
EU auditors highlight risks in Cyber Solidarity Act


The European Court of Auditors (ECA) warned on Thursday (5 October) that the Cyber Solidarity Act could increase member state reliance on EU funding, as well as create problems with information sharing and add complexity to the European cybersecurity landscape.

The Cyber Solidarity Act, proposed by the European Commission in April, seeks to strengthen EU-wide cybersecurity solidarity and capacities, as well as respond to cyber threats. In June, the European Parliament and the Council formally asked the court to provide its opinion as part of a mandatory process.

While the ECA welcomes the proposal’s objectives to strengthen the EU’s collective cyber resilience, “some risks need to be addressed, in particular when it comes to funding and implementation,” Hannu Takkula, ECA Member, told Euractiv.

“In particular, we highlight the risks that the operation of the European Cyber Shield and its sustainability become dependent on EU financing, that its functioning is impeded by a lack of information sharing, and that the measures introduced by the proposal make the whole EU cybersecurity galaxy more complex,” reads the opinion.

Lina Galvez Munoz, rapporteur and vice president of the ITRE (Industry, Research and Energy) committee, told Euractiv she welcomed the opinion from the court.

“We are working to ensure sustainable financing in the medium and long term for this initiative, to improve and promote information sharing between the different actors involved, and to create an efficient cybersecurity structure in the EU and not duplicate efforts, to ensure the resilience and the open strategic autonomy of the Union,” the rapporteur added.

Funding, Impact Assessment and Performance

The auditors criticised the lack of impact assessment, funding information, performance tracking, and policy evaluation.

According to the opinion, “this proposed Regulation was not subject to an impact assessment” since the Commission introduced the Act as an urgent proposal, thereby limiting information on policy options and costs.

Also lacking are cost estimates for the implementations under the Cyber Solidarity Act, including the Cyber Shield, the Cyber Emergency Mechanism and the Cybersecurity Incident Review Mechanism, the ECA said, as the regulation fails to specify the length of the co-funding by the EU for national and cross-border Security Operations Centres (SOCs).

“As the proposal is not accompanied by an impact assessment, we suggest that the Commission makes these cost estimates available to enhance transparency,” the ECA said.

Another aspect of concern is the newly introduced indicator for cyber incident responsiveness, as it lacks information on measuring the effectiveness of the European Cyber Shield and Cyber Emergency Mechanism.

The ECA also considers the period for the review report on the Cyber Solidarity Act, which is to be submitted four years after its date of application, as “too late” due to the fast-changing cyber threat landscape.

Cyber Shield Assessment

Part of the act is the European Cyber Shield, a measure to improve coordination for cyber threat detection by setting up national and cross-border SOCs.

Auditors fear a potential overlap with existing structures such as Computer Security Incident Response Teams (CSIRTs): “we note that some of the tasks and objectives of national SOCs, cross-border SOCs, CSIRTs, and the CSIRTs network are similar,” reads the opinion, stating that threat detection and response, cyber threat intelligence and situational awareness are overlapping areas.

Auditors called for “clear governance arrangements” on the SOCs’ structures to guarantee effective coordination and criticised the lack of reporting requirements at the EU level for public and private organisations.

“Such a lack of information sharing could undermine the effectiveness and added value of the European Cyber Shield,” states the ECA.

To reduce costs and ensure the compatibility of systems, auditors emphasised the need for swift agreement on interoperability conditions and a high level of security for data infrastructure.

Reviewing the Cyber Emergency Mechanism

The second component of the regulation is the Cyber Emergency Mechanism, a crisis response measure to prepare for adequate reaction to vulnerabilities in critical infrastructures and to ensure recovery from large-scale cyber attacks.

The EU Cybersecurity Reserve can request support, which the Commission will assess with additional help from the EU’s Cybersecurity Agency ENISA.

While in theory, a response upon assessment will be sent “without delay”, the ECA points out that a “pre-defined deadline” and steps for achieving this deadline are lacking in the Act.

Additionally, the funding of actions under the Cyber Emergency Mechanism derogates from the principle of annuality applicable to the EU budget, which states that “unused commitments and payment appropriations are not automatically carried over to the following financial year”.

The auditors consider this rationale applicable only “in response to unpredictable events” and say that a limit should restrict the automatic carry-over to the following year.

Evaluation of the Incident Review Mechanism

The third pillar of the Act is the Cybersecurity Incident Review Mechanism, which lays down the framework to analyse large-scale cyber incidents.

Upon request of the Commission, cybersecurity bodies, including ENISA, can be asked to review cyber incidents and vulnerabilities. However, the regulation does not provide for a specific feedback deadline or incentives to comply with the recommendations.

“We suggest that the proposed Regulation should specify a maximum deadline for the delivery of ENISA’s report after any incident”, the report of the auditors read.

As for the next steps, the proposal for the Cyber Solidarity Act will be discussed, amended if needed, and adopted by the EU Parliament and Council. The ECA estimates this process to be completed “by the end of the year”.

[Edited by Alice Taylor/Nathalie Weatherald]
