
Brussels, 6 March 2024

The “Cyber Solidarity Act”, informally agreed upon with the Belgian Presidency of the Council on Wednesday, aims to build a more resilient, collective EU response against cyber-threats.

The legislative proposal seeks to bolster the European Union’s ability to detect, prepare for, and respond to cybersecurity threats and incidents. The proposal’s key objectives include strengthening EU-wide detection and situational awareness of cyber threats, enhancing preparedness and response capabilities for significant cybersecurity incidents, and fostering European technological sovereignty in cybersecurity.

These objectives would be primarily achieved through a pan-European network of National Cyber Hubs and by establishing a Cyber Emergency Mechanism and a European Cybersecurity Incident Review Mechanism.

During negotiations, MEPs advocated for sufficient funding for the EU Cybersecurity Reserve, which could play an important role in supporting Member States and EU institutions in dealing with large-scale cybersecurity incidents. They also pushed to ensure adequate support for the development of cybersecurity skills across the EU. This budget line will allow Cybersecurity competence centres to help Member States prepare against cyber threats.

Managed security services

A separate legislative proposal on managed security services, also agreed upon with the Council in the evening, aims to introduce EU cybersecurity certification schemes for outsourced services that support an organization’s cybersecurity risk management. The law comes in response to the increasing importance of managed security services in preventing and mitigating cybersecurity incidents. It seeks to prevent market fragmentation due to varying national certification schemes by establishing a unified European certification framework. The goal is to enhance trust in managed security services across the EU, supporting the overall cybersecurity posture and ensuring a high level of cybersecurity across Member States.

Quotes

Lead MEP on cyber solidarity Lina Gálvez Muñoz (S&D, ES) said:

“This agreement on the Cybersolidarity Act is a victory for our democracies in an increasingly digitised world. This regulation will protect our institutions and critical infrastructure by strengthening our capabilities to detect, prepare and respond to cyber threats and cyber attacks through cooperation between Member States.”

“I am proud to have led these negotiations with the Council, creating a cooperative tool to defend our citizenship, our democracies and our infrastructures. We have worked tirelessly in Parliament to ensure that this regulation aims at the coordinated development of cybersecurity capabilities and helps to close cybersecurity skills gaps,” she added.

Lead MEP on managed security services, Josianne Cutajar (S&D, MT), said:

“This agreement paves the way for a democratic and transparent cybersecurity certification scheme for managed security services that avoids market fragmentation.”

“This provisional agreement recognises the importance of supporting SMEs in light of the implementation of the new act, such as through more financial and technical support, a clearer definition of managed security services, and acknowledging the challenges posed by the existing skills gap. By setting up this clear framework, we are increasing transparency in the process of the certification of the schemes, ensuring the participation of the European Parliament and strengthening security within the EU for the many, not just the few,” she added.

Next steps

Both pieces of legislation will now have to be formally endorsed by both Parliament and Council in order to become law. The Industry, Research and Energy committee will hold a vote on the texts in the coming weeks. Parliament as a whole will then hold its vote during the 22-25 April plenary session in Strasbourg.

Background

A briefing from the European Parliament’s research service highlights that Russia’s war against Ukraine has revealed the extent of our dependence on digital technology and the fragility of the digital space. It has triggered a surge in cyberattacks that have been particularly disruptive when targeting critical infrastructure – such as energy, health or finance – because of the increasing reliance on information technology, rendering this infrastructure all the more vulnerable. Against this backdrop, the Commission has proposed a regulation on a cyber solidarity act that would address the urgent need to strengthen solidarity and the EU’s capacity to detect, prepare for and respond to cybersecurity threats and incidents.

Source – EU Parliament


EU Commission welcomes political agreement on Cyber Solidarity Act


Brussels, 6 March 2024

The Commission welcomes the political agreement reached last night between the European Parliament and the Council on the Cyber Solidarity Act, proposed by the Commission in April 2023.

The Cyber Solidarity Act will strengthen solidarity at EU level to better detect, prepare for and respond to cyberthreats and incidents. It comes at a crucial time for EU cybersecurity, as the cyber threat landscape in the EU continues to be impacted by geopolitical events.

