Considerations on COM(2025)66 - Proposal for a COUNCIL RECOMMENDATION for an EU Blueprint on cybersecurity crisis management - Main contents
dossier | COM(2025)66 - Proposal for a COUNCIL RECOMMENDATION for an EU Blueprint on cybersecurity crisis management. |
---|---|
document | COM(2025)66 |
date | June 6, 2025 |
(2) A large-scale cybersecurity incident can cause a level of disruption that exceeds a Member State’s capacity to respond to it or has a significant impact on more than one Member State. Such an incident, depending on its cause and impact, could escalate and turn into a fully-fledged crisis, affecting the proper functioning of the internal market or posing serious public security and safety risks for entities or citizens in several Member States or the Union as a whole. Effective crisis management is essential for maintaining economic stability and protecting European governments, critical infrastructure, citizens and businesses, as well as contributing to international security and stability in cyberspace. Cyber crisis management is accordingly an integral part of the overarching EU crisis management framework.
(3) In accordance with the procedures set out in Council Implementing Decision (EU) 2018/1993 2 , a decision to activate and deactivate the EU Integrated Political Crisis Response (IPCR) is taken by the Presidency of the Council which consults (except where the solidarity clause has been invoked) the affected Member States, the Commission and the High Representative (HR). In addition, according to the IPCR procedures, the General Secretariat of the Council, Commission services and EEAS may also agree, in consultation with the Presidency, to activate IPCR in information-sharing mode. Discussions under the IPCR are informed by Integrated Situational Awareness and Analysis reports developed by Commission services and the European External Action Service (‘EEAS’).
(4) While Member States have a primary responsibility in the management of national cyber crises, the potential cross-border and cross-sectoral nature of cybersecurity incidents requires Member States and the relevant Union entities to cooperate at technical, operational and political level to coordinate effectively across the Union. At the same time, crisis response and recovery are costly for the affected entities and sectors. Full-lifecycle crisis management, therefore, includes preparedness and shared situational awareness to anticipate cybersecurity incidents, the necessary detection capabilities to identify and the needed response and recovery tools to mitigate, deter and contain cybersecurity incidents.
(5) Commission Recommendation (EU) 2017/1584 3 on coordinated response to large-scale cybersecurity incidents and crises set out the objectives and modes of cooperation between Member States and Union entities in responding to large-scale cybersecurity incidents and crises. It mapped the relevant actors at technical, operational and political level, and explained how they were integrated into the broader Union crisis management, such as the IPCR arrangements. The core principles set out in Recommendation (EU) 2017/1584 remain valid, namely, subsidiarity, complementarity and confidentiality of information as well as the three-level approach (technical, operational and political).
(6) Since 2017, the Union has developed its cybersecurity framework through several instruments that contain provisions relevant for cybersecurity crisis management: Regulation (EU) 2019/881 of the European Parliament and of the Council 4 , Directive (EU) 2022/2555 of the European Parliament and of the Council 5 , Commission Implementing Regulation 2024/2690 6 , Regulation (EU, Euratom) 2023/2841 of the European Parliament and of the Council 7 , Regulation (EU) 2021/887 of the European Parliament and of the Council 8 , Regulation (EU) 2024/2847 of the European Parliament and of the Council 9 , and Regulation (EU) 2025/38 of the European Parliament and of the Council (‘Cyber Solidarity Act’) 10 . Specific sectoral cybersecurity crisis measures include Commission Delegated Regulation (EU) 2024/1366 11 and the forthcoming systemic cyber incident coordination framework (EU-SCICF) in the context of Regulation (EU) 2022/2554 of the European Parliament and of the Council 12 . Directive 2013/40 13 provides the reference for the definition of criminal activities related to cyberattacks and Union rules on cross-border access to electronic evidence, in particular Regulation (EU) 2023/1543 of the European Parliament and of the Council 14 , once implemented, will significantly facilitate law enforcement action in this domain. The EU Policy on Cyber Defence 15 outlines the roles of an EU network of Military Computer Emergency Response Teams Operational Network (MICNET) and the EU Cyber Commanders Conference and envisages the establishment of an EU Cyber Defence Coordination Centre (EUCDCC). Other, non-cyber related situational awareness and crisis response mechanisms exist in some of the critical sectors listed in the Annexes I and II to Directive (EU) 2022/2555. 
