European Commission adopts proposal for EU Cyber Solidarity Act to strengthen cybersecurity capacities

The European Commission on Tuesday adopted a proposal for the EU Cyber Solidarity Act to strengthen cybersecurity capacities in the region. It will support the detection and awareness of cybersecurity threats and incidents, and bolster the preparedness of critical entities, apart from reinforcing solidarity, concerted crisis management, and response capabilities across Member States. The Cyber Solidarity Act establishes EU capabilities to make Europe more resilient and reactive in the face of cyber threats while strengthening existing cooperation mechanisms.

Funded by €1.1 billion, of which about two-thirds will come from the EU budget, the Cyber Solidarity Act introduces a European Cyber Shield, a Cyber Emergency Mechanism, and a Cybersecurity Incident Review Mechanism. The Cyber Emergency Mechanism is intended to increase preparedness and enhance incident response capabilities in the EU; it will support preparedness actions, create a new EU Cybersecurity Reserve, and provide financial support for mutual assistance.

The European Cyber Shield delivers a pan-European infrastructure of national and cross-border SOCs. The Security Operations Centres (SOCs) are entities that monitor and analyze insights on cyber threats. With the Cyber Shield, they will be able to provide timely warnings across borders.

The European Cyber Shield will consist of a pan-European infrastructure that connects Security Operations Centres (SOCs) spread across the EU. It will strengthen capacities to analyze, detect and prevent cyber threats and to support the production of high-quality intelligence on cyber threats. This will be done using ‘state-of-the-art’ tools, such as artificial intelligence (AI) and advanced data analytics. These tools will be jointly procured by the European Cybersecurity Competence Centre (ECCC) in collaboration with national or cross-border SOCs.

National SOCs will make up the building blocks of the European Cyber Shield. These will be public bodies, designated by Member States, acting as gateways to other public and private organizations at the national level for collecting and analyzing information on cybersecurity threats and incidents.

The European Cyber Shield will be made up of several cross-border SOC platforms, each grouping together national SOCs from at least three Member States. Support from the Digital Europe Programme (DEP) will supplement national funding for the SOCs.

The first phase of establishing the European Cyber Shield is ongoing following a Call for Expression of Interest for cross-border SOCs under the DEP Cybersecurity Work Programme 2021-2022. Additionally, the European Cyber Shield will build upon and complement the work of existing SOCs, Computer Security Incident Response Teams (CSIRTs), and other relevant stakeholders.

The Cyber Emergency Mechanism strengthens preparedness by testing entities in highly critical sectors such as healthcare, transport and energy, for potential vulnerabilities. It will also create an EU Cybersecurity Reserve with incident response services from trusted providers ready to intervene, at the request of a Member State, in case of significant and large-scale cybersecurity incidents. It will further provide financial support for mutual assistance between member states’ national authorities.

“Cybersecurity preparedness means a state of readiness and capability enabling an effective rapid response to a significant or large-scale cybersecurity incident. This can be ensured through risk assessment for potential vulnerabilities and monitoring actions taken in advance,” the European Commission said. “The increasing impact of cybersecurity incidents represents a major threat to the functioning of technology and to the Single Market as a whole. The quickly evolving threat landscape demands stronger preparedness at all levels of the EU’s cybersecurity ecosystem.”

The preparedness actions proposed in the Regulation promote a consistent approach and the strengthening of security across the EU and its internal market. Member States would receive support for testing and assessing entities operating in highly critical sectors. The sectors or sub-sectors will be selected at the EU level to ensure coordinated action. In addition, the regulation proposes support for other preparedness actions, not covered by the coordinated testing of entities operating in highly critical sectors. Those actions could cover support for various types of other national preparedness activities.

Upon the request of the Member States, the EU Cybersecurity Reserve will assist competent authorities in responding to significant or large-scale cybersecurity incidents, and in immediately recovering from such incidents, the Commission outlined. “The support from the EU Cybersecurity Reserve is complementary to national mitigating measures and support actions. Therefore, to receive support, the competent authority should also itself provide to the affected entity direct technical assistance, and other resources to assist the response and immediate recovery efforts,” it added.

The Cybersecurity Incident Review Mechanism reviews and assesses significant or large-scale incidents. At the request of the Commission, the EU-CyCLONe, or the CSIRTs network, ENISA should review the cybersecurity incident and response. ENISA should then deliver a report on lessons learned and recommendations.

When reviewing and assessing a specific incident, ENISA shall collaborate with relevant stakeholders, including representatives from the private sector, member states, and the Commission. ENISA will also consult managed security services providers, entities affected by cybersecurity incidents, and other relevant entities. 

The Commission said that after a review and assessment of an incident, ENISA shall deliver an incident review report to EU CyCLONe, the CSIRTs network, and the Commission. In the report, “ENISA shall address main causes and vulnerabilities of cybersecurity incidents, as well as lessons learned and, where appropriate, recommendations to improve the Union’s cyber posture,” it added.

The Commission also presented a Cybersecurity Skills Academy, as part of the 2023 European Year of Skills, to ensure a more coordinated approach towards closing the cybersecurity talent gap, a prerequisite to boosting Europe’s resilience. The Academy will bring together various existing initiatives aimed at promoting cybersecurity skills and will make them available on an online platform, increasing their visibility and boosting the number of skilled cybersecurity professionals in the EU.

The Academy will work towards a common baseline for cybersecurity career profiles and the associated skills, ensure a better channeling and visibility of the available funding opportunities, call on stakeholders like companies, schools, universities and authorities to take action and define indicators to monitor the evolution of the job market for cybersecurity professionals.

With the proposed EU Cyber Solidarity Act, the Commission responds to the member states’ call to strengthen EU cyber resilience and delivers on its commitment expressed in the recent Joint Cyber Defence Communication to prepare an EU Cyber Solidarity Initiative.

The EU Cyber Solidarity Act and the Cybersecurity Skills Academy build upon the EU Cybersecurity strategy, as well as the EU’s legislative framework to bolster the EU’s collective resilience against increasing cybersecurity threats. This includes the Directive on measures for a high common level of cybersecurity across the Union (NIS 2) and the Cybersecurity Act.

Margrethe Vestager, executive vice president for a Europe Fit for the Digital Age, said in a media statement that “with the cyber package presented today, we show how by acting in solidarity, we can build up the infrastructure, skills, and capacities that we need to face our common growing cybersecurity threat.”

“The EU Cyber Solidarity Act and the Cybersecurity Skills Academy are our two new tangible instruments to address the EU’s operational cybersecurity needs: the Act brings forward concrete measures that will allow the EU to respond to threats and attacks; and the Academy aims at reinforcing our skills base so that we have the people we need for this purpose,” according to Margaritis Schinas, vice-president for ‘Promoting our European Way of Life.’ 

“Today marks the proposal of a European cyber shield,” Thierry Breton, commissioner for internal market, said. “To effectively detect, respond, and recover from large-scale cybersecurity threats, it is imperative that we invest substantially and urgently in cybersecurity capabilities. The Cyber Solidarity Act is a critical milestone in our journey towards achieving this objective.”

Earlier this year, the European Union rolled out two fundamental directives that work towards augmenting the durability of physical and digital infrastructure against potential cybersecurity threats, risks, and attacks across critical infrastructures that include power grids, the transport network, and information and communication systems.
