€36 million over 3 years: this will be the EU’s cybersecurity reserve budget.
The reserve sits within the “cyber emergency mechanism” established by the Cyber Solidarity Regulation (see our article about it). It should be “fully operational” by the end of 2025, according to ENISA, which oversees it.
The agency will procure incident response services that it can grant to three recipient types:
- Entities active in critical or highly critical sectors
- Institutions, bodies and agencies of the European Union
- Third countries participating in the Digital Europe programme
The Cyber Solidarity Regulation prioritizes European providers when constituting the reserve. It does, however, leave the door open to non-European solutions if supply is insufficient.
The initial list includes 45 suppliers, all founded and based in the EU. Most are SMEs. France is represented by Airbus Protect, the security and (cyber)security subsidiary of the aerospace and defence group.
| Member State | Providers |
| --- | --- |
| Germany | Spike Reply |
| Belgium | NVISO |
| Cyprus | ADACOM Cyber Security*, IANUS Technologies, Logicom Solutions, QSecure |
| Croatia | Cyber Security Incubator, Infigo IS, Span |
| Spain | CSA (Centro Regional de Servicios Avanzados), GMV, s2grupo |
| Estonia | CybExer |
| Finland | Reversec, WithSecure |
| France | Airbus Protect |
| Greece | ADACOM, CENSUS, Cyber Noesis, Pronet, Uni Systems |
| Hungary | Alverad Technology Focus, Andrews IT Engineering, Balasys IT, ITSec Area, Ukatemi Technologies, White Hat IT Security |
| Italy | aizoOn Consulting, CINI (Consorzio Interuniversitario Nazionale per l’Informatica), CY4GATE, NEXT Ingegneria dei Sistemi, Security Reply, Tinexta Cyber |
| Latvia | Tet |
| Lithuania | NRD |
| Luxembourg | Uni Systems** |
| Romania | Bit Sentinel Security, certSIGN, CybrOps, InQbit Innovations |
| Slovakia | IstroSec |
| Slovenia | ICS (Institut za korporativne varnostne studije), SSRD, Telekom Slovenije, Viris |
Response services… convertible into preparedness services
The reserve is intended to respond to “important” or “major” incidents within the meaning of NIS2. Support is expected to be limited to the initial recovery phase, “leading to the restoration of the basic functionalities of the systems”. For non-third-country participants, the response time for requests is 48 hours. Within two months of the end of assistance, beneficiaries must provide a summary report.
Pre-allocated services that are not ultimately used can be converted into preparedness services, taking care to avoid duplication with the preparedness measures managed by the ECCC (European Cybersecurity Competence Centre).
When implementing procurement procedures for the reserve, the European Commission and ENISA can act as a central purchasing body or wholesaler on behalf of EU institutions, bodies or agencies. The same applies to third countries.
Third countries can seek access to the reserve by joining the Digital Europe programme only partially, covering solely the objective, as integrated into said programme by the Cyber Solidarity Regulation, of “establishing and operating the emergency mechanism […] including the reserve.” Access is granted for a maximum of 1 year (renewable).
* Subsidiary of the Greek company ADACOM
** Subsidiary of the Greek company Uni Systems.