Council adopts new laws to strengthen cybersecurity capacities in the EU

To strengthen the EU’s solidarity and capacities to detect, prepare for and respond to cybersecurity threats and incidents, today the Council adopted two new laws that are part of the cybersecurity legislative ‘package’, namely the so-called ‘cyber solidarity act’ and a targeted amendment to the cybersecurity

Main elements of the cyber solidarity act

The new law establishes EU capabilities to make Europe more resilient to cyber threats, while strengthening cooperation mechanisms. It establishes, inter alia, a ‘cyber security alert system’, a pan-European infrastructure composed of national and cross-border cyber hubs across the EU. These are entities in charge of sharing information and tasked with detecting and acting on cyber threats. The cyber hubs will use state-of-the-art technology, such as artificial intelligence (AI) and advanced data analytics, to detect cyber threats and incidents and share timely warnings across borders. They will strengthen the existing European framework and, in turn, authorities and relevant entities will be able to respond more efficiently and effectively to cybersecurity incidents.

The new regulation also provides for the creation of a cybersecurity emergency mechanism to increase preparedness and enhance incident response capabilities in the EU. It will support:

  • preparedness actions, including testing entities in highly critical sectors (healthcare, transport, energy, etc.) for potential vulnerabilities, based on common risk scenarios and methodologies
  • a new EU cybersecurity reserve consisting of incident response services from the private sector ready to intervene at the request of a member state or EU institutions, bodies, and agencies, as well as associated third countries, in case of a significant or large-scale cybersecurity incident
  • technical mutual assistance

Finally, the new law establishes an incident review mechanism to assess, among other things, the effectiveness of the actions under the cyber emergency mechanism and the use of the cybersecurity reserve, as well as the contribution of this regulation to strengthening the competitive position of the industry and service sectors.

The targeted amendment to the cybersecurity act of 2019

This targeted amendment aims to enhance the EU’s cyber resilience by enabling the future adoption of European certification schemes for so-called ‘managed security services’. The new law recognises the increasing importance of managed security services in the prevention and detection of, response to, and recovery from cybersecurity incidents. These services can consist of, for example, incident handling, penetration testing, security audits, and consulting related to technical support.

Pending the results of the evaluation of the CSA, this targeted amendment will enable the establishment of European certification schemes for these managed security services. It will help to increase their quality and comparability, foster the emergence of trusted cybersecurity service providers, and avoid fragmentation of the internal market, given that some member states have already started adopting national certification schemes for managed security services.

Next steps

Following their signature by the presidents of the Council and of the European Parliament, both legislative acts will be published in the Official Journal of the EU in the coming weeks and will enter into force 20 days after publication.

Background

On 18 April 2023, the Commission adopted the proposal for a regulation laying down measures to strengthen solidarity and capacities in the EU to detect, prepare for and respond to cybersecurity threats and incidents, the so-called ‘Cyber solidarity act’, together with a proposal for a targeted amendment to the cybersecurity act (CSA). The CSA, adopted in 2019, established the first cybersecurity certification framework for all the member states.

The first Commission proposal introduces a ‘European cyber shield’, composed of security operations centres (SOCs) brought together in several multi-country SOC platforms financed by the Digital Europe programme. The second proposal aims at a targeted amendment of the scope of the CSA, enabling the Commission to adopt implementing acts on European cybersecurity certification schemes for managed security services, in addition to the information and communication technology (ICT) products, ICT services and ICT processes already covered by the current CSA. On 6 March 2024, the co-legislators reached a provisional agreement on both proposals, altering the notions of the ‘European cyber shield’ and ‘SOCs’ compared to the initial Commission proposal.