
The European Union Agency for Cybersecurity (ENISA) has released a comprehensive handbook to guide national and sectoral authorities in overseeing the cybersecurity and resilience of critical infrastructure under the NIS 2 Directive. Designed for use at the national, regional, and EU levels, the Handbook for Cyber Stress Testing provides a structured approach to assessing the cybersecurity and resilience of critical sector entities. It may also serve as a valuable resource for supervisory bodies operating under related regulations, such as the Digital Operational Resilience Act (DORA) and the Critical Entities Resilience (CER) directive.

The handbook defines a cyber stress test as ‘a targeted assessment of the resilience of individual organisations and their ability to withstand and recover from significant cybersecurity incidents, ensuring the provision of critical services, in different risk scenarios.’ Cyber stress tests are becoming an essential part of the regulatory toolkit for national authorities, complementing existing oversight methods and enabling more focused, risk-informed supervision of critical sectors. ENISA remains committed to supporting authorities and agencies, nationally, regionally, and across the EU, in implementing effective cyber stress testing programs.

The handbook outlines five key steps for organising a cyber resilience stress test, providing a structured roadmap for national and sectoral authorities.

  1. Defining the scope and objectives involves selecting the relevant sector and entities, identifying test objectives and risk scenarios, and engaging stakeholders.
  2. Designing the stress test includes refining the methodology, developing realistic risk scenarios, selecting appropriate resilience metrics, and setting a clear timeline.
  3. Executing the test focuses on effective engagement and offering support and guidance to participating entities throughout the process.
  4. Gap analysis is then conducted to uncover critical findings and highlight resilience gaps.
  5. The conclusion phase involves compiling recommendations and lessons learned to inform future improvements and policymaking.

The structured approach helps authorities assess individual organizational resilience as well as systemic risks across sectors and jurisdictions. The handbook explains how cyber stress tests can be used to evaluate organizational resilience, interdependencies, and systemic risk, and these insights help identify vulnerabilities and capability gaps at both the individual and sector-wide levels.

The guidance is designed to be applicable at national, regional, and EU levels and includes a practical example focused on the EU health sector. In addition, the handbook provides actionable recommendations for each phase of the process, from selecting the number and type of entities tested to developing realistic scenarios and applying resilience metrics.

National cybersecurity authorities and agencies can use cyber stress tests for several key purposes. They help assess the preparedness of individual entities to withstand significant cybersecurity incidents, even under severely adverse conditions. These tests also allow authorities to evaluate the overall resilience of a critical sector and gain insights into potential systemic risks.

Cyber stress tests can support responses to national risk assessments that highlight specific threats or scenarios. They also serve as valuable preparation for cyber exercises involving cross-border and cross-sector operational collaboration. Additionally, the results can inform supervisory priorities by identifying systemic issues and vulnerabilities. Importantly, these tests can foster dialogue on key threats and encourage collaboration between authorities and critical sector entities.

For the organizations undergoing a cyber stress test, the process offers clear benefits. It provides a structured opportunity to assess their level of preparedness and resilience in the face of significant cybersecurity incidents, helping them better understand and address potential gaps in their defenses.

Under NIS2, national authorities and agencies must supervise the cybersecurity and resilience of entities in the critical sectors. National authorities can take many different approaches to this, and cyber stress tests can become part of their toolkit.

After defining sector-specific cybersecurity requirements, authorities typically verify compliance through audits, conducted by the authority itself or by accredited third parties, either before (ex-ante) or after (ex-post) an incident. Audits may be paper-based, remote, or on-site and have historically focused on broad compliance frameworks such as ISO 27001 or SOC 2, making them lengthy and costly.

Effective supervision, however, involves more than audits. Authorities can also share threat-intelligence feeds and guidance; convene workshops to raise awareness and address common issues; launch public-private partnerships; run sector-wide cyber exercises; and use cyber stress tests to probe specific threats or risk scenarios and spark deeper dialogue with operators.

Apart from cyber stress tests, authorities have a wide range of other assessment and testing methods at their disposal, such as on-site audits, penetration tests, ethical hacking, red-teaming, and vulnerability scanning. Authorities and agencies should select the methods that fit their setting and their needs.

Depending on the cybersecurity maturity of the sector and on their needs, authorities can adopt either a more mandatory and stringent approach to cyber stress tests or a more voluntary and exploratory one. In either case, authorities should be clear upfront with the entities being tested about what will happen with the stress test results and whether identified gaps will be followed up.

ENISA detailed that national cyber stress tests are typically conducted by a national authority tasked with overseeing cybersecurity within a specific critical sector. These tests aim to assess the resilience of selected entities to major cyber incidents. While stress tests can also be conducted at regional or EU-wide levels, national-level tests are often the most straightforward to organize.

Authorities may choose to test a large number of entities with a broad, quantitative approach, producing general statistics on sector maturity. Alternatively, a smaller, targeted group allows for more tailored assessments and deeper follow-up.

National cybersecurity bodies are encouraged to coordinate with other sectoral regulators, such as those in finance or disaster resilience, who may bring experience from stress testing in their domains. The cross-sectoral knowledge can help design more effective cyber stress tests that align with broader national resilience goals.

Regional cyber stress tests, while more complex to plan and coordinate, can offer significant benefits, especially in regions with interconnected economies and shared infrastructure. For example, two neighboring countries with linked electricity grids may conduct a joint stress test involving five key entities from each nation, aiming to strengthen cross-border collaboration between authorities and entities.

The Cyber Solidarity Act encourages such coordinated efforts among EU Member States. The European Commission has allocated funding through the Digital Europe Programme to support these activities, including national and regional cyber stress tests using various assessment methodologies.

The European Central Bank (ECB) recently conducted an EU-wide cyber stress test of the financial sector, while the European Commission and member states carried out a similar exercise for the energy sector, focusing on physical threats and natural disasters. Union-level stress tests offer valuable support to national authorities by providing common tools, such as questionnaires and data analysis, while fostering EU-wide dialogue on shared threats.

For example, a joint effort involving 20 to 30 national authorities might assess ransomware readiness across liquefied natural gas terminals, selecting two to five key entities per country. Findings from such tests can reveal systemic risks, promote best practices, and inform EU policy and supervision priorities.

In its conclusion, ENISA emphasized the value of cyber stress testing as a practical tool for assessing and improving resilience across critical sectors. The handbook introduced the concept, outlined a step-by-step methodology, and referenced real-world case studies and good practices. While still relatively new to the cybersecurity domain, stress testing has a proven track record in sectors like finance, where it is used to assess systemic risks and strengthen preparedness.

Cyber stress tests offer national NIS authorities a targeted, lightweight approach to evaluating cybersecurity gaps and operational resilience in complex, interconnected systems. As these tests gain traction, they are becoming an important addition to the regulatory oversight toolkit. ENISA expressed its commitment to supporting national and EU-level authorities in implementing cyber stress tests to strengthen collective cyber resilience.

Last week, ENISA launched the European Vulnerability Database (EUVD or EU Vulnerability Database), as mandated by the NIS2 Directive. Now live and maintained by the agency, the EUVD serves as a centralized, trusted source of actionable information on cybersecurity vulnerabilities affecting products and services. It provides detailed entries, including mitigation guidance and exploitation status. The EUVD is designed to improve the integration and interoperability of publicly available vulnerability data from various sources, including CSIRTs, vendors, and existing databases.