Cyber Solidarity Act
Regulation laying down measures to detect, prepare for and respond to cybersecurity threats and incidents (Regulation 2025/38)
Background and Scope
As cybersecurity threats increase in complexity and volume, the Cyber Solidarity Act aims to create a unified approach to them across the European Union. The Act recognizes the need to enhance the resilience of citizens, businesses and entities operating in critical infrastructure against cyber threats, stating that no single Member State or critical body can or should have to defend itself in isolation.
The Cyber Solidarity Act follows a series of recent pieces of cyber legislation intended to improve cyber resilience throughout Europe. The passing of other major cyber regulations, such as NIS2, DORA and the Cyber Resilience Act, is a further example of the EU aiming to secure European nations against digital threats and cybercrime.
Outside of government and government agencies, the Cyber Solidarity Act doesn’t directly apply to private sector organizations, except those in sectors of “high criticality”, such as healthcare, transport, and energy. Entities operating in such sectors can participate in coordinated testing to increase their cyber resilience and undergo preparedness assessments.
Key Obligations
- Establish a European Cybersecurity Alert System: The system is designed to detect cyber threats and incidents and to provide real-time situational awareness to relevant authorities and entities, thereby enabling effective response measures.
- Create a Cybersecurity Emergency Mechanism: The Act establishes a mechanism to enhance preparedness and response capabilities in relation to significant and large-scale cyber incidents.
- Set up a European Cybersecurity Incident Review Mechanism: The Act provides for a mechanism to review and assess significant or large-scale incidents after they have occurred.
The Cyber Solidarity Act entered into force.
The Cyber Solidarity Act was adopted.