The EU wants to strengthen its cyber resilience. Photo by TheDigitalArtist on Pixabay

Strasbourg, 18 April 2023

Today, the Commission has adopted a proposal for the EU Cyber Solidarity Act to strengthen cybersecurity capacities in the EU. It will support detection and awareness of cybersecurity threats and incidents, bolster the preparedness of critical entities, and reinforce solidarity, concerted crisis management and response capabilities across Member States. The Cyber Solidarity Act establishes EU capabilities to make Europe more resilient and reactive in the face of cyber threats, while strengthening existing cooperation mechanisms. It will contribute to ensuring a safe and secure digital landscape for citizens and businesses and to protecting critical entities and essential services, such as hospitals and public utilities.

The Commission has also presented a Cybersecurity Skills Academy, as part of the 2023 European Year of Skills, to ensure a more coordinated approach towards closing the cybersecurity talent gap, a prerequisite to boosting Europe’s resilience. The Academy will bring together various existing initiatives aimed at promoting cybersecurity skills and will make them available on an online platform, thereby increasing their visibility and boosting the number of skilled cybersecurity professionals in the EU.

Under the European Security Union, the EU is committed to ensuring that all European citizens and businesses are well protected, both online and offline, and to promoting an open, secure and stable cyberspace. Yet, the increasing magnitude, frequency and impact of cybersecurity incidents represent a major threat to the functioning of network and information systems and to the European Single Market. Russia’s military aggression against Ukraine has further exacerbated this threat, along with the multiplicity of state-aligned, criminal and hacktivist actors involved in current geopolitical tensions.

Building on a strong strategic, policy and legislative framework that is already in place, the proposed EU Cyber Solidarity Act and the Cybersecurity Skills Academy will further contribute to enhancing detection of cyber threats, resilience and preparedness at all levels of the EU’s cybersecurity ecosystem.

EU Cyber Solidarity Act

The EU Cyber Solidarity Act will strengthen solidarity at Union level to better detect, prepare for and respond to significant or large-scale cybersecurity incidents, by creating a European Cybersecurity Shield and a comprehensive Cyber Emergency Mechanism.

To detect major cyber threats quickly and effectively, the Commission proposes the establishment of a European Cyber Shield, a pan-European infrastructure composed of national and cross-border Security Operations Centres (SOCs) across the EU. These are entities tasked with detecting and acting on cyber threats. They will use state-of-the-art technology, such as artificial intelligence (AI) and advanced data analytics, to detect and share timely warnings on cyber threats and incidents across borders. In turn, authorities and relevant entities will be able to respond more efficiently and effectively to major incidents.

These centres could be operational by early 2024. As a preparatory phase of the European Cyber Shield, in April 2023 the Commission selected, under the Digital Europe Programme, three consortia of cross-border Security Operations Centres (SOCs), bringing together public bodies from 17 Member States and Iceland.

The EU Cyber Solidarity Act also includes the creation of a Cyber Emergency Mechanism to increase preparedness and enhance incident response capabilities in the EU. It will support:

  • Preparedness actions, including testing entities in highly critical sectors (healthcare, transport, energy, etc.) for potential vulnerabilities, based on common risk scenarios and methodologies.
  • Creating a new EU Cybersecurity Reserve consisting of incident response services from trusted providers pre-contracted and therefore ready to intervene, at the request of a Member State or Union Institutions, bodies and agencies, in case of a significant or large-scale cybersecurity incident.
  • Providing financial support for mutual assistance, where a Member State could offer support to another Member State.

Moreover, the proposed Regulation establishes the Cybersecurity Incident Review Mechanism to enhance Union resilience by reviewing and assessing significant or large-scale cybersecurity incidents after they have taken place, drawing lessons learned and, where appropriate, issuing recommendations to improve the Union’s cyber posture.

The total budget for all actions under the EU Cyber Solidarity Act is EUR 1.1 billion, of which about 2/3 will be financed by the EU through the Digital Europe Programme.

EU Cybersecurity Skills Academy

The EU Cybersecurity Skills Academy will bring together private and public initiatives aimed at boosting cybersecurity skills at European and national levels, making them more visible and helping to close the talent gap for cybersecurity professionals.

