Regulation 2025/37 - Amendment of Regulation (EU) 2019/881 as regards managed security services - Main contents
| Field | Value |
|---|---|
| Official title | Regulation (EU) 2025/37 of the European Parliament and of the Council of 19 December 2024 amending Regulation (EU) 2019/881 as regards managed security services |
| Legal instrument | Regulation |
| Number of legal act | Regulation 2025/37 |
| Original proposal | COM(2023)208 |
| CELEX number | 32025R0037 |

| Date | Event |
|---|---|
| 19-12-2024 | Date of signature |
| 04-02-2025 | Entry into force: date of publication + 20 days (see Art. 2) |
| 31-12-9999 | End of validity (no end date set) |

Official Journal of the European Union, L series, 2025/37, 15.1.2025
REGULATION (EU) 2025/37 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
of 19 December 2024
amending Regulation (EU) 2019/881 as regards managed security services
(Text with EEA relevance)
THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty on the Functioning of the European Union, and in particular Article 114 thereof,
Having regard to the proposal from the European Commission,
After transmission of the draft legislative act to the national parliaments,
Having regard to the opinion of the European Economic and Social Committee (1),
After consulting the Committee of the Regions,
Acting in accordance with the ordinary legislative procedure (2),
Whereas:
(1) Regulation (EU) 2019/881 of the European Parliament and of the Council (3) sets up a framework for the establishment of European cybersecurity certification schemes for the purpose of ensuring an adequate level of cybersecurity for information and communications technology (ICT) products, ICT services and ICT processes in the Union, as well as for the purpose of avoiding the fragmentation of the internal market with regard to cybersecurity certification schemes in the Union.

(2) In order to ensure the Union’s resilience to cyberattacks and to prevent any vulnerabilities in the internal market, this Regulation is intended to complement the horizontal regulatory framework establishing comprehensive cybersecurity requirements for products with digital elements pursuant to Regulation (EU) 2024/2847 of the European Parliament and of the Council (4) by providing for security objectives for managed security services as well as the application and trustworthiness of those services.

(3) Managed security services are provided by managed security service providers as defined in Article 6, point (40), of Directive (EU) 2022/2555 of the European Parliament and of the Council (5). The definition of managed security services in this Regulation should therefore be consistent with that of managed security service providers in Directive (EU) 2022/2555. Those services consist of carrying out, or providing assistance for, activities relating to their customers’ cybersecurity risk management, and have gained increasing importance in the prevention and mitigation of incidents. Accordingly, the providers of those services are considered to be essential or important entities belonging to a sector of high criticality pursuant to Directive (EU) 2022/2555. As stated in recital 86 of that Directive, managed security service providers in areas such as incident response, penetration testing, security audits and consultancy, play a particularly important role in assisting entities in their efforts to prevent, detect, respond to or recover from incidents. However, managed security service providers have also themselves been the target of cyberattacks and pose a particular risk because of their close integration in the operations of their customers. It is therefore important that essential and important entities within the meaning of Directive (EU) 2022/2555 exercise increased diligence in selecting managed security service providers.

(4) The definition of managed security services under this Regulation includes a non-exhaustive list of managed security services that could qualify for European cybersecurity certification schemes, such as incident handling, penetration testing, security audits, and consulting related to technical support. Managed security services could encompass cybersecurity services that support the preparedness for, prevention, detection, analysis and mitigation of, response to, and recovery from incidents. Cyber threat intelligence provision and risk assessment related to technical support could also qualify as managed...
This text has been adopted from EUR-Lex.