The European Union Agency for Cybersecurity (ENISA) and the European Commission have signed a landmark contribution agreement to establish and operate the EU Cybersecurity Reserve. This initiative, backed by a €36 million investment over three years, was officially announced on August 26.
The agreement entrusts ENISA with full administrative and operational responsibilities for the EU Cybersecurity Reserve, a major step forward under the framework of the EU Cyber Solidarity Act.
The Reserve is designed to provide incident response services through trusted Managed Security Service Providers (MSSPs), helping Member States and EU institutions swiftly respond to and recover from large-scale cyberattacks.
A Strategic Partnership for Cyber Resilience
Juhan Lepassaar, Executive Director of ENISA, hailed the agreement as a milestone for the agency. “Being entrusted with such a prominent project puts ENISA in the limelight as a dependable partner to the European cybersecurity community and allows ENISA to break new ground towards an even more cyber-secure digital single market,” Lepassaar said.
The decision by the European Commission to entrust ENISA with such a vital task underscores the high level of trust in the agency’s operational capabilities. Over the years, ENISA has proven its value through initiatives like the ENISA Cybersecurity Support Action, the Single Reporting Platform under the Cyber Resilience Act, and its contributions to the Cyber Analysis and Situation Centre, all funded via similar contribution agreements.
Functionality and Scope of the EU Cybersecurity Reserve
Outlined in Article 14 of the EU Cyber Solidarity Act, the EU Cybersecurity Reserve comprises a set of pre-procured, high-trust incident response services. These services will be made available during cybersecurity crises. The MSSPs offering these services have been selected through competitive public procurement procedures, ensuring both quality and transparency.
The Reserve will cater primarily to critical sectors across EU Member States, as defined in the NIS2 Directive. EU institutions, bodies, agencies, and offices will also be eligible for support. Additionally, third countries associated with the Digital Europe Programme (DEP) may access the Reserve, provided their agreements include provisions for such access.
Operational Mechanics
ENISA will oversee the procurement and monitoring of services under the Reserve. It will assess support requests submitted by national cyber crisis management authorities, CSIRTs (Computer Security Incident Response Teams), and CERT-EU on behalf of Union entities. For DEP-associated third countries, ENISA will pass on the requests to the European Commission.
In collaboration with the European Commission and EU-CyCLONe, ENISA has also developed a dedicated mechanism to streamline the submission and handling of support requests. This ensures rapid mobilization in the face of cyber emergencies.
Importantly, unused pre-committed services can be reallocated for preparedness activities such as incident prevention and response training. This flexibility ensures that the Reserve’s resources are fully utilized, aligning with the responsible use of EU funding.
Budget and Timeline
The newly signed contribution agreement brings an additional €36 million to ENISA’s budget over three years—supplementing the agency’s annual 2025 budget of €26.9 million. This funding will support the Reserve’s implementation and operational monitoring until at least the end of 2028.
The EU Cybersecurity Reserve is expected to become fully operational by the end of 2025. Its launch will coincide with the winding down of the ENISA Cybersecurity Support Action in 2026, providing a seamless transition for Member States already engaged with the existing support framework.
In anticipation of the Reserve’s operation, ENISA has also begun work on a candidate European cybersecurity certification scheme for Managed Security Services. Requested by the European Commission, the first focus of the scheme will be incident response services delivered through the Reserve. Under the Cyber Solidarity Act, which came into force in February 2025, MSSPs will be expected to certify their services within two years of the scheme’s adoption.
