Draft:Cyber Solidarity Act

The EU Cybersecurity Strategy, approved on 16 December 2020, highlighted the establishment of a European Cyber Shield to solidify cyber threat detection and information sharing capabilities within the European Union. Two years later, on 23 May 2022, the European Council Conclusions on the cyber posture were released, emphasising the necessity of addressing the deficiencies in responses and preparedness to cyber-attacks. They urged the European Commission to propose a new Emergency Response Fund for Cybersecurity. The following year, on 18 April 2023, the European Commission officially implemented the proposal for a new Regulation, known as the EU Cyber Solidarity Act. This new proposal outlined measures to enhance solidarity and capacities within the European Union to detect, prepare for, and address cybersecurity incidents and threats.

Legal Basis
This proposal is grounded on two distinct legal bases, namely, Article 173(3) on competitiveness of the Union's industry; and Article 322(1), point (a) of the Treaty on the Functioning of the European Union ("TFEU") on carry-over rules derogating from the principle of budget annuality.

The main purpose of Article 173(3) TFEU is to enhance the competitive position of European service and industry sectors and promote their digital transformation by elevating cybersecurity levels in the Digital Single Market. Specifically, it seeks to bolster the resilience of entities and citizens that operate in critical sectors against the current escalation of cybersecurity threats that can provoke profound economic and societal repercussions. Moreover, the proposal is complemented by Article 322(1), point (a) TFEU, which, considering the unpredictable nature of the cybersecurity realm, will allow a certain degree of flexibility in the financial management of the Cybersecurity Emergency Mechanism.

Objectives and Actions
In essence, the Cyber Solidarity Act aims to enhance solidarity in the Union through the following objectives:

 * 1) Contribute to the EU's technological sovereignty, namely its cybersecurity, by reinforcing common European situational awareness and detection of cyber incidents and threats.
 * 2) Enhance preparedness and solidarity in the EU by forming common response capacities to address serious cybersecurity incidents. This includes providing incident response support to third countries associated with the Digital Europe Programme.
 * 3) Reinforce EU resilience by contributing to effective responses through the review of significant incidents.

Furthermore, the Cyber Solidarity Act seeks to reinforce the EU's capacities to detect, prepare for and respond to cybersecurity incidents and threats through three unique actions:

 * 1) Deployment of the European Cybersecurity Alert System;
 * 2) Creation of the Cybersecurity Emergency Mechanism;
 * 3) Establishment of the European Cybersecurity Incident Review Mechanism.

European Cybersecurity Alert System
The first Foundational Element corresponds to the formation of a European Cybersecurity Alert System, which aims in particular to develop and reinforce common detection and situational awareness capabilities by forming a vast number of interoperating Cross-border Cyber Hubs, each grouping together several National Cyber Hubs.

Accordingly, the European Cybersecurity Alert System shall pool, share and produce high-quality data regarding cyber incidents by utilising Artificial Intelligence and advanced data analytics. Its primary objective is to provide real-time situational awareness to authorities and other pertinent entities, enabling them to respond effectively to such threats and incidents.

Cybersecurity Emergency Mechanism
The second Foundational Element corresponds to the creation of the Cybersecurity Emergency Mechanism, which aims to enhance the Union's resilience against serious cybersecurity threats and "to prepare for and mitigate, in a spirit of solidarity, the short-term impact of significant and large-scale cybersecurity incidents". The Cybersecurity Emergency Mechanism supports three main areas, namely: (a) Preparedness Actions; (b) EU Cybersecurity Reserve; (c) Mutual Assistance Actions.

When dealing with Preparedness Actions, the European Commission (only after consulting both ENISA and the NIS Cooperation Group) must identify highly critical sectors (energy, healthcare etc.) and conduct coordinated testing exercises for potential vulnerabilities, based on common risk practices.

The new EU Cybersecurity Reserve will comprise incident response services from the private sector, which will intervene upon request of a Member State or EU entities, as well as third countries associated with the Digital Europe Programme, in the event of a significant or large-scale cybersecurity incident.

The implementation of Mutual Assistance Actions, in financial terms, aims to assist Member States that have provided support to another Member State affected by a significant or large-scale cybersecurity incident.

European Cybersecurity Incident Review Mechanism
The third Foundational Element corresponds to the establishment of the Cybersecurity Incident Review Mechanism, where ENISA (at the request of the EU-CyCLONe, the European Commission or the CSIRTs network) must review and assess mitigation actions, vulnerabilities and threats concerning a particular large-scale or significant cybersecurity incident.

The Joint Cyber Unit
When analysing the 2020 EU Cybersecurity Strategy, under Section 2, which is aimed at "building operational capacity to prevent, deter and respond", it is possible to observe the intention to create a Joint Cyber Unit. Ultimately, the Joint Cyber Unit would become a platform to foster cooperation between several cybersecurity communities in the EU and would mainly focus on technical and operational coordination towards the formation of a European Cybersecurity Crisis Management Framework that would deal with critical cyber threats and incidents. Eventually, in 2021, in consultation with Member States, the European Commission decided to adopt the "Recommendation on building a Joint Cyber Unit".

The Joint Cyber Unit aimed to achieve three primary goals:


 * 1) ensure preparedness across cybersecurity communities;
 * 2) provide continuous shared situational awareness through information sharing;
 * 3) reinforce coordinated response and recovery.

However, the European Council decided to eliminate all mentions of the Joint Cyber Unit. Nowadays, when analysing recent pieces of EU legislation regarding cybersecurity, such as the NIS2 Directive, the Cyber Solidarity Act or even the new 2022 Cyber Defence Strategy, there is not a single mention of the further implementation of the Joint Cyber Unit.

Nevertheless, the similarities between the Cyber Solidarity Act and the Joint Cyber Unit are striking. Despite the European Council previously approving the Joint Cyber Unit initiative, its Conclusions clearly indicate a scaling down of the project. However, this time, the Cyber Solidarity Act is 'supported' by a Legislative Proposal (contrary to the Joint Cyber Unit), which will be debated by the European Council and European Parliament.