Political agreement reached on the Cyber Solidarity Act proposed by European Commission

The Cyber Solidarity Act includes three actions: the setting up of a European Cybersecurity Alert System, the creation of a Cybersecurity Emergency Mechanism and establishing a European Cybersecurity Incident Review Mechanism.

The Commission welcomes the political agreement reached last night between the European Parliament and the Council on the Cyber Solidarity Act, proposed by the Commission in April 2023.

„The Cyber Solidarity Act will strengthen solidarity at EU level to better detect, prepare and respond to cyberthreats and incidents. It comes at a crucial time for EU cybersecurity, as the cyber threat landscape in the EU continues to be impacted by geopolitical events.” – according to the press release.

The Cyber Solidarity Act includes three actions:

Firstly, the setting up of a European Cybersecurity Alert System, consisting of a network of National and Cross-border Cyber Hubs, which will leverage state-of-the-art tools and infrastructures, such as Artificial Intelligence and advanced data analytics, to swiftly detect cyber threats and incidents. This infrastructure will provide real-time situational awareness to authorities and other relevant entities, enabling them to effectively respond to such threats and incidents. In April 2023, two Member State consortia were formed to jointly procure and receive grants to operate and launch a pilot phase of such tools and infrastructures under the Digital Europe Programme.

Secondly, the Act also creates a Cybersecurity Emergency Mechanism that will enhance preparedness and response capabilities to significant and large-scale cyber incidents. The mechanism will support three main areas:

1. Preparedness actions: to coordinate preparedness testing of entities operating in critical sectors, including health or energy, for potential vulnerabilities.
2. A new EU Cybersecurity Reserve: to consist of incident response services from trusted providers ready to intervene at the request of Member States, European Union institutions, bodies or agencies or a third country associated to this specific action under the Digital Europe Programme, in case of significant or large-scale cybersecurity incidents.
3. Financial support for mutual assistance: to support one Member State providing technical assistance to another Member State affected by a significant or large-scale cybersecurity incident.

Thirdly, the proposal also establishes a European Cybersecurity Incident Review Mechanism to review and assess significant or large-scale incidents after they have occurred with the aim of providing recommendations to improve the EU’s cybersecurity standing.

The European Parliament and the Council also reached an agreement on the amendment to the Cybersecurity Act. This amendment opens up the possibility of adopting European certification schemes for managed security services. It will help provide a framework for establishing trusted providers in the EU Cybersecurity Reserve under the Cyber Solidarity Act.

Managed security services play an important role in preventing and responding to cybersecurity incidents. However, they are also themselves a target for malicious actors who seek to gain access to the sensitive environments of their clients. The certification of such services will strengthen cybersecurity across the Union, promoting trust and transparency in the supply chain. This is crucial for businesses and critical infrastructure operators, who will have a clear benchmark when procuring cybersecurity services.

„I am pleased that we have an agreement on the Cyber Solidarity Act, which will allow us to better detect and respond to cyber threats across our Union. It represents the next step in building a collective resilience to the growing cyberthreats in the current geopolitical landscape.” – said Margrethe Vestager, Executive Vice-President for a Europe Fit for the Digital Age.

„The European way to a full Security Union requires going beyond cybersecurity preparedness to a fully operational cyber defence capacity. This is what we are achieving with the Cyber Solidarity Act, particularly with the EU Cyber Reserve, which will bring the best possible experts to manage large-scale cyberattacks.” – said Margaritis Schinas, Vice-President for Promoting our European Way of Life.

„The Cyber Solidarity Act is a crucial step to establish a European cyber shield. I welcome the agreement reached yesterday evening. Europe will now rely on a European Cybersecurity Alert System to detect cyber threats more quickly, and on a European cyber solidarity mechanism to support any Member States attacked, including through a European cyber reserve. With the European Cyber Solidarity Act we are enhancing the cyber operational cooperation at European level. For the security of our citizens.” – said Thierry Breton, Commissioner for Internal Market.

Next Steps

The agreement reached yesterday evening is now subject to formal approval by the European Parliament and the Council. Once formally adopted, the Cyber Solidarity Act will enter into force on the 20^th day following its publication in the Official Journal.

The Cyber Solidarity Act will increase funding for Cybersecurity actions under Digital Europe Programme for the period 2025-2027.

Background

With the proposed EU Cyber Solidarity Act, the Commission responds to Member States’ calls to strengthen EU cyber resilience, and delivers on its commitment expressed in the 2022 Joint Cyber Defence Communication to prepare an EU Cyber Solidarity Initiative. 

The Cyber Solidarity Act is one building block towards this goal, along with the Cyber Resilience Act and the NIS2 Directive. It builds on the 2020 EU Cybersecurity Strategy and the 2020 EU Security Union Strategy.  

Alongside the Cyber Solidarity Act, the Commission published a proposal for a targeted amendment to the Cybersecurity Act to allow for the adoption of European cybersecurity certification schemes for managed security services.

The Commission also announced the Communication on the Cybersecurity Skills Academy, to close the cybersecurity talent gap as part of the 2023 European year of Skills. The Academy will bring together various existing initiatives aimed at promoting cybersecurity skills and will make them available on an online platform, thereby increasing their visibility and boosting the number of skilled cybersecurity professionals in the EU.

_____________

For More Information

Cyber Solidarity Act web page

Proposal for a Cyber Solidarity Act

Factsheet: Cyber Solidarity Act