Explanatory Memorandum to COM(2023)209 - Measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cybersecurity threats and incidents - Main contents
| dossier | COM(2023)209 - Measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cybersecurity threats ... |
|---|---|
| source | COM(2023)209 |
| date | 18-04-2023 |
1. CONTEXT OF THE PROPOSAL
• Reasons for and objectives of the proposal
This explanatory memorandum accompanies the proposal for a Cyber Solidarity Act. The use of and dependence on information and communication technologies have become fundamental aspects of all sectors of economic activity, as our public administrations, companies and citizens are more interconnected and interdependent across sectors and borders than ever before. This higher uptake of digital technologies increases exposure to cybersecurity incidents and their potential impacts. At the same time, Member States are facing growing cybersecurity risks and an overall complex threat landscape, with a clear risk of rapid spill-over of cyber incidents from one Member State to others.
What is more, cyber operations are increasingly integrated into hybrid and warfare strategies, with significant effects on the target. In particular, Russia’s military aggression against Ukraine was preceded and is being accompanied by a strategy of hostile cyber operations, which is a game changer for the perception and assessment of the EU’s collective cybersecurity crisis management preparedness and a call for urgent action. The threat of a possible large-scale incident causing significant disruption and damage to critical infrastructures demands heightened preparedness at all levels of the EU’s cybersecurity ecosystem. That threat goes beyond Russia’s military aggression against Ukraine and includes continuous cyber threats from state and non-state actors, which are likely to persist, given the multiplicity of state-aligned, criminal and hacktivist actors involved in current geopolitical tensions. In recent years, the number of cyberattacks has increased dramatically, including supply chain attacks aiming at cyberespionage, ransomware or disruption. In 2020, the SolarWinds supply chain attack affected more than 18,000 organisations globally, including government agencies and major companies. Significant cybersecurity incidents can be too disruptive for a single or several affected Member States to handle alone. For that reason, strengthened solidarity at Union level is required to better detect, prepare for and respond to cybersecurity threats and incidents.
As regards detection of cyber threats and incidents, there is an urgent need to increase the exchange of information and improve our collective capacities in order to drastically reduce the time needed to detect cyber threats, before they can cause large-scale damage and costs. While many cybersecurity threats and incidents have a potential cross-border dimension, due to the interconnection of digital infrastructures, the sharing of relevant information among Member States remains limited. Building a network of cross-border Security Operations Centres (SOCs) to enhance detection and response capabilities aims to help address this issue.
As regards preparedness and response to cybersecurity incidents, there is currently limited support at Union level and limited solidarity between Member States. The Council Conclusions of October 2021 highlighted the need to address these gaps by calling for the Commission to present a proposal on a new Emergency Response Fund for Cybersecurity.
This Regulation also implements the EU Cybersecurity Strategy adopted in December 2020, which announced the creation of a European Cyber Shield, reinforcing the cyber threat detection and information sharing capabilities in the European Union through a federation of national and cross-border SOCs.
This Regulation builds upon first steps already developed in close collaboration with the main stakeholders and supported by the Digital Europe Programme (DEP). In particular, on SOCs, a Call for Expression of Interest to jointly procure tools and infrastructure to establish Cross-border SOCs, and a call for grants to enable capacity building of SOCs serving public and private organisations, were held under the DEP cybersecurity work programme 2021-2022. As regards preparedness and incident response, the Commission has set up a short-term programme to support Member States, through additional funding allocated to the European Union Agency for Cybersecurity (ENISA), in order to immediately reinforce preparedness and capacities to respond to major cyber incidents. Both actions have been prepared in close coordination with Member States. This Regulation addresses shortcomings and integrates insights from those actions.
Finally, this proposal delivers on the commitment, in line with the Joint Cyber Defence Communication adopted on 10 November, to prepare a proposal for an EU Cyber Solidarity Initiative with the following objectives: to strengthen common EU detection, situational awareness and response capabilities, to gradually build an EU-level cybersecurity reserve with services from trusted private providers, and to support testing of critical entities.
Against this background, the Commission is putting forward the present Cyber Solidarity Act to strengthen solidarity at Union level in order to better detect, prepare for and respond to cybersecurity threats and incidents through the following specific objectives:
- to strengthen common EU detection and situational awareness of cyber threats and incidents, and thus contribute to European technological sovereignty in the area of cybersecurity;
- to reinforce preparedness of critical entities across the EU and strengthen solidarity by developing common response capacities against significant or large-scale cybersecurity incidents, including by making incident response support available for third countries associated to DEP;
- to enhance Union resilience and contribute to effective response by reviewing and assessing significant or large-scale incidents, including drawing lessons learned and, where appropriate, recommendations.
