ENISA Will Operate the EU Cybersecurity Reserve. What This Means for Managed Security Service Providers

The European Union is building a new line of defense. 

On 26 August 2025, the European Commission and the EU Agency for Cybersecurity (ENISA) signed a contribution agreement that hands ENISA the keys to the EU Cybersecurity Reserve.  

The deal comes with funding: €36 million over three years. ENISA's mission is straightforward, if not simple. It will administer, operate, and monitor the bloc’s emergency cyber response capabilities. 

Juhan Lepassaar, ENISA’s executive director, said: “Being entrusted with such prominent project, puts ENISA in the limelight as a dependable partner to the European cybersecurity community and it allows ENISA to break new ground towards an even more cyber secure digital single market.” 

The Cybersecurity Reserve is written into Article 14 of the Cyber Solidarity Act that sets out how Europe will prepare for and withstand large-scale cyberattacks.  

The Reserve is designed as a pool of pre-contracted services from trusted managed security providers. When a major incident hits, Member States, EU institutions, or even associated countries can call on those services. 

That matters. Europe’s digital economy is wide, interconnected, and vulnerable. Attacks don’t stop at borders. When hospitals in one member state are locked down by ransomware, or when the energy grid in another is breached, the impact ripples.  

The Reserve offers a way to respond faster and with more weight than national resources alone. 

How the Cybersecurity Reserve Works 

ENISA will run the procurement process and will sign contracts with managed security service providers (MSSPs).  

These providers, vetted through public tenders, will stand ready to deploy incident response teams, forensic expertise, and recovery services. Their clients won’t be ordinary companies, but operators of essential services in critical sectors defined by the NIS2 Directive (energy, transport, health, finance) as well as EU institutions and agencies. 

In practice, if a Member State faces a major cyber crisis, its national Computer Security Incident Response Team (CSIRT) or crisis authority can send a request to ENISA. For EU institutions, CERT-EU can do the same. And for third countries tied into the Digital Europe Programme (which includes the UK and Ukraine), ENISA will channel requests through the Commission. 

A request doesn’t mean instant action. ENISA, working with the Commission and EU-CyCLONe (the network of national cyber crisis managers), will assess the situation, match it against the scope of the Reserve, and trigger the appropriate services. 

One important detail: services won’t sit idle if Europe is lucky enough not to face a major breach. Under the Cyber Solidarity Act, unused capacity can be redirected into preparedness projects, like training, simulations, or preventive measures.  

The aim is efficiency. Money spent should strengthen resilience, whether or not the alarm bells ring. 

The Money and the Mandate 

Contribution agreements like this aren’t new. ENISA has received similar top-up funding for special projects: the Cybersecurity Support Action, the Single Reporting Platform under the Cyber Resilience Act, and work feeding into the EU’s Cyber Analysis and Situation Centre. What makes this agreement stand out is the scale and visibility. 

The €36 million comes on top of ENISA’s annual budget of nearly €27 million for 2025. It is earmarked specifically for operating the Reserve for three years.  

The Commission’s choice to put ENISA in charge reflects its trust in the Agency. Over the past decade, the agency has shifted from being a policy shop to playing a more operational role, supporting Member States, coordinating during crises, and building Europe-wide capacity. 

Timing and Transition 

The EU Cybersecurity Reserve is set to be fully operational by the end of 2025, a timeline that isn’t accidental. The current ENISA Cybersecurity Support Action, which provides ad hoc assistance to Member States, is due to wind down in 2026. The Reserve is designed to take over, offering a more structured and funded framework for help. 

That gives Member States time to prepare. Those still relying on the Support Action can plan their transition, line up requests, and adjust their national systems to plug into the Reserve. 

Managed Security Services and Certification 

The Reserve also fits into a broader push to professionalize and certify cybersecurity services in Europe. At the request of the Commission, ENISA has begun work on a candidate European certification scheme for managed security services. The first focus: incident response.  

Under the Cyber Solidarity Act, MSS providers delivering services through the Reserve must certify within two years of the scheme's implementation. 

Certification matters for trust. If the Reserve is to work, Member States need confidence that the providers they’re relying on meet consistent standards. It also pushes Europe closer to a genuine single market for cybersecurity services, where providers can compete and operate across borders without fragmented national rules. 

Why it Matters 

Cyber incidents have grown in frequency, scale, and impact. Two years ago, Denmark experienced the most wide-reaching cyberattack in its history, targeting critical infrastructure. Then there’s the ransomware attack on Ireland’s health service in 2021, which paralyzed hospitals nationwide. And who could forget the NotPetya ransomware in 2017 that caused billions in damages, spilling far beyond its initial targets.  

Every major crisis has highlighted the same problem: national systems often can’t cope alone. 

The Cybersecurity Reserve is Europe’s answer. It won’t stop attacks, but it can shorten downtime, limit damage, and provide the kind of cross-border solidarity that the EU was built on. 

The idea is simple. When the next big incident comes (and it will) Europe won’t just be a collection of isolated responders scrambling in parallel. It will have a shared reserve, standing by, coordinated through ENISA. 

That is the promise of this week’s agreement. Not just more money for ENISA, but a signal that Europe wants to back words with action, and turn solidarity from a slogan into a working system.