FantasticSearch

1. A DEP-associated third country may request support from the EU Cybersecurity Reserve where the agreement through which it is associated to the DEP provides for participation in the EU Cybersecurity Reserve. That agreement shall include provisions requiring the DEP-associated third country concerned to comply with the obligations set out in paragraphs 2 and 9 of this Article. For the purposes of the participation of a third country in the EU Cybersecurity Reserve, the partial association of a third country to the DEP may include an association limited to the operational objective referred to in Article 6(1), point (g), of Regulation (EU) 2021/694.

2. Within 3 months of the conclusion of the agreement referred to in paragraph 1 and in any event prior to receiving any support from the EU Cybersecurity Reserve, the DEP-associated third country shall provide to the Commission information about its cyber resilience and risk management capabilities, including at least information on national measures taken to prepare for significant cybersecurity incidents or large-scale-equivalent cybersecurity incidents, as well as information on responsible national entities, including computer security incident response teams or equivalent entities, their capabilities and the resources allocated to them. The DEP-associated third country shall provide updates of that information on a regular basis and at least once a year. The Commission shall provide the High Representative and ENISA with that information for the purposes of facilitating the application of paragraph 11.

3. The Commission shall assess regularly, and at least once a year, the following criteria in respect of each DEP-associated third country referred to in paragraph 1:

(a) whether that country is complying with the terms of the agreement referred to in paragraph 1, insofar as those terms relate to participation in the EU Cybersecurity Reserve;

(b) whether that country has taken adequate steps to prepare for significant cybersecurity incidents or large-scale-equivalent cybersecurity incidents, based on the information referred to in paragraph 2; and (c) whether the provision of support is consistent with the Union’s policy towards and overall relations with that country and whether it is consistent with other Union policies in the field of security. The Commission shall consult the High Representative when conducting the assessment referred to in the first subparagraph, with regard to the criterion referred to in point (c) of that subparagraph.

Where the Commission concludes that a DEP-associated third country meets all of the conditions referred to in the first subparagraph, the Commission shall submit a proposal to the Council to adopt an implementing act in accordance with paragraph 4 authorising the provision of support from the EU Cybersecurity Reserve to that country.

4. The Council may adopt the implementing acts referred to in paragraph 3. Those implementing acts shall apply for a maximum of one year. They may be renewed. They may include a limit of no less than 75 days on the number of days for which support can be provided in response to a single request. For the purposes of this Article, the Council shall act expeditiously and shall, as a rule, adopt the implementing acts referred to in this paragraph within eight weeks of the adoption of the relevant Commission proposal pursuant to paragraph 3, third subparagraph.

5. The Council may amend or repeal an implementing act adopted pursuant to paragraph 4 at any time, acting on a proposal of the Commission.

Where the Council considers there to have been a significant change concerning the criterion referred to in paragraph 3, first subparagraph, point (c), the Council may amend or repeal an implementing act adopted pursuant to paragraph 4 acting on the duly reasoned initiative of one or more Member States.

6. In the exercise of its implementing powers under this Article, the Council shall apply the criteria referred to in paragraph 3, first subparagraph, and shall explain its assessment of those criteria. In particular, where it acts on its own initiative pursuant to paragraph 5, second subparagraph, the Council shall explain the significant change referred to in that subparagraph.

7. Support from the EU Cybersecurity Reserve to a DEP-associated third country shall comply with any specific conditions laid down in the agreement referred to in paragraph 1.

8. Users from DEP-associated third countries eligible to receive services from the EU Cybersecurity Reserve shall include competent authorities such as computer security incident and response teams or equivalent entities and cyber crisis management authorities.

9. Each DEP-associated third country eligible for support from the EU Cybersecurity Reserve shall designate an authority to act as a single point of contact for the purposes of this Regulation.

10. Requests for support from the EU Cybersecurity Reserve under this Article shall be assessed by the Commission. The contracting authority may provide support to a third country only where, and for so long as, a Council implementing act authorising such support in respect of that country adopted pursuant to paragraph 4 of this Article is in force. A response shall be transmitted to the users referred to in Article 14(3), point (c), without undue delay.

11. Upon receipt of a request for support under this Article, the Commission shall immediately inform the Council. The Commission shall keep the Council informed of the assessment of the request. The Commission shall also cooperate with the High Representative about the requests received and the implementation of the support granted to DEP-associated third countries from the EU Cybersecurity Reserve. Additionally, the Commission shall also take into account any views provided by ENISA in respect of those requests.