Cross-Border SOC Exercise

Czech–Saxony-Anhalt table-top scheduled for 2027.

Mansfeld-Südharz, Germany - December 4, 2025

A civilian red-team drill that will test the first NIS2 mutual-aid clause between two EU regions without moving a single byte across military networks

The calendar entry is still marked “tentative” in three languages, but the diplomatic note that reached the county chancellery last week carries enough signatures to make the 2027 Czech–Saxony-Anhalt cross-border SOC exercise feel inevitable. What began as a hallway conversation in Prague’s CZ.NIC headquarters has evolved into a fully budgeted civilian drill that will pit a mixed blue team against a simulated ransomware syndicate for forty-eight hours, using only the shared tooling of the Cyber Resilience Alliance and the Czech national CSIRT’s telemetry feeds. The novelty is not the duration nor the scenario; it is the legal wrapper: the exercise will be the first field test of the NIS2 mutual-aid clause that allows two public administrations to pool real-time incident data without invoking NATO or EU military protocols, a step that regulators in Brussels have wanted to see since the directive was finalised but that no region has yet dared to try.

The choreography is deliberately minimalist. Both sides will keep their production networks untouched; instead, each SOC replicates a 1:10 scale clone of its live environment inside an air-gapped cluster physically located in the former railway freight depot in Bitterfeld. The depot’s 400-metre-long hall is already wired for 100 Gb/s dark fibre that terminates 38 kilometres away at the DE-CIX apocalypse-proof node in Leipzig, giving the Czech observers the same latency they would experience from their own colocation cages in Holešovice. A second 40 Gb/s line runs south-west to Prague’s National Cyber and Information Security Agency (NUCZ) emergency floor, ensuring that if either national authority wants to pull the plug it can do so by physically severing a single patch cord, a design choice that satisfied both data-protection officers, who insisted on a mechanical kill-switch rather than a software API.

Scenario writers have agreed on a two-phase plot. During the first twelve hours a commodity ransomware strain—stripped of its crypto routines but leaving behaviour intact—will land inside a fictional chemicals distributor that exists only as Terraform code. The distributor’s OT network controls a simulated polymer batch reactor whose temperature curve is copied from real historian data donated by a local paint manufacturer; if the reactor drifts more than 3 °C for longer than ninety seconds, the exercise shifts into Phase Two, triggering a mutual-aid request under Article 22 of NIS2. At that moment the Czech team gains read-only access to the German SIEM, while the German team receives mirrored telemetry from the Czech national sensor grid, a reciprocal visibility that has never been attempted outside classified military circles. The legal basis is a one-page Memorandum of Cooperation signed by both interior ministries in October 2025; it states that raw packet payloads remain under the originating state’s jurisdiction, while IoCs and statistical aggregates are treated as Community-wide public goods, a compromise that took six months to negotiate but that now sits in the drawer like a pre-nuptial agreement waiting for the wedding day.
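The Phase Two trigger described above, as an added sketch that is not taken from the exercise's own tooling: it fires only when the measured temperature stays more than 3 °C from the reference curve for longer than ninety seconds. The sample layout, the function names and the rule that a telemetry gap resets the timer are assumptions.

```python
from typing import Iterable, List, Optional, Tuple

DRIFT_LIMIT_C = 3.0     # from the scenario: "more than 3 °C"
HOLD_SECONDS = 90.0     # from the scenario: "longer than ninety seconds"
MAX_GAP_SECONDS = 10.0  # assumption: a longer gap in telemetry resets the timer

Sample = Tuple[float, float, float]  # (t_seconds, measured_c, reference_c)


def phase_two_trigger(samples: Iterable[Sample]) -> Optional[float]:
    """Return the timestamp at which Phase Two fires, or None if it never does."""
    drift_start = None
    prev_t = None
    for t, measured, reference in samples:
        drifting = abs(measured - reference) > DRIFT_LIMIT_C
        if prev_t is not None and t - prev_t > MAX_GAP_SECONDS:
            drift_start = None  # cannot prove the drift was continuous
        prev_t = t
        if not drifting:
            drift_start = None  # back inside the band: excursion is over
        elif drift_start is None:
            drift_start = t     # first out-of-band sample of a new excursion
        elif t - drift_start > HOLD_SECONDS:
            return t
    return None


def constructed_series(start: float, end: float, offset_c: float,
                       step: float = 5.0, reference_c: float = 80.0) -> List[Sample]:
    """Constructed test data: a flat reference curve with a constant offset."""
    out = []
    t = start
    while t <= end:
        out.append((t, reference_c + offset_c, reference_c))
        t += step
    return out
```
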

Operational control follows the same symmetry. Each SOC keeps its own run-books, but both feed a shared STIX repository hosted on an immutable ledger anchored in the Bitterfeld depot. Every observable artifact—IP, hash, YARA rule, Sigma signature—must carry a dual signature: one from the duty officer on the producing side, one from the liaison officer on the consuming side. The ledger appends a Merkleised timestamp every thirty seconds, creating an evidentiary chain that regulators can audit after the fact to prove that no unauthorised retagging took place, a safeguard demanded by Czech privacy law and by the German Federal Data Protection Act in equal measure. If the ledger diverges by even a single hash, the exercise pauses automatically, forcing human adjudication before traffic can resume, a design that turns integrity itself into a kill-switch.
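The dual-signature and checkpoint rule described above, as an added sketch that is not the Alliance's ledger code: HMAC-SHA256 with constructed demo keys stands in for the officers' signatures, and the entry layout and function names are assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo keys. HMAC stands in for the officers' signatures;
# the article does not say which signature scheme is used.
PRODUCER_KEY = b"demo-duty-officer-key"
CONSUMER_KEY = b"demo-liaison-officer-key"

def canonical(obj: dict) -> bytes:
    """Serialise deterministically so both sides sign and hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sign(key: bytes, observable: dict) -> str:
    return hmac.new(key, canonical(observable), hashlib.sha256).hexdigest()

def make_entry(observable: dict) -> dict:
    """Build a ledger entry carrying both signatures over the observable."""
    return {"observable": observable,
            "producer_sig": sign(PRODUCER_KEY, observable),
            "consumer_sig": sign(CONSUMER_KEY, observable)}

def dual_signed(entry: dict) -> bool:
    """An entry is admissible only if both signatures verify."""
    obs = entry["observable"]
    return (hmac.compare_digest(entry.get("producer_sig", ""), sign(PRODUCER_KEY, obs))
            and hmac.compare_digest(entry.get("consumer_sig", ""), sign(CONSUMER_KEY, obs)))

def merkle_root(entries: list) -> str:
    """Merkle root over the entries; leaf and node hashes are domain-separated."""
    level = [hashlib.sha256(b"\x00" + canonical(e)).digest() for e in entries]
    if not level:
        return hashlib.sha256(b"").hexdigest()
    while len(level) > 1:
        paired = [hashlib.sha256(b"\x01" + level[i] + level[i + 1]).digest()
                  for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            paired.append(level[-1])  # odd node is promoted unchanged
        level = paired
    return level[0].hex()

def checkpoint(local: list, remote: list) -> str:
    """Decision at one thirty-second checkpoint: 'continue' or 'pause'."""
    if not all(dual_signed(e) for e in local + remote):
        return "pause"  # retagged or single-signed entry
    return "continue" if merkle_root(local) == merkle_root(remote) else "pause"
```
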

"A civilian Article 5 for packets: once the idea is in the wild, the only thing left to scale is courage."

The red team is outsourced but not anonymous. The Czech cabinet approved a competitive tender that selected a Prague-based consultancy composed entirely of former CSIRT staff who hold NATO SECRET clearances but will work unclassified during the drill, a hybrid status that gives them access to nation-grade exploit frameworks while keeping the exercise inside civilian legal airspace. Their brief is to maximise dwell time without ever deploying destructive payloads; instead they must exfiltrate a 200-row customer database and threaten to publish it on a simulated dark-web leak site unless a 1.2 million-euro ransom is paid in Monero. The wallet exists on a private testnet, so no real value changes hands, but the transaction metadata must traverse the public Monero testnet for thirty minutes before the red team can claim victory, giving the blue side a narrow window to trace the mixing logic and issue a takedown notice to the simulated hoster, a procedural step that tests both countries’ legal quick-freeze mechanisms under the EU Cyber-Sanctions regime.

Metrics are few but unforgiving. The blue teams must detect initial ingress within ninety minutes, isolate the OT network within three hours, and produce a court-ready evidence package within six. Failure on any single metric triggers an automatic after-action review streamed live to observers from DG CONNECT and the EU Cyber-Security Agency, turning the depot into a temporary classroom for every other region considering a similar pact. Success is defined more stringently: the teams must also publish a post-mortem playbook under Creative Commons within thirty calendar days, including all anonymised logs and the Ansible playbooks used to rebuild the environment, ensuring that the exercise yields a reusable artefact rather than a ceremonial pat on the back. If they succeed, the ledger will mint a non-fungible token that acts as a compliance passport recognised by both national regulators, the first time a training event produces a credential that can be presented during future NIS2 audits.

Funding is already locked. The Czech cabinet set aside 1.8 million Czech koruna in its 2026 cybersecurity budget, while Saxony-Anhalt’s interior ministry matched the sum through the EFRE digitalisation envelope, giving the organisers a combined 3.6 million € for a drill that is expected to cost 2.9 million €, leaving a contingency reserve large enough to cover travel, translation and the inevitable last-minute hardware failure. No vendor sponsorship is accepted, a deliberate choice to avoid the optics of a trade show; instead, equipment is loaned by both parents and returned wiped at the end, keeping the exercise financially sterile. What little marketing exists will carry a single logo: the Cyber Resilience Alliance crest, ensuring that the brand travels while the governance remains county-bound.

Save-the-date cards go out in January 2026, but the real signalling happens now. By publishing the scenario outline eighteen months in advance, the organisers hope to attract at least six additional regions—Hungary, Austria, Slovenia and three German Länder have already signalled informal interest—turning the bilateral drill into a de facto European qualification standard. If that happens, the freight depot in Bitterfeld will have achieved something bigger than a training event: it will have boot-strapped a civilian equivalent of Article 5, not for tanks, but for packets, a mutual-defence clause that runs on open-source code instead of closed-door treaties. And once that idea is in the wild, the only thing left to scale is courage.


The Cyber Resilience Alliance is a public-private partnership established in 2025, led by CypSec, Validato and the County of Mansfeld-Südharz. The Alliance operates a sovereign private-cloud security stack, a shared SOC and a cyber academy, aiming to make Mansfeld-Südharz the reference site for rural cyber resilience by 2030.

Media Contact: Daria Fediay, Chief Executive Officer at CypSec - daria.fediay@cypsec.de.
