The European Union has enacted two new laws to bolster its cybersecurity defenses and coordination mechanisms. The measures, part of the cybersecurity legislative package, include the Cyber Solidarity Act and amendments to the Cybersecurity Act (CSA). These steps aim to improve the EU’s ability to detect, prepare for, and respond to cyber threats while fostering uniformity in managed security services, the Council of the EU said in a statement.

“In view of the fast-evolving threat landscape, the threat of possible large-scale cybersecurity incidents causing significant disruption or damage to critical infrastructure demands a heightened preparedness of the Union’s cybersecurity framework,” the Council’s statement read.

The legislation will come into effect 20 days after publication in the EU’s official journal.

The Cyber Solidarity Act introduces a new cybersecurity alert system, creating a network of national and cross-border cyber hubs across the EU. These hubs will monitor and act on cyber threats using advanced technologies like AI and data analytics. This coordinated infrastructure is designed to share warnings and actionable insights across borders, ensuring a more unified response to cyber incidents.

“These cyber hubs will use state-of-the-art technology to detect and share timely warnings on cyber threats across borders,” the statement explained.

Analysts noted that while the Act is a positive step, the EU should not stop at regional collaboration.

“Cybersecurity challenges are inherently cross-border and require collaboration to address effectively,” said Faisal Kawoosa, founder and lead analyst at Techarc. “The Solidarity Act is a positive step toward fostering information-sharing and collective learning across the EU. However, its impact could be limited if it doesn’t extend collaboration beyond the region. Threats often originate outside the EU, and working as a single block under the Act could streamline and expedite such efforts within the EU, but broader partnerships may be necessary to achieve global effectiveness.”

To address vulnerabilities in critical sectors such as healthcare, energy, and transport, the act also establishes an emergency mechanism. This includes preparedness measures such as stress testing entities for potential weaknesses and developing common risk scenarios and methodologies.
Streamlining incident response
A key component of the act is the creation of a cybersecurity reserve composed of private-sector response teams. These teams will be on standby to assist member states and EU institutions during significant cyber incidents. The reserve is supported by technical mutual assistance measures that promote collaboration among member states.

Additionally, an incident review mechanism will evaluate the efficacy of these emergency responses, ensuring continuous improvement in the EU’s cybersecurity strategies. This feedback loop will help refine response efforts and identify gaps in preparedness, the statement added.
Addressing practical hurdles
While the unified SOC and enhanced information-sharing mechanisms are pivotal elements of the Cyber Solidarity Act, implementing such a system may encounter challenges.

“Two key challenges stand out,” Kawoosa said. “First, the hybrid system’s effectiveness hinges on extensive information sharing among member nations while balancing compliance with varying domestic data privacy and security laws. Despite having umbrella regulations, nuanced differences persist across countries. Second, establishing a unified Security Operations Center (SOC) will require clear definitions of its functions, limitations, and scope. Coordination with multiple law enforcement agencies across the region will further add complexity.”

These issues underscore the complexities involved in ensuring cross-border cybersecurity collaboration without undermining national regulations or operational efficiency.
Standardizing managed security services
A targeted amendment to the 2019 Cybersecurity Act complements the primary legislation by recognizing the growing importance of managed security services. This provision will enable the development of European certification schemes for specialized cybersecurity interventions, including incident handling, penetration testing, security audits, and technical consulting, the statement added.

The move addresses a critical gap in the current cybersecurity landscape. By creating standardized certification processes, the EU aims to foster trust, increase service quality, and prevent market fragmentation. Some member states had already begun developing national certification schemes, and this legislation provides a unified, comprehensive framework.

“This targeted amendment will enable the establishment of European certification schemes for these managed security services,” the Council’s statement read. “It will help to increase their quality and comparability, foster the emergence of trusted cybersecurity service providers, and avoid fragmentation of the internal market given that some member states have already started the adoption of national certification schemes for managed security services.”

These certifications are expected to help businesses evaluate service providers more effectively, improving confidence in outsourcing critical cybersecurity functions.

“This will create a unified and standardized framework across the region,” Kawoosa noted, highlighting how the framework simplifies compliance, making it easier for businesses to navigate varying regulations in different member states.

The proposals originated from the European Commission on April 18, 2023, and underwent extensive collaborative refinement. On March 6, 2024, co-legislators reached a provisional agreement, marking a significant milestone in digital policy development.

Both legislative acts are set to be published in the EU’s official journal in the coming weeks.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3616165/eu-enacts-new-laws-to-strengthen-cybersecurity-defenses-and-coordination.html