Brussels – Solidarity and joint management of cyber incidents and attacks on member states’ critical infrastructure. The Council of the European Union gave today (Dec. 2) the final green light to the Cyber Solidarity Act to strengthen coordination and capacity to detect, prepare for, and respond to increasingly frequent cyber threats.
The new law—proposed by the European Commission on April 18, 2023—focuses on establishing mechanisms for cooperation between national authorities and cross-border security hubs. First, it sets up a “cybersecurity alert system,” a pan-European infrastructure composed of national and cross-border cyber hubs across the EU, a sort of European cyber shield, which will have leading-edge technologies, such as artificial intelligence and advanced data analytics, at its disposal to detect and share early warnings about cross-border cyber threats and incidents.
The new regulation also provides for the creation of a cybersecurity contingency mechanism to increase preparedness and improve incident response capabilities in the community. The mechanism will support preparedness actions, including testing potential vulnerabilities of entities in highly critical sectors (such as health, transportation, and energy) based on common risk scenarios and methodologies. That’s not all: the mechanism will establish an EU cybersecurity reserve, which member states—but also EU institutions, bodies and agencies, and associated third countries—will be able to call to the rescue in the event of a significant or large-scale cybersecurity incident.
To evaluate the effectiveness of the cyber emergency mechanism and the use of the security reserve, the Cyber Solidarity Act puts in place an incident review mechanism, which will also oversee the contribution of this legislation to strengthening the competitive position of industry and service sectors. Member countries also gave the okay to a targeted amendment to the Cybersecurity Act, which will allow the future adoption of European certification schemes for so-called “managed security services.” These services may consist, for example, of incident management, penetration testing, security audits, and consulting related to technical support.
After signature by the presidents of the Council of the EU and the European Parliament, both pieces of legislation will be published in the Official Journal of the EU in the coming weeks and will enter into force 20 days after publication.
English version by the Translation Service of Withub