On March 6, negotiators for the European Parliament and the Council of the EU, under the Belgian Presidency, reached an informal (provisional) agreement on the Cyber Solidarity Act (CSoA), which aims to build a more resilient, collective EU response to cyber threats.
The legislative proposal seeks to bolster the European Union's ability to detect, prepare for, and respond to cybersecurity threats and incidents, the European Parliament's Committee on Industry, Research and Energy (ITRE) said. The committee added that the proposal's key objectives include strengthening EU-wide detection and situational awareness of cyber threats, enhancing preparedness and response capabilities for significant cybersecurity incidents, and fostering European technological sovereignty in cybersecurity.
These objectives would be achieved primarily through a pan-European network of National Cyber Hubs and by establishing a Cyber Emergency Mechanism and a European Cybersecurity Incident Review Mechanism.
During negotiations, MEPs advocated for sufficient funding for the EU Cybersecurity Reserve, which could play an important role in supporting member states and EU institutions in dealing with large-scale cybersecurity incidents. They also pushed to ensure adequate support for the development of cybersecurity skills across the EU; this budget line is intended to allow cybersecurity competence centres to help member states prepare for cyber threats.
“This agreement on the Cyber Solidarity Act is a victory for our democracies in an increasingly digitised world,” lead MEP on cyber solidarity Lina Galvez Munoz from Spain said on March 6. “This regulation will protect our institutions and critical infrastructure by strengthening our capabilities to detect, prepare and respond to cyber threats and cyber attacks through cooperation between member states,” she added.
Lead MEP on managed security services Josianne Cutajar, from Malta, said the agreement paves the way for a democratic and transparent cybersecurity certification scheme for managed security services that avoids market fragmentation.
“This provisional agreement recognises the importance of supporting SMEs in light of the implementation of the new act, such as through more financial and technical support, a clearer definition of managed security services, and acknowledging the challenges posed by the existing skills gap,” she said. “By setting up this clear framework, we are increasing transparency in the process of the certification of the schemes, ensuring the participation of the European Parliament and strengthening security within the EU for the many, not just the few,” Cutajar added.
A separate legislative proposal on managed security services, also agreed with the Council that same evening, aims to introduce EU cybersecurity certification schemes for outsourced services that support an organisation's cybersecurity risk management.
The law responds to the growing importance of managed security services in preventing and mitigating cybersecurity incidents, ITRE said, adding that it seeks to prevent the market fragmentation caused by diverging national certification schemes by establishing a unified European certification framework. The goal is to enhance trust in managed security services across the EU, supporting the overall cybersecurity posture and ensuring a high level of cybersecurity across member states.
Both texts must now be formally endorsed by both Parliament and Council in order to become law. The Industry, Research and Energy committee will vote on the texts in the coming weeks, and Parliament as a whole will then vote during the plenary session on April 22-25 in Strasbourg.
The Cyber Solidarity Act ranks alongside the Cyber Resilience Act (CRA) as one of the most recent proposals in the European Commission's cyber resilience package.
Lessons learned from cyber-attacks in Russia’s war against Ukraine
An earlier report for the European Parliament's Sub-Committee on Security and Defence, co-authored by Pavlina Pavlova, Public Policy Advisor at the CyberPeace Institute, and Stéphane Duguin, CEO of the CyberPeace Institute, assessed the lessons learned from the use of cyber operations in Russia's war against Ukraine.
The report positions the CRA as an important regulatory answer to a threat landscape in which the scope, sophistication and severity of cyber attacks and operations are all increasing. In this regard, the report, published in September 2023, states that: “Important lessons can be learned from the war in Ukraine and the cyber preparedness of the country's infrastructure, which has adopted horizontal approaches to cybersecurity. Cross-ecosystem consistency and coherence are crucial to avoid fragmentation of the EU's cyber ecosystem, and strengthen the cybersecurity of interconnected ICT products, services, and components. Vulnerability disclosure is an important part of both the proposed CRA and the adopted NIS2 Directive (on measures for a high common level of cybersecurity across the Union)”.
Notably, the vulnerability disclosure requirements in earlier drafts of the CRA were criticised in a joint letter from security experts in October 2023, which objected to manufacturers being required to report actively exploited, unpatched vulnerabilities to government agencies within 24 hours.