Explanatory Memorandum to COM(2025)66 - Proposal for a COUNCIL RECOMMENDATION for an EU Blueprint on cybersecurity crisis management


1. CONTEXT OF THE PROPOSAL

Reasons for and objectives of the proposal

The Council, in its Conclusions on the Future of Cybersecurity of 22 May 2024,

“call[ed] upon the Commission to swiftly evaluate the current cybersecurity Blueprint and, on this basis, propose a revised Cybersecurity Blueprint in the form of a Council recommendation that will address the current challenges and complex cyber threat landscape, strengthen existing networks, enhance cooperation, and break silos between organisations, utilising to this end first and foremost existing structures. Furthermore, the revised Blueprint should rely on time-tested guiding principles of cooperation (proportionality, subsidiarity, complementarity and confidentiality of information) and expand them to the full crisis management lifecycle and should contribute to aligning and enhancing secure communication in the cybersecurity field. The revised Blueprint should ensure its compatibility with existing frameworks such as the IPCR, the EU Cyber Diplomacy Toolbox, the EU Hybrid Toolbox, the Law Enforcement Emergency Response Protocol (LERP), emerging frameworks such as the Critical Infrastructure Blueprint, sectoral procedures, and overall crisis management structures within Union entities, involving also the High Representative and Europol. In this revised Blueprint, the role of the Commission, the High Representative and ENISA, in line with their competences, should focus in particular on supporting horizontal coordination.”

The objective of this draft Council Recommendation on the Union Blueprint for cybersecurity crisis management (Cyber Blueprint) is to present, in a clear, simple and accessible manner, the European Union (EU) framework for cyber crisis management. This should enable relevant Union actors (meaning Union-level individual entities and networks of entities) to understand how to interact and make the best use of available mechanisms across the full crisis management lifecycle. It aims to explain what a cyber crisis is and what triggers a cyber crisis mechanism at Union level. It explains the use of available mechanisms like the Cybersecurity Emergency Mechanism, including the EU Cybersecurity Reserve, in preparing how to manage, respond to and recover from a crisis arising from a large-scale cybersecurity incident. It furthermore aims to foster a more structured cooperation between civilian and military actors, including cooperation with the North Atlantic Treaty Organisation (NATO), given that a large-scale cyber incident affecting Union civilian infrastructure on which the military rely may also activate NATO response mechanisms.

The Cyber Blueprint is a non-binding instrument which identifies specific actions for relevant actors in a cyber crisis and which can enhance the overall effectiveness of the cyber crisis management framework. It updates the blueprint set out in Commission Recommendation (EU) 2017/1584 on coordinated response to large-scale cybersecurity incidents and crises, and it is informed by the outcomes and lessons learned from Union-level exercises since that recommendation was adopted. It is part of wider political priorities in the areas of preparedness and security.

As defined in Directive (EU) 2022/2555 (NIS 2 Directive), a large-scale cybersecurity incident is an incident which causes a level of disruption that exceeds a Member State’s capacity to respond to it or has a significant impact on at least two Member States. Such an incident, depending on its cause and impact, may escalate and turn into a fully-fledged crisis affecting the proper functioning of the internal market or posing serious public security and safety risks for entities or citizens in several Member States or the Union as a whole.

Consistency with existing policy provisions in the policy area

The proposal is consistent with relevant Union instruments in the cybersecurity domain, notably the NIS 2 Directive and Regulation (EU) 2023/2841 laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union. It is also consistent with the framework of the Union Civil Protection Mechanism (UCPM), established by Decision No 1313/2013/EU of the European Parliament and of the Council, the Implementing Decision (EU) 2018/1993 on the EU Integrated Political Crisis Response (IPCR) Arrangements, and sectoral instruments for situational awareness and crisis management including in the electricity sector.

Consistency with other Union policies

The Cyber Blueprint complements and is consistent with the recently adopted Council Recommendation on a Blueprint to coordinate a response at Union level to address disruptions of critical infrastructure with significant cross-border relevance, since the latter covers disruptions related to non-cyber physical resilience. It closely interacts with the Common Foreign and Security Policy (CFSP) and Common Security and Defence Policy (CSDP) crisis management mechanisms and tools, as set out in the Council’s Strategic Compass for Security and Defence. Moreover, Union initiatives to fight cybercrime can support the objectives pursued by the present Recommendation.

2. LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY

Legal basis

The proposal is based on Article 292 TFEU, which lays down the relevant rules regarding the adoption of Recommendations.

The proposal would complement the whole cybersecurity legislative framework established at Union level. The proposal does not address the management of major incidents affecting Union entities within the meaning of Regulation 2023/2841, adopted on the basis of Article 298 TFEU. It does however address information exchange between Union entities and Member States, including the provisions in Regulation 2023/2841 for the Commission representative in the Interinstitutional Cybersecurity Board (IICB) to be the point of contact to facilitate the IICB’s sharing of relevant information in relation to major incidents with the European cyber crisis liaison organisation network (EU-CyCLONe), as a contribution to shared situational awareness.

Subsidiarity (for non-exclusive competence)

Whereas responding to disruptions of critical infrastructure or of the services provided by essential and important entities is first and foremost the responsibility of Member States, certain malicious cyber activities of a cross-border nature can disrupt and damage critical information infrastructures on which the smooth functioning of the internal market depends. Therefore, the Union plays an important role in the event of a significant incident or crisis. Such disruption can impact several or even all sections of economic activity within the single market, and it could affect the security and international relations of the Union. With the aim of securing the functioning of the internal market, coordinating at Union level in case of disruptions of critical infrastructure with significant cross-border effect is not only appropriate but also necessary. Coordinated responses at Union level will support Member States’ responses to the disruption through shared situational awareness, coordinated public communication and mitigating the consequences of the disruption on the internal market.

Proportionality

The present proposal is in conformity with the principle of proportionality as provided for in Article 5 i of the Treaty on the European Union. Neither the content nor the form of this proposed Council Recommendation exceeds what is necessary to achieve its objectives. The actions proposed are proportional to the pursued objectives, which focus on ensuring a coordinated Union management of cyber crises.

Choice of the instrument

To achieve the objectives referred to above, the TFEU provides for the adoption, by the Council, of Recommendations, notably in its Article 292, based on a proposal from the Commission. In accordance with Article 288 TFEU, Recommendations do not have binding force. A Council Recommendation is an appropriate instrument in this case since it signals the commitment of Member States to the measures included therein and provides a strong basis for cooperation in coordinating the management of large-scale cybersecurity incidents and crises. In this manner, the proposed Recommendation would complement the binding legal framework (in particular, the NIS 2 Directive).

3. RESULTS OF EX-POST EVALUATIONS, STAKEHOLDER CONSULTATIONS AND IMPACT ASSESSMENTS

Stakeholder consultations

In developing this proposal, the Commission consulted on the review of the Cyber Blueprint and invited input from Member States and relevant Union entities. It considered the views of the Member States’ experts, as well as ENISA, expressed at the workshop co-organised in Karpacz on 5 September 2024 by the Commission and Poland.

The Commission consulted Member States’ representatives in the CSIRTs Network, EU‑CyCLONe and the NIS Cooperation Group in meetings in September 2024 and invited written contributions.

The Commission presented and gathered feedback from the Council during two dedicated discussions at the Horizontal Working Party on Cyber Issues held in October and November 2024.

The Commission consulted representatives of the private sector, as well as Member States, the European External Action Service (EEAS) and ENISA, at a workshop hosted by the Polish Permanent Representation to the EU in Brussels in November 2024.

The Commission consulted relevant Union entities, namely the EEAS, ENISA, Europol and CERT-EU, including through high-level discussions at the Cyber Crisis Task Force meetings held in July and November 2024.

Consensus emerged on the need for an up-to-date, clear, simple and operational document which enables relevant actors to understand the framework for cyber crisis management and use available mechanisms effectively. There was also consensus on the need to avoid duplication of instruments and to make good use of existing Union-level mechanisms for coordination, information-sharing and response, without creating new structures or interfering with the internal standard operating procedures of existing networks and of existing sectoral mechanisms.