The European Union has taken a significant step forward in its cybersecurity framework with the adoption of the Cyber Solidarity Act[1] on 2 December 2024. This landmark regulation – which entered into force on 4 February 2025 – represents a comprehensive approach to strengthening the Union’s collective resilience against the increasingly sophisticated cyber threats that endanger critical infrastructure, essential services, and the digital economy as a whole.
The Context: Rising Cyber Threats in a Connected Europe
The magnitude, frequency, and impact of cybersecurity incidents across the European Union have been steadily increasing, with attacks often targeted at public services and critical infrastructure. As noted in the regulation, these incidents “can impede the provision of public services… impede the pursuit of economic activities… generate substantial financial losses, undermine user confidence, cause major damage to the economy and the democratic systems of the Union, and could even have health or life-threatening consequences”[2].
The unpredictable and fast-evolving nature of these cyber threats, coupled with their ability to spread instantly across borders, necessitates a coordinated European response. The Cyber Solidarity Act establishes this response through three primary mechanisms that enhance detection capabilities, emergency response, and post-incident learning.
The Three Pillars of Cyber Solidarity
The European Cybersecurity Alert System
The first pillar establishes a pan-European network of cyber hubs designed to build and enhance coordinated detection and common situational awareness capabilities. This system will consist of National Cyber Hubs in participating Member States, connected through Cross-Border Cyber Hubs that bring together at least three countries.
The European Cybersecurity Alert System aims to pool relevant data and information on cyber threats from various sources, enhance the coordinated detection of threats, and contribute to a common situational awareness across the Union. By leveraging state-of-the-art technology for advanced collection of relevant data and analytics tools, this infrastructure will significantly improve the EU’s ability to detect and prevent cyber threats before they cause widespread damage.
The Cybersecurity Emergency Mechanism
The second pillar addresses the need for rapid and effective response when significant incidents do occur. The Cybersecurity Emergency Mechanism will support Member States in preparing for, responding to, mitigating the impact of, and initiating recovery from significant cybersecurity incidents and large-scale cybersecurity incidents.
A central component of this mechanism is the EU Cybersecurity Reserve, which will consist of response services from trusted managed security service providers. This reserve can be deployed upon request in all Member States, EU institutions, and associated third countries to assist in incident response and recovery.
The Emergency Mechanism also supports coordinated preparedness testing of entities operating in sectors of high criticality, ensuring that critical infrastructure across the Union is regularly assessed for vulnerabilities and readiness.
The European Cybersecurity Incident Review Mechanism
The third pillar establishes a framework for learning from significant incidents. At the request of the Commission or EU-CyCLONe (the EU Cyber Crisis Liaison Organisation Network), ENISA will review and assess cyber threats, known exploitable vulnerabilities, and mitigation actions with respect to specific significant or large-scale cybersecurity incidents.
These reviews will result in incident reports that analyze the causes, impacts, and lessons learned, helping to improve the Union’s overall cyber posture and prevent similar incidents in the future.
Building on Previous Legislation: An Evolving Framework
The Cyber Solidarity Act does not exist in isolation but builds upon and complements the existing EU cybersecurity framework. It enhances the capabilities established by the NIS2 Directive (Directive (EU) 2022/2555)[3], which already requires Member States to designate competent authorities, establish CSIRTs, and ensure that entities in critical sectors implement appropriate risk management measures.
Similarly, it works in conjunction with the Cybersecurity Act (Regulation (EU) 2019/881)[4], which strengthened ENISA’s mandate and established a framework for European cybersecurity certification. The new regulation amends the Digital Europe Programme (Regulation (EU) 2021/694)[5] to support the implementation of these new cyber solidarity measures with appropriate funding.
As noted in the regulation, “The Union has already taken a number of measures to reduce vulnerabilities and increase the resilience of critical infrastructure and entities against risks”[6]. The Cyber Solidarity Act represents the next evolutionary step in this ongoing effort, focusing particularly on cross-border cooperation and solidarity.
Practical Implementation and Impact
The implementation of the Cyber Solidarity Act involves several practical aspects that will significantly enhance the EU’s cybersecurity posture:
Cross-Border Cooperation Through Cyber Hubs
The establishment of Cross-Border Cyber Hubs represents a new model of international cooperation in cybersecurity. Each hub will bring together at least three Member States to share information, tools, and capabilities in a trusted environment. Participating in these hubs is voluntary for Member States, but the regulation creates strong incentives for participation by making certain funding conditional on joining a Cross-Border Cyber Hub.
These hubs will facilitate the exchange of relevant information such as data from networks and sensors, threat intelligence feeds, indicators of compromise, and information about incidents, threats, and vulnerabilities. This shared intelligence will significantly improve the ability of all Member States to detect and respond to threats.
The EU Cybersecurity Reserve
The EU Cybersecurity Reserve establishes a mechanism for rapid deployment of cybersecurity expertise and services when significant incidents occur. This reserve will include pre-committed services from trusted managed security service providers that can be quickly mobilized to assist Member States, EU institutions, or eligible third countries.
To ensure the quality and reliability of these services, providers must demonstrate the highest degree of professional integrity, independence, and technical competence. They must also comply with strict security requirements and have appropriate clearances for handling sensitive information.
Funding and Resources
The actions under the Cyber Solidarity Act will be supported by funding from the Digital Europe Programme[7], specifically under its Specific Objective 3, which aims to guarantee the resilience, integrity, and trustworthiness of the Digital Single Market.
Given the unpredictable nature of cybersecurity incidents, the regulation allows for flexibility in financial implementation, including the carry-over of unused appropriations to ensure that resources are available when needed for emergency response.
Conclusion: A Stronger, More Resilient Digital Europe
The Cyber Solidarity Act represents a significant advancement in the EU’s approach to cybersecurity. By establishing robust mechanisms for detection, response, and learning, and by fostering greater solidarity and cooperation among Member States, the regulation addresses the transnational nature of cyber threats in the digital age.
As stated in the regulation itself, the objectives of “reinforcing the competitive position of industry and services in the Union across the digital economy”[8] and “contributing to the Union’s technological sovereignty and open strategic autonomy in the area of cybersecurity”[9] cannot be achieved by Member States acting alone. The Cyber Solidarity Act provides the framework for the collective action needed to protect Europe’s digital future.
As cyber threats continue to evolve in sophistication and impact, this regulation ensures that the European Union’s response evolves as well, maintaining the resilience and security of the digital infrastructure that underpins modern European society.
[1] https://eur-lex.europa.eu/eli/reg/2025/38/oj/eng (Cyber Solidarity Act)
[2] Regulation (EU) 2025/38 (Cyber Solidarity Act), Recital (2)
[3] https://eur-lex.europa.eu/eli/dir/2022/2555
[4] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32019R0881&qid=1742201096784
[5] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021R0694&qid=1742201153416
[6] Regulation (EU) 2025/38 (Cyber Solidarity Act), Recital (4)
[7] https://digital-strategy.ec.europa.eu/en/activities/digital-programme
[8] Regulation (EU) 2025/38 (Cyber Solidarity Act), Article 1(2)
[9] Id.