EU Commission entrusts ENISA with €36 Million EU Cybersecurity Reserve

The European Union is taking another step to strengthen its defences against cyberattacks. On 26 August, the European Commission and the EU Agency for Cybersecurity (ENISA) signed a contribution agreement that entrusts the agency with the operation of the newly created EU Cybersecurity Reserve. The agreement provides €36 million in funding over the next three years, adding to ENISA’s annual budget of €26.9 million for 2025.

The Cybersecurity Reserve is one of the cornerstones of the EU Cyber Solidarity Act, which entered into force in February this year. It will act as a support mechanism for Member States and EU institutions facing significant or large-scale cyber incidents.

The Reserve will be accessible to national authorities responsible for cyber crisis management, CSIRTs, and to CERT-EU acting on behalf of Union institutions, bodies, offices and agencies. Beyond the EU, certain countries associated with the Digital Europe Programme will also be able to request support if their agreements include access to the Reserve.

ENISA will handle requests, assessing them together with the Commission and the European cyber crisis liaison network (EU-CyCLONe). To make the mechanism flexible, unused incident response capacity can be redirected to preparedness and prevention measures.

The creation of the Reserve also comes with an industrial dimension. The managed security service providers chosen to deliver its services are expected to meet strict trust requirements, including an ownership control assessment to verify EU or eligible-country control. ENISA is already working on a European certification scheme for MSS providers, starting with incident response services. Two years after the scheme enters into force, providers delivering services through the Reserve will be expected to certify them.

This move, according to the Commission, will not only support immediate crisis response but also stimulate investment, innovation, and competitiveness in Europe’s cybersecurity sector, including SMEs and start-ups. The Cyber Solidarity Act has already proven to be a source of new opportunities for industry players, reinforcing the connection between public initiatives and private expertise.

The Reserve is expected to be fully operational by the end of 2025. Its launch is timed to follow on from the ENISA Cybersecurity Support Action, which is set to conclude in 2026, giving Member States a transition period to adjust and prepare for requesting services under the new mechanism.

By entrusting ENISA with the Reserve, the EU is effectively boosting the agency’s operational profile. Until now, ENISA’s role has often been more about coordination, policy support and awareness. With this agreement, the agency takes on a more proactive function in managing resources and services aimed at countering cyber threats in real time.

Read the full article here.