EU Cybersecurity Crisis Management Blueprint

Questions and Answers

Which of the following principles should guide the revised Cybersecurity Blueprint, according to the Council?

• Proportionality, subsidiarity, complementarity, and confidentiality of information (correct)
• Proportionality, subsidiarity, and independence
• Complementarity, transparency, and scalability
• Exclusivity, autonomy, and discretion

What is the primary objective of the draft Council Recommendation on the Union Blueprint for cybersecurity crisis management?

• To present, in a clear manner, the EU framework for cyber crisis management. (correct)
• To allocate additional funding for cybersecurity initiatives in Member States
• To establish a new agency responsible for managing cyber crises across the EU
• To create a binding legal framework for EU cybersecurity incident response

According to the document, what constitutes a large-scale cybersecurity incident?

• Any cyberattack targeting EU institutions, regardless of its impact
• A minor data breach affecting a small number of citizens within a single Member State
• An incident causing disruption exceeding a Member State's capacity to respond or significantly impacting at least two Member States (correct)
• An event impacting only one Member State's critical infrastructure

Which article of the Treaty on the Functioning of the European Union (TFEU) serves as the legal basis for the proposal?

Article 292 (B)

What is the role of the Commission, the High Representative, and ENISA in the revised Blueprint?

Their role focuses on supporting horizontal coordination. (C)

Which instrument does the Cyber Blueprint update?

Commission Recommendation (EU) 2017/1584 (A)

What type of instrument is the Cyber Blueprint?

A non-binding instrument which identifies specific actions for relevant actors in a cyber crisis (A)

Which of the following best describes the relationship between the Cyber Blueprint and NATO?

The Cyber Blueprint aims to foster structured cooperation between civilian and military actors, including cooperation with NATO. (C)

According to the document, what can malicious cyber activities be a part of?

Multidimensional hybrid threats or military operations (A)

The proposal complements the whole cybersecurity legislative framework established at Union level, but what does the proposal NOT address?

The management of major incidents affecting Union entities within the meaning of Regulation 2023/2841 (A)

What is the role of coordinated responses at Union level in the event of disruptions of critical infrastructure with cross-border effect?

To support Member States' responses through shared situational awareness, coordinated public communication, and mitigating the consequences of the disruption on the internal market. (B)

To achieve the objectives relating to the proposal, what does the TFEU provide for?

The adoption, by the Council, of Recommendations, notably in its Article 292. (B)

Which of the following is NOT a component of the Union's management of cyber crises, as articulated in the document?

The EU Rapid Alert System for Cybersecurity Incidents (EURASI) (C)

What is the purpose of the EU Joint Cyber Assessment Report (EU-JCAR)?

To provide situational awareness based on an analysis of incidents and cyber threats, strengthening Union preparedness. (D)

Why is close cooperation between public and private entities considered important for safeguarding critical infrastructure against large-scale cyber incidents?

Because private companies own and operate most key critical infrastructure. (C)

What does Directive (EU) 2022/2555 encourage stakeholders to adopt regarding the Domain Name System (DNS)?

A DNS resolution diversification strategy. (B)

To detect malicious activity in increasingly complex global supply chains, what kind of approach is necessary?

A coordinated approach (D)

Which entities play an essential role in detecting incidents, cyber threats and vulnerabilities, supporting technical attributions, and recovering from cyberattacks at the technical level?

CSIRTs, law enforcement authorities, as well as the National and Cross-Border Cyber Hubs (cyber hubs) (D)

What mechanisms can Member States utilize for immediate response, according to the document?

The EU Cybersecurity Reserve, NATO aligned support, and actions supporting mutual assistance. (D)

Why is coordination essential when combating cybercrime?

Deterrence cannot be achieved solely through resilience, but also requires identification, prosecution of and response to offenders, therefore cooperation is essential.. (C)

In the event of a cyber crisis established under the IPCR, what should the affected Member State(s) and the CSIRTs Network do?

Cooperate to rapidly restore compromised systems, ensuring minimal operational disruption. (D)

What is the intended role of the future EU Cyber Defence Coordination Centre?

To develop common situational awareness between civilian and military actors. (C)

In order to strengthen security and availability of critical Internet Infrastructure, especially during crises, what should Member States promote?

Actively promote the participation of all relevant stakeholders in the mandated multistakeholder forum tasked with identifying best available standards and deployment techniques, also engaging and adopting the guidelines themselves. (B)

What is the purpose of implementing threat-informed detection strategies across digital infrastructures?

To identify possible pre-positioning that may that may be leveraged subsequently for disruption purposes. (D)

Flashcards

Cyber Blueprint

The EU framework for cyber crisis management.

Large-scale cybersecurity incident

An incident exceeding a Member State's capacity or significantly impacting at least two Member States, potentially affecting internal market or public safety.

