ENISA, the European Union Agency for Network and Information Security, analysed the EU-level crisis management frameworks in five different sectors to make recommendations on more efficient cyber crisis cooperation and management. The report resulting from this study highlights the lessons that can be learnt from other sectors and that could be applicable in the cyber domain. The study concludes with a series of recommendations regarding EU-level priorities to alter the impact of potential cyber crises. More recently ENISA published a video related to this study that summarises the conclusions based on testimonials from experts in other sectors.
This ENISA study provides an overview of the current state-of-play of EU-level crisis management and offers an analysis, from a cyber crisis perspective, of numerous lessons learnt and challenges from decades of crisis management in the following sectors: aviation, civil protection, border control, counter-terrorism andhealth and disease control. The study takes a step further by providing five key recommendations on how to raise maturity in EU-level cyber crisis management. The study is based on a thorough review of the key legal and policy documents and interviews with key experts of the sectors in scope.
Currently cyber crisis management at an EU-level lacks the proper mechanisms and consistency to support effectively the EU-wide cyber community in the event of a cyber crisis, despite a number of recent initiatives within the NIS community.
“The message we try to pass with this study is that the effective mitigation of any type of crisis caused by cyber incidents does not only depend on the mitigation of the impacts of that crisis. It depends also very much on the effective mitigation of the cyber incidents which caused it. Today, EU decision-makers are in the privileged position to take action before such a cyber crisis occurs; this study offers insight into what can be done” said Udo Helmbrecht, Executive Director of ENISA.
The key five recommendations by ENISA regarding priorities to reinforce the EU-level capabilities to manage effectively the next cyber crisis are as follows:
- The European Commission together with the EU Member States should revisit the current EU legislation on cyber crisis management to better reflect the distinction between cause and effect and better leverage on the development of the cyber crisis management field as an essential tool for the mitigation of crises caused by cyber incidents.
- The EU Member States should develop and formally adopt an EU-level crisis management plan, specific to the crises induced by cybersecurity incidents.
- The European Commission and the EU Member States should create an EU-level pool of cyber experts with the primary objective to exchange information and best practices.
- The Member States should develop and formally adopt EU-level cyber standard operating procedures (SOPs).
- The European Commission should fund the design and development an EU-level cyber crisis cooperation platform to offer support to cyber crisis management and cooperation activities between the Member States, in conjunction with the Core Service Platform of the Cyber Security Digital Services Infrastructure (of the Connecting Europe Facility funding program).
- Report on Cyber Crisis Cooperation and Management, Common practices of EU-level crisis management and applicability to cyber crises
- Executive summary