Cyber Solidarity Act

About

Recitals

Chapter V – Final provisions (Art. 22-26)

  • Art. 22 CSol – Amendments to Regulation (EU) 2021/694

    Regulation (EU) 2021/694 is amended as follows:

    1. Article 6 is amended as follows:(a) paragraph 1 is amended as follows:(i) the following point is inserted:

      ‘(aa) support the development of the European Cybersecurity Alert System established by Article 3 of Regulation (EU) 2025/38 of the European Parliament and of the Council(*1) (the “European Cybersecurity Alert System”), including the development, deployment and operation of National Cyber Hubs and Cross-Border Cyber Hubs that contribute to situational awareness in the Union and to enhancing the cyber threat intelligence capacities of the Union;

      (*1) Regulation (EU) 2025/38 of the European Parliament and of the Council of 19 December 2024 laying down measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cyber threats and incidents and amending Regulation (EU) 2021/694 (Cyber Solidarity Act) (OJ L, 2025/38, 15.1.2025, ELI: http://data.europa.eu/eli/reg/2025/38/oj).’;”

      (ii) the following point is added:

      ‘(g) establish and operate the Cybersecurity Emergency Mechanism established by Article 10 of Regulation (EU) 2025/38, including the EU Cybersecurity Reserve established by Article 14 of that Regulation (the “EU Cybersecurity Reserve”), to support Member States in preparing for and responding to significant cybersecurity incidents and large-scale cybersecurity incidents that is complementary to national resources and capabilities and other forms of support available at Union level, and to support other users in responding to significant cybersecurity incidents and large-scale-equivalent cybersecurity incidents;’

      ;

      (b) paragraph 2 is replaced by the following:

      ‘2. The actions under Specific Objective 3 shall be implemented primarily through the European Cybersecurity Industrial, Technology and Research Competence Centre and the Network of National Coordination Centres in accordance with Regulation (EU) 2021/887 of the European Parliament and of the Council(*2). However, the EU Cybersecurity Reserve shall be implemented by the Commission and, in accordance with Article 14(6) of Regulation (EU) 2025/38, by ENISA.

      (*2)Regulation (EU) 2021/887 of the European Parliament and of the Council of 20 May 2021 establishing the European Cybersecurity Industrial, Technology and Research Competence Centre and the Network of National Coordination Centres (OJ L 202, 8.6.2021, p. 1).’.”

    2. Article 9 is amended as follows:(a) in paragraph 2, points (b), (c) and (d) are replaced by the following:‘(b) EUR 1 760 806 000 for Specific Objective 2 – Artificial Intelligence;

      (c) EUR 1 372 020 000 for Specific Objective 3 – Cybersecurity and Trust;

      (d) EUR 482 640 000 for Specific Objective 4 – Advanced Digital Skills;’

      ;

      (b) the following paragraph is added:

      ‘8. By way of derogation from Article 12(1) of the Financial Regulation, unused commitment and payment appropriations for actions in the context of the implementation of the EU Cybersecurity Reserve and the actions supporting mutual assistance pursuant to Regulation 2025/38, pursuing the objectives set out in Article 6(1), point (g), of this Regulation shall be automatically carried over and may be committed and paid up to 31 December of the following financial year. The European Parliament and the Council shall be informed of appropriations carried over pursuant to Article 12(6) of the Financial Regulation.’

      ;

    3. Article 12 is amended as follows:(a) the following paragraphs are inserted:

      ‘5a. Paragraph 5 shall not apply, insofar as concerns legal entities that are established in the Union but are controlled from third countries, to any action implementing the European Cybersecurity Alert System where both of the following conditions are fulfilled in respect of the action concerned:

      (a) there is a real risk, taking into account the results of the mapping carried out pursuant to Article 9(4) of Regulation (EU) 2025/38, that the tools, infrastructure or services necessary and sufficient for that action to adequately contribute to the objective of the European Cybersecurity Alert System will not be available from legal entities established or deemed to be established in Member States and controlled by Member States or by nationals of Member States;

      (b) the security risk of procuring from such legal entities within the European Cybersecurity Alert System is proportionate to the benefits and does not undermine the essential security interests of the Union and its Member States.

      5b. Paragraph 5 shall not apply, insofar as concerns legal entities that are established in the Union but are controlled from third countries, to any action implementing the EU Cybersecurity Reserve where both of the following conditions are fulfilled in respect of the action concerned:

      (a) there is a real risk, taking into account the results of the mapping carried out pursuant to Article 14(6) of Regulation (EU) 2025/38, that the technology, expertise or capacity necessary and sufficient for the EU Cybersecurity Reserve to adequately perform its functions will not be available from legal entities established or deemed to be established in Member States and controlled by Member States or by nationals of Member States;

      (b) the security risk of including such legal entities within the EU Cybersecurity Reserve is proportionate to the benefits and does not undermine the essential security interests of the Union and its Member States.’

