Source: OJ L 333, 27.12.2022, p. 80–152
NIS 2 directive
Article 15 CSIRTs network
In order to contribute to the development of confidence and trust and to promote swift and effective operational cooperation among Member States, a network of national CSIRTs is established.
The CSIRTs network shall be composed of representatives of the CSIRTs designated or established pursuant to Article 10 and the computer emergency response team for the Union’s institutions, bodies and agencies (CERT-EU). The Commission shall participate in the CSIRTs network as an observer.
ENISA shall provide the secretariat and shall actively provide assistance for the cooperation among the CSIRTs.
The CSIRTs network shall have the following tasks:
(a) to exchange information about the CSIRTs’ capabilities;
(b) to facilitate the sharing, transfer and exchange of technology and relevant measures, policies, tools, processes, best practices and frameworks among the CSIRTs;
(c) to exchange relevant information about incidents, near misses, cyber threats, risks and vulnerabilities;
(d) to exchange information with regard to cybersecurity publications and recommendations;
(e) to ensure interoperability with regard to information-sharing specifications and protocols;
(f) at the request of a member of the CSIRTs network potentially affected by an incident, to exchange and discuss information in relation to that incident and associated cyber threats, risks and vulnerabilities;
(g) at the request of a member of the CSIRTs network, to discuss and, where possible, implement a coordinated response to an incident that has been identified within the jurisdiction of that Member State;
(h) to provide Member States with assistance in addressing cross-border incidents pursuant to this Directive;
(i) to cooperate, exchange best practices and provide assistance to the CSIRTs designated as coordinators pursuant to Article 12(1) with regard to the management of the coordinated disclosure of vulnerabilities which could have a significant impact on entities in more than one Member State;
(j) to discuss and identify further forms of operational cooperation, including in relation to:
    (i) categories of cyber threats and incidents;
    (ii) early warnings;
    (iii) mutual assistance;
    (iv) principles and arrangements for coordination in response to cross-border risks and incidents;
    (v) contribution to the national large-scale cybersecurity incident and crisis response plan referred to in Article 9(4) at the request of a Member State;
(k) to inform the Cooperation Group of its activities and of the further forms of operational cooperation discussed pursuant to point (j), and, where necessary, request guidance in that regard;
(l) to take stock of cybersecurity exercises, including those organised by ENISA;
(m) at the request of an individual CSIRT, to discuss the capabilities and preparedness of that CSIRT;
(n) to cooperate and exchange information with regional and Union-level Security Operations Centres (SOCs) in order to improve common situational awareness on incidents and cyber threats across the Union;
(o) where relevant, to discuss the peer-review reports referred to in Article 19(9);
(p) to provide guidelines in order to facilitate the convergence of operational practices with regard to the application of the provisions of this Article concerning operational cooperation.
By 17 January 2025, and every two years thereafter, the CSIRTs network shall, for the purpose of the review referred to in Article 40, assess the progress made with regard to the operational cooperation and adopt a report. The report shall, in particular, draw up conclusions and recommendations on the basis of the outcome of the peer reviews referred to in Article 19, which are carried out in relation to the national CSIRTs. That report shall be submitted to the Cooperation Group.
The CSIRTs network shall adopt its rules of procedure.
The CSIRTs network and EU-CyCLONe shall agree on procedural arrangements and cooperate on the basis thereof.
Springlex and this text are meant purely as a documentation tool and have no legal effect. No liability is assumed for their content. The authentic version of this act is the one published in the Official Journal of the European Union.