On April 18, 2023, the European Commission published its proposal for an EU Cyber Solidarity Act (“CSA”).  It aims to strengthen incident detection, situational awareness, and response capabilities, and to ensure that entities providing services critical for day-to-day life can access expert support to manage their cyber risk and respond to incidents.  Specifically, the CSA aims to promote information sharing about cyber incidents and vulnerabilities, to help improve the cyber resilience of critical entities, and to create an EU-wide resource for incident management.

The CSA adds another layer to the increasingly crowded landscape of EU cybersecurity laws.  The proposed law would interact with the revised Network and Information Security Directive (“NIS2”) and certifications issued under the Cybersecurity Act. Private companies in specific sectors will also have to consider potential overlap with the forthcoming Cyber Resilience Act and the financial services-focused Digital Operation Resilience Act.

Below, we set out three striking features of the CSA that are likely to be of particular relevance to private companies.

1. Promoting platforms for information sharing and analysis

The CSA will promote the establishment and deployment of Cross-border Security Operations Centres (“Cross-border SOCs”), which will serve as platforms for the exchange of information and development of cybersecurity tools.

Cross-Border SOCs will be hubs for the collection and analysis of information on cybersecurity threats, incidents and tools from public bodies and private entities.  Ultimately, the CSA aims to establish a “European Cyber Shield,” comprising several interoperating Cross-Border SOCs, each of which in turn will group together several Member State SOCs.

Importantly, the CSA does not require private entities to share threat or vulnerability intelligence with the SOCs.  However, NIS2 requires Member States to facilitate voluntary information sharing, and it remains to be seen how the CSA will intersect with these requirements.

2. Testing certain entities that are subject to NIS2 for potential vulnerabilities based on EU risk assessments

The CSA establishes a “Cyber Emergency Mechanism”, with the aim of improving cyber resilience against major cyber threats. Article 11 CSA requires the Commission to select certain industry sectors or sub-sectors that are “highly critical”—these sectors or sub-sectors will be selected from the list in Annex 1 of NIS2, i.e., sectors that comprise “essential entities” under NIS2. For more information on these sectors and NIS2 more generally, see our blog post here.

Entities in these sectors will be subject to “coordinated preparedness testing” to examine their exposure to significant cyber threats. The NIS Cooperation Group will develop the methodology for this test, taking into account existing EU-wide risk assessments.

3. Requiring private providers of managed security services to support Member States in response and immediate recovery actions in cases of significant or large-scale cybersecurity incidents

The CSA also establishes, and requires the European Commission to populate, an “EU Cybersecurity Reserve,” comprising a bench of “trusted providers” of private managed security services. We understand from a Commission Q&A on the CSA that ENISA will draw up an inventory of the services needed within the EU Cybersecurity Reserve.

Member States’ Computer Security Incident Response Teams (“CSIRTs”) and crisis management authorities are obliged to make use of these providers’ services when they assist in the management of and recovery from significant or large-scale cyber incidents affecting entities regulated under NIS2. In addition, third countries that receive funding under the Digital Europe Programme can request assistance from the EU Cybersecurity Reserve.

The CSA sets out the criteria for the selection of these trusted providers, including:

  • The need to ensure that the EU Cybersecurity Reserve can provide support across all EU Member States;
  • The need to ensure the “essential security interests” of the EU and the Member States;
  • Security clearance for personnel involved in providing services;
  • Appropriate hardware, software, and technical expertise; and
  • Once a certification scheme for managed security services under the EU Cybersecurity Act has been finalized, certification to that scheme.

The requirements for trusted providers (in particular the requirements to be able to “ensure the protection of the essential security interests” of the EU and Member States, and to obtain a certification approved under the EU Cybersecurity Act) do not explicitly exclude non-EU providers—or providers subject to non-EU legal regimes—from becoming part of the EU Cybersecurity Reserve.

Stakeholders will need to pay close attention to the details, however. Recent reports indicate that certain EU authorities are pushing to include “sovereignty” requirements in a proposed certification scheme for cloud service providers, including requirements to ensure that non-EU government authorities cannot lawfully obtain access to data stored by cloud providers. A certification scheme for managed security providers could contain similar requirements. Equally, the Commission could interpret the requirement for providers to ensure the protection of essential security interests to mean that certain providers should be excluded if they could be subject to non-EU legal process for information they hold about EU critical entities.

*          *          *

The Data Privacy and Cybersecurity Practice at Covington has deep experience advising on privacy and cybersecurity issues across Europe, and will continue to monitor developments. If you have any questions about the CSA, or about developments in the cybersecurity space more broadly, our team would be happy to assist.

Mark Young

Mark Young is an experienced tech regulatory lawyer and a vice-chair of Covington’s Data Privacy and Cybersecurity Practice Group. He advises major global companies on their most challenging data privacy compliance matters and investigations. Mark also leads on EMEA cybersecurity matters at the firm. In these contexts, he has worked closely with some of the world’s leading technology and life sciences companies and other multinationals.

Mark has been recognized for several years in Chambers UK as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” “provides thoughtful, strategic guidance and is a pleasure to work with;” and has “great insight into the regulators.” According to the most recent edition (2024), “He’s extremely technologically sophisticated and advises on true issues of first impression, particularly in the field of AI.”

Drawing on over 15 years of experience, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology, e.g., AI, biometric data, and connected devices.
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
  • Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • Counseling ad networks (demand and supply side), retailers, and other adtech companies on data privacy compliance relating to programmatic advertising, and providing strategic advice on complaints and claims in a range of jurisdictions.
  • Advising life sciences companies on industry-specific data privacy issues, including:
    • clinical trials and pharmacovigilance;
    • digital health products and services; and
    • engagement with healthcare professionals and marketing programs.
  • International conflict of law issues relating to white collar investigations and data privacy compliance (collecting data from employees and others, international transfers, etc.).
  • Advising various clients on the EU NIS2 Directive and UK NIS regulations and other cybersecurity-related regulations, particularly (i) cloud computing service providers, online marketplaces, social media networks, and other digital infrastructure and service providers, and (ii) medical device and pharma companies, and other manufacturers.
  • Helping a broad range of organizations prepare for and respond to cybersecurity incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, supply chain incidents, and state-sponsored attacks. Mark’s incident response expertise includes:
    • supervising technical investigations and providing updates to company boards and leaders;
    • advising on PR and related legal risks following an incident;
    • engaging with law enforcement and government agencies; and
    • advising on notification obligations and other legal risks, and representing clients before regulators around the world.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors).
  • Providing strategic advice and advocacy on a range of UK and EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.

Paul Maynard

Paul Maynard is special counsel in the technology regulatory group in the London office. He focuses on advising clients on all aspects of UK and European privacy and cybersecurity law relating to complex and innovative technologies such as adtech, cloud computing and online platforms. He also advises clients on how to respond to law enforcement demands, particularly where such demands are made across borders.

Paul advises emerging and established companies in various sectors, including online retail, software and education technology. His practice covers advice on new legislative proposals, for example on e-privacy and cross-border law enforcement access to data; advice on existing but rapidly-changing rules, such as the GDPR and cross-border data transfer rules; and on regulatory investigations in cases of alleged non-compliance, including in relation to online advertising and cybersecurity.

Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.

Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.

Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.

She has obtained a certificate for “corporate data protection officer” by the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP).

Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.

Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.