As global cyber threats have gone from affecting companies to impacting nations and economies, the European Commission decided to double down on cyber defense across the EU. On February 4, 2025, the European Union’s (EU) Cyber Solidarity Act (CSA) came into effect.

For those keeping up with other recent EU-based cyber law improvements (DORA, The Cyber Resilience Act, NIS 2 Directive), the EU’s Cyber Solidarity Act may seem like just another compliance tool aimed at gradual gains. While it is mandatory for government entities and those within “highly critical sectors,” it should be widely considered and adopted by private sector organizations as well.

Here’s why.

What Is the Purpose Behind the EU’s Cyber Solidarity Act?

The Cyber Solidarity Act is in direct response to growing geopolitical tensions and the new “game-changing” reality of nation-state cyber warfare. According to the Commission, “cyber operations are increasingly integrated in hybrid and warfare strategies, with significant effects on the target.” Particularly noted was the fact that “Russia’s military aggression against Ukraine was preceded and is being accompanied by a strategy of hostile cyber operations, which is a game changer for the perception and assessment of the EU’s collective cybersecurity crisis management preparedness and a call for urgent action.”

Given that these cyber tensions are currently confined to the countries in question, why make an EU-wide regulatory change? Because, as the Commission states, “That threat goes beyond Russia’s military aggression on Ukraine and includes continuous cyber threats from state and non-state actors, which are likely to persist, given the multiplicity of state-aligned, criminal and hacktivist actors involved in current geopolitical tensions.”

With that in mind, EU-based organizations of all types, private or public, would do well to learn the fundamentals of the EU’s latest regulation and adopt the principles of the CSA into their current cyber strategies.

What Are the Objectives of the EU’s Cyber Solidarity Act?

As noted in the Act’s Explanatory Memorandum, “As regards detection of cyber threats and incidents, there is an urgent need to increase the exchange of information and improve our collective capacities in order to reduce drastically the time needed to detect cyber threats, before they can cause large-scale damage and costs.” Seeing the effect that Russian cyberwarfare attacks had on Ukrainian stability and infrastructure, along with other concerning cyber trends (AI-driven attacks, RaaS, polymorphic malware), shortening detection times and speeding up response through the Act is a sensible priority.

To that end, the Cyber Solidarity Act seeks to accomplish three major objectives:

1. “The deployment of a pan-European infrastructure of SOCs (European Cyber Shield) to build and enhance common detection and situational awareness capabilities.

2. Creation of a Cyber Emergency Mechanism to support Member States in preparing for, responding to, and immediate recovery from significant and large-scale cybersecurity incidents. Support for incident response shall also be made available to European institutions, bodies, offices and agencies of the Union (EUIBAs).

3. Establishment of a European Cybersecurity Incident Review Mechanism to review and assess specific significant or large-scale incidents.”

In other words, to …

  • Create a (newly minted) “European Cyber Shield” to improve cyber threat awareness.
  • Centralize preparedness for critical cyber catastrophes across the EU with a network of trusted incident response providers (the “Cyber Emergency Mechanism”).
  • Have all major cybersecurity incidents assessed by a central agency (ENISA in this case).

Essentially, the EU’s CSA seeks to put something “in charge” of overseeing, mitigating, and managing cyber incidents that may occur on a massive, EU-wide scale (or at least on a scale large enough to have repercussions that reverberate throughout Member States). In other words, a “common shield” against cyberattacks. It’s like a city putting in a central fire station, hospital, and police force where neighborhoods were previously given a rule book and left to fend for themselves.

What Are the Main Components of the Act?

To advance its above aims, the Cyber Solidarity Act will rely on the creation and work of a few new “mechanisms.” These include:

European Cybersecurity Alert System

Under the European Cybersecurity Alert System, countries that choose to participate will designate National Cyber Hubs that will serve as points of information exchange. These will work side by side with the private sector with the joint goal of improving the detection, analysis, and prevention of cyber incidents, and should harmonize with NIS 2.

