19.9.2017
EN
Official Journal of the European Union
L 239/37
cooperation mechanisms and to enhance cross-border cooperation related to preparedness for a large-scale cyber
incident. It added that a coordinated approach to crisis cooperation across the various elements of the cyber
ecosystem to be set out in a ‘blueprint’ would increase preparedness and that such a blueprint should also ensure
synergies and coherence with existing crisis management mechanisms.
(8)
In the Council Conclusions (1) on the aforementioned Communication, Member States called on the Commission
to submit such a blueprint for consideration by the bodies and other relevant stakeholders. However, the NIS
Directive does not provide for a Union cooperation framework in case of large-scale cybersecurity incidents and
crises.
(9)
The Commission consulted with Member States in two separate consultation workshops held in Brussels on
5 April and 4 July 2017 with Member States representatives from Computer Security Incident Response Teams
(CSIRTs), the Cooperation Group established by the NIS Directive and the Council Horizontal Working Party on
Cyber Issues as well as representatives from the European External Action Service (EEAS), ENISA, Europol/EC3
and the General Secretariat of the Council (GSC).
(10)
The present Blueprint for coordinated response to large-scale cybersecurity incidents and crises at the Union level,
annexed to this Recommendation, is the outcome of the aforementioned consultations and complements the
Communication on ‘Strengthening Europe's Cyber Resilience System and Fostering a Competitive and Innovative
Cybersecurity Industry’.
(11)
The Blueprint describes and sets out the objectives and modes of cooperation between the Member States and EU
institutions, bodies, offices and agencies (hereafter referred to as ‘EU institutions’) in responding to large-scale
cybersecurity incidents and crises and how existing Crisis Management mechanisms can make full use of existing
cybersecurity entities at EU level.
(12)
In responding to a cybersecurity crisis in the sense of recital 2, coordination of the response at political Union
level in the Council will use the Integrated Political Crisis Response (IPCR) arrangements (2); the Commission will
use the ARGUS (3) high-level cross-sectoral crisis coordination process. If the crisis entails an important external
or Common Security and Defence Policy (CSDP) dimension, the European External Action Service (EEAS) Crisis
Response Mechanism (CRM) (3) will be activated.
(13)
In certain areas, sectoral crisis management mechanisms at EU level provide for cooperation in case of cybersecurity
incidents or crisis. For example, in the framework of the European Global Navigation Satellite System
(GNSS), Council Decision 2014/496/CFSP (4) already defines the respective roles of the Council, the High Representative,
the Commission, the European GNSS Agency and the Member States within the chain of operational
responsibilities set up in order to react to a threat to the Union, to the Member States or to the GNSS, including
in case of cyber-attacks. Therefore, this recommendation should be without prejudice to such mechanisms.
(14)
Member States have the primary responsibility for the response in case of large-scale cybersecurity incidents or
crises affecting them. The Commission, the High Representative and other EU institutions or services have
however an important role, stemming from Union law or from the fact that cybersecurity incidents and crises
may impact all sections of economic activity within the single market, the security and international relations of
the Union, as well as the institutions themselves.
(15)
At Union level, the key actors involved in response to cybersecurity crises include the newly established NIS
Directive structures and mechanisms, namely the Computer Security Incident Response Teams (CSIRTs) network,
as well as the relevant agencies and bodies namely the European Union Agency for Network and Information
Security (ENISA), the European Cybercrime Centre at Europol (Europol/EC3), the EU Intelligence Analysis Centre
(INTCEN), EU Military Staff Intelligence Directorate (EUMS INT) and Situation Room (Sitroom) working together
as SIAC (the Single Intelligence Analysis Capacity), the EU Hybrid Fusion Cell (based in INTCEN), the Computer
Emergency Response Team for the EU institutions (CERT-EU) and the Emergency Response Coordination Centre
in the European Commission.
(16)
Cooperation amongst Member States in responding to cybersecurity incidents at technical level is provided by the
CSIRTs Network established by the NIS Directive. ENISA provides the secretariat for the Network and actively
(1) Document 14540/16, 15 November 2016.
(2) Further information can be found in Section 3.1 of the Appendix on Crisis management, cooperation mechanisms and actors at EU level.
(3) Ibid.
(4) Council Decision 2014/496/CFSP of 22 July 2014 on aspects of the deployment, operation and use of the European Global Navigation Satellite System affecting the security of the European Union and repealing Joint Action 2004/552/CFSP (OJ L 219, 25.7.2014, p. 53).