Managed security services

2023/0108(COD)

The Committee on Industry, Research and Energy adopted the report by Josianne CUTAJAR (S&D, MT) on the proposal for a regulation of the European Parliament and of the Council amending Regulation (EU) 2019/881 as regards managed security services.

The committee responsible recommended that the European Parliament's position adopted at first reading under the ordinary legislative procedure should amend the proposal as follows:

Changes to the definition of managed security service

The report stated that managed security services, which are services consisting of carrying out, or providing assistance for, activities relating to their customers’ cybersecurity risk management, including detection, response to or recovery from incidents, have gained increasing importance in the prevention and mitigation of cybersecurity incidents. The activities of the providers of managed security services consist of services relating to prevention, identification, protection, detection, analysis, containment, response and recovery, including, but not limited to, cyber threat intelligence provision, real-time threat monitoring through proactive techniques, including security-by-design, risk assessment, extended detection, remediation and response.

The Union rolling work programme for European cybersecurity certification

According to Members, the Union rolling work programme should include a list of ICT products, ICT services and ICT processes or categories thereof, and managed security services, that are capable of benefiting from being included in the scope of a European cybersecurity certification scheme. In that context, the Commission should include an in-depth assessment of existing training paths to bridge identified skills gaps and a list of proposals for addressing the needs for skilled employees and types of skills.

SMEs

Members considered that the Commission should ensure appropriate financial support in the regulatory framework of existing Union programmes, in particular in order to ease the financial burden on microenterprises and SMEs, including start-ups acting in the field of managed security services.

Evaluation and review

By 28 June 2024, and every three years thereafter, the Commission should assess the impact, effectiveness and efficiency of ENISA and of its working practices, the possible need to modify ENISA’s mandate and the financial implications of any such modification. The evaluation should assess: (i) the efficiency and effectiveness of the procedures leading to consultation, preparation and adoption of European cybersecurity certification schemes, as well as ways to improve and accelerate those procedures; (ii) whether essential cybersecurity requirements for access to the internal market are necessary in order to prevent ICT products, ICT services, ICT processes and managed security services which do not meet basic cybersecurity requirements from entering the Union market.