The ‘Council Recommendation on a Blueprint to coordinate a response at Union level to disruptions of critical infrastructure with significant cross-border relevance’ 16 provides for cooperation between relevant actors where an incident affects both physical aspects and the cybersecurity of critical infrastructure.
(7) At Union level, the relevant actors that have cyber crisis management responsibilities include the Commission, the EEAS including the Single Intelligence and Analysis Capacity (SIAC), the European Union Agency for Cybersecurity (ENISA), the Cybersecurity Service for the Union institutions, bodies, offices and agencies (CERT-EU), Europol through its European Cybercrime Centre (EC3), the European Cyber Liaison Officers Network (EU-CyCLONe), the Computer Security Incident Response Teams (CSIRTs) Network, the EU Satellite Centre (SATCEN), the Galileo Security Monitoring Centre, and the Union’s network of delegations. These Union actors should together determine areas for cooperation and contribute to the implementation of the Union cyber crisis management framework, in accordance with their competences under applicable laws.
(8) An updated Recommendation setting out a blueprint on cybersecurity (‘Cyber Blueprint’) is necessary to provide clear and accessible guidance explaining what a Union-level cyber crisis is, how the crisis management framework is triggered, what the roles of relevant Union level actors and mechanisms are, and how these actors and mechanisms interact throughout the entire cyber crisis lifecycle. The Cyber Blueprint is to be seen within the wider context of civilian-military and EU-NATO relations.
(9) This Recommendation complements the arrangements on an Integrated Political Crisis Response (IPCR) and wider Union crisis mechanisms, including the Commission’s general rapid alert system ARGUS, the Union Civil Protection Mechanism (UCPM) supported by the Emergency Response Coordination Centre (ERCC), the European External Action Service’s Crisis Response Mechanism (CRM), as well as other processes, such as those described in the EU Hybrid Toolbox 17 and in the revised EU Protocol for countering hybrid threats. It also complements and should be coherent with the Council Recommendation on a blueprint to coordinate a response at Union level to disruptions of critical infrastructure with significant cross-border relevance (‘Critical Infrastructure Blueprint’) which covers non-cyber physical resilience, and which aims at improving coordination of response at Union level in this area.
(10) A comprehensive and integrated approach to crisis management should be fostered across all sectors and levels of governance. Cross-sectoral crisis management at Union level should be reinforced to enable an integrated crisis response, particularly in cases where cyber incidents cause real-life consequences. Where cybersecurity incidents are part of a wider hybrid campaign or crisis, the relevant actors should support efforts to develop a unified situational picture across several sectors and domains. The Recommendation contributes to wider preparedness actions required for the Union in the face of multi-dimensional hybrid threats [in line with the principles embedded in the Preparedness Union Strategy].
(11) The security of critical digital infrastructure is fundamental for the resilience of the Union’s economy, society and defence. Entities falling into the scope of Directive (EU) 2022/2555, including those providing undersea communications cables, need to take measures to protect the physical and environmental security of network and information systems based on an all-hazards approach, such as system failures, human error, malicious acts or natural phenomena. In addition, those entities should report incidents, including those related to the submarine communication cables, to the CSIRTs or, where applicable, to the competent authority. Although the fundamental principles underpinning the Cyber Blueprint are relevant to the security of submarine cables, the mechanisms it lays out are not sufficiently comprehensive to cover the full crisis resilience cycle. Its specific nature warrants a concerted and tailor-made effort to address the needs for integrated threat surveillance and situational awareness for the sea basins around the EU, strategic investments to create redundancies and a common European approach to step up repair and recovery capabilities. The EU Maritime Security Strategy comprises actions to enhance cyber security in the maritime domain, and to enhance surveillance and protection of critical maritime infrastructure, including submarine cables. For Union level crisis management, a specific network of national points of contact and close civilian-military interactions, including with NATO, would be an avenue to consider.
