Member states agree common position on a targeted amendment to the cybersecurity act
To enhance the EU’s cyber resilience by enabling the future adoption of European certification schemes for ‘managed security services’, member states’ representatives (Coreper) reached a common position on the proposed targeted amendment of the EU’s cybersecurity act (CSA) of 2019.
‘Managed security services’, provided to customers by specialised companies, are crucial for preventing, detecting, responding to and recovering from cybersecurity incidents. They can consist of, for example, incident detection or response, penetration testing or security audits, or consultancy.
Main objectives of the Commission proposal
Submitted together with a proposal for an EU cyber solidarity act to strengthen cybersecurity capacities in the EU, the targeted amendment to the CSA aims to include European cybersecurity certification schemes for ‘managed security services’ in the scope of the 2019 CSA regulation.
This amendment will therefore enable the establishment of European certification schemes for such services. It will help to increase their quality and comparability, foster the emergence of trusted cybersecurity service providers, and avoid fragmentation of the internal market given that some member states have already started the adoption of national certification schemes for managed security services.
The Council’s amendments
The Council’s position contains the following main amendments to the Commission proposal:
- it clarifies the definition of ‘managed security services’ and its alignment with the revised network and information systems (‘NIS 2’) directive
- the text aligns the security objectives of these certification schemes with the security objectives of other schemes under the current cybersecurity act
- the text includes modifications in the annex to the cybersecurity act, which contains a list of requirements to be met by conformity assessment bodies
- a number of technical and drafting modifications have been introduced to make sure that all the relevant provisions of the current CSA regulation apply also to managed security services
Next steps
Today’s agreement on the Council’s common position (“negotiating mandate”) will allow the Spanish presidency to enter into negotiations with the European Parliament (“trilogues”) on the final version of the proposed legislation.
Background
The Cybersecurity Act, adopted in 2019, established the first cybersecurity certification framework for all the member states. The cybersecurity certification is voluntary, unless otherwise specified by Union or member state law.
The Commission’s proposal, adopted on 18 April 2023, aims at a targeted amendment of the scope of the cybersecurity act, which would enable the Commission to adopt implementing acts on European cybersecurity certification schemes for ‘managed security services’, in addition to the information and communication technology (ICT) products, ICT services and ICT processes already covered by the current cybersecurity act.
The proposal introduces a definition of ‘managed security services’, in line with the definition of ‘managed security service providers’ under the ‘NIS 2’ directive. It also adds a new article (art. 51a) on the security objectives of European cybersecurity certification schemes, adapted to the managed security services. Finally, the proposal contains a number of technical amendments to ensure that relevant provisions of the cybersecurity act apply also to managed security services.
The proposal is based on Art. 114 TFEU (internal market) since it aims to avoid fragmentation of the internal market for managed security services by enabling the adoption of European cybersecurity certification schemes for these services.