EU Cyber Solidarity Act (Regulation (EU) 2025/38)
The EU Cyber Solidarity Act builds collective EU capabilities to detect, prepare for, and respond to large-scale cyber incidents, including a cross-border alert system and emergency mechanism. It complements NIS2 and supports critical-sector resilience.
What the EU Cyber Solidarity Act Is
The Cyber Solidarity Act, Regulation (EU) 2025/38, strengthens the EU's collective ability to detect, prepare for, and respond to significant and large-scale cybersecurity incidents. It exists because cyberattacks increasingly cross borders and target critical sectors, and individual member states cannot always respond effectively alone. The regulation establishes shared capabilities to improve situational awareness and mutual assistance across the Union.
Its main components include a European Cybersecurity Alert System (a network of cross-border detection hubs), a Cybersecurity Emergency Mechanism, and an incident review mechanism, supported by ENISA and EU bodies.
Who It Applies To
The regulation primarily creates obligations and capabilities for member states, EU institutions, ENISA, and designated national and cross-border infrastructure. It indirectly affects operators in critical and highly critical sectors that participate in detection, preparedness, and response activities, and it complements obligations under other laws such as NIS2. Private cybersecurity providers may participate, for example, through the EU Cybersecurity Reserve.
Key Requirements
- Detection infrastructure — Support and connect national and cross-border Security Operations Centres to improve early threat detection.
- Information sharing — Share relevant threat intelligence and incident information to build common situational awareness.
- Preparedness — Conduct coordinated preparedness actions, including testing of entities in critical sectors.
- Emergency mechanism — Enable mutual assistance and access to incident response support, including the EU Cybersecurity Reserve.
- Incident review — Support post-incident review to capture lessons and improve resilience.
- Coordination — Cooperate across member states and EU bodies during large-scale incidents.
Penalties for Non-Compliance
The Cyber Solidarity Act is primarily a cooperation and capability-building instrument rather than a penalty-driven obligation on private firms. Enforcement and sanctions for security failures generally flow from related laws such as NIS2 and sector regulations. The practical consequence of non-participation is reduced protection and missed access to shared response support.
How to Comply
Organizations in critical sectors should align their detection and response capabilities with national and EU coordination structures, participate in information sharing where applicable, and prepare to engage with preparedness testing and emergency support mechanisms. Cybersecurity providers can seek participation in the EU Cybersecurity Reserve. Above all, integrate these capabilities with existing NIS2 and incident response obligations so the organization can both contribute to and benefit from collective defense.