European cybersecurity policy must avoid incoherences and overlaps – CSC gave feedback on the Cyber Solidarity Act proposal
CSC welcomes the intention to strengthen EU policy on cybersecurity and considers that the proposed Cyber Solidarity Act addresses a number of important questions. However, instead of creating new regulation and new governance structures, existing ones should be fully leveraged, including certification schemes. It must also be made clear that all actors remain responsible for managing their own cybersecurity incidents. Regulation must not create the impression that responsibility can be outsourced to public authorities.
CSC considers cybersecurity as one of the key issues of the digital decade and welcomes the Commission’s intention to strengthen EU action in the sector and support it with an adequate regulatory framework. A key issue to keep in mind when developing the EU cybersecurity policy is to avoid creating incoherences or overlaps when establishing new regulations and governance structures.
The new Cyber Solidarity Act proposal addresses some very important questions, for example the pooling and sharing of data on cyber threats and incidents, as well as strengthening cooperation between public and private sector actors. However, it is questionable whether the creation of a new regulation with new governance structures and competent authorities is necessary to improve the current situation.
For example, the creation of separate national Security Operations Centres (SOCs) seems superfluous, as the tasks foreseen for the SOCs could be performed by the CSIRTs established under the Cybersecurity Directive. Also, the use of the term SOC for a public function may lead to confusion, as this term is already well established for private sector actors.
As a positive example of relying on existing structures, we welcome the reference to EuroHPC as a partner in developing advanced artificial intelligence and data analytics technologies for the cybersecurity sector. On the other hand, a separate certification scheme for the trusted providers in the framework of the EU Cybersecurity Reserve seems unnecessary considering that existing certification schemes (e.g. ISO/IEC 27001) could be applied instead.
As a general rule, any cybersecurity policy must be mindful of the fact that all actors are responsible for managing their own cybersecurity incidents. Regulation must not create situations where organisations assume that national or European public authorities will manage incidents on their behalf. Cooperation and information sharing can and must be strengthened, but responsibility cannot be outsourced.