The European Parliament and the Council adopted two new laws under the cybersecurity legislative package to bolster the EU's ability to detect, prepare for, and respond to cyber threats and incidents:

• The Cyber Solidarity Act (Regulation 2025/38);
• The targeted amendment to the Cybersecurity Act (CSA) (Regulation 2025/37).

Both legal acts were published in the EU's Official Journal of 15 January 2025.

These initiatives build on the 2019 CSA, which established the EU's first cybersecurity certification framework (→eucrim 2/2019, 98-99). A provisional agreement on both proposals was reached on 6 March 2024, paving the way for their adoption. The measures were based on proposals introduced by the European Commission on 18 April 2023, which included the European Cyber Shield concept and updates to the CSA (→eucrim 1/2023, 12).

Key Elements of the Cyber Solidarity Act

The legislation established new EU capabilities to enhance resilience against cyber threats and improve cooperation mechanisms. Among its measures is the creation of a cybersecurity alert system, consisting of national and cross-border cyber hubs across the EU. These hubs, using advanced technologies like artificial intelligence and data analytics, will be tasked with detecting and responding to cyber threats while facilitating timely information sharing across borders.

The law also introduced a cybersecurity emergency mechanism to support preparedness and incident response within the EU, such as testing critical sectors (healthcare, transport, energy) for vulnerabilities and creating a new EU cybersecurity reserve. The reserve includes private-sector incident response services ready to assist Member States and EU institutions during significant cybersecurity incidents. Additionally, mutual technical assistance and an incident review mechanism have been established to assess the effectiveness of these measures and their impact on industry competitiveness.

Amendments to the 2019 Cybersecurity Act

The targeted amendment to the CSA aimed to enhance the EU’s cyber resilience by enabling European certification schemes for managed security services. Recognizing the growing importance of services like incident handling, penetration testing, and security audits, the amendment sought to ensure the quality and comparability of these services while preventing market fragmentation. By supporting the development of trusted cybersecurity service providers, this amendment reinforces the EU’s commitment to building a robust cybersecurity framework.

For the EU's work on promoting cyber resilience and ensuring a safe online society and economy, an overview can be found at the European Commission's website "Cybersecurity Policies.