Cybersecurity Emergency Mechanism

The Cybersecurity Emergency Mechanism is designed to provide resources and support to bolster interested EU organizations against a cyberattack. Again, participation is voluntary, but those entities – private sector companies or EU Member States – will be provided access to coordinated preparedness testing, mutual assistance programs, and incident response support.

EU Cybersecurity Reserve

This is the muscle behind the operation and consists of a network of “trusted response service providers” capable of helping Member States respond to major cybersecurity attacks on their critical infrastructure or other “important” sectors. There are minimum standards set out by the Act to be one of these ‘emergency responders,’ as it were.

European Cybersecurity Incident Review Mechanism

Not a drop of learning will be wasted thanks to the European Cybersecurity Incident Review Mechanism, or ENISA’s “lessons learned” reports. These will be assessed and written by ENISA and distributed to Member States following significant cybersecurity attacks so all EU participants can benefit and avoid the same challenges next time. These reports are more about sharing key bits of helpful information than calling out specific entities and can be anonymized or redacted as needed.

Thanks to the CSA, Member States have the support of something “bigger than themselves” when it comes to taking on potentially catastrophic (or at least highly impactful) cybersecurity events. They will have voluntary access to testing and resources before the fact; a network of threat intelligence sharing to participate in and benefit from if they so choose; a team of pre-qualified cyber incident “first responders” if need be, both during the attack and after; and a chance to learn from the experiences of others as attacks are assessed and reported on.

What Challenges May Arise in Implementing the Act?

In theory, the EU’s Cyber Solidarity Act promises to be highly beneficial to all involved (all except the threat actors). However, a few challenges could arise that might prevent the full benefits from being realized.

Threat intelligence sharing: Setting competition aside

A threat intelligence sharing network (the National Cyber Hubs) is only as good as the amount of information that goes into it. Private companies, public organizations, and competing sectors alike will need to set aside differences and be forthcoming with their threat intelligence in order to make this worthwhile. This also requires a certain level of vulnerability and honesty about the attacks an organization has faced, how it was impacted, and how the same attacks could impact others. This may require a shift in mindset from a competitive one to a collaborative one.

Voluntary participation

The fact that many of the helpful support resources (testing, assistance programs, etc.) are voluntary can mean that many organizations will leave the benefits on the table. As often happens, once a cybersecurity incident hits close to home, those numbers might rise.

Meeting Cyber Solidarity Standards for MSPs & MSSPs

While not a challenge to EU Member States (who will benefit from this), cybersecurity providers may find it challenging to meet the requirements put forth by the Act to become one of the “trusted response service providers” on the job. However, if they need to make improvements to be considered, this only creates a stronger cyber defense ecosystem that directly benefits EU organizations.

There will be logistical challenges in securely coordinating the exchange of threat intelligence information among various countries and entities. These challenges include addressing disparities in cybersecurity expertise and resources, aligning public and private sector efforts, and navigating data privacy and sovereignty concerns.

How Does the EU’s Cyber Solidarity Act Stack Up Against DORA, the Cyber Resilience Act, & NIS 2?

Again, many in the EU may be experiencing whiplash from the rapid pace of cybersecurity improvements in 2025 and may be wondering how they all connect, or which ones they must adhere to. Holding the CSA up to other current pieces of cyber legislation – DORA, the Cyber Resilience Act, and NIS 2 – may help organizations get their bearings.

The Cyber Solidarity Act vs. DORA

DORA (the Digital Operational Resilience Act) applies only to financial institutions in the EU, whereas the CSA applies to critical and highly important organizations in all sectors of the EU. DORA focuses on the third-party risk incurred by ICTs (Information and Communication Technologies) supporting the financial sector, while the CSA provides guidance and guidelines for preventing cyber risks of all sorts, regardless of their origin. The same difference applies to the information sharing guidelines of DORA and the CSA (financial entities vs. all entities).

Therefore, financial institutions in the EU must still comply with DORA, while adhering to additional CSA mandates as well (which are complementary rather than competing).