      ;

      (b) paragraph 6 is replaced by the following:

      ‘6. If duly justified for security reasons, the work programme may also provide that legal entities established in associated countries and legal entities that are established in the Union but are controlled from third countries may be eligible to participate in all or some actions under Specific Objectives 1 and 2 only if they comply with the requirements to be fulfilled by those legal entities to guarantee the protection of the essential security interests of the Union and the Member States and to ensure the protection of classified documents information. Those requirements shall be set out in the work programme.

      The first subparagraph shall also apply, insofar as concerns legal entities that are established in the Union but are controlled from third countries, to actions under Specific Objective 3:

      (a) to implement the European Cybersecurity Alert System where paragraph 5a applies; and

      (b) to implement the EU Cybersecurity Reserve where paragraph 5b applies.’

      ;

    4. in Article 14, paragraph 2 is replaced by the following:‘2. The Programme may provide funding in any of the forms laid down in the Financial Regulation, including in particular through procurement as a primary form, or grants and prizes.

      Where the achievement of the objective of an action requires the procurement of innovative goods and services, grants may be awarded only to beneficiaries that are contracting authorities or contracting entities as defined in Directives 2014/24/EU(*3) and 2014/25/EU(*4) of the European Parliament and of the Council.

      Where the supply of innovative goods or services that are not yet available on a large-scale commercial basis is necessary to achieve the objectives of an action, the contracting authority or the contracting entity may authorise the award of multiple contracts within the same procurement procedure.

      For duly justified reasons of public security, the contracting authority or the contracting entity may require that the place of performance of the contract be situated within the territory of the Union.

      When implementing procurement procedures for the EU Cybersecurity Reserve, the Commission and ENISA may act as a central purchasing body to procure on behalf of or in the name of third countries associated to the Programme in accordance with Article 10 of this Regulation. The Commission and ENISA may also act as wholesaler, by buying, stocking and reselling or donating supplies and services, including rentals, to those third countries. By way of derogation from Article 168(3) of Regulation (EU, Euratom) 2024/2509 of the European Parliament and of the Council(*5), the request from a single third country shall be sufficient to mandate the Commission or ENISA to act.

      When implementing procurement procedures for the EU Cybersecurity Reserve, the Commission and ENISA may act as a central purchasing body to procure on behalf of or in the name of Union institutions, bodies, offices or agencies. The Commission and ENISA may also act as a wholesaler, by buying, stocking and reselling or donating supplies and services, including rentals, to Union institutions, bodies, offices or agencies. By way of derogation from Article 168(3) of Regulation (EU, Euratom) 2024/2509, a request from a single Union institution, body, office or agency shall be sufficient to mandate the Commission or ENISA to act.

      The Programme may also provide financing in the form of financial instruments within blending operations.

      (*3) Directive 2014/24/EU of the European Parliament and of the Council of 26 February 2014 on public procurement and repealing Directive 2004/18/EC (OJ L 94, 28.3.2014, p. 65).
      (*4) Directive 2014/25/EU of the European Parliament and of the Council of 26 February 2014 on procurement by entities operating in the water, energy, transport and postal services sectors and repealing Directive 2004/17/EC (OJ L 94, 28.3.2014, p. 243).
      (*5) Regulation (EU, Euratom) 2024/2509 of the European Parliament and of the Council of 23 September 2024 on the financial rules applicable to the general budget of the Union (OJ L, 2024/2509, 26.9.2024, ELI: http://data.europa.eu/eli/reg/2024/2509/oj).’;”

    5. the following article is inserted:

      ‘Article 16a

      Conflicts of rules

      In the case of actions implementing the European Cybersecurity Alert System, the applicable rules shall be those set out in Articles 4, 5 and 9 of Regulation (EU) 2025/38. In the case of a conflict between the provisions of this Regulation and Articles 4, 5 and 9 of Regulation (EU) 2025/38, the latter shall prevail and apply to those specific actions.

      In the case of EU Cybersecurity Reserve, specific rules for the participation of third countries associated to the Programme are laid down in Article 19 of Regulation (EU) 2025/38. In the case of a conflict between the provisions of this Regulation and Article 19 of Regulation (EU) 2025/38, the latter shall prevail and apply to those specific actions.’

      ;

    6. Article 19 is replaced by the following:

      ‘Article 19

      Grants

      Grants under the Programme shall be awarded and managed in accordance with Title VIII of the Financial Regulation and may cover up to 100 % of the eligible costs, without prejudice to the co-financing principle as laid down in Article 190 of the Financial Regulation. Such grants shall be awarded and managed as specified for each specific objective.

