The European Parliament’s Committee on Industry, Research and Energy adopted on Thursday (7 December) the draft report of the Cyber Solidarity Act, while the file keeps languishing in the EU Council of Ministers.
The cybersecurity law is a legislative proposal to strengthen EU cyber resilience capacities to respond to large-scale cyber incidents by establishing a ‘Cyber Reserve’ of certified trusted providers to conduct prevention and incident response activities.
With the adoption of its mandate in the leading committee, parliamentarians hope to start interinstitutional negotiations next year. However, in a ministerial meeting on Tuesday, many EU countries expressed scepticism about the proposal and called for avoiding the duplication of existing structures.
“This piece of legislation aims at increasing cooperation between member states, building capabilities and developing skills fast to be more resilient and preserve our democracies and citizens’ well-being,” Lina Gálvez Muñoz, rapporteur and vice president of the ITRE (Industry, Research and Energy) committee who spearheaded the file, told Euractiv.
The latest version of the draft report includes amendments addressing budget issues, stronger links to support public-private threat information sharing, and cross-links with other initiatives.
Other important aspects are the access to cyber threat intel for cross-border Security Operations Centres (SOCs), the exclusion of countries not part of the Government Procurement Agreement, and more concrete measures for evaluation purposes.
“It is good that the Parliament clarified that the Reserve should only consist of trusted providers that are not unduly controlled or influenced by governments of third countries that are not trustworthy partners,” Christian Democrat MEP Angelika Niebler told Euractiv.
Main changes
One of the most significant changes to the original text relates to the budget. New initiatives such as the Cyber Security Mechanism and the Cyber Reserve were not foreseen during the 2021-2027 period of the EU’s long-term budget, the Multiannual Financial Framework (MFF).
“I find it problematic that the Commission proposed re-allocating funding from AI projects and skills development to finance these new measures. A strong and diverse cybersecurity workforce is the basis for a resilient cybersecurity posture,” Niebler emphasised.
By lowering the budget for the Cyber Reserve, the EU Parliament wants to ensure that the new initiatives reduce funding for other priorities of the Digital Europe programme (DEP) as little as possible.
“The amount of the financial resources dedicated to the Cyber Security Reserve […] should be primarily drawn from the unallocated margins under the MFF ceilings or mobilised through the non-thematic MFF special instruments,” the draft report reads.
ENISA, the EU’s cybersecurity agency, should receive additional funding to support the establishment of the EU Cyber Reserve without jeopardising the DEP.
A time limit of 24 hours is now imposed on the response to requests from the EU Cyber Reserve. The draft report additionally tasked the Cyber Reserve to ensure the development of microenterprises, SMEs, startups, and investment in research and innovation (R&I) for state-of-the-art technologies.
To avoid duplication of similar Cyber Reserve initiatives, the Commission is in charge of exchanges with national governments and the North Atlantic Treaty Organization (NATO).
Newly-established SOCs should strengthen the cooperation and information sharing between public and private entities. The text includes a stronger link between SOCs and industry-led Information Sharing and Analysis Centers (‘ISACs’) that should improve the exchange of cyber threat intelligence.
To support national SOCs or Computer Security Incident Response Teams (CSIRTs) in threat detection and information sharing capabilities, the amendments now enable them to request telemetry, logging and sensor data relating to national critical infrastructures from the managed security providers.
Cross-border SOCs should be able to acquire cyber threat intel from companies in like-minded countries, excluding third countries that are not parties to the Agreement on Government Procurement (GPA).
Remarkably, China and Russia are currently negotiating accession to the GPA.
To monitor the success of this regulation, the EU Parliament tasked the Commission to evaluate the functioning of the measures every two years and submit a report to the EU Parliament and the Council of the EU.
Work at the Council
During the Transport, Telecommunications and Energy Council (TTE), which took place on Tuesday (6 December), digital ministers took note of the proposal’s progress report, agreeing that more work is needed at a technical level to reach a mandate for negotiations with the EU Parliament.
Two weeks ago, the Council already discussed the file at the ambassador level. Subjects of concern included accessibility of the Cyber Reserve to third countries, the role of the CSIRTs, and the risk of duplicating national and cross-border SOCs and CSIRTs.
At the technical level, the role of ENISA, the EU’s Cybersecurity Agency, the functioning and management of the Cyber Reserve and duplication with existing administrative structures and initiatives, notably the NIS2 Directive, were topics of discussion.
“We hope to be able to start negotiations with the Council as soon as possible to make this legislation possible, which will reinforce the open strategic autonomy of the EU,” ITRE’s Gálvez Muñoz added.
[Edited by Luca Bertuzzi/Nathalie Weatherald]