Putting EU resilience to the test: ENISA handbook on cyber stress testing | ENISA

News Item May 15, 2025

In recent years, the EU has dedicated efforts to strengthening the resilience of critical infrastructure in order to achieve a high level of cybersecurity across the Union. Among the relevant EU legislation, the Cyber Solidarity Act supports these efforts by setting out measures to improve the EU’s capabilities to detect, prepare for and respond to cybersecurity threats and incidents.

In the cybersecurity domain, there is an array of security testing methodologies that can be used. Stress tests offer a lightweight and targeted method for assessing cybersecurity and resilience, yet they are not widely applied.

In response to this, the EU Agency for Cybersecurity developed the handbook as guidance for national or sectorial authorities overseeing the cybersecurity and resilience of critical sectors at the national, regional or EU level under the NIS 2 Directive. It could also be useful for other supervisory and national authorities under sectorial regulations, such as those under the Digital Operational Resilience Act (DORA) or the Critical Entities Resilience (CER) Directive.

The handbook defines a cyber stress test as ‘a targeted assessment of the resilience of individual organisations and their ability to withstand and recover from significant cybersecurity incidents, ensuring the provision of critical services, in different risk scenarios.’

The handbook provides a step-by-step guide for cyber stress testing, outlines how tests can be suitable for assessing resilience, dependencies and systemic risks, and explains how they can be conducted at the national, regional and EU level. It includes a practical example to demonstrate the process, covering the EU health sector.

[Figure: Description of the 5 steps in organising a cyber resilience stress test]

The handbook further offers valuable recommendations at each step of the process, including how decisions on the number and type of entities tested can affect the results and complexity of the test, as well as tips regarding scenario development and the use of resilience metrics to identify gaps and issues at both entity and sector level.

Cyber stress tests are a valuable tool in the regulatory toolkit of the national authorities, complementing other activities and enabling a more efficient and targeted supervision of critical sectors. ENISA looks forward to continuing to provide the necessary support to authorities and agencies, at the national and EU levels, in carrying out national-, regional- and EU-level cyber stress tests.
