The Cyber Solidarity Act
The EU Cyber Solidarity Act was officially published on January 15, 2025. It is a new key step in strengthening Europe’s cybersecurity. Set to take effect in February, this legislation aims to help EU countries, including Belgium, better detect, prepare for, and respond to serious cyber incidents that can affect businesses and citizens alike, and to foster solidarity between Member States in times of crisis. It’s all about making sure Europe is more resilient in today’s digital world. Unlike the NIS2 Directive or the Cyber Resilience Act, the Cyber Solidarity Act does not introduce obligations on providers. It is purely voluntary legislation that sets up tools and, above all, funding. Member States can make use of these if they wish, to support their detection, information sharing or crisis response capabilities, especially for NIS2 entities.
Belgium, and specifically the Centre for Cybersecurity Belgium, played a pivotal role in the development and adoption of the Cyber Solidarity Act during its Presidency of the Council of the EU in the first half of 2024. The Centre for Cybersecurity Belgium will continue to play a central role in implementing the Act’s provisions.
What is the Cyber Solidarity Act?
The Cyber Solidarity Act is built on three main pillars:
- A European Cybersecurity Alert System, to improve detection & warning
- A Cybersecurity Emergency Mechanism, to improve response – including setting up a Cyber Reserve
- An Incident Review Mechanism, allowing ENISA to analyze and learn from large-scale incidents.
1. The European Cybersecurity Alert System (ECAS)
Purpose and Establishment
The Solidarity Act sets up the ECAS, a network that connects National Cyber Hubs via Cross-Border Cyber Hubs across the EU. It will help to improve the EU’s ability to detect, analyze, and respond to cyber threats, using advanced technologies and collaboration. While participation by Member States is voluntary, the system will enhance awareness and help prevent incidents across the Union.
Core Functions
The European Cybersecurity Alert System is designed to enhance protection against and responses to cyber threats by strengthening collaboration with key entities, including CSIRTs, the CSIRTs network, EU-CyCLONe, and other relevant authorities. The ECAS pools and analyzes data on cyber threats and incidents from Cross-Border Cyber Hubs, sharing actionable insights and intelligence with these entities to improve situational awareness and detection capabilities across the EU.
The system also issues alerts and provides concrete recommendations, while supporting the development of cutting-edge cybersecurity solutions for the Union’s cybersecurity community.
National Cyber Hubs
Each EU Member State that wishes to participate in the ECAS appoints a National Cyber Hub, a single entity acting under the authority of the Member State. In Belgium, this is the Centre for Cybersecurity Belgium. National Cyber Hubs can act as a reference point and gateway to other public and private organisations at national level for collecting and analysing information on cyber threats and incidents. They are capable of detecting, aggregating, and analysing data and information relevant to cyber threats and incidents, such as cyber threat intelligence, by using state-of-the-art technologies, with the aim of preventing incidents. These hubs can also join forces with other countries through Cross-Border Cyber Hubs to improve coordination and response to cyber threats.
Cross-Border Cyber Hubs
Cross-Border Cyber Hubs are multi-country platforms where at least three EU countries work together to monitor and detect cyber threats. These hubs connect national cybersecurity centers, share data, and use advanced tools to prevent cyber incidents and improve response capabilities. They aim to strengthen cybersecurity by exchanging information and resources in a trusted way, with a group, the Hosting Consortium, overseeing the operations and allowing other countries to join if agreed.
ENISA
ENISA (the EU Agency for Cybersecurity) can ensure the interoperability of Cross-Border Cyber Hubs by issuing guidelines for information-sharing protocols and formats.
Funding
The Digital Europe Programme (DEP) provides the funding for the National Cyber Hubs and the Cross-Border Cyber Hubs and is managed by the European Cybersecurity Competence Centre (ECCC). This funding has a capacity-building aim and covers costs related to the setup of processes, tools, and services, as well as the acquisition of equipment, tools, processes and data feeds. This funding also covers costs related to data analysis, interconnection with Cross-Border Cyber Hubs, etc. To achieve this aim, a call for expression of interest is launched to select entities in Member States that provide the necessary facilities to host and operate National Cyber Hubs. If successful, a joint Procurement Action will be set up with the Member State, and a grant will be available to cover the costs and procurement of the main infrastructure, tools, and services.
Pilot project and existing Cross-border cybersecurity hubs
The Cyber Solidarity Act institutionalizes a pilot project launched in 2021 by the European Commission, as well as the two cross-border cyber hubs that have emerged from it. This pilot project aimed to establish cross-border connected Security Operation Centers (SOCs) across EU Member States. These hubs were designed to enhance cybersecurity across Europe through rapid threat detection, the use of AI, and efficient information sharing. To support this initiative, the Commission allocated funding through the Digital Europe Programme (DEP), tasking consortia of Member States with its implementation under the supervision of the newly established European Cybersecurity Competence Centre (ECCC).
