Source: OJ L 333, 27.12.2022, p. 80–152
Article 9 National cyber crisis management frameworks
Summary
What does Article 9 of the NIS 2 directive say?
This article deals with how Member States must organise themselves to handle large-scale cybersecurity incidents and crises at a national level.
It requires each Member State to designate or establish dedicated cyber crisis management authorities, ensure they are adequately resourced, and align their operation with existing national crisis management frameworks.
The article also mandates that each Member State produce a formal national response plan covering preparedness, roles, procedures, and coordination at Union level — effectively building the national infrastructure needed to feed into the broader EU-level crisis coordination mechanisms, such as EU-CyCLONe, which is established under Article 16.
Important points:
- Member States are required to designate at least one cyber crisis management authority and, where multiple are designated, must clearly identify which one serves as the lead coordinator.
- Member States must adopt a national large-scale cybersecurity incident and crisis response plan that covers preparedness objectives, authority responsibilities, crisis procedures, training activities, and arrangements for Union-level coordination.
- Member States must notify the Commission of their designated authority within three months of its establishment, and submit relevant details of their response plans to both the Commission and EU-CyCLONe within three months of those plans being adopted.
This is Springlex's summary of the article: a reading aid, not a substitute for the legal text.
1. Each Member State shall designate or establish one or more competent authorities responsible for the management of large-scale cybersecurity incidents and crises (cyber crisis management authorities). Member States shall ensure that those authorities have adequate resources to carry out, in an effective and efficient manner, the tasks assigned to them. Member States shall ensure coherence with the existing frameworks for general national crisis management.
2. Where a Member State designates or establishes more than one cyber crisis management authority pursuant to paragraph 1, it shall clearly indicate which of those authorities is to serve as the coordinator for the management of large-scale cybersecurity incidents and crises.
3. Each Member State shall identify capabilities, assets and procedures that can be deployed in the case of a crisis for the purposes of this Directive.
4. Each Member State shall adopt a national large-scale cybersecurity incident and crisis response plan where the objectives of and arrangements for the management of large-scale cybersecurity incidents and crises are set out. That plan shall lay down, in particular:
(a) the objectives of national preparedness measures and activities;
(b) the tasks and responsibilities of the cyber crisis management authorities;
(c) the cyber crisis management procedures, including their integration into the general national crisis management framework and information exchange channels;
(d) national preparedness measures, including exercises and training activities;
(e) the relevant public and private stakeholders and infrastructure involved;
(f) national procedures and arrangements between relevant national authorities and bodies to ensure the Member State’s effective participation in and support of the coordinated management of large-scale cybersecurity incidents and crises at Union level.
5. Within three months of the designation or establishment of the cyber crisis management authority referred to in paragraph 1, each Member State shall notify the Commission of the identity of its authority and of any subsequent changes thereto. Member States shall submit to the Commission and to the European cyber crisis liaison organisation network (EU-CyCLONe) relevant information relating to the requirements of paragraph 4 about their national large-scale cybersecurity incident and crisis response plans within three months of the adoption of those plans. Member States may exclude information where and to the extent that such exclusion is necessary for their national security.
Relevant recitals
Recital 68 Crisis management
Member States should contribute to the establishment of the EU Cybersecurity Crisis Response Framework as set out in Commission Recommendation (EU) 2017/1584 (15) through the existing cooperation networks, in particular the European cyber crisis liaison organisation network (EU-CyCLONe), the CSIRTs network and the Cooperation Group. EU-CyCLONe and the CSIRTs network should cooperate on the basis of procedural arrangements that specify the details of that cooperation and avoid any duplication of tasks. EU-CyCLONe’s rules of procedure should further specify the arrangements through which that network should function, including the network’s roles, means of cooperation, interactions with other relevant actors and templates for information sharing, as well as means of communication. For crisis management at Union level, relevant parties should rely on the EU Integrated Political Crisis Response arrangements under Council Implementing Decision (EU) 2018/1993 (16) (IPCR arrangements). The Commission should use the ARGUS high-level cross-sectoral crisis coordination process for that purpose. If the crisis entails an important external or Common Security and Defence Policy dimension, the European External Action Service Crisis Response Mechanism should be activated.
This text is provided by Springlex purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definitions
Defined terms used in this article:
- incident
- large-scale cybersecurity incident
- network and information system, meaning:
  (a) an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972;
  (b) any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or
  (c) digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance;
- cybersecurity