The upcoming Cyber Solidarity Act and its predecessor, the Joint Cyber Unit.
Revision as of 11:19, 12 April 2024
The conflict between Russia and Ukraine has exposed vulnerabilities within Europe, in particular its reliance on digital technology and the fragility of the digital space. It has been accompanied by a surge in cyberattacks, which are especially damaging when they target critical infrastructure such as health, finance or energy, sectors that are highly exposed because of their extensive dependence on information technology.
Accordingly, the EU Cybersecurity Strategy, presented in 2020, announced the establishment of a European Cyber Shield to strengthen cyber threat detection and information sharing capabilities within the European Union.[1] Two years later, in 2022, the Council of the European Union adopted Conclusions on the Union's cyber posture, emphasising the need to address the gaps in preparedness for and response to cyberattacks,[2] and urged the European Commission to propose a new Emergency Response Fund for Cybersecurity. The following year, in 2023, the Commission adopted a proposal for a new Regulation, known as the EU Cyber Solidarity Act, setting out measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cybersecurity threats and incidents.[3]
LEGAL BASIS
The proposal rests on two distinct legal bases: Article 173(3) of the Treaty on the Functioning of the European Union ("TFEU"), on the competitiveness of the Union's industry, and Article 322(1), point (a), TFEU, which underpins carry-over rules derogating from the principle of budgetary annuality laid down in Regulation (EU, Euratom) 2018/1046 (the Financial Regulation).[4]
Under Article 173(3) TFEU, the proposal seeks to strengthen the competitive position of European industry and service sectors and to support their digital transformation by raising the level of cybersecurity in the Digital Single Market. Specifically, it aims to bolster the resilience of the entities and citizens operating in critical sectors against the current escalation of cybersecurity threats, which can have profound economic and societal repercussions. Article 322(1), point (a), TFEU complements this basis: given the unpredictable nature of cybersecurity incidents, it allows a degree of flexibility in the financial management of the Cybersecurity Emergency Mechanism.[4]
In essence, the Cyber Solidarity Act aims to enhance solidarity in the Union through the following objectives:
- Contribute to the EU's technological sovereignty in the field of cybersecurity by reinforcing common European situational awareness and the detection of cyber threats and incidents.
- Enhance preparedness and solidarity in the EU by building common response capacities to address significant or large-scale cybersecurity incidents, including incident response support to third countries associated with the Digital Europe Programme (DEP).
- Reinforce EU resilience and contribute to effective responses by reviewing and assessing significant incidents.[5]
Furthermore, the Cyber Solidarity Act seeks to reinforce the EU's capacities to detect, prepare for and respond to cybersecurity threats and incidents through three foundational elements:
- Deployment of the European Cyber Shield;
- Creation of the Cybersecurity Emergency Mechanism;
- Establishment of the European Cybersecurity Incident Review Mechanism.[6]
First Foundational Element - THE EUROPEAN CYBER SHIELD
The first Foundational Element is the establishment of a European Cyber Shield, which aims to develop and reinforce common detection and situational awareness capabilities by building a network of interoperating Cross-border Security Operations Centres ("Cross-border SOCs"), each grouping together several National Security Operations Centres ("National SOCs").[7]
The European Cyber Shield shall pool and share data on cyber threats and incidents from a variety of sources and produce high-quality, actionable information from it.[8]
Each Member State shall designate at least one National SOC, which must be a public body with the capacity to act as a gateway to other public and private organisations at national level for the collection and analysis of information on cybersecurity threats and incidents.[9]
A Cross-border SOC is set up by a Hosting Consortium composed of at least three Member States, represented by their National SOCs, which commit to working together on cyber threat detection and monitoring activities.[10] The members of a Hosting Consortium must share relevant information with one another, including information on cyber threats, potential vulnerabilities, and procedures and techniques, among other items[11], under the arrangements laid down in a written consortium agreement[12]. Following a call for expression of interest, the European Cybersecurity Competence Centre ("ECCC") selects both National SOCs[13] and Hosting Consortia[14] to participate in a joint procurement of tools and infrastructures. Lastly, where a Cross-border SOC obtains information about a potential or ongoing large-scale cybersecurity incident, it must provide the relevant information to the Commission, EU-CyCLONe and the CSIRTs network, in accordance with their respective roles under Directive (EU) 2022/2555.[15]
Second Foundational Element - THE CYBERSECURITY EMERGENCY MECHANISM
The second Foundational Element is the creation of the Cybersecurity Emergency Mechanism, which aims to improve the Union's resilience to serious cybersecurity threats and "to prepare for and mitigate, in a spirit of solidarity, the short-term impact of significant and large-scale cybersecurity incidents".[16] The Mechanism supports three types of action: (a) preparedness actions; (b) response actions; and (c) mutual assistance actions.[17]
For preparedness actions, the Commission, after consulting ENISA and the NIS Cooperation Group, must identify the sectors, among those listed in Annex I to Directive (EU) 2022/2555, whose entities may be subject to coordinated preparedness testing.[18] The coordinated testing exercises must build on the risk-assessment methodologies already established by the relevant entities involved.[19]
Response and mutual assistance actions are both delivered through the EU Cybersecurity Reserve, which may support the cyber crisis management authorities and CSIRTs of the Member States[20] as well as Union institutions, bodies and agencies[21]. These entities (the "users") may call on the EU Cybersecurity Reserve only when responding to, or supporting the immediate recovery from, significant or large-scale cybersecurity incidents[22], or when assisting affected entities in critical sectors[23].
