The EU Cyber Solidarity Act



What is the EU Cyber Solidarity Act?

The Cyber Solidarity Act is a step forward after the Joint Cyber Defence Communication (JOIN(2022) 49), for an EU Cyber Solidarity Initiative with the following objectives:

1. To strengthen common EU detection, situational awareness, and response capabilities,

2. To gradually build an EU-level cybersecurity reserve with services from trusted private providers, and

3. To support testing of critical entities.

According to the European Commission, "cyber operations are increasingly integrated in hybrid and warfare strategies, with significant effects on the target. In particular, Russia’s military aggression against Ukraine was preceded and is being accompanied by a strategy of hostile cyber operations, which is a game changer for the perception and assessment of the EU’s collective cybersecurity crisis management preparedness and a call for urgent action."

"The threat of a possible large-scale incident causing significant disruption and damage to critical infrastructures demands heightened preparedness at all levels of the EU’s cybersecurity ecosystem. That threat goes beyond Russia’s military aggression on Ukraine and includes continuous cyber threats from state and non-state actors, which are likely to persist, given the multiplicity of state-aligned, criminal and hacktivist actors involved in current geopolitical tensions."

The objectives of the EU Cyber Solidarity Act will be implemented through the following actions:

1. The deployment of a pan-European infrastructure of Security Operations Centres (European Cyber Shield) to build and enhance common detection and situational awareness capabilities.

2. The creation of a Cyber Emergency Mechanism to support Member States in preparing for, responding to and immediate recovery from significant and large-scale cybersecurity incidents. Support for incident response shall also be made available to European institutions, bodies, offices and agencies of the Union (EUIBAs).

3. The establishment of a European Cybersecurity Incident Review Mechanism to review and assess specific significant or large-scale incidents.


March 6, 2024 - The Council and the European Parliament reached a provisional agreement on the cyber solidarity act.

Next step: From the Council’s side, the Belgian presidency will submit the texts to the member states’ representatives (Coreper) for approval. Once approved, the draft legislative acts will be submitted to a legal/linguistic review before being formally adopted by the co-legislators, published in the EU’s Official Journal, and entering into force 20 days after the publication.

To detect major cyber threats quickly and effectively, the new regulation establishes a ‘cyber security alert system’, which is a pan-European infrastructure composed of national and cross-border cyber hubs across the EU. These are entities in charge of sharing information and tasked with detecting and acting on cyber threats. They will strengthen the existing European framework and in turn, authorities and relevant entities will be able to respond more efficiently and effectively to major incidents.


December 20, 2023 - Member States’ representatives (Coreper) reached a common position on the Cyber Solidarity Act.

The Permanent Representatives Committee (or Coreper) is responsible for preparing the work of the Council of the European Union.

Coreper coordinates and prepares the work of all meetings of the Council and attempts to find, at its level, an agreement which will be subsequently submitted for adoption by the Council.

The Commission proposal for a Cyber Solidarity Act aims to:

- support detection and awareness of significant or large-scale cybersecurity threats and incidents

- bolster preparedness and protect critical entities and essential services, such as hospitals and public utilities

- strengthen solidarity at EU level, concerted crisis management and response capabilities across member states

- contribute to ensuring a safe and secure digital landscape for citizens and businesses.

To detect major cyber threats quickly and effectively, the draft regulation establishes a 'European cyber shield', which is a pan-European infrastructure composed of national and cross-border security operations centres (SOCs) across the EU.

These are entities in charge of sharing information and tasked with detecting and acting on cyber threats. They will use state-of-the-art technology, such as artificial intelligence (AI) and advanced data analytics, to detect and share timely warnings on cyber threats and incidents across borders. In turn, authorities and relevant entities will be able to respond more efficiently and effectively to major incidents.

The draft regulation also provides for the creation of a cyber emergency mechanism to increase preparedness and enhance incident response capabilities in the EU.