These objectives shall be implemented through the following actions:
- The deployment of a pan-European infrastructure of SOCs (European Cyber Shield) to build and enhance common detection and situational awareness capabilities.
- The creation of a Cyber Emergency Mechanism to support Member States in preparing for, responding to and immediately recovering from significant and large-scale cybersecurity incidents. Support for incident response shall also be made available to European institutions, bodies, offices and agencies of the Union (EUIBAs).
- The establishment of a European Cybersecurity Incident Review Mechanism to review and assess specific significant or large-scale incidents.
The European Cyber Shield and the Cyber Emergency Mechanism will be supported by funding from the DEP, which this legislative instrument will amend in order to establish the above-mentioned actions, provide for financial support for their development and clarify the conditions for benefitting from the financial support.
• Consistency with existing policy provisions in the policy area
The EU framework comprises several pieces of legislation already in place or proposed at Union level to reduce vulnerabilities, increase the resilience of critical entities against cybersecurity risks and support the coordinated management of large-scale cybersecurity incidents and crises, notably the Directive on measures for a high common level of security of network and information systems across the Union (NIS2), the Cybersecurity Act, the Directive on attacks against information systems, and Commission Recommendation (EU) 2017/1584 on coordinated response to large-scale cybersecurity incidents and crises.
The actions proposed under the Cyber Solidarity Act cover situational awareness, information sharing, as well as support for preparedness and response to cyber incidents. These actions are consistent with and support the objectives of the regulatory framework in place at Union level, notably under Directive (EU) 2022/2555 (‘the NIS2 Directive’). The Cyber Solidarity Act will especially build on and support the existing cybersecurity operational cooperation and crisis management frameworks, in particular European cyber crisis liaison organisation network (EU-CyCLONe) and the computer security incident response teams (CSIRTs) network.
The Cross-border SOC platforms should constitute a new capability that is complementary to the CSIRTs network, by pooling and sharing data on cybersecurity threats from public and private entities, enhancing the value of such data through expert analysis and state-of-the-art tools, and contributing to the development of Union capabilities and technological sovereignty.
Finally, this proposal is consistent with the Council Recommendation on a Union-wide coordinated approach to strengthen the resilience of critical infrastructure, which invites Member States to take urgent and effective measures, and to cooperate loyally, efficiently, in solidarity and in a coordinated manner with each other, the Commission and other relevant public authorities as well as the entities concerned, to enhance the resilience of critical infrastructure used to provide essential services in the internal market.
• Consistency with other Union policies
The proposal is consistent with other crisis emergency mechanisms and protocols, such as the Integrated Political Crisis Response Mechanism (IPCR). The Cyber Solidarity Act will complement these crisis management frameworks and protocols by providing dedicated support for preparedness and response to cybersecurity incidents. The proposal will also be consistent with the EU’s external action in response to large-scale incidents in the framework of the Common Foreign and Security Policy (CFSP), including through the EU Cyber Diplomacy Toolbox. The proposal will complement actions implemented in the context of Article 42 of the Treaty on the European Union or in situations defined in Article 222 of the Treaty on the Functioning of the European Union.
It also complements the Union Civil Protection Mechanism (UCPM), established in December 2013 and complemented by new legislation adopted in May 2021, which strengthens the prevention, preparedness and response pillars of the UCPM, gives the EU additional capacities to respond to new risks in Europe and the world, and boosts the rescEU reserve.
2. LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY
• Legal basis
The legal basis for this proposal is Article 173(3) and Article 322, point (a) of the Treaty on the Functioning of the European Union (TFEU). Article 173 TFEU provides that the Union and the Member States shall ensure that the conditions necessary for the competitiveness of the Union’s industry exist. This Regulation aims at strengthening the competitive position of industry and service sectors in Europe across the digitised economy and supporting their digital transformation, by reinforcing the level of cybersecurity in the Digital Single Market. In particular, it aims at increasing the resilience of citizens, businesses and entities operating in critical and highly critical sectors against the growing cybersecurity threats, which can have devastating societal and economic impacts.
The proposal is also based on Article 322, point (a) TFEU because it contains specific carry-over rules derogating from the principle of annuality set out in Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council (the ‘Financial Regulation’). For the purpose of sound financial management and considering the unpredictable, exceptional and specific nature of the cybersecurity landscape and cyber threats, the Cybersecurity Emergency Mechanism should benefit from a certain degree of flexibility in relation to budgetary management, in particular by allowing unused commitment and payment appropriations for actions pursuing the objectives set out in the Regulation to be automatically carried over to the following financial year. As this new rule raises issues with the Financial Regulation, this matter could be addressed in the context of the current negotiations of the Financial Regulation recast.
