- In order to contribute to the development of confidence and trust and to promote swift and effective operational cooperation among Member States, a network of national CSIRTs is established.
- The CSIRTs network shall be composed of representatives of the CSIRTs designated or established pursuant to Article 10 and the computer emergency response team for the Union’s institutions, bodies and agencies (CERT-EU). The Commission shall participate in the CSIRTs network as an observer. ENISA shall provide the secretariat and shall actively provide assistance for the cooperation among the CSIRTs.
- The CSIRTs network shall have the following tasks:
- to exchange information about the CSIRTs’ capabilities;
- to facilitate the sharing, transfer and exchange of technology and relevant measures, policies, tools, processes, best practices and frameworks among the CSIRTs;
- to exchange relevant information about incidents, near misses, cyber threats, risks and vulnerabilities;
- to exchange information with regard to cybersecurity publications and recommendations;
- to ensure interoperability with regard to information-sharing specifications and protocols;
- at the request of a member of the CSIRTs network potentially affected by an incident, to exchange and discuss information in relation to that incident and associated cyber threats, risks and vulnerabilities;
- at the request of a member of the CSIRTs network, to discuss and, where possible, implement a coordinated response to an incident that has been identified within the jurisdiction of that Member State;
- to provide Member States with assistance in addressing cross-border incidents pursuant to this Directive;
- to cooperate, exchange best practices and provide assistance to the CSIRTs designated as coordinators pursuant to Article 12(1) with regard to the management of the coordinated disclosure of vulnerabilities which could have a significant impact on entities in more than one Member State;
- to discuss and identify further forms of operational cooperation, including in relation to:
- categories of cyber threats and incidents;
- early warnings;
- mutual assistance;
- principles and arrangements for coordination in response to cross-border risks and incidents;
- contribution to the national large-scale cybersecurity incident and crisis response plan referred to in Article 9(4) at the request of a Member State;
- to inform the Cooperation Group of its activities and of the further forms of operational cooperation discussed pursuant to point (j), and, where necessary, request guidance in that regard;
- to take stock of cybersecurity exercises, including those organised by ENISA;
- at the request of an individual CSIRT, to discuss the capabilities and preparedness of that CSIRT;
- to cooperate and exchange information with regional and Union-level Security Operations Centres (SOCs) in order to improve common situational awareness on incidents and cyber threats across the Union;
- where relevant, to discuss the peer-review reports referred to in Article 19(9);
- to provide guidelines in order to facilitate the convergence of operational practices with regard to the application of the provisions of this Article concerning operational cooperation.
- By 17 January 2025, and every two years thereafter, the CSIRTs network shall, for the purpose of the review referred to in Article 40, assess the progress made with regard to the operational cooperation and adopt a report. The report shall, in particular, draw up conclusions and recommendations on the basis of the outcome of the peer reviews referred to in Article 19, which are carried out in relation to the national CSIRTs. That report shall be submitted to the Cooperation Group.
- The CSIRTs network shall adopt its rules of procedure.
- The CSIRTs network and EU-CyCLONe shall agree on procedural arrangements and cooperate on the basis thereof.