It will support:

- preparedness actions, including testing entities in highly critical sectors (healthcare, transport, energy, etc.) for potential vulnerabilities, based on common risk scenarios and methodologies

- a new EU cybersecurity reserve consisting of incident response services from private sector trusted providers pre-contracted and therefore ready to intervene, at the request of a member state or EU institutions, bodies, and agencies, in case of a significant or large-scale cybersecurity incident

- mutual assistance in financial terms, where a member state could offer support to another member state.


What is the next step?

The agreement on the Council's common position ('negotiating mandate') will allow the incoming presidency to enter negotiations with the European Parliament ('trilogues') on the final version of the proposed legislation.


April 18, 2023 - No impact assessment due to the “urgent nature of the proposal”!

In our opinion, the urgent nature of the proposal is a direct result of Russia's unprovoked and unjustified attack on Ukraine. Ursula Gertrud von der Leyen, president of the European Commission since 2019, has said: "This war changes everything. After this war, you cannot be in between anymore."

According to the proposed EU Cyber Solidarity Act (April 18, 2023):

"Due to the urgent nature of the proposal, no impact assessment was carried out. The actions of this Regulation will be supported by the Digital Europe Programme (DEP), and are in line with those set in the DEP Regulation, which was subject to a dedicated impact assessment.

This Regulation will not entail any significant administrative or environmental impacts beyond those already assessed in the impact assessment of the DEP Regulation.

Furthermore, it builds on first actions developed in close collaboration with the main stakeholders, as set out above, and follows up on Member States’ call for the Commission to present a proposal on a new Emergency Response Fund for Cybersecurity by the end of Q3 2022.

Specifically, regarding situational awareness and detection under the European Cyber Shield, a Call for Expression of Interest to jointly procure tools and infrastructure to establish Cross-border SOCs, and a call for grants to enable capacity building of SOCs serving public and private organisations, were held under the DEP cybersecurity work programme 2021-2022.

In the area of preparedness and incident response, as mentioned above the Commission has set up a short-term programme to support Member States from DEP, being implemented by ENISA. Services covered include preparedness actions, such as penetration testing of critical entities in order to identify vulnerabilities.

It also strengthens possibilities to assist Member States in case of a major incident affecting critical entities. The implementation by ENISA of this short-term programme is under way and has already provided relevant insights that have been taken into account in the preparation of this Regulation."

You can find the above (page 8/58) at:

https://digital-strategy.ec.europa.eu/en/library/proposed-regulation-cyber-solidarity-act

In our opinion, this urgency is justified. Unfortunately, this will be challenged by the European Court of Auditors (ECA), as even in the "Better Regulation Guidelines" from the European Commission, the phrase "impact assessment" is repeated 119 times in 43 pages. "Stakeholder consultation" is repeated 28 times.


October 5, 2023 - Warnings (in Opinion 02/2023) from the European Court of Auditors (ECA) about the Cyber Solidarity Act.

According to the European Court of Auditors (ECA):

"Our opinion highlights some risks that we have identified and how the measures laid down in the proposal might be implemented. In particular, we highlight the risks that the operation of the European Cyber Shield and its sustainability become dependent on EU financing; that its functioning is impeded by a lack of information sharing; and that the measures introduced by the proposal make the whole EU cybersecurity galaxy more complex."

"The Commission’s better regulation guidelines suggest using impact assessments and stakeholder consultations as part of a comprehensive analysis of policy design and implementation options. We consider comprehensive impact assessments as an essential tool to consider whether EU action is needed and analyse the potential impacts of available solutions before any proposal is adopted.

This proposed Regulation was not subject to an impact assessment. In section 3 of the accompanying explanatory memorandum, the Commission explained that it had opted not to carry out such an assessment due to the “urgent nature of the proposal”.

It also said that the measures introduced by the proposed Regulation would be supported by the Digital Europe Programme (DEP), and were in line with the DEP Regulation, which had undergone a specific impact assessment in 2018. Additionally, the Commission explained that the proposed measures were built upon previous actions prepared in close coordination with the main stakeholders and member states, integrating lessons learned.