• Subsidiarity (for non-exclusive competence)
The strong cross-border nature of cybersecurity threats and the growing number of risks and incidents, which have spill-over effects across borders, sectors, and products, mean that the objectives of the present intervention cannot effectively be achieved by Member States alone and require common action and solidarity at Union level.
The experience of countering cyber threats stemming from the war against Ukraine, together with the lessons learned from a cybersecurity exercise conducted under the French Presidency (EU CyCLES), showed that concrete mutual support mechanisms, notably cooperation with the private sector, should be developed to achieve solidarity at EU level. Against this background, the Council Conclusions of 23 May 2022 on the development of the European Union’s cyber posture call upon the Commission to present a proposal on a new Emergency Response Fund for Cybersecurity.
Support and actions at Union level to better detect cybersecurity threats, and to increase preparedness and response capacities, provide added value because they avoid duplication of efforts across the Union and Member States. They would lead to a better exploitation of existing assets and to greater coordination and exchange of information on lessons learned. The Cyber Emergency Mechanism also envisages providing support to third countries associated to DEP from the EU Cybersecurity Reserve.
The support provided through the various initiatives to be established and funded at Union level will complement and not duplicate national capabilities as regards detection, situational awareness, preparedness and response to cyber threats and incidents.
• Proportionality
The actions do not go beyond what is needed to achieve the general and specific objectives of the Regulation. The actions in this Regulation do not affect Member States’ responsibilities for national security, public security, or the prevention, investigation, detection and prosecution of criminal offences. Nor do they affect the legal obligations of entities operating in critical and highly critical sectors to adopt cybersecurity measures in accordance with the NIS2 Directive.
The actions covered by this Regulation are complementary to such efforts and measures, by supporting the creation of infrastructures for better detection and analysis of threats and providing support for preparedness and response actions in case of significant or large-scale incidents.
• Choice of the instrument
The proposal takes the form of a Regulation of the European Parliament and of the Council. This is the most suitable legal instrument, as only a Regulation, with its directly applicable legal provisions, can provide the necessary degree of uniformity needed for the establishment and operation of a European Cyber Shield and Cyber Emergency Mechanism, by providing for support from DEP for their establishment as well as clear conditions for using and allocating this support.
3. RESULTS OF EX-POST EVALUATIONS, STAKEHOLDER CONSULTATIONS AND IMPACT ASSESSMENTS
• Stakeholder consultations
The actions of this Regulation will be supported by DEP, which was subject to wide consultation. In addition, they will build on first steps that have been prepared in close cooperation with the main stakeholders. As regards SOCs, the Commission has developed a concept paper on the development of cross-border SOCs platforms and a Call for Expression of Interest in close cooperation with Member States in the framework of the European Cybersecurity Competence Centre (ECCC). In this context, a survey of national SOCs capacities was conducted and common approaches and technical requirements have been discussed within the technical working group of the ECCC that gathers representatives of Member States. In addition, exchanges took place with industry, notably through the expert group on SOCs created by ENISA and the European Cyber Security Organisation (ECSO).
Secondly, as regards preparedness and incident response, the Commission has set up a short-term programme to support Member States, through additional funding allocated to ENISA from DEP, to immediately reinforce preparedness and capacities to respond to major cyber incidents. Member States’ and industry’s feedback gathered during the implementation of this short-term programme is already providing valuable insights that have fed into the preparation of the proposed Regulation to address identified shortcomings. This was a first step in line with the Council conclusions on the Cyber posture requesting the Commission to come forward with a proposal for a new Emergency Response Fund for Cybersecurity.
In addition, a workshop with Member States experts on the Cyber Emergency Mechanism was held on 16 February 2023, on the basis of a discussion paper. All Member States participated in this workshop and eleven Member States provided further contributions in writing.
• Impact assessment
Due to the urgent nature of the proposal, no impact assessment was carried out. The actions of this Regulation will be supported by the DEP and are in line with those set in the DEP Regulation, which was subject to a dedicated impact assessment. This Regulation will not entail any significant administrative or environmental impacts beyond those already assessed in the impact assessment of the DEP Regulation.
Furthermore, it builds on first actions developed in close collaboration with the main stakeholders, as set out above, and follows up on Member States’ call for the Commission to present a proposal on a new Emergency Response Fund for Cybersecurity by the end of Q3 2022.
Specifically, regarding situational awareness and detection under the European Cyber Shield, a Call for Expression of Interest to jointly procure tools and infrastructure to establish Cross-border SOCs, and a call for grants to enable capacity building of SOCs serving public and private organisations, were held under the DEP cybersecurity work programme 2021-2022.
