Cyber Solidarity Act

Chapter III – Cybersecurity Emergency Mechanism (Art. 10-20)

  • Art. 10 CSol – Establishment of the Cybersecurity Emergency Mechanism
    1. A Cybersecurity Emergency Mechanism is established to support the improvement of the Union’s resilience to cyber threats and the preparation for and mitigation of, in a spirit of solidarity, the short-term impact of significant cybersecurity incidents, large-scale cybersecurity incidents and large-scale-equivalent cybersecurity incidents.
    2. In the case of the Member States, actions under the Cybersecurity Emergency Mechanism shall be provided upon request and shall be complementary to Member States’ efforts and actions to prepare for, respond to and recover from incidents.
    3. The actions implementing the Cybersecurity Emergency Mechanism shall be supported by funding from the DEP and shall be implemented in accordance with Regulation (EU) 2021/694, in particular Specific Objective 3 thereof.
    4. The actions under the Cybersecurity Emergency Mechanism shall be implemented primarily through the ECCC in accordance with Regulation (EU) 2021/887. However, actions implementing the EU Cybersecurity Reserve as referred to in Article 11, point (b), of this Regulation shall be implemented by the Commission and ENISA.
  • Art. 11 CSol – Types of action

    The Cybersecurity Emergency Mechanism shall support the following types of action:

      (a) preparedness actions, namely:
        (i) the coordinated preparedness testing of entities operating in sectors of high criticality across the Union as specified in Article 12;
        (ii) other preparedness actions for entities operating in sectors of high criticality or entities operating in other critical sectors, as specified in Article 13;
      (b) actions supporting response to and initiating recovery from significant cybersecurity incidents, large-scale cybersecurity incidents and large-scale-equivalent cybersecurity incidents, to be provided by trusted managed security service providers participating in the EU Cybersecurity Reserve established under Article 14;
      (c) actions supporting mutual assistance as referred to in Article 18.
  • Art. 12 CSol – Coordinated preparedness testing of entities
    1. The Cybersecurity Emergency Mechanism shall support the voluntary coordinated preparedness testing of entities operating in sectors of high criticality.
    2. The coordinated preparedness testing may consist of preparedness activities, such as penetration testing, and threat assessment.
    3. Support for preparedness actions under this Article shall be provided to Member States primarily in the form of grants and subject to the conditions provided for in the relevant work programmes as referred to in Article 24 of Regulation (EU) 2021/694.
    4. For the purpose of supporting the coordinated preparedness testing of entities referred to in Article 11, point (a)(i), of this Regulation across the Union, the Commission shall, after consulting the NIS Cooperation Group, EU-CyCLONe and ENISA, identify the sectors or sub-sectors concerned from the sectors of high criticality listed in Annex I to Directive (EU) 2022/2555 for which a call for proposals to award grants may be issued. The participation of Member States in those calls for proposals is voluntary.
    5. When identifying the sectors or sub-sectors referred to in paragraph 4, the Commission shall take into account coordinated risk assessments and resilience testing at Union level and the results thereof.
    6. The NIS Cooperation Group in cooperation with the Commission, the High Representative of the Union for Foreign Affairs and Security Policy (the ‘High Representative’) and ENISA, and, within the remit of its mandate, EU-CyCLONe, shall develop common risk scenarios and methodologies for the coordinated preparedness testing referred to in Article 11, point (a)(i), and, where appropriate, for other preparedness actions referred to in point (a)(ii) of that Article.
    7. Where an entity operating in a sector of high criticality participates voluntarily in coordinated preparedness testing and that testing results in recommendations for specific measures, which the participating entity could integrate into a remediation plan, the Member State authority responsible for the coordinated preparedness testing shall, where appropriate, review the follow-up of those measures by the participating entities with a view to reinforcing preparedness.
  • Art. 13 CSol – Other preparedness actions
    1. The Cybersecurity Emergency Mechanism shall support preparedness actions not covered by Article 12. Such actions shall include preparedness actions for entities in sectors not identified for coordinated preparedness testing pursuant to Article 12. Such actions may support vulnerability monitoring, risk monitoring, exercises and training.
    2. Support for preparedness actions under this Article shall be provided to Member States upon request and primarily in the form of grants and subject to the conditions provided for in the relevant work programmes as referred to in Article 24 of Regulation (EU) 2021/694.
  • Art. 14 CSol – Establishment of the EU Cybersecurity Reserve
    1. An EU Cybersecurity Reserve is established in order to assist, upon request, users as referred to in paragraph 3, in responding to, or providing support for a response to, significant cybersecurity incidents, large-scale cybersecurity incidents or large-scale-equivalent cybersecurity incidents, and initiating recovery from such incidents.
    2. The EU Cybersecurity Reserve shall consist of response services from trusted managed security service providers selected in accordance with the criteria laid down in Article 17(2). The EU Cybersecurity Reserve may include pre-committed services. The pre-committed services of a trusted managed security service provider shall be convertible into preparedness services related to incident prevention and response where those pre-committed services are not used for incident response during the time for which those services are pre-committed. The EU Cybersecurity Reserve shall be deployable, upon request, in all Member States, in Union institutions, bodies, offices and agencies, and in DEP-associated third countries as referred to in Article 19(1).
    3. The users of the services provided by the EU Cybersecurity Reserve shall consist of the following:
      (a) Member States’ cyber crisis management authorities and CSIRTs as referred to, respectively, in Article 9(1) and (2) and Article 10 of Directive (EU) 2022/2555;
      (b) CERT-EU in accordance with Article 13 of Regulation (EU, Euratom) 2023/2841;
      (c) competent authorities such as computer security incident response teams and cyber crisis management authorities of DEP-associated third countries in accordance with Article 19(8).
    4. The Commission shall have overall responsibility for the implementation of the EU Cybersecurity Reserve. The Commission shall determine the priorities and the evolution of the EU Cybersecurity Reserve in coordination with the NIS Cooperation Group and, in line with the requirements of the users referred to in paragraph 3, shall supervise its implementation and shall ensure complementarity, consistency, synergies and links with other support actions under this Regulation as well as with other Union actions and programmes. Those priorities shall be reviewed and, if appropriate, revised every 2 years. The Commission shall inform the European Parliament and the Council of those priorities and any revisions thereof.
    5. Without prejudice to the Commission’s overall responsibility for the implementation of the EU Cybersecurity Reserve referred to in paragraph 4 of this Article and subject to a contribution agreement as defined in Article 2, point (19), of Regulation (EU, Euratom) 2024/2509, the Commission shall entrust the operation and administration of the EU Cybersecurity Reserve, in full or in part, to ENISA. Aspects not entrusted to ENISA shall remain subject to direct management by the Commission.
    6. ENISA shall prepare, at least every 2 years, a mapping of the services needed by the users referred to in paragraph 3, points (a) and (b), of this Article. The mapping shall also include the availability of such services, including from legal entities established or deemed to be established in Member States and controlled by Member States or by nationals of Member States. In mapping that availability, ENISA shall assess the skills and capacity of the Union cybersecurity workforce relevant to the objectives of the EU Cybersecurity Reserve. When preparing the mapping, ENISA shall consult the NIS Cooperation Group, EU-CyCLONe, the Commission and, where applicable, the Interinstitutional Cybersecurity Board established pursuant to Article 10 of Regulation (EU, Euratom) 2023/2841 (IICB). In mapping the availability of services, ENISA shall also consult relevant cybersecurity industry stakeholders, including managed security service providers. ENISA shall prepare a similar mapping, after informing the Council and after consulting EU-CyCLONe, the Commission and, where relevant, the High Representative, to identify the needs of users referred to in paragraph 3, point (c), of this Article.
    7. The Commission is empowered to adopt delegated acts in accordance with Article 23 to supplement this Regulation by specifying the types and the number of response services required for the EU Cybersecurity Reserve. When preparing those delegated acts, the Commission shall take into account the mapping referred to in paragraph 6 of this Article and may exchange advice and cooperate with the NIS Cooperation Group and ENISA.
  • Art. 15 CSol – Requests for support from the EU Cybersecurity Reserve
