ENISA unveils cyber stress testing handbook to strengthen critical infrastructure resilience under NIS2
ENISA has released a handbook on cyber stress testing to support national and sectoral authorities in assessing the cybersecurity and resilience of critical infrastructure under the NIS2 Directive.
The European Union Agency for Cybersecurity (ENISA) has released a Handbook for Cyber Stress Testing to support national and sectoral authorities in assessing the cybersecurity and resilience of critical infrastructure, in line with the NIS2 Directive. The guidance is intended for use at the national, regional, and EU levels and complements regulatory frameworks such as the Digital Operational Resilience Act (DORA) and the Critical Entities Resilience (CER) directive.
Cyber stress tests are defined as targeted assessments of an organisation’s capacity to maintain critical services during and after significant cybersecurity incidents. The handbook outlines five main steps for organising these tests:
- Defining scope and objectives – identifying relevant sectors, entities, risk scenarios, and test goals;
- Designing the test – developing methodologies, resilience metrics, and timelines;
- Executing the test – engaging participants and providing guidance;
- Conducting a gap analysis – identifying key findings and resilience gaps;
- Concluding and follow-up – compiling lessons learned and formulating recommendations.
The structured process enables authorities to evaluate both organisational preparedness and systemic sectoral risks. Practical recommendations are provided for each step, and an example from the health sector illustrates potential applications.
Authorities may use cyber stress tests to inform national risk assessments, prepare for cyber exercises, identify sector-wide vulnerabilities, and support supervisory planning. Tests can also serve as a basis for dialogue between regulators and operators.
While audits and certifications remain standard supervisory tools, stress tests offer an additional method tailored to specific risk scenarios. Depending on sector maturity and regulatory context, authorities may adopt either a voluntary or more prescriptive approach to testing. ENISA recommends clearly communicating the scope, purpose, and use of test results in advance.
Cyber stress tests can be conducted at national, regional, or EU-wide levels. National-level exercises are typically overseen by authorities responsible for specific critical sectors, either broadly assessing sector maturity or focusing on selected entities. Cooperation with sectoral regulators, such as those in finance or civil protection, can enhance the design and implementation of tests.
Regional and EU-wide stress tests, though more complex to coordinate, may be suited to sectors with cross-border dependencies. Recent examples include joint efforts in the energy and financial sectors, coordinated by the European Commission and the European Central Bank. EU funding through the Digital Europe Programme is available to support such initiatives, including the development of common tools and methodologies.
In parallel, ENISA has launched the European Vulnerability Database (EUVD), mandated under NIS2. The EUVD is a centralised, authoritative source of publicly available vulnerability information, supporting coordination among national CSIRTs, vendors, and regulators.
The Handbook for Cyber Stress Testing contributes to broader efforts to strengthen risk-informed cybersecurity oversight across the EU and encourages the consistent integration of cyber stress testing into national and sectoral supervisory practices.
Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!