The Academy will initially be hosted online on the Commission’s Digital Skills and Jobs Platform. Citizens interested in pursuing a career in cybersecurity will be able to find training and certifications from across the EU in a single place online. Stakeholders will also be able to pledge their support to improve cybersecurity skills in the EU by initiating specific actions, such as offering cybersecurity training and certifications.

The Academy will evolve to include a common space for academia, training providers and industry, helping them to coordinate education programmes, training and funding, and to monitor the evolution of the cybersecurity job market.

Certification Schemes for Managed Security Services

The Commission has also proposed today a targeted amendment to the Cybersecurity Act, to enable the future adoption of European certification schemes for ‘managed security services’. These are highly critical and sensitive services provided by cybersecurity service providers, such as incident response, penetration testing, security audits and consultancy, which assist companies and other organisations in preventing, detecting, responding to or recovering from cyber incidents.

Certification is key and can play an important role in the context of the EU Cybersecurity Reserve and the Directive on measures for a high common level of cybersecurity across the Union (NIS 2 Directive), also facilitating the cross-border provision of these services.

Next Steps

The European Parliament and the Council will now examine the proposed Regulation on the EU Cyber Solidarity Act, as well as the targeted amendment to the Cybersecurity Act.

The European Cybersecurity Competence Centre will organise a joint procurement of tools and infrastructures with the selected cross-border Security Operations Centres to build cyber detection capabilities.

The EU Cybersecurity Agency (ENISA) and the European Cybersecurity Competence Centre will continue working on cybersecurity skills, contributing to the implementation of the Cybersecurity Skills Academy, in line with their respective mandates, and in close cooperation with the Commission and the Member States.

The Commission proposes that the Academy takes the shape of a European digital infrastructure consortium (EDIC), a new legal framework to implement multi-country projects. This possibility will now be discussed with Member States.

It is also necessary to ensure that professionals undertake the required quality training. In this regard, ENISA will develop a pilot project exploring the set-up of a European attestation scheme for cybersecurity skills.

Background

With the proposed EU Cyber Solidarity Act, the Commission responds to the Member States’ call to strengthen EU cyber resilience, and delivers on its commitment expressed in the recent Joint Cyber Defence Communication to prepare an EU Cyber Solidarity Initiative.

The EU Cyber Solidarity Act and the Cybersecurity Skills Academy build upon the EU Cybersecurity Strategy as well as the EU’s legislative framework to bolster the EU’s collective resilience against increasing cybersecurity threats. This includes the Directive on measures for a high common level of cybersecurity across the Union (NIS 2) and the Cybersecurity Act.

Questions and Answers: Cyber: towards stronger EU capabilities for effective operational cooperation, solidarity and resilience

EU Cyber Solidarity Act

What are the objectives of the proposal for a Cyber Solidarity Act?

In line with the Council Conclusions on the EU’s Cyber Posture of May 2022 and as announced in the Joint Cyber Defence Communication, the Commission has proposed an EU Cyber Solidarity Act.

The EU Cyber Solidarity Act includes a series of actions to strengthen solidarity and enhance coordinated EU detection and situational awareness, while at the same time supporting Member States’ preparedness and response capabilities to significant or large-scale cybersecurity incidents, through:

  • The European Cyber Shield, which will consist of a pan-European infrastructure of Security Operations Centres (SOCs), to build and enhance coordinated detection and situational awareness capabilities.
  • The Cybersecurity Emergency Mechanism to support Member States in preparing for and responding to major or large-scale cybersecurity incidents.
  • The Cybersecurity Incident Review Mechanism to review and assess significant or large-scale incidents.

The Cyber Solidarity Act will be supported by a total of €1.1 billion, of which about 2/3 will come from the EU budget.

How will the European Cyber Shield work?

The European Cyber Shield will consist of a pan-European infrastructure that connects Security Operations Centres (SOCs) spread across the EU.

It will strengthen capacities to analyse, detect and prevent cyber threats and to support the production of high-quality intelligence on cyber threats. This will be done using state-of-the-art tools, such as artificial intelligence (AI) and advanced data analytics. These tools will be jointly procured by the European Cybersecurity Competence Centre (ECCC) in collaboration with national or cross-border SOCs.

