Cyber solidarity act: member states agree common position
To strengthen the EU's solidarity and capacities to detect, prepare for and respond to cybersecurity threats and incidents, member states' representatives (Coreper) reached a common position on the so-called 'cyber solidarity act'.
The draft regulation establishes EU capabilities to make Europe more resilient and reactive in the face of cyber threats, while strengthening cooperation mechanisms.
Today's agreement is another step to improve cyber resilience in Europe. It will certainly strengthen the EU's and member states' capabilities to prepare for, prevent, respond to, and recover from large-scale cyber threats and attacks in a more efficient and effective manner.
José Luis Escrivá, Spanish minister for digital transformation
Main objectives of the Commission proposal
The Commission proposal mainly aims to:
- support detection and awareness of significant or large-scale cybersecurity threats and incidents
- bolster preparedness and protect critical entities and essential services, such as hospitals and public utilities
- strengthen solidarity at EU level, concerted crisis management and response capabilities across member states
- contribute to ensuring a safe and secure digital landscape for citizens and businesses
To detect major cyber threats quickly and effectively, the draft regulation establishes a 'European cyber shield', a pan-European infrastructure composed of national and cross-border security operations centres (SOCs) across the EU. These entities are in charge of sharing information and are tasked with detecting and acting on cyber threats. They will use state-of-the-art technology, such as artificial intelligence (AI) and advanced data analytics, to detect cyber threats and incidents and share timely warnings across borders. In turn, authorities and relevant entities will be able to respond more efficiently and effectively to major incidents.
The draft regulation also provides for the creation of a cyber emergency mechanism to increase preparedness and enhance incident response capabilities in the EU. It will support:
- preparedness actions, including testing entities in highly critical sectors (healthcare, transport, energy, etc.) for potential vulnerabilities, based on common risk scenarios and methodologies
- a new EU cybersecurity reserve consisting of incident response services from trusted private-sector providers, pre-contracted and therefore ready to intervene, at the request of a member state or of EU institutions, bodies and agencies, in case of a significant or large-scale cybersecurity incident
- mutual assistance in financial terms, where a member state could offer support to another member state
Finally, the proposed regulation establishes a cybersecurity incident review mechanism to enhance EU resilience by reviewing and assessing significant or large-scale cybersecurity incidents after they have taken place, drawing lessons learned and, where appropriate, issuing recommendations to improve the EU's cyber posture. At the request of the Commission or of national authorities, the EU's cybersecurity agency (ENISA) would review certain cybersecurity incidents and deliver a report with lessons learned and recommendations.
The Council's amendments
The Council’s position maintains the general thrust of the Commission proposal but amends the draft regulation in the following aspects:
- it clarifies terminology and adapts the text to member states' specificities, particularly regarding the SOCs and the cyber shield
- in the subject matter and scope, language was improved on the response measures and recovery, as well as on provisions referring to national security
- definitions have been modified and aligned with other legislation, mainly the recently revised directive on network and information systems ('NIS 2')
- the voluntary nature of member states' involvement in the mechanisms established by the Commission proposal was stressed throughout the text and interactions between existing entities and those defined by the draft regulation have been clarified
- the role of the EU agency for cybersecurity (ENISA) has been reinforced and clarified throughout the text
- improvements have been introduced on procurement, funding, information sharing and the incident review mechanism
Next steps
Today's agreement on the Council's common position ('negotiating mandate') will allow the incoming presidency to enter negotiations with the European Parliament ('trilogues') on the final version of the proposed legislation.
Background
On 18 April 2023, the Commission adopted the proposal for a regulation laying down measures to strengthen solidarity and capacities in the EU to detect, prepare for and respond to cybersecurity threats and incidents, the so-called 'cyber solidarity act'.
This legislative proposal has several origins. The EU cybersecurity strategy adopted in December 2020 mentioned the creation of a European cyber shield, reinforcing cyber threat detection and information sharing capabilities in the EU. On 8 and 9 March 2022, ministers of EU member states in charge of telecommunications met informally in Nevers and expressed the wish for the EU to fully prepare to face large-scale cyberattacks. The Council conclusions of May 2022 on the cyber posture highlighted the need to address gaps in response and preparedness to cyberattacks, by calling on the Commission to present a proposal on a new emergency response fund for cybersecurity.
The Commission proposal therefore introduces a 'European cyber shield', composed of security operations centres (SOCs), brought together in several multi-country SOC platforms financed by the digital Europe programme. The total budget for all actions under the EU cyber solidarity act is €1.1 billion, of which about 2/3 will be financed by the EU through the digital Europe programme.