Jump to content

Draft:Cyber Solidarity Act

From Wikipedia, the free encyclopedia

The EU Cybersecurity Strategy, approved on 16 December 2020, highlighted the establishment of a European Cyber Shield to solidify cyber threat detection and information sharing capabilities within the European Union.[1] Two years later, on 23 May 2022, the European Council Conclusions were released regarding the cyber posture and emphasising the necessity of addressing the deficiencies present in the responses and preparedness to cyber-attacks.[2] They urged the European Commission to propose a new Emergency Response Fund for Cybersecurity. The following year, on 18 April 2023, the European Commission officially implemented the proposal for a new Regulation, known as the EU Cyber Solidarity Act. This new proposal outlined measures to enhance solidarity and capacities within the European Union to detect, prepare for, and address cybersecurity incidents and threats.[3]

[edit]

This proposal is grounded on two distinct legal bases, namely, Article 173(3) on competitiveness of the Union's industry; and Article 322(1), point (a) of the Treaty on the Functioning of the European Union ("TFEU") on carry-over rules derogating from the principle of budget annuality.[4]

The main purpose of Article 173(3) TFEU is to enhance the competitive position of European service and industry sectors and promote their digital transformation by elevating cybersecurity levels in the Digital Single Market. Specifically, it seeks to bolster the resilience of entities and citizens that operate in critical sectors against the current escalation of cybersecurity threats that can provoke profound economic and societal repercussions. Moreover the proposal is complemented with Article 322(1) point (a) TFEU, which by considering the unpredictable nature of the cybersecurity realm, will allow for a certain degree of flexibility to be in place when dealing with financial management of the Cybersecurity Emergency Mechanism.[5]

Objectives and Actions

[edit]

In essence, the Cyber Solidarity Act aims to enhance solidarity in the Union through the following objectives:

  1. Contribute to the EU technological sovereignty, namely its cybersecurity, by reinforcing common European situational awareness and detection of cyber incidents and threats.
  2. Enhance preparedness and solidarity in the EU by forming common response capacities to address serious cybersecurity incidents. This includes providing incident response support to third countries associated with the Digital Europe Programme.
  3. Reinforce EU resilience by contributing with effective responses by reviewing significant incidents.[6]

Furthermore, the Cyber Solidarity Act seeks to reinforce the EU capacities to detect, prepare for and respond to cybersecurity incidents and threats through three unique actions:

  1. Deployment of the European Cybersecurity Alert System;
  2. Creation of the Cybersecurity Emergency Mechanism;
  3. Establishment of the European Cybersecurity Incident Review Mechanism.

European Cybersecurity Alert System

[edit]

The first Foundational Element corresponds to the formation of a European Cybersecurity Alert System which aims to particularly develop and reinforce common detection and situational awareness capabilities by forming a vast amount of interoperating Cross-border Cyber Hubs, each grouping together several National Cyber Hubs.[7]

Accordingly, the European Cybersecurity Alert System shall pool, share and produce a series of high-quality data regarding cyber incidents by utilising Artificial Intelligence and advanced data analytics. Thereby, its primary objective is to provide real-time situational awareness to authorities and other pertinent entities by enabling them to respond effectively to such threats and incidents.[8]

Cybersecurity Emergency Mechanism

[edit]

The second Foundational Element corresponds to the creation of the Cybersecurity Emergency Mechanism, which aims to enhance the Union's resilience against serious cybersecurity threats and "to prepare for and mitigate, in a spirit of solidarity, the short-term impact of significant and large-scale cybersecurity incidents"[9] Subsequently, the Cybersecurity Emergency Mechanism supports three main areas, namely: (a)Preparedness Actions; (b)EU Cybersecurity Reserve; (c)Mutual Assistance Actions.

When dealing with Preparedness Actions, the European Commission (only after consulting both ENISA and the NIS Cooperation Group) must identify highly critical sectors (energy, healthcare etc.) and conduct coordinated testing exercises for potential vulnerabilities, based on common risk practices.[10]

The new EU Cybersecurity Reserve will comprise incident response services from the private sector, which will intervene upon request of a Member State or EU entities, as well as third countries associated with the Digital Europe Programme, in the event of a significant or large-scale cybersecurity incident.[7][8][10]

The implementation of Mutual Assistance Actions, in financial terms, aims to assist Member States that have provided support to other Member State affected by a significant or large-scale cybersecurity incidents.[5]

European Cybersecurity Incident Review Mechanism

[edit]

The third Foundational Element corresponds to the establishment of the Cybersecurity Incident Review Mechanism, where ENISA, (at the request of the EU-CyCLONe, the European Commission or the CSIRTs network), must review and assess mitigation actions, vulnerabilities and threats concerning a particular large-scale or significant cybersecurity incident.[5]