Cyber Blueprint instrument

A non-binding document identifying specific actions for relevant actors in a cyber crisis to enhance the effectiveness of cyber crisis management.

Cyber Crisis

An incident affecting critical infrastructure, internal markets, or posing public safety risks in multiple Member States or the EU as a whole

Communicating during a crisis

Ensure clear and coherent public communication, coordinate strategic communication, and support diplomatic actions to counter disinformation during crisis situations.

Cyber Crisis Task Force

An informal group of Commission services and other EU services for high-level discussions at meetings

Cybersecurity crisis Management

An up-to-date clear, simple operational document to understand the framework for cybercrisis management

CSIRTs Network and EU-CyCLONe

Established procedural arrangements in the case of a potential or ongoing large-scale cybersecurity incident, to ensure technical-operational coordination and timely information.

International Co-operation

Promote good practices and responsible state behaviour in cyberspace and ensure rapid and coordinated reaction in the case of potential or large-scale cyber incidents.

Threat implemented detection strategies

A way to improve detection of possible pre-positioning that may be leveraged subsequently for distruption purposes.

All Hazards- All Threats Risk Assessment

A shared Union situational awareness among Member States and Union entities to enable a coordinated and informed response.

European Cyber Security Alert Mechanism

Enhance the development of ways to enhance detection with the cyber threats.

EU law Enforcement Emergency Response Protocol (LEERP)

Supports the EU law enforcement authorities immediate response to major cross-border cyber attack

Secure Communications

An interoperable set of secure communication solutions that should cover the full range of communications and data needed

EU Critical Communication System (EUCCS)

Works with member states on establishing the european critical communication system

Multi-stakeholder Forum

Identify the best avaialable of standards and deployment techniques amongst the security.

Study Notes

• The document is a proposal for a Council Recommendation regarding an EU Blueprint on cybersecurity crisis management, drafted in Brussels on February 24, 2025.
• The goal is to present the EU framework for managing cybersecurity crises clearly and simply.
• The recommendation aims to enable Union-level actors to understand how to interact and best use available mechanisms throughout a crisis.
• It will explain what constitutes a cyber crisis, what triggers a crisis mechanism at the EU level, and the use of mechanisms like the Cybersecurity Emergency Mechanism and the EU Cybersecurity Reserve.

Policy Context and Consistency

• The revised Blueprint aligns with time-tested cooperation principles, expanding them to the full crisis management lifecycle.
• Ensures compatibility with frameworks like IPCR, EU Cyber Diplomacy Toolbox, and the Law Enforcement Emergency Response Protocol (LERP).
• The Cyber Blueprint is a non-binding instrument identifying specific actions for relevant actors in a cyber crisis.

Large-Scale Cybersecurity Incident Definition

• A large-scale cybersecurity incident is defined as one causing disruption exceeding a Member State's response capacity or significantly impacting at least two Member States, based on Directive (EU) 2022/2555 (NIS 2 Directive).

Legal Basis and Subsidiarity

• The proposal is based on Article 292 TFEU, which governs the adoption of Recommendations.
• The proposal complements the existing cybersecurity legislative framework at the Union level. Coordinated Union-level responses will support Member States' responses through shared awareness, communication, and mitigating consequences.

Proportionality and Instrument Choice

• The proposal conforms to the principle of proportionality under Article 5(4) of the Treaty on the European Union.
• A Council Recommendation is an appropriate instrument, signaling Member State commitment and providing a basis for cooperation.

Stakeholder Consultations

• The Commission consulted Member States, relevant Union entities, and the private sector.

Key Considerations and Background

• Digital technology and global connectivity are essential to the Union's economy and critical infrastructure but increase cyber risks.
• Rising geopolitical tensions and conflicts contribute to the surge in the impact, volume, and sophistication of malicious cyber activities.
• Effective crisis management is crucial for economic stability, protecting governments, critical infrastructure, citizens, and businesses, as well as contributing to international security in cyberspace.
• IPCR (Integrated Political Crisis Response) activation involves consulting affected Member States, the Commission, and the High Representative (HR).

Union Cybersecurity Framework Development

• Since 2017, the Union has developed its cybersecurity framework through instruments, including Regulations (EU) 2019/881, (EU) 2024/2847, Directive (EU) 2022/2555 et al.
• Specific cybersecurity crisis measures include Commission Delegated Regulation (EU) 2024/1366.
• Directive 2013/40 provides a reference for the definition of criminal cyber activities and EU rules on cross-border access to electronic evidence.

Roles and Responsibilities

• Relevant Union actors with cyber crisis management roles include the Commission, EEAS (including SIAC), ENISA, CERT-EU, Europol (via EC3), EU-CyCLONe, the CSIRTs Network, SATCEN, the Galileo Security Monitoring Centre, and Union delegations.
• Actors work together within applicable laws to determine cooperation for implementing the EU cyber crisis management framework.

