On April 19, 2023, a new proposed regulation, REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL amending Regulation (EU) 2019/881 as regards managed security services, was published in the Official Journal (OJ) of the EU. The new regulation is intended to modify Regulation (EU) 2019/881, the so-called Cybersecurity Act, to implement a new Union-wide certification regime for managed security services, or MSS. MSS would be defined as "a service consisting of carrying out, or providing assistance for, activities relating to cybersecurity risk management, including incident response, penetration testing, security audits and consultancy". The Cybersecurity Act currently "only" covers information and communications technology (ICT) products and services, but not the significant functions of firms providing MSS.
The key objectives of the proposed regulation are thus to create a common consensus about the requirements for MSS, thereby foster trust in MSS, and enable firms and entities to select MSS providers that suit their needs and help them comply with their cybersecurity obligations as stipulated in Directive (EU) 2022/2555, the Network and Information Systems Directive 2.0 (NIS 2).
The key provisions are briefly noted below; for more detailed, comprehensive information, please refer to the enclosed legal document. The proposed regulation would
– set out the key objectives of the new European attestation regime for MSS (the regime ensures that MSS providers have adequate know-how, experience, professional integrity, competence, governance structures, and internal procedures to ensure that their operations, systems, and controls are "secure by default and by design");
– classify MSS in accordance with the risks they may pose (basic, substantial, high) based upon the services they are providing. Additionally, it would stipulate some key requirements as to cybersecurity, systems, and technical documentation reviews depending upon such classification;
– mandate ENISA, the European Union Cyber Security Agency, to develop technical standards and guidelines for the EU certification regime for MSS;
– set out the rules for operating – if at all – a legacy certification regime in EU member states or for adopting a new one, so long as the member state regime does not cover the scope of the proposed new European attestation regime; and
– set out the requirements for EU member states to supervise and enforce the new EU certification regime.