Cyber Solidarity Act

On December 2, 2024, the Council of the European Union adopted two pivotal legislative measures aimed at bolstering the European Union’s (“EU”) cybersecurity framework, namely (1) the introduction of the Cyber Solidarity Act and (2) a targeted amendment to the Cybersecurity Act. Together, these laws represent a comprehensive approach to enhancing the EU’s collective resilience against escalating cyber threats whilst fostering an even stronger collaboration among Member States.

Key Features of the Cyber Solidarity Act

The Cyber Solidarity Act (the “Act”) introduces robust mechanisms designed to ensure the EU is better equipped to “detect, prepare for, and respond to cyber threats and incidents.”[1]

European Cybersecurity Alert System

Chief among the initiatives is the novel ‘European Cybersecurity Alert System’ (“Alert System”), an EU-wide network of national and cross-border ‘cyber hubs’. These hubs, supported by advanced technologies such as Artificial Intelligence (“AI”) and data analytic tools,[2] aim to implement real-time threat detection systems, pool and analyse cyber threat data, and facilitate information sharing across borders.[3] In addition to complementing and reinforcing the capabilities of key entities like CSIRTs and the EU-CyCLONe, the Alert System aims to produce high-quality, actionable cyber threat intelligence and aims to provide concrete recommendations to improve future responses.[4]

The Cybersecurity Emergency Mechanism

Another facet of the Act is the ‘Cybersecurity Emergency Mechanism’ (“Mechanism”)which is aimed to complement the Alert System and the cyber hubs, by enhancing the EU’s preparedness and response capabilities to cyber threats. Notably, a main component of the Mechanism is the inclusion of stress testing upon critical sectors such as healthcare, energy, and transport to identify and address potential vulnerabilities.[5] This is not the first instance of stress testing being introduced, as it has also been implemented under the Digital Operational Resilience Act, capturing Financial Entities within its scope (Read more here).

Additionally, the Mechanism establishes the ‘EU Cybersecurity Reserve’, a resource of private-sector incident response teams ready for deployment solely during significant, large-scale or large-scale-equivalent cybersecurity incidents.[6] The Mechanism also promotes ‘technical mutual assistance’, aimed at facilitating coordinated responses among Member States during emergencies. Furthermore, the ‘Incident Review Mechanism’ provides a structured evaluation process to assess the efficacy of response actions and the contributions of the cybersecurity reserve, cultivating a culture of continuous improvement in addressing cyber threats.

Amendments to the Cybersecurity Act

The targeted updates to the Cybersecurity Act reflect the increasing role of managed security services in the digital ecosystem. Key changes include:

Certification Framework for Managed Security Services

The new provisions pave the way for EU-wide certification of services such as penetration testing, security audits, and incident handling. These certifications aim to standardise and elevate the quality of services across Member States. Most importantly, fragmentation within the internal market will be reduced, given that some Member States have initiated the adoption of national certification schemes for managed security services.

Support for SMEs

Recognising the critical role of small and medium enterprises within the EU’s economy, the amendments ensure accessible European Certification Schemes and resources to encourage their participation in the cybersecurity ecosystem.

Concluding Remarks

It is to be noted that the dual legislative measures fall squarely within broader EU strategies, including:

1. Enhanced EU Cyber Posture: As detailed in recent Council conclusions, the emphasis on solidarity and shared capabilities reinforces the EU’s geopolitical and digital resilience​;
2. Alignment with the NIS2 Directive: The acts complement existing directives aimed at ensuring a high-level of cybersecurity across sectors critical to the EU’s economy and infrastructure​; and
3. Innovation and Research: Evidenced through mechanisms such as the ‘European Cybersecurity Competence Centre and Network’, the EU seeks to leverage cutting-edge technologies, including quantum computing and AI, to maintain its strategic edge.

The legislative acts are expected to come into effect 20 days post-publication in the EU’s Official Journal. Undoubtedly, their implementation marks a significant stride toward fortifying the EU’s digital resilience against an evolving cyberthreat landscape.

The Council of the European Union’s press release can be accessed here.