In the area of preparedness and incident response, as mentioned above, the Commission has set up a short-term programme to support Member States from DEP, which is being implemented by ENISA. Services covered include preparedness actions, such as penetration testing of critical entities in order to identify vulnerabilities. It also strengthens possibilities to assist Member States in case of a major incident affecting critical entities. The implementation by ENISA of this short-term programme is under way and has already provided relevant insights that have been taken into account in the preparation of this Regulation.
• Fundamental rights
By contributing to the security of digital information, this proposal will contribute to protecting the right to liberty and security in accordance with Article 6 of the EU Charter of Fundamental Rights, and the right to respect for private and family life in accordance with Article 7 of the EU Charter of Fundamental Rights. By protecting businesses from economically damaging cyberattacks, the proposal will also contribute to the freedom to conduct a business in accordance with Article 16 of the EU Charter of Fundamental Rights, and the right to property in accordance with Article 17 of the EU Charter of Fundamental Rights. Finally, by protecting the integrity of critical infrastructure in the face of cyberattacks, the proposal will contribute to the right to healthcare in accordance with Article 35 of the EU Charter of Fundamental Rights, and the right to access to services of general economic interest in accordance with Article 36 of the EU Charter of Fundamental Rights.
4. BUDGETARY IMPLICATIONS
The actions of this Regulation will be supported by funding under Strategic Objective ‘Cybersecurity’ of DEP.
The total budget includes an increase of EUR 100 million that this Regulation proposes to re-allocate from other Strategic Objectives of DEP. This will bring the new total amount available for Cybersecurity actions under DEP to EUR 842.8 million.
Part of the additional EUR 100 million will reinforce the budget managed by the ECCC to implement actions on SOCs and preparedness as part of their Work Programme(s). Moreover, the additional funding will serve to support the establishment of the EU Cybersecurity Reserve.
It complements the budget already foreseen for similar actions in the main DEP and Cybersecurity DEP work programmes for the period 2023-2027, which could bring the total amount to EUR 551 million for 2023-2027, while EUR 115 million were already dedicated in the form of pilots for 2021-2022. Including Member States’ contributions, the overall budget could amount to up to EUR 1.109 billion.
An overview of the costs involved is included in the ‘Legislative financial statement’ accompanying this proposal.
5. OTHER ELEMENTS
• Implementation plans and monitoring, evaluation and reporting arrangements
The Commission will monitor the implementation and application of, and compliance with, these new provisions with a view to assessing their effectiveness. The Commission shall submit a report on the evaluation and review of this Regulation to the European Parliament and to the Council no later than four years after the date of its application.
• Detailed explanation of the specific provisions of the proposal
Contents
Chapter I sets out the objectives of the Regulation to strengthen solidarity at Union level in order to better detect, prepare for and respond to cybersecurity threats and incidents and, in particular, to strengthen common Union detection and situational awareness of cyber threats and incidents, to reinforce preparedness of entities operating in critical and highly critical sectors across the Union and strengthen solidarity by developing common response capacities against significant or large-scale cybersecurity incidents, and to enhance Union resilience by reviewing and assessing significant or large-scale incidents. This Chapter also sets out the actions through which these objectives will be achieved: the deployment of a European Cyber Shield, the creation of a Cyber Emergency Mechanism and the establishment of a Cybersecurity Incident Review Mechanism. It also sets out the definitions used throughout the instrument.
Chapter II establishes the European Cyber Shield and sets out its various elements and the conditions for participation. Firstly, it announces the overall objective of the European Cyber Shield, which is to develop advanced capabilities for the Union to detect, analyse and process data on cyber threats and incidents in the Union, as well as the specific operational objectives. It specifies that Union funding for the European Cyber Shield shall be implemented in accordance with the DEP Regulation.
Further, the chapter describes the type of entities that shall form the European Cyber Shield. The shield shall consist of National Security Operations Centres (‘National SOCs’) and Cross-border Security Operations Centres (‘Cross-border SOCs’). A National SOC shall be designated by each participating Member State. It shall act as a reference point and gateway to other public and private organisations at national level for collecting and analysing information on cybersecurity threats and incidents and contributing to a Cross-border SOC. Following a Call for Expression of Interest, a National SOC may be selected by the ECCC to participate in a joint procurement of tools and infrastructures with the ECCC and to receive a grant for running the tools and infrastructures. If a National SOC benefits from Union support, it shall commit to apply to participate in a Cross-border SOC within two years.
