To strengthen the EU’s solidarity and capacities to detect, prepare for and respond to cybersecurity threats and incidents and enhance its cyber resilience, the European Council presidency and European Parliament’s negotiators reached a provisional agreement on the so-called ‘cyber solidarity act’, as well as on a targeted amendment to the cybersecurity act (CSA).
“Today’s agreements set new milestones for Europe’s cyber resilience. These rules will strengthen the EU’s and member states’ capabilities to prepare, prevent, respond, and recover from large-scale cyber threats or incidents. Moreover, creating the possibility for the certification of managed security services will help to ensure a high common level of these cybersecurity services across the EU by facilitating their cross-border provision to the benefit of our citizens and businesses.”
Mathieu Michel, Belgian Secretary of State for digitisation, administrative simplification, privacy protection and the building regulation
Main elements of the cyber solidarity act
The new regulation establishes EU capabilities to make Europe more resilient and reactive in the face of cyber threats, while strengthening cooperation mechanisms. It mainly aims to:
- support detection and awareness of significant or large-scale cybersecurity threats and incidents
- bolster preparedness and protect critical entities and essential services, such as hospitals and public utilities
- strengthen solidarity at EU level, concerted crisis management and response capabilities across member states
- contribute to ensuring a safe and secure digital landscape for citizens and businesses
To detect major cyber threats quickly and effectively, the new regulation establishes a ‘cyber security alert system’, which is a pan-European infrastructure composed of national and cross-border cyber hubs across the EU. These are entities in charge of sharing information and tasked with detecting and acting on cyber threats. They will strengthen the existing European framework and in turn, authorities and relevant entities will be able to respond more efficiently and effectively to major incidents.
The new regulation also provides for the creation of a cybersecurity emergency mechanism to increase preparedness and enhance incident response capabilities in the EU. It will support:
- preparedness actions, including testing entities in highly critical sectors (healthcare, transport, energy, etc.) for potential vulnerabilities, based on common risk scenarios and methodologies
- a new EU cybersecurity reserve consisting of incident response services from the private sector ready to intervene at the request of a member state or EU institutions, bodies, and agencies as well as associated third countries in case of a significant or large-scale cybersecurity incident
- mutual assistance in financial terms
Finally, the new regulation establishes an evaluation and review mechanism to assess, amongst others, the effectiveness of the actions under the cyber emergency mechanism and the use of the cyber security reserve, as well as the contribution of this regulation to strengthening the competitive position of the industry and service sectors.
The targeted amendment to the cybersecurity act of 2019
This targeted amendment aims to enhance the EU’s cyber resilience by enabling the future adoption of European certification schemes for ‘managed security services’. Managed security services, provided to customers by specialised companies, are crucial for the prevention, detection, response, and recovery from cybersecurity incidents. They can consist of, for example, incident handling, penetration testing, security audits, and consulting related to technical support.
The amendment will enable the establishment of European certification schemes for managed security services. It will help to increase their quality and comparability, foster the emergence of trusted cybersecurity service providers, and avoid fragmentation of the internal market given that some member states have already started the adoption of national certification schemes for managed security services. Awaiting the regular review of the CSA, due by 28 June 2024, the provisional agreement:
- clarifies the definition of ‘managed security services’ and ensures alignment with the revised network and information systems (‘NIS 2’) directive
- aligns the security objectives of these certification schemes with the security objectives of other schemes under the current CSA regulation
- includes modifications in the annex to the CSA, which contains a list of requirements to be met by conformity assessment bodies
- specifies that ENISA’s consultation of all relevant actors should be carried out in a timely manner and provides a possibility for quarterly briefings by ENISA or by the Commission to the co-legislators on the functioning of the certification schemes.