Systemic Cyber Incident Coordination Framework (EU-SCICF)



What is the Systemic Cyber Incident Coordination Framework (EU-SCICF)?

On December 2, 2021, the European Systemic Risk Board (ESRB), responsible for the macroprudential oversight of the EU financial system and the prevention and mitigation of systemic risk, published a recommendation for the establishment of a pan-European systemic cyber incident coordination framework (EU-SCICF).



The European Systemic Risk Board has a broad remit, covering banks, insurers, asset managers, shadow banks, financial market infrastructures and other financial institutions and markets. In pursuit of its macroprudential mandate, the ESRB monitors and assesses systemic risks and, where appropriate, issues warnings and recommendations.

According to the ESRB, there is a need to establish a pan-European systemic cyber incident coordination framework (EU-SCICF) for relevant authorities in the Union. The objective of the EU-SCICF would be to increase relevant authorities’ level of preparedness to facilitate a coordinated response to a potentially major cyber incident.

Major cyber incidents may pose a systemic risk to the financial system, given their potential to disrupt critical financial services and operations. The amplification of an initial shock can either occur through operational or financial contagion or through an erosion of confidence in the financial system. If the financial system is unable to absorb these shocks, financial stability will be at risk and this situation can result in a systemic cyber crisis.


2 February 2025 - The European Systemic Cyber Incident Coordination Framework (EU-SCICF) as presented by the German Federal Financial Supervisory Authority (BaFin)

In BaFin's fourth annual compilation of the risks that are most capable of jeopardising the financial stability or the integrity of the financial markets in Germany, we read:

"From 2025 onwards, BaFin will gradually implement the Systemic Cyber Incident Coordination Framework (EU-SCICF) together with the other European national supervisory authorities and the European supervisory authorities EBA, ESMA and EIOPA. This framework is intended to facilitate communication and coordination between authorities in the event of cyber incidents that pose a risk to financial stability."


1 February 2025 - The European Systemic Cyber Incident Coordination Framework (EU-SCICF) in the "Cross sectoral work" of the European Banking Authority (EBA)

We read:

"The pan-European Systemic Cyber Incident Coordination Framework aims at gradually enabling an effective coordinated response at Union level in the event of a major cross-border ICT-related incident or related cyber-threat having a systemic impact on the Union’s financial sector.

The EU-SCICF forum’s scope of action is the progressive development of this framework by advancing and testing relevant tools (e.g. procedures, arrangements) to support effective coordination between authorities in case of a systemic event. To this end, the forum will also support a network of authorities to convene during such an incident or threat."

The European Systemic Cyber Incident Coordination Framework (EU-SCICF), from the European Supervisory Authorities (ESAs)

29 November 2024 - The European Systemic Cyber Incident Coordination Framework (EU-SCICF) is set up in accordance with Article 49(1) of Regulation (EU) 2022/2554 (DORA)

Terms of Reference (ToR) – EU-SCICF Forum

Note: The ToR, approved by the ESAs’ Board of Supervisors, came into effect on 17 Jan 2025.

1. The European Systemic Cyber Incident Coordination Framework (EU-SCICF) is set up in accordance with Article 49(1) of the Regulation on digital operational resilience for the financial sector, Regulation (EU) 2022/2554 (hereinafter, DORA), and with the ESAs' Joint Committee (JC) response to the Recommendation of the European Systemic Risk Board of 2 December 2021 on a pan-European systemic cyber incident coordination framework for relevant authorities (ESRB/2021/17).

2. The EU-SCICF framework foresees two modalities of operation:

(1) non-crisis mode (development, maintaining and testing of the framework) and

(2) crisis mode (facilitate the coordination of response of members in case of a systemic cyber incident).

3. The EU-SCICF Forum's scope of action covers the non-crisis mode. It is set up with the objective of facilitating the operationalisation of effective EU-level coordination (crisis mode) in the event of a cross-border major ICT-related incident or related threat that could have a systemic impact on the Union's financial sector.

