Cyber Solidarity Act

KEY POINTS

Scope and purpose

The regulation’s general objective is to strengthen solidarity at the EU level while reinforcing the competitive position of industry and services in the EU across the digital economy and contributing to the EU’s technological sovereignty and open strategic autonomy in the area of cybersecurity.

This objective is implemented via three key pillars.

1. European cybersecurity alert system

This system is designed to improve near real-time situational awareness and detection of cyber threats across the EU and consists of:

• national cyber hubs, designated by EU Member States;
• cross-border cyber hubs, established by consortia involving at least three Member States.

These cyber hubs¹ detect, analyse and exchange cyber threat intelligence and are supported by advanced tools such as artificial intelligence and data analytics. Funding is implemented by the European Cybersecurity Competence Centre (see summary) (joint procurement of tools, infrastructure and services and grants for their operation).

To ensure effective cooperation, the European Union Agency for Cybersecurity (ENISA) was required to develop interoperability guidelines, including common formats and protocols, by 5 February 2026. The cooperation agreements that cross-border cyber hubs conclude between themselves must be based on these guidelines.

2. Cybersecurity Emergency Mechanism

This mechanism enables coordinated EU support to prepare for and to respond to significant², large-scale³ and large-scale-equivalent⁴ incidents, thereby reinforcing the EU’s resilience and solidarity among Member States. It includes the following areas.

1. Preparedness measures, such as:
   • the coordinated preparedness testing of entities operating in sectors of high criticality;
   • support for other preparedness activities for entities in sectors of high criticality and other critical sectors, including vulnerability monitoring, risk assessments, exercises and training.
2. The EU Cybersecurity Reserve, consisting of incident response services provided by trusted managed security service providers selected through EU procurement procedures.

The reserve supports Member States, EU institutions and competent authorities in non-EU countries associated with the digital Europe programme (DEP), if their DEP association agreement provides for such a possibility and whose participation must be authorised by the Council of the European Union in addressing such incidents.

Requests for deployment of the EU Cybersecurity Reserve may be submitted by:

• Member States’ cyber crisis management authorities and national computer security incident response teams;
• the Cybersecurity Service for the Union Institutions, Bodies, Offices and Agencies (see summary);
• competent authorities such as the computer security incident response teams and cyber crisis management authorities of DEP-associated non-EU countries.

The European Commission has overall responsibility for the EU Cybersecurity Reserve’s implementation and entrusts the administration and operation of the Reserve to ENISA. The contracting authority (the Commission or ENISA, where applicable, for requests by Member States and by EU institutions, bodies and agencies) decides whether and to what extent to deploy support based on the incident’s scale and severity, the type of entity affected, the potential impact of the incident on the Member States and users affected, the cross-border nature and risk of spillover, and the mitigation measures already taken. The contracting authority must respond within 48 hours.

The requests from DEP-associated non-EU countries are assessed by the Commission.

3. Mutual assistance, in which Member States provide technical support to each other in response to significant or large-scale cybersecurity incidents, with EU financial support.

3. European Cybersecurity Incident Review Mechanism

After significant or large-scale cybersecurity incidents, the Commission or the European Cyber Crisis Liaison Organisation Network (EU-CyCLONe) may request a structured review to assess causes and impacts, evaluate the response and extract lessons learned. The review:

• is conducted by ENISA with the support of the computer security incident response teams network and with the approval of the Member States concerned;
• results in a report containing findings and, where appropriate, best practices, lessons learned and non-binding recommendations to improve the EU’s cyber posture.

ENISA may publish a public version of the incident review report, containing only reliable public information or other content with the consent of the affected Member States or parties, subject to confidentiality rules.

Implementation and roles

• The Commission oversees the overall implementation of the regulation, including the EU Cybersecurity Reserve. For the Reserve, it should entrust ENISA, fully or in part, with the operation and administration of the Reserve via a contribution agreement.
• The European Cybersecurity Competence Centre manages grant-based preparedness measures and the deployment of national and cross-border cyber hubs. It must update its mapping of necessary tools, infrastructure and services at least every two years.
• ENISA coordinates the European Cybersecurity Incident Review Mechanism, is entrusted, fully or in part, with the administration and operation of the EU Cybersecurity Reserve and should regularly map the services needed for the EU Cybersecurity Reserve.

Funding

The regulation is financed under specific objective 3 (‘Cybersecurity and trust’) of the DEP.

Additional rules

• The Commission may adopt delegated acts to define the types and number of services to be provided under the EU Cybersecurity Reserve, based on evolving threats and available capabilities.
• Information sharing under the regulation must comply with rules on confidentiality and proportionality, and should not be contrary to Member States’ essential interests of national security, public security and defence.
• Procurement from non-EU-controlled entities may be permitted only under strict conditions, where no adequate EU-based alternatives exist and security interests are protected. The DEP work programme provides for conditions and rules regarding eligibility.
• By 5 February 2027, the Commission must report to the European Parliament and the Council on the implementation and effectiveness of the regulation.