Regulation (EU) 2025/38 of the European Parliament and of the Council of 19 December 2024 laying down measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cyber threats and incidents and amending Regulation (EU) 2021/694 (Cyber Solidarity Act)

Type Regulation
Publication 2024-12-19
State In force
Department Council of the European Union, European Parliament
Source EUR-Lex

CHAPTER I

GENERAL PROVISIONS

Article 1

Subject-matter and objectives

This Regulation lays down measures to strengthen capacities in the Union to detect, prepare for and respond to cyber threats and incidents, in particular by establishing:

(a) a pan-European network of cyber hubs (European Cybersecurity Alert System) to build and enhance coordinated detection and common situational awareness capabilities;

(b) a Cybersecurity Emergency Mechanism to support Member States in preparing for, responding to, mitigating the impact of and initiating recovery from significant cybersecurity incidents and large-scale cybersecurity incidents and to support other users in responding to significant cybersecurity incidents and large-scale-equivalent cybersecurity incidents;

(c) a European Cybersecurity Incident Review Mechanism to review and assess significant cybersecurity incidents or large-scale cybersecurity incidents.

The achievement of the general objectives referred to in paragraph 2 shall be pursued through the following specific objectives:

(a) to strengthen common coordinated Union detection capacities and common situational awareness of cyber threats and incidents;

(b) to reinforce preparedness of entities operating in sectors of high criticality or entities operating in other critical sectors across the Union and strengthen solidarity by developing coordinated preparedness testing and enhanced response and recovery capacities to handle significant cybersecurity incidents, large-scale cybersecurity incidents or large-scale-equivalent cybersecurity incidents, including the possibility of making Union cybersecurity incident response support available for DEP-associated third countries;

(c) to enhance the Union’s resilience and contribute to effective incident response by reviewing and assessing significant cybersecurity incidents or large-scale cybersecurity incidents, including drawing lessons learned and, where appropriate, recommendations.

Article 2

Definitions

For the purposes of this Regulation, the following definitions apply:

(1) ‘Cross-Border Cyber Hub’ means a multi-country platform, established by a written consortium agreement that brings together in a coordinated network structure National Cyber Hubs from at least three Member States, and that is designed to enhance the monitoring, detection and analysis of cyber threats to prevent incidents and to support the production of cyber threat intelligence, in particular through the exchange of relevant data and information, anonymised where appropriate, as well as through the sharing of state-of-the-art tools and the joint development of cyber detection, analysis, and prevention and protection capabilities in a trusted environment;

(2) ‘Hosting Consortium’ means a consortium composed of participating Member States, that have agreed to establish and to contribute to the acquisition of tools, infrastructure or services for, and the operation of, a Cross-Border Cyber Hub;

(3) ‘CSIRT’ means a CSIRT designated or established pursuant to Article 10 of Directive (EU) 2022/2555;

(4) ‘entity’ means an entity as defined in Article 6, point (38), of Directive (EU) 2022/2555;

(5) ‘entities operating in sectors of high criticality’ means the types of entity listed in Annex I to Directive (EU) 2022/2555;

(6) ‘entities operating in other critical sectors’ means the types of entity listed in Annex II to Directive (EU) 2022/2555;

(7) ‘risk’ means risk as defined in Article 6, point (9), of Directive (EU) 2022/2555;

(8) ‘cyber threat’ means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881;

(9) ‘incident’ means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;

(10) ‘significant cybersecurity incident’ means an incident fulfilling the criteria set out in Article 23(3) of Directive (EU) 2022/2555;

(11) ‘major incident’ means a major incident as defined in Article 3, point (8), of Regulation (EU, Euratom) 2023/2841 of the European Parliament and the Council (1);

(12) ‘large-scale cybersecurity incident’ means a large-scale cybersecurity incident as defined in Article 6, point (7), of Directive (EU) 2022/2555;

(13) ‘large-scale-equivalent cybersecurity incident’ means, in the case of Union institutions, bodies, offices and agencies, a major incident and, in the case of DEP-associated third countries, an incident which causes a level of disruption that exceeds the capacity of the DEP-associated third country concerned to respond to it;

(14) ‘DEP-associated third country’ means a third country which is party to an agreement with the Union allowing for its participation in the Digital Europe Programme pursuant to Article 10 of Regulation (EU) 2021/694;

(15) ‘contracting authority’ means the Commission or, to the extent that the operation and administration of the EU Cybersecurity Reserve has been entrusted to ENISA pursuant to Article 14(5), ENISA;

(16) ‘managed security service provider’ means a managed security service provider as defined in Article 6, point (40), of Directive (EU) 2022/2555;

(17) ‘trusted managed security service providers’ means managed security service providers selected to be included in the EU Cybersecurity Reserve in accordance with Article 17.

