
INFORMATION TECHNOLOGY

Regulation 2025/35 (Cyber Solidarity Act) comes into force.

On 4 February 2025, Regulation 2025/35, establishing measures to strengthen the Union's solidarity and capacity to detect, prepare for and respond to cyber threats and incidents, and amending Regulation (EU) 2021/694 (Cyber Solidarity Act), was officially published in the Official Journal of the European Union.

The new regulation establishes the EU's capabilities to make Europe more resilient and responsive to cyber threats, while strengthening cooperation mechanisms.

It mainly aims to:

support the detection of and knowledge about significant or large-scale cybersecurity threats and incidents
strengthen preparedness and protect critical entities and essential services, such as hospitals and utilities
reinforce EU-wide solidarity, concerted crisis management and response capacities across Member States
help ensure a secure digital landscape for citizens and businesses

To detect serious cyber threats quickly and effectively, the new regulation establishes a ‘cyber security alert system’, a pan-European infrastructure consisting of national and cross-border computer centres throughout the EU. These centres are responsible for sharing information and detecting and responding to cyber threats. They will strengthen the existing European framework, while the relevant authorities and entities will in turn be able to respond more efficiently and effectively to serious incidents.

The new regulation also provides for the creation of a cybersecurity emergency mechanism to increase preparedness and strengthen incident response capabilities in the EU. This mechanism will support:

preparedness actions, including audits of entities operating in highly critical sectors (health, transport, energy, etc.) to detect potential vulnerabilities based on risk scenarios and common methodologies
a new EU Cybersecurity Reserve consisting of private-sector incident response services that are ready to intervene at the request of a Member State or EU institutions, bodies, offices and agencies, as well as associated third countries, in the event of significant or large-scale cybersecurity incidents
mutual financial assistance

Finally, the new regulation establishes an evaluation and review mechanism to assess, among other things, the effectiveness of actions under the cybersecurity emergency mechanism and the use of the cybersecurity reserve, as well as the contribution of the regulation to strengthening the competitive position of the industrial and services sector.



Targeted amendment of the 2019 Cybersecurity Act.

The targeted amendment aims to strengthen the EU's cyber resilience by enabling the future adoption of European certification schemes for ‘managed security services’. Managed security services, offered to clients by specialised companies, are essential for the prevention, detection, response and recovery from cybersecurity incidents. They can consist of, for example, incident management, penetration testing, security audits and technical assistance advice.

The amendment will enable the introduction of European certification schemes for managed security services. It will help to increase their quality and comparability, promote the emergence of reliable cybersecurity service providers and avoid fragmentation of the internal market, given that some Member States have already started to adopt national certification schemes for managed security services. Pending the regular review of the Cybersecurity Act, due by 28 June 2024, the provisional agreement:

clarifies the definition of ‘managed security services’ and ensures alignment with the revised Directive on Networks and Information Systems (NIS 2)
aligns the security objectives of these certification schemes with the security objectives of other schemes under the current Cybersecurity Act
contains amendments to the annex of the cybersecurity regulation, which includes a list of requirements that conformity assessment bodies must fulfil
specifies that consultation of all relevant stakeholders by ENISA should take place in a timely manner and provides for the possibility of ENISA or the Commission presenting quarterly briefings to the co-legislators on the functioning of the certification schemes