The Cyber Solidarity Act vs. The Cyber Resilience Act

The main difference between the Cyber Solidarity Act and the Cyber Resilience Act is the latter focuses on hardware and software security requirements, while the CSA homes in on operational response. Aiming to enhance the EU’s digital infrastructure, the Cyber Resilience Act prioritizes security-by-design features to help prevent cyberattacks. The Cyber Solidarity Act focuses on widespread response and handling cybersecurity crises at scale.

Digital product security falls under the Cyber Resilience Act, while the CSA addresses response measures, allowing EU entities subject to both regulations to comply without conflict.

The Cyber Solidarity Act vs. NIS 2

The EU’s NIS 2 Directive differs from the Cyber Solidarity Act in purpose and scope. On the surface, the two seem similar. NIS 2 is the EU’s framework for cybersecurity risk management and incident reporting and the CSA is another overarching, EU-wide piece of legislation generally strengthening cybersecurity – but the two go about it in completely different ways.

The key difference? The Cyber Solidarity Act creates emergency response and preparedness mechanisms; those are different from compliance guidelines that can be adhered to by any one company. The CSA calls for overarching oversight by entities like ENISA and for Member State implementation of National Cyber Hubs. It will organize a pool of vetted cyber responders (the EU Cybersecurity Reserve) made up of qualifying security service providers that can support Member States’ cyber crisis management efforts.

Entities that must comply with NIS 2 are essentially the same ones that must comply with the Cyber Solidarity Act (see the list above). However, both are open to adoption by other organizations as well. These entities are subject to both regulations, each addressing different aspects. NIS 2 focuses on cyber preparedness, while the CSA governs cyber incident response.

Why Comply with the EU’s Cyber Solidarity Act?

For entities listed above and EU government agencies, it’s the law. For everyone else, failing to do so could cause several negative repercussions and exclude you from significant digital benefits.

First of all, failing to meet CSA guidelines could negatively impact your ability to land contracts. If the choice is between your entity and another, in today’s highly volatile and dangerous cybersecurity climate, chances are a company that adopts CSA regulations (even voluntarily) will have an advantage. When evaluating the risks of supply chain attacks—both software-related and otherwise—it’s always beneficial to partner with an organization that has implemented comprehensive precautions. Furthermore, voluntarily adhering to the principles of the Cyber Solidarity Act can enhance your reputation, reinforcing your commitment to cybersecurity.

Additionally, it helps to have more information rather than less. Participating in the National Cyber Hubs of the European Cybersecurity Alert System, for example, not only benefits others when you contribute threat research, but allows you to benefit as well. Attackers always target different companies within the same sector, and often with the same exact ploy. Plugging into those networks can help you see what’s coming before you otherwise might. And when the average cost of a data breach is $4.88 million, that could make a huge difference.

Moving Forward

A crippling cybersecurity attack on a critical sector could reverberate across the entire digital landscape of the EU. What happens when a power outage occurs in a central European metropolis, or a swath of servers goes offline, undermining government services, or the water supply gets hacked and poisoned – or a national oil pipeline gets compromised, influencing gas prices and destabilizing economies? The consequences are significant enough that the European Commission decided it was worth the investment to solidify centralized oversight.

With so much at stake, the European Commission seems reluctant to take chances with the stability of EU markets. In today’s world, the stability of digital infrastructures primarily determines their success. The Cyber Solidarity Act seeks to finally leverage the EU’s collective cybersecurity resources in an effort to head off these attacks in a way not seen before. So much latent potential rests in the individual perspectives of EU entities, public and private, and with the CSA, the European Commission seeks to harness that, along with other collective resources, to improve the security stance of the whole.

For help complying with the Cyber Solidarity Act requirements, or any of the latest data protection regulations, speak with a Fortra expert today.

About the Author
Katrina Thompson
An ardent believer in personal data privacy and the technology behind it, Katrina Thompson is a freelance writer leaning into encryption, data privacy legislation and the intersection of information technology and human rights. In addition to Alert Logic, she has written for Bora, Venafi, Tripwire and many other sites.