing importance in the prevention and mitigation of incidents. Accordingly, the providers of those services are considered to be essential or important entities belonging to a sector of high criticality pursuant to Directive (EU) 2022/2555. As stated in recital 86 of that Directive, managed security service providers in areas such as incident response, penetration testing, security audits and consultancy, play a particularly important role in assisting entities in their efforts to prevent, detect, respond to or recover from incidents. However, managed security service providers have also themselves been the target of cyberattacks and pose a particular risk because of their close integration in the operations of their customers. It is therefore important that essential and important entities within the meaning of Directive (EU) 2022/2555 exercise increased diligence in selecting managed security service providers.

(4) The definition of managed security services under this Regulation includes a non-exhaustive list of managed security services that could qualify for European cybersecurity certification schemes, such as incident handling, penetration testing, security audits, and consulting related to technical support. Managed security services could encompass cybersecurity services that support the preparedness for, prevention, detection, analysis and mitigation of, response to, and recovery from incidents. Cyber threat intelligence provision and risk assessment related to technical support could also qualify as managed security services. There could be separate European cybersecurity certification schemes for different managed security services. The European cybersecurity certificates issued in accordance with such schemes should refer to specific managed security services of a specific provider of those services.

(5) Managed security service providers can also play an important role in relation to Union actions supporting response and initial recovery in cases of significant incidents and large-scale cybersecurity incidents, relying on services from trusted private providers and on testing of critical entities for potential vulnerabilities based on Union level coordinated security risk assessments. The certification of managed security services could play a role in the selection of trusted managed security service providers as defined in Regulation (EU) 2025/38 of the European Parliament and of the Council (6).

(6) The certification of managed security services is not only relevant in the selection process for the EU Cybersecurity Reserve established by Regulation (EU) 2025/38 but it is also an essential quality indicator for private and public entities that intend to purchase such services. In light of the criticality of managed security services and the sensitivity of the data processed, certification could provide potential customers with important guidance and assurance about the trustworthiness of those services. European cybersecurity certification schemes for managed security services are intended to contribute to avoiding the fragmentation of the internal market. This Regulation therefore aims to enhance the functioning of the internal market.

(7) European cybersecurity certification schemes for managed security services should lead to the uptake of those services and to increased competition between managed security service providers. Without prejudice to the objective of ensuring sufficient and appropriate levels of relevant technical knowledge and professional integrity of such providers, such certification schemes should, therefore, facilitate market entry and the offering of managed security services by simplifying, to the extent possible, the potential regulatory, administrative and financial burden that providers, in particular small and medium-sized enterprises (SMEs), including microenterprises, could encounter when offering managed security services. Additionally, in order to encourage the uptake of, and stimulate the demand for, managed security services, European cybersecurity certification schemes should contribute to the accessibility thereof, in particular for smaller actors, such as SMEs, including microenterprises, as well as local and regional authorities which have limited capacity and resources, but which are more prone to cybersecurity breaches with financial, legal, reputational, and operational implications.

(8) It is important to provide support to SMEs, including microenterprises, in the implementation of this Regulation and in recruiting the specialised cybersecurity skills and expertise necessary to provide managed security services in accordance with the requirements laid down in this Regulation. The Digital Europe Programme established by Regulation (EU) 2021/694 of the European Parliament and of the Council (7) and other relevant Union programmes provide for the Commission to establish financial and technical support that enables those enterprises to contribute to the growth of the Union’s economy and to strengthen the common level of cybersecurity in the Union, including by streamlining the financial support from the Digital Europe Programme and other relevant Union programmes and by supporting SMEs, including microenterprises.

(9) European cybersecurity certification schemes for managed security services should contribute to the availability of secure and high-quality services which guarantee a safe digital transition and to the achievement of targets set up in the Digital Decade Policy Programme 2030 established by Decision (EU) 2022/2481 of the European Parliament and of the Council (8), in particular with regard to the goal that 75 % of Union undertakings start using cloud computing services, big data or artificial intelligence, that more than 90 % of SMEs, including microenterprises, reach at least a basic level of digital intensity and that key public services are accessible online.

