• Reasons for and objectives of the proposal

This explanatory memorandum accompanies the proposal for a Regulation of the European Parliament and of the Council amending Regulation (EU) 2019/881 [Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act); OJ L 151/15, 7.6.2019.] as regards managed security services.

The proposed targeted amendment aims to enable, by means of Commission implementing acts, the adoption of European cybersecurity certification schemes for 'managed security services', in addition to information and technology (ICT) products, ICT services and ICT processes, which are already covered under the Cybersecurity Act. Managed security services play an increasingly important role in the prevention and mitigation of cybersecurity incidents.

In its conclusions of 23 May 2022 [9364/22.] on the development of the European Union's cyber posture, the Council called upon the Union and its Member States to reinforce efforts to raise the overall level of cybersecurity, for example by facilitating the emergence of trusted cybersecurity service providers, and stressed that encouraging the development of such providers should be a priority for the industrial policy of the Union in the cybersecurity field. It also invited the Commission to propose options to encourage the emergence of a trusted cybersecurity service industry. The certification of managed security services is an effective means of building trust in the quality of those services and thereby facilitating the emergence of a trusted European cybersecurity service industry.