This document is an excerpt from the EUR-Lex website
Document 32025R0037
Regulation (EU) 2025/37 of the European Parliament and of the Council of 19 December 2024 amending Regulation (EU) 2019/881 as regards managed security services (Text with EEA relevance)
PE/93/2024/REV/1
OJ L, 2025/37, 15.1.2025, ELI: http://data.europa.eu/eli/reg/2025/37/oj (BG, ES, CS, DA, DE, ET, EL, EN, FR, GA, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)
In force
Official Journal of the European Union, EN, L series, 2025/37, 15.1.2025
REGULATION (EU) 2025/37 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
of 19 December 2024
amending Regulation (EU) 2019/881 as regards managed security services
(Text with EEA relevance)
THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty on the Functioning of the European Union, and in particular Article 114 thereof,
Having regard to the proposal from the European Commission,
After transmission of the draft legislative act to the national parliaments,
Having regard to the opinion of the European Economic and Social Committee (1),
After consulting the Committee of the Regions,
Acting in accordance with the ordinary legislative procedure (2),
Whereas:
(1) Regulation (EU) 2019/881 of the European Parliament and of the Council (3) sets up a framework for the establishment of European cybersecurity certification schemes for the purpose of ensuring an adequate level of cybersecurity for information and communications technology (ICT) products, ICT services and ICT processes in the Union, as well as for the purpose of avoiding the fragmentation of the internal market with regard to cybersecurity certification schemes in the Union.
(2) In order to ensure the Union’s resilience to cyberattacks and to prevent any vulnerabilities in the internal market, this Regulation is intended to complement the horizontal regulatory framework establishing comprehensive cybersecurity requirements for products with digital elements pursuant to Regulation (EU) 2024/2847 of the European Parliament and of the Council (4) by providing for security objectives for managed security services as well as the application and trustworthiness of those services.
(3) Managed security services are provided by managed security service providers as defined in Article 6, point (40), of Directive (EU) 2022/2555 of the European Parliament and of the Council (5). The definition of managed security services in this Regulation should therefore be consistent with that of managed security service providers in Directive (EU) 2022/2555. Those services consist of carrying out, or providing assistance for, activities relating to their customers’ cybersecurity risk management, and have gained increasing importance in the prevention and mitigation of incidents. Accordingly, the providers of those services are considered to be essential or important entities belonging to a sector of high criticality pursuant to Directive (EU) 2022/2555. As stated in recital 86 of that Directive, managed security service providers in areas such as incident response, penetration testing, security audits and consultancy, play a particularly important role in assisting entities in their efforts to prevent, detect, respond to or recover from incidents. However, managed security service providers have also themselves been the target of cyberattacks and pose a particular risk because of their close integration in the operations of their customers. It is therefore important that essential and important entities within the meaning of Directive (EU) 2022/2555 exercise increased diligence in selecting managed security service providers.
(4) The definition of managed security services under this Regulation includes a non-exhaustive list of managed security services that could qualify for European cybersecurity certification schemes, such as incident handling, penetration testing, security audits, and consulting related to technical support. Managed security services could encompass cybersecurity services that support the preparedness for, prevention, detection, analysis and mitigation of, response to, and recovery from incidents. Cyber threat intelligence provision and risk assessment related to technical support could also qualify as managed security services. There could be separate European cybersecurity certification schemes for different managed security services. The European cybersecurity certificates issued in accordance with such schemes should refer to specific managed security services of a specific provider of those services.
(5) Managed security service providers can also play an important role in relation to Union actions supporting response and initial recovery in cases of significant incidents and large-scale cybersecurity incidents, relying on services from trusted private providers and on testing of critical entities for potential vulnerabilities based on Union level coordinated security risk assessments. The certification of managed security services could play a role in the selection of trusted managed security service providers as defined in Regulation (EU) 2025/38 of the European Parliament and of the Council (6).
(6) The certification of managed security services is not only relevant in the selection process for the EU Cybersecurity Reserve established by Regulation (EU) 2025/38 but it is also an essential quality indicator for private and public entities that intend to purchase such services. In light of the criticality of managed security services and the sensitivity of the data processed, certification could provide potential customers with important guidance and assurance about the trustworthiness of those services. European cybersecurity certification schemes for managed security services are intended to contribute to avoiding the fragmentation of the internal market. This Regulation therefore aims to enhance the functioning of the internal market.
(7) European cybersecurity certification schemes for managed security services should lead to the uptake of those services and to increased competition between managed security service providers. Without prejudice to the objective of ensuring sufficient and appropriate levels of relevant technical knowledge and professional integrity of such providers, such certification schemes should, therefore, facilitate market entry and the offering of managed security services by simplifying, to the extent possible, the potential regulatory, administrative and financial burden that providers, in particular small and medium-sized enterprises (SMEs), including microenterprises, could encounter when offering managed security services. Additionally, in order to encourage the uptake of, and stimulate the demand for, managed security services, European cybersecurity certification schemes should contribute to the accessibility thereof, in particular for smaller actors, such as SMEs, including microenterprises, as well as local and regional authorities which have limited capacity and resources, but which are more prone to cybersecurity breaches with financial, legal, reputational, and operational implications.
(8) It is important to provide support to SMEs, including microenterprises, in the implementation of this Regulation and in recruiting the specialised cybersecurity skills and expertise necessary to provide managed security services in accordance with the requirements laid down in this Regulation. The Digital Europe Programme established by Regulation (EU) 2021/694 of the European Parliament and of the Council (7) and other relevant Union programmes provide for the Commission to establish financial and technical support that enables those enterprises to contribute to the growth of the Union’s economy and to strengthen the common level of cybersecurity in the Union, including by streamlining the financial support from the Digital Europe Programme and other relevant Union programmes and by supporting SMEs, including microenterprises.
(9) European cybersecurity certification schemes for managed security services should contribute to the availability of secure and high-quality services which guarantee a safe digital transition and to the achievement of targets set up in the Digital Decade Policy Programme 2030 established by Decision (EU) 2022/2481 of the European Parliament and of the Council (8), in particular with regard to the goal that 75 % of Union undertakings start using cloud computing services, big data or artificial intelligence, that more than 90 % of SMEs, including microenterprises, reach at least a basic level of digital intensity and that key public services are accessible online.
(10) In addition to the deployment of ICT products, ICT services or ICT processes, managed security services often provide additional service features that rely on the competences, expertise and experience of the personnel of the providers of such services. A very high level of those competences, expertise and experience as well as appropriate internal procedures should be part of the security objectives in order to ensure a very high quality of the managed security services provided. In order to ensure that all aspects of managed security services can be covered by dedicated European cybersecurity certification schemes, it is therefore necessary to amend Regulation (EU) 2019/881. The results and recommendations of the evaluation and review provided for in Regulation (EU) 2019/881 should be taken into account.
(11) With a view to facilitating the growth of a reliable internal market, whilst also creating partnerships with like-minded third countries, the certification process established within the European cybersecurity certification framework provided for by Regulation (EU) 2019/881 should be implemented in a manner that facilitates international recognition and alignment with international standards.
(12) The Union is faced with a talent gap, characterised by a shortage of skilled professionals, and a rapidly evolving threat landscape as acknowledged in the Commission communication of 18 April 2023 entitled ‘Closing the cybersecurity talent gap to boost the EU’s competitiveness, growth and resilience (“The Cybersecurity Skills Academy”)’. Educational resources and forms of formal training differ and knowledge can be acquired in various ways: formally, for example through university or courses, or informally, for example through on-the-job training or work experience in the relevant field. Therefore, in order to facilitate the emergence of high-quality managed security services and to have a better overview of the composition of the Union cybersecurity workforce, it is important that cooperation between Member States, the Commission, the European Union Agency for Cybersecurity established by Regulation (EU) 2019/881 (ENISA) and stakeholders, including from the private sector and academia, be strengthened through the development of public-private partnerships, support for research and innovation initiatives, the development and mutual recognition of common standards and the certification of cybersecurity skills, including through the European Cybersecurity Skills Framework. Such cooperation would also facilitate the mobility of cybersecurity professionals within the Union as well as the integration of cybersecurity knowledge and training in education programmes, while ensuring access to apprenticeships and traineeships for young people, including persons living in disadvantaged regions, such as islands, sparsely populated, rural and remote areas. It is important that such cooperation aims to attract more women and girls in the field and contributes towards addressing the gender gap in science, technology, engineering, and mathematics, and that the private sector aim to deliver on-the-job training addressing the most in-demand skills, involving public administration and start-ups, as well as SMEs, including microenterprises. It is also important that providers and Member States collaborate and contribute to the collection of data on the situation and the evolution of the cybersecurity labour market.
(13) ENISA plays an important role in the preparation of candidate European cybersecurity certification schemes. The Commission should assess the necessary budgetary resources for ENISA’s establishment plan, in accordance with the procedure set out in Article 29 of Regulation (EU) 2019/881 when preparing the draft general budget of the Union.
(14) This Regulation provides for targeted amendments to Regulation (EU) 2019/881 to enable the establishment of European cybersecurity certification schemes for managed security services. In doing so, it also specifies and clarifies certain provisions of that Regulation concerning the preparation and functioning of all European cybersecurity certification schemes with a view to ensuring their transparency and openness. The latter amendments, which are limited to specifying or clarifying Regulation (EU) 2019/881, in particular the amendments concerning the information ENISA is to provide when transmitting a candidate scheme, the ad hoc working groups established for each candidate scheme, and information and consultation with regard to European cybersecurity certification schemes, should not in any way prejudice the broader evaluation and review of that Regulation required pursuant to Article 67 of that Regulation, in particular the evaluation of the impact, effectiveness and efficiency of the title of that Regulation relating to the cybersecurity certification framework. The evaluation and review regarding that title should be based on a broad consultation of stakeholders and a full and thorough analysis of the procedures involved.
(15) Since the objective of this Regulation, namely to enable the establishment of European cybersecurity certification schemes for managed security services, cannot be sufficiently achieved by the Member States but can rather, by reason of its scale and effects, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve that objective.
(16) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (9) and delivered an opinion on 10 January 2024,
HAVE ADOPTED THIS REGULATION:
Article 1
Amendments to Regulation (EU) 2019/881
Regulation (EU) 2019/881 is amended as follows:
(1) in Article 1(1), first subparagraph, point (b) is replaced by the following:
(2) Article 2 is amended as follows:
(3) in Article 4, paragraph 6 is replaced by the following:
‘6. ENISA shall promote the use of European cybersecurity certification with a view to avoiding the fragmentation of the internal market. ENISA shall contribute to the establishment and maintenance of a European cybersecurity certification framework in accordance with Title III of this Regulation with a view to increasing the transparency of the cybersecurity of ICT products, ICT services, ICT processes and managed security services, thereby strengthening trust in the digital internal market and its competitiveness.’
(4) Article 8 is amended as follows:
(5) Article 46 is replaced by the following:
‘Article 46
European cybersecurity certification framework
1. The European cybersecurity certification framework shall be established in order to improve the conditions for the functioning of the internal market by increasing the level of cybersecurity within the Union and enabling a harmonised approach at Union level to European cybersecurity certification schemes, with a view to creating a digital single market for ICT products, ICT services, ICT processes and managed security services.
2. The European cybersecurity certification framework shall provide for a mechanism to establish European cybersecurity certification schemes and to attest that the ICT products, ICT services and ICT processes that have been evaluated in accordance with such schemes comply with specified security requirements for the purpose of protecting the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the functions or services offered by, or accessible via, those products, services and processes throughout their life cycle. In addition, it shall attest that managed security services that have been evaluated in accordance with such schemes comply with specified security requirements for the purpose of protecting the availability, authenticity, integrity and confidentiality of data which are accessed, processed, stored or transmitted in relation to the provision of those services, and that those services are provided continuously with the requisite competence, expertise and experience by staff with a sufficient and appropriate level of relevant technical knowledge and professional integrity.’
(6) Article 47 is amended as follows:
(7) Article 49 is amended as follows:
(8) the following article is inserted:
‘Article 49a
Information and consultation on the European cybersecurity certification schemes
1. The Commission shall make the information on its request to ENISA to prepare a candidate scheme or to review an existing European cybersecurity certification scheme as referred to in Article 48 publicly available.
2. During the preparation of a candidate scheme by ENISA pursuant to Article 49, the European Parliament, the Council or both may request the Commission, in its capacity as chair of the ECCG, and ENISA to present relevant information on a draft candidate scheme on a quarterly basis. Upon the request of the European Parliament or the Council, ENISA, in agreement with the Commission and without prejudice to Article 27, may make available to the European Parliament and to the Council relevant parts of a draft candidate scheme in a manner appropriate to the confidentiality level required, and where appropriate in a restricted manner.
3. In order to enhance the dialogue between the Union institutions and to contribute to a formal, open, transparent and inclusive consultation process, the European Parliament, the Council or both may invite the Commission and ENISA to discuss matters concerning the functioning of European cybersecurity certification schemes for ICT products, ICT services, ICT processes or managed security services.
4. The Commission shall take into account, where appropriate, elements arising from the views expressed by the European Parliament and by the Council on the matters referred to in paragraph 3 of this Article when evaluating this Regulation pursuant to Article 67.’
(9) Article 51 is amended as follows:
(10) the following article is inserted:
‘Article 51a
Security objectives of European cybersecurity certification schemes for managed security services
A European cybersecurity certification scheme for managed security services shall be designed to achieve, as applicable, at least the following security objectives:
(11) Article 52 is amended as follows:
(12) in Article 53, paragraphs 1, 2 and 3 are replaced by the following:
‘1. A European cybersecurity certification scheme may allow for the conformity self-assessment under the sole responsibility of the manufacturer or provider of ICT products, ICT services, ICT processes or managed security services. Conformity self-assessment shall be permitted only in relation to ICT products, ICT services, ICT processes or managed security services that present a low risk corresponding to assurance level “basic”.
