The European Commission unveiled on Monday a proposal aimed at ensuring a robust and efficient response to large-scale cyber incidents, thereby enhancing EU cyber crisis coordination. The updated cybersecurity blueprint refines the comprehensive EU framework for Cybersecurity Crisis Management, detailing the roles of relevant EU actors throughout the entire crisis lifecycle. The draft Council Recommendation on the EU Blueprint for cybersecurity crisis management also seeks to present the EU framework in a clear, straightforward, and accessible manner.
The cybersecurity blueprint is a non-binding instrument that identifies specific actions in a cyber crisis and can enhance the overall effectiveness of the cyber crisis management framework. It covers preparedness and shared situational awareness to anticipate cyber incidents, the detection capabilities needed to identify them, and the response and recovery tools needed to mitigate, deter, and contain cybersecurity incidents.
The proposed plan builds on the existing frameworks, such as the Integrated Political Crisis Response and the EU Cyber Diplomacy Toolbox, while aligning with recently adopted initiatives, such as the Critical Infrastructure Blueprint and the network code on cybersecurity for the EU electricity sector. It proposes measures to strengthen collaboration between civilian and military entities, including NATO, while reflecting the objectives of the forthcoming EU preparedness strategy.
Furthermore, the proposal promotes secure communication and strategic efforts to counter disinformation. It complements the Joint Communication of the Commission and the HRVP to strengthen the security and resilience of submarine cables.
“In an increasingly interdependent Union economy, disruptions from cybersecurity incidents can have far-reaching impacts across various sectors,” Henna Virkkunen, executive vice president for tech sovereignty, security, and democracy, said in a media statement. “The proposed cybersecurity blueprint reflects our commitment to ensuring a coordinated approach, leveraging existing structures to protect the internal market and uphold vital societal functions. This Recommendation is a crucial step forward in reinforcing our collective cyber resilience.”
The cybersecurity blueprint should enable relevant Union-level individual entities and networks of entities to understand how to interact and make the best use of available mechanisms across the full crisis management lifecycle. It aims to explain what a cyber crisis is and what triggers a cyber crisis mechanism at the Union level. It explains the use of available mechanisms like the Cybersecurity Emergency Mechanism, including the EU Cybersecurity Reserve, in preparing how to manage, respond to, and recover from a crisis arising from a large-scale cybersecurity incident.
It also aims to foster more structured cooperation between civilian and military actors, including cooperation with the North Atlantic Treaty Organisation (NATO), given that a large-scale cyber incident affecting Union civilian infrastructure on which the military relies may also activate NATO response mechanisms.
The cybersecurity blueprint outlines that when a cybersecurity incident, detected at the technical level by a CSIRT or a cyber hub, results in escalation under the internal procedures of the CSIRTs Network, appropriate information should be shared with EU-CyCLONe according to relevant procedural arrangements. EU-CyCLONe, in turn, should consider whether it represents a potential or ongoing large-scale incident. The determination of whether a cyber crisis exists or ceases to exist as a result of this large-scale incident should be appropriately carried out.
According to the principles of proportionality, subsidiarity, complementarity, and confidentiality of information, Member States and Union entities should deepen their cooperation on cyber crisis management, fostering mutual trust and building on existing networks and mechanisms. While the cybersecurity blueprint does not interfere with how entities define their internal procedures, each entity should clearly define the interfaces used for working with other entities. These interfaces should be jointly agreed upon between the entities concerned and documented.
The European Commission added that the cybersecurity blueprint should be applied in coherence with the critical infrastructure blueprint, in particular in the case of incidents affecting both the physical resilience and the cybersecurity of critical infrastructure. Where there are sector-specific crisis management measures that cover cybersecurity incidents, those measures should be implemented coherently with the recommendation.
Member states and relevant Union entities can establish voluntary collaborative clusters to enhance cooperation and trust in cybersecurity, building on existing information-sharing frameworks. These clusters should focus on common threats while respecting the mandates of involved actors.
Additionally, within twelve months of adopting the cybersecurity blueprint, member states must develop a common taxonomy for cyber crisis management and guidelines for securely handling cybersecurity information. They should also be mindful of the risks of over-classification, promoting the sharing of non-classified information through existing cooperation platforms.
Also, member states and relevant Union entities should establish a continuous cycle of cyber exercises to prepare for crises and improve organizational efficiency. These exercises must be based on scenarios from EU-coordinated risk assessments and should align with existing crisis response mechanisms.
Additionally, smaller exercises can be conducted to test interactions during escalating incidents. Within eighteen months of adopting the cybersecurity blueprint, the Commission services, EEAS, and ENISA are tasked with organizing an exercise to evaluate the blueprint, involving all relevant stakeholders, including the private sector.
Member States, relevant Union entities, and private critical infrastructure operators should improve their Domain Name System (DNS) resolution strategies by incorporating at least one Union-based DNS infrastructure, like DNS4EU, to ensure reliable service during crises. ENISA and EU-CyCLONe are tasked with creating emergency failover guidelines for switching to Union-based DNS in case of service failures.
Additionally, national and cross-border cyber hubs should share threat information to enhance protection against Union-specific threats. To bolster the security of critical Internet infrastructure, Member States should encourage participation in a multistakeholder forum to identify best practices and standards for network security measures.
To tackle the increasing complexity of cyber incidents, both public and private entities should adopt threat-informed detection strategies to identify potential disruptions. They must proactively share information about covert operations with partners before crises escalate. All actors should report potential cyber crises to relevant networks, while the CSIRTs Network and EU-CyCLONe need to establish coordination procedures for large-scale incidents.
Cross-border cyber hubs should contribute information to Union-level mechanisms, and the Commission should facilitate communication among relevant entities to assess the impact of detected incidents.
EU-CyCLONe, the EU Cyber Commanders Conference, MICNET, and the CSIRTs Network should collaborate to enhance situational awareness between civilian and military entities. The Union aims to establish coordination points with NATO for information exchange during cyber crises, improving sharing capabilities through potential system interconnections. Additionally, if a member state employs defense initiatives during a cybersecurity incident, it must inform EU-CyCLONe and the EU Cyber Commanders Conference.
The High Representative, in collaboration with the Commission and relevant Union entities, should facilitate information flow with strategic partners during identified incidents and enhance coordination against malicious cyber activities using the cyber diplomacy toolbox. Member states and Union entities must work with strategic partners to promote responsible behavior in cyberspace and ensure a coordinated response to large-scale cyber incidents.
Additionally, joint exercises should be organized to test cooperation between civilian and military components during significant incidents, including those affecting NATO allies and candidate countries.