Cyber Solidarity Act enters into force

The European Union’s Cyber Solidarity Act (CSA) came into force on February 4, 2025 aiming to enhance cooperation among EU authorities to address large-scale cyber threats. Although the CSA does not mandate obligations on companies, those in highly critical sectors can engage in coordinated preparedness testing to bolster cyber resilience. Additionally, companies can apply to join the EU Cybersecurity Reserve as trusted response service providers and benefit from information exchanges with the European Union Agency for Cybersecurity (ENISA) to gain insights into vulnerabilities and threats.

The CSA introduces several mechanisms to improve cybersecurity preparedness, detection, and response across the EU. The European Cybersecurity Alert System encourages EU countries to participate voluntarily, designating National Cyber Hubs to exchange information and enhance threat detection and prevention capabilities. The Cybersecurity Emergency Mechanism supports EU countries and private entities in preparing for and recovering from significant cyber incidents through coordinated testing, mutual assistance programs, and response support.

An EU Cybersecurity Reserve is established to support Member States’ crisis management authorities during significant incidents affecting highly critical sectors. The CSA outlines criteria for selecting qualified private service providers for this reserve. Furthermore, the European Cybersecurity Incident Review Mechanism enables ENISA to review large-scale incidents to improve future responses, with reports that may be anonymized based on sensitivity.

While the CSA does not impose direct obligations on companies, it remains relevant to those in critical sectors. Companies can voluntarily participate in preparedness testing, apply to join the Cybersecurity Reserve, and benefit from ENISA’s information exchanges. Legal experts, including Wilson Sonsini Goodrich & Rosati, offer guidance on navigating these regulations.