CHAPTER II

THE EUROPEAN CYBERSECURITY ALERT SYSTEM

Article 3

Establishment of the European Cybersecurity Alert System

The European Cybersecurity Alert System shall:

(a) contribute to better protection from and responses to cyber threats by supporting and cooperating with, and reinforcing the capabilities of, relevant entities, in particular CSIRTs, the CSIRTs network, EU-CyCLONe and competent authorities designated or established pursuant to Article 8(1) of Directive (EU) 2022/2555;

(b) pool relevant data and information on cyber threats and incidents from various sources within the Cross-Border Cyber Hubs and share analysed or aggregated information through Cross-Border Cyber Hubs, where relevant with the CSIRTs network;

(c) collect and support the production of high-quality, actionable information and cyber threat intelligence, through the use of state-of-the art tools and advanced technologies, and share that information and cyber threat intelligence;

(d) contribute to enhancing the coordinated detection of cyber threats and common situational awareness across the Union, and to the issuing of alerts, including, where relevant, by providing concrete recommendations to entities;

(e) provide services and activities for the cybersecurity community in the Union, including contributing to the development of advanced tools and technologies, such as artificial intelligence and data analytics tools.

Article 4

National Cyber Hubs

A National Cyber Hub shall be a single entity acting under the authority of a Member State. It may be a CSIRT or, where applicable, a national cyber crisis management authority or other competent authority designated or established pursuant to Article 8(1) of Directive (EU) 2022/2555, or another entity. The National Cyber Hub shall:

(a) have the capacity to act as a reference point and gateway to other public and private organisations at national level for collecting and analysing information on cyber threats and incidents and to contribute to a Cross-Border Cyber Hub as referred to in Article 5; and

(b) be capable of detecting, aggregating, and analysing data and information relevant to cyber threats and incidents, such as cyber threat intelligence, by using in particular state-of-the-art technologies, with the aim of preventing incidents.

Article 5

Cross-Border Cyber Hubs

Where a Hosting Consortium is selected in accordance with Article 9(3), its members shall conclude a written consortium agreement which:

(a) sets out the internal arrangements for implementing the hosting and usage agreement referred to in Article 9(3);

(b) establishes the Hosting Consortium’s Cross-Border Cyber Hub; and

(c) includes the specific clauses required pursuant to Article 6(1) and (2).

Article 6

Cooperation and information sharing within and between Cross-Border Cyber Hubs

Members of a Hosting Consortium shall ensure that their National Cyber Hubs share, in accordance with the written consortium agreement referred to in Article 5(3), relevant information, anonymised where appropriate, such as information relating to cyber threats, near misses, vulnerabilities, techniques and procedures, indicators of compromise, adversarial tactics, threat-actor-specific information, cybersecurity alerts and recommendations regarding the configuration of cybersecurity tools to detect cyberattacks, among themselves within the Cross-Border Cyber Hub where such information sharing:

(a) fosters and enhances the detection of cyber threats and reinforces the capabilities of the CSIRTs network to prevent and respond to incidents or to mitigate their impact;

(b) enhances the level of cybersecurity, for example through raising awareness in relation to cyber threats, limiting or impeding the ability of such threats to spread, supporting a range of defensive capabilities, vulnerability remediation and disclosure, threat detection, containment and prevention techniques, mitigation strategies, response and recovery stages or promoting collaborative threat research between public and private entities.

The written consortium agreement referred to in Article 5(3) shall establish:

(a) a commitment to share among the members of the Hosting Consortium information as referred to in paragraph 1 and the conditions under which that information is to be shared;

(b) a governance framework clarifying and incentivising the sharing by all participants of relevant information, anonymised where appropriate, as referred to in paragraph 1;

(c) targets for contribution to the development of advanced tools and technologies, such as artificial intelligence and data analytics tools.

The written consortium agreement may specify that the information referred to in paragraph 1 is to be shared in accordance with Union and national law.

Article 7

Cooperation and information sharing with Union-level networks

Article 8

Security

Article 9

Funding of the European Cybersecurity Alert System

CHAPTER III

CYBERSECURITY EMERGENCY MECHANISM

Article 10

Establishment of the Cybersecurity Emergency Mechanism

Article 11

Types of action

The Cybersecurity Emergency Mechanism shall support the following types of action:

(a) preparedness actions, namely: (i) the coordinated preparedness testing of entities operating in sectors of high criticality across the Union as specified in Article 12; (ii) other preparedness actions for entities operating in sectors of high criticality or entities operating in other critical sectors, as specified in Article 13;

(b) actions supporting response to and initiating recovery from significant cybersecurity incidents, large-scale cybersecurity incidents and large-scale-equivalent cybersecurity incidents, to be provided by trusted managed security service providers participating in the EU Cybersecurity Reserve established under Article 14;

(c) actions supporting mutual assistance as referred to in Article 18.

Article 12

Coordinated preparedness testing of entities

Article 13

Other preparedness actions

Article 14

Establishment of the EU Cybersecurity Reserve

The users of the services provided by the EU Cybersecurity Reserve shall consist of the following:

(a) Member States’ cyber crisis management authorities and CSIRTs as referred to, respectively, in Article 9(1) and (2) and Article 10 of Directive (EU) 2022/2555;

(b) CERT-EU in accordance with Article 13 of Regulation (EU, Euratom) 2023/2841;

(c) competent authorities such as computer security incident response teams and cyber crisis management authorities of DEP-associated third countries in accordance with Article 19(8).

