Cyber solidarity act: Member states agree common position to strengthen cyber security capacities in the EU

Brussels: To strengthen EU’s solidarity and capacities to detect, prepare for and respond to cybersecurity threats and incidents, member states’ representatives (Coreper) reached a common position on the so-called ‘cyber solidarity act’.

The draft regulation establishes EU capabilities to make Europe more resilient and reactive in front of cyber threats, while strengthening cooperation mechanisms.

The agreement is another step to improve cyber resilience in Europe. It will certainly strengthen EU’s and member states’ capabilities to prepare, prevent, respond, and recover from large-scale cyber threats and attacks in a more efficient and effective manner.

The Commission proposal mainly aims to:

support detection and awareness of significant or large-scale cybersecurity threats and incidents

bolster preparedness and protect critical entities and essential services, such as hospital and public utilities

strengthen solidarity at EU level, concerted crisis management and response capabilities across member states

contribute to ensuring a safe and secure digital landscape for citizens and businesses

To detect major cyber threats quickly and effectively, the draft regulation establishment a ‘European cyber shield’, which is a pan-European infrastructure composed of national and cross-border security operations centres (SOCs) across the EU. These are entities in charge of sharing information and tasked with detecting and acting on cyber threats. They will use state-of-the-art technology, such as artificial intelligence (AI) and advanced data analytics, to detect and share timely warnings on cyber threats and incidents across borders. In turn, authorities and relevant entities will be able to respond more efficiently and effectively to major incidents.

The draft regulation also provides for the creation of a cyber emergency mechanism to increase preparedness and enhance incident response capabilities in the EU. It will support:

preparedness actions, including testing entities in highly critical sectors (healthcare, transport, energy, etc.) for potential vulnerabilities, based on common risk scenarios and methodologies

a new EU cybersecurity reserve consisting of incident response services from private sector trusted providers pre-contracted and therefore ready to intervene, at the request of a member state or EU institutions, bodies, and agencies, in case of a significant or large-scale cybersecurity incident

mutual assistance in financial terms, where a member state could offer support to another member state

Finally, the proposed regulation establishes the cybersecurity incident review mechanism to enhance EU resilience by reviewing and assessing significant or large-scale cybersecurity incidents after they have taken place, drawing lessons learned and where appropriate, issuing recommendations to improve EU’s cyber posture. At the request of the Commission or of national authorities, the EU’s cybersecurity agency (ENISA) would review certain cybersecurity incidents and deliver a report with lessons learned and recommendations.

The Council’s position maintains the general thrust of the Commission proposal but amends the draft regulation in the following aspects:

it clarifies terminology and adapts the text to member states’ specificities, particularly regarding the SOCs and the cyber shield

in the subject matter and scope, language was improved on the response measures and recovery, as well as on provisions referring to national security

definitions have been modified and aligned with other legislation, mainly the recently revised directive on network and information systems (‘NIS 2’)

the voluntary nature of member states’ involvement in the mechanisms established by the Commission proposal was stressed throughout the text and interactions between existing entities and those defined by the draft regulation have been clarified

the role of the EU agency for cybersecurity (ENISA) has been reinforced and clarified throughout the text

improvements have been introduced on procurement, funding, information sharing and the incident review mechanism.

Today’s agreement on the Council’s common position (‘negotiating mandate’) will allow the incoming presidency to enter negotiations with the European Parliament (‘trilogues’) on the final version of the proposed legislation.