The European Commission has announced that the European Parliament and Council have reached a political agreement on the Cyber Solidarity Act.
Originally proposed by the Commission in April last year, the Cyber Solidarity Act will enhance the EU’s capabilities to detect, prepare and respond to cyberattacks and threats.
The Cyber Solidarity Act will introduce three key actions:
- European Cybersecurity Alert System
- Cybersecurity Emergency Mechanism
- European Cybersecurity Incident Review Mechanism
The new legislation is pivotal for the EU, with current geopolitical events impacting cybersecurity.
Thierry Breton, Commissioner for Internal Market, explained: “The Cyber Solidarity Act is a crucial step to establish a European cyber shield.
“I welcome the agreement reached yesterday evening. Europe will now rely on a European Cybersecurity Alert System to detect cyber threats more quickly and on a European cyber solidarity mechanism to support any Member States attacked, including through a European cyber reserve.
“With the European Cyber Solidarity Act, we are enhancing cyber operational cooperation at the European level. For the security of our citizens.”
European Cybersecurity Alert System
The Cyber Solidarity Act proposes establishing a European Cybersecurity Alert System. This system will comprise a network of National and Cross-border Cyber Hubs, utilising cutting-edge technologies, including artificial intelligence (AI) and advanced data analytics.
The primary objective is to identify cyber threats and incidents promptly. This infrastructure aims to furnish real-time situational awareness to authorities and pertinent entities, empowering them to respond efficiently to such threats and incidents.
Notably, in April 2023, two Member State consortia were established. Their purpose is to collaboratively procure resources and secure grants for the operation and initiation of a pilot phase for these tools and infrastructures as part of the Digital Europe Programme.
Cybersecurity Emergency Mechanism
The Act also establishes a Cybersecurity Emergency Mechanism designed to bolster readiness and response capabilities in the face of substantial and wide-reaching cyber incidents. This mechanism will focus on three primary areas:
- Preparedness actions: Co-ordinating readiness assessments for entities operating in critical sectors, such as healthcare or energy, to identify and address potential vulnerabilities
- Establishment of a new EU Cybersecurity Reserve: Comprising incident response services from trusted providers prepared to intervene upon request from Member States, European Union institutions, bodies, agencies, or associated third countries within the Digital Europe Programme framework in the event of significant or large-scale cybersecurity incidents
- Financial support for mutual assistance: Providing financial assistance to facilitate technical aid from one Member State to another affected by a significant or large-scale cybersecurity incident
European Cybersecurity Incident Review Mechanism
Furthermore, the proposal introduces a European Cybersecurity Incident Review Mechanism. This mechanism is designed to evaluate and analyse significant or large-scale incidents after their occurrence to offer recommendations to enhance the cybersecurity posture of the EU.
The agreement is now subject to formal approval by the European Parliament and Council.
Amendments made to the Cybersecurity Act
The European Parliament and Council have agreed on amending the Cybersecurity Act to allow for European certification schemes for managed security services.
This paves the way for establishing trusted providers within the EU Cybersecurity Reserve under the Cyber Solidarity Act.
Certifying managed security services enhances cybersecurity by promoting trust and transparency in the supply chain, which is crucial for businesses and critical infrastructure operators when procuring cybersecurity services.