EU Cyber package:

Proposal for an EU Cyber Solidarity Act

Background

On Tuesday 18 April the European Commission presented the final cybersecurity package of its term.

After Russia invaded Ukraine in February 2022, EU ministers decided Europe needed to do more to withstand large-scale cyberattacks. The ambition is to give more powers to EU and national cyber response groups to counter attacks and to better train cyber professionals.

This package including the EU Cyber Solidarity Act is backed with €1.1 billion in funding, two-thirds of which will come from its research and innovation program, Digital Europe.

Overview of the initiative

This “EU Cybersolidarity Act” package includes:

• A European Cybershield enhancing cross-border Security Operations Centres (SOCs)
• A Cyber Emergency Mechanism and Cybersecurity Incident Review Mechanism based on the EU-CyCLONe cooperation network, the CSIRTs Network.
• A virtual academy to gather funding programmes and trainings
• Amendment to the Cyber Security Act (CSA) for highly critical and sensitive services

Brief analysis

EU Cyber Shield

The proposal for an EU Cyber Solidarity Act, will introduce a European Cyber Shield, comprising national and cross-border Security Operations Centres (SOCs) to monitor cyber threats using artificial intelligence and provide timely warnings. As a preparatory phase of the European Cyber Shield, in April 2023 the Commission has selected, under the Digital Europe Programme, three consortia of cross-border Security Operations Centres (SOC).

This EU Cyber Shield will be supported through the Digital Europe program and will be supplemented by national funding for the SOCs.

Moreover, according to the Commission artificial intelligence can support the early identification of cyberattacks. The European Cybersecurity Competence Center (ECCC) would be tasked to procure AI to provide to the national SOCs.

Cyber Emergency Mechanism

It also proposed a Cyber Emergency Mechanism, which will create an EU Cybersecurity Reserve consisting of incident response services from trusted providers pre-contracted and ready to intervene, at the request of a Member State or Union Institutions, bodies and agencies, in case of a significant or large-scale cybersecurity incident.

The proposal aims at selecting providers based on criteria like professional competence, how they protect sensitive information, whether they provide services in a local language and whether they obtain a EU CSA certificate for their services. ENISA is to map the services needed after consulting with Member states and the Commission.

Cybersecurity Incident Review Mechanism

It will gather the EU-CyCLONe cooperation network, the CSIRTs Network or the cyber agency ENISA to review cybersecurity incidents and their responses. ENISA could be requested by the Commission to deliver a report on lessons learned.

EU Cybersecurity Skills Academy

The proposal intends to tackle the cybersecurity skills gap by launching a “virtual” academy, which will bring together existing initiatives on a virtual platform, initially hosted on the Commission’s Digital Skills and Jobs platform. This would evolve to include a space for academia, training providers and industry to coordinate on education programs and funding, as well as monitor the evolution of the cybersecurity job market.

The Commission also plans to finance specific cybersecurity courses through Erasmus+.

Certification Schemes for Managed Security Services

The Commission's proposal plans to amend the Cybersecurity Act so that it can manage EU certification scheme for “highly critical and sensitive services” provided by cybersecurity companies, such as incident response, penetration testing, security audits and consultancies.

Certification of services was debated but not retained during the adoption phase of the Cybersecurity act in 2019. The co-legislators will now have time to delve into this option in light of the Cyber Solidarity Act.