
Breaking Down the EU Cyber Solidarity Act

What is the EU Cyber Solidarity Act, who does it impact, and what do CISOs need to do to prepare? 

Geopolitical unrest amid the Russia-Ukraine war has created an increased need for EU-wide resilience from cyber-threats. Enter the EU Cyber Solidarity Act, which aims to improve preparedness, detection and response to cybersecurity incidents across the bloc. 

Proposed by the European Commission (EC) in 2023 and provisionally agreed in March, the Act includes a European alert system comprised of security operation centres (SOCs) interconnected across the EU. 

An emergency process will be introduced to improve cyber resilience, in addition to a mechanism to review and assess large scale incidents and provide recommendations to boost cybersecurity in the aftermath of attacks. 

“Russia’s military aggression against Ukraine was preceded and is being accompanied by a strategy of hostile cyber operations,” the EC said when proposing the Act.  

The EC called the Act “a game changer for the perception and assessment of [its] collective cybersecurity crisis management preparedness and a call for urgent action”.  

Currently, the Act is awaiting formal approval by the EU Council before being adopted by the 27 affected countries. So what is the EU Cyber Solidarity Act, who does it impact, and what do CISOs need to do to prepare? 

The EU Cyber Solidarity Act’s aims 

The EU Cyber Solidarity Act proposes the creation of a “European cyber shield” – an infrastructure consisting of SOCs across member states. This will enable “faster and more effective” detection of cyber threats, says Marco Eggerling, global CISO at Check Point Software.  

The Act builds on existing regulation, including the European Cyber Resilience Act (CRA), the Network and Information System Directive (NIS2) and the Digital Operational Resilience Act (DORA). 

The additional security proposed by the Act is much-needed: it was introduced in response to the “escalating frequency and sophistication” of cyber-attacks targeting critical national infrastructure (CNI) within the EU, says Julian Brownlow Davies, global vice president of advanced services at Bugcrowd. 

“High-profile incidents such as ransomware attacks on hospitals, energy grids and supply chains have highlighted significant vulnerabilities,” he says. 

A fragmented approach among member states has proven “insufficient so far” at tackling threats, Brownlow Davies says. This has made it necessary to implement a “unified and collaborative strategy”, he explains. 

Who the Act impacts

The regulation and enforcement of the Act are performed by the European Union Agency for Cybersecurity (ENISA) in collaboration with member states.  

Compliance is obligatory for organisations working across CNI. This includes government institutions, digital service providers and certain private sector companies operating within the EU. 

Sectors such as energy, healthcare, finance, transportation and digital infrastructure are “particularly susceptible” to cyber threats, Brownlow Davies says. “These sectors will face stringent cybersecurity requirements, information-sharing initiatives and potentially, collaborative response efforts.”  

The Act is applicable in the EU only. Post-Brexit, it doesn’t have a direct legislative impact on the UK, says Javvad Malik, lead security awareness advocate at KnowBe4. However, the global nature of cybersecurity threats coupled with the UK's economic and digital entwinement with the EU will still affect the UK, he says. 

UK companies engaged in business with EU partners or operating within EU markets must adhere to the new regulations, says Brownlow Davies. 

In addition, he says the new Act could influence the UK’s own cybersecurity policies, prompting it to adopt similar measures to align with EU standards.  

Not a complete solution

The Act certainly has ambitious aims, but despite this, it “may not be a complete solution”, says Eggerling.  

One challenge is the need for additional cybersecurity staff, he says. “The demand for qualified cybersecurity professionals in the EU is already high, and finding the personnel to run SOCs and respond to incidents in a 24/7 environment will be difficult.” 

The technology involved in cybersecurity and the operational technology that underpins many CNI environments also requires a level of consistency. Linguistic and procedural differences across countries could complicate this, he adds. 

One criticism of the Act is that it places “a disproportionate emphasis” on coordination and response “rather than prevention and building resilience”, Brownlow Davies says.  

To effectively address this, he says the Act “should incorporate stronger provisions that encourage innovation in cybersecurity technologies and foster a culture of security”. 

At the same time, additional resources and funding may be needed to support smaller member states with fewer resources and “ensure an equal level of protection across all EU countries”, says Adam Brown, managing security consultant at Black Duck. 

In the end, it will all boil down to the actual implementation of the measures outlined by the Act, says Dirk Schrader, field CISO (EMEA) and VP of security research at Netwrix. 

Another important aspect is how “effective and fast” the information exchange will be, he says. “Details about attacks in other organisations will be the best learning material for firms to identify vulnerabilities and proactively address similar risks in their own systems.” 

What CISOs should do

While there may be issues with its current form, the Cyber Solidarity Act is on its way, so what should CISOs be doing to prepare? 

First, ask compliance teams to review the Act to determine if you are affected and, if so, what changes are needed to align with its standards, says Brown. “Largely, this will be an investment into tools and services to improve detection, response and resilience against cyber threats.” 

Much of this will already be in place due to other acts, such as the DORA, he points out. However, because the EU Cyber Solidarity Act focuses on collaboration, it would make sense to foster relationships with other companies and government bodies, Brown advises. 

At the same time, CISOs should conduct thorough assessments of their current cybersecurity posture and ensure they’re investing in staff training and awareness programmes, says Brownlow Davies. 

As part of this, CISOs should advocate for cybersecurity to be a board-level priority, ensuring that adequate resources are allocated, Brownlow Davies adds. “While the compliance demands may be challenging, companies that embrace these changes can mitigate risks and gain a competitive advantage by demonstrating robust security practices to clients and partners.”


Kate O'Flaherty
Kate O'Flaherty Cybersecurity and privacy journalist