Article 7, NIS 2 Directive (Proposal 16.12.2020).
National cybersecurity crisis management frameworks
1. Each Member State shall designate one or more competent authorities responsible for the management of large-scale incidents and crises. Member States shall ensure that competent authorities have adequate resources to perform, in an effective and efficient manner, the tasks assigned to them.
2. Each Member State shall identify capabilities, assets and procedures that can be deployed in case of a crisis for the purposes of this Directive.
3. Each Member State shall adopt a national cybersecurity incident and crisis response plan where objectives and modalities in the management of large-scale cybersecurity incidents and crises are set out. The plan shall lay down, in particular, the following:
(a) objectives of national preparedness measures and activities;
(b) tasks and responsibilities of the national competent authorities;
(c) crisis management procedures and information exchange channels;
(d) preparedness measures, including exercises and training activities;
(e) relevant public and private interested parties and infrastructure involved;
(f) national procedures and arrangements between relevant national authorities and bodies to ensure the Member State’s effective participation in and support of the coordinated management of large-scale cybersecurity incidents and crises at Union level.
4. Member States shall communicate to the Commission the designation of their competent authorities referred to in paragraph 1 and submit their national cybersecurity incident and crisis response plans as referred to in paragraph 3 within three months from that designation and the adoption of those plans. Member States may exclude specific information from the plan where and to the extent that it is strictly necessary for their national security.
Note: This is not the final text of the NIS 2 Directive. This is the text of the NIS 2 Directive Proposal of 16.12.2020.