Cyber Solidarity Act
The EU Cyber Solidarity Act is a Regulation proposed by the European Commission that would outline various measures to strengthen cyber solidarity and improve coordinated preparedness, detection and response to cybersecurity threats and incidents within the Union. The Act specifically covers situational awareness, information sharing, and support for cybersecurity incident preparedness and response measures. The proposal consists of three main reforms: the European Cybersecurity Alert System (European Cyber Shield), the Cybersecurity Emergency Mechanism, and the European Cybersecurity Incident Review Mechanism.
What does this mean?
- The European Cybersecurity Alert System (or European Cyber Shield as used in the Commission’s proposal) would be a platform consisting of national and cross-border cyber hubs (security operation centers). These hubs would utilize state-of-the-art technology to detect, analyze and process data on cybersecurity threats and incidents across the Union and provide real-time information to authorities and other relevant entities. EU Member States would designate national cyber hubs, and the cross-border hubs would consist of three or more national hubs.
- The Cybersecurity Emergency Mechanism would be established to support EU Member States and other users in preparing for, responding to, mitigating, and recovering from significant, large-scale, and large-scale-equivalent cybersecurity incidents. The Mechanism would provide support in three main areas:
  - preparedness actions, such as voluntary coordinated preparedness testing of entities operating in highly critical sectors;
  - the EU Cybersecurity Reserve, consisting of incident response services from trusted providers in case of significant, large-scale, or large-scale-equivalent cybersecurity incidents; and
  - financial support for mutual assistance between national authorities in cross-border situations.
- The European Cybersecurity Incident Review Mechanism would mandate ENISA, upon request, to review and assess threats, known exploitable vulnerabilities and mitigation actions with respect to a specific significant or large-scale cybersecurity incident. Following the review and assessment, ENISA would prepare an incident review report and submit it to the relevant parties.
Who?
- Entities in critical sectors, in particular, could benefit from the support and resources that would be made available under the cybersecurity framework proposed in the Act.
Timeline
- The European Commission proposed the new Regulation on 18 April 2023. The legislative process is currently ongoing, and the Act still needs to be formally adopted before it enters into force.