EU Cybersecurity Reserve: Trusted Providers Under the Cyber Solidarity Act

The EU Cybersecurity Reserve under Regulation (EU) 2025/38 mobilises trusted private incident-response providers to support Member States facing significant cyber incidents.

Alex
Security Analyst

The Cyber Solidarity Act — Regulation (EU) 2025/38 — entered into force on 4 February 2025 after publication in the Official Journal on 15 January 2025. The Regulation creates three operational pillars: the European Cybersecurity Alert System (a network of National and Cross-Border Cyber Hubs), the Cybersecurity Emergency Mechanism (which establishes the EU Cybersecurity Reserve), and the Cybersecurity Incident Review Mechanism (under which ENISA reviews significant or large-scale incidents and reports lessons learned). The Reserve is the operational element most directly relevant to organisations providing incident response services in the EU. It builds a pre-qualified pool of private "trusted providers" that ENISA can mobilise on request from a Member State, Union institution, or third country associated with the Digital Europe Programme (DEP).

What is the EU Cybersecurity Reserve?

Article 14 of Regulation (EU) 2025/38 establishes the Reserve as a pool of incident response services from private trusted providers, available for deployment in response to significant or large-scale cybersecurity incidents. ENISA manages procurement, contracting, and activation. The Reserve is not staffed by EU-employed responders; it is a framework agreement structure under which pre-qualified private firms agree to terms and conditions in advance, allowing rapid mobilisation when an incident is declared. The model echoes existing national arrangements — such as the UK NCSC's Cyber Incident Response (CIR) scheme and Germany's BSI provider register — but operates at EU scale and with cross-border deployment by design. The European Commission announced activation of an initial €36 million budget tranche for the Reserve under ENISA's management in 2025.

Who qualifies as a trusted provider?

The Regulation requires trusted providers to meet several criteria, set out in Article 14 and refined through ENISA's procurement documentation:

# Trusted provider qualification criteria (Article 14, Regulation 2025/38)

1. Cybersecurity expertise
   - Demonstrated track record in incident response
   - Qualified incident handlers with verified certifications
   - Documented methodologies aligned with ENISA guidance

2. Legal and operational status
   - Established in a Member State or DEP-associated third country
   - Adequate professional indemnity coverage
   - Conflict-of-interest controls

3. Security clearance and trust
   - Personnel security clearances where Member State sensitive
     information may be handled
   - Compliance with EU Restrictive Measures (sanctions framework)
   - No effective control by entities subject to non-EU jurisdictions
     incompatible with EU values

4. Availability and capacity
   - Defined response times for activation
   - Sufficient bench depth to handle concurrent activations
   - Multi-language capability for cross-border deployment

5. Quality and reporting
   - Compliance with ENISA quality standards for incident response
   - Structured incident reporting back to ENISA
   - Lessons-learned contribution to the Review Mechanism

ENISA's first call for expressions of interest opened in 2025 with a framework agreement structure that allows providers to be reactivated for specific incidents through mini-tender procedures.

Who can activate the Reserve?

Activation requests come from Member States (typically through their national CSIRT or competent authority for cybersecurity), Union institutions, bodies, and agencies (where they face a significant incident affecting Union assets or services), and DEP-associated third countries subject to specific conditions. The trigger is a significant or large-scale incident — terms defined in NIS2 Article 6 — meaning an incident with serious operational disruption or financial loss, or affecting other persons by causing considerable material or non-material damage. ENISA assesses the activation request against eligibility criteria and matches the response need with available trusted providers. The deployed providers operate under ENISA contracting but report to the requesting authority for incident-specific direction.

What about the Alert System pillar?

The first pillar of the Cyber Solidarity Act — the European Cybersecurity Alert System under Articles 4-9 — is the longer-term capacity-building dimension. It establishes National Cyber Hubs in each Member State and Cross-Border Cyber Hubs that interconnect them. The Hubs are equipped with state-of-the-art detection technology — including AI-augmented threat intelligence and SOC capabilities — co-financed by the EU and the relevant Member States. The objective is to build an EU-wide shared situational awareness picture that surfaces emerging threats early enough to enable preparation rather than just response. The architecture is independent of NIS2's national CSIRT network but coordinates with it.

What is the Incident Review Mechanism?

The third pillar, under Article 21 of the Regulation, establishes the European Cybersecurity Incident Review Mechanism. At the request of the Commission or national authorities through the EU-CyCLONe network, ENISA reviews specific significant or large-scale incidents and produces a report including lessons learned, with recommendations for prevention and improved response. The reports are not regulatory determinations of fault — they are operational reviews intended to feed back into the broader EU cybersecurity policy framework. ENISA's experience with NIS2 threat landscape reporting and the existing CSIRT Network's incident exchange feeds into this mechanism naturally.

How does this interact with NIS2 and DORA?

The Cyber Solidarity Act is operational, not regulatory in the substantive sense. It does not impose obligations on private-sector entities equivalent to NIS2 risk management duties or DORA ICT third-party requirements. It does not create a new reporting endpoint that competes with the NIS2 24/72-hour incident reporting cadence. Instead, it builds operational capacity that NIS2 entities and DORA financial entities can call upon if they face an incident beyond their own response capability. A Member State competent authority dealing with a national-scale incident in a NIS2 essential entity can request Reserve activation; a financial entity facing a major outage under DORA continues to follow Article 19 reporting but may benefit indirectly from Reserve-supported national response.

What is the budget structure?

Funding flows through the Digital Europe Programme (DEP). The original DEP budget for cybersecurity was €1.6 billion across the 2021-2027 multiannual financial framework. The Cyber Solidarity Act reallocates an additional €100 million from other DEP strategic objectives into cybersecurity, bringing the total DEP cybersecurity budget to approximately €842.8 million for the remainder of the framework period. The €36 million initial Reserve tranche activated under ENISA management in 2025 sits within this envelope, with further tranches expected in subsequent years.

What should incident response providers do?

For private cybersecurity firms operating in the EU, three steps are relevant. First, monitor ENISA's procurement publications for trusted provider calls and assess eligibility. Second, prepare the qualification evidence pack — corporate registration, indemnity coverage, personnel certifications and clearances, incident response methodologies, conflict-of-interest controls. Third, consider participation in adjacent frameworks (national CSIRT panels, CIR/CBEST in the UK, BSI provider register in Germany) where the same evidence pack can serve multiple registrations. Smaller specialist providers can partner with consortium leads to access framework agreements that solo participation may not support.

How Safeguard Helps

Safeguard supports trusted providers and the entities they serve. For providers, the platform consolidates evidence packs — personnel certifications, methodology documentation, incident handling histories, conflict-of-interest registers — into a form suitable for ENISA qualification and parallel national framework registrations. For NIS2 essential entities and DORA financial entities that may need to call on Reserve-supported response, Safeguard maintains the asset inventory, SBOM, and incident triage data that a deployed responder needs as starting context — reducing time-to-context from days to hours when an external team comes in. The platform's incident workflow integrates with the EU-CyCLONe operational picture so that significant incidents are visible across the cooperation channels the Cyber Solidarity Act builds.
