More Cyber-Solidarity!

On 15 January 2025, the Cyber Solidarity Act (Regulation (EU) 2025/38 of 19 December 2024) was published in the Official Journal of the European Union. Its aim is to strengthen the European Union’s solidarity and capabilities in detecting, preparing for, and responding to cyber threats and cybersecurity incidents.

To achieve these objectives, the Regulation establishes a pan-European network for cyberhubs (the European Cybersecurity Alert System) to enhance advanced capabilities for detecting, preventing, and managing data related to cyber threats. The European Cybersecurity Alert System will be based on the voluntary participation of national and cross-border cybersecurity platforms, with their relationships potentially governed by a hosting consortium.

Secondly, “cyber solidarity” will also be promoted through the creation of an cybersecurity emergency mechanism. This mechanism is intended to support the preparation actions, provide assistance in responding to significant cybersecurity incidents, and foster mutual aid.

As part of the support measures package, the establishment of the EU Cybersecurity Reserve is particularly noteworthy. This reserve is designed to assist, among others, Member States’ cyber crisis management authorities and CSIRTs in responding to significant or large-scale cybersecurity incidents or those with equivalent effects.

Users in need of support must submit a request to the contracting entity, which will evaluate it and provide a response within a maximum of 48 hours from the time of submission. The law explicitly excludes any contractual liability on the part of the European Commission, ENISA, or users of the Reserve for damages caused to third parties by services provided under the EU Cybersecurity Reserve.

Finally, a European mechanism for analysing cybersecurity incidents (“European Cybersecurity Incident Review Mechanism”) is also being established. Its purpose is to assess specific significant or large-scale cybersecurity incidents.

The innovations introduced by this Regulation form part of a legislative package aimed at promoting infrastructure resilience. They are intended to complement activities carried out by the CSIRT network, the EU-CyCLONe (Cyber Crisis Liaison Network), and the “NIS Cooperation Group.”

Lastly, amendments are also made to Regulation (EU) 2021/694 of 29 April 2021, which established the Digital Europe Programme.

DOWNLOAD PDF