What to expect from the EU’s Cyber Solidarity Act
The legislative initiative made its first appearance on Tuesday (28 February) in the updated version of the European Commission’s work programme but has been in the making for one year. Here is what to expect.
In March 2022, with Europe still reeling from the news of Russia’s aggression in Ukraine, EU ministers gathered in Nevers, France, and discussed the idea of boosting European countries’ capacity to face large-scale cyber-attacks for the first time.
The then-French presidency proposed the creation of a cybersecurity emergency fund, accessible by national governments, to employ trusted cybersecurity companies to conduct audits and incident response.
This is the premise of the Cyber Solidarity Act, a draft regulation the Commission is expected to present on 5 April. According to a source informed on the matter, the model follows Ukraine’s approach of public institutions and private companies partnering up to ensure cybersecurity.
EU countries to call for the establishment of a cybersecurity emergency fund
European governments are to adopt a declaration to reinforce the EU’s cybersecurity capacities, including establishing a new fund and increasing EU funding to support national efforts.
The idea made its way into the EU Cyber Defence Policy, which was subsequently rebranded as the European Cyber Solidarity initiative. Its purpose is to establish a ‘cyber reserve’ made of private trusted providers that would qualify with certification and would support responses to significant cyber-attacks.
The criteria for selecting these trusted providers are still not known, but European security giants like Atos, Thales, WithSecure, and BitDefender are the most likely candidates. The big question is whether access to the reserve will be restricted for US companies like Microsoft.
Given the issue’s sensitivity and the Commission’s recent tendency to privilege European companies in cybersecurity certification, some limitations on foreign companies are to be expected – at the very least, the exclusion of companies deemed too close to hostile powers, as was the case with Huawei and the 5G Toolbox.
A significant indication of how the project might be run is a pilot project dubbed the Trusted Partners Programme that ENISA, the EU’s cybersecurity agency, has worked on since last summer.
The pilot issued a public tender worth €28 million divided into 28 lots for the EU27 plus one at the European level. In several countries, eligible candidates must receive national, NATO or EU security clearance, certification or accreditation.
EU countries seek way out of impasse on sovereignty requirements for cloud services
A joint paper obtained by EURACTIV details six possible scenarios to deal with the controversial sovereignty requirements in the upcoming certification scheme for cloud providers.
Until late January, the EU executive still had not made up its mind on whether the initiative required legislation, a Commission spokesperson told EURACTIV at the time.
Proposing new legislation at this late stage of the mandate is bound not to go down well with the EU Council of Ministers, where national representatives lament that their capacity is already stretched and that they wish to concentrate on the Cyber Resilience Act.
At the national level, EU countries are also busy implementing the revised Network and Information Security (NIS2) directive and the Critical Entities Resilience directive, as well as setting up regional Security Operation Centres (SOCs), for which a call for funding closed two weeks ago.
The Commission’s vision is that regional SOCs would be federated to share threat intelligence at the EU level and form a ‘Cyber Shield’. The Cyber Solidarity initiative is set to establish the underpinning European Detection Infrastructure.
Another political question is whether the Commission will try to mandate threat intelligence sharing, a measure opposed by EU countries because such intelligence might contain sensitive information that could compromise national security if it falls into the wrong hands.
But the real reason for a legislative proposal is that there is no legal framework for allocating this funding, a Commission spokesperson confirmed to EURACTIV.
A recent precedent can be seen with the Chips Act, which defined under which conditions companies that contribute to boosting Europe’s semiconductor capacity can receive state aid.
The organisations set to be eligible to receive the support of the trusted vendors are the critical entities identified under NIS2. Nevertheless, charging EU countries with distributing the funding might be at odds with EU state aid rules.
However, the question of governance is rather sensitive, as it calls into question the role of the European Cybersecurity Competence Centre.
The EU body was established in 2021 precisely to enhance Europe’s cybersecurity capacity. The Commission had hoped to keep the Competence Centre in Brussels under its wing, but Romania managed to obtain its first EU body in Bucharest.
As EURACTIV revealed last April, the EU executive consequently delayed the appointment of the Centre’s new executive director to retain patronage over it. Two years after its establishment, the EU body continues to lack its top post and to be severely understaffed.
However, the Commission is reluctant to give the Competence Centre complete independence precisely because it is meant to manage EU funding dedicated to cybersecurity capacity-building.
In other words, excluding the EU body from the initiative would discredit its reason for existing. At the same time, ENISA appears to be the only body able to run a project like this.
Commission delays giving new cybersecurity centre full autonomy
The European Commission has been postponing the appointment of a permanent executive director of its new cybersecurity body in order to retain partial control over the organisation, several EU diplomatic sources told EURACTIV.
The funding for the Cyber Solidarity Initiative is set to come from the Digital Europe Programme. However, just like the Chips Act, the project will likely clash with the hard reality of an already stretched EU budget and member states’ unwillingness to invest additional resources.
Remarkably, the Cyber Defence Policy anticipates these budgetary constraints, stating that “while the scope of action and allocation of costs of specific interventions would depend on the EU funding available, the EU would also add value by ensuring the availability and readiness of such an EU-level reserve”.