On February 4, 2025, the European Union’s (EU) Cyber Solidarity Act (CSA) entered into force. The CSA aims to harmonize and strengthen the cooperation between EU authorities to improve their capacity to detect and address large-scale cyber threats.
While the CSA does not impose any obligations on companies, those operating in “highly critical” sectors can participate in coordinated preparedness testing to increase their cyber resilience. Companies can also apply to join the EU Cybersecurity Reserve as trusted cybersecurity response service providers. Additionally, companies may benefit from information exchanges with the European Union Agency for Cybersecurity (ENISA), gaining insights into known vulnerabilities and emerging threats.
What You Need to Know
The CSA introduces the following mechanisms to improve preparedness for, detection of, and response to cybersecurity incidents across the EU:
- European Cybersecurity Alert System: EU countries are encouraged to voluntarily participate in a newly established European Cybersecurity Alert System. Participating EU countries must designate National Cyber Hubs, which should work together to exchange information and improve their capabilities to detect, analyze, and prevent cyber threats. The National Cyber Hubs will work alongside the private sector, facilitating the exchange of data to combat cyber threats. These efforts should complement harmonization efforts taken under NIS2. For more information about NIS2, refer to our blog post on NIS2.
- Cybersecurity Emergency Mechanism: The CSA establishes a Cybersecurity Emergency Mechanism to support EU countries and private sector entities in preparing for, responding to, and recovering from large-scale cybersecurity incidents. It will include voluntary coordinated preparedness testing of entities in highly critical and other critical sectors (i.e., entities classified as “essential” or “important” under NIS2, such as cloud services and data center providers, airlines, banks), mutual assistance programs, and support in response to significant cyber threats.
- EU Cybersecurity Reserve: The CSA also establishes an EU Cybersecurity Reserve, composed of trusted response service providers, to support Member States’ cyber crisis management authorities in responding to significant cybersecurity incidents that affect entities operating in sectors of high criticality or entities operating in other critical sectors and EU institutions. To ensure the selection of qualified private service providers, the CSA sets out minimum criteria and requirements that must be included in the call for tenders (e.g., language requirements).
- European Cybersecurity Incident Review Mechanism: ENISA will review and report on large-scale cybersecurity incidents to understand their impact and to improve future responses by EU countries (“lessons learned” reports). Reports can be redacted or anonymized as needed depending on the sensitivity of the information (e.g., actively exploited vulnerabilities that remain unpatched).
Impact on Companies
While the CSA does not impose direct obligations on companies, it may still be relevant to them in several ways:
- Companies in (highly) critical sectors may voluntarily participate in coordinated preparedness testing, which could include penetration testing and threat assessments.
- Companies can apply to join the EU Cybersecurity Reserve as trusted cybersecurity response service providers.
- Companies may benefit from information exchanges with ENISA, gaining insights into known vulnerabilities and emerging threats.
Wilson Sonsini clients who believe they may be experiencing any kind of cybersecurity incident anywhere in the world can contact our experts 24/7 at our incident response hotline, which can be reached at either 32-2-2745777 or 1-650-849-3030.
Wilson Sonsini Goodrich & Rosati routinely advises clients on privacy and cybersecurity issues. For further inquiries about the EU’s cybersecurity regulations, please contact Cédric Burton, Demian Ahn, Laura Brodahl, or any attorney from Wilson Sonsini’s EU data, privacy, and cybersecurity practice.
Matthew Nuding contributed to the preparation of this post.