Regulation on measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cybersecurity threats and incidents
In “A Europe Fit for the Digital Age”
On 18 April 2023, the European Commission proposed a regulation, the EU Cyber Solidarity Act, to reinforce capacities in the EU to detect, prepare for and respond to growing cybersecurity threats and attacks.
The proposal introduces:
- A European Cyber Shield: a platform of national and cross-border Security Operations Centres (SOCs), aimed at improving the detection, analysis and response to cyber threats.
- A Cyber Emergency Mechanism to improve preparedness and response to cybersecurity incidents by:
  - testing preparedness in critical sectors for potential vulnerabilities;
  - creating an EU Cybersecurity Reserve, with incident response services from trusted providers, which can be deployed by Member States in case of significant or large-scale cybersecurity incidents;
  - providing financial support for mutual assistance between Member States.
- A Cybersecurity Incident Review Mechanism to assess and review significant or large-scale incidents.
The European Cyber Shield and the Cyber Emergency Mechanism will be funded by the Digital Europe Programme (DEP). To allow this, the Cyber Solidarity Act would amend the DEP Regulation. The total budget for the Cyber Solidarity Act, including Member States' contributions, could amount to €1.1 billion.
In the Parliament, the file has been assigned to the Committee on Industry, Research and Energy (ITRE) and Lina Gálvez Muñoz (S&D, Spain) has been appointed rapporteur.
The rapporteur published the Committee draft report in September 2023.
The report was adopted in the ITRE Committee in December 2023. The committee's decision to enter into negotiations with the Council was confirmed by Parliament during the December plenary.
The ITRE committee report, inter alia:
- adds, to the objectives of the regulation, support for industrial capacity in the cybersecurity sector, particularly for microenterprises and SMEs, including start-ups, to contribute to open strategic autonomy and technological sovereignty, competitiveness and resilience in the sector, and to ensure strong Union capabilities, also in cooperation with international partners. To the specific objectives, it adds the development of skills and competencies of the workforce;
- adds clarity to the text by expanding certain definitions. For example, it includes a definition for a national SOC;
- requests that national SOCs be incorporated into existing cybersecurity infrastructures and governance, where possible;
- excludes entities established in countries that are not part of the Agreement on Government Procurement from participation in joint procurement on tools and infrastructures with a Hosting Consortium;
- promotes the exchange of cyber threat intelligence between public and private entities;
- requests that the Commission assess the functioning of the Cyber Emergency Mechanism annually;
- introduces flexibility to the provision of services through the EU cybersecurity reserve by allowing conversion of unused procured incident response services from trusted providers into exercises or training for dealing with incidents;
- empowers the Commission to adopt delegated acts to supplement the regulation, rather than giving it the prerogative of adopting implementing acts;
- limits the amount for the establishment and implementation of the EU Cybersecurity Reserve to €27 million to reduce the impact of the reduction of funding on other DEP priorities;
- requests more resources for ENISA to carry out additional tasks, without jeopardising other Union programmes, particularly the DEP;
- details the evaluation and review process for the regulation, which should take place every two years.
The Council adopted its negotiating mandate at the Coreper meeting in December 2023. The Council clarified the terminology and adapted it to the requests of Member States (in particular on SOCs, which are renamed 'Cyber Hubs', and the Cyber Shield, which is renamed the 'Cybersecurity Alert System'). The Council also revised the definitions to bring them into line with the NIS2 Directive. It clarified the interaction between the entities defined in the proposal and the existing structures, underlining that actions under the regulation will be complementary to the activities carried out by the CSIRTs network, the NIS Cooperation Group and EU-CyCLONe. In particular, the Council emphasised the voluntary nature of Member States' involvement throughout the text, stressing that national security remains the responsibility of the Member States. The Council also stressed the importance of confidentiality in the exchange of information across all three pillars.
The co-legislators reached a provisional agreement in March 2024.
The agreed text maintains the components of the initial Commission proposal: a European cybersecurity alert system, consisting of a network of national and cross-border 'cyber hubs' which will share information on cyber incidents; a cyber emergency mechanism containing a cybersecurity reserve, that is, a pool of private companies (including non-EU actors) offering support upon request to assist in the event of a significant cyber incident (available also to DEP-associated third countries); and a cybersecurity incident review mechanism. Parliament secured the addition of the development of skills, capabilities and competencies of the workforce to the specific objectives of the proposal, and an increase in the role and resources of ENISA, in particular with regard to the EU cybersecurity reserve. Parliament also secured a reduction in the relocation of funds foreseen for the cybersecurity reserve from the DEP specific objectives for digital skills and artificial intelligence, while ensuring a sufficient budget.
The provisional agreement was adopted by the ITRE committee in March 2024. The text was approved by Parliament in April 2024 with 470 votes in favour, 23 against and 86 abstentions. In November 2024, Parliament approved a corrigendum to the text. It still needs to be formally adopted by the Council before it can enter into force.
References:
- EP Legislative Observatory, Procedure file on measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cybersecurity threats and incidents, 2023/0109(COD)
- European Parliament, Committee on Industry, Research and Energy report on the proposal for a regulation laying down measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cybersecurity threats and incidents, 2023/0109(COD)
- European Parliament legislative resolution of 24 April 2024 on the proposal for a regulation of the European Parliament and of the Council laying down measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cybersecurity threats and incidents; Corrigendum to the position of the European Parliament adopted at first reading on 24 April 2024
- European Commission, Proposal for a Regulation of the European Parliament and of the Council laying down measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cybersecurity threats and incidents, COM(2023) 209
- Council of the European Union, Mandate for negotiations with the European Parliament, 20 December 2023
- Council of the European Union, Letter sent to the European Parliament with agreement on the compromise text, 20 March 2024
- European Economic and Social Committee, EESC Opinion: Cyber Solidarity Act, 13 July 2023
- Committee of the Regions, EU Cyber Solidarity Act and Digital Resilience, 29 November 2023
Further reading:
- European Parliament, Cyber solidarity act, legislative briefing, EPRS, February 2024
- European Parliament, Cyber solidarity act, at a glance, EPRS, April 2024
Author: Polona Car, Members' Research Service, legislative-train@europarl.europa.eu