The Cyber Solidarity Act includes three actions:

Firstly, the setting up of a European Cybersecurity Alert System, consisting of a network of National and Cross-border Cyber Hubs, which will leverage state-of-the-art tools and infrastructures, such as Artificial Intelligence and advanced data analytics, to swiftly detect cyber threats and incidents. This infrastructure will provide real-time situational awareness to authorities and other relevant entities, enabling them to effectively respond to such threats and incidents. In April 2023, two Member State consortia were formed to jointly procure and receive grants to operate and launch a pilot phase of such tools and infrastructures under the Digital Europe Programme.

Secondly, the Act also creates a Cybersecurity Emergency Mechanism that will enhance preparedness and response capabilities to significant and large-scale cyber incidents. The mechanism will support three main areas:

  1. Preparedness actions: to coordinate preparedness testing of entities operating in critical sectors, including health or energy, for potential vulnerabilities.
  2. A new EU Cybersecurity Reserve: to consist of incident response services from trusted providers ready to intervene at the request of Member States, European Union institutions, bodies or agencies or a third country associated to this specific action under the Digital Europe Programme, in case of significant or large-scale cybersecurity incidents.
  3. Financial support for mutual assistance: to support one Member State providing technical assistance to another Member State affected by a significant or large-scale cybersecurity incident.

Thirdly, the proposal also establishes a European Cybersecurity Incident Review Mechanism to review and assess significant or large-scale incidents after they have occurred with the aim of providing recommendations to improve the EU’s cybersecurity standing.

The European Parliament and the Council also reached an agreement on the amendment to the Cybersecurity Act. This amendment opens up the possibility of adopting European certification schemes for managed security services. It will help provide a framework for establishing trusted providers in the EU Cybersecurity Reserve under the Cyber Solidarity Act.

Managed security services play an important role in preventing and responding to cybersecurity incidents. However, they are also themselves a target for malicious actors who seek to gain access to the sensitive environments of their clients. The certification of such services will strengthen cybersecurity across the Union, promoting trust and transparency in the supply chain. This is crucial for businesses and critical infrastructure operators, who will have a clear benchmark when procuring cybersecurity services.

Next Steps

The agreement reached yesterday evening is now subject to formal approval by the European Parliament and the Council. Once formally adopted, the Cyber Solidarity Act will enter into force on the 20th day following its publication in the Official Journal.

The Cyber Solidarity Act will increase funding for cybersecurity actions under the Digital Europe Programme for the period 2025-2027.

Background

With the proposed EU Cyber Solidarity Act, the Commission responds to Member States’ calls to strengthen EU cyber resilience, and delivers on its commitment expressed in the 2022 Joint Cyber Defence Communication to prepare an EU Cyber Solidarity Initiative.

The Cyber Solidarity Act is one building block towards this goal, along with the Cyber Resilience Act and the NIS2 Directive. It builds on the 2020 EU Cybersecurity Strategy and the 2020 EU Security Union Strategy.

Alongside the Cyber Solidarity Act, the Commission published a proposal for a targeted amendment to the Cybersecurity Act to allow for the adoption of European cybersecurity certification schemes for managed security services.

The Commission also announced the Communication on the Cybersecurity Skills Academy, to close the cybersecurity talent gap as part of the 2023 European Year of Skills. The Academy will bring together various existing initiatives aimed at promoting cybersecurity skills and will make them available on an online platform, thereby increasing their visibility and boosting the number of skilled cybersecurity professionals in the EU.

For More Information

Cyber Solidarity Act web page

Proposal for a Cyber Solidarity Act

Factsheet: Cyber Solidarity Act

Quotes

I am pleased that we have an agreement on the Cyber Solidarity Act, which will allow us to better detect and respond to cyber threats across our Union. It represents the next step in building a collective resilience to the growing cyberthreats in the current geopolitical landscape.

Margrethe Vestager, Executive Vice-President for a Europe Fit for the Digital Age

The European way to a full Security Union requires going beyond cybersecurity preparedness to a fully operational cyber defence capacity. This is what we are achieving with the Cyber Solidarity Act, particularly with the EU Cyber Reserve, which will bring the best possible experts to manage large-scale cyberattacks.

Margaritis Schinas, Vice-President for Promoting our European Way of Life

The Cyber Solidarity Act is a crucial step to establish a European cyber shield. I welcome the agreement reached yesterday evening. Europe will now rely on a European Cybersecurity Alert System to detect cyber threats more quickly, and on a European cyber solidarity mechanism to support any Member States attacked, including through a European cyber reserve. With the European Cyber Solidarity Act we are enhancing the cyber operational cooperation at European level. For the security of our citizens.

Thierry Breton, Commissioner for Internal Market
Source – EU Commission