Digital threats: EU Council approves cyber shield and early warning system

The EU Council of Ministers adopted the final draft of a cyber solidarity law on Monday. The aim is to establish and network national and cross-border security operation centers ("hubs") throughout the EU to better identify digital threats, for example with the help of artificial intelligence (AI) and advanced data analysis. The aim is to exchange information on threats such as cyberattacks via the new operations centers and to respond to them "appropriately". According to the EU Commission's original proposal, this early warning system should provide authorities and other competent bodies with "a real-time picture of the situation".

Negotiators from the committee of member states and the EU Parliament agreed on the regulation in principle back in March. According to this, the countries will also establish a mechanism for cyber emergencies. It is intended to improve preparedness and the ability to respond to significant and large-scale IT attacks. The main focus here is on precautionary measures, including tests of facilities in highly critical sectors such as health, transport and energy, with a focus on potential vulnerabilities. To this end, governments must draw up joint risk scenarios. In addition, an EU cybersecurity reserve with emergency services from trusted certified providers should act as a rapid response force. These can be mobilized by EU states, institutions, bodies or agencies as well as third countries if they have joined the "Digital Europe" programme.

EU auditors have serious concerns

At the request of the Commission or national authorities, the EU Agency for Cybersecurity (Enisa) will also be able to investigate certain cybersecurity incidents more closely in the future. It must then submit a report with its findings and recommendations. Member states that provide technical assistance to another EU country in the event of a "significant or large-scale cybersecurity incident" are to receive financial support from EU funds. The Council also gave the green light for an amendment to the Cybersecurity Act of 2019, which will enable the introduction of European certification systems for security services. These include penetration tests, security checks, advice and support. This should help to create a framework for the appointment of trustworthy providers for the planned security reserve.

Parliament has already approved the package. Following the signature of the Presidents of both chambers, both legal acts will now be promulgated in the EU Official Journal in the coming weeks. They will then enter into force on the 20th day following their publication. Last year, the European Court of Auditors warned that the Cybersolidarity Act would make the EU's already confusing "cybersecurity galaxy" even more complex, with numerous overlapping bodies and regulations. The function of the virtual umbrella was also at risk of being impaired by a lack of information exchange between EU countries.

(vbr)