On April 18, 2023, the European Commission published its proposal for an EU Cyber Solidarity Act (“CSA”).  It aims to strengthen incident detection, situational awareness, and response capabilities, and to ensure that entities providing services critical for day-to-day life can access expert support to manage their cyber risk and respond to incidents.  Specifically, the CSA aims to promote information sharing about cyber incidents and vulnerabilities, to help improve the cyber resilience of critical entities, and to create an EU-wide resource for incident management.

The CSA adds another layer to the increasingly crowded landscape of EU cybersecurity laws.  The proposed law would interact with the revised Network and Information Security Directive (“NIS2”) and certifications issued under the Cybersecurity Act. Private companies in specific sectors will also have to consider potential overlap with the forthcoming Cyber Resilience Act and the financial services-focused Digital Operational Resilience Act.

Below, we set out three striking features of the CSA that are likely to be of particular relevance to private companies.

1. Promoting platforms for information sharing and analysis

The CSA will promote the establishment and deployment of Cross-border Security Operations Centres (“Cross-border SOCs”), which will serve as platforms for the exchange of information and development of cybersecurity tools.

Cross-border SOCs will be hubs for the collection and analysis of information on cybersecurity threats, incidents and tools from public bodies and private entities.  Ultimately, the CSA aims to establish a “European Cyber Shield,” comprising several interoperating Cross-border SOCs, each of which in turn will group together several Member State SOCs.

Importantly, the CSA does not require private entities to share threat or vulnerability intelligence with the SOCs.  However, NIS2 requires Member States to facilitate voluntary information sharing, and it remains to be seen how the CSA will intersect with these requirements.

2. Testing certain entities that are subject to NIS2 for potential vulnerabilities based on EU risk assessments

The CSA establishes a “Cyber Emergency Mechanism”, with the aim of improving cyber resilience against major cyber threats. Article 11 CSA requires the Commission to select certain industry sectors or sub-sectors that are “highly critical”—these sectors or sub-sectors will be selected from the list in Annex 1 of NIS2, i.e., sectors that comprise “essential entities” under NIS2. For more information on these sectors and NIS2 more generally, see our blog post here.

Entities in these sectors will be subject to “coordinated preparedness testing” to examine their exposure to significant cyber threats. The NIS Cooperation Group will develop the methodology for this test, taking into account existing EU-wide risk assessments.

3. Requiring private providers of managed security services to support member states in the response and immediate recovery actions in cases of significant or large-scale cybersecurity incidents

The CSA also establishes, and requires the European Commission to populate, an “EU Cybersecurity Reserve,” comprising a bench of “trusted providers” of private managed security services. We understand from a Commission Q&A on the CSA that ENISA will draw up an inventory of the services needed within the EU Cybersecurity Reserve.

Member States’ Computer Security Incident Response Teams (“CSIRTs”) and crisis management authorities are obliged to make use of these providers’ services when they assist in the management of and recovery from significant or large-scale cyber incidents affecting entities regulated under NIS2. In addition, third countries that receive funding under the Digital Europe Programme can request assistance from the EU Cybersecurity Reserve.

The CSA sets out the criteria for the selection of these trusted providers, including:

  • The need to ensure that the EU Cybersecurity Reserve can provide support across all EU Member States;
  • The need to ensure the “essential security interests” of the EU and the Member States;
  • Security clearance for personnel involved in providing services;
  • Appropriate hardware, software, and technical expertise; and
  • Once a certification scheme for managed security services under the EU Cybersecurity Act has been finalized, certification to that scheme.

The requirements for trusted providers (in particular the requirements to be able to “ensure the protection of the essential security interests” of the EU and Member States, and to obtain a certification approved under the EU Cybersecurity Act) do not explicitly exclude non-EU providers—or providers subject to non-EU legal regimes—from becoming part of the EU Cybersecurity Reserve.

Stakeholders will need to pay close attention to the details, however. Recent reports indicate that certain EU authorities are pushing to include “sovereignty” requirements in a proposed certification scheme for cloud service providers, including requirements to ensure that non-EU government authorities cannot lawfully obtain access to data stored by cloud providers. A certification scheme for managed security providers could contain similar requirements. Equally, the Commission could interpret the requirement for providers to ensure the protection of essential security interests to mean that certain providers should be excluded if they could be the subject of non-EU legal process for information they hold about EU critical entities.

*          *          *

The Data Privacy and Cybersecurity Practice at Covington has deep experience advising on privacy and cybersecurity issues across Europe, and will continue to monitor developments. If you have any questions about the CSA, or about developments in the cybersecurity space more broadly, our team would be happy to assist.

Mark Young

Mark Young, an experienced tech regulatory lawyer, advises major global companies on their most challenging data privacy compliance matters and investigations.

Mark also leads on EMEA cybersecurity matters at the firm. He advises on evolving cyber-related regulations, and helps clients respond to incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, and state-sponsored attacks.

Mark has been recognized in Chambers UK for several years as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” and having “great insight into the regulators.”

Drawing on over 15 years of experience advising global companies on a variety of tech regulatory matters, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology (e.g., AI, biometric data, Internet-enabled devices, etc.).
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
  • Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • GDPR and international data privacy compliance for life sciences companies in relation to:
    • clinical trials and pharmacovigilance;
    • digital health products and services; and
    • marketing programs.
  • International conflict of law issues relating to white collar investigations and data privacy compliance.
  • Cybersecurity issues, including:
    • best practices to protect business-critical information and comply with national and sector-specific regulation;
    • preparing for and responding to cyber-based attacks and internal threats to networks and information, including training for board members;
    • supervising technical investigations; advising on PR, engagement with law enforcement and government agencies, notification obligations and other legal risks; and representing clients before regulators around the world; and
    • advising on emerging regulations, including during the legislative process.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors).
  • Providing strategic advice and advocacy on a range of EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.
Paul Maynard

Paul Maynard is an associate in the technology regulatory group in the London office. He focuses on advising clients on all aspects of UK and European privacy and cybersecurity law relating to complex and innovative technologies such as adtech, cloud computing and online platforms. He also advises clients on how to respond to law enforcement demands, particularly where such demands are made across borders.

Paul advises emerging and established companies in various sectors, including online retail, software and education technology. His practice covers advice on new legislative proposals, for example on e-privacy and cross-border law enforcement access to data; advice on existing but rapidly-changing rules, such as the GDPR and cross-border data transfer rules; and on regulatory investigations in cases of alleged non-compliance, including in relation to online advertising and cybersecurity.

Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, and is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.  She has obtained a certificate for “corporate data protection officer” from the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also a Certified Information Privacy Professional/Europe (CIPP/E) with the International Association of Privacy Professionals (IAPP).  Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.  Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.