Description

European Union Agency for Cybersecurity adopted Cybersecurity Exercise Methodology

On 16 February 2026, the European Union Agency for Cybersecurity (ENISA) adopted the Cybersecurity Exercise Methodology to guide organisations in developing cybersecurity exercises. The framework provides a theoretical approach for the planning, execution, and evaluation of simulations designed to test team and system capabilities against emerging cyber threats. The methodology aims to support the development of exercises that build resilience and agility in mitigating cyber risks through the testing of skills, processes, and internal policies. It includes a support toolkit featuring examples, templates, and practical guidance to facilitate a structured approach across the whole lifecycle of an exercise. This lifecycle is divided into six distinct phases, incorporating go/no-go checklists at each stage to ensure that requirements are met and potential risks are reduced before proceeding. While originally developed for crisis management at the European Union level, the documentation is intended for use by cybersecurity professionals, national governments, and private organisations regardless of their current maturity level. The methodology aligns with established international standards, specifically ISO 22398:2013 and ISO 22361:2022. As a living document, the methodology provides a mechanism for users to share feedback and practical insights to ensure the guidance adapts to the evolving cybersecurity landscape.

Original source

Scope

Policy Area: Data governance
Policy Instrument: Cybersecurity regulation
Regulated Economic Activity: cross-cutting
Implementation Level: supranational
Government Branch: executive
Government Body: other regulatory body

Complete timeline of this policy change

2026-02-16: adopted

On 16 February 2026, the European Union Agency for Cybersecurity (ENISA) adopted the Cybersecurity …