Following the request of the European Commission for the development of a candidate certification scheme for Managed Security Services, the EU Agency for Cybersecurity (ENISA) launches a call for expression of interest to participate in the relevant Ad Hoc Working Group.
Managed Security Services (MSS) are of increasing interest as means to support the enhancement of the cybersecurity level across all sectors and infrastructures, whether public or private, small or large, commercial or critical. Rapid developments and the complexity of the evolving cyber threat landscape lead all kinds of entities to outsource a considerable part of their security functions to Managed Security Service Providers (MSSP) to effectively safeguard their operations. This makes MSSP essential for the cybersecurity of organisations but also renders them prime targets of cyberattacks.
The EU Agency for Cybersecurity (ENISA) Executive Director, Juhan Lepassaar, highlighted: “It is of utmost importance that the Agency, with assistance of trusted managed services providers, can support Member States to prepare as well as respond to an incident. Certifying Managed Security Services is essential to ensure a certain level of quality and security of services offered in the Single Market. Taking this step will not only foster confidence and trust within the Union but it can also significantly facilitate the selection of trusted providers for the EU Cybersecurity Reserve.”
Developing the EUMSS Certification Scheme
Their expanding relevance for the Single Market is reflected in the dedicated amendment to the Cybersecurity Act, regarding their definition and the development of a candidate certification scheme, which entered into force in February 2025. This strategic step is part of the EU’s efforts to prioritise cybersecurity and advance prevention, detection, response, and recovery from cybersecurity incidents with the development of trusted services based on a common approach.
ENISA received a request from the European Commission at the end of April 2025 to prepare a candidate European cybersecurity certification scheme on MSS. The development will address current diversity and fragmentation in the approach and requirements that apply to the delivery of MSS in EU Member States. Additionally, it will further support and align with provisions of the cybersecurity legislation through complementing existing technical, operational and organisation obligations for MSS security.
ENISA welcomes the Commission’s request, as the certification of such services is a significant advancement in effectively ensuring quality and building trust towards digital products and services within the Union. The request recognised the feasibility study’s valuable input towards the establishment of a comprehensive and adaptable certification scheme.
At its core, the EUMSS certification scheme should address the delivery of MSS through a comprehensive yet flexible model that will set out service-oriented requirements. Structure-wise, it should be eventually comprised of two-dimension layers: one horizontal layer including minimum requirements for all MSS and various vertical layers that group specific technical requirements tailored for the different type of MSS. Under the Cybersecurity Solidarity Act, for the EU Cybersecurity Reserve, providers will be expected to certify their services in two years’ time, after the scheme is in place.
The first vertical under the forthcoming MSS certification scheme will focus on Incident Management Lifecycle, which comprises several distinct service components. Work will begin with the Incident Response Service Profile, with additional profiles such as detection and recovery to follow.
Call for participation to the dedicated Ad Hoc Working Group
ENISA will establish an Ad Hoc Working Group (AHWG) to support the preparation of the candidate EUMSS certification scheme. The Agency is inviting experts with extensive knowledge and experience in the areas of cybersecurity certification. Members will be expected to actively participate in meetings and contribute throughout all phases leading to the development of the candidate scheme.
The call for expression of interest will remain open until 20/07/2025, by 23.59 EET (Athens time).
Click here, to download the Terms of Reference.
You may apply using the following link: EUSurvey - Survey
Managed Security Services Market Analysis
To gain a better insight on the current MSS Market and deliver market-related data in support of the legislation, ENISA has produced a preliminary MSS Market Analysis to assess its characteristics from both the demand and supply side.
The MSS Market Analysis identifies MSS usage patterns, compliance and skills certification, threats, requirements, incidents and challenges relating to MSS, along with MSS market and research trends.
Contact
For press questions and interviews, please contact: [email protected].
Content written for: National / EU authorities | Private Sector