However, we note that the DEP impact assessment does not cover the new measures introduced by the proposed Regulation. There is thus limited information on available policy options and the costs related to the proposal."

"As a result of our review of the legislative proposal, we suggest that the Commission and legislators should consider:

— making the cost estimates related to establishing and implementing the proposed measures available to enhance transparency (see paragraph 10);

— clarifying how national SOCs, cross-border SOCs, CSIRTs, and the CSIRTs network should interact by laying down clear governance arrangements and responsibilities in order to ensure effective coordination and achieve synergies (paragraph 20);

— ensuring that the time lapse between the request to receive support services from the EU Cybersecurity Reserve and the response by the Commission is not delayed by the timing of the request (paragraph 29);

— limiting the derogation to the annuality principle to response actions and mutual assistance and clarifying that the automatic carry-over of unused commitments should be limited to the following year (paragraphs 32-34);

— specifying a maximum deadline for the delivery of ENISA’s report after any incident, in order to ensure that feedback is provided in good time (paragraph 36);

— advancing the timing for submission by the Commission of a report on the evaluation and review of the Regulation (paragraph 40)."

You can find the above at:

https://www.eca.europa.eu/ECAPublications/OP-2023-02/OP-2023-02_EN.pdf


Understanding the EU Cyber Solidarity Act.

April 18, 2023 - The European Commission introduced a proposal for a Cyber Solidarity Act, in an effort to improve the preparedness, detection and response to cybersecurity incidents across the EU. The full name of the Act is "Proposal for a Regulation of the European Parliament and the Council laying down measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cybersecurity threats and incidents".

The EU framework comprises several pieces of legislation already in place or proposed at Union level to reduce vulnerabilities, increase the resilience of critical entities against cybersecurity risks and support the coordinated management of large-scale cybersecurity incidents and crises, notably:

- the Directive on measures for a high common level of security of network and information systems across the Union (NIS 2),

- the Cybersecurity Act (Regulation (EU) 2019/881),

- the Directive on attacks against information systems (Directive 2013/40/EU),

- the Commission Recommendation (EU) 2017/1584 on coordinated response to large-scale cybersecurity incidents and crises.

The actions proposed under the Cyber Solidarity Act cover situational awareness, information sharing, as well as support for preparedness and response to cyber incidents. These actions are consistent with and support the objectives of the regulatory framework in place at Union level, notably under Directive (EU) 2022/2555 (the NIS 2 Directive).

The Cyber Solidarity Act will especially build on and support the existing cybersecurity operational cooperation and crisis management frameworks, in particular the European Cyber Crisis Liaison Organisation Network (EU-CyCLONe) and the Computer Security Incident Response Teams (CSIRTs) network.

The cross-border Security Operations Centres (SOCs) will constitute a new capability that is complementary to the CSIRTs network, by pooling and sharing data on cybersecurity threats from public and private entities, enhancing the value of such data through expert analysis and state-of-the-art tools, and contributing to the development of Union capabilities and technological sovereignty.

The Cyber Solidarity Act is consistent with the Council Recommendation on a Union-wide coordinated approach to strengthen the resilience of critical infrastructure (2023/C 20/01) that invites Member States to take urgent and effective measures, and to cooperate loyally, efficiently, in solidarity and in a coordinated manner with each other, the Commission and other relevant public authorities as well as the entities concerned, to enhance the resilience of critical infrastructure used to provide essential services in the internal market.


Chapter I of the EU Cyber Solidarity Act.

Chapter I sets out the objectives of the Regulation: to strengthen solidarity at Union level in order to better detect, prepare for and respond to cybersecurity threats and incidents and, in particular, to strengthen common Union detection and situational awareness of cyber threats and incidents, to reinforce the preparedness of entities operating in critical and highly critical sectors across the Union, to strengthen solidarity by developing common response capacities against significant or large-scale cybersecurity incidents, and to enhance Union resilience by reviewing and assessing significant or large-scale incidents.