4. The organisation of the EU-SCICF Forum rests with the ESA Joint Committee.

5. In light of the objective above, the EU-SCICF Forum is tasked to:

a) develop and maintain documents, protocols, procedures, arrangements, taxonomy and plans to support coordination in case of crisis mode, taking into account the existing coordination frameworks and the cyber threat landscape;

b) prepare the set-up of a dedicated ad-hoc group responsible for managing the crisis mode (when activated); and

c) exercise and test the protocols and procedures to ensure continued preparedness in the event of activation of the crisis mode of the EU-SCICF.

6. The EU-SCICF Forum will reflect these tasks in an internal annual or multi-annual work plan whose activities provide an overview of the areas of thematic focus and actions, including the exercise/testing programme. This plan will contribute to the JC work programme.

7. The EU-SCICF Forum contributes a summary of its activities to the JC annual report.

8. A webpage with more information on the EU-SCICF shall be maintained as part of the ESAs' websites, along with other materials as appropriate.



Understanding the recommendations for the Systemic Cyber Incident Coordination Framework (EU-SCICF)

According to the (December 2021) recommendation from the European Systemic Risk Board (ESRB):


Recommendation A – Establishment of a pan-European systemic cyber incident coordination framework (EU-SCICF).

1. It is recommended that, as envisaged in the Commission’s proposal for a Regulation of the European Parliament and of the Council on digital operational resilience for the financial sector (hereinafter ‘DORA’), the European Supervisory Authorities (ESAs), jointly through the Joint Committee, and together with the European Central Bank (ECB), the European Systemic Risk Board (ESRB) and relevant national authorities, start preparing for the gradual development of an effective Union-level coordinated response in the event of a cross-border major cyber incident or related threat that could have a systemic impact on the Union’s financial sector.

Preparatory work towards a Union-level coordinated response should entail the gradual development of EU-SCICF for the ESAs, the ECB, the ESRB and relevant national authorities. This also should include an assessment of the resource requirements for the effective development of the EU-SCICF.

2. It is recommended that the ESAs undertake, in view of sub-Recommendation A(1), in consultation with the ECB and the ESRB, a mapping and subsequent analysis of current impediments, legal and other operational barriers for the effective development of the EU-SCICF.


Recommendation B – Establishment of points of contact of the EU-SCICF.

It is recommended that the ESAs, the ECB and each Member State among their relevant national authorities should designate a main point of contact which should be communicated to the ESAs. This contact list will facilitate the development of the framework and, once the EU-SCICF is in place, the points of contact and the ESRB should be informed in case of a major cyber incident. Co-ordination should also be envisaged between the EU-SCICF and the designated single point of contact under Directive (EU) 2016/1148 that Member States have established on the security of network and information systems to ensure cross-border cooperation with other Member States and with the Network and Information Systems Cooperation Group.


Recommendation C – Appropriate measures at Union level.

It is recommended that, based on the result of the analyses carried out in accordance with Recommendation A, the Commission should consider the appropriate measures needed to ensure effective coordination of responses to systemic cyber incidents.


For sub-Recommendation A(1), the following compliance criteria are specified.

1. When preparing for an effective Union-level coordinated response which should entail the gradual development of the EU-SCICF by exercising the power envisaged in the future Regulation of the European Parliament and of the Council on digital operational resilience for the financial sector (hereinafter ‘DORA’), the European Supervisory Authorities (ESAs), acting through the Joint Committee, and together with the European Central Bank (ECB), the European Systemic Risk Board (ESRB) and relevant national authorities, and in consultation with the European Union Agency for Network and Information Security and the Commission where considered necessary, should consider including in the envisaged preparation for the EU-SCICF at least the following aspects:

(a) analysis of the resource requirements for effective development of the EU-SCICF;

(b) developing crisis management and contingency exercises involving cyberattack scenarios with a view to developing communication channels;

(c) development of a common vocabulary;

(d) development of a coherent cyber incident classification;

(e) establishment of secure and reliable information sharing channels, including back-up systems;

(f) establishment of points of contact;

