Key data
| Regulation | Council Implementing Decision (EU) 2026/1354 |
|---|---|
| Publication | 16 June 2026 |
| Entry into force | 15 June 2026 |
| Affected parties | Cybersecurity providers certified by the EU, European institutions and Ukraine |
| Category | European Regulation |
| Legal basis | European Cyber Solidarity Regulation |
| Year | 2026 |
Cybersecurity providers certified by the EU face a new reality: their contracts with the Cybersecurity Reserve can now be activated to operate in Ukraine. Council Implementing Decision 2026/1354, published on 16 June 2026 and in force since 15 June, makes operational a mechanism that until now only covered Member States.
This is the first formal deployment of the EU's Cybersecurity Reserve outside Community territory, and sets a direct precedent for how cybersecurity is integrated into European foreign and defense policy.
What does this regulation establish?
Decision 2026/1354 authorizes the provision of support from the EU Cybersecurity Reserve to Ukraine in the face of significant cyberattacks. This mechanism was created by the European Cyber Solidarity Regulation and works as follows:
- The Reserve consists of incident response services contracted with private trusted providers, previously certified by the EU.
- These providers can be mobilized in an agile manner when a significant cyberattack occurs against an authorized beneficiary.
- Until this decision, the mechanism could only be activated in favor of EU Member States. It now extends to Ukraine.
- The measure is part of the EU's continued support for Ukraine and reinforces the strategic role of cybersecurity in European foreign policy.
The precedent is relevant: this decision opens the door for the mechanism to be extended in the future to other allied third countries or those in conflict situations, under express authorization from the Council.
Economic and operational impact
For companies in the cybersecurity sector, this decision has direct and immediate operational consequences:
- Activation of existing contracts: Providers certified as "trusted providers" have contracts in force with the Reserve. This decision may result in the effective activation of those contracts to provide services in Ukraine.
- High operational demand context: Operating within an active conflict implies higher-than-usual requirements for availability, response times and technical capacity.
- Opportunity for strategic positioning: Participating in this type of deployment reinforces the profile of providers as reference actors in critical cybersecurity at the European level.
- Reputational and operational risk: Exposure to high-visibility incidents requires rigorous management of the subcontracting chain, confidentiality and response protocols.
For European institutions and bodies managing the Reserve, the decision implies coordinating deployment with Ukrainian authorities and ensuring traceability of services provided.
Who does it affect?
- Cybersecurity providers certified by the EU as "trusted providers" under the Cyber Solidarity Regulation: these are directly mobilizable.
- Cybersecurity companies seeking to be certified as Reserve providers: this decision raises the strategic value of that certification.
- European institutions responsible for managing and coordinating the Cybersecurity Reserve.
- Ukraine and its critical infrastructure, as direct beneficiary of the activated mechanism.
- CFOs and executives of technology companies with active contracts in the Reserve, who must assess available operational capacity for this type of deployment.
Practical example
A Spanish cybersecurity company certified as a "trusted provider" of the EU Cybersecurity Reserve has a framework contract to provide incident response services. Until 15 June 2026, that contract could only be activated if a Member State suffered a significant cyberattack.
With Decision 2026/1354 in force, the EU can now mobilize that provider to deploy teams and response capabilities in the event of a cyberattack against Ukrainian critical infrastructure. This implies immediately reviewing: the availability of personnel with the necessary clearances, action protocols in conflict environments, and contractual clauses relating to deployments outside EU territory.
What should companies do now?
- Verify your certification status: If your company is certified as a "trusted provider" of the Reserve, review whether your contract includes clauses for deployment outside the EU and under what conditions.
- Assess available operational capacity: Analyze whether you have personnel, tools and protocols prepared to operate in a high-demand environment such as the conflict in Ukraine.
- Review the subcontracting chain: Ensure that your subcontractors meet the confidentiality and security requirements demanded in this type of deployment.
- Explore certification if you don't have it yet: This decision raises the strategic value of being a certified Reserve provider. If your company operates in cybersecurity, analyze the requirements of the Cyber Solidarity Regulation to access this status.
- Monitor future deployments: This is the first precedent for extending the mechanism to third countries. Following regulatory developments allows you to anticipate new opportunities or contractual requirements.
Frequently asked questions
What is the EU Cybersecurity Reserve and how does it work?
It is a mechanism created by the European Cyber Solidarity Regulation that consists of incident response services contracted with private trusted providers, previously certified. When a significant cyberattack occurs against an authorized beneficiary, the EU can mobilize these providers in an agile manner to provide technical assistance.
Why is it a precedent that the Reserve is activated for Ukraine?
Until Decision 2026/1354, the mechanism could only be deployed in favor of EU Member States. This Council decision of 15 June 2026 formally extends coverage to Ukraine. It is the first deployment outside Community territory and opens the door to future extensions to other allied third countries.
What does activation of this mechanism imply for a certified provider?
It means that its contracts with the Reserve can be executed to provide incident response services in Ukraine, in a context of high operational demand. The provider must review its contractual clauses, its capacity to deploy outside the EU and its action protocols in active conflict environments.
When did Decision 2026/1354 enter into force?
Council Implementing Decision (EU) 2026/1354 entered into force on 15 June 2026, one day before its official publication on 16 June 2026.
How can a cybersecurity company become a trusted provider of the Reserve?
It must meet the requirements established in the European Cyber Solidarity Regulation to be certified as a "trusted provider". This decision raises the strategic value of that certification, since certified providers can now be mobilized both within and outside the EU under Council authorization.
Official source
Notice: This article is for informational purposes only and does not constitute legal advice. For specific decisions, consult a qualified professional. Source: https://eur-lex.europa.eu/./legal-content/AUTO/?uri=OJ:L_202601354