This study highlights the complexities behind the notion of cyber crisis and the degree of subjectivity it involves. The elevation of a large-scale cyber incident into a cyber crisis relies predominantly on a political decision, and depends largely on the level of risk that EU Member States (MS) are prepared to tolerate (i.e. ‘risk appetite’).