Key data
| Regulation | Council Implementing Decision (EU) 2026/1725, of 10 July 2026 |
|---|---|
| Publication | 13 July 2026 |
| Entry into force | 10 July 2026 |
| Affected parties | European and Spanish cybersecurity and ICT companies, national authorities and Moldova |
| Category | European Regulation |
| Legal framework | EU Cyber Solidarity Regulation |
| Beneficiary country | Republic of Moldova (EU accession candidate country) |
European cybersecurity companies that are part of the EU Cybersecurity Reserve have had a new market of operation since 10 July 2026: Moldova. The Council Implementing Decision (EU) 2026/1725 formally authorizes the provision of support from this reserve to the accession candidate country, which in practice means that accredited providers can be mobilized to respond to significant cybersecurity incidents in Moldovan territory, with European financing.
For the Spanish ICT sector business fabric, this decision is not a change in obligations: it is a concrete business opportunity within the framework of the EU Cyber Solidarity Regulation, the instrument that created and regulates this reserve.
What does this regulation establish?
Implementing Decision 2026/1725 has a very specific purpose: to authorize the EU Cybersecurity Reserve to be activated to provide support to the Republic of Moldova.
To understand the scope, it is useful to know what this reserve is:
- It was created within the framework of the EU Cyber Solidarity Regulation, the European instrument designed to strengthen the collective response to serious cyber incidents.
- It consists of a set of technical capabilities and experts provided by accredited private providers (companies in the sector), which can be mobilized quickly in the event of significant incidents.
- Until now, its scope of application focused on Member States. This decision extends geographically that coverage to Moldova as a third associated country.
- Moldova is an EU accession candidate country, which justifies its inclusion in the European digital cooperation framework.
The decision does not create new obligations for companies, but it does expand the operational perimeter of providers already integrated into the reserve and strengthens the EU-Moldova cooperation framework in digital matters, which is particularly relevant in the current geopolitical context.
Economic and operational impact
The impact of this decision is not regulatory compliance, but rather a business opportunity for a specific segment of the Spanish private sector:
- New contracts and missions: Cybersecurity and ICT companies that participate as providers in the EU Cybersecurity Reserve can be activated for missions in Moldova, with corresponding remuneration financed by the EU.
- Geographic market expansion: The extension of the reserve to a third candidate country sets a precedent that could be replicated with other countries in the European environment, increasing the potential volume of activations.
- Strengthening the EU-Moldova digital cooperation framework: This decision is part of a broader trend of digital integration of candidate countries, which can generate a continuous flow of projects and European financing in the sector.
- Favorable geopolitical context: The strategic relevance of Moldova in the current geopolitical environment means that European investment in cybersecurity in that country is a priority, which can translate into frequent activations and larger-scale projects.
For companies that do not yet participate in the reserve, this decision is a clear signal that the EU-financed cybersecurity market is expanding and that becoming an accredited provider has increasing potential returns.
Who does it affect?
- European and Spanish cybersecurity companies already integrated as providers in the EU Cybersecurity Reserve: these are the ones that can be directly mobilized for missions in Moldova.
- Spanish ICT companies that provide incident response services, digital forensic analysis, vulnerability management or security consulting: can apply to become providers of the reserve.
- National cybersecurity authorities (in Spain, INCIBE and CCN-CERT): act as interlocutors within the cooperation framework and can coordinate the participation of national entities.
- Republic of Moldova: as the direct beneficiary of the technical support that the reserve can mobilize in the event of significant incidents in its territory.
- Consultancies and law firms specialized in European public procurement: can advise companies interested in accessing the accreditation procedures as providers of the reserve.
Practical example
A Spanish cybersecurity company, accredited as a provider of the EU Cybersecurity Reserve, receives an activation notification following a significant incident affecting Moldovan critical infrastructure (for example, the energy system or government communications).
Thanks to Implementing Decision 2026/1725, this activation is now legally possible and is backed by European financing. The company's team can travel or act remotely to support the incident response, within the technical and contractual framework of the reserve, with remuneration guaranteed by the EU.
Without this decision, the same company could not have been mobilized to act in Moldova through this mechanism, even if the incident was of great magnitude. The formal authorization from the Council was the essential prerequisite.
What should companies do now?
- Verify if you are already part of the EU Cybersecurity Reserve: If your company provides cybersecurity services, check if it is accredited as a provider. If not, this decision is a clear signal to start the incorporation process.
- Review the EU Cyber Solidarity Regulation: Consult the technical and contractual requirements to participate as a provider in the reserve. The legal framework is the Cyber Solidarity Regulation.
- Contact INCIBE or CCN-CERT: National cybersecurity authorities are the entry point for Spanish companies that want to participate in European incident response mechanisms.
- Monitor the calls from the EU Agency for Cybersecurity (ENISA): Activations and contracts derived from the reserve are channeled through ENISA. Following its publications is key to not missing opportunities.
- Evaluate geographic expansion as part of your business strategy: If your company already operates in the cybersecurity field, the extension of the reserve to candidate countries like Moldova is a trend that should be incorporated into your business plan for 2026-2027.
Frequently asked questions
What is the EU Cybersecurity Reserve and how does it work?
It is a mechanism created by the EU Cyber Solidarity Regulation that brings together technical capabilities and experts provided by accredited private providers. When a significant cybersecurity incident occurs in an authorized country, the reserve can be activated to mobilize these resources quickly. Until Decision 2026/1725, its scope was mainly intra-community; now it formally extends to Moldova.
How can a Spanish company access contracts from the EU Cybersecurity Reserve?
Companies must become accredited as providers of the reserve following the requirements of the Cyber Solidarity Regulation. The national contact point in Spain is INCIBE and CCN-CERT. The EU Agency for Cybersecurity (ENISA) manages the selection and activation procedures at European level.
When did Implementing Decision 2026/1725 enter into force?
Council Implementing Decision (EU) 2026/1725 entered into force on 10 July 2026, the date of its adoption. It was published in the Official Journal of the EU on 13 July 2026.
Why is support authorized for Moldova and not for other countries?
Moldova is an EU accession candidate country, which gives it special status within the European digital cooperation framework. The current geopolitical context reinforces the strategic priority of supporting this country's cybersecurity. The decision is based on the Cyber Solidarity Regulation, which provides for the possibility of extending the reserve to third associated countries.
Does this regulation create new obligations for Spanish ICT companies?
No. Decision 2026/1725 does not impose obligations on private companies. Its effect is to expand the geographic scope of possible activations of the EU Cybersecurity Reserve, which represents a business opportunity for companies already accredited as providers and an incentive for others to begin the accreditation process.
Official source
Consult the complete regulation in the official source
Disclaimer: This article is for informational purposes only and does not constitute legal advice. For specific decisions, consult a qualified professional. Source: https://eur-lex.europa.eu/./legal-content/AUTO/?uri=OJ:L_202601725