
Brussels Puts Ransomware Response on Retainer: Why the EU Cybersecurity Reserve Needs Open Doors

The EU's new Cybersecurity Reserve is a sensible pooling of incident-response capacity — but sovereignty exclusions risk locking out the very firms that respond best to ransomware.

[Infographic: The EU Cybersecurity Reserve at a Glance (People of Internet Research). Coverage: 27 Member States. Primary trigger scenario: ransomware. NIS2 reporting deadlines: 24h early warning / 72h incident notification. In force since February 2025 (Regulation (EU) 2025/38).]


For a decade, every European ransomware crisis has followed the same script. A hospital, port, or municipality wakes up to encrypted servers. Local IT staff, who have never negotiated with a ransomware crew, dial whichever incident-response firm answers first. Hours pass. Sometimes the firm has the right forensic playbook for the specific strain; often it does not. Member States with deeper procurement budgets — Germany, France, the Netherlands — can call in elite responders. Smaller economies improvise.

Regulation (EU) 2025/38, the Cyber Solidarity Act, is Brussels' attempt to end that improvisation. In force since February 2025, the regulation creates the EU Cybersecurity Reserve: a standing pool of pre-vetted private incident-response providers that Member States, EU institutions and certain partner countries can call on when a major cyber incident hits. Through 2025 and into 2026, the European Union Agency for Cybersecurity (ENISA) has been operationalising the Reserve, alongside the European Cybersecurity Alert System — a federation of national and cross-border Security Operations Centres — and a new Cybersecurity Incident Review Mechanism. Ransomware is the explicit primary trigger scenario.

What the Reserve actually changes

The premise is straightforward and overdue. Rather than 27 Member States each running fragmented bilateral retainers with private responders — at wildly different prices and quality bars — the Reserve pools demand at Union level. ENISA pre-qualifies trusted providers, negotiates framework contracts, and dispatches them when an eligible incident is declared. Cost-sharing falls partly on the EU budget, partly on the requesting Member State.

For a healthcare network in Latvia or a water utility in Croatia, the practical effect is enormous. These entities now fall under the NIS2 Directive's expanded scope of "essential" and "important" entities, with a 24-hour early warning and 72-hour incident notification obligation. NIS2 tells them what to report; until now, nothing told them who would actually show up with imaging tools and ransomware-strain expertise. The Reserve closes that gap.

It also addresses a less-discussed pathology: response inequality. Ransomware operators, particularly the Russia-linked Conti, LockBit and BlackCat lineages and their successors, have long understood that softer targets in smaller European economies pay out faster precisely because their response capacity is thinner. A Union-level retainer flattens that asymmetry, which is a defensible use of EU money.

The sovereignty trap

The risk is in the eligibility rules. The Cyber Solidarity Act and its implementing acts include provisions that allow Member States and the Commission to require the use of EU-headquartered providers or providers meeting strict "technological sovereignty" criteria, mirroring debates that played out around the EU Cloud Services Cybersecurity Scheme (EUCS).

Here Brussels should tread carefully. The global ransomware response market is led, by a wide margin, by firms headquartered outside the EU: Mandiant (Google Cloud), CrowdStrike, Microsoft's DART, Palo Alto Networks Unit 42, Secureworks, and Kroll. Their telemetry advantage is not ideological — it is the simple fact that they instrument tens of millions of endpoints worldwide and see ransomware variants the moment they emerge. European specialists like Orange Cyberdefense, Thales, S2 Grupo, NCC Group and WithSecure have genuine excellence in specific niches, but no European firm matches the global incident-response footprint of the American leaders.

A Reserve that prefers EU providers for ideological reasons rather than capability reasons will, in a serious cross-border ransomware event, deliver slower and less informed responses than a hospital director could buy on the open market today. That is not technological sovereignty. That is sovereignty as a self-inflicted wound.

A proportionate path forward

The pro-innovation answer is not to abandon screening — incident responders see everything inside a victim's network and must be trustworthy. It is to screen on the right things:

This is the model the United States runs through CISA's Joint Cyber Defense Collaborative and the United Kingdom runs through NCSC's industry partnerships. Both lean heavily on the private sector — including non-domestic firms — while keeping operational control public. Neither has collapsed into vassalage.

How the pieces fit

The Reserve does not stand alone. It is the operational arm of a layered framework: NIS2 generates the incident notifications; the Cybersecurity Alert System's SOCs provide the early detection; the Cyber Resilience Act pushes secure-by-design obligations upstream onto product manufacturers; and the EU's cyber sanctions regime (Council Decision (CFSP) 2019/797 and follow-on designations) targets the ransomware operators themselves. The Cybersecurity Incident Review Mechanism is meant to close the loop — extracting cross-border lessons from each major event.

Built well, this is a coherent stack: detect, respond, learn, deter. Built defensively, with capability sacrificed to a narrow reading of sovereignty, it becomes another paper architecture that ransomware crews will read and ignore.

Brussels has, for once, recognised that incident response is a continental public good and acted accordingly. The next twelve months — as ENISA publishes Reserve eligibility criteria and the first major call-off contracts go out — will determine whether the EU has built genuine ransomware defence, or merely a more expensive way to keep the best responders out of the room.

Sources & Citations

  1. Cyber Solidarity Act — European Commission overview
  2. ENISA — agency homepage and threat landscape resources
  3. NIS2 Directive (Directive (EU) 2022/2555) on EUR-Lex
  4. EU Council — cyber sanctions framework (Decision (CFSP) 2019/797)
  5. European Commission — Cyber Resilience Act