Actul privind solidaritatea cibernetică și reziliența digitală
Opinion factsheet
Pe această pagină
- Cercetare, inovare și sectorul digital
- Politica digitală și conectivitatea
Opinion number:
CDR-2191-2023
Status:
Adoptat
Objective
to build up a narrative of digital resilience as a key factor in the sustainability of public services in an era of growing reliance on digital technologies, cloud computing, data and interoperable information systems and develop policy recommendations on how LRAs should increase their digital resilience.
to support the CoR being involved in ongoing discussions on strategic resilience of the EU, including its active involvement in drawing up the 2024 Global Trends Report, taking into account the ongoing Russian aggression on Ukraine and growing concerns regarding China 's increasing strategic influence in the EU.
to support the CoR being involved in ongoing discussions on strategic resilience of the EU, including its active involvement in drawing up the 2024 Global Trends Report, taking into account the ongoing Russian aggression on Ukraine and growing concerns regarding China 's increasing strategic influence in the EU.
Impact
The European Parliament, in its Plenary sitting on 24 April 2024, adopted a legislative resolution on the proposal for a regulation of the European Parliament and of the Council laying down measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cybersecurity threats and incidents. It thereby adopted its position at first reading and instructed the President to forward its position to the Council.
Amendments of the CoR were largely not taken into consideration. The Parliament, in first recitals to the legislative act, takes into account the CoR opinion by mentioning vulnerabilities linked to the use and increased dependence on information and communication technologies and makes reference to local authorities being particularly vulnerable, including due to their limited resources.
However, legislative amendments put forward by the CoR, making a clear reference to subnational authorities regardless of whether they are considered highly critical under national law (pursuant to NIS2 Directive), were not taken on board and the Parliament's position does not allow LRAs being directly affected and supported by the proposed regulation.
The only way subnational authorities could be supported is through "Other preparedness actions" under the Cybersecurity Emergency Mechanism, covering vulnerability monitoring, exercises and trainings, where the Parliament has suggested to include also entities in sectors not identified for coordinated testing pursuant to Article 11 of the proposed regulation (sectors of high criticality according to NIS2 Directive.)
Amendments of the CoR were largely not taken into consideration. The Parliament, in first recitals to the legislative act, takes into account the CoR opinion by mentioning vulnerabilities linked to the use and increased dependence on information and communication technologies and makes reference to local authorities being particularly vulnerable, including due to their limited resources.
However, legislative amendments put forward by the CoR, making a clear reference to subnational authorities regardless of whether they are considered highly critical under national law (pursuant to NIS2 Directive), were not taken on board and the Parliament's position does not allow LRAs being directly affected and supported by the proposed regulation.
The only way subnational authorities could be supported is through "Other preparedness actions" under the Cybersecurity Emergency Mechanism, covering vulnerability monitoring, exercises and trainings, where the Parliament has suggested to include also entities in sectors not identified for coordinated testing pursuant to Article 11 of the proposed regulation (sectors of high criticality according to NIS2 Directive.)
Essential points
THE EUROPEAN COMMITTEE OF THE REGIONS
• welcomes the specific objectives of the draft Regulation and the measures proposed therein. It finds it regrettable, however, that despite increasing cyber-attacks, local and regional authorities are not sufficiently covered by the current proposal and therefore proposes a number of legislative changes to address these shortcomings;
• notes that even within countries, there are significant differences between, for example, national authorities and smaller local authorities in terms of both their capabilities and their ambition in the field of cybersecurity. The CoR therefore considers it important for the Regulation to aim to reduce these differences and to ensure that all players involved have relatively equal abilities and ambitions;
• urges the Member States, the Commission and all local authorities to join together to raise awareness of the need for action, including the need to increase investments in digital resilience, particularly on local and regional levels, and to consider developing protective policy instruments targeting financial ransomware attacks. This will require appropriate financial, technical and upskilling efforts;
• requests that, in order to avoid a situation where local authorities responsible for essential operations in some Member States fall outside the scope of the Cyber Solidarity Act, it should be made clear in the legal text that such authorities are considered to be included whether or not they are covered by NIS 2;
• recommends that, within the framework of the European Cyber Shield, indicators should be developed to determine how development and maturity are increasing in connection with the introduction of the Regulation. In the long term, the indicators can feed into a data-based risk-map, demonstrating where the greatest need for action is;
• sees a risk that the Regulation will create more work, stretching already tight resources. It is therefore important to ensure that the Regulation does not become a burden, but rather that it increases the capacity of each organisation by means of concrete tools, methods and support.