In addition, users are entitled to the Reserve's services only if they implement measures to mitigate the consequences of the incident for which support is requested.[24] Requests must be sent to the Commission and ENISA through the Single Point of Contact[25] and must contain a set of specified information[26]. The Commission, supported by ENISA, assesses[27] and prioritises the requests according to a set of criteria[28]. The Reserve's services are provided under specific agreements between the service provider and the user, which include liability provisions[29]; within one month of the end of the support action, the user must provide ENISA and the Commission with a summary report on the support provided[30].
Third Foundational Element - THE CYBERSECURITY INCIDENT REVIEW MECHANISM
Lastly, the third Foundational Element is the establishment of the Cybersecurity Incident Review Mechanism, under which ENISA, at the request of EU-CyCLONe, the Commission or the CSIRTs network, must review and assess the threats, vulnerabilities and mitigation actions relating to a specific significant or large-scale cybersecurity incident.[31] ENISA then produces an incident review report, in collaboration with the relevant stakeholders, and delivers it to EU-CyCLONe, the Commission and the CSIRTs network.[32]
The Joint Cyber Unit
Section 2 of the 2020 EU Cybersecurity Strategy, "building operational capacity to prevent, deter and respond", set out the intention to create a Joint Cyber Unit.[1] The Unit was conceived as a platform to foster cooperation between the different cybersecurity communities in the EU, focusing on technical and operational coordination towards the formation of a European Cybersecurity Crisis Management Framework for dealing with critical cyber threats and incidents.[1] In 2021, after consulting the Member States, the Commission adopted the "Recommendation on building a Joint Cyber Unit".[33]
The Joint Cyber Unit aimed to achieve three primary goals:
- ensure preparedness across cybersecurity communities;
- provide continuous shared situational awareness through information sharing;
- reinforce coordinated response and recovery.[1]
Nevertheless, in 2021 the Council adopted Conclusions on the potential of the Joint Cyber Unit initiative in which it stated clearly that Member States bear the primary responsibility for responding to serious cybersecurity incidents and crises that affect them. The Council also reiterated the importance of respecting the competences of the Member States and their sole responsibility for cybersecurity and national security matters, as set out in Article 4(2) TEU.[34] It concluded that any contribution by a Member State to a prospective Joint Cyber Unit would be purely voluntary.[35] A year later, in 2022, the Joint Cyber Unit was still referred to several times in the European Commission's proposal on cybersecurity measures for Union entities.
The Council, however, removed all references to the Joint Cyber Unit from that text.[36] In recent EU cybersecurity legislation and policy, such as the NIS2 Directive[37], the Cyber Solidarity Act and the 2022 EU Policy on Cyber Defence, there is no mention of any further implementation of the Joint Cyber Unit.
Nevertheless, the similarities between the Cyber Solidarity Act and the Joint Cyber Unit are striking: in essence, the proposal for the Cyber Solidarity Act appears to be a 'rebranded' version of the Joint Cyber Unit. Although the Council had previously endorsed exploring the Joint Cyber Unit initiative, its Conclusions clearly indicate a scaling down of the project. This time, however, the Cyber Solidarity Act is backed by a legislative proposal (unlike the Joint Cyber Unit, which rested on a Commission Recommendation), to be negotiated by the Council and the European Parliament.[38]
As previously mentioned, the Joint Cyber Unit also aimed to provide more common EU tools to prevent, deter and respond to cyberattacks. In 2020 it was announced as "a real cybersecurity shield for the EU"[1] that would provide coordinated assistance to Member States. Its planned activities similarly included support in managing serious incidents and crises, the exchange of key data on significant cyber incidents and the active involvement of SOCs. Both proposals also envisaged cooperation with the private sector: the Joint Cyber Unit planned to conclude cooperation agreements with providers of incident response services and threat intelligence, while the Cyber Solidarity Act would establish the "EU Cybersecurity Reserve", made up of "trusted providers", to assist Member States, Union bodies and associated third countries.