This Chapter also sets out the actions through which these objectives will be achieved: the deployment of a European Cyber Shield, the creation of a Cyber Emergency Mechanism and the establishment of a Cybersecurity Incident Review Mechanism. It also sets out the definitions used throughout the instrument.


Article 1, Subject-matter and objectives

1. This Regulation lays down measures to strengthen capacities in the Union to detect, prepare for and respond to cybersecurity threats and incidents, in particular through the following actions:

(a) the deployment of a pan-European infrastructure of Security Operations Centres (‘European Cyber Shield’) to build and enhance common detection and situational awareness capabilities;

(b) the creation of a Cybersecurity Emergency Mechanism to support Member States in preparing for, responding to, and immediate recovery from significant and large-scale cybersecurity incidents;

(c) the establishment of a European Cybersecurity Incident Review Mechanism to review and assess significant or large-scale incidents.

2. This Regulation pursues the objective to strengthen solidarity at Union level through the following specific objectives:

(a) to strengthen common Union detection and situational awareness of cyber threats and incidents thus allowing to reinforce the competitive position of industry and services sectors in the Union across the digital economy and contribute to the Union’s technological sovereignty in the area of cybersecurity;

(b) to reinforce preparedness of entities operating in critical and highly critical sectors across the Union and strengthen solidarity by developing common response capacities against significant or large-scale cybersecurity incidents, including by making Union cybersecurity incident response support available for third countries associated to the Digital Europe Programme (‘DEP’);

(c) to enhance Union resilience and contribute to effective response by reviewing and assessing significant or large-scale incidents, including drawing lessons learned and, where appropriate, recommendations.

3. This Regulation is without prejudice to the Member States’ primary responsibility for national security, public security, and the prevention, investigation, detection and prosecution of criminal offences.


Chapter II of the EU Cyber Solidarity Act.

Chapter II establishes the European Cyber Shield and sets out its various elements and the conditions for participation.

Firstly, it announces the overall objective of the European Cyber Shield, which is to develop advanced capabilities for the Union to detect, analyse and process data on cyber threats and incidents in the Union, as well as the specific operational objectives. It specifies that Union funding for the European Cyber Shield shall be implemented in accordance with the DEP Regulation.

Further, the chapter describes the type of entities that shall form the European Cyber Shield. The shield shall consist of National Security Operations Centres (‘National SOCs’) and Cross-border Security Operations Centres (‘Cross-border SOCs’).

A National SOC shall be designated by each participating Member State. This shall act as a reference point and gateway to other public and private organisations at national level for collecting and analysing information on cybersecurity threats and incidents and contributing to a Cross-border SOC.

Following a Call for Expression of Interest, a National SOC may be selected by the ECCC to participate in a joint procurement of tools and infrastructures with the ECCC and to receive a grant for running the tools and infrastructures. If a National SOC benefits from Union support, it shall commit to apply to participate in a Cross-border SOC within two years.

Cross-border SOCs shall consist of a consortium of at least three Member States, represented by National SOCs, who are committed to work together to coordinate their cyber detection and threat monitoring activities. Following an initial Call for Expression of Interest, a Hosting Consortium may be selected by the ECCC to participate in a joint procurement of tools and infrastructures with the ECCC and to receive a grant for running the tools and infrastructures. Members of the Hosting Consortium shall conclude a written consortium agreement which sets out their internal arrangements.

This chapter then details the requirements for sharing information among the participants in a Cross-border SOC, and for sharing information between a Cross-border SOC and other Cross-border SOCs, as well as with relevant EU entities. National SOCs participating in a Cross-border SOC shall share relevant cyber threat related information with one another, and the details, including the commitment to share a significant amount of data and the conditions thereof, should be defined in a consortium agreement.

