European Commission proposed on 18 April 2023 a regulation on the EU Cyber Solidarity Act to reinforce capacities in the EU to detect, prepare for and respond to the growing cybersecurity threats and attacks across the EU.

The proposal introduces:

• A  European Cyber Shield - a platform of national and cross-border Security Operations Centres (SOCs), aimed to improve the detection, analysis and response to cyber threats.
• A Cyber Emergency Mechanism to improve the preparedness and response to cybersecurity incidents by
  • testing preparedness in critical sectors for potential vulnerabilities;
  • creating an EU Cybersecurity Reserve, with incident response services from trusted providers, which can be deployed by Member States in case of significant or large-scale cybersecurity incidents;
  • providing financial support for mutual support between Member States.
• A Cybersecurity Incident Review Mechanism to assess and review significant or large-scale incidents. The EU Cybersecurity Agency (ENISA) should review such incidents at the request of the Commission or national authorities and report on lessons learned and recommendations.

The European Cyber Shield and Cyber Emergency Mechanism will be funded by the Digital Europe Programme (DEP). To allow this, the Cyber Solidarity Act would amend the Digital Europe Programme Regulation. The Total budget for the Cyber Solidarity Act, including Member States contributions, could amount to  € 1.1 billion.

In the Parliament, the file has been assigned to the Committee on Industry, Research and Energy (ITRE) and Lina Gálvez Muñoz (S&D, Spain) has been appointed as rapporteur. 

The European Economic and Social Committee (EESC) adopted its opinion on the Cyber Solidarity Act on 13 July 2023.

The Rapporteur published the Committee draft report on 4 September 2023. The draft report includes inter-alia:

• the importance of the proposal in achieving open strategic autonomy;
• the need for a coordinated governance and alignment with the NIS2 directive;
• importance of building trust among Member States to increase their participation and cooperation to allow exchange of information;
• budget should be ensured from the upcoming MFFs, to assure continuity of activities beyond 2027;
• there should be a clear governance definition, which should be aligned with the existing legislation;
• a need for better coordination among Member States and enhanced contribution of ENISA in coordination;
• Cyber Security Reserve could contribute to the development of industrial capacities in the EU. In this respect the criteria for  participation of the industry in the reserve should be clarified and technological sovereignty should be defined;
• for Cyber Emergency Mechanism there should be a certification scheme to be used for private providers;
• as far as incident review mechanism in concerned, the draft proposes to strengthen the role of ENISA and the private sector in the SOCs to verify if the industry supports the lessons-learned. Furthermore, ENISA funding should increase;
• the external dimension of the act should be subject to public scrutiny;
• there should be a stronger link with the EU Cybersecurity Skills Academy and more investment in skills in the sector, taking into consideration a balance between Member States, to avoid brain drain from one part of the EU into the other as a cause of salary differences. There should be special focus on women in this respect to narrow the gender gap and an increased role of the industry in skills development. 
• the importance of public awareness and increasing the Cybersecurity Culture;
• the urgency of the proposal and the need that it becomes operational as soon as possible.

The report is expected to be voted in ITRE Committee in November 2023.

In the Council, the Horizontal Working Party on Cyber Issues is examining the proposal. 

• EP Legislative Observatory, Procedure file on measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cybersecurity threats and incidents, 2023/0109(COD)
• European Parliament, Committee on Industry, Research and Energy draft report on the proposal for a regulation laying down measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cybersecurity threats and incidents, 2023/0109(COD)
• European Commission, Proposal for a Regulation of the European Parliament and of the Council laying down measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cybersecurity threats and incidents, COM(2023) 209
• European Economic and Social Committee, EESC Opinion: Cyber Solidarity Act, 13 July 2023

Author: Polona Car, Members' Research Service, legislative-train@europarl.europa.eu