Julio García
The European Council has adopted two new laws that are part of the legislative “package” on cybersecurity, namely the so-called “cyber solidarity law” and a specific amendment to the cybersecurity law.
In a press release, the Council explains that these two new laws aim to strengthen EU solidarity and its capabilities to detect, prepare for and respond to cybersecurity threats and incidents.
The new regulation establishes EU capabilities to make Europe more resilient to cyber threats, while strengthening cooperation mechanisms.
It establishes, among other things, a “cybersecurity alert system” – a pan-European infrastructure composed of national and cross-border cyber centres across the EU. These are entities tasked with sharing information and with detecting and responding to cyber threats.
The cyber centres will use cutting-edge technology, such as artificial intelligence (AI) and advanced data analytics, to detect and share timely alerts on cyber threats and cross-border incidents.
They will also strengthen the existing European framework and, in turn, relevant authorities and entities will be able to respond more efficiently and effectively to cybersecurity incidents.
The new regulation also provides for the creation of a cybersecurity emergency mechanism to increase preparedness and improve response capacity to incidents in the EU. This mechanism will support:
- preparedness actions, including testing entities in highly critical sectors (healthcare, transport, energy, etc.) for potential vulnerabilities, based on common risk scenarios and methodologies
- a new EU cybersecurity reserve composed of private sector incident response services ready to intervene at the request of a Member State or EU institutions, bodies and agencies, as well as associated third countries, in the event of a significant or large-scale cybersecurity incident
- mutual technical assistance
Finally, the new law establishes an incident review mechanism to assess, inter alia, the effectiveness of actions under the cyber emergency mechanism and the use of the cybersecurity reserve, as well as the contribution of this regulation to strengthening the competitive position of the industrial and service sectors.
The specific amendment to the cybersecurity law aims to improve the EU’s cyber resilience by allowing the future adoption of European certification schemes for so-called “managed security services”.
The new law also recognises the growing importance of managed security services in the prevention, detection, response and recovery of cybersecurity incidents. These services may consist, for example, of incident management, penetration testing, security audits and consultancy related to technical support.
Pending the results of the CSA assessment, this targeted amendment will allow the establishment of European certification schemes for these managed security services. It will contribute to increasing their quality and comparability, encourage the emergence of trusted cybersecurity service providers and prevent fragmentation of the internal market, given that some Member States have already started to adopt national certification schemes for managed security services.