Executive Summary

The European Union has taken a landmark step in fortifying its collective cybersecurity posture with the entry into force of the EU Cyber Solidarity Act on February 4, 2025, and the subsequent launch of the EU Cybersecurity Reserve. On August 26, 2025, the European Commission signed an agreement with ENISA, the European Union Agency for Cybersecurity, for the operation and administration of the EU Cybersecurity Reserve, contributing €36 million from the Digital Europe Programme (DEP) over three years to create a continent-wide cyber incident response capability. [

EU cybersecurity policies

The European Union works on various fronts to promote cyber resilience, safeguarding our communication and data and keeping online society and economy secure.

Shaping Europe’s digital future

](https://digital-strategy.ec.europa.eu/en/policies/cybersecurity-policies)

The EU Cybersecurity Reserve will support the response to and recovery from significant and large-scale cyber incidents, consisting of incident response services from trusted service providers that can be deployed to help address cybersecurity incidents faced by EU Member States, EU institutions, bodies and agencies, and where applicable, DEP-associated third countries. The reserve can be utilized for entities operating in critical and highly critical sectors under the NIS2 Directive, such as the health or energy sectors.

This ambitious initiative represents a fundamental shift from national-level cyber defense to a coordinated, solidarity-based approach that recognizes cyber threats as challenges requiring collective European response.

The Genesis of Digital Solidarity

The EU Cyber Solidarity Act emerged from the harsh realities of modern cyber warfare and the recognition that no single Member State can effectively defend against sophisticated, large-scale cyber attacks in isolation. The EU Cyber Solidarity Act entered into force on 4 February 2025. It aims to strengthen capacities in the EU to detect, prepare for and respond to significant and large-scale cybersecurity threats and attacks.

The legislative framework was significantly influenced by escalating geopolitical tensions and the emergence of nation-state cyber warfare as a primary security concern. The Cyber Solidarity Act is in direct response to growing geopolitical tensions and the new “game-changing” reality of nation-state cyber warfare.

Three Pillars of Cyber Defense

The Cyber Solidarity Act establishes a comprehensive framework built on three foundational pillars:

European Cybersecurity Alert System (European Cyber Shield)

The European Cybersecurity Alert System will be composed of national and cross-border Security Operations Centres (SOCs) across the EU, who will use advanced technology such as Artificial Intelligence (AI) and data analytics to detect and share warnings on threats with authorities across borders.

This system leverages cutting-edge technology to create real-time threat intelligence sharing capabilities, ensuring that cyber threats detected in one Member State can immediately inform defensive measures across the entire Union.

Cybersecurity Emergency Mechanism

The emergency mechanism operates through three critical areas:

Preparedness Testing: Supporting preparedness actions: Testing entities in crucial sectors such as finance, energy and healthcare for potential weaknesses that could make them vulnerable to cyber threats.

EU Cybersecurity Reserve: The EU Cybersecurity Reserve will consist of incident response services from private service providers (‘trusted providers’), that can be deployed at the request of Member States or Union Institutions, bodies and agencies to help them address significant or large-scale cybersecurity incidents.

Mutual Assistance: Financial and technical support mechanisms for Member States providing assistance to other affected nations during cybersecurity crises.

Cybersecurity Incident Review Mechanism

At the request of the Commission or of national authorities (the EU-CyCLONe or the CSIRTs network), the EU Cybersecurity Agency (ENISA) will be responsible for the review of specific significant or large-scale cybersecurity incident and should deliver a report that includes lessons learned.

ENISA’s Expanded Role and Capabilities

The selection of ENISA to operate the EU Cybersecurity Reserve represents a significant expansion of the agency’s mandate and capabilities. ENISA will be procuring services for the EU Cybersecurity Reserve. The Agency will also be assessing requests received for such support from Member States’ cyber crisis management authorities and/or CSIRTs, or CERT-EU on behalf of Union entities.

Financial Resources and Timeline

This new contribution agreement provides €36 million over three years, to implement these services. ENISA will effectively be added on top of its annual budget of €26.9 million for 2025, representing a significant expansion of the agency’s operational capacity. This substantial financial commitment demonstrates the EU’s serious approach to cybersecurity preparedness.

The implementation timeline is ambitious yet realistic: The EU Cybersecurity Reserve is expected to be fully operational at the end of 2025.

Certification and Quality Assurance

ENISA is developing robust quality standards for service providers. Following a request from the European Commission, ENISA has started to prepare a candidate European cybersecurity certification scheme on Managed Security Services (MSS). With the Cyber Solidarity Act being in force since February 2025, the first focus of the MSS scheme will be on incident response services.

Operational Framework and Eligibility

Trusted Provider Selection

Trusted managed security services providers selected to be included in the EU Cybersecurity Reserve have all successfully passed the ownership control assessment (OCA) conducted to determine whether they are directly or indirectly controlled by Member States or by nationals of Member States.

