The European Commission has signed a €36 million agreement with the European Union Agency for Cybersecurity (ENISA) to establish and administer the EU Cybersecurity Reserve. Funded through the Digital Europe Programme (DEP) under the Cyber Solidarity Act, the initiative aims to strengthen the cyber resilience of the EU, its Member States, and, under certain conditions, third countries associated with DEP.
Announced on Tuesday, the EU Cybersecurity Reserve will support the response to and recovery from significant and large-scale cyber incidents. It will consist of incident response services from trusted service providers that can be deployed to help address such cybersecurity incidents faced by EU Member States, EU institutions, bodies, and agencies, where applicable, and DEP-associated third countries. In responding to or supporting responses to cybersecurity incidents, it will cover ex-post services.
The reserve can be utilised for entities operating in critical and highly critical sectors under the NIS2 Directive, such as the health or energy sectors.
The EU Cybersecurity Reserve is expected to be fully operational at the end of this year. With the ENISA Cybersecurity Support Action due to end in 2026, the upcoming launch of the EU Cybersecurity Reserve emerges at the right time. Member States still running the current programme will have time ahead to prepare and request Cybersecurity Reserve services.
The Cyber Solidarity Act provides that the European Commission shall entrust the operation and administration of the EU Cybersecurity Reserve, in full or in part, to ENISA. The fact that this critical task was entrusted to ENISA underscores the high level of cooperation between the Commission and ENISA and the Commission’s confidence that ENISA delivers operational capacity to the cybersecurity stakeholders involved.
Through this agreement, ENISA will spend the €36 million contribution over three years on incident response services, procuring services for the reserves through public procurement calls, and assessing requests for services from the reserve. The EU Cybersecurity Reserve will provide cybersecurity services to support EU entities in responding to and recovering from major cyber incidents.
“Being entrusted with such prominent project puts ENISA in the limelight as a dependable partner to the European cybersecurity community and it allows ENISA to break new ground towards an even more cyber secure digital single market,” Juhan Lepassaar, executive director at ENISA, said in a media statement.
The EU Cybersecurity Reserve, outlined in Article 14 of the EU Cyber Solidarity Act, provides incident response services through trusted managed security service providers. It is designed to be activated during major cybersecurity incidents to support response efforts and accelerate recovery. To ensure the effective use of Union funding, pre-committed services under the EU Cybersecurity Reserve should be convertible, in accordance with the relevant contract, into preparedness services related to incident prevention and response if those pre-committed services are not used for incident response.
Once appointed as the contracting authority, ENISA will be responsible for procuring services for the EU Cybersecurity Reserve, as well as assessing requests for support from Member States’ cyber crisis management authorities and CSIRTs, or from CERT-EU on behalf of Union institutions, bodies, offices, and agencies.
The EU Cybersecurity Reserve could also contribute to strengthening the competitive position of industry and services in the Union across the digital economy, including microenterprises, SMEs, and start-ups, by providing incentives for investment in research and innovation.
ENISA looks forward to cooperating with such companies to increase the competitiveness of the EU cybersecurity market. Trusted managed security services providers selected to be included in the EU Cybersecurity Reserve have all successfully passed the ownership control assessment (OCA) conducted to determine whether they are directly or indirectly controlled by Member States or by nationals of Member States (or by entities or nationals of specified eligible countries).
The EU Cybersecurity Reserve is included in the Digital Europe Work Programme 2025-2027, which earmarks €36 million to strengthen response and reporting to cyber threats and incidents across the EU, including through the creation of the Reserve. The action fits within the mandate of the Agency, further contributing to boosting the cyber resilience of the Union through supervision of the provision of high-quality cybersecurity services.
Over the past years, ENISA has been receiving funds through contribution agreements on top of its yearly budget to specifically implement flagship projects concerning cybersecurity in the EU under the DEP Work Programmes. This has been the case for activities such as the ENISA Support Action, the Single Reporting Platform under the Cyber Resilience Act, and contributing to the Cyber Analysis and Situation Centre.
Such contributions are typically allocated for three-year periods to match the duration of services to be provided. This new contribution agreement provides €36 million over three years to implement these services. ENISA will effectively be added on top of its annual budget of €26.9 million for 2025, and it will serve the specific operational purpose of monitoring the services to be offered for three consecutive years.
ENISA will be procuring services for the EU Cybersecurity Reserve. The Agency will also be assessing requests received for such support from Member States’ cyber crisis management authorities and/or CSIRTs, or CERT-EU on behalf of Union entities in seeking support from the EU Cybersecurity Reserve. For DEP-associated third countries, ENISA will transmit requests to the Commission.
In cooperation with the Commission and the EU-CyCLONe, ENISA has developed a mechanism to facilitate the submission of requests for support in relation to the EU Cybersecurity Reserve.
The pre-committed services under the EU Cybersecurity Reserve will be convertible, in accordance with the Cyber Solidarity Act and the relevant contract, into preparedness services related to incident prevention and response. This is in case the pre-committed services will not be used for incident response. This provision seeks to ensure the effective use of Union funding. The flexibility of the use of the Reserve to meet the real needs is of utmost importance.
