EU: Council agrees common position on proposed Cybersecurity Act targeted amendment
The Council of the European Union announced, on November 15, 2023, that the Committee of the Permanent Representatives of the Governments of the Member States to the European Union (Coreper) reached a common position on the targeted amendment of Regulation (EU) 2019/881 (Cybersecurity Act) proposed by the European Commission.
In particular, the proposed targeted amendment aims to include European cybersecurity certification schemes for managed security services in the scope of the Cybersecurity Act. The Council explains that 'managed security services', which specialized companies provide to customers, consist of incident detection or response, penetration testing, security audits, or consultancy, among other services.
What changes does the Coreper seek to make to the Commission's proposal?
Compared to the Commission's proposal, the Coreper put forward various changes to the targeted amendments, including:
- a clarified definition of 'managed security services' and the alignment with the Directive on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148 (NIS2 Directive);
- the alignment with the security objectives of other schemes under the Cybersecurity Act; and
- modifications in the annex to the Cybersecurity Act, which contains a list of requirements to be met by conformity assessment bodies.
The agreement on the Council's common position allows the Spanish presidency of the Council to enter into negotiations with the European Parliament on the final version of the proposed targeted amendments.