(Ordinary legislative procedure: first reading)

The European Parliament,

–  having regard to the Commission proposal to Parliament and the Council (COM(2023)0208),

–  having regard to Article 294(2) and Article 114 of the Treaty on the Functioning of the European Union, pursuant to which the Commission submitted the proposal to Parliament (C9‑0137/2023),

–  having regard to Article 294(3) of the Treaty on the Functioning of the European Union,

–  having regard to the opinion of the European Economic and Social Committee of 13 July 2023(1),

–  having regard to the provisional agreement approved by the committee responsible under Rule 74(4) of its Rules of Procedure and the undertaking given by the Council representative by letter of 21 March 2024 to approve Parliament’s position, in accordance with Article 294(4) of the Treaty on the Functioning of the European Union,

–  having regard to Rule 59 of its Rules of Procedure,

–  having regard to the letter from the Committee on the Internal Market and Consumer Protection,

–  having regard to the report of the Committee on Industry, Research and Energy (A9-0307/2023),

1.  Adopts its position at first reading hereinafter set out;

2.  Takes note of the statement by the Commission annexed to this resolution, which will be published in the C series of the Official Journal of the European Union;

3.  Calls on the Commission to refer the matter to Parliament again if it replaces, substantially amends or intends to substantially amend its proposal;

4.  Instructs its President to forward its position to the Council, the Commission and the national parliaments.

(1) OJ C 349, 29.9.2023, p. 167.

(As an agreement was reached between Parliament and Council, Parliament's position corresponds to the final legislative act, Regulation (EU) 2025/37.)

Political statement by the Commission on the occasion of the adoption of Regulation (EU) 2025/37 of the European Parliament and of the Council of 19 December 2024 amending Regulation (EU) 2019/881 as regards managed security services(1)

This Regulation amending the Cybersecurity Act adds the possibility to develop European certification cybersecurity schemes for managed security services. At the same time, it is acknowledged that a thorough review of the Cybersecurity Act is of utmost importance, including the assessment of the procedures leading to the preparation, adoption and review of European cybersecurity certification schemes. This review should be based on a deep analysis and broad consultation on the impact, effectiveness and efficiency of the functioning of the European cybersecurity certification framework. The analysis carried out as part of the evaluation established in Article 67 of the Cybersecurity Act should include on-going scheme development activities, such as the one concerning European cybersecurity certification scheme for cloud services (EUCS) as well as those of adopted schemes such as the one concerning the European Common Criteria-based cybersecurity certification scheme (EUCC).

In particular, the review should identify the strengths and weaknesses of the procedures leading to cybersecurity certification schemes and formulate recommendations for future improvements. It should also address aspects relating to stakeholder consultations and transparency of the process.

Accordingly, the Commission, which is responsible for the review of the Cybersecurity Act, shall ensure that the review takes into account as appropriate the necessary elements mentioned in light of Article 67 when presenting the review to the co-legislators.

(1) OJ L, 2025/37, 15.1.2025, ELI: http://data.europa.eu/eli/reg/2025/37/oj.