Report on cyber crisis cooperation and management : common practices of EU-level crisis management and applicability to cyber crises

Despite a number of initiatives within the European Network and Information Security community to establish frameworks and standard operating procedures, the EU-level response to cyber incidents, and in particular those which lead to responding to crisis situations, lack consistency. Today, should a crisis arise from a largescale cyber incident, Member States would need a harmonised framework to effectively respond to the challenges posed by such an incident. Based on a detailed analysis of five different EU-level crisis management frameworks, this report highlights lessons learnt from years of crisis management in five different sectors which would be applicable to the cyber domain, and provides a series of key recommendations regarding EU-level priorities to alter the outcome of the next cyber crisis. In recent years, the need for a robust EU-level response mechanism to manage cross-border threats has become overwhelmingly apparent within several sectors. The challenges faced by the EU in coordinating a common response have been highlighted following a number of crises, notably the volcanic ash cloud over Iceland in 2010, pandemics such as the influenza virus in 2009 [2], and, with increasing frequency, terrorist attacks on European soil [3]. These crises have all sparked EU-level action, and indeed prompted the emergence of common legal and operational frameworks. EU-level crisis situations originating in one or more cyber incidents are not commonplace: so far only the 2007 crisis in Estonia was ever called a "cyber crisis" [1]. This single event sparked, just like the volcanic ash cloud or the influenza virus, various initiatives at European level to improve the response against such incidents. The 2009 CIIP Communication, the Telecom Package, the EU Cybersecurity Strategy, the Digital Agenda for Europe and the Cyber Europe exercise series: all followed this event. Yet as the latter has shown repeatedly, crisis management at EU-level still lacks the proper mechanisms to support effectively the EU-wide cybersecurity community in the event of another cyber crisis.