      Support in the form of grants may be awarded directly by the ECCC without a call for proposals to the Member States selected pursuant to Article 9 of Regulation (EU) 2025/38 and the Hosting Consortium referred to in Article 5 of Regulation (EU) 2025/38, in accordance with Article 195(1), point (d), of the Financial Regulation.

      Support in the form of grants for the Cybersecurity Emergency Mechanism may be awarded directly by the ECCC to Member States without a call for proposals, in accordance with Article 195(1), point (d), of the Financial Regulation.

      With regard to actions supporting mutual assistance provided for in Article 18 of Regulation (EU) 2025/38, the ECCC shall inform the Commission and ENISA about Member States’ requests for direct grants without a call for proposals.

      With regard to actions supporting mutual assistance provided for in Article 18 of Regulation (EU) 2025/38, and in accordance with Article 193(2), second subparagraph, point (a), of the Financial Regulation, the costs may, in duly justified cases, be considered to be eligible even if they were incurred before the grant application was submitted.’

      ;

    7. (7) Annexes I and II are amended in accordance with the Annex to this Regulation.
  • Art. 23 CSol – Exercise of the delegation
    1. The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.
    2. The power to adopt delegated acts referred to in Article 14(7) shall be conferred on the Commission for a period of 5 years from 5 February 2025. The Commission shall draw up a report in respect of the delegation of power not later than 9 months before the end of the 5-year period. The delegation of power shall be tacitly extended for periods of an identical duration, unless the European Parliament or the Council opposes such extension not later than 3 months before the end of each period.
    3. The delegation of power referred to in Article 14(7) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following that of the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.
    4. Before adopting a delegated act, the Commission shall consult experts designated by each Member State in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making.
    5. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.
    6. A delegated act adopted pursuant to Article 14(7) shall enter into force only if no objection has been expressed either by the European Parliament or by the Council within a period of 2 months of the notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by 2 months at the initiative of the European Parliament or of the Council.
  • Art. 24 CSol – Committee procedure
    1. The Commission shall be assisted by the Digital Europe Programme Coordination Committee referred to in Article 31(1) of Regulation (EU) 2021/694. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.
    2. Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.
  • Art. 25 CSol – Evaluation and review
    1. By 5 February 2027 and at least every 4 years thereafter, the Commission shall evaluate the functioning of the measures provided for in this Regulation and shall submit a report to the European Parliament and to the Council.
    2. The evaluation referred to in paragraph 1 shall assess, in particular:
      1. the number of National Cyber Hubs and Cross-Border Cyber Hubs established, the extent of information shared, including, if possible, the impact on the work of the CSIRTs network, and the extent to which those have contributed to strengthening common Union detection and situational awareness of cyber threats and incidents and to the development of state-of-the-art technologies; the use of DEP funding for cybersecurity tools, infrastructure, or services jointly procured; and, if the information is available, the level of cooperation between National Cyber Hubs and sectoral and cross-sectoral communities of essential and important entities as referred to in Article 3 of Directive (EU) 2022/2555;
      2. the use and effectiveness of actions under the Cybersecurity Emergency Mechanism supporting preparedness, including training, response to and initial recovery from significant cybersecurity incidents, large-scale cybersecurity incidents and large-scale-equivalent cybersecurity incidents, including the use of DEP funding and the lessons learned and recommendations from the implementation of the Cybersecurity Emergency Mechanism;
      3. the use and effectiveness of the EU Cybersecurity Reserve in relation to types of user, including the use of DEP funding, the uptake of services, including their type, the average time for responding to the requests and for the EU Cybersecurity Reserve to be deployed, the percentage of services converted into preparedness services related to incident prevention and response and the lessons learned and recommendations from the implementation of the EU Cybersecurity Reserve;
      4. the contribution of this Regulation to strengthening the competitive position of the industry and services in the Union across the digital economy, including microenterprises and small and medium-sized enterprises as well as start-ups, and the contribution to the overall objective of reinforcing the cybersecurity skills and capacities of the workforce.
    3. On the basis of the reports referred to in paragraph 1, the Commission shall, where appropriate, submit a legislative proposal to the European Parliament and to the Council to amend this Regulation.
  • Art. 26 CSol – Entry into force

    This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

Previous article

Chapter IV – European Cybersecurity Incident Review Mechanism (Art. 21)

Next article

Annexes

Read More About AI
AI News
Read More About Consumer & E-commerce
Consumer & E-commerce News
Read More About Cybersecurity
Cybersecurity News
Read More About Data
Data News
Read More About Digital Privacy
Digital Privacy News
Read More About Digital Services
Digital Services News