Certification for Managed Security Services: EU Takes Next Step to Build Trust in MSS Providers

On 25 June 2025, ENISA published a press release announcing a call for expression of interest to form an Ad-Hoc Working Group tasked with developing the candidate European cybersecurity certification scheme for Managed Security Services (MSS).
This initiative follows a request from the European Commission (Commission) and an amendment to the Cybersecurity Act in February 2025 to extend the certification framework to services such as MSS.

Key details

  • The scheme aims to address fragmentation in how MSS are defined and regulated across EU Member States — standardising requirements, enhancing trust and quality assurance.

  • The first vertical under the forthcoming scheme will focus on the Incident Management Lifecycle — primarily incident response services delivered by MSS providers.

  • The certification effort is also tied to the EU Cybersecurity Reserve (managed by ENISA) — MSS providers may become trusted providers for EU-level incident response readiness.

  • The call for participation (by 20 July 2025) invites experts with experience in cybersecurity certification to help shape the scheme.

Implications for your services & clients

For companies providing compliance, cybersecurity advisory, DPO or data protection services:

  • MSS certification will become a market differentiator: clients will increasingly demand certified MSS providers.

  • Organisations outsourcing security functions should evaluate whether their provider will align with the forthcoming scheme (or has a roadmap to compliance).

  • Data protection (for DPO services) must be integrated into MSS-provider assessments — a certified provider will have to demonstrate governance, data processing controls, incident handling and continuity.

  • For companies in regulated sectors (critical infrastructure, finance, public sector) that might rely on MSS, selecting providers aligned with EU certification will reduce vendor risk and support regulatory compliance.

  • Your advisory offering could include vendor-risk assessments, gap-analysis of providers vs the forthcoming EUMSS scheme, or roadmap services for MSS providers themselves aiming to become certified.

Recommended actions

  • Map your client base: highlight those that outsource security to MSS providers; prepare a vendor-risk checklist incorporating the upcoming certification scheme.

  • For MSS providers (or clients offering MSS), offer a “pre-certification readiness assessment” aligned with the draft EUMSS scheme.

  • Help clients review service contracts: ensure that incident management lifecycle services meet anticipated EU standards (detection, response, recovery).

  • Monitor future developments: track public drafts of the scheme, ENISA guidance, timeline for finalisation — enable timely advisory services.

Source

ENISA, “EU Managed Security Services Certification to drive the cybersecurity market” — official press release, 25 June 2025. enisa.europa.eu