Source: OJ L 333, 27.12.2022, p. 80–152Current language: EN
- High common level of cybersecurity for entities
Basic legislative acts
- NIS 2 directive
Article 15 CSIRTs network
Summary What does Article 15 of the NIS 2 directive say?
This article establishes the network of national CSIRTs, which is the operational backbone for incident response cooperation across Member States.
Building directly on Article 10, which requires each Member State to designate or establish CSIRTs, this article brings those national bodies together into a formal network.
The article is notably detailed in setting out the tasks of this network, which centre on information sharing, coordinated responses to incidents, and the development of common operational practices.
ENISA plays a supporting role by providing the secretariat, while the Commission participates only as an observer.
The network also has a reporting obligation to the Cooperation Group and must maintain a working relationship with EU-CyCLONe.
Important points:
- The CSIRTs network is composed of national CSIRTs established under Article 10, with CERT-EU also included as a member.
- The CSIRTs network is required to produce a report on operational cooperation every two years, drawing on peer review outcomes, and submit it to the Cooperation Group.
- The CSIRTs network and EU-CyCLONe are required to agree on procedural arrangements and cooperate on the basis of those arrangements.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
In order to contribute to the development of confidence and trust and to promote swift and effective operational cooperation among Member States, a network of national CSIRTs is established.
The CSIRTs network shall be composed of representatives of the CSIRTs designated or established pursuant to Article 10 and the computer emergency response team for the Union’s institutions, bodies and agencies (CERT-EU). The Commission shall participate in the CSIRTs network as an observer. ENISA shall provide the secretariat and shall actively provide assistance for the cooperation among the CSIRTs.
The CSIRTs network shall have the following tasks:
to exchange information about the CSIRTs’ capabilities;
to facilitate the sharing, transfer and exchange of technology and relevant measures, policies, tools, processes, best practices and frameworks among the CSIRTs;
to exchange relevant information about incidents, near misses, cyber threats, risks and vulnerabilities;
to exchange information with regard to cybersecurity publications and recommendations;
to ensure interoperability with regard to information-sharing specifications and protocols;
at the request of a member of the CSIRTs network potentially affected by an incident, to exchange and discuss information in relation to that incident and associated cyber threats, risks and vulnerabilities;
at the request of a member of the CSIRTs network, to discuss and, where possible, implement a coordinated response to an incident that has been identified within the jurisdiction of that Member State;
to provide Member States with assistance in addressing cross-border incidents pursuant to this Directive;
to cooperate, exchange best practices and provide assistance to the CSIRTs designated as coordinators pursuant to Article 12(1) with regard to the management of the coordinated disclosure of vulnerabilities which could have a significant impact on entities in more than one Member State;
to discuss and identify further forms of operational cooperation, including in relation to:
categories of cyber threats and incidents;
early warnings;
mutual assistance;
principles and arrangements for coordination in response to cross-border risks and incidents;
contribution to the national large-scale cybersecurity incident and crisis response plan referred to in Article 9(4) at the request of a Member State;
to inform the Cooperation Group of its activities and of the further forms of operational cooperation discussed pursuant to point (j), and, where necessary, request guidance in that regard;
to take stock of cybersecurity exercises, including those organised by ENISA;
at the request of an individual CSIRT, to discuss the capabilities and preparedness of that CSIRT;
to cooperate and exchange information with regional and Union-level Security Operations Centres (SOCs) in order to improve common situational awareness on incidents and cyber threats across the Union;
where relevant, to discuss the peer-review reports referred to in Article 19(9);
to provide guidelines in order to facilitate the convergence of operational practices with regard to the application of the provisions of this Article concerning operational cooperation.
By 17 January 2025, and every two years thereafter, the CSIRTs network shall, for the purpose of the review referred to in Article 40, assess the progress made with regard to the operational cooperation and adopt a report. The report shall, in particular, draw up conclusions and recommendations on the basis of the outcome of the peer reviews referred to in Article 19, which are carried out in relation to the national CSIRTs. That report shall be submitted to the Cooperation Group.
The CSIRTs network shall adopt its rules of procedure.
The CSIRTs network and EU-CyCLONe shall agree on procedural arrangements and cooperate on the basis thereof.
Relevant recitals
Recital 45 CSIRT cooperation outside the EU
Given the importance of international cooperation on cybersecurity, the CSIRTs should be able to participate in international cooperation networks in addition to the CSIRTs network established by this Directive. Therefore, for the purpose of carrying out their tasks, the CSIRTs and the competent authorities should be able to exchange information, including personal data, with the national computer security incident response teams or competent authorities of third countries provided that the conditions under Union data protection law for transfers of personal data to third countries, inter alia those of Article 49 of Regulation (EU) 2016/679, are met.
Recital 47 CSIRT cooperation within the EU
The CSIRTs network should continue to contribute to strengthening confidence and trust and to promote swift and effective operational cooperation among Member States. In order to enhance operational cooperation at Union level, the CSIRTs network should consider inviting Union bodies and agencies involved in cybersecurity policy, such as Europol, to participate in its work.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definition
incident
Definition
risk
Definition
social networking services platform
Definition
online search engine
Definition
ICT product
Definition
large-scale cybersecurity incident
Definition
representative
Definition
network and information system
- an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972;
- any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or
- digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance;
Definition
managed security service provider
Definition
content delivery network
Definition
ICT service
Definition
cyber threat
Definition
entity providing domain name registration services
Definition
TLD name registry
Definition
managed service provider
Definition
DNS service provider
- publicly available recursive domain name resolution services for internet end-users; or
- authoritative domain name resolution services for third-party use, with the exception of root name servers;
Definition
data centre service
Definition
entity
Definition
cybersecurity
Definition
vulnerability
Definition
digital service
Definition
online marketplace
Definition
near miss
Definition
cloud computing service