The EU adopted two new laws Monday as part of a cybersecurity legislative package aimed at strengthening the EU’s capacity to detect, prepare for and respond to cybersecurity threats and incidents.
The two laws are the ‘cyber solidarity act’, and a targeted amendment to the cybersecurity act (CSA).
The ‘cyber solidarity act’ establishes a ‘cybersecurity alert system’, a pan-European infrastructure composed of national and cross-border cyber hubs across the EU. These hubs will share information and detect and act on cyber threats. They will use state-of-the-art technology, such as artificial intelligence (AI) and advanced data analytics, to detect and share warnings on cyber threats and incidents across borders.
A cybersecurity emergency mechanism will be created to increase preparedness and enhance incident response capabilities in the EU. This will support:
- preparedness actions, including testing entities in highly critical sectors (healthcare, transport, energy, etc.) for potential vulnerabilities
- a new EU cybersecurity reserve consisting of incident response services from the private sector ready to intervene in case of a significant or large-scale cybersecurity incident
- technical mutual assistance
The targeted amendment to the cybersecurity act of 2019 aims to enhance the EU’s cyber resilience by enabling the future adoption of European certification schemes for so-called ‘managed security services’. The new law recognises the increasing importance of managed security services in preventing, detecting, responding to, and recovering from cybersecurity incidents. These services can consist of, for example, incident handling, penetration testing, security audits, and consulting related to technical support.
Awaiting the results of the evaluation of the CSA, this targeted amendment will enable the establishment of European certification schemes for these managed security services.
Both legislative acts are now set to be published in the EU’s official journal in the coming weeks and enter into force 20 days after this publication.
Amendment to the cybersecurity act regarding managed security services, 2 December 2024