The EU Cyber Solidarity Act Is Coming: Here’s What it Means

The EU is not short on cybersecurity legislation. Over the past year, it has introduced laws covering smart devices, AI safety, financial services, “important” and “essential” entities, and security certifications. Yet, up until now, there’s been no continent-wide strategy to help prepare, detect, and respond to large-scale cyber incidents across the EU. Enter the EU Cyber Solidarity Act, which is set to gain significant momentum in 2025.

It promises a lot, but fortunately for most UK organisations, it will demand little from them.

Why We Need It

Although the European Commission proposed the Cyber Solidarity Act in April 2023, the seeds of its creation were planted a year ago when three consortia of cross-border Security Operations Centres (SOCs) were selected. It’s no coincidence that earlier that year, Russia invaded Ukraine. The menace of state-backed digital incursions and well-funded cybercrime groups operating with impunity from out-of-reach jurisdictions will indeed have solidified plans for the act.

As recognised by NIS 2, DORA, the Cybersecurity Act, the Cyber Resilience Act, the AI Act and other statutes, cyber-attacks represent a growing societal and economic threat to the EU. They could threaten the stability of the financial system and life-saving healthcare services, as witnessed by ransomware-related IT outages at hospitals across the region. They also threaten to spread misinformation and undermine elections, not to mention national security. And data breaches are fuelling a fraud epidemic. Payment fraud alone was worth €2bn in the first half of 2023, while the EU estimates cybercrime in general to cost €5.5 trillion annually. The latter is over a quarter of the EU’s total GDP.

According to Microsoft, these trends are converging. In its recent Digital Defense Report 2024, the tech giant warned that the lines between nation-state and cybercrime activity are increasingly blurring. This means more state actors motivated by financial gain, as with North Korea and Iran, and more state-sponsored groups using cybercrime tactics, techniques and procedures (TTPs). Perhaps most worrying, it also means state-backed hackers outsourcing operations to cybercrime groups, presumably for plausible deniability. Microsoft has already observed Kremlin hackers enlist the help of Storm-0593 to target Ukrainian organisations.

As geopolitical tensions rise and the threat landscape becomes more fluid and opaque, it’s only right that the EU looks to build a region-wide incident response and cyber-resilience apparatus.

What Will the Act Mandate?

There are three main elements to the act. It seeks to introduce:

A European Cybersecurity Shield: Also known as the European Cybersecurity Alert System, this will comprise a series of national and transnational Security Operations Centres (SOCs) across the bloc, designed to tap the power of AI and analytics to detect and share threat warnings.

A Cyber Emergency Mechanism: designed to enhance incident preparedness and response, primarily through an EU Cybersecurity Reserve. This will be composed of pre-selected “trusted providers” from the private sector that can be deployed at the request of the EU or member states to help out with major security incidents.

The Cyber Emergency Mechanism also promises to support the idea of mutual assistance between member states impacted by incidents. It further provides for the selection and periodic vulnerability testing of critical infrastructure sectors such as healthcare and finance, with the sectors to be tested chosen according to an EU-level common risk assessment.

A Cybersecurity Incident Review Mechanism: designed to assess and review serious incidents at the European Commission’s or national authorities’ request. Security agency ENISA will conduct the review and deliver a lessons-learned document containing recommendations for improving the bloc’s security posture.

Jeff Le, VP of global government affairs and public policy at third-party risk platform SecurityScorecard, tells ISMS.online that the initiative may need more than the €1.1bn (£920m) currently assigned to it.

“In the US, the mutual aid system is more mature and deserves significant consideration in the EU in the event of a catastrophic incident that cripples member states,” he adds.

“ENISA should take a role that is bolstered beyond programmes and look to increase its share of thought leadership. In particular, deeper partnerships with NIST and other global standard bodies to focus on supply chain resilience metrics, standards, and security frameworks are needed as a push for harmonisation comes into focus.”

Le adds that EU incident reporting could also benefit from closer alignment with global critical infrastructure incident reporting regimes such as the US CIRCIA process.

“Reporting should be more aligned, and a clear focus on what information is essential should be spelt out for policymakers and CISOs,” he argues. “Given recent issues with Volt and Salt Typhoon in critical infrastructure, there should also be a deeper emphasis on assessing telecommunications. While other sectors are mentioned, this vulnerable space is not.”

How to Get Ready for It

The act will demand little of most UK firms.

“Following Brexit, the UK will not be part of the cooperation mechanisms introduced by the Cyber Solidarity Act,” Sarah Pearce and David Dumont, partners at Hunton Andrews Kurth, tell ISMS.online.

“The act will not apply to all organisations, only those operating in highly critical sectors. At a minimum, organisations should stay up to date with developments and assess whether or not they fall within the scope of the legislation. Those that are within scope may be subject to ‘coordinated preparedness testing,’ so the CISO and other relevant internal teams will need to accommodate such testing within their governance programmes.”

However, the understanding of ISMS.online is that only critical infrastructure organisations with operations in the EU could be subject to these requirements.

Edward Machin, counsel at Ropes & Gray, also warns that if these tests reveal critical vulnerabilities to cyber threats, such organisations may be exposed to “wider enforcement and reputational risks” related to non-compliance with other EU cyber laws.

“CISOs in critical industry sectors that have been preparing for the EU’s other cyber laws should find that those preparations hold them in good stead for responding to potential testing requests that are made under the Cyber Solidarity Act,” he tells ISMS.online.

“Given that other EU cyber laws do and will have a greater impact for CISOs on a day-to-day basis, I would suggest focusing on those laws for the time being while keeping a watching brief on the act.”

The European Parliament and Council reached a provisional agreement on the legislation in March 2024, and the provisional text was published that same month. However, it’s unclear when lawmakers may formally adopt it. Expect plenty more to come in 2025.