On February 5, 2014, the Member States of the EU and European Free Trade Association (“EFTA”) as well as the European Network and Information Security Agency (“ENISA”) issued Standard Operational Procedures (“SOPs”) to provide guidance on how to manage cyber incidents that could escalate to a cyber crisis.
Background In 2009, the European Commission’s Communication on Critical Information Infrastructure Protection invited EU Member States to develop national contingency plans and organize regular exercises to enhance a closer pan-European Network and Information Security (“NIS”) cooperation plan.
In February 2013, the European Commission, together with the High Representative of the Union for Foreign Affairs and Security Policy, launched their cybersecurity strategy (“Strategy”) for the European Union. As part of this Strategy, the European Commission also proposed a draft directive on measures to ensure a common level of NIS across the EU (the “Directive”). The Directive introduces a number of measures, including the creation of a network to enable the national NIS authorities, the European Commission and, in certain cases, ENISA and the Europol Cybercrime Center, to share early warnings on risks and incidents, and to cooperate on further steps and organize exercises at the European level.
In this context, the EU/EFTA Member States developed the SOPs in collaboration with ENISA. The draft SOPs were tested during the pan-European cyber exercises organized by ENISA.
The SOPs The SOPs include a list of contact points, guidelines, templates, workflows, tools and best practices to help European public authorities better understand the causes and impacts of multinational cyber crises and identify effective action plans. In particular, the SOPs emphasize the need to establish direct links to the decision makers at the strategic and political level in order to successfully manage multinational cyber crises.
ENISA continues to work with EU Member States to develop information security best practices and assist the Member States with the implementation of relevant EU legislation.