The European Union (EU) has issued updated recommendations for its blueprint on cyber security crisis management and incident response, reflecting an increasingly charged security environment and growing potential threats to the 27-state bloc, candidate countries and non-member neighbours such as the UK.
The Cyber Blueprint is a non-binding instrument that does not supersede national cyber security policies in Europe, but is rather designed to enable so-called Union actors – meaning EU-level individual entities and networks – to understand how best to interact and make the best use of available mechanisms in the event of a major cyber incident affecting individual EU member states, or the EU as a whole.
Depending on its cause and impact, such an incident could escalate into a full-blown crisis affecting the workings of the EU internal market, and posing serious public security and safety risks for millions. “In an increasingly interdependent Union economy, disruptions from cyber security incidents can have far-reaching impacts across various sectors,” said executive vice-president for tech sovereignty, security and democracy Hanna Virkkunen.
“The proposed cyber security blueprint reflects our commitment to ensuring a coordinated approach, leveraging existing structures to protect the internal market and uphold vital societal functions,” she said. “This recommendation is a crucial step forward in reinforcing our collective cyber resilience.”
Among other things, the blueprint sets out what a cyber crisis is and what would trigger cyber crisis mechanisms at Union level. It also explains the various available mechanisms, such as the Cybersecurity Emergency Mechanism, that will help prepare incident response, management and recovery operations.
Brussels is increasingly concerned that such an incident would form part of a wider geopolitical crisis – very likely involving Russia and the US, with potential flashpoints around Ukraine, Moldova or the Baltics – that would activate a Nato military response. As such, the revisions additionally aim to promote more structured cooperation between civilian and military organisations.
In this regard, it calls for the European cyber crisis liaison organisation network (EU-CyCLONe), as well as the EU Cyber Commanders Conference, the EU network of Military Computer Emergency Response Teams Operational Network (MICNET), and the Computer Security Incident Response Teams (CSIRTs) Network, as well as a future EU Cyber Defence Coordination Centre, to cooperate to “develop common situational awareness” between the civilian and military cyber spheres.
Such cooperation would take into account pre-existing arrangements, such as the CERT-EU/Nato technical agreement, which dates back nine years, and should endeavour to establish appropriate contact points into Nato in the event of a major cyber crisis, in order to share data and coordinate crisis response mechanisms.
“To this end,” the blueprint reads, “the Union should explore ways to improve information sharing capabilities with Nato, including through possible interconnections between their respective communication and information systems.”
Brussels also wants European Commission services and the European External Action Service (EEAS) to consider organising a joint staff exercise to test collaboration in the event of a large-scale cyber incident affecting Nato states in Europe, including ones in which Articles 4 and 5 of the Nato Treaty are triggered.
Article 5, the cornerstone clause of the Nato Treaty, establishes that a military attack on one member is a military attack on all. It has been invoked once, in the wake of the 9/11 terrorist attacks in the US.
Article 4, which is lesser known, establishes principles for multilateral consultation when a member considers its territorial integrity, political independence and security threatened. It has been invoked seven times in the alliance’s history, and never prior to the year 2000, five times relating to incidents arising from the 2003 invasion of Iraq and the Syrian civil war, and twice in relation to Russia’s continued aggression against Ukraine.
“Given the exposure of candidate countries and the potential of cyber incidents taking place in the Union’s neighbourhood, joint exercises involving candidate countries should be considered,” said the EU.
The EU’s full recommendations can be downloaded here.
