The Cyber Emergency Response Plan provides those charged with its execution with the tools they need to react in an appropriate and flexible manner to the events that occur and to provide the best possible protection for the citizens or sectors affected, their vital interests and the nation's economic interests.
This is the first measure in the crisis management cycle. It enables the authorities to evaluate the degree of urgency and the impact of the incident on Luxembourg.
The 'increased surveillance' measure includes the actions to be implemented during a risk situation. It involves in particular:
- writing status reports on network traffic, the state of the network infection and the effectiveness of the countermeasures in place;
- evaluating all the statistics and data available to determine the severity of the situation and to be able to react instantly if necessary.
'Technical analysis' is a measure that groups all the actions required to analyse in detail the attack, intrusion or other IT incident that could be linked to or could have caused the crisis situation. It also involves identifying all the systems affected to some degree (collateral damage) in order to organise coordination of and cooperation between the stakeholders involved and the international CERT community.
The 'isolation' measure acts on network traffic to counter any denial-of-service attacks (distributed or not).
It can also be applied to effectively isolate the systems under threat and avoid any information leaks.
System upgrade and protection
The 'system upgrade and protection' measure aims to contact potential targets, listed depending on the type of attack, in order to verify the existence of certain vulnerabilities that may be exploited by a threat. This list also includes the systems that may be targeted by an attack.
Having verified the vulnerabilities in a situation, the CERC will propose that the CC put in place:
- preventive measures concerning potential targets;
- protective measures for potential targets;
- or that the CC should partially or fully disconnect a target.
The 'isolation' measure is triggered if disconnecting a potential target is appropriate.
Activation of the national cyber reserve
'Activating the national cyber reserve' is a measure that aims to call on experts from the information systems and communication security sector of the public administration. If required and for specific areas, the reserve can be supplemented by experts from the private sector or international organisations of which Luxembourg is part. This measure is only triggered in a crisis of significant scope with a considerable impact.
Restoration of services
'Restoring services' is a measure which includes all the actions required to ensure that the activities affected by the incident can be resumed.
Restoration is done in stages and/or by priority level, and is brought to a close when the situation returns to normal.