Article 15

Requests for support from the EU Cybersecurity Reserve

Requests for support shall be transmitted to the contracting authority as follows:

(a) in the case of the users referred to in Article 14(3), point (a), of this Regulation, via the single point of contact designated or established pursuant to Article 8(3) of Directive (EU) 2022/2555;

(b) in the case of the user referred to in Article 14(3), point (b), by that user;

(c) in the case of the users referred to in Article 14(3), point (c), via the single point of contact referred to in Article 19(9).

Requests for incident response and initial recovery support shall include:

(a) appropriate information regarding the entity affected and the potential impact of the incident on: (i) in the case of users referred to in Article 14(3), point (a), the Member States and users affected, including the risk of spillover to another Member State; (ii) in the case of the user referred to in Article 14(3), point (b), the Union institutions, bodies, offices or agencies affected; (iii) in the case of users referred to in Article 14(3), point (c), the DEP-associated third countries affected;

(b) information regarding the requested service, together with the planned use of the requested support, including an indication of the estimated needs;

(c) appropriate information about measures taken to mitigate the incident for which the support is requested, as referred to in paragraph 2;

(d) where relevant, available information about other forms of support available to the entity affected.

Article 16

Implementation of the support from the EU Cybersecurity Reserve

As regards information shared in the course of requesting and providing the services of the EU Cybersecurity Reserve, all parties involved in the application of this Regulation shall:

(a) limit the use and sharing of that information to what is necessary to discharge their obligations or functions under this Regulation;

(b) use and share any information that is confidential or classified pursuant to Union and national law only in accordance with that law; and

(c) ensure effective, efficient and secure information exchange, where appropriate by using and respecting relevant information-sharing protocols including the traffic light protocol.

In assessing individual requests under Article 16(1) and Article 19(10), the contracting authority or the Commission, as applicable, shall first assess whether the criteria referred to in Article 15(1) and (2) are fulfilled. If that is the case, it shall assess the duration and nature of support that is appropriate, having regard to the objective referred to in Article 1(3), point (b), and the following criteria, where relevant:

(a) the scale and severity of the incident;

(b) the type of entity affected, with higher priority given to incidents affecting essential entities as referred to in Article 3(1) of Directive (EU) 2022/2555;

(c) the potential impact of the incident on the affected Member States, Union institutions, bodies, offices or agencies, or DEP-associated third countries;

(d) the potential cross-border nature of the incident and the risk of spillover to other Member States, Union institutions, bodies, offices or agencies, or DEP-associated third countries;

(e) the measures taken by the user to assist the response and initial recovery efforts, as referred to in Article 15(2).

Users may use the EU Cybersecurity Reserve services provided in response to a request under Article 15(1) only in order to support response to and initiate recovery from significant cybersecurity incidents, large-scale cybersecurity incidents or large-scale-equivalent cybersecurity incidents. They may use those services only in respect of:

(a) entities operating in sectors of high criticality or entities operating in other critical sectors, in the case of users referred to in Article 14(3), point (a), and equivalent entities in the case of users referred to in Article 14(3), point (c); and

(b) Union institutions, bodies, offices and agencies, in the case of the user referred to in Article 14(3), point (b).

Within 2 months of the end of a support, users that have received support shall provide a summary report about the service provided, the results achieved and the lessons learned, to:

(a) the Commission, ENISA, the CSIRTs network and EU-CyCLONe in the case of users referred to in Article 14(3), point (a);

(b) the Commission, ENISA and the IICB in the case of the user referred to in Article 14(3), point (b);

(c) the Commission in the case of users referred to in Article 14(3), point (c).

The Commission shall transmit any summary report received from users referred to in Article 14(3) pursuant to the first subparagraph, point (c), of this paragraph, to the Council and the High Representative.

Article 17

Trusted managed security service providers

In procurement procedures for the purpose of establishing the EU Cybersecurity Reserve, the contracting authority shall act in accordance with the principles laid down in Regulation (EU, Euratom) 2024/2509 and in accordance with the following principles:

(a) ensure that the services included in the EU Cybersecurity Reserve, when taken as a whole, are such that the EU Cybersecurity Reserve includes services that may be deployed in all Member States, taking into account in particular national requirements for the provision of such services, including on languages, certification or accreditation;

(b) ensure the protection of the essential security interests of the Union and its Member States;

(c) ensure that the EU Cybersecurity Reserve brings Union added value, by contributing to the objectives set out in Article 3 of Regulation (EU) 2021/694, including promoting the development of cybersecurity skills in the Union.

When procuring services for the EU Cybersecurity Reserve, the contracting authority shall include in the procurement documents the following criteria and requirements:

(a) the provider shall demonstrate that its personnel has the highest degree of professional integrity, independence, responsibility, and the requisite technical competence to perform the activities in their specific field, and ensures the permanence and continuity of expertise as well as the required technical resources;

(b) the provider, and any relevant subsidiaries and subcontractors, shall comply with applicable rules on the protection of classified information and shall have in place appropriate measures, including, where relevant, agreements between one another, to protect confidential information relating to the service, and in particular evidence, findings and reports;
