Today, the Commission has adopted a proposal for the EU Cyber Solidarity Act to strengthen cybersecurity capacities in the EU.
It will support detection and awareness of cybersecurity threats and incidents, bolster preparedness of critical entities, as well as reinforce solidarity, concerted crisis management and response capabilities across Member States.
The Cyber Solidarity Act establishes EU capabilities to make Europe more resilient and reactive in front of cyber threats, while strengthening existing cooperation mechanism. It will contribute to ensuring a safe and secure digital landscape for citizens and businesses and to protecting critical entities and essential services, such as hospitals and public utilities.
The Commission has also presented a Cybersecurity Skills Academy, as part of the 2023 European Year of Skills, to ensure a more coordinated approach towards closing the cybersecurity talent gap, a pre-requisite to boosting Europe’s resilience. The Academy will bring together various existing initiatives aimed at promoting cybersecurity skills and will make them available on an online platform, thereby increasing their visibility and boosting the number of skilled cybersecurity professionals in the EU.
Under the European Security Union, the EU is committed to ensuring that all European citizens and businesses are well protected, both online and offline, and to promoting an open, secure and stable cyberspace. Yet, the increasing magnitude, frequency and impact of cybersecurity incidents represent a major threat to the functioning of network and information systems and to the European Single Market. Russia’s military aggression against Ukraine has further exacerbated this threat, along with the multiplicity of state-aligned, criminal and hacktivist actors involved in current geopolitical tensions.
Building on a strong strategic, policy and legislative framework that is already in place, the proposed EU Cyber Solidarity Act and the Cybersecurity Skills Academy will further contribute to enhancing detection of cyber threats, resilience and preparedness at all levels of the EU’s cybersecurity ecosystem.
EU Cyber Solidarity Act
The EU Cyber Solidarity Act will strengthen solidarity at Union level to better detect, prepare for and respond to significant or large-scale cybersecurity incidents, by creating a European Cybersecurity Shield and a comprehensive Cyber Emergency Mechanism.
To detect major cyber threats quickly and effectively, the Commission proposes the establishment of a European Cyber Shield, which is a pan-European infrastructure of composed of national and cross-border Security Operations Centres (SOCs) across the EU. These are entities tasked with detecting and acting on cyber threats. They will use state-of-the-art technology, such as artificial intelligence (AI) and advanced data analytics, to detect and share timely warnings on cyber threats and incidents across borders. In turn, authorities and relevant entities will be able to respond more efficiently and effectively to major incidents.
These centres could be operational by early 2024. As a preparatory phase of the European Cyber Shield, in April 2023 the Commission has selected, under the Digital Europe Programme, three consortia of cross-border Security Operations Centres (SOC), bringing together public bodies from 17 Member States and Iceland.
The EU Cyber Solidarity Act also includes the creation of a Cyber Emergency Mechanism to increase preparedness and enhance incident response capabilities in the EU. It will support:
- Preparedness actions, including testing entities in highly critical sectors (healthcare, transport, energy, etc.) for potential vulnerabilities, based on common risk scenarios and methodologies.
- Creating a new EU Cybersecurity Reserve consisting of incident response services from trusted providers pre-contracted and therefore ready to intervene, at the request of a Member State or Union Institutions, bodies and agencies, in case of a significant or large-scale cybersecurity incident.
- Providing financial support for mutual assistance, where a Member State could offer support to another Member State.
Moreover, the proposed Regulation establishes the Cybersecurity Incident Review Mechanism to enhance Union resilience by reviewing and assessing significant or large-scale cybersecurity incidents after they have taken place, drawing lessons learned and where appropriate, issuing recommendations to improve Union’s cyber posture.
The total budget for all actions under the EU Cyber Solidarity Act is of EUR 1.1 billion, of which about 2/3 will be financed by the EU through the Digital Europe Programme.
EU Cybersecurity Skills Academy
The EU Cybersecurity Skills Academy will bring together private and public initiatives aimed at boosting cybersecurity skills at European and national levels, making them more visible and helping to close the cybersecurity talent gap of cybersecurity professionals.
The Academy will initially be hosted online on the Commission’s Digital Skills and Jobs platform. Citizens interested in pursuing a career in cybersecurity will be able to find training and certifications from across the EU in a single place online. Stakeholders will also be able to pledge their support to improve cybersecurity skills in the EU by initiating specific actions, such as to offering cybersecurity trainings and certifications.
The Academy will evolve to include a common space for academia, training providers and industry helping them to coordinate education programmes, trainings, funding, and monitor the evolution of the cybersecurity job market.
Certification Schemes for Managed Security Services
The Commission has also proposed today a targeted amendment to the Cybersecurity Act, to enable the future adoption of European certification schemes for ‘managed security services’. These are highly critical and sensitive services provided by cybersecurity service providers, such as incident response, penetration testing, security audits and consultancy, to assist companies and other organisations prevent, detect, respond or recover from cyber incidents.
Certification is key and can play an important role in the context of the EU Cybersecurity Reserve and the Directive on measures for a high common level of cybersecurity across the Union (NIS 2 Directive), facilitating also the cross-border provision of these services.
The European Parliament and the Council will now examine the proposed Regulation on the EU Cyber Solidarity Act, as well as the targeted amendment to the Cybersecurity Act.
The European Cybersecurity Competence Centre will organise a joint procurement of tools and infrastructures with the selected cross-border Security Operations Centres to build cyber detection capabilities.
The EU Cybersecurity Agency (ENISA) and the European Cybersecurity Competence Centre will continue working on cybersecurity skills, contributing to the implementation of the Cybersecurity Skills Academy, in line with their respective mandates, and in close cooperation with the Commission and the Member States.
The Commission proposes that the Academy takes the shape of a European digital infrastructure consortium (EDIC), a new legal framework to implement multi-country projects. This possibility will now be discussed with Member States.
It is also necessary to ensure that professionals undertake required quality trainings. In this regard, ENISA will develop a pilot project, exploring the set-up of a European attestation scheme for cybersecurity skills.
With the proposed EU Cyber Solidary Act, the Commission responds to the Member States’ call to strengthen EU cyber resilience, and delivers on its commitment expressed in the recent Joint Cyber Defence Communication to prepare an EU Cyber Solidarity Initiative.
The EU Cyber Solidary Act and the Cybersecurity Skills Academy build upon the EU Cybersecurity strategy as well as the EU’s legislative framework to bolster the EU’s collective resilience against increasing cybersecurity threats. This includes the Directive on measures for a high common level of cybersecurity across the Union (NIS 2) and the Cybersecurity Act.