5 March 2024 – the Council presidency and European Parliament’s negotiators reached a provisional agreement on a targeted amendment to the Cybersecurity Act.
18 April 2023 – the Commission proposed a targeted amendment to the EU Cybersecurity Act to enable the adoption of European certification schemes for ‘managed security services’.
27 June 2019 – the EU Cybersecurity Act became effective. Some provisions of the EU Cybersecurity Act entered into force on 28 June 2021
In June 2019, the EU adopted Regulation (EU) 2019/881 (“EU Cybersecurity Act”) which both strengthened the ENISA mandate and established an EU-wide cybersecurity certification framework for ICT products, services and processes.
This framework provides a system to regulate the issue of European cybersecurity certificates and statements of conformity to security standards for ICT products, services, and processes.
The targeted amendment proposed in April 2023 aims to enable, by means of Commission implementing acts, the adoption of European cybersecurity certification schemes for ‘managed security services’, in addition to ICT products, services and processes, which are already covered under the Cybersecurity Act. Managed security service providers (i.e., managed service providers that carry out or provide assistance for activities relating to cybersecurity risk management) play an increasingly important role in the prevention and mitigation of cybersecurity incidents. This proposal aims to improve the quality of managed security services and to increase their comparability.
The Cybersecurity Act provides an opportunity for businesses supplying digital products, services and processes as well as providing managed security services to market them certified as meeting EU cybersecurity standards. While certification will be voluntary, at least initially, the European Commission will keep under consideration whether to make it mandatory.
Businesses should evaluate the potential benefits from certification of their products.
As regards the targeted amendment, following the provisional agreement reached in March 2024, the text will have to be endorsed by the Council and the European Parliament in view of their formal adoption. Once approved, the draft legislative act will be submitted to a legal/linguistic review before being formally adopted by the co-legislators, published in the EU’s Official Journal, and entering into force 20 days after this publication.