Cyber Solidarity Act
Regulation (EU) 2025/38 | |
---|---|
Title: | Regulation (EU) 2025/38 of the European Parliament and of the Council of 19 December 2024 laying down measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cyber threats and incidents and amending Regulation (EU) 2021/694 |
Short title: | Cyber Solidarity Act |
Scope: | EEA |
Legal matter: | Internal market, cybersecurity |
Basis: | TFEU, in particular Art. 173 Para 3 and Art. 322 Para 1 lit a |
Introduction
Regulation (EU) 2025/38 (Cyber Solidarity Act)[1] is an EU initiative to detect, prepare for, and respond to significant and large-scale cybersecurity threats and attacks. The Act includes a European Cybersecurity Warning System, consisting of interconnected Security Operations Centers across the EU, and a comprehensive Cybersecurity Emergency Mechanism to improve the EU's cyber resilience.[2]
Scope of Application
The Cyber Solidarity Act refers to Art. 6 Para 38 NIS II Directive (Art. 2 Para 4 CSA) as well as to activities of entities listed in Annex I or II of the NIS II Directive, which are designated as critical or highly critical sectors (Art. 2 Para 5 CSA).
A general reference to Art. 3 NIS II Directive is absent, which means that the size-independent scope of application of the NIS II Directive is not covered in the basic concept. However, with regard to the use of support from the EU Cybersecurity Reserve, entities are mentioned again in Art. 14 Para 2 CSA. Systematically, this creates the legally questionable impression that the entities of Art. 3 NIS II Directive are covered by the CSA only within this narrow framework and, for example, are not intended to participate in the Cybersecurity Shield.
Core Content
European Cyber Shield
The European Cyber Shield consists of a pan-European infrastructure of National Security Operations Centers (National SOCs) and Cross-border Security Operations Centers (Cross-border SOCs). The SOCs are interconnected and form an EU-wide cybersecurity infrastructure.
Functionality
The European Cyber Shield operates as follows (Art. 3 CSA):
- Detection of cyber threats and incidents by the networked SOCs
- Analysis of collected data using AI and data analytics
- Issuance of cross-border warnings for identified threats
- Enabling faster and more efficient response to major cyber incidents by authorities and relevant entities
The Act contains no discernible obligations for entities to provide data, nor any provisions governing its relationship with the GDPR. The decision of several institutions to share data on cyber threats is voluntary and trust-based. If Member States wish to benefit from the system, they must make it as attractive as possible for the institutions concerned.
Assessment of Critical Entities for Potential Vulnerabilities
The coordinated readiness tests serve to identify potential vulnerabilities in critical infrastructures that could make them susceptible to cyber threats. The tests are conducted in a coordinated manner to assess the cybersecurity readiness of the selected entities. According to Art. 2 Para 9 in conjunction with Art. 11 CSA, potential vulnerabilities are identified, responsiveness to cyber threats is tested, and potential for improvement is examined. Since the Act stipulates no obligation for entities to cooperate, participation in the tests by the tested entities is likely to be voluntary.
Synergies
Cybersecurity Risk Management
CSA
Strengthens the EU's ability to respond to major cyberattacks by promoting a network of national and cross-border Security Operations Centers (SOCs) and strengthening cooperation in cyber crises. The planned network of SOCs is intended to exchange threat data in real time.
NIS2-D
Requires organizations in critical sectors to implement robust cybersecurity measures to increase resilience against cyber threats.
Synergy
The strengthened security infrastructure (e.g., through SOCs) helps companies and public institutions comply with the standards required under the NIS II Directive, especially through early threat detection and information exchange.
Consequences/Penalties
The CSA contains no sanction mechanisms.
Further Reading
Sources
- [1] https://eur-lex.europa.eu/eli/reg/2025/38/oj
- [2] European Commission: The EU Cyber Solidarity Act, https://digital-strategy.ec.europa.eu/en/policies/cyber-solidarity, 08.08.2024