Coordinated preparedness testing and other preparedness actions

The types of deliverables are presented in two parts.

The first part covers:

• Enhanced cooperation, preparedness and cybersecurity resilience in the EU; preparedness support services
• Threat assessment and risk assessment services.

The second part covers:

• Risk monitoring services
• Better compliance, coordinated vulnerability disclosure and monitoring
• Improved skills, via exercises and training courses, organisation of events, workshops. stakeholder consultations and white papers.

As part of the ECCC Work Programme 2025-2027, this topic covers two actions from the Cyber Solidarity Act, dedicated to the Cybersecurity Emergency Mechanism, namely (1) coordinated preparedness testing of entities operating in sectors of high criticality across the Union and (2) other preparedness actions for entities operating in sectors of high criticality and other critical sectors.

Please note that (1) coordinated preparedness testing of entities operating in sectors of high criticality across the Union is subject to the current Call for proposals while (2) other preparedness actions will be covered only in 2026 and 2027 calls for proposals.

For more details on the action (1) covered under the current call for proposals, please consult the Call document accordingly.

These actions aim to complement and not duplicate efforts by Member States and those at Union level to increase the level of protection and resilience to cyber threats, in particular for critical industrial installations and infrastructures, by assisting Member States in their efforts to improve their preparedness for cyber threats and incidents by providing them with knowledge and expertise.

Proposals should contribute to achieving at least one of the following objectives:

• (part 1) Coordinated preparedness testing of entities operating in sectors of high criticality across the Union (including penetration testing and threat assessment) considering ICT as well as Operational Technology/Industrial Control Systems.
• (part 2) Other preparedness actions for entities operating in sectors of high criticality and other critical sectors (i.e. vulnerability monitoring, exercises and training courses).

[Part 1 Coordinated preparedness testing]

The provision of preparedness support services shall include the activities listed below, for entities in the sector or sub-sector as identified by the Commission in accordance with the Cyber Solidarity Act, from the Sectors of High Criticality listed in Annex I to Directive (EU) 2022/2555 and specified in the call for proposal document for each of the calls under this topic:

Support for testing for potential vulnerabilities:

• Development of penetration testing scenarios. The proposed scenarios may cover Networks, Applications, Virtualisation solutions, Cloud solutions, Industrial Control systems, and IoT.
• Support for conducting testing of essential entities operating critical infrastructure for potential vulnerabilities.
• Support for the deployment of digital tools and infrastructures supporting the execution of testing scenarios and for conducting exercises such as the development of standardised cyber-ranges or other testing facilities, able to mimic features of critical sectors (e.g. energy sector, transport sector, etc.) or others affected by NIS 2 to facilitate the execution of cyber-exercises, in particular within cross-border scenarios where relevant.
• Evaluation and/or testing of cybersecurity capabilities of MS entities and MS sectors (including capabilities to prevent, detect and respond to incidents and stress test of the entire sectors), evaluation and compliance activities aimed at increasing maturity, e.g. on the basis of established maturity models and/or relevant evaluation and compliance schemes.
• Evaluation and/or testing of cybersecurity capabilities of entities in scope (including for the evaluation and management of risks concerning the supply chain).
• Consulting services, providing recommendations on how to improve infrastructure security and capabilities.

Support for threat assessment and risk assessment, such as:

• Threat Assessment process implementation and life cycle
• Customised risk scenarios analysis.

The support will target the competent authorities in the Member States, which play a central role in the implementation of the NIS 2 Directive, such as Computer Security Incident Response Teams (CSIRTs) and National Cybersecurity Authorities.

[Part 2 other preparedness actions]

For the second part, in addition to the services already listed for Part 1 (support for testing for potential vulnerabilities and support for threat assessment and risk management), the

provision of preparedness support services included below addresses entities operating in highly critical and other critical sectors as referred to in Annex I and II of the NIS 2 Directive.

Support for threat assessment and risk assessment:

• Supply chain risk management within the risk assessment services.

Risk monitoring service:

• Specific continuous risk monitoring such as attack surface monitoring, risk monitoring of assets and vulnerabilities.

Support coordinated vulnerability disclosure and management:

• Promote the adoption of national CVD Policies¹ and the EU Vulnerability Database.
• Coordinate the disclosure of vulnerabilities and timely dissemination of security patches. Standardisation of the way information is shared between different stakeholders in the vulnerability handling process.
• CVD applications that manage multiple sources of vulnerability information using open standards or technologies. (e.g. researchers, vendors, CSIRTs)
• Raise awareness on the adoption of vulnerability management best practices.

Dedicated exercises and training courses:

• Develop² comprehensive training programmes and workshops, including international ones, for cybersecurity professionals that will cover the latest trends in cyber threats, attack methodologies, and best practices for pre-threat management and prevention. Maturity checks, evaluation of cybersecurity capabilities.
• Encourage the development of cybersecurity continuous learning activities³ to keep up with all cybersecurity requirements driven by EU cybersecurity-related regulations and directives, including the NIS 2 Directive, CSA, CSoA, DORA, EECC, GDPR, CRA.

The support will target the competent authorities in the Member States, which play a central role in the implementation of the NIS 2 Directive, Computer Security Incident Response Teams (CSIRTs) including sectorial CSIRTs, Security Operation Centres (SOC)/Cyber Hubs, highly critical and other critical sectors, industry stakeholders (including Information Sharing and Analysis Centres- ISACs) and any other actors within the scope of the NIS 2 Directive, DORA, CSA, etc.

Support may be provided, among others, for the on boarding to the CEF Cybersecurity Core Service Platforms of public and private organisations which are working on the implementation of the NIS 2 Directive and are potential users of the CEF Cybersecurity Core Service Platforms.

The action may also support industry, with a particular focus on start-ups and SMEs, to seize the industrial and market uptake opportunities created by the Cyber Resilience Act and may support the implementation of the NIS 2 Directive.

¹Coordinated Vulnerability Disclosure Policies in the EU, ENISA, 2022, available at: https://www.enisa.europa.eu/publications/coordinated-vulnerability-disclosure-policies-in-the-eu

²Based on the European Cybersecurity Skills Framework (ECSF)

³Based on ECSF: https://www.enisa.europa.eu/topics/education/european-cybersecurity-skills-framework