Regulation (EU) 2025/38 of the European Parliament and of the Council — better known as the Cyber Solidarity Act — was adopted on 19 December 2024 and entered into force on 4 February 2025. It is the first horizontal EU legal instrument that funds and structures cross-border incident response capacity, deploying around €1.1 billion across the 2024-2027 horizon. The Act sits in a complementary relationship with NIS2 (which sets obligations for entities) and with the CRA (which sets product requirements). It is the operational layer: a Union-level alert system, a reserve of incident-response services, and a structured review mechanism for major incidents.
What changed in February 2025?
Three new EU-level structures came into legal existence with Regulation 2025/38:
- A European Cybersecurity Alert System, built out of National and Cross-Border Cyber Hubs linked by secure communications and shared detection tooling. National Hubs are existing or new SOC-grade installations operated by Member State authorities; Cross-Border Hubs are consortia of multiple Member States. The European Cybersecurity Industrial, Technology and Research Competence Centre (ECCC) procures, and Member States operate, the platforms.
- A Cybersecurity Emergency Mechanism, including the EU Cybersecurity Reserve — a pool of pre-vetted private incident-response providers that can be deployed at the request of Member States, EU institutions, or DEP-associated third countries to address significant or large-scale incidents.
- A Cybersecurity Incident Review Mechanism, operated by ENISA at the request of the Commission or EU-CyCLONe, to produce post-incident reviews of significant or large-scale cybersecurity incidents with lessons-learned and recommendations.
The Act amends Regulation (EU) 2019/881 (the Cybersecurity Act) in narrowly targeted ways to give ENISA the mandate and resources for the review function, including a confidentiality framework that protects the data shared by affected entities.
Who is in scope?
The Cyber Solidarity Act does not impose new obligations on private regulated entities. It is a regulation about Union capacity. Three categories interact with it directly:
- Member States and EU institutions, who request and consume the services.
- Trusted providers — private companies pre-vetted to provide incident response services under the Reserve. Pre-qualification requirements include track record, EU-based capacity, and contractual willingness to operate under Union confidentiality terms.
- ENISA and the European Cybersecurity Competence Centre (ECCC), which administer the mechanisms.
Indirectly, every essential and important entity under NIS2, financial entity under DORA, and CRA-regulated manufacturer is in scope, because any of them may be the affected entity at the centre of an incident that triggers the Solidarity Act mechanisms.
How does the Cybersecurity Reserve work in practice?
The Reserve is a contract framework. ENISA and the Commission (through the ECCC) maintain a pool of pre-qualified incident response service providers under multi-year framework contracts. Member States or EU institutions facing a significant or large-scale incident can request deployment through a structured procedure.
The procedure has four stages:
| Stage | Actor | Timeline |
|---|---|---|
| Request | National competent authority, EU institution, or third-country authority under association arrangement | Day 0 |
| Assessment | ENISA and Commission services validate eligibility and severity | < 24 hours |
| Activation | Trusted provider mobilised under framework contract | Hours |
| Closure | After-action report to ENISA; data retained under Article 14 confidentiality | Within 60 days |
Significance and scale thresholds are defined consistently with NIS2 Article 6: an incident is "significant" if it has caused or is capable of causing severe operational disruption or financial loss, and "large-scale" if it affects multiple Member States or cross-border services.
How does the Incident Review Mechanism work?
ENISA conducts the review at the request of the Commission or EU-CyCLONe — the latter being the EU-level operational cooperation network that has existed since 2020 and was formalised by NIS2. The Mechanism is deliberately distinct from incident reporting under NIS2 or under the CRA: those are mandatory notifications from affected entities to regulators. The Review Mechanism is a post-hoc, expert-led analysis with the explicit purpose of producing recommendations to improve Union-wide preparedness.
Outputs include a confidential technical analysis (with restricted distribution), a redacted public report where appropriate, and structured recommendations to Member States and Union institutions. ENISA can request information from affected entities, but the requests are subject to Article 14 confidentiality and a legal basis derived from the Regulation itself, not from the entities' NIS2 obligations.
