The Commission’s proposal for a Cyber Solidarity Act is languishing in the EU Council of Ministers, where the scarce enthusiasm is evidenced by the slow progress at the technical level – despite there being no major political hurdle.
The Cyber Solidarity Act (CSA) is a legislative proposal that seeks to establish a ‘Cyber Reserve’ of certified trusted providers to be on standby to help European countries respond and prepare for large-scale cyber-attacks.
However, the file has not been enthusiastically received by EU countries, as the Spanish presidency’s report published earlier this week laid out.
“On the basis of the progress made under the Spanish Presidency, the incoming Belgian Presidency plans to continue the work with the Parliament on this important file,” reads the report.
On Wednesday, EU ambassadors discussed the Cyber Solidarity Act at the Permanent Representatives Committee (COREPER), the Council’s main preparatory body.
Germany, Italy, France, the Czech Republic, Croatia, Ireland, Luxembourg, Denmark, Slovakia, Hungary, and Greece, among others, welcomed the progress made on the draft regulation but also highlighted that further discussions would be needed at the technical level before a consensus on a mandate could be agreed.
What to expect from the EU’s Cyber Solidarity Act
The legislative initiative made its first appearance on Tuesday (28 February) in the updated version of the European Commission’s work programme but has been in the making for one year. Here is what to expect.
Hold-ups
The topics of discussion included the accessibility of the Cyber Reserve to third countries, the role of the Computer Security Incident Response Team (CSIRTs), risks of duplications of national and cross-border Security Operations Centres (SOCs) and CSIRTs, and the question of liability.
Six weeks prior, the European Court of Auditors (ECA) warned that the CSA could add complexity to the European cybersecurity landscape.
The Spanish Council presidency presented a second proposal on the CSA three weeks ago, following a workshop with the Commission that resulted in the need to clarify practical aspects of the Cyber Reserve.
“Suggestions on trusted providers and the support to third countries have been integrated to the extent possible,” the report reads regarding the amendments to the second compromised text.
The Working Party on Cyber Issues, a Council technical body, then discussed the second version. The concerns here included the role of ENISA, the EU’s Cybersecurity Agency, the functioning and management of the Cyber Reserve, and support action to third countries.
During Wednesday’s COREPER session, the Spanish presidency also highlighted that more work was needed to clarify elements, particularly in clarifying the role of the new operational centres and Cyber Reserve in the already complex EU cybersecurity architecture.
Another aspect raised was the Commission’s emphasis on making the Cyber Reserve accessible to third countries, such as Ukraine and Moldova, to strengthen their cyber capacities.
Supported by Italy, France suggested the extension to the European political community – a pet project of French President Emmanuel Macron to engage with extra EU countries like the United Kingdom and Turkey following Russia’s war of aggression on Ukraine.
In addition, Germany, Ireland and Luxembourg emphasised the need to avoid the Cyber Solidarity Act duplicating existing administrative structures and initiatives, pushing for a complementary approach with clear responsibilities for EU countries.
In particular, the idea advanced was for the regional Security Operation Centres to be replaced by the Computer Security Incident Response Team established under the revised Networks and Information Security Directive (NIS2).
However, Italy opposed this approach, stressing that the two bodies should complement rather than oppose each other.
For Poland, Slovakia and Hungary, the quality of the provisions ought to take precedence over speeding up the adoption process, while Denmark argued in favour of a balanced approach. Hungary noted that further technical work was needed on the scope of liability.
[Edited by Luca Bertuzzi/Nathalie Weatherald]