Who should read this: Crisis Managers, National Cybersecurity Officials, Chief Risk Officers, Critical Infrastructure Operators.
The cybersecurity landscape includes not only routine incidents that organisations must detect and respond to, but also large-scale crises that transcend individual organisations and demand coordinated response across entire sectors and national borders. NIS2 recognises this reality and establishes comprehensive frameworks for managing large-scale cybersecurity incidents and crises. Articles 9 and 16 create institutional structures (national cyber crisis management authorities and the European cyber crisis liaison organisation network, EU-CyCLONe) designed to ensure that when major incidents occur, the response is coordinated, effective, and proportionate to the scale of the threat.
Large-scale incidents are fundamentally different from ordinary security events. An ordinary incident might affect a single organisation’s systems or services and be managed through that organisation’s incident response procedures. A large-scale incident affects multiple essential entities, crosses sector and national boundaries, and threatens the continuity of critical services at a scale that demands government-level coordination. If a sophisticated threat actor compromised multiple European hospitals’ surgical scheduling systems simultaneously, that would be a large-scale incident. If a vulnerability in critical telecommunications infrastructure affected networks across multiple Member States, that would be a large-scale incident. These scenarios require responses that transcend any individual organisation’s capability.
National Cyber Crisis Management Frameworks
Article 9 requires each Member State to establish a national cyber crisis management framework. This framework is the foundation of crisis response. It starts with the appointment or establishment of one or more competent authorities responsible for managing large-scale cybersecurity incidents and crises. These cyber crisis management authorities have several key responsibilities.
First, they must have adequate resources to discharge their tasks effectively and efficiently. This is not vague language; it means staffing, budget, technical capability, and authority proportionate to the mission of managing national-scale cybersecurity incidents. A Member State cannot adequately manage large-scale cybersecurity crises through a small team with minimal budget. This obligation recognises that crisis management is a demanding function requiring sustained investment.
Second, they must ensure coherence with existing frameworks for general national crisis management. Cybersecurity incidents, particularly at large scale, do not occur in isolation from other crises. A ransomware attack on hospitals might occur during a pandemic. A compromise of power grid management systems might occur during extreme weather. The national cyber crisis management framework must integrate with existing mechanisms for managing national emergencies and coordinating government response.
Article 9(2) requires that if a Member State establishes more than one cyber crisis management authority (a realistic scenario in larger Member States where multiple agencies might have relevant responsibilities), the Member State must clearly designate which authority serves as coordinator. This ensures that there is a single identified leader for crisis response, preventing confusion or duplication of effort during a crisis when coordination is critical.
Article 9(3) requires each Member State to identify capabilities, assets, and procedures that can be deployed in a crisis. This is essentially a capability audit and planning exercise. Which government agencies have cybersecurity experts? Which critical infrastructure operators have response resources that could be mobilised for a government-coordinated response? What technical infrastructure exists to support crisis coordination? This inventory must be in place before a crisis occurs; there is no time to create it during one.
Article 9(4) requires the adoption of a national large-scale cybersecurity incident and crisis response plan. This plan must include several elements:
- Objectives of national preparedness: what is the nation trying to achieve in preventing and preparing for large-scale cybersecurity crises?
- Tasks and responsibilities of cyber crisis management authorities: which authority does what, who decides to activate crisis procedures, and what chain of command applies during a crisis?
- Cybersecurity crisis management procedures, including how they integrate into general national crisis management and what information exchange channels exist for crisis communication.
- National preparedness measures, including exercises and training. Preparing for a crisis means testing your response before you face a real one. Member States must conduct exercises to test whether their crisis coordination procedures actually work, and training ensures that designated personnel know their roles and responsibilities before a crisis requires them to execute.
- Public and private stakeholders and infrastructure involved. Large-scale cybersecurity crises cannot be managed by government alone. Critical infrastructure operators, telecommunications providers, and essential service providers must be coordinated. The plan should identify these stakeholders and describe how they are engaged.
- National procedures and arrangements to ensure the Member State’s effective participation in coordinated management of large-scale incidents at the Union level, coordinated through EU-CyCLONe and the CSIRT network.
EU-CyCLONe: Coordinating Crisis Response Across Europe
Article 16 establishes EU-CyCLONe, the European cyber crisis liaison organisation network. This is not an operational crisis response team; it is a coordination mechanism through which Member States manage large-scale incidents that affect multiple countries.
EU-CyCLONe is composed of representatives of Member States’ cyber crisis management authorities and, when a large-scale incident occurs with significant potential impact on essential and important entities, representatives of the Commission. When no ongoing crisis affects the Directive’s scope, the Commission participates as an observer rather than a full member. ENISA (the EU Agency for Cybersecurity) provides the secretariat and supports secure information exchange.
The operational purpose of EU-CyCLONe is to support the coordinated management of large-scale cybersecurity incidents and crises at the operational level and to ensure regular exchange of relevant information among Member States and Union institutions. This is demanding work. When an incident affects multiple Member States, EU-CyCLONe provides the forum through which Member States share information, coordinate response, and ensure that actions taken by one Member State do not undermine actions by another.
Article 16(3) sets out the specific tasks of EU-CyCLONe:
- Coordinate response to large-scale cybersecurity incidents and crises, including determining the measures needed to address the incident and how response efforts are distributed among Member States.