This rigorous vetting process ensures that only trustworthy entities with appropriate national connections can participate in critical cyber incident response activities.

Service Scope and Flexibility

The Reserve is designed with operational flexibility in mind: To ensure the effective use of Union funding, pre-committed services under the EU Cybersecurity Reserve should be convertible, in accordance with the relevant contract, into preparedness services related to incident prevention and response if those pre-committed services are not used for incident response.

Investment and Funding Architecture

The financial architecture supporting EU cybersecurity extends far beyond the €36 million allocated to the Cybersecurity Reserve. The total budget includes an increase of €100 million that this Regulation proposes to re-allocate from other Strategic Objectives of DEP. This will bring the new total amount available for Cybersecurity actions under DIGITAL to €842.8 million.

Multi-Program Funding Approach

The Digital Europe Programme, for the period 2021-2027, is an ambitious programme that plans to invest €1.9 billion into cybersecurity capacity and the wide deployment of cybersecurity infrastructures and tools across the EU for public administrations, businesses and individuals.

This substantial commitment is complemented by:

  • Horizon Europe: Cybersecurity is part of the ‘Civil Security for Society’ cluster, continuing the research and innovation focus established under Horizon 2020
  • Recovery Plan for Europe: Cybersecurity is one of the Commission’s priorities in its response to the coronavirus crisis, with additional investments allocated for enhanced cyber resilience
  • InvestEU: The strategic investment facility will support key value chains in cybersecurity as part of the recovery package

European Cybersecurity Competence Network

The European cybersecurity industrial, technology and research competence centre will pool expertise and align European development and deployment of cybersecurity technology. It works with industry, the academic community and others to build a common agenda for investments into cybersecurity, and decide on funding priorities for research, development and roll-out of cybersecurity solutions.

When including Member State contributions, the overall budget for the Cyber Solidarity Act could amount up to €1.109 billion, representing one of the largest coordinated cybersecurity investments in European history.

The Broader EU Cybersecurity Ecosystem

The EU Cybersecurity Reserve and Cyber Solidarity Act operate within a comprehensive cybersecurity policy framework that has evolved significantly over recent years. The European Union works on various fronts to promote cyber resilience, safeguarding our communication and data and keeping online society and economy secure.

Strategic Context and Legislative Foundation

The European Commission and the High Representative of the Union for Foreign Affairs and Security Policy presented a new EU Cybersecurity Strategy at the end of 2020. This strategy provides the overarching framework within which the Cyber Solidarity Act operates, covering the security of essential services such as hospitals, energy grids and railways, as well as the security of connected objects in homes, offices and factories.

The legislative landscape includes several complementary instruments:

NIS2 Directive: Member States had until 18 October 2024 to fully transpose and implement NIS2. This directive establishes cybersecurity obligations for essential and important entities, creating the foundation upon which the Cyber Solidarity Act builds.

Cybersecurity Act: The Cybersecurity Act was adopted in 2019 and strengthened the role of the European Union Agency for Cybersecurity (ENISA). It gave the agency a permanent mandate and empowered it to contribute to stepping up both operational cooperation and crisis management across the EU.

Cyber Resilience Act: The Cyber Resilience Act entered into force on 10 December 2024. It establishes common standards for products with digital elements, including hardware and software.

ENISA’s Evolving Role

ENISA is the European Union Agency for Cybersecurity, which was established in 2005. The mandate was revised in 2019 and since then, the Agency has a permanent mandate. The assignment of the EU Cybersecurity Reserve to ENISA represents yet another expansion of the agency’s responsibilities, building on its existing work supporting Member States, EU institutions and businesses in implementing cybersecurity legislation.

Recent Policy Developments

The cybersecurity policy landscape continues to evolve rapidly. On 15 January 2025, the Commission presented a European action plan on the cybersecurity of hospitals and healthcare providers, demonstrating the sector-specific approach that complements the broader solidarity framework.

Additionally, on 11 April 2025, the Commission launched a public consultation for input to evaluate and revise the Cybersecurity Act, indicating ongoing refinements to the foundational cybersecurity legislation.

Implementation Challenges and Considerations

Resource and Expertise Disparities

These challenges include addressing disparities in cybersecurity expertise and resources, aligning public and private sector efforts, and navigating data privacy and sovereignty concerns.

The success of the Act will depend significantly on bridging these gaps through coordinated capacity building and knowledge sharing initiatives.

Skills Development and Workforce Challenges

The Cybersecurity Skills Gap

The successful implementation of the Cyber Solidarity Act faces a critical challenge: the shortage of qualified cybersecurity professionals. Cybersecurity skills, which fall under the Commission’s general agenda on digital skills, will remain high on the Commission political agenda, with the Union of Skills foreseen in the Commission’s political guidelines for 2024-2029.

