Required cookies

This website uses cookies necessary for its operation in order to provide the user with content and certain functionalities (e.g. language selection). You have no control over the use of these cookies.

Website visitor statistics

We collect visitor statistics on the use of the site. The data is not personally identifiable and is only stored in the Matomo visitor analytics tool managed by CSC.

By accepting visitor statistics, you allow Matomo to use various technologies, such as analytics cookies and web beacons, to collect statistics about your use of the site.

Change your cookie choices and read more about visitor statistics and cookies


CSC considers cybersecurity as one of the key issues of the digital decade and welcomes the Commission’s intention to strengthen EU action in the sector and support it with an adequate regulatory framework. A key issue to keep in mind when developing the EU cybersecurity policy is to avoid creating incoherences or overlaps when establishing new regulations and governance structures.

The new Cyber Solidarity Act proposal addresses some very important questions related to e.g. pooling and sharing of data on cyber threats and incidents as well as strengthening the cooperation between public and private sector actors. However, it is questionable whether the creation of a new regulation with new governance structures and competent authorities is necessary to improve the current situation.

For example, the creation of separate national Security Operations Centres (SOCs) seems superfluous as the tasks foreseen for the SOCs could be performed by the CSIRTs established by the Cybersecurity Directive. Also, the use of the term SOC for a public function may lead to confusion as this term is already well-established for private sector actors.

As a positive example of relying on existing structures, we welcome the reference to EuroHPC as a partner in developing advanced artificial intelligence and data analytics technologies for the cybersecurity sector. On the other hand, a separate certification scheme for the trusted providers in the framework of the EU Cybersecurity Reserve seems unnecessary considering that existing certification schemes (e.g. ISO/IEC 27001) could be applied instead.

As a general rule, any cybersecurity policy must be mindful of the fact that all actors are responsible for managing their own cybersecurity incidents. Regulation must not create situations where organisations think national or European public authorities will take care of the management of incidents on their behalf. Cooperation and information sharing can and must be strengthened but responsibility cannot be outsourced.