Cyber Solidarity Act: opportunities for industry stakeholders

On 22 May 2025, DIGITALEUROPE hosted the webinar "Cyber Solidarity Act: Opportunities for Industry Stakeholders", where Demosthenes Ikonomou, Head of the Information Security & Data Protection Unit at ENISA, presented the Cyber Solidarity Act, outlining its key mechanisms and the concrete opportunities it opens up for industry involvement.

The Cyber Solidarity Act was introduced against the backdrop of escalating geopolitical tensions and rapidly evolving cyber threats. As emphasized by DIGITALEUROPE’s Director for Digital Resilience and Defense, Constantinos Hadjisavvas, cybersecurity must no longer be treated as an afterthought. Instead, it should be an integral part of strategic planning from the outset.

Reflecting on lessons from the Russia–Ukraine war, and other ongoing conflicts such as those in Sudan and the Israel–Palestine region, it has become clear that while traditional military assets remain important, they are insufficient without the integration of dual-use digital technologies like drones, mobile communications, and AI systems. Cybersecurity underpins all these elements and plays a decisive role on today’s digital battlefield.

The Cyber Solidarity Act, led by the European Commission, responds to these realities by aiming to detect, prepare for, and respond to large-scale cyber incidents. It is part of a broader shift, which includes a proposed €1.1 billion investment under the Digital Europe Programme and a €150 billion “Security for Action” regulation, to ensure cybersecurity and electronic warfare are treated as core European capabilities. This regulatory and financial commitment marks a significant step toward a more secure and digitally resilient Europe.

During his intervention in the webinar, Demosthenes Ikonomou explained that as of January 2025, ENISA has begun transitioning from the temporary Support Action—originally launched in response to the war in Ukraine—to the permanent Cybersecurity Reserve, a core element of the EU Cyber Solidarity Act. While the Support Action served as an agile, short-term measure to assist Member States during cyber crises, it relied on ad-hoc arrangements and limited funding. The Cybersecurity Reserve replaces this model with a structured system that enables rapid incident response through a pre-established pool of trusted cybersecurity service providers. Operated by ENISA, the Reserve ensures all EU Member States—and for the first time, EU institutions, agencies, and selected third countries—can access expert support within 48 hours of a request. Unlike the Support Action, the Reserve is backed by long-term funding through the Digital Europe Programme, features multi-year framework contracts, and covers both incident response (ex-post) and, conditionally, preparedness (ex-ante) services.

ENISA’s focus within the Reserve is primarily on responding to cyber incidents once they occur, but the framework also allows unused funds to be redirected to preparedness activities, such as penetration testing or cyber exercises, as long as they do not overlap with initiatives managed by the European Cybersecurity Competence Centre (ECCC). All procurement is managed centrally by ENISA, with a dedicated €12 million annual budget and a requirement that selected providers meet strict EU ownership and control standards – reinforcing the strategic importance of digital sovereignty.

Together, these developments present a significant opportunity for industry stakeholders. One of the most practical and immediate avenues is through the tendering process established by ENISA. Private cybersecurity companies can apply to join a trusted pool of service providers – both at the Member State and EU-wide levels – by participating in competitive EU tenders. Once selected, these providers are awarded multi-year framework contracts and can be rapidly mobilized to deliver services such as incident response, forensic analysis, penetration testing, risk assessments, and cyber training. This structured retainer model ensures that vetted companies are pre-approved and ready to assist EU countries during cyber emergencies. With additional tenders planned to address service gaps in certain countries, and with an expanded list of eligible beneficiaries – including EU institutions, agencies, and third countries – this initiative opens a significant EU-funded market for companies that meet the necessary technical and ownership criteria.
