On April 18, 2023, the European Commission published its proposal for an EU Cyber Solidarity Act (“CSA”). It aims to strengthen incident detection, situational awareness, and response capabilities, and to ensure that entities providing services critical for day-to-day life can access expert support to manage their cyber risk and respond to incidents. Specifically, the CSA aims to promote information sharing about cyber incidents and vulnerabilities, to help improve the cyber resilience of critical entities, and to create an EU-wide resource for incident management.
The CSA adds another layer to the increasingly crowded landscape of EU cybersecurity laws. The proposed law would interact with the revised Network and Information Security Directive (“NIS2”) and certifications issued under the Cybersecurity Act. Private companies in specific sectors will also have to consider potential overlap with the forthcoming Cyber Resilience Act and the financial services-focused Digital Operation Resilience Act.
Below, we set out three striking features of the CSA that are likely to be of particular relevance to private companies.
1. Promoting platforms for information sharing and analysis
The CSA will promote the establishment and deployment of Cross-border Security Operations Centres (“Cross-border SOCs”), which will serve as platforms for the exchange of information and development of cybersecurity tools.
Cross-Border SOCs will be hubs for the collection and analysis of information on cybersecurity threats, incidents and tools from public bodies and private entities. Ultimately, the CSA aims to establish a “European Cyber Shield,” comprising of several interoperating Cross-Border SOCs, each of which in turn will group together several Member State SOCs.
Importantly, the CSA does not require private entities to share threat or vulnerability intelligence with the SOCs. However, NIS2 requires Member States to facilitate voluntary information sharing, and it remains to be seen how the CSA will intersect with these requirements.
2. Testing certain entities that are subject to NIS2 for potential vulnerabilities based on EU risk assessments
The CSA establishes a “Cyber Emergency Mechanism”, with the aim of improving cyber resilience against major cyber threats. Article 11 CSA requires the Commission to select certain industry sectors or sub-sectors that are “highly critical”—these sectors or sub-sectors will be selected from the list in Annex 1 of NIS2, i.e., sectors that comprise “essential entities” under NIS2. For more information on these sectors and NIS2 more generally, see our blog post here.
Entities in these sectors will be subject to “coordinated preparedness testing” to examine their exposure to significant cyber threats. The NIS Cooperation Group will develop the methodology for this test, taking into account existing EU-wide risk assessments.
3. Requiring private providers of managed security services to support member states in the response and immediate recovery actions in cases of significant or large-scale cybersecurity incidents
The CSA also establishes, and requires the European Commission to populate[MSY1] , an “EU Cybersecurity Reserve,” comprising a bench of “trusted providers” of private managed security services. We understand from a Commission Q&A on the CSA that ENISA will draw up an inventory of the services needed within the EU Cybersecurity Reserve.
Member States’ Computer Security Incident Response Teams (“CSIRTs”) and crisis management authorities are obliged to make use of these providers’ services when they assist in the management of and recovery from significant or large-scale cyber incidents affecting entities regulated under NIS2. In addition, third countries that receive funding under the Digital Europe Programme can request assistance from the EU Cybersecurity Reserve.
The CSA sets out the criteria for the selection of these trusted providers, including:
- The need to ensure that the EU Cybersecurity Reserve can provide support across all EU Member States;
- The need to ensure the “essential security interests” of the EU and the Member States;
- Security clearance for personnel involved in providing services;
- Appropriate hardware, software, and technical expertise; and
- Once a certification scheme for managed security services under the EU Cybersecurity Act has been finalized, certification to that scheme.
The requirements for trusted providers (in particular the requirements to be able to “ensure the protection of the essential security interests” of the EU and Member States, and to obtain a certification approved under the EU Cybersecurity Act) do not explicitly exclude non-EU providers—or providers subject to non-EU legal regimes—from becoming part of the EU Cybersecurity Reserve.
Stakeholders will need to pay close attention to the details, however. Recent reports indicate that certain EU authorities are pushing to include “sovereignty” requirements in a proposed certification scheme for cloud service providers, including requirements to ensure that non-EU government authorities cannot lawfully obtain access to data stored by cloud providers. A certification scheme for managed security providers could contain similar requirements. Equally, the Commission could interpret the requirement for providers to ensure the protection of essential security interests to mean that certain providers should be excluded, if they that could be the subject of non-EU legal process for information they hold about EU critical entities.
* * *
The Data Privacy and Cybersecurity Practice at Covington has deep experience advising on privacy and cybersecurity issues across Europe, and will continue to monitor developments. If you have any questions about the CSA, or about developments in the cybersecurity space more broadly, our team would be happy to assist.