Cross-border SOCs shall consist of a consortium of at least three Member States, represented by National SOCs, who are committed to working together to coordinate their cyber detection and threat monitoring activities. Following an initial Call for Expression of Interest, a Hosting Consortium may be selected by the ECCC to participate in a joint procurement of tools and infrastructures with the ECCC and to receive a grant for running the tools and infrastructures. Members of the Hosting Consortium shall conclude a written consortium agreement which sets out their internal arrangements. This chapter then details the requirements for sharing information among the participants in a Cross-border SOC, and for sharing information between a Cross-border SOC and other Cross-border SOCs, as well as with relevant EU entities. National SOCs participating in a Cross-border SOC shall share relevant cyber threat related information with one another, and the details, including the commitment to share a significant amount of data and the conditions thereof, should be defined in a consortium agreement. Cross-border SOCs shall ensure a high level of interoperability between themselves. Cross-border SOCs should also conclude cooperation agreements with other Cross-border SOCs, specifying information sharing principles. Where Cross-border SOCs obtain information relating to a potential or ongoing large-scale cybersecurity incident, they shall provide relevant information to EU-CyCLONe, the CSIRTs network and the Commission, in view of their respective crisis management roles in accordance with Directive (EU) 2022/2555. Chapter II concludes by specifying the security conditions for participating in the European Cyber Shield.
Chapter III establishes the Cyber Emergency Mechanism to improve the Union’s resilience to major cybersecurity threats and to prepare for and mitigate, in a spirit of solidarity, the short-term impact of significant and large-scale cybersecurity incidents or crises. Actions implementing the Cyber Emergency Mechanism shall be supported by funding from DEP. The Mechanism provides for actions to support preparedness, including coordinated testing of entities operating in highly critical sectors; response to and immediate recovery from significant or large-scale cybersecurity incidents, or mitigation of significant cyber threats; and mutual assistance actions.
The Cyber Emergency Mechanism preparedness actions include the coordinated preparedness testing of entities operating in highly critical sectors. The Commission, after consulting ENISA and the NIS Cooperation Group, should regularly identify relevant sectors or subsectors from the Sectors of High Criticality listed in Annex I of Directive (EU) 2022/2555, from which entities may be subject to the coordinated preparedness testing at EU level.
For the purpose of implementing the proposed incident response actions, this Regulation establishes an EU Cybersecurity Reserve, consisting of incident response services from trusted providers, selected in accordance with the criteria laid down in this Regulation. Users of the services from the EU Cybersecurity Reserve shall include Member States’ cyber crisis management authorities and CSIRTs and Union institutions, bodies and agencies. The Commission shall have overall responsibility for the implementation of the EU Cybersecurity Reserve and may entrust, in full or in part, ENISA with the operation and administration of the EU Cybersecurity Reserve.
To receive support from the EU Cybersecurity Reserve, the users should take their own measures to mitigate the effects of the incident for which the support is requested. Requests for support from the EU Cybersecurity Reserve should include the necessary relevant information about the incident and the measures already taken by the users. The Chapter also describes the implementation modalities, including the assessment of requests to the EU Cybersecurity Reserve.
The Regulation also provides for the procurement principles and selection criteria regarding trusted providers of the EU Cybersecurity Reserve.
Third countries may request support from the EU Cybersecurity Reserve where Association Agreements concluded regarding their participation in DEP provide for this. This Chapter describes further conditions and modalities of such participation.
At the request of the Commission, EU-CyCLONe or the CSIRTs network, ENISA should review and assess threats, vulnerabilities and mitigation actions with respect to a specific significant or large-scale cybersecurity incident. The review and assessment should be delivered by ENISA in the form of an incident review report to the CSIRTs network, EU-CyCLONe and the Commission to support them in carrying out their tasks. When the incident relates to a third country, the report should be shared by the Commission with the High Representative. The report should include lessons learned and, where appropriate, recommendations to improve the Union’s cyber posture.
Chapter V contains amendments to the DEP Regulation, and an obligation for the Commission to prepare regular reports on the evaluation and review of the Regulation for the European Parliament and the Council. The Commission is empowered to adopt implementing acts in accordance with the examination procedure referred to in Article 21 to: specify the conditions for interoperability between Cross-border SOCs; determine the procedural arrangements for the information sharing related to a potential or ongoing large-scale cybersecurity incident between Cross-border SOCs and Union entities; lay down technical requirements to ensure a high level of data and physical security of the infrastructure and to protect the security interests of the Union when sharing information with entities that are not Member States’ public bodies; specify the types and the number of response services required for the EU Cybersecurity Reserve; and specify further the detailed arrangements for allocating the EU Cybersecurity Reserve support services.