

In April 2023, the European Union (EU) finalized the text of its USD 1.2 billion Cyber Solidarity Act (CSA), regulations designed to strengthen common EU detection, situational awareness, and response to cyber incidents, particularly as cyber operations are increasingly integrated into state-driven hybrid warfare activities. With a goal of being operational in early 2024, the text of the CSA must still be debated in the European Parliament. Referred to as a “cyber shield,” the CSA will rely on the coordination and cooperation of security operations centers (SOCs) to provide timely and relevant threat intelligence for regional defenders. It will establish training and mutual assistance procedures, and create a “cyber reserve” recruited from trusted private sector service providers. As of November 2022, approximately 17 EU member states and three SOCs were already engaged in testing during the first phase under the Digital Europe Programme. The CSA appears to be structured around three pillars: promoting the ability to share information across platforms; testing certain highly critical entities in sectors deemed essential under the EU’s NIS2 Directive; and requiring private providers of managed security services to help EU member states with incident response and recovery from impactful cyber incidents.

The CSA comes at a time when Europe is in the front row of the ongoing Russia-Ukraine war, in which cyber activities by state and nonstate proxy groups have spilled over into other countries on the European continent, demonstrating that geopolitical conflict in cyberspace will not be limited to state participants. Cyber resilience is an important underpinning of the CSA, highlighting the need for the EU to be able to function in a contested cyber environment. One key component of the CSA is the establishment of the Cybersecurity Incident Review Mechanism to assess and review specific cyber incidents and serve as a complement to other EU cybersecurity organizations. The services the Mechanism will provide include incident analysis and response coordination and, in the case of large-scale cyber attacks, support for Member States with immediate remediation and recovery.

However, as with any ambitious piece of cyber legislation, the CSA is not without its detractors. Recently, the European Court of Auditors (ECA) raised concerns that the CSA could substantially increase EU member states’ reliance on EU funding, with financial consequences for sustaining the effort over time. Specifically, the ECA brought up the challenges associated with ensuring sustainable financing in the medium and long term, suggesting that long-term needs have not been fully considered. The ECA also brought attention to the fact that, while information sharing is a pivotal mechanism in the CSA, its full implementation could be difficult to achieve due to the complexities of the European cybersecurity landscape. The ECA criticized the absence of an impact assessment to provide better context on the potential drawbacks of CSA implementation, and the as-of-now lack of a mechanism to track performance, record milestones, and evaluate policy.

However, the EU institution isn’t the only source of apprehension. More than 50 cybersecurity experts signed an open letter and sent it to EU policymakers expressing worry about several aspects of the CSA, especially the part governing vulnerabilities, which forces disclosure whether or not a fix is available. They argue that the requirements mandating organizations to notify government agencies about software vulnerabilities within 24 hours could undermine “the security of digital products and the individuals that use them.” According to the former head of the United Kingdom’s National Cyber Security Centre, government agencies would have access to a real-time database containing these unpatched vulnerabilities, potentially risking their misuse and discouraging threat researchers from finding and reporting these flaws. In this way, government pressure to compel organizations to report vulnerabilities before vendors are able to patch them is perceived as running counter to the spirit of cybersecurity.

Finally, while the intent behind the CSA is to drive cybersecurity and cyber resilience via common cybersecurity standards for digital products, there is concern about how the CSA could affect open source developers, thereby impacting projects across various sectors, including critical infrastructure. Open source code accounts for nearly 70-90% of modern applications, and under the current CSA draft there is a noticeable absence of exemptions for open source, which could pose a risk to EU innovation as well as global collaboration, according to one supply chain company. Apparently, the CSA attempts to draw a line between commercial and non-commercial use of open source software, relying on “commercial benefit” to determine whether it is subject to CSA compliance. The troubling ambiguity lies in open source software that is developed and supplied outside the parameters of commercial activity, which raises several questions about how the CSA applies to it.

Nevertheless, the CSA is a much-needed first step in promoting cyber resilience – the clarion call of the cyber security industry. To be fair, there is much to be optimistic about in the proposed legislation, especially its recognition of the need to strengthen public-private partnerships. It’s difficult to advocate that cybersecurity is everyone’s responsibility if everyone is not elevated to the security table as equals. This includes not just companies but other developers of technology as well. The Ukraine war has aptly demonstrated that cyber resiliency is extremely effective when these partnerships are leveraged consistently across several state stakeholders in a multi-pronged approach to sustain cyber resilience. What’s more, the EU is perfectly positioned to build on these successes within its own tested European ecosystem.

As the cyber environment is increasingly abused during periods of geopolitical conflict, there is great potential for regions like the EU to leverage laws like the CSA as protectionist measures. While this may certainly help bolster cybersecurity in the form of a “cyber shield,” such regulations, if enacted, risk harming other areas that might benefit the EU, such as technological innovation and foreign vendor contributions. There needs to be more consideration and clarification of how the CSA is implemented to avoid unnecessary misinterpretation. Ultimately, shields certainly provide protection, but used improperly they can unintentionally isolate those they were created to protect.

Emilio Iasiello

About the Author

Emilio Iasiello

Emilio Iasiello has nearly 20 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in such peer-reviewed journals as Parameters, Journal of Strategic Security, the Georgetown Journal of International Affairs, and the Cyber Defense Review, among others. All comments and opinions expressed are solely his own.