ENISA to Manage €36 Million EU Cybersecurity Reserve
The European Union Agency for Cybersecurity (ENISA) and the European Commission signed a contribution agreement, through which the Commission entrusts ENISA with the administration and operation of the EU Cybersecurity Reserve, and provides ENISA with financial contribution to that end.
The EU Cybersecurity Reserve foreseen in Article 14 of the EU Cyber Solidarity Act, consists of incident response services from trusted managed security service providers. This support mechanism will be used, should significant and large-scale cybersecurity incidents occur for the purpose of responding to and recovering from such incidents.
Procured by ENISA, services offered will be contracted from trusted managed service providers. Such providers were selected by means of public procurement calls, such as this call.
The services are intended for users representing critical sectors of EU Member States as described in the NIS2 Directive, as well as EU Institutions, Bodies, Offices and Agencies. The services may also be requested by third countries that have been associated with the Digital Europe Programme (DEP) and whose Association Agreements include provisions for granting access to the EU Cybersecurity Reserve.
When operating the EU Cybersecurity Reserve, ENISA will rely on its extensive experience built over the years by successfully managing the ENISA Cybersecurity Support Action.
The Cyber Solidarity Act provides that the European Commission shall entrust the operation and administration of the EU Cybersecurity Reserve, in full or in part, to ENISA. The fact that this critical task was entrusted to ENISA underscores the high level of cooperation between Commission and ENISA and the Commission's confidence that ENISA delivers operational capacity to the cybersecurity stakeholders involved.
How do Contribution Agreements work?
Over the past years, ENISA has been receiving funds through contribution agreements on top of its yearly budget to specifically implement flagship projects concerning cybersecurity in the EU under the DEP Work Programmes. This has been the case for activities such the ENISA Support Action, the Single Reporting Platform under the Cyber Resilience Act and contributing to the Cyber Analysis and Situation Centre.
Contributions such as this one announced today, are typically allocated for three-year periods to match the duration of services to be provided. This new contribution agreement provides 36 million Euro over three years, to implement these services. ENISA will effectively be added on top of its annual budget of 26,9 million for 2025 and it will serve the specific operational purpose of monitoring the services to be offered for three consecutive years.
How will the EU Cybersecurity Reserve work?
ENISA will be procuring services for the EU Cybersecurity Reserve. The Agency will also be assessing requests received for such support from Member States’ cyber crisis management authorities and/or CSIRTs, or CERT-EU on behalf of Union entities in seeking support from the EU Cybersecurity Reserve. For DEP-associated third countries, ENISA will transmit requests to the Commission.
In cooperation with the Commission and the EU-CyCLONe, ENISA has developed a mechanism to facilitate the submission of requests for support in relation to the EU Cybersecurity Reserve.
The pre-committed services under the EU Cybersecurity Reserve will be convertible, in accordance with the Cyber Solidarity Act and the relevant contract, into preparedness services related to incident prevention and response. This is in case the pre-committed services will not be used for incident response. This provision seeks to ensure the effective use of Union funding. The flexibility of the use of the Reserve to meet the real needs is of utmost importance.
Next steps
The EU Cybersecurity Reserve is expected to be fully operational at the end of 2025. With the ENISA Cybersecurity Support Action due to end in 2026, the upcoming launch of the EU Cybersecurity Reserve emerges at the right time. Member States still running the current programme will have time ahead to prepare and request Cybersecurity Reserve services.
Managed Security Services
Following a request from the European Commission, ENISA has started to prepare a candidate European cybersecurity certification scheme on Managed Security Services (MSS). With the Cyber Solidarity Act being in force since February 2025, the first focus of the MSS scheme will be on incident response services which MSS providers will deliver through the EU Cybersecurity Reserve. MSS providers will be expected to certify their services two years after the scheme has been in place.
