The exercise will test how cyber security experts across the EU would respond to genuine cyber attacks on banks.
Cyber security experts from the financial institutions, as well as others from internet service providers (ISPs), telecoms firms and local and national Governments are all involved in the exercise.
The European Commission said that the experts are testing how they tackle more than 1,200 separate "cyber incidents" as part of a "simulated distributed denial of service (DDoS) campaign".
DDoS attacks typically involve hackers using malware-infected computers to bombard systems with such large amounts of traffic that they cease to function.
"The exercise is testing how they would respond and co-operate in the event of sustained attacks against the public websites and computer systems of major European banks," the Commission said in a statement. "If real, such an attack would cause massive disruption for millions of citizens and businesses across Europe, and millions of Euros of damage to the EU economy."
The Commission said that there was a 36% rise in the number of "web-based attacks" in 2011, and that there had been a "four-fold increase in companies reporting security incidents with a financial impact" between 2007 and 2010. The World Economic Forum has said that there is a 10% risk that, within the next decade, a "major Critical Information Infrastructure incident" could occur and cause €200 billion-worth in "economic damage", it added.
Neelie Kroes, who is responsible for the European Commission's Digital Agenda, said: "This is the first time banks and internet companies have been part of an EU-wide cyber-attack exercise. This cooperation is essential given the growing scale and sophistication of cyber-attacks. Working together at European level to keep the internet and other essential infrastructures running is what today's exercise is all about."
The Commission said that it intends to "present a comprehensive strategy on cyber security" before the end of the year. The proposals will contain draft legislation with the aim of improving "network and information security across the EU" and will "provide for a cooperation mechanism amongst the Member States and introduce security requirements for the private sector".
In July the Commission began consulting on the issue, seeking the views of Governments, businesses and others in a bid to help it form its legislative plans. At the time it said that businesses could be required to report when their "essential" systems, including the internet, have been disrupted due to "cyber incidents". The consultation runs until 15 October.
The Commission is seeking to expand the existing security breach notification regime that operates in the telecoms sector.
Currently telecoms operators and internet service providers are required, under the EU's Privacy and Electronic Communications Directive, to "take appropriate technical and organisational measures to appropriately manage the risks posed to security of networks and services" and take measures to "prevent and minimise the impact of security incidents on users and interconnected networks." The Directive requires that the network or service providers notify national regulators of any "breach of security or loss of integrity that has had a significant impact on the operation of networks or service".
Regulators can share details of the incidents with regulators in other EU member states and can require that the public is also notified of breaches if it is in the public interest for the notification to be made, under the terms of the Directive.
Technology law specialist Luke Scanlon of Pinsent Masons, the law firm behind Out-Law.com, last month said that senior managers in UK business should pay greater attention to the threat of cyber attacks, establish what the cost of such an incident would be to their firms and insure against it.