    1. The users referred to in Article 14(3) may request services from the EU Cybersecurity Reserve to support response to and initiate recovery from significant cybersecurity incidents, large-scale cybersecurity incidents or large-scale-equivalent cybersecurity incidents.
    2. To receive support from the EU Cybersecurity Reserve, the users referred to in Article 14(3) shall take all appropriate measures to mitigate the effects of the incident for which the support is requested, including, where relevant, the provision of direct technical assistance, and other resources to assist the response to the incident, and recovery efforts.
    3. Requests for support shall be transmitted to the contracting authority as follows:
      (a) in the case of the users referred to in Article 14(3), point (a), of this Regulation, via the single point of contact designated or established pursuant to Article 8(3) of Directive (EU) 2022/2555;
      (b) in the case of the user referred to in Article 14(3), point (b), by that user;
      (c) in the case of the users referred to in Article 14(3), point (c), via the single point of contact referred to in Article 19(9).
    4. In the case of requests from the users referred to in Article 14(3), point (a), Member States shall inform the CSIRTs network, and, where appropriate, EU-CyCLONe, about their users’ requests for incident response and initial recovery support pursuant to this Article.
    5. Requests for incident response and initial recovery support shall include:
      (a) appropriate information regarding the entity affected and the potential impact of the incident on:
        (i) in the case of users referred to in Article 14(3), point (a), the Member States and users affected, including the risk of spillover to another Member State;
        (ii) in the case of the user referred to in Article 14(3), point (b), the Union institutions, bodies, offices or agencies affected;
        (iii) in the case of users referred to in Article 14(3), point (c), the DEP-associated countries affected;
      (b) information regarding the requested service, together with the planned use of the requested support, including an indication of the estimated needs;
      (c) appropriate information about measures taken to mitigate the incident for which the support is requested, as referred to in paragraph 2;
      (d) where relevant, available information about other forms of support available to the entity affected.
    6. ENISA, in cooperation with the Commission and EU-CyCLONe, shall develop a template to facilitate the submission of requests for support from the EU Cybersecurity Reserve.
    7. The Commission may, by means of implementing acts, specify further the detailed procedural arrangements for the way in which the EU Cybersecurity Reserve support services are to be requested and the way in which those requests are to be responded to pursuant to this Article, to Article 16(1) and to Article 19(10), including arrangements for submitting such requests and delivering the responses and templates for the reports referred to in Article 16(9). Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 24(2).
  • Art. 16 CSol – Implementation of the support from the EU Cybersecurity Reserve
    1. In the case of requests from users referred to in Article 14(3), points (a) and (b), requests for support from the EU Cybersecurity Reserve shall be assessed by the contracting authority. A response shall be transmitted to the users referred to in Article 14(3), points (a) and (b), without delay and in any event no later than 48 hours from the submission of the request to ensure effectiveness of the support. The contracting authority shall inform the Council and the Commission of the results of the process.
    2. As regards information shared in the course of requesting and providing the services of the EU Cybersecurity Reserve, all parties involved in the application of this Regulation shall:
      (a) limit the use and sharing of that information to what is necessary to discharge their obligations or functions under this Regulation;
      (b) use and share any information that is confidential or classified pursuant to Union and national law only in accordance with that law; and
      (c) ensure effective, efficient and secure information exchange, where appropriate by using and respecting relevant information-sharing protocols including the traffic light protocol.
    3. In assessing individual requests under Article 16(1) and Article 19(10), the contracting authority or the Commission, as applicable, shall first assess whether the criteria referred to in Article 15(1) and (2) are fulfilled. If that is the case, it shall assess the duration and nature of support that is appropriate, having regard to the objective referred to in Article 1(3), point (b), and the following criteria, where relevant:
      (a) the scale and severity of the incident;
      (b) the type of entity affected, with higher priority given to incidents affecting essential entities as referred to in Article 3(1) of Directive (EU) 2022/2555;
      (c) the potential impact of the incident on the affected Member States, Union institutions, bodies, offices or agencies, or DEP-associated third countries;
      (d) the potential cross-border nature of the incident and the risk of spillover to other Member States, Union institutions, bodies, offices or agencies, or DEP-associated third countries;
      (e) the measures taken by the user to assist the response, and initial recovery efforts, as referred to in Article 15(2).
    4. To prioritise requests, in the case of concurrent requests from users referred to in Article 14(3), the criteria referred to in paragraph 3 of this Article shall be taken into account, where relevant, without prejudice to the principle of sincere cooperation between Member States and Union institutions, bodies, offices and agencies. Where two or more requests are assessed as equal under those criteria, higher priority shall be given to requests from Member State users. Where the operation and administration of the EU Cybersecurity Reserve has been entrusted, in full or in part, to ENISA pursuant to Article 14(5), ENISA and the Commission shall closely cooperate to prioritise requests in accordance with this paragraph.
    5. The EU Cybersecurity Reserve services shall be provided in accordance with specific agreements between the trusted managed security service provider and the user to which the support under the EU Cybersecurity Reserve is provided. Those services may be provided in accordance with specific agreements between the trusted managed security service provider, the user and the entity affected. All agreements referred to in this paragraph shall include, inter alia, liability conditions.
    6. The agreements referred to in paragraph 5 shall be based on templates prepared by ENISA, after consulting Member States and, where appropriate, other users of the EU Cybersecurity Reserve.
    7. The Commission, ENISA and the users of the EU Cybersecurity Reserve shall bear no contractual liability for damage caused to third parties by the services provided in the framework of the implementation of the EU Cybersecurity Reserve.
    8. Users may use the EU Cybersecurity Reserve services provided in response to a request under Article 15(1) only in order to support response to and initiate recovery from significant cybersecurity incidents, large-scale cybersecurity incidents or large-scale-equivalent cybersecurity incidents. They may use those services only in respect of:
      (a) entities operating in sectors of high criticality or entities operating in other critical sectors, in the case of users referred to in Article 14(3), point (a), and equivalent entities in the case of users referred to in Article 14(3), point (c); and
      (b) Union institutions, bodies, offices and agencies, in the case of the user referred to in Article 14(3), point (b).
    9. Within 2 months of the end of a support, users that have received support shall provide a summary report about the service provided, the results achieved and the lessons learned, to:
      (a) the Commission, ENISA, the CSIRTs network and EU-CyCLONe in the case of users referred to in Article 14(3), point (a);
      (b) the Commission, ENISA and the IICB in the case of the user referred to in Article 14(3), point (b);
      (c) the Commission in the case of users referred to in Article 14(3), point (c).

