Regulation (EU) 2025/38 of the European Parliament and of the Council of 19 December 2024 laying down measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cybersecurity threats and incidents and amending Regulation (EU) 2021/694 (Cyber Solidarity Act)
Cyber Solidarity Act
Regulation of the European Parliament and of the Council published in the Official Journal of the EU on 15.1.2025
Earlier steps
- Status report published by the European Parliament's research service on 27.11.2023
- Preliminary position (negotiating mandate) adopted by the Council on 20.12.2023
- Compromise negotiated by representatives of the European Parliament and the Council on 6.3.2024
- Plenary consideration by the European Parliament on 24.4.2024
- Council consideration on 2.12.2024 (agreement with the European Parliament; final adoption)
Background
(from the Regulation of the European Parliament and of the Council)
(1) The use of and dependence on information and communication technologies have become fundamental aspects in all sectors of economic activity and society in light of the ever increasing interconnectedness and interdependence of Member State public administrations, businesses and citizens across sectors and borders, simultaneously introducing possible vulnerabilities.
(2) The magnitude, frequency and impact of cybersecurity incidents, including supply chain attacks for the purposes of cyberespionage, ransomware or disruption, are increasing at Union and global level. They represent a major threat to the functioning of network and information systems. In view of the fast-evolving threat landscape, the threat of possible large-scale cybersecurity incidents causing significant disruption or damage to critical infrastructure demands a heightened preparedness of the Union’s cybersecurity framework. That threat goes beyond Russia’s war of aggression against Ukraine, and is likely to persist given the multiplicity of actors involved in current geopolitical tensions. Such incidents can impede the provision of public services as cyberattacks are frequently targeted at local, regional or national public services and infrastructure, with local authorities being particularly vulnerable, including due to their limited resources. They can also impede the pursuit of economic activities, including in sectors of high criticality or other critical sectors, generate substantial financial losses, undermine user confidence, cause major damage to the economy and the democratic systems of the Union, and could even have health or life-threatening consequences. Moreover, cybersecurity incidents are unpredictable, as they often emerge and evolve quickly, are not contained within any specific geographical area, and occur simultaneously or spread instantly across many countries. It is important to have close cooperation between the public sector, the private sector, academia, civil society and the media.
(3) It is necessary to strengthen the competitive position of industry and services in the Union across the digital economy and support their digital transformation, by reinforcing the level of cybersecurity in the Digital Single Market as recommended in three different proposals of the Conference on the Future of Europe. It is necessary to increase the resilience of citizens, businesses, including microenterprises, small and medium-sized enterprises and startups, and entities operating critical infrastructure, against increasing cyber threats, which can have a devastating societal and economic impact. Therefore, investment is needed in infrastructure and services and building capabilities to develop cybersecurity skills that will support a faster detection of and a faster response to cyber threats and incidents. In addition, Member States need assistance in better preparing for and responding to, as well as assistance in the initial recovery from, significant cybersecurity incidents and large-scale cybersecurity incidents. Building on the existing structures and in close cooperation with them, the Union should also increase its capacities in those areas, in particular as regards the collection and analysis of data on cyber threats and incidents.
(4) The Union has already taken a number of measures to reduce vulnerabilities and increase the resilience of critical infrastructure and entities against risks, in particular Regulation (EU) 2019/881 of the European Parliament and of the Council (5), Directives 2013/40/EU (6) and (EU) 2022/2555 (7) of the European Parliament and of the Council and Commission Recommendation (EU) 2017/1584 (8). In addition, the Council Recommendation of 8 December 2022 on a Union-wide coordinated approach to strengthen the resilience of critical infrastructure invites Member States to take measures, and to cooperate with each other, the Commission and other relevant public authorities as well as the entities concerned, to enhance the resilience of critical infrastructure used to provide essential services in the internal market.
(5) The growing cybersecurity risks and an overall complex threat landscape, with a clear risk of rapid spillover of incidents from one Member State to others and from a third country to the Union, require the strengthening of solidarity at Union level to better detect, prepare for, respond to, and recover from, cyber threats and incidents, in particular by reinforcing the capabilities of existing structures. Moreover, the Council conclusions of 23 May 2022 on the development of the European Union’s cyber posture invited the Commission to present a proposal on a new Emergency Response Fund for Cybersecurity.
(6) The Joint Communication of the Commission and the High Representative of the Union for Foreign Affairs and Security Policy of 10 November 2022 to the European Parliament and the Council on EU Policy on Cyber Defence announced an EU Cyber Solidarity Initiative with the objectives of strengthening common EU detection, situational awareness and response capabilities by promoting the deployment of an EU infrastructure of Security Operation Centres (SOCs), supporting the gradual building of an EU-level cyber reserve with services from trusted private providers, and testing critical entities for potential vulnerabilities based on EU risk assessments.
(7) It is necessary to strengthen the detection and situational awareness of cyber threats and incidents throughout the Union and to strengthen solidarity by enhancing Member States’ and the Union’s preparedness and capabilities to prevent and respond to significant cybersecurity incidents and large-scale cybersecurity incidents. Therefore a pan-European network of cyberhubs (the ‘European Cybersecurity Alert System’) should be established to build coordinated detection and situational awareness capabilities, reinforcing the Union’s threat detection and information-sharing capabilities; a Cybersecurity Emergency Mechanism should be established to support Member States upon their request in preparing for, responding to, mitigating the impact of and initiating recovery from significant cybersecurity incidents and large-scale cybersecurity incidents and to support other users in responding to significant cybersecurity incidents and large-scale-equivalent cybersecurity incidents; and a European Cybersecurity Incident Review Mechanism should be established to review and assess specific significant cybersecurity incidents or large-scale cybersecurity incidents. The actions taken pursuant to this Regulation should be conducted with due respect for Member States’ competences and should complement and not duplicate the activities conducted by the CSIRTs network, the European cyber crisis liaison organisation network (EU-CyCLONe) or the Cooperation Group (NIS Cooperation Group), all established pursuant to Directive (EU) 2022/2555. Those actions are without prejudice to Articles 107 and 108 of the Treaty on the Functioning of the European Union (TFEU).
(8) To achieve those objectives, it is necessary to amend Regulation (EU) 2021/694 of the European Parliament and of the Council (9) in certain areas. In particular, this Regulation should amend Regulation (EU) 2021/694 as regards the addition of new operational objectives related to the European Cybersecurity Alert System and the Cybersecurity Emergency Mechanism under Specific Objective 3 of the Digital Europe Programme (DEP), which aims to guarantee the resilience, integrity and trustworthiness of the Digital Single Market, at strengthening capacities to monitor cyberattacks and cyber threats and to respond to them, and at reinforcing cross-border cooperation and coordination on cybersecurity. The European Cybersecurity Alert System could play an important role in supporting Member States in anticipating and protecting against cyber threats, and the EU Cybersecurity Reserve could play an important role in supporting Member States, Union institutions, bodies, offices and agencies, and DEP-associated third countries in responding to and mitigating the impact of significant cybersecurity incidents, large-scale cybersecurity incidents and large-scale-equivalent cybersecurity incidents. That impact could include considerable material or non-material damage and serious public security and safety risks. In light of the specific roles that the European Cybersecurity Alert System and the EU Cybersecurity Reserve could play, this Regulation should amend Regulation (EU) 2021/694 as regards the participation of legal entities that are established in the Union but are controlled from third countries, where there is a real risk that the necessary and sufficient tools, infrastructure and services, or technology, expertise and capacity, are not available in the Union and the benefits of including such entities outweigh the security risk. 
The specific conditions under which financial support may be granted for actions implementing the European Cybersecurity Alert System and the EU Cybersecurity Reserve should be established and the governance and coordination mechanisms necessary in order to achieve the intended objectives should be defined. Other amendments to Regulation (EU) 2021/694 should include descriptions of proposed actions under the new operational objectives, as well as measurable indicators to monitor the implementation of those new operational objectives.
(9) To strengthen the Union’s response to cyber threats and incidents, cooperation with international organisations as well as with trusted, like-minded international partners is vital. In that context, trusted, like-minded international partners should be understood to be the countries that share the principles that inspired the Union’s creation, namely democracy, the rule of law, the universality and indivisibility of human rights and fundamental freedoms, respect for human dignity, the principles of equality and solidarity, and respect for the principles of the United Nations Charter and international law, and that do not undermine the essential security interests of the Union or its Member States. Such cooperation could also be beneficial with regard to the actions taken pursuant to this Regulation, in particular the European Cybersecurity Alert System and the EU Cybersecurity Reserve. Regulation (EU) 2021/694 should provide, subject to certain availability and security conditions, for tenders for the European Cybersecurity Alert System and the EU Cybersecurity Reserve to be open to legal entities controlled from third countries, subject to security requirements. When assessing the security risk of opening the procurement in this way, it is important to take into account the principles and values which the Union shares with like-minded international partners, where those principles and values are related to essential security interests of the Union. Additionally, where such security requirements are under consideration under Regulation (EU) 2021/694, several elements could be taken into account, such as an entity’s corporate structure and decision-making process, the security of data and classified or sensitive information and ensuring that the action’s results are not subject to control or restrictions by non-eligible third countries.
(10) The financing of actions under this Regulation should be provided for in Regulation (EU) 2021/694, which should remain the relevant basic act for the actions enshrined within Specific Objective 3 of the DEP. Specific conditions for participation concerning each action are to be provided for in the relevant work programmes, in accordance with Regulation (EU) 2021/694.
(11) Horizontal financial rules adopted by the European Parliament and by the Council on the basis of Article 322 TFEU apply to this Regulation. Those rules are laid down in Regulation (EU, Euratom) 2024/2509 of the European Parliament and of the Council (10) and determine, in particular, the procedure for establishing and implementing the Union budget, and provide for checks on the responsibility of financial actors. Rules adopted on the basis of Article 322 TFEU also include a general regime of conditionality for the protection of the Union budget as established in Regulation (EU, Euratom) 2020/2092 of the European Parliament and of the Council (11).
(12) While prevention and preparedness measures are essential to enhance the resilience of the Union in addressing significant cybersecurity incidents, large-scale cybersecurity incidents and large-scale-equivalent cybersecurity incidents, the occurrence, timing and magnitude of such incidents are, by their nature, unpredictable. The financial resources required to ensure an adequate response can vary significantly from year to year and should be capable of being made available immediately. Reconciling the budgetary principle of predictability with the necessity to react rapidly to new needs therefore requires adaptation of the financial implementation of the work programmes. Consequently, it is appropriate to authorise the carry-over of unused appropriations, but only to the following year and only to the EU Cybersecurity Reserve and the actions supporting mutual assistance, in addition to the carry-over of appropriations authorised pursuant to Article 12(4) of Regulation (EU, Euratom) 2024/2509.
(13) To more effectively prevent, assess, respond to and recover from cyber threats and incidents, it is necessary to develop more comprehensive knowledge about the threats to critical assets and infrastructure on the territory of the Union, including their geographical distribution, interconnection and potential effects in case of cyberattacks affecting that infrastructure. A proactive approach to identifying, mitigating and preventing cyber threats includes an increased capacity of advanced detection capabilities. The European Cybersecurity Alert System should consist of several interoperating Cross-Border Cyber Hubs, each grouping together three or more National Cyber Hubs. That infrastructure should serve national and Union cybersecurity interests and needs, leveraging state-of-the-art technology for advanced collection of relevant data and information, anonymised where appropriate, and analytics tools, enhancing coordinated cyber detection and management capabilities and providing real-time situational awareness. That infrastructure should serve to improve the cyber posture, by increasing detection, aggregation and the analysis of data and information with the aim of preventing cyber threats and incidents and thus complementing and supporting Union entities and networks responsible for cyber crisis management in the Union, in particular EU-CyCLONe.
(14) Participation in the European Cybersecurity Alert System is voluntary for Member States. Each Member State should designate a single entity at national level tasked with coordinating cyber threat detection activities in that Member State. Those National Cyber Hubs should act as a reference point and gateway at national level for participation in the European Cybersecurity Alert System and should ensure that cyber threat information from public and private entities is shared and collected at national level in an effective and streamlined manner. National Cyber Hubs could strengthen the cooperation and information sharing between public and private entities and could also support the exchange of relevant data and information with relevant sectoral and cross-sectoral communities, including relevant industry Information Sharing and Analysis Centers (ISACs). Close and coordinated cooperation between public and private entities is central to strengthening the Union’s cyber resilience. Such cooperation is particularly valuable in the context of sharing cyber threat intelligence to improve active cyber protection. As part of such cooperation and information sharing, National Cyber Hubs could request and receive specific information. Those National Cyber Hubs are neither obliged nor empowered by this Regulation to enforce such requests. Where appropriate and in accordance with Union and national law, the information requested or received could include telemetry, sensor and logging data from entities, such as managed security service providers, that operate in sectors of high criticality or other critical sectors within that Member State, in order to enhance rapid detection of potential cyber threats and incidents at an earlier stage, thereby improving situational awareness. If the National Cyber Hub is not the competent authority designated or established by the relevant Member State pursuant to Article 8(1) of Directive (EU) 2022/2555, it is crucial that it coordinates with that competent authority in respect of requests for and receipt of such data.
(15) As part of the European Cybersecurity Alert System, a number of Cross-Border Cyber Hubs should be established. Those Cross-Border Cyber Hubs should bring together National Cyber Hubs from at least three Member States to ensure that the benefits of cross-border threat detection and information sharing and management can be fully achieved. The general objective of Cross-Border Cyber Hubs should be to strengthen capacities to analyse, prevent and detect cyber threats and to support the production of high-quality cyber threat intelligence, in particular through the sharing of relevant information, anonymised where appropriate, in a trusted and secure environment, from various sources, public or private, as well as through the sharing and joint use of state-of-the-art tools, and the joint development of detection, analysis and prevention capabilities in a trusted and secure environment. Cross-Border Cyber Hubs should provide new additional capacity, building upon and complementing existing SOCs, CSIRTs and other relevant actors, including the CSIRTs network.
(16) A Member State selected by the European Cybersecurity Industrial, Technology and Research Competence Centre (ECCC) established by Regulation (EU) 2021/887 of the European Parliament and of the Council (12) following a call for expressions of interest to set up, or enhance the capabilities of, a National Cyber Hub, should, jointly with the ECCC, purchase relevant tools, infrastructure or services. Such a Member State should be eligible to receive a grant to operate the tools, infrastructure or services. A Hosting Consortium, consisting of at least three Member States, which has been selected by the ECCC following a call for expressions of interest to set up or enhance the capabilities of a Cross-Border Cyber Hub should purchase relevant tools, infrastructure or services jointly with the ECCC. The Hosting Consortium should be eligible to receive a grant to operate the tools, infrastructure or services. The procurement procedure to purchase the relevant tools, infrastructure or services should be carried out jointly by the ECCC and relevant contracting authorities of the Member States selected, following such calls for expressions of interest. Such procurement should comply with Article 168(2) of Regulation (EU, Euratom) 2024/2509, and the ECCC’s Financial Rules. Private entities should not therefore be eligible to participate in the calls for expressions of interest to purchase tools, infrastructure or services jointly with the ECCC, or to receive grants to operate those tools, infrastructure or services. However, the Member States should be able to involve private entities in the setting up, enhancement and operation of their National Cyber Hubs and Cross-Border Cyber Hubs in other ways which they deem appropriate, in accordance with Union and national law. Private entities could also be eligible to receive Union funding pursuant to Regulation (EU) 2021/887 for the purpose of providing support to National Cyber Hubs.
(17) In order to enhance the detection of cyber threats and situational awareness in the Union, a Member State which, following a call for expressions of interest, is selected to set up, or enhance the capabilities of, a National Cyber Hub should commit to applying to participate in a Cross-Border Cyber Hub. If a Member State is not a participant in a Cross-Border Cyber Hub within two years of the date on which the tools, infrastructure or services are acquired or on which it receives grant funding, whichever occurs sooner, it should not be eligible to participate in further Union support actions within the framework of the European Cybersecurity Alert System to enhance the capabilities of its National Cyber Hub. In such cases, entities from Member States could still participate in calls for proposals on other topics under the DEP or other Union funding programmes, including calls on capacities for cyber detection and information sharing, provided that those entities meet the eligibility criteria established in those programmes.
(18) CSIRTs exchange information within the CSIRTs network in accordance with Directive (EU) 2022/2555. The European Cybersecurity Alert System should constitute a new capability that is complementary to the CSIRTs network by contributing to building a Union situational awareness allowing the reinforcement of the capabilities of the CSIRTs network. Cross-Border Cyber Hubs should coordinate and cooperate closely with the CSIRTs network. They should act by pooling data and sharing relevant information, anonymised where appropriate, on cyber threats from public and private entities, enhancing the value of such data and information through expert analysis and jointly acquired infrastructure and state-of-the-art tools, and contributing to the Union’s technological sovereignty, its open strategic autonomy, competitiveness and resilience and to the development of Union capabilities.
(19) Cross-Border Cyber Hubs should act as central points allowing for a broad pooling of relevant data and cyber threat intelligence, and enable the spreading of threat information among a large and diverse set of stakeholders, such as Computer Emergency Response Teams (CERTs), CSIRTs, ISACs and operators of critical infrastructure. The members of a Hosting Consortium should specify in the consortium agreement the relevant information to be shared among the participants of the Cross-Border Cyber Hub concerned. The information exchanged among participants in a Cross-Border Cyber Hub could include, for instance, data from networks and sensors, threat intelligence feeds, indicators of compromise, and contextualised information about incidents, cyber threats, near misses, vulnerabilities, techniques and procedures, adversarial tactics, threat-actor-specific information, cybersecurity alerts and recommendations regarding the configuration of cybersecurity tools to detect cyberattacks. In addition, Cross-Border Cyber Hubs should also enter into cooperation agreements with each other. Such cooperation agreements should, in particular, specify information-sharing principles and interoperability. Their clauses concerning interoperability, in particular information-sharing formats and protocols, should be guided by and therefore take as their starting point interoperability guidelines issued by the European Union Agency for Cybersecurity established by Regulation (EU) 2019/881 (ENISA). Those guidelines should be issued swiftly to ensure that they can be taken into account by Cross-Border Cyber Hubs at an early stage. They should take into account international standards and best practices, and the functioning of any established Cross-Border Cyber Hubs.
(20) Cross-Border Cyber Hubs and the CSIRTs network should cooperate closely to ensure synergies and complementarity of activities. For that purpose, they should agree on procedural arrangements on cooperation and the sharing of relevant information. This could include the sharing of relevant information on cyber threats and significant cybersecurity incidents and ensuring that experience with state-of-the-art tools, in particular artificial intelligence and data analytics technology, used within the Cross-Border Cyber Hubs, is shared with the CSIRTs network.
(21) Shared situational awareness among relevant authorities is an indispensable prerequisite for Union-wide preparedness and coordination with regards to significant cybersecurity incidents and large-scale cybersecurity incidents. Directive (EU) 2022/2555 established EU-CyCLONe to support the coordinated management of large-scale cybersecurity incidents and crises at operational level and to ensure the regular exchange of relevant information among Member States and Union institutions, bodies, offices and agencies. Directive (EU) 2022/2555 also established the CSIRTs network to promote swift and effective operational cooperation among all Member States. To ensure situational awareness and strengthen solidarity, in situations where Cross-Border Cyber Hubs obtain information related to a potential or ongoing large-scale cybersecurity incident, they should provide relevant information to the CSIRTs network and inform, as an early warning, EU-CyCLONe. In particular, depending on the situation, information to be shared could include technical information, information about the nature and motives of the attacker or potential attacker, and higher-level, non-technical information about a potential or ongoing large-scale cybersecurity incident. In that context, due regard should be paid to the need-to-know principle and to the potentially sensitive nature of the information shared. Directive (EU) 2022/2555 also reiterates the Commission’s responsibilities in the Union Civil Protection Mechanism (UCPM) established by Decision 1313/2013/EU of the European Parliament and of the Council (13), and its responsibility for providing the analytical reports for the EU Integrated Political Crisis Response Arrangements (IPCR Arrangements) pursuant to Council Implementing Decision (EU) 2018/1993 (14). 
Where Cross-Border Cyber Hubs share relevant information and early warnings related to a potential or ongoing large-scale cybersecurity incident with EU-CyCLONe and the CSIRTs network, it is imperative that that information be shared through those networks with Member States’ authorities as well as with the Commission. In that respect, Directive (EU) 2022/2555 provides that EU-CyCLONe’s purpose is to support the coordinated management of large-scale cybersecurity incidents and crises at operational level and to ensure the regular exchange of relevant information among Member States and Union institutions, bodies, offices and agencies. EU-CyCLONe’s tasks include developing a shared situational awareness of such incidents and crises. It is of paramount importance that EU-CyCLONe ensure, in line with that purpose and its tasks, that such information is provided immediately to the relevant Member State representatives and to the Commission. To that end, it is crucial that EU-CyCLONe’s rules of procedure include appropriate provisions.
(22) Entities participating in the European Cybersecurity Alert System should ensure a high level of interoperability among themselves including, as appropriate, as regards data formats, taxonomy, data handling and data analytics tools. They should also ensure secure communications channels, a minimum level of application layer security, a situational awareness dashboard, and indicators. The adoption of a common taxonomy and the development of a template for situational reports to describe the causes of detected cyber threats and risks, should take into account existing work done in the context of the implementation of Directive (EU) 2022/2555.
(23) In order to enable the exchange of relevant data and information on cyber threats from various sources, on a large-scale basis, in a trusted and secure environment, entities participating in the European Cybersecurity Alert System should be equipped with state-of-the-art, highly secure tools, equipment and infrastructure, as well as skilled personnel. This should make it possible to improve collective detection capacities and timely warnings to authorities and relevant entities, in particular by using the latest artificial intelligence and data analytics technologies.
(24) By collecting, analysing, sharing and exchanging relevant data and information, the European Cybersecurity Alert System should enhance the Union’s technological sovereignty and open strategic autonomy in the area of cybersecurity, competitiveness and resilience. The pooling of high-quality, curated data could also contribute to the development of advanced artificial intelligence and data analytics technologies. Human oversight and, to that end, a skilled labour force remains essential for the effective pooling of high-quality data.
(25) While the European Cybersecurity Alert System is a civilian project, the cyber defence community could benefit from stronger civilian detection and situational awareness capabilities developed for the protection of critical infrastructure.
(26) Information sharing among participants of the European Cybersecurity Alert System should comply with existing legal requirements and in particular Union and national data protection law, as well as the Union rules on competition governing the exchange of information. The recipient of the information should implement, insofar as the processing of personal data is necessary, technical and organisational measures that safeguard the rights and freedoms of data subjects, and destroy the data as soon as they are no longer necessary for the stated purpose and inform the entity making the data available that the data have been destroyed.
(27) Preserving confidentiality and information security is of paramount importance for all three pillars of this Regulation, whether for encouraging the sharing or exchange of information in the context of the European Cybersecurity Alert System, preserving the interests of the entities applying for support under the Cybersecurity Emergency Mechanism, or ensuring that reports under the European Cybersecurity Incident Review Mechanism can yield useful lessons learned without having a negative impact on the entities affected by the incidents. The participation of Member States and entities in those mechanisms depends on relationships of trust between their components. Where information is confidential pursuant to Union or national rules, its sharing or exchange under this Regulation should be limited to that which is relevant and proportionate to the purpose of the sharing or exchange. That sharing or exchange should also preserve the confidentiality of that information, including protecting the security and commercial interests of any entities concerned. Information sharing or exchange pursuant to this Regulation could take place using non-disclosure agreements, or guidance on information distribution such as the traffic light protocol (TLP). The TLP is to be understood as a means to provide information about any limitations with regard to the further spreading of information. It is used in almost all CSIRTs and in some ISACs. In addition to those general requirements, when it comes to the European Cybersecurity Alert System, Hosting Consortia agreements should lay down specific rules regarding the conditions for information sharing within the Cross-Border Cyber Hub concerned. Those agreements could, in particular, require that information be shared only in accordance with Union and national law.
(28) In respect of the deployment of the EU Cybersecurity Reserve, specific confidentiality rules are necessary. Support will be requested, assessed and provided in a crisis context and in respect of entities operating in sensitive sectors. For the EU Cybersecurity Reserve to function effectively, it is essential that users and entities are able to share, and provide access, without delay, to all information that is necessary for each entity to play its part in the assessment of requests and the deployment of support. Accordingly, this Regulation should provide that all such information is to be used or shared only where necessary for the operation of the EU Cybersecurity Reserve, and that information that is confidential or classified pursuant to Union and national law is to be used and shared only in accordance with that law. Additionally, users should be able, where appropriate, to use information-sharing protocols such as the TLP to further specify limitations. Whilst users have discretion in this regard, it is important that when applying such limitations, they take into account the possible consequences, in particular with regard to delayed assessment or delivery of the requested services. In order to have an efficient EU Cybersecurity Reserve, it is important that the contracting authority clarify those consequences to the user before it submits a request. Those safeguards are limited to the request and provision of EU Cybersecurity Reserve services and do not affect information exchange in other contexts, such as in the procurement of the EU Cybersecurity Reserve.
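The TLP referred to in recitals (27) and (28) is a labelling convention for onward distribution, not a legal instrument. The following Python is an added illustration, not part of the Regulation or of any CSIRT or ENISA tooling, of how a recipient could check, before forwarding an item, whether its TLP 2.0 label (the FIRST definitions: CLEAR, GREEN, AMBER, AMBER+STRICT, RED) permits the transfer, and how to pick the most restrictive label when several inputs are combined into one report. The `Recipient` record, its `community` field and the `is_client` flag are assumptions made for the example.

```python
"""Onward-distribution check for FIRST TLP 2.0 labels (added illustration).

Hypothetical helper: the Recipient record, its `community` attribute and the
`is_client` flag are assumptions for this example, not anything defined by the
Regulation or by a real CSIRT tool.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable


class TLP(Enum):
    CLEAR = "TLP:CLEAR"                 # no limits on disclosure
    GREEN = "TLP:GREEN"                 # limited to the recipient's community
    AMBER = "TLP:AMBER"                 # recipient's organisation and its clients, need to know
    AMBER_STRICT = "TLP:AMBER+STRICT"   # recipient's organisation only
    RED = "TLP:RED"                     # named recipients only, no further disclosure


# Ordered from least to most restrictive; used when combining labelled inputs.
_STRICTNESS = [TLP.CLEAR, TLP.GREEN, TLP.AMBER, TLP.AMBER_STRICT, TLP.RED]


@dataclass(frozen=True)
class Recipient:
    name: str
    org: str
    community: str  # e.g. a sharing community such as a CSIRT network (assumed field)


def parse_label(text: str) -> TLP:
    """Parse a label as it appears in a message header, case-insensitively."""
    token = text.strip().upper()
    for label in TLP:
        if label.value == token:
            return label
    raise ValueError(f"unknown TLP label: {text!r}")


def most_restrictive(labels: Iterable[TLP]) -> TLP:
    """Label to put on a report that aggregates several labelled inputs."""
    return max(labels, key=_STRICTNESS.index)  # raises ValueError on empty input


def may_forward(label: TLP, holder: Recipient, target: Recipient,
                is_client: bool = False) -> bool:
    """Return True if `holder` may pass an item carrying `label` to `target`.

    `is_client` states that `target` is a client of `holder`'s organisation
    (relevant only for TLP:AMBER); the caller is responsible for asserting it.
    """
    if label is TLP.CLEAR:
        return True
    if label is TLP.GREEN:
        return target.community == holder.community
    if label is TLP.AMBER:
        return target.org == holder.org or is_client
    if label is TLP.AMBER_STRICT:
        return target.org == holder.org
    if label is TLP.RED:
        return False  # recipients may not redistribute TLP:RED at all
    raise ValueError(label)


def demo() -> dict:
    """Constructed sample: one CSIRT analyst deciding whom to forward to."""
    alice = Recipient("alice", "csirt-a", "csirts-network")
    bob = Recipient("bob", "csirt-a", "csirts-network")
    carol = Recipient("carol", "vendor-x", "msp-community")
    label = most_restrictive([parse_label("TLP:GREEN"), parse_label("tlp:amber+strict")])
    return {
        "report_label": label.value,
        "alice->bob": may_forward(label, alice, bob),
        "alice->carol": may_forward(label, alice, carol, is_client=True),
    }


if __name__ == "__main__":
    print(demo())
```

The check models only the label itself; whether the transfer is lawful under Union or national confidentiality rules, as recital (28) requires, is a separate question the caller must answer before forwarding.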
(29) In view of the increasing risks and number of incidents affecting Member States, it is necessary to set up a crisis support instrument, namely the Cybersecurity Emergency Mechanism, to improve the Union’s resilience to significant cybersecurity incidents, large-scale cybersecurity incidents and large-scale-equivalent cybersecurity incidents and complement Member States’ actions through emergency financial support for preparedness, incident response and initial recovery of essential services. As the full recovery from an incident is a comprehensive process of restoring the functioning of the entity affected by the incident to the state from before the incident and could be a long process that entails significant costs, the support from the EU Cybersecurity Reserve should be limited to the initial stage of the recovery process, leading to the restoration of basic functionalities of the systems. The Cybersecurity Emergency Mechanism should enable the rapid and effective deployment of assistance in defined circumstances and under clear conditions and allow for a careful monitoring and evaluation of how resources have been used. Whilst the primary responsibility for preventing, preparing for and responding to incidents and crises lies with the Member States, the Cybersecurity Emergency Mechanism promotes solidarity between Member States in accordance with Article 3(3) of the Treaty on European Union (TEU).
(30) The Cybersecurity Emergency Mechanism should provide support to Member States complementing their own measures and resources, and other existing support options in the case of response to, and initial recovery from, significant cybersecurity incidents and large-scale cybersecurity incidents, such as the services provided by ENISA in accordance with its mandate, the coordinated response and the assistance from the CSIRTs network, the mitigation support from EU-CyCLONe, as well as mutual assistance between Member States including in the context of Article 42(7) TEU and the permanent structured cooperation (PESCO) Cyber Rapid Response Teams established pursuant to Council Decision (CFSP) 2017/2315 (15). It should address the need to ensure that specialised means are available to support preparedness for, response to and recovery from such incidents across the Union and in DEP-associated third countries.
(31) This Regulation is without prejudice to procedures and frameworks to coordinate crisis responses at Union level, in particular Directive (EU) 2022/2555, the Union Civil Protection Mechanism established by Decision No 1313/2013/EU of the European Parliament and of the Council (16), the IPCR Arrangements and Commission Recommendation (EU) 2017/1584 (17). Support provided under the Cybersecurity Emergency Mechanism can complement assistance provided in the context of the common foreign and security policy and the common security and defence policy, including through the Cyber Rapid Response Teams, taking into account the civilian nature of the Cybersecurity Emergency Mechanism. Support provided under the Cybersecurity Emergency Mechanism can complement actions implemented in the context of Article 42(7) TEU, including assistance provided by one Member State to another Member State, or form part of the joint response between the Union and Member States or in situations referred to in Article 222 TFEU. The implementation of this Regulation should also be coordinated with the implementation of measures under the Cyber Diplomacy Toolbox, where appropriate.
(32) Assistance provided under this Regulation should be in support of, and complementary to, the actions taken by Member States at national level. To that end, close cooperation and consultation between the Commission, ENISA, the Member States and, where relevant, the ECCC should be ensured. When requesting support under the Cybersecurity Emergency Mechanism, Member States should provide relevant information justifying the need for support.
(33) Directive (EU) 2022/2555 requires Member States to designate or establish one or more cyber crisis management authorities and ensure that they have adequate resources to carry out their tasks in an effective and efficient manner. It also requires Member States to identify capabilities, assets and procedures that can be deployed in the case of a crisis as well as to adopt a national large-scale cybersecurity incident and crisis response plan where the objectives of and arrangements for the management of large-scale cybersecurity incidents and crises are set out. Member States are also required to establish one or more CSIRTs tasked with incident-handling responsibilities in accordance with a well-defined process and covering at least the sectors, subsectors and types of entity under the scope of that Directive, and to ensure that they have adequate resources to carry out effectively their tasks. This Regulation is without prejudice to the Commission’s role in ensuring the compliance by Member States with the obligations of Directive (EU) 2022/2555. The Cybersecurity Emergency Mechanism should provide assistance for actions aiming to reinforce preparedness as well as incident response actions to mitigate the impact of significant cybersecurity incidents and large-scale cybersecurity incidents, to support initial recovery or to restore the basic functionalities of the services provided by entities operating in sectors of high criticality or entities operating in other critical sectors.
(34) As part of the preparedness actions, to promote a consistent approach and strengthen security across the Union and its internal market, support should be provided for testing and assessing cybersecurity of entities operating in sectors of high criticality identified pursuant to Directive (EU) 2022/2555 in a coordinated manner, including through exercise and training. For that purpose, the Commission, after consulting ENISA, the NIS Cooperation Group and EU-CyCLONe, should regularly identify relevant sectors or subsectors, which should be eligible to receive financial support for coordinated preparedness testing at Union level. The sectors or subsectors should be selected from the sectors of high criticality listed in Annex I to Directive (EU) 2022/2555. The coordinated preparedness testing should be based on common risk scenarios and methodologies. The selection of sectors and development of risk scenarios should take into account relevant Union-wide risk assessments and risk scenarios, including the need to avoid duplication, such as the risk evaluation and risk scenarios called for in the Council conclusions on the development of the European Union’s cyber posture conducted by the Commission, the High Representative of the Union for Foreign Affairs and Security Policy (the ‘High Representative’) and the NIS Cooperation Group, in coordination with relevant civilian and military bodies and agencies and established networks, including EU-CyCLONe, as well as the risk assessment of communications networks and infrastructure requested by the Joint Ministerial Call of Nevers and conducted by the NIS Cooperation Group, with the support of the Commission and ENISA, and in cooperation with the Body of European Regulators for Electronic Communications established by Regulation (EU) 2018/1971 of the European Parliament and of the Council (18), the Union level coordinated security risk assessments of critical supply chains to be conducted pursuant to Article 22 of Directive (EU) 2022/2555 and digital operational resilience testing as provided for in Regulation (EU) 2022/2554 of the European Parliament and of the Council (19). The selection of sectors should also take into account the Council Recommendation on a Union-wide coordinated approach to strengthen the resilience of critical infrastructure.
(35) In addition, the Cybersecurity Emergency Mechanism should provide support for other preparedness actions and support preparedness in other sectors, not covered by the coordinated preparedness testing of entities operating in sectors of high criticality or entities operating in other critical sectors. Those actions could include various types of national preparedness activity.
(36) When Member States receive grants to support preparedness actions, entities in sectors of high criticality can participate in those actions on a voluntary basis. It is good practice that, following such actions, participating entities draw up a remediation plan to implement any resulting recommendations of specific measures, so as to benefit to the fullest extent from the preparedness action. While it is important that Member States request, as part of the actions, that participating entities draw up and implement such remediation plans, Member States are neither obliged nor empowered by this Regulation to enforce such requests. Such requests are without prejudice to requirements for entities and supervisory powers for competent authorities in accordance with Directive (EU) 2022/2555.
(37) The Cybersecurity Emergency Mechanism should also provide support for incident response actions to mitigate the impact of significant cybersecurity incidents, large-scale cybersecurity incidents and large-scale-equivalent cybersecurity incidents, to support initial recovery or restore the functioning of essential services. Where appropriate, it should complement the UCPM to ensure a comprehensive approach to respond to the impact of incidents on citizens.
(38) The Cybersecurity Emergency Mechanism should support technical assistance provided by one Member State to another Member State that is affected by a significant cybersecurity incident or large-scale cybersecurity incident, including by CSIRTs as referred to in Article 11(3), point (f), of Directive (EU) 2022/2555. Member States providing such assistance should be allowed to submit requests to cover costs related to the dispatch of expert teams in the framework of mutual assistance. The eligible costs could include travel, accommodation and daily allowance expenses of cybersecurity experts.
(39) Given the essential role that private undertakings play in the detection of, preparedness for and response to large-scale cybersecurity incidents and large-scale-equivalent cybersecurity incidents, it is important to recognise the value of voluntary pro bono cooperation with such undertakings, whereby they offer services without remuneration in the case of large-scale cybersecurity incidents and crises and large-scale-equivalent cybersecurity incidents and crises. ENISA, in cooperation with EU-CyCLONe, could monitor the evolution of such pro bono initiatives and promote their compliance with the criteria applicable to trusted managed security service providers under this Regulation, including in relation to the trustworthiness of private undertakings, their experience as well as their ability to handle sensitive information in a secure manner.
(40) As part of the Cybersecurity Emergency Mechanism, an EU Cybersecurity Reserve should gradually be set up, consisting of services from trusted managed security service providers to support response and initiate recovery actions in the case of significant cybersecurity incidents, large-scale cybersecurity incidents or large-scale-equivalent cybersecurity incidents affecting Member States, Union institutions, bodies, offices or agencies, or DEP-associated third countries. The EU Cybersecurity Reserve should ensure the availability and readiness of services. It should therefore include services that are committed in advance, including for instance capacities that are on stand-by and deployable at short notice. The services from the EU Cybersecurity Reserve should serve to support national authorities in providing assistance to affected entities operating in sectors of high criticality or to affected entities operating in other critical sectors as a complement to their own actions at national level. The services from the EU Cybersecurity Reserve should also be able to serve to support Union institutions, bodies, offices and agencies, under similar conditions. The EU Cybersecurity Reserve could also contribute to strengthening the competitive position of industry and services in the Union across the digital economy, including microenterprises and small and medium-sized enterprises as well as start-ups, including by providing incentives for investment in research and innovation. It is important to take into account ENISA’s European cybersecurity skills framework when procuring the services for the EU Cybersecurity Reserve. 
When requesting support from the EU Cybersecurity Reserve, users should include in their application appropriate information regarding the affected entity and potential impact, information about the requested service from the EU Cybersecurity Reserve, and the support provided to the affected entity at the national level, which should be taken into account when assessing the request from the applicant. To ensure complementarity with other forms of support available to the affected entity, the request should also include, where available, information on contractual arrangements in place for incident response and initial recovery services, as well as insurance contracts potentially covering such a type of incident.
(41) In order to ensure the effective use of Union funding, pre-committed services under the EU Cybersecurity Reserve should be convertible, in accordance with the relevant contract, into preparedness services related to incident prevention and response in the event that those pre-committed services are not used for incident response during the time for which they are pre-committed. Those services should be complementary to and should not duplicate the preparedness actions to be managed by the ECCC.
(42) Requests for support from the EU Cybersecurity Reserve from Member States’ cyber crisis management authorities and CSIRTs, or CERT-EU on behalf of Union institutions, bodies, offices and agencies, should be assessed by the contracting authority. Where ENISA has been entrusted with the administration and operation of the EU Cybersecurity Reserve, that contracting authority is ENISA. Requests for support from DEP-associated third countries should be assessed by the Commission. To facilitate the submission and assessment of requests for support, ENISA could set up a secure platform.
(43) Where multiple concurrent requests are received, those requests should be prioritised in accordance with criteria laid down in this Regulation. In light of the general objectives of this Regulation, those criteria should include the scale and severity of the incident, the type of entity affected, the potential impact of the incident on the Member States and users affected, the potential cross-border nature of the incident and risk of spillover, and the measures already taken by the user to assist the response and initial recovery. In light of those objectives and given that requests from Member State users are exclusively intended to support, across the Union, entities operating in sectors of high criticality or entities operating in other critical sectors, it is appropriate to give higher priority to requests from Member State users where those criteria lead to two or more requests being assessed as equal. This is without prejudice to any obligations that Member States may have under relevant hosting agreements to take measures to protect and assist Union institutions, bodies, offices and agencies.
(44) The Commission should have overall responsibility for the implementation of the EU Cybersecurity Reserve. Given the extensive experience gained by ENISA with cybersecurity support action, ENISA is the most suitable agency to implement the EU Cybersecurity Reserve. Therefore, the Commission should entrust ENISA, partially or, where the Commission considers it to be appropriate, entirely with the operation and administration of the EU Cybersecurity Reserve. The entrustment should be carried out in accordance with the applicable rules under Regulation (EU, Euratom) 2024/2509 and in particular should be subject to the relevant conditions for signing a contribution agreement being fulfilled. Any aspects of the operation and administration of the EU Cybersecurity Reserve not entrusted to ENISA should be subject to direct management by the Commission, including prior to the signing of the contribution agreement.
(45) Member States should have a key role in the constitution, deployment and post-deployment of the EU Cybersecurity Reserve. As Regulation (EU) 2021/694 is the relevant basic act for actions implementing the EU Cybersecurity Reserve, the actions under the EU Cybersecurity Reserve should be provided for in the work programmes referred to in Article 24 of Regulation (EU) 2021/694. Pursuant to paragraph 6 of that Article, those work programmes are to be adopted by the Commission by means of implementing acts in accordance with the examination procedure. Furthermore, the Commission, in coordination with the NIS Cooperation Group, should determine the priorities and the evolution of the EU Cybersecurity Reserve.
(46) The contracts established within the framework of the EU Cybersecurity Reserve should not affect the business-to-business relationship and existing obligations between the affected entity or users and the service provider.
(47) For the purpose of selecting private service providers to provide services in the context of the EU Cybersecurity Reserve, it is necessary to establish a set of minimum criteria and requirements that should be included in the call for tenders to select those providers, so as to ensure that the needs of Member States’ authorities, entities operating in sectors of high criticality and entities operating in other critical sectors are met. In order to address the specific needs of Member States, when procuring services for the EU Cybersecurity Reserve, the contracting authority should, where appropriate, develop selection criteria and requirements additional to those laid down in this Regulation. It is important to encourage the participation of smaller providers, active at regional and local level.
(48) When selecting providers for inclusion in the EU Cybersecurity Reserve, the contracting authority should aim to ensure that the EU Cybersecurity Reserve, when taken as a whole, contains providers that are able to accommodate users’ language requirements. To that end, the contracting authority should, before preparing tender specifications, inquire whether the potential users of the EU Cybersecurity Reserve have specific language requirements, so that EU Cybersecurity Reserve support services can be provided in a language from among the official languages of the Union institutions or of the Member States, likely to be understood by the user or affected entity. In the case that more than one language is required by a user for the provision of EU Cybersecurity Reserve support services and those services have been procured in those languages for that user, the user should be able to specify, in the request for EU Cybersecurity Reserve support, in which of those languages the services should be provided in relation to the specific incident giving rise to the request.
(49) To support the establishment of the EU Cybersecurity Reserve, it is important that the Commission requests ENISA to prepare a candidate cybersecurity certification scheme for managed security services pursuant to Regulation (EU) 2019/881, in the areas covered by the Cybersecurity Emergency Mechanism.
(50) In order to support the objectives of this Regulation of promoting shared situational awareness, enhancing the Union’s resilience and enabling effective response to significant cybersecurity incidents and large-scale cybersecurity incidents, the Commission or EU-CyCLONe should be able to request ENISA, with the support of the CSIRTs network and with the approval of the Member States concerned, to review and assess cyber threats, known exploitable vulnerabilities and mitigation actions with respect to a specific significant cybersecurity incident or large-scale cybersecurity incident. Following the completion of a review and assessment of an incident, ENISA should prepare an incident review report, in collaboration with the Member State concerned, relevant stakeholders, including representatives from the private sector, the Commission and other relevant Union institutions, bodies, offices and agencies. Building on the collaboration with stakeholders, including from the private sector, the review report on specific incidents should aim to assess the causes, impact and mitigation of an incident, after it has occurred. Particular attention should be paid to the input and lessons shared by the managed security service providers that fulfil the conditions of highest professional integrity, impartiality and requisite technical expertise as required by this Regulation. The report should be delivered to EU-CyCLONe, the CSIRTs network and the Commission and should be used to inform their work as well as that of ENISA. Where the incident relates to a DEP-associated third country, the Commission should also provide the report to the High Representative.
(51) Taking into account the unpredictable nature of cyberattacks and the fact that they are often not contained in a specific geographical area and pose a high risk of spillover, the strengthening of resilience of neighbouring countries and their capacity to respond effectively to significant cybersecurity incidents and large-scale-equivalent cybersecurity incidents contributes to the protection of the Union, and in particular its internal market and industry, as a whole. Such activities could further contribute to the Union’s cyber diplomacy. Therefore, DEP-associated third countries should be able to request support from the EU Cybersecurity Reserve, in all or part of their territories, where this is provided for in the agreement through which the third country is associated to the DEP. The funding for DEP-associated third countries should be supported by the Union in the framework of relevant partnerships and funding instruments for those countries. The support should cover services in the area of response to and initial recovery from significant cybersecurity incidents or large-scale-equivalent cybersecurity incidents.
(52) The conditions set for the EU Cybersecurity Reserve and trusted managed security service providers in this Regulation should apply when providing support to DEP-associated third countries. DEP-associated third countries should be able to request support from the EU Cybersecurity Reserve where the entities targeted and for which they request support from the EU Cybersecurity Reserve are entities operating in sectors of high criticality or entities operating in other critical sectors and where the incidents detected lead to significant operational disruptions or might have spillover effects in the Union. DEP-associated third countries should only be eligible to receive support where the agreement through which they are associated to the DEP specifically provides for such support. In addition, such third countries should remain eligible only so long as three criteria are fulfilled. First, the third country should be complying in full with the relevant terms of that agreement. Second, given the complementary nature of the EU Cybersecurity Reserve, the third country should have taken adequate steps to prepare for significant cybersecurity incidents or large-scale-equivalent cybersecurity incidents. Third, the provision of support from the EU Cybersecurity Reserve should be consistent with the Union’s policy towards and overall relations with that country and with other Union policies in the field of security. In the context of its assessment of the compliance with that third criterion, the Commission should consult the High Representative for the alignment of the granting of such support with the common foreign and security policy.
(53) The provision of support to DEP-associated third countries may affect relations with third countries and the Union’s security policy, including in the context of the common foreign and security policy and the common security and defence policy. Accordingly, it is appropriate for the Council to be granted implementing powers to authorise and specify the period during which such support can be provided. The Council should act on the basis of a Commission proposal, taking due account of the Commission’s assessment of the three criteria. The same should apply to renewals and to proposals to amend or repeal such acts. Where, in exceptional circumstances, the Council considers there to have been a significant change of circumstances in respect of the third criterion, the Council should be able to act on its own initiative to amend or repeal an implementing act, without awaiting a Commission proposal. Such significant changes are likely to require urgent action, to have particularly important implications for relations with third countries, and not to require detailed assessment in advance by the Commission. Moreover, the Commission should cooperate with the High Representative in respect of requests for support from DEP-associated third countries and the implementation of support granted to such third countries. The Commission should also take into account any views provided by ENISA in respect of such requests and support. The Commission should inform the Council about the outcome of the assessment of the requests, including relevant considerations made in that regard, and the services that are deployed.
(54) The Commission communication of 18 April 2023 on the Cyber Skills Academy acknowledged the shortage of skilled professionals. Such skills are needed to pursue the objectives of this Regulation. The Union urgently needs professionals with the skills and competences to prevent, detect and deter cyberattacks and defend the Union, including its most critical infrastructure, against such attacks and ensure its resilience. To that end, it is important to encourage cooperation among stakeholders, including from the private sector, academia and public sector. It is equally important to create synergies, in all territories of the Union, for investment in education and training to promote the creation of safeguards to avoid a brain drain or the widening of the skills gap in some regions more than in others. It is urgent that the cybersecurity skills gap, with a particular focus on reducing the gender gap in the cybersecurity workforce to promote women’s presence and participation in the design of digital governance, be closed.
(55) In order to boost the innovation in the Digital Single Market, strengthening research and innovation in cybersecurity is important, with a view to contributing to increasing the resilience of Member States and the open strategic autonomy of the Union, both of which are objectives of this Regulation. Synergies are essential to strengthen cooperation and coordination among the different stakeholders, including from the private sector, civil society and academia.
(56) This Regulation should take into account the commitment set out in the Joint Declaration of 26 January 2022 of the European Parliament, the Council and the Commission entitled ‘European Declaration on Digital Rights and Principles for the Digital Decade’ to protect the interests of the Union’s democracies, people, businesses and public institutions against cybersecurity risks and cybercrime including data breaches and identity theft or manipulation.
(57) In order to supplement certain non-essential elements of this Regulation, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission to specify the types and number of response services required for the EU Cybersecurity Reserve. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making (20). In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States’ experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts.
(58) In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission to specify further the detailed procedural arrangements for allocating the EU Cybersecurity Reserve support services. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council (21).
(59) Without prejudice to the rules relating to the Union’s annual budget under the Treaties, the Commission should take into account the obligations arising from this Regulation when assessing the budgeting and staffing needs of ENISA.
(60) The Commission should carry out an evaluation of the measures laid down in this Regulation on a regular basis. The first such evaluation should take place in the first 2 years after the date of entry into force of this Regulation and at least every 4 years thereafter, taking into account the timing of the revision of the multiannual financial framework established pursuant to Article 312 TFEU. The Commission should submit a report on progress made to the European Parliament and to the Council. In order to assess the different elements required, including the extent of information shared within the European Cybersecurity Alert System, the Commission should base itself exclusively on information that is readily available or voluntarily provided. Taking into consideration geopolitical developments and in order to ensure continuity and further development of the measures laid down in this Regulation beyond 2027, it is important that the Commission assess the necessity to allocate an appropriate budget in the multiannual financial framework for 2028 to 2034.
(61) Since the objectives of this Regulation, namely to reinforce the competitive position of industry and services in the Union across the digital economy and to contribute to the Union’s technological sovereignty and open strategic autonomy in the area of cybersecurity, cannot be sufficiently achieved by the Member States but can rather, by reason of the scale or effects of the action, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 TEU. In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve those objectives,