(10) In addition to the deployment of ICT products, ICT services or ICT processes, managed security services often provide additional service features that rely on the competences, expertise and experience of the personnel of the providers of such services. A very high level of those competences, expertise and experience as well as appropriate internal procedures should be part of the security objectives in order to ensure a very high quality of the managed security services provided. In order to ensure that all aspects of managed security services can be covered by dedicated European cybersecurity certification schemes, it is therefore necessary to amend Regulation (EU) 2019/881. The results and recommendations of the evaluation and review provided for in Regulation (EU) 2019/881 should be taken into account.

(11) With a view to facilitating the growth of a reliable internal market, whilst also creating partnerships with like-minded third countries, the certification process established within the European cybersecurity certification framework provided for by Regulation (EU) 2019/881 should be implemented in a manner that facilitates international recognition and alignment with international standards.

(12) The Union is faced with a talent gap, characterised by a shortage of skilled professionals, and a rapidly evolving threat landscape as acknowledged in the Commission communication of 18 April 2023 entitled ‘Closing the cybersecurity talent gap to boost the EU’s competitiveness, growth and resilience (“The Cybersecurity Skills Academy”)’. Educational resources and forms of formal training differ and knowledge can be acquired in various ways: formally, for example through university or courses, or informally, for example through on-the-job training or work experience in the relevant field. Therefore, in order to facilitate the emergence of high-quality managed security services and to have a better overview of the composition of the Union cybersecurity workforce, it is important that cooperation between Member States, the Commission, the European Union Agency for Cybersecurity established by Regulation (EU) 2019/881 (ENISA) and stakeholders, including from the private sector and academia, be strengthened through the development of public-private partnerships, support for research and innovation initiatives, the development and mutual recognition of common standards and the certification of cybersecurity skills, including through the European Cybersecurity Skills Framework. Such cooperation would also facilitate the mobility of cybersecurity professionals within the Union as well as the integration of cybersecurity knowledge and training in education programmes, while ensuring access to apprenticeships and traineeships for young people, including persons living in disadvantaged regions, such as islands, sparsely populated, rural and remote areas. It is important that such cooperation aims to attract more women and girls in the field and contributes towards addressing the gender gap in science, technology, engineering, and mathematics, and that the private sector aim to deliver on-the-job training addressing the most in-demand skills, involving public administration and start-ups, as well as SMEs, including microenterprises. It is also important that providers and Member States collaborate and contribute to the collection of data on the situation and the evolution of the cybersecurity labour market.

(13) ENISA plays an important role in the preparation of candidate European cybersecurity certification schemes. The Commission should assess the necessary budgetary resources for ENISA’s establishment plan, in accordance with the procedure set out in Article 29 of Regulation (EU) 2019/881 when preparing the draft general budget of the Union.

(14) This Regulation provides for targeted amendments to Regulation (EU) 2019/881 to enable the establishment of European cybersecurity certification schemes for managed security services. In doing so, it also specifies and clarifies certain provisions of that Regulation concerning the preparation and functioning of all European cybersecurity certification schemes with a view to ensuring their transparency and openness. The latter amendments, which are limited to specifying or clarifying Regulation (EU) 2019/881, in particular the amendments concerning the information ENISA is to provide when transmitting a candidate scheme, the ad hoc working groups established for each candidate scheme, and information and consultation with regard to European cybersecurity certification schemes, should not in any way prejudice the broader evaluation and review of that Regulation required pursuant to Article 67 of that Regulation, in particular the evaluation of the impact, effectiveness and efficiency of the title of that Regulation relating to the cybersecurity certification framework. The evaluation and review regarding that title should be based on a broad consultation of stakeholders and a full and thorough analysis of the procedures involved.

(15) Since the objective of this Regulation, namely to enable the establishment of European cybersecurity certification schemes for managed security services, cannot be sufficiently achieved by the Member States but can rather, by reason of its scale and effects, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve that objective.

(16) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (9) and delivered an opinion on 10 January 2024,