National SOCs will make up the building blocks of the European Cyber Shield. These will be public bodies, designated by Member States, acting as gateways to other public and private organisations at national level for collecting and analysing information on cybersecurity threats and incidents.

The European Cyber Shield will ultimately be made up of several cross-border SOC platforms, each grouping together national SOCs from at least three Member States. Support from the Digital Europe Programme (DEP) will supplement national funding for the SOCs.

The first phase of establishing the European Cyber Shield is ongoing following a Call for Expression of Interest for cross-border SOCs under the DEP Cybersecurity Work Programme 2021-2022.

The European Cyber Shield will build upon and complement the work of existing SOCs, Computer Security Incident Response Teams (CSIRTs) and other relevant actors.

What is a Security Operations Centre (SOC)?

The EU Cybersecurity Strategy proposes to build, strengthen and interconnect cyber threat intelligence (CTI) capabilities across the European Union. Such capabilities involve monitoring, detection and analysis to prevent cyber threats and provide timely warnings to authorities and all relevant stakeholders.

These capabilities are typically ensured by public or private Security Operations Centres (SOCs). These centres work together with Computer Emergency Response Teams/Computer Security Incident Response Teams (CERTs/CSIRTs) and they are supported by external, specialised sources of intelligence on cyber threats.

SOCs may include any entity or team tasked with detecting and acting on cyber threats.

The European Cyber Shield will be made up of National SOCs, which are public bodies designated by Member States to fill this role at national level, as well as cross-border SOCs consisting of at least three national SOCs working together to pool cyber threat intelligence.

How will the Cybersecurity Emergency Mechanism work?

The Cybersecurity Emergency Mechanism will strengthen the EU’s preparedness and response to cybersecurity incidents. The support from the Mechanism is complementary to national resources and capabilities and other forms of support available at Union level.

The Mechanism includes:

  • Preparedness actions, including testing entities operating in highly critical sectors (healthcare, transport, energy, etc.) for potential vulnerabilities. The Commission, after consulting the NIS Cooperation Group and ENISA, the EU Agency for Cybersecurity, will identify sectors and sub-sectors from which entities should be eligible to receive financial support for coordinated testing. EU funding will also support other preparedness actions not covered by coordinated testing.
  • Support for incident response and immediate recovery from significant and large-scale cybersecurity incidents. Support will be provided through the EU Cybersecurity Reserve with services from trusted private providers. Such services include, among others, incident analysis or incident response coordination. In case of significant or large-scale cyber-incidents, at the request of Member States, these actions will support the response and immediate recovery of essential services.
  • Mutual assistance between national authorities for situations when a Member State dispatches experts to assist another Member State in mitigating a cybersecurity incident.

What is preparedness under the Cyber Solidarity Act?

Cybersecurity preparedness means a state of readiness and capability enabling an effective rapid response to a significant or large-scale cybersecurity incident. This can be ensured through risk assessment for potential vulnerabilities and monitoring actions taken in advance.

The increasing impact of cybersecurity incidents represents a major threat to the functioning of technology and to the Single Market as a whole. The quickly evolving threat landscape demands stronger preparedness at all levels of the EU’s cybersecurity ecosystem.

The preparedness actions proposed in the Regulation promote a consistent approach and the strengthening of security across the EU and its internal market. Member States would receive support for testing and assessing entities operating in highly critical sectors. The sectors or subsectors will be selected at the EU level to ensure coordinated action.

In addition, the Regulation proposes support for other preparedness actions, not covered by the coordinated testing of entities operating in highly critical sectors. Those actions could cover support to various types of other national preparedness activities.

What is testing under the Cyber Solidarity Act?

The Cybersecurity Emergency Mechanism includes the cybersecurity testing of entities operating in highly critical sectors (healthcare, energy, transport, etc.) for potential vulnerabilities based on EU risk assessments and methodologies developed by the NIS Cooperation Group in cooperation with the Commission, ENISA, and the High Representative for the Common Foreign and Security Policy.

