CyberItalia: The proposed Cyber Solidarity Act to strengthen European cooperation in the fight against cross-border cyber attacks

The Cyber Solidarity Act ranks alongside the Cyber Resilience Act as one of the most recent proposals in the European Commission's cyber resilience package. The package aims to enhance cooperation between Member States by establishing European law enforcement mechanisms against cross-border cyber attacks.

With the eighth article in the CyberItalia column, we delve into the main provisions and mechanisms for European solidarity that the Cyber Solidarity Act proposes to introduce following its approval.

As anticipated, the Cyber Solidarity Act (CSA) is an instrument aimed at strengthening the EU's capabilities to prevent, detect and respond to large-scale cyber threats and attacks with a cohesive and shared approach between states, especially when attacks affect several countries. Unlike other pieces of legislation (eg NIS2, DORA, CRA proposal) that include cross-border cooperation provisions in an incidental manner, in the CSA creating a European cooperation system becomes the central objective of the regulation.

When?

The proposal was presented by the EU Commission on 18 April 2023. Discussions within the EU Council and the Parliament on a first compromise text are still at a preliminary stage.

Who is it aimed at?

The proposal for a regulation is primarily aimed at introducing new mechanisms and infrastructures at the European level that support the strengthening of cybersecurity expertise in the EU, expanding the tasks and roles of the competent bodies already active in the field.

What does it provide for?

The proposed Cyber Solidarity Act aims to introduce:

• European Cyber Shield – the Cyber Shield is a pan-European infrastructure of national and cross-border SOCs (Security Operations Centres), which, working together, should ensure a uniform framework for monitoring and analysing possible cyber threats, speeding up alert and response times between different states.
  
  
• Cyber Emergency Mechanism – an emergency mechanism aims to:
• support preparatory actions, ie offering support in checking particular critical issues in crucial sectors such as health, transport, energy;
• establish an EU Cybersecurity Reserve, ie offering support and incident response services from trusted providers ready to intervene at the request of a Member State, EU institutions or bodies to support them in handling large-scale cyber incidents;
• promote mutual assistance between Member States in the event of a cyber attack.
  
  
• Cybersecurity Incident Review Mechanism – the Cybersecurity Incident Review Mechanism aims to review and assess ex-post significant or large-scale incidents by the EU-CyCLONe (Cyber Crisis Liaison Organisation Network), the network of CSIRTs and ENISA.

In parallel to the CSA, a Cybersecurity Skill Academy will also be established with the aim of increasing the number of qualified experts, bridging the skills gap between Member States.

On 5 October 2023, the European Court of Auditors (ECA) issued its opinion on the CSA, highlighting the risk that the envisaged mechanisms would not be economically viable in the long run, as well as making information sharing more difficult and the European cybersecurity landscape more complex.

The SCA could then undergo a new round of discussions and amendments, which should be concluded by the end of this year.