**3.3 Assessment of the cyber risk across organizations**

An RA for a specific CI sector is feasible, as shown by the EUropean Risk Assessment and COntingency planning Methodologies for interconnected energy networks (EURACOM) project [37]. This approach extended the EUropean Risk Assessment Methodology (EURAM) [38] with contingency planning. In particular, chapter 4 of the EURACOM report discusses the cyber threats to the energy CI sector. The methodology is based on a common and holistic approach (end-to-end energy supply chain) to RA, RM and contingency planning across the power, gas, and oil CI subsectors.

The seven steps of the EURAM RA methodology are shown in **Figure 3**. The methodology scales from the department level to the operator level, the CI or CII sector level, and the national level. Moreover, the methodology may embed the results of other RA methodologies. Risk that cannot be dealt with at a certain level may be passed as input to the next higher level of abstraction. For example, the risk implications of a pandemic or a state-actor cyber-attack on a nation cannot be managed by a CI operator alone and must be off-loaded to, and managed at, the national or even supranational level.
