Track MEPs, predict votes and get daily alerts with WMM Pro →

Regulation · CELEX 32025R0037 · Procedure completed

Regulation (EU) 2025/37

Regulation 32025R0037, what it is, who leads it, and the official record behind it. Built only from official EU sources.

CELEX
32025R0037
Type
Regulation
Dated
2024-12-19
Procedure
2023/0108(COD)
Lead committee
ITRE
Stage
Procedure completed

Regulation (EU) 2025/37 is Regulation 32025R0037 dated 2024-12-19; its official text is on EUR-Lex. Source: EUR-Lex and the European Parliament procedure file.

What it is

PURPOSE: to create European cybersecurity certification schemes for managed security services. PROPOSED ACT: Regulation of the European Parliament and of the Council. ROLE OF THE EUROPEAN PARLIAMENT: the European Parliament decides in accordance with the ordinary legislative procedure and on an equal footing with the Council. BACKGROUND: Regulation (EU) 2019/881 of the European Parliament and of the Council on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification sets up a framework for the establishment of European cybersecurity certification schemes for the purpose of ensuring an adequate level of cybersecurity for ICT products, ICT services and ICT processes in the Union, as well as for the purpose of avoiding the fragmentation of the internal market with regard to cybersecurity certification schemes in the Union. The Committee on Industry, Research and Energy adopted the report by Josianne CUTAJAR (S&D, MT) on the proposal for a regulation of the European Parliament and of the Council amending Regulation (EU) 2019/881 as regards managed security services. The committee responsible recommended that the European Parliament's position adopted at first reading under the ordinary legislative procedure should amend the proposal as follows: The report stated that managed security services, which are services consisting of carrying out, or providing assistance for, activities relating to their customers’ cybersecurity risk management, including detection, response to or recovery from incidents, have gained increasing importance in the prevention and mitigation of cybersecurity incidents. The activities of the providers of managed security services consist of services relating to prevention, identification, protection, detection, analysis, containment, response and recovery, including, but not limited to, cyber threat intelligence provision, real time threat monitoring through proactive techniques, including security-by-design, risk assessment, extended detection, remediation and response. The Union rolling work programme for European cybersecurity certification According to Members, the Union rolling work programme should include a list of ICT products, ICT services and ICT processes or categories thereof, and managed security services, that are capable of benefiting from being included in the scope of a European cybersecurity certification scheme. In that context, the Commission should include an in-depth assessment of existing training paths to bridge identified skills gaps and a list of proposals for addressing the needs for skilled employees and types of skills. Members considered that the Commission should ensure appropriate financial support in the regulatory framework of existing Union programmes, in particular in order to ease the financial burden on microenterprises and SMEs, including start-ups acting in the field of managed security services. By 28 June 2024, and every three years thereafter, the Commission should assess the impact, effectiveness and efficiency of ENISA and of its working practices, the possible need to modify ENISA’s mandate and the financial…

Official title: Regulation (EU) 2025/37 of the European Parliament and of the Council of 19 December 2024 amending Regulation (EU) 2019/881 as regards managed security services (Text with EEA relevance)

Following EU files for work? Track the MEPs who steer them, vote predictions, alerts and conflicts in your portfolio.

Upgrade to WMM Pro →

Frequently asked

What is 32025R0037?

Regulation (EU) 2025/37, Regulation 32025R0037, dated 2024-12-19. The full official text is on EUR-Lex.

What does 32025R0037 do?

PURPOSE: to create European cybersecurity certification schemes for managed security services. PROPOSED ACT: Regulation of the European Parliament and of the Council. ROLE OF THE EUROPEAN PARLIAMENT: the European Parliament decides in accordance with the ordinary legislative procedure and on an equal footing with the Council. BACKGROUND: Regulation (EU) 2019/881 of the European Parliament and of the Council on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification sets up a framework for the establishment of European cyb

Which committee leads 32025R0037?

The lead European Parliament committee is ITRE.

Primary sources

Summary extracted from the European Parliament's own per-stage procedure record. Data © European Union (Decision 2011/833/EU).

Explore on WheresMyMEP