Annexes to COM(2023)208 - Amendment of Regulation (EU) 2019/881 as regards managed security services


ANNEX

The Annex to Regulation (EU) 2019/881 is amended as follows:

(1) points 2 to 5 are replaced by the following:

‘2. A conformity assessment body shall be a third-party body that is independent of the organisation or the ICT products, ICT services, ICT processes or managed security services that it assesses.

3. A body that belongs to a business association or professional federation representing undertakings involved in the design, manufacturing, provision, assembly, use or maintenance of ICT products, ICT services, ICT processes or managed security services which it assesses may be considered to be a conformity assessment body, provided that its independence and the absence of any conflict of interest are demonstrated.

4. The conformity assessment bodies, their top level management and the persons responsible for carrying out the conformity assessment tasks shall not be the designer, manufacturer, supplier, installer, purchaser, owner, user or maintainer of the ICT product, ICT service, ICT process or managed security service which is assessed, or the authorised representative of any of those parties. That prohibition shall not preclude the use of the ICT products assessed that are necessary for the operations of the conformity assessment body or the use of such ICT products for personal purposes.

5. The conformity assessment bodies, their top level management and the persons responsible for carrying out the conformity assessment tasks shall not be directly involved in the design, manufacture or construction, the provision, the marketing, installation, use or maintenance of the ICT products, ICT services, ICT processes or managed security services which are assessed, or represent parties engaged in those activities. The conformity assessment bodies, their top level management and the persons responsible for carrying out the conformity assessment tasks shall not engage in any activity that may conflict with their independence of judgement or integrity in relation to their conformity assessment activities. That prohibition shall apply, in particular, to consultancy services.’;

(2) point 10 is amended as follows:

(a) the introductory wording is replaced by the following:

‘10. At all times and for each conformity assessment procedure and each type, category or sub-category of ICT products, ICT services, ICT processes or managed security services, a conformity assessment body shall have at its disposal the necessary:’;

(b) point (c) is replaced by the following:

‘(c) procedures for the performance of activities which take due account of the size of an undertaking, the sector in which it operates, its structure, the degree of complexity of the technology of the ICT product, ICT service, ICT process or managed security service in question and the mass or serial nature of the production process.’;

(3) points 19 and 20 are replaced by the following:

‘19. Conformity assessment bodies shall meet the requirements of the relevant harmonised standard as defined in Article 2, point (9), of Regulation (EC) No 765/2008 for the accreditation of conformity assessment bodies performing the certification of ICT products, ICT services, ICT processes or managed security services.

20. Conformity assessment bodies shall ensure that testing laboratories used for conformity assessment purposes meet the requirements of the relevant harmonised standard as defined in Article 2, point (9), of Regulation (EC) No 765/2008 for the accreditation of laboratories that perform testing.’.

A statement has been made with regard to this act and can be found in OJ C, C/2025/307, 15.1.2025, ELI: http://data.europa.eu/eli/C/2025/307/oj.



ELI: http://data.europa.eu/eli/reg/2025/37/oj

ISSN 1977-0677 (electronic edition)