The Joint Cyber Unit

[edit]

When analysing the 2020 EU Cybersecurity Strategy, under Section 2, which is aimed at "building operational capacity to prevent, deter and respond", it is possible observe the intention to create a Joint Cyber Unit.[1] Ultimately, the Joint Cyber Unit would become a platform to foster cooperation between several cybersecurity communities in the EU and would mainly focus on technical and operational coordination towards the formation of a European Cybersecurity Crisis Management Framework that would deal with critical cyber threats and incidents.[11] Eventually, in 2021, in consultation with Member States, the European Commission decided to adopt the "Recommendation on building a Joint Cyber Unit".[12]

The Joint cyber Unit aimed to achieve three primary goals:

  1. ensure preparedness across cybersecurity communities;
  2. provide continuous shared situational awareness through information sharing;
  3. reinforce coordinated response and recovery.[1]

However, the European Council decided to eliminate all mentions of the Joint Cyber Unit.[13] Nowadays, when analysing recent pieces of EU legislation regarding cybersecurity, such as the NIS2 Directive[14], the Cyber Solidarity Act or even the new 2022 Cyber Defence Strategy, there is not a single mention about the further implementation of the Joint Cyber Unit.

Nevertheless, the similarities between the Cyber Solidarity Act and the Joint Cyber Unit are striking. Despite the European Council previously approving the Joint Cyber Unit initiative, its Conclusions clearly indicate a scaling down of the project. However, this time, the Cyber Solidarity Act is 'supported' by a Legislative Proposal (contrary to the Joint Cyber Unit), which will be debated by the European Council and European Parliament.[15]

References

[edit]
  1. ^ a b c JOINT COMMUNICATION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL The EU's Cybersecurity Strategy for the Digital Decade, 2020, retrieved 2024-04-12
  2. ^ Council of the European Union, "Council conclusions on the development of the European Union's cyber posture" 9364/22,https://www.consilium.europa.eu/media/56358/st09364-en22.pdf
  3. ^ Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL laying down measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cybersecurity threats and incidents, 2023, retrieved 2024-04-12
  4. ^ • Explanatory Memorandum - Section 2 - Legal Basis, Subsidiarity and Proportionality - Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL laying down measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cybersecurity threats and incidents, 2023, retrieved 2024-04-12
  5. ^ a b c Chiara, Pier Giorgio, and Bartoli, Laura. "Unveiling EU Cybersecurity Law Turf Battles: The Case of the EU Cyber Solidarity Act Proposal". SSRN. SSRN 4700569.{{cite journal}}: CS1 maint: multiple names: authors list (link)
  6. ^ Article 1(2), Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL laying down measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cybersecurity threats and incidents, 2023, retrieved 2024-04-12
  7. ^ a b "Cyber Solidarity Act approved by the EU to strengthen European cybersecurity". Innovation News Network.
  8. ^ a b "The European Sting is Your democratic, independent and top quality political newspaper specialized in European Union News. Unique Features: iSting & Harry StingThe European Sting - Critical News & Insights on European Politics, Economy, Foreign Affairs, Business & Technology - europeansting.comCommission welcomes political agreement on Cyber Solidarity Act". The European Sting - Critical News & Insights on European Politics, Economy, Foreign Affairs, Business & Technology - europeansting.com. 2024-03-07. Retrieved 2024-04-14.
  9. ^ Article 9(1), Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL laying down measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cybersecurity threats and incidents, 2023, retrieved 2024-04-12
  10. ^ a b "Cyber solidarity package: Council and Parliament strike deals to strengthen cyber security capacities in the EU". Council of the European Union.
  11. ^ "EU Boost against cyberattacks: EU Agency for Cybersecurity welcomes proposal for the Joint Cyber Unit". ENISA. Retrieved 2024-04-14.
  12. ^ Recital 7, Commission Recommendation (EU) 2021/1086 of 23 June 2021 on building a Joint Cyber Unit (Report). 2021-06-23.
  13. ^ (Recital 21). (Article 3). (Article 12). (Article 22), Council of the European Union, 'Council Conclusions on exploring the potential of the Joint Cyber Unit initiative complementing the EU Coordinated Response to Large-Scale Cybersecurity Incidents and Crises' (2021), 12534/21.https://data.consilium.europa.eu/doc/document/ST-13048-2021-INIT/en/pdf
  14. ^ "Directive - 2022/2555 - EN - EUR-Lex". eur-lex.europa.eu. Retrieved 2024-04-12.
  15. ^ Clasen, Celina. "Cyber Solidarity Act moves ahead in EU Parliament with key committee vote". Euractiv.