On 18 April 2023, the European Commission adopted a proposal for the EU Cyber Solidarity Act to strengthen cybersecurity capabilities in the EU. The proposed act will support detection and awareness of cybersecurity threats, bolster preparedness of critical entities, reinforce solidarity, and improve crisis management and response capabilities across member states. Additionally, the Commission presented the Cybersecurity Skills Academy, which will ensure a more coordinated approach to closing the cybersecurity talent gap. The act is a stepping stone toward the second iteration of the Network and Information Security Directive (NIS2) implementation, which is already in the offing. It covers these key themes:
- Improved critical infrastructure resilience. In the Forrester report European Cybersecurity Threats, 2022, we highlighted increased reconnaissance against operational technology (OT) systems, and security leaders share this perspective: over a quarter of them had OT security planned or as a top priority. The Solidarity Act aims to prepare critical infrastructure for attacks by placing an increased focus on vulnerability testing and risk modelling for critical infrastructure.
- Certification for managed security services providers (MSSPs). There have been proposed amendments to the Cybersecurity Act to provide certification schemes for MSSPs. The certifications are a means to evaluate companies in line with NIS2 guidelines to establish a baseline of cybersecurity across the European Union. Security leaders should anticipate additional regulation that limits how much they can leverage the services of providers outside the EU. This Forrester report provides practical advice on how security leaders can navigate European cybersecurity regulation.
- Improved threat detection and coordination across the EU. European organisations have seen increased cybersecurity attacks in recent times. The Russian invasion of Ukraine also brought unwanted attention to European entities, as highlighted in this Forrester report. The European Union seeks to leverage existing policies to build the European Cyber Shield, an international cooperative effort to increase visibility by sharing data among security operations centres (SOCs) across the EU. The participating centres are expected to start operating in 2024.
- Improvements in organisations’ response and resilience capabilities. The act proposes a “cybersecurity incident review mechanism” focused on resilience in order to assess large-scale security incidents and use the lessons learned to improve security. A proposed EU Cybersecurity Reserve comprising incident response services from preapproved providers would also provide support for large-scale incidents. European security leaders can leverage The Forrester Wave™: European Managed Security Services Providers, Q3 2022 when choosing a services provider. The act also aims to enable the provision of financial support between member states toward cybersecurity initiatives. This is topical in light of the current economic climate.
- Closing the European cyber skills and talent shortages. The cybersecurity skills gap appears to be widening in Europe, and the EU is taking steps, from immigration to funding, to close it. As part of the Solidarity Act, a public/private partnership called the Cybersecurity Skills Academy has been set up to provide funding and training to interested candidates. Additional initiatives such as the European Cybersecurity Challenge for students are geared toward this goal. Forrester’s guide to navigating European skill clusters will be invaluable to security leaders facing workforce shortages.
The Act Overlooks Tangential Factors
The act does not deliberate on third-party risk or on strengthening cybersecurity for emerging economies, let alone what kind of impact it would have on applications to join the EU. With third-party vulnerabilities becoming an increasingly frequent European threat vector, national cybersecurity should also be a priority when it comes to joining the European Union. In addition, while the act aims to use lessons learned to improve the EU’s security posture, there is no clear direction on how this influences reporting requirements. Regional differences in data-sharing regulation could hinder collaboration between cross-border teams and the participating SOCs.
Regulation and collaboration are top of mind in the EU, but this often has the unintended effect of stifling innovation. Customers often have to go with what meets “compliance” rather than what is effective. While the efforts of the Solidarity Act are laudable, it is important that the EU does not use the act as another tool to enforce protectionist policies and arm-twist international vendors. We all know how the Gaia-X experiment went.