Cyber Solidarity Act mechanisms (high-level)

```text
+---------------------+   large-scale incident          +-----------------------+
| Member State /      | ---- request -----------------> | EU Cybersecurity      |
| EU institution      |                                 | Reserve               |
+---------------------+                                 +-----------------------+
          |
          | observation / alert
          v
+---------------------+   detection / sharing           +-----------------------+
| National Cyber Hub  | <-----------------------------> | Cross-Border Hubs     |
+---------------------+                                 +-----------------------+

+---------------------+   significant /                 +-----------------------+
| Commission /        |   large-scale event             | ENISA Incident Review |
| EU-CyCLONe          | ---- request -----------------> | Mechanism             |
+---------------------+                                 +-----------------------+
```
How does it relate to NIS2 and the CRA?
Three explicit linkages:
- NIS2 incident reporting feeds the Alert System. National competent authorities receiving 24/72-hour reports from essential and important entities can elevate to EU-CyCLONe and the Alert System for cross-border coordination.
- CRA reporting of actively exploited vulnerabilities (effective from 11 September 2026) flows through ENISA's Single Reporting Platform, which is operationally distinct from the Alert System but architecturally adjacent. ENISA is expected to publish guidance on how the two streams correlate, with shared situational-awareness dashboards.
- The Incident Review Mechanism can examine incidents that triggered both NIS2 and CRA reporting, producing the Union-level lessons-learned analysis that neither instrument alone provides.
What are the operational implications for security teams?
For NIS2-regulated entities, four implications matter:
- Expect coordination requests from national CSIRTs that are themselves coordinating with the Alert System. The 24-hour NIS2 notification is no longer a single bilateral interaction.
- Pre-position legal and operational arrangements to accept assistance from a Reserve-deployed trusted provider during a major incident. This includes data-sharing terms, on-site access protocols, and chain-of-custody for forensic artefacts.
- Maintain incident artefacts to a standard sufficient for a future ENISA review. The Mechanism's confidentiality protections apply, but artefact quality determines the value of the review.
- Engage with the Reserve trusted-provider list during procurement of incident response retainers. Several providers on the Reserve also offer commercial retainers and can transition seamlessly if the entity becomes an Alert System case.
What are the budget and capacity numbers?
The Act re-allocates €100 million from other Strategic Objectives of the Digital Europe Programme, bringing the total available for cybersecurity actions under DIGITAL to €842.8 million. Member State contributions and other instruments push the headline total for the Cyber Solidarity Act envelope to approximately €1.1 billion across 2024-2027. The Reserve element accounts for the largest single line; the Alert System hubs receive substantial co-financing. The exact disbursement schedule is set through the DEP work programmes adopted annually by the Commission.
What should defenders do now?
Three steps cover most of the gap:
- Establish a bilateral relationship with your national CSIRT and confirm the escalation path from NIS2 reporting to Alert System activation. The path differs between Member States and is rarely documented for in-house security teams.
- Identify whether your incident response retainer provider is on the Reserve. If yes, validate the contractual interaction model for a Reserve activation. If no, consider redundancy with a Reserve provider for major incidents.
- Update your incident response plan to accept third-party reviewers (ENISA Incident Review Mechanism) post-incident, with pre-agreed information-sharing terms.
How Safeguard Helps
Safeguard's incident response workflow generates the structured artefacts — affected versions, dependency graphs, exploitation evidence, mitigations applied — that both NIS2 reporting and the ENISA Incident Review Mechanism require, eliminating the post-incident scramble to reconstruct what happened. TPRM workflows track Reserve-qualified incident response providers as part of your retainer inventory, with current status against Reserve qualification criteria. Griffin AI reachability narrows the blast-radius reporting that the Alert System cross-border hubs increasingly request, so when a Member State CSIRT asks "what does this affect?", the answer is available in minutes. Policy gates and compliance automation produce the audit trail that demonstrates due diligence in supplier and dependency selection — the data ENISA's reviewers expect from any large-scale incident.