The EU Council adopted the Cyber Solidarity Act in December 2024, with it due to come into force on February 4th, 2025. We look at what this piece of legislation means for cybersecurity professionals and employers.

When we come across the word “solidarity”, we immediately think of a collective movement. This is exactly what the EU is looking to achieve with the Cyber Solidarity Act, a piece of legislation intended to deliver bloc-wide, consistent responses and mechanisms for cybersecurity incident alerting, response and review.

The Cyber Solidarity Act and the amendment to the Cybersecurity Act on Managed Security Services were both published on January 15th, 2025, coming into force 20 days later.

The central idea behind the Cyber Solidarity Act is to deliver a legislation-backed framework of collective defense, collaboration, and resource-sharing among countries, government agencies and key organizations to strengthen EU-wide cybersecurity.

As cyber threats become more complex and widespread, the need for greater consistency in collaboration, resource sharing and collective defense has never been greater. The Act seeks to create a more secure and resilient digital world within the EU, while also affecting some organizations outside the EU that operate within it.

Implementing the Act

The Cyber Solidarity Act mandates three main aspects, the implementation of which will harmonize and produce a consistent EU-wide requirement and response to cybersecurity threats and incidents:

  • The deployment of a European Cybersecurity Alert System, based on a network of national and cross-border security operations centers (SOCs) using analytics and AI technologies. Collectively, this alert system will provide real-time awareness to government agencies and other relevant bodies, enabling them to respond to threats and incidents quickly and effectively.
  • A Cybersecurity Emergency Mechanism, designed to enhance incident preparedness and response, primarily through an EU Cybersecurity Reserve and member states supporting each other in their efforts to prepare for, respond to and recover from cybersecurity incidents. The EU Cybersecurity Reserve will be provided by the so-called ‘trusted providers’, an approved group of private companies that can be deployed as needed at the request of the EU or a member state to provide additional support in the event of an incident.
  • The creation of a European Cybersecurity Incident Review Mechanism, led by ENISA, to review and assess specific significant or large-scale incidents, ensuring that lessons can be learned post-incident by all EU member states.

ISC2 Advocating for Members

Functional support for member states and agencies tasked with addressing cybersecurity threats is something that ISC2 firmly supports. As such, we have been working closely with the EU through the specified processes and channels to support the efforts to create this legislation.

During the development of the Cyber Solidarity Act, ISC2 has been engaged in several activities to advocate for members and ensure their views and concerns helped shape the final legislation. This began with ISC2 submitting feedback during the public consultation phase in July 2023. Further engagement with the European Parliament and EU Council then followed, discussing and highlighting the importance of:

  • Mapping roles to the European Cyber Security Skills Framework (ECSF) for procuring services for the EU Cybersecurity Reserve
  • Acknowledging the existing cybersecurity skills gap within the EU and globally
  • Highlighting the need for investments in cybersecurity skills development to support the aims of the act

The advocacy work of ISC2 has directly contributed to several elements of the final act, including:

  • A reference to the European Cyber Security Skills Framework
  • An emphasis on cybersecurity workforce development as the backbone of successful implementation
  • Recognition of the skills gap and the need to also reduce the gender gap in the cybersecurity workforce as part of a wider effort to increase the addressable skills base

Impact on Organizations

Outside of governments and government agencies, the Cyber Solidarity Act won’t directly apply to all private sector organizations, only those operating in “highly critical sectors” such as healthcare, transport and energy. Those that do fall under this classification may be subject to so-called ‘coordinated preparedness testing’ to ensure they meet minimum standards and expectations for critical services and infrastructure.

The Cyber Solidarity Act aims to create a unified approach to cybersecurity across the EU, recognizing that no single member state or critical body can or should have to defend itself in isolation. As cybersecurity threats increase in their complexity and volume, the need for collaboration, resource sharing and collective defense has never been greater. By strengthening international solidarity within the EU, the act seeks to share the burden as well as create a consistent means to both act and share vital information.