NIS2 Art.35.1: Large-Scale Cybersecurity Incident Coordination (EU-CyCLONe)
What This Control Requires
EU-CyCLONe is hereby established in order to support the coordinated management of large-scale cybersecurity incidents and crises at operational level and to ensure the regular exchange of relevant information among Member States and Union institutions, bodies, offices and agencies.
In Plain Language
When a cyber incident is too big for any single country to handle alone, EU-CyCLONe (European Cyber Crises Liaison Organisation Network) steps in. It coordinates the response to large-scale, cross-border incidents at the operational level, sitting between the technical work of CSIRTs and the political decisions of the Council.
You will not deal with EU-CyCLONe directly - it operates at the Member State level. But if you run critical infrastructure or provide services across multiple EU countries, its decisions can affect you. During a major incident, coordinated guidance or instructions may flow from EU-CyCLONe through your national CSIRT to your organisation.
Understanding this coordination layer helps you plan for scenarios where an attack is not just hitting you, but hitting your entire sector or region simultaneously. Your incident response plans should account for that reality.
How to Implement
Familiarise yourself with where EU-CyCLONe fits in the European incident management framework. You will not interact with it directly, but your incident response plans need to account for large-scale incidents that trigger EU-level coordination.
Build large-scale incident scenarios into your business continuity and incident response planning. Think about coordinated attacks hitting multiple entities across your sector, critical supply chain components compromised across several Member States, EU coordination channels activating with guidance flowing through your national CSIRT, and your organisation being asked to contribute information or implement coordinated response measures.
Make sure your incident response procedures include escalation paths for large-scale events. When an incident looks like it has cross-border or sector-wide implications, flag that clearly in your CSIRT notification so the right coordination mechanisms can activate.
Keep an eye on EU-CyCLONe exercises and their lessons learned. ENISA publishes reports from EU-level exercises that offer useful insights into coordination challenges and what works.
If you provide critical services, think through how a large-scale coordinated attack would affect your operations and what role you might play in the response. Develop procedures for receiving and acting on guidance from national authorities during such events.
Participate in national-level exercises that simulate large-scale incidents. These test the coordination mechanisms that feed into EU-CyCLONe and give your team practical experience with their role in the broader response framework.
Evidence Your Auditor Will Request
- Incident response plans addressing large-scale, cross-border incident scenarios
- Escalation procedures for incidents with EU-wide implications
- Business continuity plans considering coordinated sector-wide attacks
- Participation records in national-level cybersecurity exercises
- Awareness materials on EU crisis coordination mechanisms
Common Mistakes
- Incident response planning only considers isolated, localised incidents
- No awareness of EU-level coordination mechanisms and their implications
- Escalation procedures do not account for cross-border or sector-wide scenarios
- Organisation does not participate in national or EU-level cybersecurity exercises
- No procedures for receiving and implementing coordinated response guidance