EU Cyber Solidarity Act

Purpose: The EU Cyber Solidarity Act seeks to strengthen cybersecurity capacities within the European Union and enhance the EU’s ability to detect, prepare for, respond to and recover from significant or large-scale cybersecurity threats and attacks.  The Act reinforces coordinated actions from the EU by introducing a European Cybersecurity Alert System, a Cybersecurity Emergency Mechanism and a Cybersecurity Incident Review Mechanism. These interconnected systems will improve the detection, analysis and response to cyber threats while minimizing their impact.

Scope: Unlike the NIS 2 Directive (Directive (EU) 2022/2555), which establishes requirements for how service providers must act to prevent, manage, and minimize the consequences of cyberattacks, as well as reporting obligations and responsibilities of management bodies, the Cyber Solidarity Act focuses on operational response at the EU level. The Act is particularly relevant to governments and government agencies, as they are responsible for implementing its three core measures within each member state. As part of the European Cybersecurity Alert System, each member state must designate a cyber crisis managing authority which may collaborate with private sectors. Consequently, the Act is also relevant to private service providers in the security sector.

Additionally, entities in critical sectors, such as healthcare, finance, transport and energy, will be subject to “coordinated preparedness testing” to ensure they meet the minimum requirements for critical services and infrastructure.

Core obligations: Member States are required to designate National Cyber Hubs, which will operate within a pan-European infrastructure to detect and analyze information on cybersecurity threats and incidents in real-time.

Additionally, the Cybersecurity Emergency Mechanism establishes obligations for a pre-selected group of private companies, which will provide incident response services upon request.