Regulation 2025/38 - Measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cyber threats and incidents and amending Regulation (EU) 2021/694 (Cyber Solidarity Act)

Please note

This page contains a limited version of this dossier in the EU Monitor.

1.

Current status

This regulation entered into force on February  4, 2025.

2.

Key information

official title

Regulation (EU) 2025/38 of the European Parliament and of the Council of 19 December 2024 laying down measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cyber threats and incidents and amending Regulation (EU) 2021/694 (Cyber Solidarity Act)
 
Legal instrument Regulation
Number legal act Regulation 2025/38
Original proposal COM(2023)209 EN
CELEX number i 32025R0038

3.

Key dates

Document 19-12-2024; Date of signature
Signature 19-12-2024
Effect 04-02-2025; Entry into force Date pub. +20 See Art 26
Deadline 05-02-2027; Review See Art 25.1
05-02-2030; See Art 23.2
End of validity 31-12-9999

4.

Legislative text

 

Official Journal

of the European Union

EN

L series

 

 

2025/38

15.1.2025

REGULATION (EU) 2025/38 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

of 19 December 2024

laying down measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cyber threats and incidents and amending Regulation (EU) 2021/694 (Cyber Solidarity Act)

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 173(3) and Article 322(1), point (a), thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

Having regard to the opinion of the Court of Auditors (1),

Having regard to the opinion of the European Economic and Social Committee (2),

Having regard to the opinion of the Committee of the Regions (3),

Acting in accordance with the ordinary legislative procedure (4),

Whereas:

 

(1)

The use of and dependence on information and communication technologies have become fundamental aspects in all sectors of economic activity and society in light of the ever increasing interconnectedness and interdependence of Member State public administrations, businesses and citizens across sectors and borders, simultaneously introducing possible vulnerabilities.

 

(2)

The magnitude, frequency and impact of cybersecurity incidents, including supply chain attacks for the purposes of cyberespionage, ransomware or disruption, are increasing at Union and global level. They represent a major threat to the functioning of network and information systems. In view of the fast-evolving threat landscape, the threat of possible large-scale cybersecurity incidents causing significant disruption or damage to critical infrastructure demands a heightened preparedness of the Union’s cybersecurity framework. That threat goes beyond Russia’s war of aggression against Ukraine, and is likely to persist given the multiplicity of actors involved in current geopolitical tensions. Such incidents can impede the provision of public services as cyberattacks are frequently targeted at local, regional or national public services and infrastructure, with local authorities being particularly vulnerable, including due to their limited resources. They can also impede the pursuit of economic activities, including in sectors of high criticality or other critical sectors, generate substantial financial losses, undermine user confidence, cause major damage to the economy and the democratic systems of the Union, and could even have health or life-threatening consequences. Moreover, cybersecurity incidents are unpredictable, as they often emerge and evolve quickly, not contained within any specific geographical area, and occurring simultaneously or spreading instantly across many countries. It is important to have close cooperation between the public sector, the private sector, academia, civil society and the media.

 

(3)

It is necessary to strengthen the competitive position of industry and services in the Union across the digital economy and support their digital transformation, by reinforcing the level of cybersecurity in the Digital Single Market as recommended in three different proposals of the Conference on the Future of Europe. It is necessary to increase the resilience of citizens, businesses, including microenterprises, small and medium-sized enterprises and startups, and entities operating critical infrastructure, against increasing cyber threats, which can have a devastating societal and economic impact. Therefore, investment is needed in infrastructure and services and building capabilities to develop cybersecurity skills that will support a faster detection of and a faster response to cyber threats and incidents. In addition, Member States need...


More

This text has been adopted from EUR-Lex.

5.

Original proposal

 

6.

Sources and disclaimer

For further information you may want to consult the following sources that have been used to compile this dossier:

This dossier is compiled each night drawing from aforementioned sources through automated processes. We have invested a great deal in optimising the programming underlying these processes. However, we cannot guarantee the sources we draw our information from nor the resulting dossier are without fault.

 

7.

Full version

This page is also available in a full version containing de geconsolideerde versie, the legal context, de Europese rechtsgrond, other dossiers related to the dossier at hand and finally the related cases of the European Court of Justice.

The full version is available for registered users of the EU Monitor by ANP and PDC Informatie Architectuur.

8.

EU Monitor

The EU Monitor enables its users to keep track of the European process of lawmaking, focusing on the relevant dossiers. It automatically signals developments in your chosen topics of interest. Apologies to unregistered users, we can no longer add new users.This service will discontinue in the near future.