The European Union (EU) has agreed new rules to strengthen cyber incident response and recovery across member states, which has been dubbed the ‘cyber solidarity act.’

The provisional regulation aims to make the EU more resilient and reactive to cyber threats via new cooperation mechanisms.

This includes the establishment of an EU-wide cybersecurity alert system, designed to rapidly share information on cyber-threats throughout the region.

This pan-European infrastructure will be composed of national and cross-border cyber hubs, which will be in charge of detecting and acting on cyber threats, helping authorities respond more effectively to major incidents.

Additionally, the new regulation paves the way for the creation of a cybersecurity emergency mechanism. This mechanism will support:

  • Preparedness actions, including testing entities in highly critical sectors, such as healthcare, transport and energy
  • Mutual financial assistance for impacted entities
  • A ‘cybersecurity reserve’ made up of incident response services from the private sector that are ready to intervene at the request of a member state or EU institutions, bodies, and agencies as well as associated third countries during a large-scale cybersecurity incident

An evaluation and review mechanism will assess the effectiveness of the cybersecurity mechanism.

Certification Schemes for Managed Security Services

Alongside the cyber solidarity act, the EU Council and Parliament have also agreed on a targeted amendment to the 2019 Cybersecurity Act.

This amendment plans to establish European certification schemes for managed security services. This aims to boost the quality and comparability of these service providers and avoid fragmentation of the internal market.

The announcement comes shortly after the EU adopted its first Cybersecurity Certification scheme for digital products in January 2024.

Mathieu Michel, Belgian Secretary of State for digitisation, administrative simplification, privacy protection and the building regulation, commented: “Today’s agreements set new milestones for Europe’s cyber resilience. These rules will strengthen the EU’s and member states’ capabilities to prepare, prevent, respond, and recover from large-scale cyber threats or incidents.

“Moreover, creating the possibility for the certification of managed security services will help to ensure a high common level of these cybersecurity services across the EU by facilitating their cross-border provision to the benefit of our citizens and businesses.”

When Will the Cyber Solidarity Rules Come Into Force?

Following the provisional agreements, the two texts will need to be endorsed by the Council and Parliament in view for their formal adoption.

The Council’s Belgian presidency will now submit the texts to the member states’ representatives for approval as soon as possible.

Once approved, the draft acts will be submitted to a legal/linguistic review before formal adoption.

Boosting cyber response capabilities across the EU has long been on the radar of the EU. It was reported in 2022 that the EU undertook a major supply chain cyber-attack simulation.

In January 2024, the European Central Bank (ECB) announced that over 100 European banks will be tested on their cyber-attack response and recovery capabilities this year.