From Cyber Security Incident Management to Cyber Security Crisis Management in the European Union

Jukka Ruohonen, Kalle Rindell, Simone Busetti

TL;DR

The paper addresses how the EU defines and manages cyber security crises under new laws, clarifying that large-scale incidents are equated to crises when they exceed a single member state's handling capacity or affect at least two member states, formalized as $LargeScaleIncident \equiv (capacity\_exceeded) \lor (affects \ge 2\ \text{MS})$. It uses policy analysis of enacted laws (NIS2, CRA, CSA, CSOA) and ex post scenario analyses to map incident types, reporting obligations, and crisis governance networks (ENISA, CSIRTs, EU-CyCLONe). It shows that reporting obligations become mandatory for severe, significant, and large-scale incidents and for actively exploited vulnerabilities, while near-miss reporting remains voluntary, revealing coordination challenges. A multi-level framework spanning international to individual levels is used to analyze how incidents may cascade into crises and how EU governance aims to coordinate responses. The study highlights persistent ambiguities in EU-level crisis operations, calls for harmonized reporting guidelines, and outlines directions for theoretical, comparative, and empirical research.

Abstract

Incident management is a classical topic in cyber security. Recently, the European Union (EU) has also started to consider the relation between cyber security incidents and cyber security crises. These considerations and preparations, including those specified in the EU's new cyber security laws, constitute the paper's topic. According to an analysis of the laws and associated policy documents, (i) cyber security crises are equated in the EU to large-scale cyber security incidents that either exceed the handling capacity of a single member state or affect at least two member states. For this and other purposes, (ii) the new laws substantially increase mandatory reporting about cyber security incidents, including but not limited to large-scale incidents. Despite the laws and the new governance bodies established by them, however, (iii) the working of actual cyber security crisis management remains unclear, particularly at the EU level. With these policy research results, the paper advances the domain of cyber security incident management research by elaborating how European law perceives cyber security crises and their relation to cyber security incidents, paving the way for many relevant further research topics with practical relevance, whether theoretical, conceptual, or empirical.

Paper Structure

This paper contains 29 sections, 6 figures, 1 table.

Figures (6)

  • Figure 1: Analytical Levels (adopted from ENISA24a)
  • Figure 2: The EU's Current Cyber Security Strategy in a Nutshell (adopted from EC25a)
  • Figure 3: An Event Type Hierarchy
  • Figure 4: Reporting Deadlines for Actively Exploited Vulnerabilities and Severe, Significant, and, by implication, Large-Scale Incidents
  • Figure 5: Cyber Security Crisis Management at the EU-Level (adopted and modified from EU17)