European Union: Adopted Council position on amendments to the Cybersecurity Act (EU) 2019/881

On 15 November 2023, the Council of the European Union (EU) adopted its position on the EU Commission's proposal amending the Cybersecurity Act (EU) 2019/881 as regards managed security services. The intended amendments proposed by the EU Commission seek to facilitate the introduction of European cybersecurity certification schemes specifically for managed security services. The amendment is an extension to the existing coverage of the Cybersecurity Act, which already includes certification for information and technology (ICT) products, ICT services, and ICT processes. Under the Council position, the definition of managed security services and alignment with the revised Network Information Systems (NIS 2) directive is clarified, as well as the alignment of the security objectives of these certification schemes with the security objectives of other schemes under the existing Cybersecurity Act. It further advocates for modifications in the annexe to the Cybersecurity Act, specifying requirements for conformity assessment bodies and an introduction of various technical and drafting modifications to ensure that all relevant provisions of the current Cybersecurity Act regulation also apply to managed security services.