      The Commission shall transmit any summary report received from users referred to in Article 14(3) pursuant to the first subparagraph, point (c), of this paragraph, to the Council and the High Representative.

    10. Where the operation and administration of the EU Cybersecurity Reserve has been entrusted, in full or in part, to ENISA pursuant to Article 14(5) of this Regulation, ENISA shall report to and consult the Commission on a regular basis in that respect. In that context, ENISA shall immediately send to the Commission any requests it receives from users referred to in Article 14(3), point (c), of this Regulation and, where required for the purposes of prioritisation under this Article, any requests it has received from users referred to in Article 14(3), point (a) or (b), of this Regulation. The obligations in this paragraph shall be without prejudice to Article 14 of Regulation (EU) 2019/881.
    11. In the case of users referred to in Article 14(3), points (a) and (b), the contracting authority shall report to the NIS Cooperation Group, on a regular basis and at least twice per year, about the use and the results of the support.
    12. In the case of users referred to in Article 14(3), point (c), the Commission shall report to the Council and inform the High Representative on a regular basis and at least twice per year, about the use and the results of the support.
  • Art. 17 CSol – Trusted managed security service providers
    1. In procurement procedures for the purpose of establishing the EU Cybersecurity Reserve, the contracting authority shall act in accordance with the principles laid down in Regulation (EU, Euratom) 2024/2509 and in accordance with the following principles:
      (a) ensure that the services included in the EU Cybersecurity Reserve, when taken as a whole, are such that the EU Cybersecurity Reserve includes services that may be deployed in all Member States, taking into account in particular national requirements for the provision of such services, including on languages, certification or accreditation;
      (b) ensure the protection of the essential security interests of the Union and its Member States;
      (c) ensure that the EU Cybersecurity Reserve brings Union added value, by contributing to the objectives set out in Article 3 of Regulation (EU) 2021/694, including promoting the development of cybersecurity skills in the Union.
    2. When procuring services for the EU Cybersecurity Reserve, the contracting authority shall include in the procurement documents the following criteria and requirements:
      (a) the provider shall demonstrate that its personnel has the highest degree of professional integrity, independence, responsibility, and the requisite technical competence to perform the activities in their specific field, and ensures the permanence and continuity of expertise as well as the required technical resources;
      (b) the provider, and any relevant subsidiaries and subcontractors, shall comply with applicable rules on the protection of classified information and shall have in place appropriate measures, including, where relevant, agreements between one another, to protect confidential information relating to the service, and in particular evidence, findings and reports;
      (c) the provider shall provide sufficient proof that its governing structure is transparent, not likely to compromise its impartiality and the quality of its services or to cause conflicts of interest;
      (d) the provider shall have appropriate security clearance, at least for personnel intended for service deployment, where required by a Member State;
      (e) the provider shall have the relevant level of security for its IT systems;
      (f) the provider shall be equipped with the hardware and software necessary to support the requested service, which shall not contain known exploitable vulnerabilities, shall include the latest security updates and shall in any case comply with any applicable provision of Regulation (EU) 2024/2847 of the European Parliament and of the Council(23);
      (g) the provider shall be able to demonstrate that it has experience in delivering similar services to relevant national authorities, entities operating in sectors of high criticality or entities operating in other critical sectors;
      (h) the provider shall be able to provide the service within a short timeframe in the Member States where it can deliver the service;
      (i) the provider shall be able to provide the service in one or more official languages of the Union institutions or of a Member State as required, if any, by the Member States or users referred to in Article 14(3), points (b) and (c), where the provider can deliver the service;
      (j) once a European cybersecurity certification scheme for managed security services pursuant to Regulation (EU) 2019/881 is in place, the provider shall be certified in accordance with that scheme within 2 years from the date of application of the scheme;
      (k) the provider shall include in the tender the conversion conditions for any unused incident response service that could be converted into preparedness services closely related to incident response, such as exercises or training.
    3. For the purpose of procuring services for the EU Cybersecurity Reserve, the contracting authority may, where appropriate, develop criteria and requirements in addition to those referred to in paragraph 2, in close cooperation with Member States.