Cross-border SOCs shall ensure a high level of interoperability between themselves. Cross-border SOCs should also conclude cooperation agreements with other Cross-border SOCs, specifying information sharing principles. Where Cross-border SOCs obtain information relating to a potential or ongoing large-scale cybersecurity incident, they shall provide relevant information to EU-CyCLONe, the CSIRTs network and the Commission, in view of their respective crisis management roles in accordance with Directive (EU) 2022/2555. Chapter II concludes by specifying the security conditions for participating in the European Cyber Shield.


Chapter III of the EU Cyber Solidarity Act.

Chapter III establishes the Cyber Emergency Mechanism to improve the Union’s resilience to major cybersecurity threats and prepare for and mitigate, in a spirit of solidarity, the short-term impact of significant and large-scale cybersecurity incidents or crises.

Actions implementing the Cyber Emergency Mechanism shall be supported by funding from DEP. The Mechanism provides for actions to support preparedness (including coordinated testing of entities operating in highly critical sectors), response to and immediate recovery from significant or large-scale cybersecurity incidents or the mitigation of significant cyber threats, and mutual assistance actions.

The Cyber Emergency Mechanism preparedness actions include the coordinated preparedness testing of entities operating in highly critical sectors. The Commission, after consulting ENISA and the NIS Cooperation Group, should regularly identify relevant sectors or subsectors from the Sectors of High Criticality listed in Annex I of Directive (EU) 2022/2555, from which entities may be subject to coordinated preparedness testing at EU level.

For the purpose of implementing the proposed incident response actions, this Regulation establishes an EU Cybersecurity Reserve, consisting of incident response services from trusted providers, selected in accordance with the criteria laid down in this Regulation.

Users of the services from the EU Cybersecurity Reserve shall include Member States’ cyber crisis management authorities and CSIRTs and Union institutions, bodies and agencies. The Commission shall have overall responsibility for the implementation of the EU Cybersecurity Reserve and may entrust, in full or in part, ENISA with the operation and administration of the EU Cybersecurity Reserve.

To receive support from the EU Cybersecurity Reserve, the users should take their own measures to mitigate the effects of the incident for which the support is requested. The requests for support from the EU Cybersecurity Reserve should include necessary relevant information about the incident and the measures already taken by the users. The Chapter describes as well the implementation modalities, including assessment of requests to the EU Cybersecurity Reserve.

The Regulation provides as well for the procurement principles and selection criteria regarding trusted providers of the EU Cybersecurity Reserve.

Third countries may request support from the EU Cybersecurity Reserve where Association Agreements concluded regarding their participation in DEP provide for this. This Chapter describes further conditions and modalities of such participation.


Chapter IV of the EU Cyber Solidarity Act.

At the request of the Commission, the EU-CyCLONe or the CSIRTs network, ENISA will review and assess threats, vulnerabilities and mitigation actions with respect to a specific significant or large-scale cybersecurity incident.

The review and assessment will be delivered by ENISA in the form of an incident review report to the CSIRTs network, the EU-CyCLONe and the Commission to support them in carrying out their tasks.

When the incident relates to a third country, the report will be shared by the Commission with the High Representative. The report will include lessons learned and where appropriate, recommendations to improve the Union’s cyber posture.


Chapter V of the EU Cyber Solidarity Act.

Chapter V contains amendments to the DEP Regulation, and an obligation for the Commission to prepare regular reports for the evaluation and review of the Regulation to the European Parliament and to the Council.

The Commission is empowered to adopt implementing acts in accordance with the examination procedure referred to in Article 21 to: specify the conditions for this interoperability between Cross-border SOCs; determine the procedural arrangements for the information sharing related to a potential or ongoing large-scale cybersecurity incident between Cross-border SOCs and Union entities; lay down technical requirements to ensure a high level of data and physical security of the infrastructure and to protect the security interests of the Union when sharing information with entities that are not Member States’ public bodies; specify the types and the number of response services required for the EU Cybersecurity Reserve; and specify further the detailed arrangements for allocating the EU Cybersecurity Reserve support services.