Expected impact on other regulations
Cyber Solidarity Act
Managed security services providers will play an important role in the EU-level cybersecurity reserve, as provided by the Cyber Solidarity Act, proposed in parallel to this Regulation (view previous newsletter). The EU-level cybersecurity reserve is to be used to support response and immediate recovery actions in the event of significant and large-scale cybersecurity incidents. The relevant cybersecurity services provided by ‘trusted providers’ referred to in the Cyber Solidarity Act correspond to ‘managed security services’ in this proposal.
NIS 2
The providers of managed security services are considered to be essential or important entities belonging to a sector of high criticality under Directive (EU) 2022/2555 (NIS2).
Recital 86 of that Directive states that managed security service providers, in areas such as incident response, penetration testing, security audits and consultancy, play a particularly important role in assisting entities in their efforts to prevent, detect, respond to or recover from incidents.
Moreover, the Commission may specify which categories of essential and important entities are to be required to use certain certified ICT products, ICT services and ICT processes, or to obtain a certificate under a European cybersecurity certification scheme. Certification schemes for managed security services directly address this NIS 2 provision.
Brief analysis
Definition:
The proposal introduces a definition of those services, inserted into Article 2 of the Cybersecurity Act, which is very closely aligned with the definition of ‘managed security services providers’ under the NIS 2 Directive.
Article 2 (14a) (new): ‘managed security service’ means a service consisting of carrying out, or providing assistance for, activities relating to cybersecurity risk management, including incident response, penetration testing, security audits and consultancy;
Security objectives
New Article 51a on the security objectives of European cybersecurity certification adapted to ‘managed security services’.
‘A European cybersecurity certification scheme for managed security services shall be designed to achieve, as applicable, at least the following security objectives:
(a) ensure that the managed security services are provided with the requisite competence, expertise and experience, including that the staff in charge of providing these services has a very high level of technical knowledge and competence in the specific field, sufficient and appropriate experience, and the highest degree of professional integrity;
(b) ensure that the provider has appropriate internal procedures in place to ensure that the managed security services are provided at a very high level of quality at all times;
(c) protect data accessed, stored, transmitted or otherwise processed in relation to the provision of managed security services against accidental or unauthorised access, storage, disclosure, destruction, other processing, or loss or alteration or lack of availability;
(d) ensure that the availability and access to data, services and functions is restored in a timely manner in the event of a physical or technical incident;
(e) ensure that authorised persons, programs or machines are able only to access the data, services or functions to which their access rights refer;
(f) record, and enable to assess, which data, services or functions have been accessed, used or otherwise processed, at what times and by whom;
(g) ensure that the ICT products, ICT services and ICT processes [and the hardware] deployed in the provision of the managed security services are secure by default and by design, do not contain known vulnerabilities and include the latest security.’