The Cyber Solidarity Act
With the European Parliament elections 6 months away, the EU aims to take actions with the cybersecurity package of measures to implement a robust system. Hence, the EU would be able to respond directly if there is any kind of a signal of a cyberattack. Lukas Mandl, an Austrian MEP emphasises that it is also “important that [the EU] informs citizens about the threats that come along with hate speech and fake news, sometimes from outside the EU, sometimes from the populism within EU”.
With this in mind, the EU Commission has adopted in April 2023 a proposal for the EU Cyber Solidarity Act to strengthen cybersecurity capabilities in the EU. But what is it exactly?
What is the EU Cyber Solidarity Act ?
This Commission latest initiative is presented as a way to step up the EU-wide cooperation to tackle any cyberattacks Member States could face and to make Europe more resilient and reactive in from of cyber threats. Indeed, the EU Cyber Solidarity Act appears in a geopolitical context that sees the increasing use of technologies as a weapon of war, which is considered as “a game changer for the perception and assessment of the EU’s collective cybersecurity crisis management preparedness and a call for urgent action” according the EU Commission.
The objectives are thus the following :
- To strengthen common EU detection, situational awareness and response capacities thanks to the deployment of a “European Cyber Shield”
- To create a comprehensive Cyber Emergency Mechanism. The goal is triple: to support Member States in preparing for, responding to, and recovering from significant and large-scale cybersecurity incidents; to support testing of critical entities; and to build an EU-level cybersecurity reserve with services from trusted private providers
- To establish a European Cybersecurity Incident Review Mechanism to assess specific significant or large-scale incidents
The European Cyber Shield, an essential instrument for better cyber incidents detection
In the effort to fortify the EU against the escalating tide of cyber threats, the European Cyber Shield, built with support from the Digital Europe Program (DEP) represents a central point to this initiative. This sophisticated structure envisions a pan-European infrastructure composed of both national and cross-border Security Operations Centres (SOCs), dedicated to rapidly identifying and addressing cyber threats. They will play a key role in promptly detecting, sharing warnings and acting on cyber incidents across borders leveraging new technologies such as AI and advanced data analytics. Such capability is expected to significantly boost authorities’ responses to major incidents. Preparatory work for this ambitious project is already underway: during a first phase launched in November 2022, the EU Commission has already initiated the formation of 3 cross-border SOC consortia, bringing together public bodies from 17 Member States and Iceland. These 3 centres could be operational for early 2024.
The Cyber Emergency Mechanism, designed to reinforce preparedness and amplify incidents response capabilities
It focuses on conducting preparedness activities such as rigorously testing crucial entities – considered as such under NIS 2, like in the healthcare, transport, energy and finance sectors – for potential weaknesses and vulnerabilities. Such tests will be processed using shared risk scenarios and methodologies.
Additionally, it considers creating an EU Cybersecurity Reserve, a set of ready-to-deploy incident response services, provided by pre-selected “trusted service providers”. In other words, this Cybersecurity Reserve will be made up of trusted and certified private companies ready to respond to major incidents together with the national competent authorities. Any EU Member State, in the event of a significant or large-scale cybersecurity incident, can activate this Reserve at any time upon request.
This Mechanism’s ambition is thus to increase mutual assistance and to enable each Member State to extend financial support one to another in times of need ie. when affected by a cybersecurity incident.
The Cybersecurity Incident Review Mechanism, a predominant new implementation for EU’s resilience
Moreover, the Act proposes the establishment of a Cybersecurity Incident Review Mechanism to enhance EU’s resilience by conducting post-incident analyses of significant and large-scale cybersecurity events, extracting valuable insights and where necessary suggesting recommendations to consolidate the EU’s cybersecurity and defense position. The EU Commission and national authorities (the EU-CyCLONe or the CSIRTs network) pointed out that the EU Cybersecurity Agency, the ENISA, will be the one responsible for such assessment and for delivering such a report that includes lessons learned and recommendations.
This EU Cyber Solidary Act represents a substantial investment in the EU’s cyber defense capabilities and prove once again its commitment to safeguarding its digital infrastructure and the well-being of its Member States in the face of growing cyber challenges with a total budget above 1.1 billion euros.
But the EU Cyber Solidarity Act does not come alone !
The Cybersecurity Skills Academy
Indeed, the Commission has also presented the creation of a Cybersecurity Skills Academy, as part of the 2023 European Year of Skills, to address a true challenge : the cybersecurity talent gap in Europe. Recognizing that a skilled workforce is essential for improving the EU’s resilience against cyber threats, this new Academy aims to coordinate efforts in this area bringing together a range of existing programs and initiatives that focus on promoting and developing cybersecurity skills. By hosting these resources on a single online platform, the Academy will strongly boost their accessibility and visibility. Such a strategy is expected to play a crucial role in increasing the reservoir of qualified European cybersecurity connoisseurs.
As a conclusion, while the European Court of Auditors (ECA) acknowledges the CSA’s fundamental goals, they however highlighted an impact assessment was not conducted because of the “urgent” characteristic of the proposal, among other several areas of concerns.
For instance, they also pointed out a call for clarity on how national SOCs, cross-border SOCs and CSIRTs network will interact, the need to specify a maximum deadline for the delivery of reports from ENISA following cyber incidents to ensure timely feedbacks, clearer guidelines on the Act’s future operationalisation, or even a risk associated with the European Cyber Shield and its potential dependence on EU financing.
Despite these highlighted concerns, this EU Cyber Solidarity Act Proposal appears promising, therefore it is important we closely monitor its developments in the coming stages!
Written by Blandine Lupinacci & Margaux Brusseau