The advocacy work of ISC2 has directly contributed to several elements of the final act, including a reference to the European Cyber Security Skills Framework, highlighting the critical importance of workforce development in implementing these measures effectively.

The Cybersecurity Skills Academy

The Cybersecurity Skills Academy, launched as part of the 2023 European Year of Skills, pools together private and public initiatives at European and national levels to address the growing gap in the cybersecurity workforce. The Academy, hosted online on the Commission’s digital jobs and skills platform, is seeing support from all stakeholders, notably industry through a mechanism of pledges, and academia.

Projects will continue to be funded under various programmes, notably Digital Europe Programme and Erasmus+, to close the workforce gap in the European Union. This skills development imperative is essential for the effective operation of the EU Cybersecurity Reserve, which requires qualified professionals to deliver incident response services.

Gender Diversity Initiatives

The Commission recognizes the importance of addressing gender gaps in cybersecurity. The Women4Cyber Registry, established in cooperation with ECSO’s Women4Cyber initiative, makes it easier for the media, event organisers and others to find talented women working in cybersecurity, increasing their visibility in the cyber community and public debate.

ENISA’s Capacity Concerns

Recent analysis suggests potential challenges for ENISA’s expanded role. With ENISA’s role under review as part of the European Commission’s ongoing evaluation mandated by the Cybersecurity Act, 2025 marks a pivotal moment for reassessing the agency’s capacity and clarifying its strategic direction.

Strategic Implications and Future Outlook

Digital Sovereignty and Competitiveness

The EU Cybersecurity Reserve could also contribute to strengthening the competitive position of industry and services in the Union across the digital economy, including microenterprises, SMEs and start-ups, by providing incentives for investment in research and innovation.

International Cooperation and Diplomatic Engagement

Cyber Dialogues and Global Partnerships

The EU’s approach to cybersecurity extends beyond its borders through comprehensive diplomatic engagement. The EU works with partners to advance shared interests in cybersecurity policy through bilateral Digital Partnerships and Digital Dialogues, as well as the EU-LAC Digital Alliance, the EU-Western Balkans Regulatory Dialogue, and structured dialogues with NATO.

Recent diplomatic activities include:

  • The EU-UK Cyber Dialogue, with the second session held on December 6, 2024
  • The sixth EU-Japan Cyber Dialogue held in Tokyo on November 11, 2024
  • The eighth EU-India Cyber Dialogue held in New Delhi on March 20, 2025
  • The seventh EU-Korea Cyber Dialogue held in Seoul on May 20, 2025

These dialogues facilitate information sharing on the cyber threat landscape, policy developments, and coordinate responses to emerging challenges.

Third Country Participation

The EU Cybersecurity Reserve extends its protective capabilities beyond Member States to DEP-associated third countries under certain conditions, demonstrating the Union’s commitment to broader regional cybersecurity resilience. For DEP-associated third countries, ENISA will transmit requests to the Commission, ensuring appropriate oversight while maintaining the solidarity principle.

Practical Impact for Organizations

For Government Entities

Government agencies and critical infrastructure operators in highly critical sectors should prepare for potential coordinated preparedness testing and ensure their cyber crisis management authorities understand the procedures for requesting Reserve support.

For Private Sector

Companies may benefit from information exchanges with ENISA, gaining insights into known vulnerabilities and emerging threats. Organizations should evaluate opportunities to participate either as service providers in the Reserve or as beneficiaries of the enhanced threat intelligence sharing capabilities.

Conclusion: A New Era of Cyber Solidarity

The launch of the EU Cybersecurity Reserve under ENISA’s stewardship represents more than a policy initiative—it embodies a fundamental recognition that cybersecurity in the 21st century requires collective action, shared resources, and coordinated response capabilities.

With ENISA being entrusted with such prominent project, puts ENISA in the limelight as a dependable partner to the European cybersecurity community and it allows ENISA to break new ground towards an even more cyber secure digital single market.

The success of this ambitious undertaking will depend on effective implementation, adequate resource allocation, and the continued commitment of Member States to the principles of cyber solidarity. As the Reserve becomes fully operational by the end of 2025, it will serve as a critical test case for the EU’s ability to translate legislative ambition into operational cyber resilience.

The EU Cyber Solidarity Act and its associated mechanisms represent Europe’s most comprehensive attempt to date at creating a unified, coordinated approach to cybersecurity. As cyber threats continue to evolve and intensify, this framework may well become a model for other regions seeking to enhance their collective cyber defense capabilities in an increasingly interconnected world.

This analysis is based on information available as of August 2025. Organizations should consult current official sources and legal counsel for the most up-to-date guidance on compliance and participation requirements.