- Exchange information among Member States and with relevant EU institutions about large-scale incidents, including assessments of the incident’s scope and impact.
- Facilitate support and assistance to Member States affected by incidents. If one Member State is particularly severely affected, others may offer technical expertise, tools, or other resources through the EU-CyCLONe coordination process.
- Coordinate with the CSIRT network (the network of national computer security incident response teams that handle routine incidents under Article 15). During a large-scale crisis, both the CSIRT network and EU-CyCLONe are active. CSIRTs handle the technical incident details; EU-CyCLONe manages the strategic, operational, and political coordination.
- Provide strategic guidance to the CSIRT network on emerging issues affecting large-scale incidents.
- Exchange views on policy responses to large-scale incidents, drawing lessons from incidents to improve future preparedness.
- Discuss national large-scale incident response plans and review them to ensure coherence across the Union.
The Role of the CSIRTs Network in Crisis Response
The CSIRT network (the network of the national computer security incident response teams that Member States designate and oversee under Articles 10 and 11) plays a critical supporting role to EU-CyCLONe during large-scale incidents. Article 15(4) requires that the CSIRTs network cooperate with EU-CyCLONe on the basis of agreed procedural arrangements.
This cooperation takes several forms. CSIRTs provide technical incident handling expertise. When EU-CyCLONe is coordinating response to an incident, the technical teams at national CSIRTs are often doing the actual investigative work, including identifying affected systems, determining attack vectors, and developing mitigations. CSIRTs provide regular operational updates to EU-CyCLONe on the technical progress of incident response.
CSIRTs also facilitate information exchange among Member States. If a vulnerability is being actively exploited across multiple countries, CSIRTs exchange indicators of compromise and technical details that help other countries detect whether their organisations have been affected. This information sharing can accelerate incident detection and response.
CSIRTs coordinate with essential and important entities within their Member States. When a large-scale incident affects multiple entities, the national CSIRT ensures that all affected entities receive consistent guidance and that their incident reporting is coordinated. This prevents organisations from receiving conflicting information or different remediation guidance.
Activation and Escalation
Articles 9 and 16 establish frameworks, but they do not specify precisely when a crisis response should be activated or what criteria determine whether an incident is “large-scale.” This is intentionally flexible because the scale and significance of incidents vary. However, Member States should establish clear criteria for activation.
An incident typically becomes large-scale when it affects multiple essential entities across different sectors or crosses national borders. An attack affecting one hospital is serious but not large-scale; an attack affecting hospitals in three different Member States is. A vulnerability affecting a particular vendor’s products might be serious, but if it affects critical infrastructure across multiple countries, it becomes large-scale.
The Directive anticipates that during large-scale incidents, escalation occurs dynamically. An incident might begin with routine national CSIRT handling and be escalated to EU-CyCLONe as its scale becomes apparent. Alternatively, if intelligence suggests an imminent attack of large-scale significance, EU-CyCLONe might be activated preemptively.
Preparedness and Exercises
Large-scale crisis management frameworks are only effective if organisations and teams actually understand their roles and the procedures work in practice. Article 9(4)(d) requires that national large-scale incident response plans include preparedness measures, including exercises and training.
Effective crisis preparation includes regular exercises in which Member States, essential entities, and other stakeholders practice responding to realistic large-scale incidents. These exercises test whether communication channels work, whether decision-making processes function under stress, whether information exchange is effective, and whether coordination across sectors and countries actually happens. Exercises reveal gaps in planning or capability that can be addressed before a real crisis.
Exercises also build relationships. Crisis response depends on trust and informal relationships. When officials from different agencies have worked together in exercises, they know each other and have established working relationships. During an actual crisis, these relationships facilitate faster, more effective coordination.
Member States should conduct large-scale incident response exercises at least annually, involving relevant government agencies, critical infrastructure operators, and international partners. ENISA and the Cooperation Group should provide guidance on exercise design and coordination across Member States.
Reporting and Transparency
EU-CyCLONe must report on its work. Article 16(7) requires that EU-CyCLONe submit a report to the European Parliament and Council every 18 months assessing its work, including information about large-scale incidents managed, lessons learned, and recommendations for improved crisis management.
This reporting requirement creates accountability and transparency. The European Parliament and Council can assess whether the crisis management framework is working, whether resources are adequate, and whether amendments to the framework are needed.
Key Takeaways
- Article 9 requires each Member State to establish a national cyber crisis management framework, including designation of competent authorities, identification of available capabilities, and adoption of a national crisis response plan with clear objectives, responsibility assignments, procedures, and stakeholder identification.
- EU-CyCLONe, established under Article 16, coordinates large-scale cybersecurity incident response across Member States. It brings together national cyber crisis management authorities and facilitates information sharing, resource sharing, and unified response strategy.
- The CSIRT network supports EU-CyCLONe by providing technical incident handling expertise, facilitating information exchange among Member States, and coordinating with affected entities. Technical incident response and crisis-level coordination are complementary functions.
- National crisis management frameworks must integrate with existing national emergency management structures. Cybersecurity crises do not occur in isolation; they must be managed as part of broader national resilience.
- Preparedness requires regular exercises and training. Member States and stakeholders should conduct annual or more frequent exercises testing crisis procedures to identify gaps and build relationships before an actual crisis occurs.