On 18 April 2023, the European Commission adopted a Proposal for a Regulation laying down measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cybersecurity threats and incidents (Proposal for an EU Cyber Solidarity Act) along with a Commission Communication setting up a Cybersecurity Skills Academy. The EU Cyber Solidarity Act is the Commission’s response to the Member States’ call to strengthen resilience and cybersecurity capacities.
The actions proposed under the Cyber Solidarity Act cover situational awareness, information sharing, as well as support for preparedness and response to cyber incidents.
In light of an increased threat landscape, hostile cyber operations and the threat of large-scale incidents, the proposed act aims at strengthening the cybersecurity capacities in the EU by supporting the detection and awareness of cybersecurity threats and incidents, while also bolstering the preparedness of critical entities. Further, the act seeks to reinforce solidarity, concerted crisis management and response capabilities across Member States.
In a Nutshell: Objectives and Actions
Similar to the Proposal for the NIS 2 Directive, the Commission stresses the importance of information exchange about threats and incidents, noting that although many cybersecurity threats and incidents have a cross-border dimension, information exchange among Member States remains limited. To address this limited information exchange, the Act foresees building a network of cross-border Security Operations Centres (SOCs) to enhance detection and response capabilities. To address the limited support at Union level and solidarity between Member States, the Act will implement a European Cyber Shield as a pan-European infrastructure composed of these national and cross-border SOCs across the EU. The creation of a European Cyber Shield had already been announced in the EU Cybersecurity Strategy of December 2020, while the Joint Cyber Defence Communication of November 2022 also addressed the commitment to an EU Cyber Solidarity Initiative.
Chapter I of the Act sets out the general objectives, the subject matter, definitions and the actions through which the objectives will be achieved.
The main actions under the Cyber Solidarity Act are:
- Deployment of a European Cyber Shield (see Chapter II of the Act)
  - to build and enhance common detection and situational awareness capabilities
  - consisting of national SOCs and cross-border SOCs
  - Overall objective: to develop advanced capabilities for the EU to detect, analyse and process data on cyber threats and incidents in the EU
- Creation of a Cyber Emergency Mechanism (see Chapter III of the Act)
  - to support Member States in preparing for, responding to and immediately recovering from significant and large-scale cybersecurity incidents
  - to support European institutions, bodies, offices and agencies of the Union (EUIBAs) in incident response
- Establishment of a European Cybersecurity Incident Review Mechanism (see Chapter IV of the Act)
  - to review and assess specific significant or large-scale incidents in order to enhance Union resilience
  - Review and assessment to be delivered by ENISA in the form of an incident review report to the CSIRTs network, the EU-CyCLONe and the Commission
Chapter V contains amendments to the DEP Regulation.
The Role of the Act in the Existing Cybersecurity Regulatory Framework
The Act complements the NIS 2 Directive in that it builds upon the existing operational cooperation and crisis management frameworks, in particular the European cyber crisis liaison organisation network (EU-CyCLONe) and the computer security incident response teams (CSIRTs) network. The cross-border SOC platforms are intended to complement the CSIRTs network by pooling and sharing data on cybersecurity threats from public and private entities, enhancing the value of such data through expert analysis and state-of-the-art tools, and contributing to the development of Union capabilities and technological sovereignty.
Legal basis for the Cyber Solidarity Act
Unlike the NIS 1 and NIS 2 Directives, the legal basis for the Cyber Solidarity Act is Art. 173(3) and Art. 322(1)(a) TFEU. Art. 173 TFEU provides that the Union and the Member States ensure that the conditions necessary for the competitiveness of the Union’s industry exist. In that regard, reinforcing the level of cybersecurity in the Digital Single Market is deemed to strengthen the competitive position of the industry and service sector in the EU. Art. 322(1)(a) TFEU relates to the financing of the Act’s deliverables. Art. 322(1)(a) TFEU contains carry-over rules derogating from the principle of annuality set out in the Financial Regulation 2018/1046. Considering the unpredictable, exceptional and specific nature of the cybersecurity landscape, the Commission considers that the Cyber Emergency Mechanism should benefit from some flexibility in relation to budgetary management – this new rule will be addressed in the Financial Regulation recast.