The European Parliament adopted by 470 votes to 23, with 90 abstentions, a legislative resolution on the proposal for a regulation of the European Parliament and of the Council laying down measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cybersecurity threats and incidents.

The European Parliament’s position adopted at first reading under the ordinary legislative procedure amends the proposal as follows:

Subject-matter and objectives

The proposed Regulation lays down measures to strengthen capacities in the Union to detect, prepare for and respond to cybersecurity threats and incidents , in particular through the following actions:

- the establishment of a pan-European network of Cyber Hubs (‘European Cybersecurity Alert System’) to build and enhance coordinated detection and common situational awareness capabilities;

- the establishment of a Cybersecurity Emergency Mechanism to support Member States and other users in preparing for, responding to, mitigating the impact of and initiating recovery from significant, large-scale and large-scale equivalent cybersecurity incidents;

- the establishment of a European Cybersecurity Incident Review Mechanism to review and assess significant or large-scale incidents.

This Regulation pursues the general objectives of reinforcing the competitive position of industry and service sectors in the Union across the digital economy, including microenterprises and small and medium-sized enterprises as well as start-ups, and of contributing to the Union’s technological sovereignty and open strategic autonomy in the area of cybersecurity, including by boosting innovation in the Digital Single Market. It pursues those objectives by strengthening solidarity at Union level , reinforcing the cybersecurity ecosystem, enhancing Member States' cyber resilience and developing the skills, know-how, abilities and competencies of the workforce in relation to cybersecurity.

This Regulation is without prejudice to the Member States’ essential State functions, including ensuring the territorial integrity of the State, maintaining law and order and safeguarding national security. In particular, national security remains the sole responsibility of each Member State.

Establishment of the European Cybersecurity Alert System

A pan-European network of infrastructure that consists of National Cyber Hubs and Cross-Border Cyber Hubs joining on a voluntary basis, the European Cybersecurity Alert System should be established to support the development of advanced capabilities for the Union to enhance detection, analysis and data processing capabilities in relation to cyber threats and the prevention of incidents in the Union.

Where a Member State decides to participate in the European Cybersecurity Alert System, it should designate or, where applicable, establish a National Cyber Hub.

National Cyber Hubs may cooperate with private sector entities to exchange relevant data and information for the purpose of detecting and preventing cyber threats and incidents, including with sectoral and cross-sectoral communities of essential and important entities. Where appropriate and in accordance with national and Union law, the information requested or received by National Cyber Hubs may include telemetry, sensor and logging data.

Cross-Border Cyber Hubs

Where at least three Member States are committed to ensuring that their National Cyber Hubs work together to coordinate their cyber-detection and threat monitoring activities, those Member States may establish a Hosting Consortium.

A Cross-Border Cyber Hub should be a multi-country platform established by a written consortium agreement. It should bring together in a coordinated network structure the National Cyber Hubs of the Hosting Consortium’s Member States. It should be designed to enhance the monitoring, detection and analysis of cyber threats, to prevent incidents and to support the production of cyber threat intelligence, notably through the exchange of relevant and, where appropriate, anonymised data and information, as well as through the sharing of state-of-the-art tools and jointly developing cyber detection, analysis and prevention and protection capabilities in a trusted environment.

Emergency mechanism

A Cybersecurity Emergency Mechanism should be established to support improvement of the Union’s resilience to cyber threats and prepare for and mitigate, in a spirit of solidarity, the short-term impact of significant, large-scale and large-scale-equivalent cybersecurity incidents.

The Cybersecurity Emergency Mechanism should support the following types of actions: (i) preparedness actions, namely the coordinated preparedness testing of entities operating in sectors of high criticality across the Union ; (ii) other preparedness actions for entities operating in sectors of high criticality and other critical sectors; (iii) actions supporting response to and initiating recovery from significant, large-scale and large-scale-equivalent cybersecurity incidents, to be provided by trusted managed security service providers participating in the EU Cybersecurity Reserve; (iv) mutual assistance actions granted in the form of grants and under the conditions defined in the relevant work programmes referred to in the Digital Europe Programme.