The selection of sectors and development of risk scenarios should take into account relevant EU-wide risk assessments and risk scenarios.

What are risk assessments and risk scenarios and what is their role?

The assessment of cybersecurity risks is fundamental in order to define the adoption of appropriate security measures to prevent and prepare for a cybersecurity incident.

Risk assessment is a process consisting of risk identification, risk analysis and risk evaluation. A risk scenario is a visualisation of a potential sequence of events that might have an adverse impact on the functioning of network and information systems and on the EU as a whole.

For the purpose of selecting sectors from which entities should be subject to the coordinated preparedness testing, the EU Cyber Solidarity Act builds on a number of relevant EU-wide risk assessments and risk scenarios, such as the ongoing risk assessment of the communications and network infrastructure in the Union following the Joint Ministerial Call of Nevers, and the risk evaluation conducted and risk scenarios built following the Council Conclusions on developing the Union’s Cyber Posture.

Which services and entities will make up the EU Cybersecurity Reserve?

The aim of the EU Cybersecurity Reserve is to support response actions and provide immediate support to recover from significant and large-scale cybersecurity incidents.

The EU Cybersecurity Reserve will consist of services from a selected pool of trusted private companies providing managed security services, such as incident analysis or incident response coordination. These companies will be ready and can be mobilised to support Member States in case of significant and large-scale cybersecurity incidents affecting entities covered by the Directive on measures for a high common level of cybersecurity across the Union (NIS 2 Directive).

The providers of these services will be selected in a procurement procedure. The Cyber Solidarity Act sets out a series of principles and selection criteria that should be followed during such procedure. In order to support the Commission in establishing the EU Cybersecurity Reserve, ENISA, after consulting Member States and the Commission, will prepare a mapping of the services needed for the EU Cybersecurity Reserve.

How can the Member States make use of the EU Cybersecurity Reserve?

Upon the request of the Member States, the EU Cybersecurity Reserve will assist competent authorities in responding to significant or large-scale cybersecurity incidents, and in immediately recovering from such incidents.

The support from the EU Cybersecurity Reserve is complementary to national mitigating measures and support actions. Therefore, to receive support, the competent authority should also itself provide to the affected entity direct technical assistance, and other resources to assist the response and immediate recovery efforts.

How will the support for incident response work?

Once the Member State’s request for support from the EU Cybersecurity Reserve is transmitted to the Commission and ENISA, the Commission, with the support of ENISA, will assess it without delay. If the support is granted, the trusted service providers that form the EU Cybersecurity Reserve will offer support to Computer Security Incident Response Teams (CSIRTs) and other national competent authorities responsible for cyber crisis management. They will be able to use it to support entities operating in critical or highly critical sectors, according to the NIS 2 Directive, that are affected by the cybersecurity incident. The incident response services will complement the national efforts to respond to significant and large-scale incidents.

Support may also be provided to the EU institutions, bodies and agencies and should be complementary to efforts already made by the EU institutions to respond to a significant or large-scale incident.

What is the procedure for selecting trusted service providers?

The services from trusted private service providers for the Cybersecurity Reserve will be purchased via a procurement procedure. The Cyber Solidarity Act provides for certain procurement principles and selection criteria for such providers, including:

  • the highest degree of professional competence to provide the services;
  • a framework to protect sensitive information;
  • proof of transparent governing structure, demonstrating integrity and absence of conflict of interest;
  • security-cleared personnel;
  • secure IT systems;
  • attestable previous experience delivering services to national authorities and entities operating in the critical and highly critical sectors in the Union;
  • availability and agility;
  • providing the service in the local language;
  • certification at the EU level once a European cybersecurity certification scheme for managed security service providers is in place.

What is the Incident Review Mechanism?

According to the proposed Cyber Solidarity Act, the Cyber Crisis Liaison Organisation Network (EU-CyCLONe), the CSIRTs network, or the Commission may request that ENISA reviews and assesses a specific potential or ongoing significant or large-scale cybersecurity incident.

When reviewing and assessing a specific incident, ENISA shall collaborate with relevant stakeholders, including representatives from the private sector, Member States and the Commission. ENISA will also consult managed security services providers, entities affected by cybersecurity incidents, and other relevant entities.

