EU agrees amendments to Cyber Solidarity Act in bid to create ‘cyber shield’ for member states
The EU’s Cyber Solidarity Act will provide new mechanisms for authorities to bolster union-wide security practices
EU member states have reached a common position on the planned Cyber Solidarity Act, aimed at making Europe more resilient and reactive in the face of cyber threats.
The aim of the draft legislation is to support the detection and awareness of significant or large-scale cyber security threats and incidents, to bolster preparedness, and to protect critical infrastructure and essential services such as hospitals and public utilities.
It's also intended to boost cooperation between member states in the event of a union-wide security incident and improve coordinated crisis management and response capabilities.
EU lawmakers hailed the announcement as a vital piece of legislation that will create a more robust security landscape for member states and organizations across the union.
"Today’s agreement is another step to improve cyber resilience in Europe," said José Luis Escrivá, Spanish minister for digital transformation.
"It will certainly strengthen EU’s and member states’ capabilities to prepare, prevent, respond, and recover from large-scale cyber threats and attacks in a more efficient and effective manner."
Cyber Solidarity Act looks to ‘shield’ EU from threats
A major feature of the draft legislation is the creation of a 'European cyber shield', a pan-European infrastructure composed of national and cross-border security operations centers (SOCs) across the EU.
These will use artificial intelligence (AI) and advanced data analytics to detect and share warnings on cyber threats and incidents across borders. There are also plans for the creation of a cyber emergency mechanism to increase preparedness and enhance incident response capabilities.
This will include testing entities in highly critical sectors, such as healthcare, transport, and energy, to probe for potential vulnerabilities based on common risk scenarios, lawmakers said.
Similarly, a new EU ‘cyber security reserve’ will be set up consisting of incident response services from trusted private sector providers, all of them pre-contracted so they're ready to intervene at the request of a member state or EU institution, body, or agency.
There are also plans for a mutual financial assistance fund aimed at enabling member states to offer financial aid to others in the event of a serious security incident.
As part of the legislation, new mechanisms will be introduced to conduct reviews and assessments of large-scale cyber security incidents after they have taken place.
ENISA, the EU’s cyber security agency, will play a key role in supporting this aspect of the legislation, lawmakers said.
At the request of the European Commission or of national authorities, the security agency will conduct reviews of certain incidents and deliver reports to relevant governmental departments.
Cyber Solidarity Act changes align with NIS2
The new common position introduces a few, mostly minor, changes to the draft legislation. In particular, it clarifies terminology and adapts the text to member states’ specificities, particularly around the SOCs and the cyber shield.
Meanwhile, definitions have been modified and aligned with other legislation, such as the recently revised Network and Information Security Directive (NIS2).
ENISA’s role has also been reinforced and clarified throughout the text, and improvements have been introduced around procurement, funding, information sharing, and the incident review mechanism.
The next step in the process is for the incoming presidency to start negotiating with the European Parliament on a final version of the proposed legislation.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.