Establishment of the EU Cybersecurity Reserve

An EU Cybersecurity Reserve should be established, in order to assist, upon request, in responding or providing support for responding to significant, large-scale, or large-scale-equivalent cybersecurity incidents, and initiating recovery from such incidents.

ENISA should prepare, at least every two years, a mapping of the services needed by the users. ENISA should prepare a similar mapping, after informing the Council and consulting EU-CyCLONe and the Commission. A response should be transmitted to the users without delay and in any event no later than 48 hours from the submission of the request to ensure effectiveness of the support action. The contracting authority should inform the Council and the Commission of the results of the process.

A third country associated with the Digital Europe Programme should apply for support from the EU Cybersecurity Pool where the agreement by which it is associated with the Digital Europe Programme provides for its participation in the Pool.

Evaluation and review

By two years from the date of application of this Regulation and at least every four years thereafter, the Commission should carry out an evaluation of the functioning of the measures laid down in this Regulation and should submit a report to the European Parliament and to the Council.

The Committee on Industry, Research and Energy adopted the report by Lina GÁLVEZ MUÑOZ (S&D, ES) on the proposal for a regulation of the European Parliament and of the Council laying down measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cybersecurity threats and incidents.

The committee responsible recommended that the European Parliament's position adopted at first reading under the ordinary legislative procedure should amend the proposal as follows:

Coordinated governance

Members stressed that close and coordinated cooperation is needed between the public sector, the private sector, academia, civil society and the media. Moreover, the Union's response needs to be coordinated with international institutions as well as trusted and like-minded international partners. To ensure cooperation with trusted and like-minded international partners and protection against systemic rivals, entities established in third countries that are not parties to the WTO Agreement on Government Procurement (GPA) should not be allowed to participate in procurement under this Regulation.

Cybersecurity reserve

Regarding the new cybersecurity reserve, Members believe it has the potential of developing industrial capacities in the EU, including for SMEs , with investments in research and innovation to develop state of the art technologies, such as cloud and artificial intelligence technologies. In addition, the report proposed to maintain the participation of the industry, enhance the criteria and trust of their participation (i.e. connecting their participation to a national or local company) by clarifying the criteria and the definition of technological sovereignty and to guarantee a balance between non-EU and EU actors. In addition, Members proposed for the Cyber Emergency Mechanism a certification scheme to be used for private providers to build a longstanding and trusted partnership.

To support the establishment of the EU Cybersecurity Reserve, the Commission could consider requesting ENISA to prepare a candidate certification scheme for managed security services in the areas covered by the Cybersecurity Emergency Mechanism. To fulfil the additional tasks deriving from this provision, ENISA should receive adequate, additional funding .

Funding

Considering geopolitical developments and the growing cyber threat landscape and in order to ensure continuity and further development of the measures laid down in this Regulation beyond 2027, particularly the European Cyber Shield and the Cybersecurity Emergency Mechanism, it is necessary to ensure a specific budget line in the multiannual financial framework for the period 2028-2034. According to the report, Member States should endeavour to commit themselves to supporting all necessary measures to reduce cyber threats and incidents throughout the Union and to strengthen solidarity.

Strengthening R&I in cybersecurity

The amended text called for enhanced research and innovation (R&I) in cybersecurity to increase the resilience and the open strategic autonomy of the Union. Similarly, it is important to create synergies with R&I programmes and with existing instruments and institutions and to strengthen cooperation and coordination among the different stakeholders, including the private sector, civil society, academia, Member States, the Commission and ENISA.

Evaluation and Review

The amended text stated that by two years from the date of application of this Regulation and every two years thereafter, the Commission should carry out an evaluation concerning, inter alia : (i) both the positive and the negative working of the Cybersecurity Emergency Mechanism; (ii) the contribution of this Regulation to reinforce the Union’s resilience and open strategic autonomy, to improve the competitiveness of the relevant industry sectors, microenterprises, SMEs including start-ups, and the development of cybersecurity skills in the Union; (iii) the use and added value of the EU Cybersecurity Reserve.

