Negotiators from the EU Parliament, the Council of Ministers and the Commission agreed on the planned cyber solidarity law on Wednesday night. The aim is to establish and network national and cross-border security operations centers (“hubs”) across the EU in order to better detect, exchange information about and respond appropriately to digital threats using artificial intelligence (AI) and advanced data analysis. According to the Commission, this early warning system is intended to provide the authorities and other relevant bodies with “a real-time picture of the situation”. As early as April 2023, two consortia of member states were formed to procure and receive grants for the operation and start of a pilot phase of such instruments.
Advertisement
According to the agreement, the regulation launched by the Commission last year also establishes a mechanism for cyber emergencies. It is intended to improve preparedness and ability to respond to significant and large-scale IT attacks. This primarily involves precautionary measures including testing of facilities in highly critical sectors such as health, transport and energy with a focus on potential vulnerabilities based on common risk scenarios and methods. Furthermore, an EU cybersecurity reserve with emergency services from trusted certified providers should act as a rapid response force. These member states, EU institutions, bodies or agencies or even third countries can mobilize if they are associated with the “Digital Europe” program.
“Milestone for Europe's cyber resilience”
At the request of the Commission or national authorities, the EU Cybersecurity Agency (Enisa) will also be able to review certain cybersecurity incidents. It must then submit a report with findings and recommendations. Member states that provide technical assistance to another EU country in the event of a “significant or large-scale cybersecurity incident” should receive financial support from EU funds. At the same time, the committees agreed on an amendment to the Cybersecurity Act of 2019. It makes it possible to introduce European certification systems for security services. This is intended to help create a framework for establishing trustworthy providers for the security reserve within the framework of the Cyber Solidarity Act.
EU Internal Market Commissioner Thierry Breton welcomed the agreement as a “decisive step towards creating a European cyber shield”. The Belgian State Secretary for Digitalization, Mathieu Michel, spoke on behalf of the Council Presidency of a “new milestone for Europe’s cyber resilience”. The national governments urged in advance that the participation of EU countries in the new emergency system must be of their own free will. Parliamentary rapporteur Lina Gálvez emphasized that the agreement will improve the population's skills to defend against cyber attacks. This regulation is intended to help close skills and capacity gaps, “including gender-specific deficits”, given the low participation of women in the sector.
The agreement reached must now be approved by Parliament and the Council, which is considered a formality. Once adopted, the Cyber Solidarity Regulation will enter into force on the 20th day following its publication in the Official Journal. The European Court of Auditors warned in October that the project would make the EU's already confusing “cybersecurity galaxy” even more complex. In addition, the Council, with the help of the Commission and Enisa, revised and updated the existing manual on protecting the integrity of elections from a cybersecurity perspective. It now includes an updated threat landscape around foreign interference, information manipulation, disinformation and deepfakes, new case studies, and defense best practices such as sharing and awareness.
(mki)