(12) Preparedness for a crisis requires a comprehensive all-hazards and all-threats risk assessment, given the convergence of the EU’s economic and security interests. A shared Union situational awareness among Member States and Union entities, facilitated by agreeing on a common taxonomy and secure communications channels, should enable a coordinated and informed response to potential and large-scale cybersecurity incidents, as well as deterrence of persistent threat actors. Based on the need-to-know principle and considering the importance of trust in information sharing, groups of Member States in various configurations, and, where appropriate, relevant Union entities, might wish to cooperate and share information relevant for cyber incident management. Member States and Union entities sharing on threats, risks and maturity gaps should enable the identification of the right priorities for sound investment and tangible actions that would lead to better cyber resilience.
(13) In accordance with Article 6 of Regulation (EU) 2019/881, ENISA, in close cooperation with the Member States, prepares a regular in-depth EU Cybersecurity Technical Situation Report on incidents and cyber threats. That report is referred to as the EU Joint Cyber Assessment Report (EU-JCAR) and is prepared with Europol/EC3 and CERT-EU, with the aim of strengthening Union preparedness, as it provides situational awareness based on an analysis of incidents and cyber threats.
(14) Key critical infrastructure, such as energy, transport, digital infrastructure, health or financial services, as well as the security solutions deployed to protect it, are usually operated by private companies. Safeguarding this infrastructure against large-scale cyber incidents requires close cooperation between public and private entities, including manufacturers and open-source developers, built on trust and clear and dedicated procedures for information sharing, dissemination and coordination of response.
(15) Union-level cyber exercises are a highly effective tool for testing procedures and cooperation mechanisms and thereby enhancing preparedness. As exercises are resource-intensive, the exercise agenda needs to be as streamlined and consolidated as possible and needs to consider the scenarios developed in Union coordinated risk assessments and other relevant initiatives.
(16) European digital infrastructures have many deeply embedded technical dependencies. These should be addressed to ensure business continuity of operations in a crisis. This concerns, for instance, the Domain Name System (DNS), which is a crucial component that underpins the Internet’s operations. DNS resolvers are essential for accessing the Internet, including during a major cyber crisis, as they translate Internet domain names into IP addresses. Directive (EU) 2022/2555 encourages relevant stakeholders to adopt a DNS resolution diversification strategy. It also encourages Member States to foster the development and use of a public and secure European DNS resolver service as a key measure to ensure crisis preparedness and resilience.
(17) Furthermore, to enhance the resilience of other critical components, such as the routing system, and ensure their functionality during major cyber crises, it is essential to implement corresponding best practices and latest available standards in a timely manner. Consequently, Implementing Regulation (EU) 2024/2690 mandates establishing a multistakeholder forum to identify the best available standards and deployment techniques for essential cybersecurity elements and encourages participation from relevant entities.
(18) To effectively detect malicious activity in the increasingly complex global supply chains that can have a Union-wide impact, a coordinated approach is necessary. This is especially relevant for areas where the Union relies on technology from high-risk suppliers subject to the jurisdiction of a third country that requires reporting information on software or hardware vulnerabilities to its authorities prior to their being known to be exploited. State-sponsored actors may also preposition themselves in critical infrastructure with the intention of causing disruption at a later time, for example during a conflict. This is difficult to detect using traditional methods, since threat actors disguise their activities by blending in with legitimate traffic and using 'living off the land' techniques which rely on legitimate tools and processes to hide malicious activities. The same is true for third countries where, according to public statements of the Union or its Member States, threat actors operating out of the territories of those countries have carried out malicious cyber activities against the Union. Supply chains should become more resilient and diversified, while maintaining a common baseline of preparedness.
(19) At the technical level, CSIRTs, law enforcement authorities, as well as the National and Cross-Border Cyber Hubs (cyber hubs) to be established under Regulation (EU) 2025/38, play an essential role in detecting incidents, cyber threats and vulnerabilities, supporting technical attributions, and recovering from cyberattacks. Effective procedural arrangements for cooperation between the CSIRTs Network and EU-CyCLONe, as required by Directive (EU) 2022/2555, are essential. The European Cyber Security Alert Mechanism aims to support the development of advanced capabilities for the Union to enhance detection, analysis and data processing capabilities in relation to cyber threats and the prevention of incidents in the Union.
