Introducing the CERT-EU Cyber Threat Intelligence Framework

By CERT-EU

Cyber threat intelligence is only as useful as the foundations it is built upon. Without a shared vocabulary, consistent methods, and clear priorities, even the best analysis risks being misunderstood, misapplied, or lost in translation between the teams that produce it and the people who need to act on it.

Today we are publishing our Cyber Threat Intelligence Framework — the analytical and operational backbone of how CERT-EU classifies, assesses, and prioritises malicious cyber activity relevant to Union entities, our constituents, and their wider ecosystem.

Why a framework — and why now?

Union entities operate in an increasingly complex threat environment. They span multiple countries, sectors, and partnerships. They rely on shared systems, common software, and interconnected supply chains. A threat to one can quickly become a threat to many.

Over the years, we have refined our internal methods to keep pace with this reality. The framework formalises that work into a single, transparent reference document. It is designed to serve two audiences: our analysts who produce threat intelligence, and the security officers, primary operational contacts, and decision-makers across Union entities who receive it and act on it.

What is in the framework?

The framework introduces the core concepts and scales that structure our CTI products:

  • Malicious activities of interest (MAIs) — how we define what we track and why.
  • Ecosystem — the components (countries, sectors, events, partners, providers, software, and systems) that determine whether a threat is relevant to our constituents, even when they are not directly targeted.
  • Threat and counter-threat categories — classifying activity by adversarial intent, from cyberespionage to hacktivism, cybercrime, and beyond.
  • Threat domains — a hierarchical model for scoping the geographical and institutional reach of a threat.
  • Threat levels and threat actor levels — structured scales for prioritising alerts and adversaries.
  • Confidence and uncertainties — how we assess information quality using the NATO Admiralty Code and communicate analytical uncertainty using FIRST-standard language.
  • Attribution — the principles that govern our strictly technical, evidence-based approach to linking activity to threat actors.
  • Scoring — how we calculate threat and mitigation scores to support prioritised defence planning.

The framework is also a key enabler for our Full-Spectrum Adversary Approach, our own flavour of threat-informed defence, which relies on consistent modelling of threats across both strategic and technical dimensions.

Built on recognised standards

The framework does not reinvent the wheel. It aligns with EU cybersecurity regulations, MITRE ATT&CK, NATO intelligence standards, and FIRST good practices for CTI reporting. Where we have developed our own methods — such as the ecosystem model or the scoring formulae — we have documented the reasoning transparently.

A living document

The framework reflects our current practices, but it is not set in stone. We expect it to evolve as the threat landscape changes, as regulations develop, and as we learn from our constituents and partners.

We welcome your feedback. If you have questions, suggestions, or observations, please reach out to us at services@cert.europa.eu.

Read the full CERT-EU Cyber Threat Intelligence Framework.
