Source: OJ L 333, 27.12.2022, p. 80–152
Article 10 Computer security incident response teams (CSIRTs)
Summary
What does Article 10 of the NIS 2 directive say?
This article establishes the framework for how Member States must set up and operate their Computer Security Incident Response Teams (CSIRTs).
It covers both the internal obligations — such as ensuring CSIRTs have adequate resources, secure infrastructure, and defined incident handling processes — and their external relationships, including cooperation within the EU-wide CSIRTs network, participation in peer reviews, and the ability to build working relationships with third-country counterparts.
The article connects closely to Article 11, which sets out the detailed requirements and tasks that CSIRTs must meet, effectively making this article the establishment provision and Article 11 the operational one.
Important points:
- Member States are required to designate or establish one or more CSIRTs, ensure they are adequately resourced, and provide them with secure communication infrastructure for exchanging information with essential and important entities.
- CSIRTs are required to cooperate within the EU CSIRTs network and participate in peer reviews organised under Article 19.
- CSIRTs may establish cooperation relationships with third-country incident response teams, including exchanging personal data in accordance with Union data protection law.
Springlex's summary of the article is a reading aid, not a substitute for the legal text.
Each Member State shall designate or establish one or more CSIRTs. The CSIRTs may be designated or established within a competent authority. The CSIRTs shall comply with the requirements set out in Article 11(1), shall cover at least the sectors, subsectors and types of entity referred to in Annexes I and II, and shall be responsible for incident handling in accordance with a well-defined process.
Member States shall ensure that each CSIRT has adequate resources to carry out effectively its tasks as set out in Article 11(3).
Member States shall ensure that each CSIRT has at its disposal an appropriate, secure, and resilient communication and information infrastructure through which to exchange information with essential and important entities and other relevant stakeholders. To that end, Member States shall ensure that each CSIRT contributes to the deployment of secure information-sharing tools.
The CSIRTs shall cooperate and, where appropriate, exchange relevant information in accordance with Article 29 with sectoral or cross-sectoral communities of essential and important entities.
The CSIRTs shall participate in peer reviews organised in accordance with Article 19.
Member States shall ensure the effective, efficient and secure cooperation of their CSIRTs in the CSIRTs network.
The CSIRTs may establish cooperation relationships with third countries’ national computer security incident response teams. As part of such cooperation relationships, Member States shall facilitate effective, efficient and secure information exchange with those third countries’ national computer security incident response teams, using relevant information-sharing protocols, including the traffic light protocol. The CSIRTs may exchange relevant information with third countries’ national computer security incident response teams, including personal data in accordance with Union data protection law.
The CSIRTs may cooperate with third countries’ national computer security incident response teams or equivalent third-country bodies, in particular for the purpose of providing them with cybersecurity assistance.
Each Member State shall notify the Commission without undue delay of the identity of the CSIRT referred to in paragraph 1 of this Article and the CSIRT designated as coordinator pursuant to Article 12(1), of their respective tasks in relation to essential and important entities, and of any subsequent changes thereto.
Member States may request the assistance of ENISA in developing their CSIRTs.
Relevant recitals
Recital 41 National CSIRTs
Member States should be adequately equipped, in terms of both technical and organisational capabilities, to prevent, detect, respond to and mitigate incidents and risks. Member States should therefore establish or designate one or more CSIRTs under this Directive and ensure that they have adequate resources and technical capabilities. The CSIRTs should comply with the requirements laid down in this Directive in order to guarantee effective and compatible capabilities to deal with incidents and risks and to ensure efficient cooperation at Union level. Member States should be able to designate existing computer emergency response teams (CERTs) as CSIRTs. In order to enhance the trust relationship between the entities and the CSIRTs, where a CSIRT is part of a competent authority, Member States should be able to consider functional separation between the operational tasks provided by the CSIRTs, in particular in relation to information sharing and assistance provided to the entities, and the supervisory activities of the competent authorities.
Recital 61 Designated coordinating CSIRT
Member States should designate one of its CSIRTs as a coordinator, acting as a trusted intermediary between the reporting natural or legal persons and the manufacturers or providers of ICT products or ICT services, which are likely to be affected by the vulnerability, where necessary. The tasks of the CSIRT designated as coordinator should include identifying and contacting the entities concerned, assisting the natural or legal persons reporting a vulnerability, negotiating disclosure timelines and managing vulnerabilities that affect multiple entities (multi-party coordinated vulnerability disclosure). Where the reported vulnerability could have significant impact on entities in more than one Member State, the CSIRTs designated as coordinators should cooperate within the CSIRTs network, where appropriate.
This text, provided by Springlex, is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definition: network and information system
- (a) an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972;
- (b) any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or
- (c) digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance;