This Regulation amends Regulation (EU) 2019/881 (Cybersecurity Act) to bring managed security services into the European cybersecurity certification framework. The key aspects are:

The Regulation expands the scope of EU cybersecurity certification to cover managed security services, that is, services provided to third parties that carry out, or assist with, cybersecurity risk management activities, including incident handling, penetration testing, security audits and consulting.

The main provisions include:
- New security objectives specifically for managed security services certification schemes, focusing on staff competence, internal procedures, data protection, and service quality
- Requirements that managed security services must be provided with appropriate expertise, experience and professional integrity
- Three assurance levels (basic, substantial, high) for certification of managed security services based on risk levels
- Rules for conformity assessment, monitoring compliance, and market surveillance of certified managed security services
The Regulation aims to improve cybersecurity in the EU by ensuring managed security services meet high security standards through certification, while avoiding market fragmentation. It establishes clear requirements for service providers and creates a harmonized approach to certification across the EU.