    (23) Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act) (OJ L, 2024/2847, 20.11.2024, ELI: http://data.europa.eu/eli/reg/2024/2847/oj).

  • Art. 18 CSol – Actions supporting mutual assistance
    1. The Cybersecurity Emergency Mechanism shall provide support for technical assistance from one Member State to another Member State affected by a significant cybersecurity incident or a large-scale cybersecurity incident, including in cases referred to in Article 11(3), point (f), of Directive (EU) 2022/2555.
    2. The support for the technical mutual assistance referred to in paragraph 1 of this Article shall be provided in the form of grants and subject to the conditions provided for in the relevant work programmes as referred to in Article 24 of Regulation (EU) 2021/694.
  • Art. 19 CSol – Support to DEP-associated third countries
    1. A DEP-associated third country may request support from the EU Cybersecurity Reserve where the agreement through which it is associated to the DEP provides for participation in the EU Cybersecurity Reserve. That agreement shall include provisions requiring the DEP-associated third country concerned to comply with the obligations set out in paragraphs 2 and 9 of this Article. For the purposes of the participation of a third country in the EU Cybersecurity Reserve, the partial association of a third country to the DEP may include an association limited to the operational objective referred to in Article 6(1), point (g), of Regulation (EU) 2021/694.
    2. Within 3 months of the conclusion of the agreement referred to in paragraph 1 and in any event prior to receiving any support from the EU Cybersecurity Reserve, the DEP-associated third country shall provide to the Commission information about its cyber resilience and risk management capabilities, including at least information on national measures taken to prepare for significant cybersecurity incidents or large-scale-equivalent cybersecurity incidents, as well as information on responsible national entities, including computer security incident response teams or equivalent entities, their capabilities and the resources allocated to them. The DEP-associated third country shall provide updates of that information on a regular basis and at least once a year. The Commission shall provide the High Representative and ENISA with that information for the purposes of facilitating the application of paragraph 11.
    3. The Commission shall assess regularly, and at least once a year, the following criteria in respect of each DEP-associated third country referred to in paragraph 1:
      (a) whether that country is complying with the terms of the agreement referred to in paragraph 1, insofar as those terms relate to participation in the EU Cybersecurity Reserve;
      (b) whether that country has taken adequate steps to prepare for significant cybersecurity incidents or large-scale-equivalent cybersecurity incidents, based on the information referred to in paragraph 2; and
      (c) whether the provision of support is consistent with the Union’s policy towards and overall relations with that country and whether it is consistent with other Union policies in the field of security.

