The ambassadors of the Member States to the EU (Coreper) adopted, on Wednesday 20 December, their position for the forthcoming interinstitutional negotiations (‘trilogues’) on the EU Cyber Solidarity Act.
“Today’s agreement is another step to improve cyber resilience in Europe. It will certainly strengthen EU’s and member states’ capabilities to prepare, prevent, respond, and recover from large-scale cyber threats and attacks in a more efficient and effective manner”, commented Spain’s Minister for Digital Transformation, José Luis Escrivá.
For example, the EU27 will approach future negotiations with the European Parliament with a mandate for the EU’s cybersecurity agency (ENISA) to examine certain cybersecurity incidents and present reports containing lessons learned and recommendations. The European Parliament wants to see ENISA’s role further strengthened, while on 5 December several Member States called for the avoidance of duplication with existing legislation or structures (see EUROPE 13307/2).
In addition, again with a view to avoiding overlap, the EU Council has revised the definitions to bring them into line with other texts, in particular the recently revised directive on networks and information systems (‘NIS 2’) (see EUROPE 13297/25).
The Member States also returned to the issue of setting up a network of Security Operations Centres (SOCs). Over and above the importance, once again, of avoiding duplication, the voluntary nature of Member States’ participation in the mechanisms established by the Commission’s proposal is emphasised throughout the text, which will serve as a basis for the EU Council in future negotiations.
While a number of Member States had pushed for this voluntary approach, the European Commissioner for the Internal Market, Thierry Breton, tempered it on 5 December, pointing out the need, in the Commission’s view, for collective responses in the field of cybersecurity.
The EU Council also clarified the terminology and adapted the text to the specificities of the Member States, in particular with regard to ‘SOCs’ and the cyber shield. Changes have also been made to procurement, funding, information sharing and the incident review mechanism.
The trilogues can now get underway, with the European Parliament having already adopted its position on 7 December (see EUROPE 13309/4). The Commission presented its ‘Cyberspace’ package - which includes the Cyber Solidarity Act - last 18 April (see EUROPE 13164/1). (Original version in French by Thomas Mangin)