Article 14, Implementation of the support from the EU Cybersecurity Reserve
1. Requests for support from the EU Cybersecurity Reserve, shall be assessed by the Commission, with the support of ENISA or as defined in contribution agreements under Article 12(6), and a response shall be transmitted to the users referred to in Article 12(3) without delay.
2. To prioritise requests, in the case of multiple concurrent requests, the following criteria shall be taken into account, where relevant:
(a) the severity of the cybersecurity incident;
(b) the type of entity affected, with higher priority given to incidents affecting essential entities as defined in Article 3(1) of Directive (EU) 2022/2555;
(c) the potential impact on the affected Member State(s) or users;
(d) the potential cross-border nature of the incident and the risk of spill over to other Member States or users;
(e) the measures taken by the user to assist the response, and immediate recovery efforts, as referred in Article 13(2) and Article 13(5), point (b).
3. The EU Cybersecurity Reserve services shall be provided in accordance with specific agreements between the service provider and the user to which the support under the EU Cybersecurity Reserve is provided. Those agreements shall include liability conditions.
4. The agreements referred to in paragraph 3 may be based on templates prepared by ENISA, after consulting Member States.
5. The Commission and ENISA shall bear no contractual liability for damages caused to third parties by the services provided in the framework of the implementation of the EU Cybersecurity Reserve.
6. Within one month from the end of the support action, the users shall provide Commission and ENISA with a summary report about the service provided, results achieved and the lessons learned. When the user is from a third country as set out in Article 17, such report shall be shared with the High Representative.
7. The Commission shall report to the NIS Cooperation Group about the use and the results of the support, on a regular basis.
Note: This is the Proposal for a Regulation of the European Parliament and the Council laying down measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cybersecurity threats and incidents of 18.4.2023 (proposal for the EU Cyber Solidarity Act). This is NOT the final text of the EU Cyber Solidarity Act.