Cyber Blueprint Objectives

• An updated Cyber Blueprint aims to provide clear guidance on what constitutes a Union-level cyber crisis.
• It clarifies how the crisis management framework is triggered, the roles of actors and mechanisms involved, and the interaction between them.
• The Blueprint exists within the broader context of civilian-military and EU-NATO relations.

Crisis Response and Coordination

• This Recommendation complements other instruments such as the Integrated Political Crisis Response (IPCR), Commission’s ARGUS and CRM
• A Blueprint exists to coordinate Union level response to critical infrastructure disruptions, covering non-cyber physical resilience as well

Comprehensive Crisis Management

• Cross-sectoral crisis management should be reinforced for integrated responses, especially when cyber incidents cause real-life consequences.
• The Cybersecurity Directive (EU) 2022/2555, includes the security of critical digital infrastructure, including undersea communications cables.

Preparedness and Information Sharing

• Crisis preparedness require comprehensive all-hazards risk assessment, plus a common EU situational awareness
• Preparedness is defined as Union-level cyber exercises for testing procedures and cooperation mechanisms

Technical Aspects and Infrastructure

• European digital infrastructures have many technical dependencies.
• Implementation of the EU's 2024/2690 regulation to identify standards and deployment techniques in a timely fashion.
• Coordinated approaches are needed to detect supply chain malicious activity.
• EU relies on tech from high-risk suppliers requiring vulnerability reporting.

Union Framework and Cooperation

• CSIRTs, law enforcement, and the cyber hubs play a role for detecting incidents/threats/vulnerabilities, plus recovering from attacks
• Mutual Assistance actions supporting such established under Regulation (EU) 2025/38 Cybercrime deterrence requires cooperation to identify and prosecute offenders for a comprehensive understanding.

Crisis Communication and Military Synergies

• Clear public communication combats disinformation during crises.
• Secure internal channels required, including for classified levels.
• EU will establish more robust, whole-of-government civilian and military security, as per EU Policy on Cyber Defense.

International Cooperation

• Cooperation with international strategic partner countries and groups bolsters the Union's cyber capabilities.
• Must ensure situational awareness, coherence, and robust cooperation contributing to a global, open, sable, secure and resilient cyberspace.

Cyber Crisis Management Framework: Aims and Principles

• The document will establish a cyber crisis management framework across members, and EU level actors
• Member states will follow the cyber blueprint in line with Directive (EU) 2022/2555
• Proportionality, subsidiarity, cooperation and existing mechanisms are to be used. All shared procedures need to be agreed and documented.

Union-Level Cyber Crisis, Situational Awareness

• Verified intel and data from trend incidents is to become a common data awareness between parties
• Key sectors are Communications, energy, transport, finance, space and health
• Cooperation between the EU-Cyclne and the CSIRT networks is required. As is private sector information sharing and analysis

Harmonization of Response and Preparation

• EU is aiming to advance the cybersecurity arrangements of Directive (EU) 2022/2555 and EU cyber hubs to encourage collaboration
• EU members need to develop a common taxonomy on managing cybercrises, handling exchanges of information and security
• Exercises should be run based on scenarios concerning multi-sectoral crisis. These should account for EU level response mechanisms

DNS and Cyber Capacity

• Members must enhance Domain Name System (DNS) , ensure reliable DNS resolution during major crisis involving Union based DNS infrastructure (DNS4EU)
• National cyber hubs and cross-border cyber hubs are to share treat information

Addressing and Detecting Cyber Crises

• EU must implement cyber-threat detection strategies across digital infrastructures
• All actors, in accordance with their mandates, must contribute information on cyber risk
• The CSIRTs Network and EU-CyCLONe should establish procedural information, and ensure technical coordination

Responding To A Cyber Crisis

• Actors responding in close coordination with entities responding to hybrid threats
• Members and CSIRTs Network to reduce the compromise, restore systems and minimal disruption
• Council will then coordinate communications to prevent disinformation while in cooperation of EU-CyCLONe
• Economic levels like trade bans will need to be leveraged

Communications and Space Systems

• EU will ensure cordination with the Hybrid Toolbox
• Regarding the case of military dimension cyber activity, the corresponding state should inform the Union Cyber Commanders Conference for help
• Communications channels should all be secured, specifically concerning space systems.
• EU will establish methods for high level communication

Secure Information and Tools

• In order to prevent hybrid campaigns EU is establishing frameworks for response and communication to mitigate incidents
• Mechanisms in the Cyber Toolbox should be established for effective crises response.
• The High Representative and Commission the flow of information with EU and other relevant EU partners

Military and Cyber Crises

• In order to mitigate military and cyber crises
• EU-CyCLONe and EU Cyber Commanders Conference (plus CSIRTS Network) should cooperate, in order to encourage more aware civilian and military actors
• Union and NATO agreed to establish response and agreements