EU member states have reached a common position on the planned Cyber Solidarity Act, aimed at making Europe more resilient and reactive in the face of cyber threats.
The aim of the draft legislation is to support the detection and awareness of significant or large-scale cyber security threats and incidents, to bolster preparedness, and to protect critical infrastructure and essential services such as hospitals and public utilities.
It's also intended to boost cooperation between member states in the event of a union-wide security incident and improve coordinated crisis management and response capabilities.
EU lawmakers hailed the announcement as a vital piece of legislation that will create a more robust security landscape for member states and organizations across the union.
"Today’s agreement is another step to improve cyber resilience in Europe," said José Luis Escrivá, Spanish minister for digital transformation.
"It will certainly strengthen EU’s and member states’ capabilities to prepare, prevent, respond, and recover from large-scale cyber threats and attacks in a more efficient and effective manner."
Cyber Solidarity Act looks to ‘shield’ EU from threats
A major feature of the draft legislation is the creation of a 'European cyber shield', a pan-European infrastructure composed of national and cross-border security operations centers (SOCs) across the EU.
These will use artificial intelligence (AI) and advanced data analytics to detect and share warnings on cyber threats and incidents across borders. There are also plans for the creation of a cyber emergency mechanism to increase preparedness and enhance incident response capabilities.
This will include testing entities in highly critical sectors, such as healthcare, transport, and energy, to probe for potential vulnerabilities based on common risk scenarios, lawmakers said.
Similarly, a new EU ‘cyber security reserve’ will be set up consisting of incident response services from trusted private sector providers, all of which pre-contracted so they're ready to intervene at the request of a member state or EU institution, body, or agency.
There are also plans for a mutual financial assistance fund aimed at enabling member states to offer financial aid to others in the event of a serious security incident.
RELATED RESOURCE
Achieve your zero trust goals and gain a solid SASE architecture
As part of the legislation, new mechanisms will be introduced to conduct reviews and assessments of large-scale cyber security incidents after they have taken place.
ENISA, the EU’s cyber security agency, will play a key role in supporting this aspect of the legislation, lawmakers said.
At the request of the European Commission or of national authorities, the security agency will conduct reviews of certain incidents and deliver reports to relevant governmental departments.
Cyber Solidarity Act changes align with NIS2
The new common position introduces a few, mostly minor, changes to the draft legislation. In particular, it clarifies terminology and adapts the text to member states’ specificities, particularly around the SOCs and the cyber shield.
Meanwhile, definitions have been modified and aligned with other legislation, such as the recently-revised Network and Information Security Directive (NIS2).
ENISA’s role has also been reinforced and clarified throughout the text, and improvements have been introduced around procurement, funding, information sharing, and the incident review mechanism.
The next step in the process is for the incoming presidency to start negotiating with the European Parliament on a final version of the proposed legislation.
-
Apple, Meta hit back at EU after landmark DMA finesNews The European Commission has issued its first penalties under the EU Digital Markets Act (DMA), fining Apple €500 million and Meta €200m.
-
‘Europe could do it, but it's chosen not to do it’: Eric Schmidt thinks EU regulation will stifle AI innovation – but Britain has a huge opportunityNews Former Google CEO Eric Schmidt believes EU AI regulation is hampering innovation in the region and placing enterprises at a disadvantage.
-
The EU just shelved its AI liability directive
News The European Commission has scrapped plans to introduce the AI Liability Directive aimed at protecting consumers from harmful AI systems.
-
A big enforcement deadline for the EU AI Act just passed – here's what you need to know
News The first set of compliance deadlines for the EU AI Act passed on the 2nd of February, and enterprises are urged to ramp up preparations for future deadlines.
-
The EU's 'long-arm' regulatory approach could create frosty US environment for European tech firmsAnalysis US tech firms are throwing their toys out of the pram over the EU’s Digital Markets Act, but will this come back to bite European companies?
-
EU AI Act risks collapse if consensus not reached, experts warnAnalysis Industry stakeholders have warned the EU AI Act could stifle innovation ahead of a crunch decision
-
Three quarters of UK firms unprepared for NIS2 regulations, study findsNews Senior management can be held personally liable for non-compliance under NIS2 rules
-
US-UK data bridge: Everything you need to knowNews The US-UK data bridge will ease the complexity of transatlantic data transfers
