On Tuesday 5 December, the Council of Ministers of the Member States responsible for the Digital Agenda discussed the EU Cybersolidarity Act, presented by the European Commission on 18 April (see EUROPE 13164/1).
A major part of the discussions focused on the future cybersecurity reserve, which would have the task of intervening, at the request of a Member State, EU institutions, bodies or agencies, in the event of a major or large-scale cybersecurity incident.
A number of Member States, including France, the Netherlands and Poland, have called for the role of the European Union Agency for Cybersecurity (ENISA) and the Member States to be strengthened as part of this ‘reserve’.
France, for its part, would like to propose a two-tier approach to this issue. The first tier would prioritise European funding for “European entities to foster an incident response ecosystem”, while the second tier would extend the future ‘cyber reserve’ to all Member States of the European Political Community.
“The Member States must be involved at the stage of setting up the reserve, whose governance scheme must be developed within the text, so that the mechanism can be easily ‘activated’”, argued the French Minister for Digital Transition, Jean-Noël Barrot.
“The reserve must be easily accessible and we must also involve third countries”, said Estonian Technology Minister Tiit Riisalo.
Member States call for avoidance of duplication
In addition, a large majority of Member States have also insisted that the future regulation on cyber solidarity should not duplicate existing legislation or structures, in particular as regards the establishment of a network of security operations centres (SOCs) responsible for detecting and countering cyber threats using artificial intelligence, supercomputing and advanced data analysis.
On this point, France would like to retain the voluntary nature of Member States’ participation and “ensure that we do not duplicate the activities of structures that already exist at national level in order to maintain the clarity of governance at national and European level” in the context of the network of ‘SOCs’.
For other Member States, such as Latvia, the issue of ‘SOCs’ currently lacks “clarity”. For Croatia, on the other hand, it is the terminology that will require further discussion and work.
“We need to see how we can consolidate measures, put them in place and avoid duplication”, summarised the Dutch Minister for Digitisation, Alexandra van Huffelen, calling for existing frameworks and structures not to be forgotten.
For his part, while the European Commissioner for the Internal Market, Thierry Breton, acknowledged the importance of respecting “national prerogatives”, he reiterated the need, in the Commission’s view, for collective responses in the field of cybersecurity.
“No single Member State, however powerful, can protect everything that happens on EU territory. (...) When there is a systemic threat, when it crosses borders, we have to intervene together. This is the architecture we need to find. It’s not easy, we’re looking for it and it will have to be put in place within the legislative framework. We need a technical infrastructure, spread across Europe, with ‘SOCs’, supercomputers, algorithms and software developed to assess and detect the threat and respond to it before it arrives”, he declared. (Original version in French by Thomas Mangin)