After a review and assessment of an incident, ENISA shall deliver an incident review report to EU-CyCLONe, the CSIRTs network and the Commission. In the report, ENISA shall address the main causes and vulnerabilities of the cybersecurity incident, as well as lessons learned and, where appropriate, recommendations to improve the Union’s cyber posture.

Can non-EU countries receive support from the EU Cybersecurity Reserve?

Taking into account the unpredictable nature of cybersecurity attacks and the fact that they are often not contained in a specific geographical area and pose a high risk of spill-over, the incident response support from the EU Cybersecurity Reserve will be made available to third countries associated with the Digital Europe Programme, in accordance with their respective association agreements to the programme.


EU Cybersecurity Skills Academy

What are the specific objectives of the Cybersecurity Skills Academy?

The Cybersecurity Skills Academy will increase the visibility of cybersecurity skills initiatives and help boost the number of skilled cybersecurity professionals in the EU, to tackle the gap in cybersecurity professionals across the Member States.

The Academy will:

  • Work towards a common baseline for cybersecurity career profiles and the associated skills. It will provide clarity on cybersecurity training and certifications to increase the number of cybersecurity professionals in Europe. It is also necessary to ensure that professionals undertake the required quality training. With this in mind, the Commission will launch a pilot project to set up a European attestation system for cybersecurity skills.
  • Ensure better channelling and visibility of the available funding opportunities for cybersecurity skills-related activities to maximise their impact.
  • Call on stakeholders (e.g., companies, schools, universities and authorities) to take action by making concrete pledges to initiate specific actions, such as offering cybersecurity training and certifications, as well as integrating cybersecurity skills into their strategies.
  • Define indicators to monitor the evolution of the job market for cybersecurity professionals, allowing training providers (such as schools, universities and organisations) to adapt their training and curricula to market needs in a timely manner.

The Commission proposes that the Academy takes the shape of a European digital infrastructure consortium (EDIC), a new legal framework to implement multi-country projects. This possibility will now be discussed with Member States.

In the meantime, the Commission will create a single point of entry to the Academy through the Digital Skills and Jobs Platform, giving access to relevant information, activities and stakeholders within the scope of the Academy.

The EU Agency for Cybersecurity (ENISA) and the European Cybersecurity Competence Centre (ECCC) will support the implementation of the Cybersecurity Skills Academy in close cooperation with the Commission and Member States.

What kind of trainings will the Academy showcase?

Initially, the Academy will gather existing education and training opportunities and give them visibility on the Digital Skills and Jobs Platform.

Furthermore, the Commission will finance specific cybersecurity courses through Erasmus+: joint Bachelor and Master degree programmes, joint courses or modules, as well as intensive programmes combining online teaching with a short period of physical mobility.

As another example, in line with the Academy’s goals, ENISA will enhance its training offer by expanding its ‘train the trainer’ programme to public and private critical operators within the scope of the NIS 2 Directive.

The European Security and Defence Centre will also review its training offer, designed for the cyber defence workforce.

Why is it so important to have a single entry point in the EU?

There are numerous initiatives from public and private entities at European and national levels looking to boost the cybersecurity skills job market. Collecting and presenting them together on one page online would greatly increase their visibility and comparability. For one, a student or job seeker wishing to enter the cybersecurity field, or a professional wishing to upskill or reskill, may find it challenging to know where and how to start. An organisation looking for funding on cybersecurity skills has to navigate several pages to find the information it needs. Providing a single point of entry will make it easier for all those interested to access relevant information.

How will the Cybersecurity Skills Academy be funded?

Initially, the Cybersecurity Skills Academy will benefit from €10 million of dedicated EU budget under the Digital Europe Programme work programme 2023-2024.

The Cybersecurity Skills Academy will facilitate the visibility of funding on cyber skills from relevant EU programmes (such as DEP, RRF, InvestEU, the European Social Fund Plus).

Should the Academy take the shape of a European digital infrastructure consortium (EDIC), it will further facilitate pooling national and private resources, in close cooperation with the European Cybersecurity Competence Centre (ECCC) and the national coordination centres (NCCs).
