CSIRTs (Computer Security and Incident Response Teams) play a vital role in cyber resilience, reports ENISA (European Union Agency for Network and Information Security). For its full 36-page report on CSIRTs, ‘CSIRT landscape and IR capabilities in Europe 2025’, visit the ENISA website.
The recent updates of some EU states’ national cybersecurity strategies and of making into national law of the NIS Directive show a harmonisation, the study found. On international and European cooperation, the national cybersecurity agencies – more integrating the national/governmental CSIRT in their organisation – tend to play a central role. With much of the detailed application of the NIS Directive left to EU states, there remains a risk of fragmentation, the report warns. The role and scope of action of CSIRTs may also vary between countries.
The NIS Directive may have a positive effect at international level and provides the EU with a ‘norm setter’. With the EU General Data Protection Regulation (GDPR) in EU states’ law since May 2018, the impact of the NIS Directive outside the EU may illustrate the ability of the EU to reach political and normative consensus between nations on cybersecurity-related issues, and to act as a standard setter in data protection, privacy and transparency, the document suggests.
The NIS Directive is about cyber security of essential services. Work includes the development of sector-specific CSIRTs and collaboration, at EU and national levels. At a national level, the growing number of sector-specific and sector-wide CSIRTs could initiate a move towards cooperation according to a vertical model, besides by the national government CSIRTs.
The study found that successful cooperation in the field of Incident Response (IR) at an international level is driven by public-private partnerships; although security is sovereign and states are reluctant to agree on binding measures. Addressing digital security indeed requires involving the technology giants to define common norms in the governance of digital infrastructures and data.
IR services are developing in the European private sector; however, new vulnerabilities tend to target the hardware layer of devices made outside Europe. In the longer term, the NIS Directive seeks to stimulate the digital industry in Europe by increasing the demand for cybersecurity products and services. However, supply chain attacks and the Meltdown and Spectre vulnerabilities suggest that new vulnerabilities and threats are surfacing within hardware. The difficulties associated with detecting and mitigating these types of vulnerabilities raises a question for national governmental CSIRTs and European cybersecurity services providers in the IR value chain, should vulnerabilities and cyber-attacks increasingly affect devices, the study warns.