By early 2023, the pilot project had led to the creation of two consortia, which currently remain the only cross-border cyber hubs and which are now institutionalized through the Cyber Solidarity Act. Currently, the ENSOC consortium is led by Spain and Italy, and includes Luxembourg, the Netherlands, Austria, Portugal and Romania as members. The ATHENA consortium is comprised of Cyprus, Bulgaria, Greece, and Malta.
2. The Cybersecurity Emergency Mechanism
Purpose
The Cybersecurity Emergency Mechanism is designed to enhance the EU's resilience to cyber threats by providing financial support for the preparation, mitigation, and response to significant and large-scale cybersecurity incidents. It operates in a spirit of solidarity, complementing Member States' efforts to handle cyber incidents. The mechanism is primarily implemented through the European Cybersecurity Competence Centre (ECCC).
The mechanism funds several types of actions:
- Preparedness Actions: These involve coordinated testing of entities in critical sectors, such as penetration testing and threat assessments. Support for these actions is provided in the form of grants and is voluntary for Member States.
- Incident Response and Recovery: The mechanism includes actions to support the response and recovery from significant cybersecurity incidents. Trusted managed security service providers, part of the EU Cybersecurity Reserve, offer these services.
- Mutual Assistance: This refers to cooperative actions among Member States to assist each other during cyber crises. The Mechanism enables EU Member States to provide technical assistance to one another in the event of significant cybersecurity incidents. This support is granted through specific work programmes.
The EU Cybersecurity Reserve
The EU Cybersecurity Reserve is a key part of this mechanism. It will consist of pre-acquired response services from trusted private providers which can be deployed to support response efforts during large-scale incidents. The Reserve is available to all Member States, Union institutions, and DEP-associated third countries. This means that countries that are not part of the EU but are associated with the DEP, such as Ukraine, could also be supported through this Reserve. The European Commission oversees the Reserve, while ENISA handles its operation and administration.
How does it work?
ENISA will establish the needs of all Member States and procure incident response services from private operators, who will be held on retainer in the ‘Reserve’. Whenever national authorities, Union institutions, or third countries need extra support to help their NIS2 operators deal with a significant incident, they can request support from the Reserve. The providers held in the Reserve will then come to help. After support, users must submit a summary report within two months, and regular reports are made to ensure the Reserve's effectiveness. Services that were pre-acquired but never used can be converted at the end of every year into preparedness actions, such as pentesting.
Criteria for Service Providers
To be eligible for the EU Cybersecurity Reserve, service providers must meet strict criteria, such as having the necessary security clearances for personnel, technical resources, and expertise to perform the required tasks. They must also comply with relevant regulations, including those on the protection of classified information, and have secure IT systems in place.
Most importantly, the amendment to the EU Cybersecurity Act enables the establishment of European certification schemes for managed security services as part of the Cybersecurity Reserve initiative. These certification schemes will help increase the quality and comparability of cybersecurity service providers and will build trust in the system by requiring external providers in the Reserve to adhere to the certification frameworks.
Sectors covered
The Mechanism focuses mainly on critical sectors such as energy, healthcare, finance, water, digital infrastructure, ICT service management, public administration, space, and transport. These are sectors where cybersecurity incidents could have significant societal or economic impacts. It can also apply to other entities essential to the functioning of the digital infrastructure, such as digital providers, manufacturing, waste management, postal and courier services, food and research.
Funding
The Cybersecurity Emergency Mechanism is supported by funding under the Strategic Objective ‘Cybersecurity’ of the DEP and is managed by the ECCC. Voluntary grants through the DEP can be allocated to Member States to fund coordinated preparedness testing, such as penetration testing or threat assessments, as well as mutual assistance actions and other preparedness actions, such as vulnerability or risk monitoring, exercises, and training. The EU Cybersecurity Reserve will be funded primarily through procurement, complemented mostly by grants.
3. European Cybersecurity Incident Review Mechanism
This mechanism aims to assess significant and large-scale cybersecurity incidents by reviewing cyber threats, vulnerabilities, and mitigation actions. At the request of the Commission or of national authorities (the EU-CyCLONe or the CSIRTs network), the EU Cybersecurity Agency (ENISA) will be responsible for reviewing specific significant or large-scale cybersecurity incidents and should deliver a report that includes lessons learned and, where appropriate, recommendations to improve the Union’s cyber response. The report will analyze the incident's causes, vulnerabilities, and lessons learned, while ensuring legal compliance, anonymizing data if needed, and offering recommendations and best practices to enhance EU cybersecurity.