The EU Cybersecurity Reserve - FAQ

The EU Cybersecurity Reserve consists of services from trusted managed security service providers to support response and initiate recovery actions in the case of significant cybersecurity incidents, large-scale cybersecurity incidents or large-scale-equivalent cybersecurity incidents affecting Member States, Union institutions, bodies, offices or agencies, or third countries associated to the Digital Europe Programme (DEP).  

The users of the services provided by the EU Cybersecurity Reserve shall consist of the following: 

1. Member States’ cyber crisis management authorities and CSIRTs as per the NIS2 Directive;
2. CERT-EU;
3. Xompetent authorities such as computer security incident response teams and cyber crisis management authorities of DEP-associated third countries. 
    

The services from the EU Cybersecurity Reserve should serve to support national authorities in providing assistance to affected entities operating in sectors of high criticality or to affected entities operating in other critical sectors (as listed in Annex I and Annex II of the NIS2 Directive) as a complement to their own actions at national level. The services from the EU Cybersecurity Reserve should also be able to serve to support Union institutions, bodies, offices and agencies, under similar conditions. 

Given the extensive experience gained by ENISA with cybersecurity Support Action, law-makers decided that ENISA is the most suitable agency to implement the EU Cybersecurity Reserve. Thus, under the EU Contribution Agreement signed between the Commission and ENISA in August 2025, the later was entrusted with administration and operationalisation of the EU Cybersecurity Reserve and became its contracting authority. In practice, this means that ENISA will procure services of the Reserve, assess and respond to requests for support from Member States’ cyber crisis management authorities and CSIRTs, and from CERT-EU on behalf of Union institutions, bodies, offices, and agencies. 

ENISA is in regular contact with NIS2 national Single Points of Contact (SPoC), as well as CERT-EU and SPoC of the Republic of Moldova, which can request services from the EU Cybersecurity Reserve. Physical meetings of this network take place twice a year, online meetings are organised on a monthly basis.  

It is up to the users of the Reserve to decide what services should be delivered to which entity, provided that it is an entity operating in sectors of high criticality or to affected entities operating in other critical sectors (as listed in Annex I and Annex II of the NIS2 Directive). ENISA serves with its expertise and advice.  
 

Given that cyberspace has no borders and significant cyber incidents pose high risk of spillover effect, boosting of cyber resilience of EU's partner countries is of utmost importance to maintaining security in the region. This is why, the EU Cyber Solidarity Act lays down that DEP-associated third countries should be able to request support from the EU Cybersecurity Reserve, in all or part of their territories, where this is provided for in the agreement through which the third country is associated to the DEP. So far, the Republic of Moldova is the first and only DEP-associated third country that is eligible to receive such support. The EU Cybersecurity Reserve was first deployed to Moldova in September 2025.  

In order to ensure the effective use of Union funding, pre-committed services under the EU Cybersecurity Reserve should be convertible, in accordance with the relevant contract, into preparedness services related to incident prevention and response in the event that those pre-committed services are not used for incident response during the time for which they are pre-committed. Such services include Cybersecurity Capacity Building Services - Trainings & Exercises, Cybersecurity Posture Evaluation Services, Risk Monitoring and Cyber Readiness Services. The full catalogue of services is to be found here [LINK]. 

The European Commission has entrusted ENISA administration and operation of the EU Cybersecurity Reserve through a Contribution Agreement signed by both sides in August 2025. This new agreement provides, over three years, 36 million Euro earmarked from DEP for this important task.  

Trusted cybersecurity services providers are selected on the basis of open procurement procedure.  

The list of trusted cybersecurity services providers forming the Reserve is being regularly updated. To find new calls for tenders relevant to the EU Cybersecurity Reserve, we invite you to visit ENISA public procurement webpage on a regular basis. 

Each call for tenders contains a list of technical and professional capacity criteria. Evidence of the technical and professional capacity of the tenderers shall be provided on the basis of specific requirements. In addition, each user of the EU Cybersecurity Reserve may request additional minimum selection criteria. These are also clearly described in each call for tenders.  

Furthermore, under the new Multiannual Financial Framework (MFF) 2021-2027, participation in certain calls for proposals launched under the Digital Europe Programme may be restricted to legal entities established in Member States (or in specified eligible third countries). In accordance with the relevant basic acts, in certain cases, legal entities established in Member States (or in specified eligible third countries) can participate in the calls for proposals only if they are directly or indirectly controlled by Member States or by nationals of Member States (or by entities or nationals of specified eligible countries). For such restricted calls, the ownership control assessment (OCA) will be conducted to determine control. This is the case of the EU Cybersecurity Reserve.