PURPOSE: to lay down measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cybersecurity threats and incidents (EU Cyber solidarity act).

PROPOSED ACT: Regulation of the European Parliament and of the Council.

ROLE OF THE EUROPEAN PARLIAMENT: the European Parliament decides in accordance with the ordinary legislative procedure and on an equal footing with the Council.

BACKGROUND: the magnitude, frequency and impact of cybersecurity incidents are increasing, including supply chain attacks aiming at cyberespionage, ransomware or disruption. They represent a major threat to the functioning of network and information systems. In view of the fast-evolving threat landscape, the threat of possible large-scale incidents causing significant disruption or damage to critical infrastructures demands heightened preparedness at all levels of the Union’s cybersecurity framework. That threat goes beyond Russia’s military aggression on Ukraine and is likely to persist given the multiplicity of state-aligned, criminal and hacktivist actors involved in current geopolitical tensions.

CONTENT: with this proposal, the Commission aims to set up Cyber Solidarity Act which establishes EU capabilities to make Europe more resilient and reactive in front of cyber threats, while strengthening existing cooperation mechanism. It will contribute to ensuring a safe and secure digital landscape for citizens and businesses and to protecting critical entities and essential services, such as hospitals and public utilities.

This Regulation lays down measures to strengthen capacities in the Union to detect, prepare for and respond to cybersecurity threats and incidents, in particular through the following actions:

European Cyber Shield

An interconnected pan-European infrastructure of Security Operations Centres (European Cyber Shield) will be established to develop advanced capabilities for the Union to detect, analyse and process data on cyber threats and incidents in the Union. It will be composed of Security Operations Centres (SOCs) across the EU, brought together in several multi-country SOC platforms, built with support from the Digital Europe Programme (DEP) to supplement national funding. The Cyber Shield will be tasked with improving the detection, analysis and response to cyber threats. These SOCs will use advanced technology such as Artificial Intelligence (AI) and data analytics to detect and share warnings on such threats with authorities across borders. They will allow for a more timely and efficient response to major threats.

Cyber Emergency Mechanism

The Cyber Emergency Mechanism will improve the Union’s resilience to major cybersecurity threats and prepare for and mitigate, in a spirit of solidarity, the short-term impact of significant and large-scale cybersecurity incidents. It provides for actions to support preparedness, including coordinated testing of entities operating in highly critical sectors, response to and immediate recovery from significant or large-scale cybersecurity incidents or mitigate significant cyber threats and mutual assistance actions.

Also set to be created is an EU Cybersecurity Reserve made up of trusted and certified private companies ready to respond to major incidents.

European Cybersecurity Incident Review Mechanism

The proposed Regulation would also establish the Cybersecurity Incident Review Mechanism to assess and review specific cybersecurity incidents. At the request of the Commission or of national authorities (the EU-CyCLONe or the CSIRTs network), the EU Cybersecurity Agency (ENISA) will be responsible for the review of specific significant or large-scale cybersecurity incident and should deliver a report that includes lessons learned, and where appropriate, recommendations to improve Union’s cyber response.

Budgetary implications

The EU Cybersecurity Shield and the Cybersecurity Emergency Mechanism of this Regulation will be supported by funding under Strategic Objective ‘Cybersecurity’ of Digital Europe Programme (DEP).

The total budget includes an increase of EUR 100 million that this Regulation proposes to re-allocate from other Strategic Objectives of DEP. This will bring the new total amount available for Cybersecurity actions under DEP to EUR 842.8 million. Part of the additional EUR 100 million will reinforce the budget managed by the ECCC to implement actions on SOCs and preparedness as part of their Work Programme(s). Moreover, the additional funding will serve to support the establishment of the EU Cybersecurity Reserve.

It complements the budget already foreseen for similar actions in the main DEP and Cybersecurity DEP WP from the period 2023-2027 which could bring the total to 551 million for 2023-2027, while 115 million were dedicated already in the form of pilots for 2021-2022. Including Member States contributions, the overall budget could amount up to EUR 1.109 billion.