(20) In terms of immediate response, mechanisms at the disposal of Member States include the EU Cybersecurity Reserve and actions supporting mutual assistance established under Regulation (EU) 2025/38, Hybrid Rapid Response Teams and Permanent Structured Cooperation (PESCO) Cyber Rapid Response Teams (CRRTs), as well as mechanisms provided for NATO allies. In addition, the EU Law Enforcement Emergency Response Protocol (LEERP) supports the EU law enforcement authorities in providing immediate response to major cross-border cyber-attacks through rapid assessment, the secure and timely sharing of critical information and effective coordination of the international aspects of their investigations, including deconfliction at law enforcement level and coordination with non-law enforcement partners. Achieving a clear picture of which response options are available in cases of cyber incidents and hybrid activities and how they are used can ensure an efficient allocation of resources and avoid their duplication. Accordingly, under Regulation (EU) 2025/38, Member States are required to inform the CSIRTs Network and EU-CyCLONe when requesting services of the EU Cybersecurity Reserve.
(21) Effectively combating cybercrime is essential for cybersecurity. Deterrence cannot be achieved solely through resilience, but also requires identification, prosecution of and response to offenders. Cooperation through adapted technical systems and platforms and exchange of relevant information among cybersecurity actors, cyber diplomacy entities, and law enforcement are therefore essential to ensure a comprehensive understanding of the threat landscape and be able to respond in a coherent and coordinated manner.
(22) Crises generate uncertainty which adversaries can easily exploit to spread disinformation and sow distrust. To counter this, clear and coherent public communication about the situation, and what steps are being taken to remedy it, is essential. A coordinated strategic communication can also support diplomatic actions towards persistent threat actors and the development of a narrative on threats to the Union, its deterrence actions and the need to promote responsible State behaviour in cyberspace.
(23) For effective crisis management, it is necessary to identify common secure communication solutions for the cyber domain and implement them across the Union, including where necessary for the exchange of EU classified information. Following the request of the Council, the Commission and other relevant Union entities mapped existing secure communication tools and presented the results in December 2022. There are several existing separate efforts by Union entities to build up secure communications capacities in a crisis that require better coordination and leveraging. This includes the establishment of an EU Critical Communication System (EUCCS) to enhance resilience of public communication infrastructure against malign interference and improve daily operational cooperation, including across borders.
(24) The Union’s security environment demands an all-hazards, whole-of-government and whole-of-society approach to civilian and military preparedness and readiness. Military bodies rely on civilian critical infrastructure, such as communications, energy, health, transport and logistics. Accordingly, and as emphasised in the EU Policy on Cyber Defence 18 , the EU’s cybersecurity requires greater cooperation and synergies between civilian and military networks’ capacities for preparedness and response, including in the case of an armed attack. Cybersecurity actors should work together across institutional and operational silos to anticipate and to address the threat of multisectoral, multidimensional disruption, in line with the principles that [to be embedded] in the Preparedness Union Strategy. Furthermore, malicious cyber activity is playing an increasing role in wider hybrid campaigns against the Union, its Member States and strategic partners. Stronger cooperation between the Union and NATO is therefore required.
(25) In the military community, the future EU Cyber Defence Coordination Centre and the Single Intelligence Analysis Capacity (SIAC) within the European External Action Service, the Military Computer Emergency Response Team Operational Network (MICNET) and the EU Cyber Commanders Conference facilitated by the European Defence Agency (EDA), as well as relevant projects under the Permanent Structured Cooperation (PESCO), represent important actors and initiatives for coordination and cooperation on preparedness for detection, deterrence and defence against, and recovery from, cyber threats affecting the Union and Member States. Therefore, cooperation between civilian and military actors should be encouraged, such as the cooperation between EU-CyCLONe and the EU Cyber Commanders Conference, as well as the potential collaboration between MICNET and the CSIRTs Network.
(26) Cooperation with strategic international partner countries and organisations outside of the Union enhances the Union’s cybersecurity capabilities. By fostering international cooperation, the Union and its partners can ensure shared situational awareness and coherence in cyber crisis management and a robust cyber posture, contributing to a global, open, stable, secure and resilient cyberspace. This collaboration should be based on trust and the shared goal of protecting critical infrastructure and essential services from cyber threats, including by promoting responsible state behaviour in cyberspace grounded in the United Nations (UN) framework and by holding threat actors accountable for their irresponsible and illegal behaviour in cyberspace. Cyber diplomacy measures contribute to the deterrence and response to malicious cyber activities and provide for coordination and cooperation with strategic international partner countries.