2. The manufacturer or provider of ICT products, ICT services, ICT processes or managed security services may issue an EU statement of conformity stating that the fulfilment of the requirements set out in the scheme has been demonstrated. By issuing such a statement, the manufacturer or provider of ICT products, ICT services, ICT processes or managed security services shall assume responsibility for the compliance of the ICT product, ICT service, ICT process or managed security service with the requirements set out in that scheme.
3. The manufacturer or provider of ICT products, ICT services, ICT processes or managed security services shall make the EU statement of conformity, technical documentation, and all other relevant information relating to the conformity of the ICT products, ICT services, ICT processes or managed security services with the scheme available to the national cybersecurity certification authority designated pursuant to Article 58 for the period provided for in the corresponding European cybersecurity certification scheme. A copy of the EU statement of conformity shall be submitted to the national cybersecurity certification authority and to ENISA.’
(13) in Article 54, paragraph 1 is amended as follows:
(14) Article 56 is amended as follows:
(15) in Article 57, paragraphs 1 and 2 are replaced by the following:
‘1. Without prejudice to paragraph 3 of this Article, national cybersecurity certification schemes, and the related procedures for the ICT products, ICT services, ICT processes and managed security services that are covered by a European cybersecurity certification scheme shall cease to produce effects from the date established in the implementing act adopted pursuant to Article 49(7). National cybersecurity certification schemes and the related procedures for the ICT products, ICT services, ICT processes and managed security services that are not covered by a European cybersecurity certification scheme shall continue to exist.
2. Member States shall not introduce new national cybersecurity certification schemes for ICT products, ICT services, ICT processes and managed security services already covered by a European cybersecurity certification scheme that is in force.’
(16) Article 58 is amended as follows:
(17) in Article 59(3), points (b) and (c) are replaced by the following:
(18) in Article 67, paragraphs 2 and 3 are replaced by the following:
‘2. The evaluation shall also assess the impact, effectiveness and efficiency of the provisions of Title III of this Regulation, including the procedures leading to the adoption of European cybersecurity certification schemes and their evidence bases, with regard to the objectives of ensuring an adequate level of cybersecurity of ICT products, ICT services, ICT processes and managed security services in the Union and improving the functioning of the internal market.
3. The evaluation shall assess whether essential cybersecurity requirements for access to the internal market are necessary in order to prevent ICT products, ICT services, ICT processes and managed security services which do not meet basic cybersecurity requirements from entering the internal market.’
(19) the Annex is amended in accordance with the Annex to this Regulation.
Article 2
This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
This Regulation shall be binding in its entirety and directly applicable in all Member States.
Done at Brussels, 19 December 2024.
For the European Parliament
The President
R. METSOLA
For the Council
The President
BÓKA J.
(1) OJ C 349, 29.9.2023, p. 167.
(2) Position of the European Parliament of 24 April 2024 (not yet published in the Official Journal) and decision of the Council of 2 December 2024.
(3) Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (OJ L 151, 7.6.2019, p. 15).
(4) Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act) (OJ L, 2024/2847, 20.11.2024, ELI: http://data.europa.eu/eli/reg/2024/2847/oj).
(5) Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (OJ L 333, 27.12.2022, p. 80).
(6) Regulation (EU) 2025/38 of the European Parliament and of the Council of 19 December 2024 laying down measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cyber threats and incidents and amending Regulation (EU) 2021/694 (Cyber Solidarity Act) (OJ L, 2025/38, 15.1.2025, ELI: http://data.europa.eu/eli/reg/2025/38/oj).
(7) Regulation (EU) 2021/694 of the European Parliament and of the Council of 29 April 2021 establishing the Digital Europe Programme and repealing Decision (EU) 2015/2240 (OJ L 166, 11.5.2021, p. 1).
(8) Decision (EU) 2022/2481 of the European Parliament and of the Council of 14 December 2022 establishing the Digital Decade Policy Programme 2030 (OJ L 323, 19.12.2022, p. 4).
(9) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).
ANNEX
The Annex to Regulation (EU) 2019/881 is amended as follows:
(1) points 2 to 5 are replaced by the following:
(2) point 10 is amended as follows:
(3) points 19 and 20 are replaced by the following:
A statement has been made with regard to this act and can be found in OJ C, C/2025/307, 15.1.2025, ELI: http://data.europa.eu/eli/C/2025/307/oj.
ISSN 1977-0677 (electronic edition)