Consequently, within the same Commission mandate one finds two closely similar proposals that rearrange the terms "shield" and "solidarity" around comparable concepts. This repetition may stem from a perception that the Joint Cyber Unit faced its challenges and did not fully succeed, while the need to explore alternative approaches at European level persists.
- [1] Joint Communication to the European Parliament and the Council, "The EU's Cybersecurity Strategy for the Digital Decade", 2020. Retrieved 2024-04-12.
- [2] Council of the European Union, "Council conclusions on the development of the European Union's cyber posture", 9364/22. https://www.consilium.europa.eu/media/56358/st09364-en22.pdf
- [3] Proposal for a Regulation of the European Parliament and of the Council laying down measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cybersecurity threats and incidents (Cyber Solidarity Act), 2023. Retrieved 2024-04-12.
- [4] Explanatory Memorandum, Section 2 (Legal Basis, Subsidiarity and Proportionality), Cyber Solidarity Act proposal (2023), as in [3].
- [5] Article 1(2), Cyber Solidarity Act proposal (2023), as in [3].
- [6] Article 1(1), Cyber Solidarity Act proposal (2023), as in [3].
- [7] Article 3(1), Cyber Solidarity Act proposal (2023), as in [3].
- [8] Article 3(2), Cyber Solidarity Act proposal (2023), as in [3].
- [9] Article 4(1), Cyber Solidarity Act proposal (2023), as in [3].
- [10] Article 5(1), Cyber Solidarity Act proposal (2023), as in [3].
- [11] Article 6(1), Cyber Solidarity Act proposal (2023), as in [3].
- [12] Article 5(3), Cyber Solidarity Act proposal (2023), as in [3].
- [13] Article 4(2), Cyber Solidarity Act proposal (2023), as in [3].
- [14] Article 5(2), Cyber Solidarity Act proposal (2023), as in [3].
- [15] Article 7(1), Cyber Solidarity Act proposal (2023), as in [3].
- [16] Article 9(1), Cyber Solidarity Act proposal (2023), as in [3].
- [17] Article 10(1), Cyber Solidarity Act proposal (2023), as in [3].
- [18] Article 11(1), Cyber Solidarity Act proposal (2023), as in [3].
- [19] Article 11(2), Cyber Solidarity Act proposal (2023), as in [3].
- [20] Article 12(3)(a), Cyber Solidarity Act proposal (2023), as in [3].
- [21] Article 12(3)(b), Cyber Solidarity Act proposal (2023), as in [3].
- [22] Article 12(1), Cyber Solidarity Act proposal (2023), as in [3].
- [23] Article 12(4), Cyber Solidarity Act proposal (2023), as in [3].
- [24] Article 13(2), Cyber Solidarity Act proposal (2023), as in [3].
- [25] Article 13(3), Cyber Solidarity Act proposal (2023), as in [3].
- [26] Article 13(5), Cyber Solidarity Act proposal (2023), as in [3].
- [27] Article 14(1), Cyber Solidarity Act proposal (2023), as in [3].
- [28] Article 14(2), Cyber Solidarity Act proposal (2023), as in [3].
- [29] Article 14(3), Cyber Solidarity Act proposal (2023), as in [3].
- [30] Article 14(6), Cyber Solidarity Act proposal (2023), as in [3].
- [31] Article 18(1), Cyber Solidarity Act proposal (2023), as in [3].
- [32] Article 18(2), Cyber Solidarity Act proposal (2023), as in [3].
- [33] Recital 7, Commission Recommendation (EU) 2021/1086 of 23 June 2021 on building a Joint Cyber Unit.
- [34] Paragraph 5, Council of the European Union, "Council Conclusions on exploring the potential of the Joint Cyber Unit initiative complementing the EU Coordinated Response to Large-Scale Cybersecurity Incidents and Crises" (2021), 12534/21. https://data.consilium.europa.eu/doc/document/ST-13048-2021-INIT/en/pdf
- [35] Paragraph 19, Council of the European Union, "Council Conclusions on exploring the potential of the Joint Cyber Unit initiative complementing the EU Coordinated Response to Large-Scale Cybersecurity Incidents and Crises" (2021), 12534/21, as in [34].
- [36] Recital 21, Article 3, Article 12 and Article 22, Council of the European Union, "Council Conclusions on exploring the potential of the Joint Cyber Unit initiative complementing the EU Coordinated Response to Large-Scale Cybersecurity Incidents and Crises" (2021), 12534/21, as in [34].
- [37] "Directive - 2022/2555 - EN - EUR-Lex". eur-lex.europa.eu. Retrieved 2024-04-12.
- [38] Clasen, Celina. "Cyber Solidarity Act moves ahead in EU Parliament with key committee vote". Euractiv.