Source: OJ L 333, 27.12.2022, p. 80–152
- NIS 2 directive
Article 11 Requirements, technical capabilities and tasks of CSIRTs
The CSIRTs shall comply with the following requirements:
the CSIRTs shall ensure a high level of availability of their communication channels by avoiding single points of failure, and shall have several means for being contacted and for contacting others at all times; they shall clearly specify the communication channels and make them known to constituency and cooperative partners;
the CSIRTs’ premises and the supporting information systems shall be located at secure sites;
the CSIRTs shall be equipped with an appropriate system for managing and routing requests, in particular to facilitate effective and efficient handovers;
the CSIRTs shall ensure the confidentiality and trustworthiness of their operations;
the CSIRTs shall be adequately staffed to ensure availability of their services at all times and they shall ensure that their staff is trained appropriately;
the CSIRTs shall be equipped with redundant systems and backup working space to ensure continuity of their services.
The CSIRTs may participate in international cooperation networks.
Member States shall ensure that their CSIRTs jointly have the technical capabilities necessary to carry out the tasks referred to in paragraph 3. Member States shall ensure that sufficient resources are allocated to their CSIRTs to ensure adequate staffing levels for the purpose of enabling the CSIRTs to develop their technical capabilities.
The CSIRTs shall have the following tasks:
monitoring and analysing cyber threats, vulnerabilities and incidents at national level and, upon request, providing assistance to essential and important entities concerned regarding real-time or near real-time monitoring of their network and information systems;
providing early warnings, alerts, announcements and dissemination of information to essential and important entities concerned as well as to the competent authorities and other relevant stakeholders on cyber threats, vulnerabilities and incidents, if possible in near real-time;
responding to incidents and providing assistance to the essential and important entities concerned, where applicable;
collecting and analysing forensic data and providing dynamic risk and incident analysis and situational awareness regarding cybersecurity;
providing, upon the request of an essential or important entity, a proactive scanning of the network and information systems of the entity concerned to detect vulnerabilities with a potential significant impact;
participating in the CSIRTs network and providing mutual assistance in accordance with their capacities and competencies to other members of the CSIRTs network upon their request;
where applicable, acting as a coordinator for the purposes of the coordinated vulnerability disclosure under Article 12(1);
contributing to the deployment of secure information-sharing tools pursuant to Article 10(3).
The CSIRTs may carry out proactive non-intrusive scanning of publicly accessible network and information systems of essential and important entities. Such scanning shall be carried out to detect vulnerable or insecurely configured network and information systems and inform the entities concerned. Such scanning shall not have any negative impact on the functioning of the entities’ services.
When carrying out the tasks referred to in the first subparagraph, the CSIRTs may prioritise particular tasks on the basis of a risk-based approach.
The CSIRTs shall establish cooperation relationships with relevant stakeholders in the private sector, with a view to achieving the objectives of this Directive.
In order to facilitate cooperation referred to in paragraph 4, the CSIRTs shall promote the adoption and use of common or standardised practices, classification schemes and taxonomies in relation to:
incident-handling procedures;
crisis management; and
coordinated vulnerability disclosure under Article 12(1).
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.