(g) addressing confidentiality in information sharing;

(h) collaboration and information sharing initiatives with financial sector cyber intelligence;

(i) development of effective activation and escalation processes through situational awareness;

(j) clarification of the responsibilities of framework participants;

(k) development of interfaces for cross-sectoral and, where relevant, third country coordination;

(l) ensuring coherent communication by relevant authorities with the public to preserve confidence;

(m) establishment of predefined communication lines for timely communication;

(n) performance of appropriate framework testing exercises, including cross-jurisdictional testing and third country coordination, and assessments which result in lessons learned and framework evolution;

(o) ensuring effective communication and countermeasures against disinformation.


16 April 2024 – The European Systemic Risk Board (ESRB) published the paper “Advancing macroprudential tools for cyber resilience – Operational policy tools, April 2024.”

According to the paper, the pan-European systemic cyber incident coordination framework (EU-SCICF) should build on the Digital Operational Resilience Act (DORA) for the financial sector and should complement existing frameworks (e.g. financial and cyber incident) as well as the Network and Information Security (NIS2) Directive and the Resilience of Critical Entities Directive (CER).

Read the paper: Advancing macroprudential tools for cyber resilience – Operational policy tools, April 2024



16 April 2024 - ESRB Recommendation to establish a pan-European systemic cyber incident coordination framework (EU-SCICF).

In 2021 the ESRB, recognising a gap in crisis coordination frameworks, recommended that the European supervisory authorities (ESAs) start preparing for the gradual development of an effective EU-level coordinated response in the event of a cross-border major cyber incident, or a related threat, that could have a systemic impact on the Union's financial sector.

The ESRB recommended establishing the pan-European systemic cyber incident coordination framework (EU-SCICF). The EU-SCICF should build on the Digital Operational Resilience Act (DORA) for the financial sector and should complement existing frameworks (e.g. financial and cyber incident) as well as the Network and Information Security (NIS2) Directive and the Resilience of Critical Entities Directive (CER).

The framework will also consider the interplay between operational disruption (including mitigants and financial stability) and relevant macroprudential tools. The swift coordination and communication required, together with the bridging of coordination and communication gaps between the relevant authorities at Union level, will make it possible to:

• make an early assessment of a major cyber incident’s impact on financial stability;

• coordinate properly and develop a clear action plan, if required, among the financial authorities involved in planning a coordinated response to a major cyber incident;

• maintain confidence in the financial system;

• limit contagion across the financial sector.

The EU-SCICF will contribute to preventing a major cyber incident from becoming a risk to financial stability. It also establishes a list of designated points of contact for the ESAs, the ECB and each Member State.

The success of collaboration between private and public parties once an incident has occurred depends heavily on effective communication. Communication during a crisis can be described in three layers.

1. The first level is tactical and is where initial action is taken (e.g. IT teams restore systems, markets teams analyse how much liquidity may be needed and briefings are provided to other parts of the organisation). These teams establish communication lines to third parties and employees at other authorities with relevant technical capabilities, as well as internal communication between relevant units. The main actors at the tactical level are computer security incident response teams (CSIRTs).

2. The second level is operational and is where (macroprudential) coordination is initiated and management informed. This level has the main responsibility for coordination in a crisis. It is activated quickly for serious events and entails crisis preparedness and contact with higher level officials at other authorities (including other central banks), with other coordinating bodies and with the media. At this level, EU-wide frameworks such as the EU-SCICF may be activated.

3. The third level is strategic and deals with major policy questions such as changing liquidity policies and coordinating with the Government and advising it on major policy issues such as use of public funds. This level is particularly important for pan-European incidents where high level EU crisis management mechanisms (such as the Integrated Political Crisis Response) may be triggered.


George Lekatis


Content is produced and maintained under the professional responsibility of George Lekatis, General Manager of Cyber Risk GmbH, a well known expert in risk management and compliance. He also serves as General Manager of Compliance LLC, a company incorporated in Wilmington, NC, with offices in Washington, DC, providing risk and compliance training in 58 countries.