      The Commission shall consult the High Representative when conducting the assessment referred to in the first subparagraph, with regard to the criterion referred to in point (c) of that subparagraph.

      Where the Commission concludes that a DEP-associated third country meets all of the conditions referred to in the first subparagraph, the Commission shall submit a proposal to the Council to adopt an implementing act in accordance with paragraph 4 authorising the provision of support from the EU Cybersecurity Reserve to that country.

    4. The Council may adopt the implementing acts referred to in paragraph 3. Those implementing acts shall apply for a maximum of one year. They may be renewed. They may include a limit of no less than 75 days on the number of days for which support can be provided in response to a single request.

      For the purposes of this Article, the Council shall act expeditiously and shall, as a rule, adopt the implementing acts referred to in this paragraph within eight weeks of the adoption of the relevant Commission proposal pursuant to paragraph 3, third subparagraph.

    5. The Council may amend or repeal an implementing act adopted pursuant to paragraph 4 at any time, acting on a proposal of the Commission.

      Where the Council considers there to have been a significant change concerning the criterion referred to in paragraph 3, first subparagraph, point (c), the Council may amend or repeal an implementing act adopted pursuant to paragraph 4 acting on the duly reasoned initiative of one or more Member States.

    6. In the exercise of its implementing powers under this Article, the Council shall apply the criteria referred to in paragraph 3, first subparagraph, and shall explain its assessment of those criteria. In particular, where it acts on its own initiative pursuant to paragraph 5, second subparagraph, the Council shall explain the significant change referred to in that subparagraph.
    7. Support from the EU Cybersecurity Reserve to a DEP-associated third country shall comply with any specific conditions laid down in the agreement referred to in paragraph 1.
    8. Users from DEP-associated third countries eligible to receive services from the EU Cybersecurity Reserve shall include competent authorities such as computer security incident and response teams or equivalent entities and cyber crisis management authorities.
    9. Each DEP-associated third country eligible for support from the EU Cybersecurity Reserve shall designate an authority to act as a single point of contact for the purposes of this Regulation.
    10. Requests for support from the EU Cybersecurity Reserve under this Article shall be assessed by the Commission. The contracting authority may provide support to a third country only where, and for so long as, a Council implementing act authorising such support in respect of that country adopted pursuant to paragraph 4 of this Article is in force. A response shall be transmitted to the users referred to in Article 14(3), point (c), without undue delay.
    11. Upon receipt of a request for support under this Article, the Commission shall immediately inform the Council. The Commission shall keep the Council informed of the assessment of the request. The Commission shall also cooperate with the High Representative about the requests received and the implementation of the support granted to DEP-associated third countries from the EU Cybersecurity Reserve. Additionally, the Commission shall also take into account any views provided by ENISA in respect of those requests.
  • Art. 20 CSol – Coordination with Union crisis management mechanisms
    1. Where a significant cybersecurity incident, a large-scale cybersecurity incident or a large-scale-equivalent cybersecurity incident originates from or results in a disaster as defined in Article 4, point (1), of Decision No 1313/2013/EU, the support provided under this Regulation for responding to such incident shall complement actions under, and be without prejudice to, that Decision.
    2. In the event of a large-scale cybersecurity incident or a large-scale-equivalent cybersecurity incident where the EU Integrated Political Crisis Response Arrangements under Implementing Decision (EU) 2018/1993 (IPCR Arrangements) are activated, support provided under this Regulation for responding to such incident shall be handled in accordance with the relevant procedures under the IPCR Arrangements.