
EU Cyber Crisis Proposal

Bola Ogbara

EU proposes a comprehensive blueprint for cybersecurity crisis management to safeguard the Union from large-scale cyber incidents.


On February 24, 2025, the European Union (EU) Commission shared a proposal to bolster its ability to respond to large-scale cyber attacks through an easily accessed “blueprint on cybersecurity crisis management.” The proposal comes a few months after the release of its first-ever report on the State of Cybersecurity in the Union, which was published in December 2024. While the EU may not yet be in a cybersecurity crisis, the report assessed the Union's cyber threat level to be “substantial”, due to the number of denial of service, ransomware, and data attacks that occurred from July 2023 to June 2024. With this context in mind, it seems imperative to build a clear plan that could guide the relevant EU parties in the not-unlikely case of a crisis.

 

The proposal uses the 2022 NIS 2 Directive’s definition of a large-scale cybersecurity incident when describing a cybersecurity crisis: “a large-scale cybersecurity incident is an incident which causes a level of disruption that exceeds a Member State’s capacity to respond to it or has a significant impact on at least two Member States.” A large enough cyber incident could snowball into a crisis, which could damage the EU’s economy and endanger the security of entities and citizens living in the affected nations and, in the worst-case scenario, citizens of the entire Union.

 

The aim, scope, and principles of the EU cyber crisis management framework are outlined in the proposal. The other sections of the plan are: 

 

  • Preparing for a Union level cyber crisis: Situational awareness will be informed by verified, reliable data on cyber incident trends, tactics, and actively exploited vulnerabilities. This awareness should cover all critical sectors and be updated frequently. The European cyber crisis liaison organisation network (EU-CyCLONe) and the Computer Security Incident Response Teams (CSIRTs) Network should work together to support information sharing, situational awareness, and trust between their organizations. EU entities should set up a system to roll out cyber exercises in preparation for a crisis, improve their Domain Name System (DNS) resolution diversification approach, and use the funding set apart for cybersecurity to meet these goals.

 

  • Detecting an incident that could escalate to a cyber crisis: When a cyber incident is discovered, entities will share relevant intelligence with their partners, the CSIRTs Network and EU-CyCLONe. The last two groups should set up a process for fast information sharing and determine the threat level of the incident. If the incident has the potential to be a crisis, the EU will facilitate information sharing to the points of contact in the crisis mechanisms, and relevant Union entities will help EU-CyCLONe understand the implications for the populations and sectors affected.

 

  • Responding to a cyber crisis at Union level: If the incident is determined to be a cyber crisis, there will be close collaboration between the affected groups and several government agencies. The Member States, working with the CSIRTs Network, should limit changes to operations; EU-CyCLONe and the CSIRTs Network should report on the political impact and implications; the Commission will work with the High Representative to push coordination across the Union; the Council should work with EU-CyCLONe to communicate accurate information to the public; and the Commission should work with the High Representative and Member States to use economic tools to respond to malicious cyber events.

 

  • Recovery from a cyber crisis: The recovery stage will require collaboration from the Member States and relevant Union entities and networks as they use lessons from the cyber exercises and incident reports to respond to the crisis.

 

  • Secure communication: By the end of 2026, the Commission, High Representative, EU-CyCLONe, CSIRTs Network and relevant Union entities should set up protected communication channels for a crisis, based on the Matrix protocol for live communication. There should be emergency means of communication in the case that typical telecommunication channels or the internet are affected by the crisis. 

 

  • Coordination of cyber crises with military actors: EU-CyCLONe, the EU Cyber Commanders Conference, the Military Computer Emergency Response Team Operational Network (MICNET), the EU Cyber Defence Coordination Centre (not yet established, but called for in the Cyber Solidarity Act), and civilian Union counterparts will collaborate to build up situational awareness for civilian and military parties. The EU will also set up contacts to work and share information with NATO during a cyber crisis.

 

  • Cooperation with strategic partners: The High Representative will support coordination and information flow. EU Member States, the High Representative, and the Commission will work with strategic partners and international groups to encourage good behavior in cyberspace and set up a network that can respond quickly to a cyber crisis. The EU should think about connecting with NATO and neighboring countries to run joint cyber crisis exercises.

 

In the press release, the Executive Vice-President for Tech Sovereignty, Security and Democracy, Henna Virkkunen, said: "In an increasingly interdependent Union economy, disruptions from cybersecurity incidents can have far-reaching impacts across various sectors. The proposed cybersecurity blueprint reflects our commitment to ensuring a coordinated approach, leveraging existing structures to protect the internal market and uphold vital societal functions. This Recommendation is a crucial step forward in reinforcing our collective cyber resilience." 

 

The proposal shares a lot of similarities with the latest National Cyber Incident Response Plan (NCIRP) from the US Cybersecurity and Infrastructure Security Agency (CISA), which was released for public comment just over a year after the original update was announced. The NCIRP was created with four main principles in mind (unification, shared responsibility, learning from the past, and keeping pace with evolutions in cybersecurity), which are only possible with the same level of collaboration and prompt information sharing that was emphasized in the EU’s cyber crisis proposal. While the NCIRP’s commenting period closed on February 14, the EU’s plan may still inspire more changes, like allying with NATO, in the US’s incident response plan.

 

In any case, developing a strategy for cyber crises before a serious one emerges shows the foresight of both the US and the EU.