
Chapter 8 of 11

National Authorities, CSIRTs, and EU-Level Cooperation

Explores the institutional architecture NIS2 creates, including competent authorities, CSIRTs, EU-CyCLONe, and cooperation mechanisms.


1. From NIS1 to NIS2: Why the Institutional Architecture Changed

NIS2 (Directive (EU) 2022/2555), which entered into force in January 2023 and must be transposed by Member States by 17 October 2024, significantly reshapes the EU cybersecurity governance landscape.

To understand the institutional actors, keep three layers in mind:

  1. National level
     • National competent authorities (NCAs) for NIS2
     • Computer Security Incident Response Teams (CSIRTs)
     • Single points of contact (SPOCs)
     • Sectoral regulators / data protection authorities, etc.
  2. EU coordination level
     • European Union Agency for Cybersecurity (ENISA)
     • Cooperation Group (policy coordination between Member States)
     • CSIRTs Network (technical/operational cooperation between CSIRTs)
  3. EU crisis management level
     • EU-CyCLONe (European Cyber Crisis Liaison Organisation Network) for large-scale incidents and crises.

Historically, under NIS1 (Directive (EU) 2016/1148), similar bodies existed, but:

  • Coverage was narrower (only certain operators of essential services and digital service providers).
  • Roles and cooperation duties were less prescriptive.
  • Cross-border crisis management was less developed (EU-CyCLONe was only piloted from 2020 onwards).

Under NIS2, these structures are formalised and expanded, and cooperation duties are more binding, especially for entities operating in multiple Member States.

Key analytical question for this module:

> How do these institutions interact to detect, manage, and learn from cyber incidents that cross borders and sectors?

2. National Competent Authorities (NCAs): Mandate and Powers

NIS2 requires each Member State to designate one or more national competent authorities for its implementation (Art. 7–9 NIS2). In practice, you will typically see:

  • A central NIS2 authority (e.g., a national cybersecurity agency or ministry).
  • Sectoral authorities (e.g., energy regulator, health authority) with NIS2 responsibilities in their sector.

Core functions of NCAs

  1. Regulatory & policy role
     • Transpose NIS2 into national law (often via a cybersecurity act or amendments to existing sectoral laws).
     • Issue secondary rules, guidelines, and technical standards (e.g., baseline security measures, notification formats).
     • Coordinate with other national regulators (data protection, financial supervision, telecoms).
  2. Supervisory & enforcement role
     • Identify and register essential and important entities (EEs and IEs).
     • Monitor compliance (ex-ante and ex-post supervision).
     • Impose corrective measures and sanctions (fines, binding instructions, temporary bans, public naming).
  3. Coordination & international role
     • Act as Single Point of Contact (SPOC) for cross-border cooperation under NIS2.
     • Participate in the Cooperation Group and (where relevant) EU-CyCLONe.
     • Coordinate with CSIRTs and sectoral regulators at national level.

Practical edge case

  • A Member State may choose one single authority for all sectors (e.g., a national cyber agency).
  • Another may choose a federal or multi-agency model, with separate authorities for energy, health, transport, etc., plus a central coordination body.

For entities operating in multiple Member States, this means:

  • You might face different lead authorities per country and per sector.
  • However, NIS2 pushes these authorities to coordinate to avoid contradictory obligations.

When reading national laws, look for terms like "NIS2 competent authority", "national cybersecurity authority", or "authority responsible for the security of network and information systems"—these are your NCAs under different labels.

3. CSIRTs: Operational Backbone of NIS2

Every Member State must have at least one Computer Security Incident Response Team (CSIRT) with responsibilities under NIS2 (Art. 10–12). Some countries already had mature CSIRTs; NIS2 clarifies and reinforces their role.

Core tasks of national CSIRTs

  1. Incident handling
     • Receive incident notifications (often via a national portal).
     • Provide technical assistance and guidance to entities.
     • Coordinate technical response to large-scale incidents.
  2. Monitoring and early warning
     • Monitor threats and vulnerabilities (e.g., via threat intel feeds, honeypots, sectoral ISACs).
     • Issue alerts, advisories, and indicators of compromise (IoCs).
     • Share information with the CSIRTs Network and ENISA.
  3. Crisis management support
     • Support national crisis cells for cyber incidents.
     • Liaise with EU-CyCLONe for large-scale cross-border crises.

CSIRTs vs. NCAs

  • NCAs: Primarily regulatory, supervisory, and strategic.
  • CSIRTs: Primarily technical, operational, and tactical.

They must cooperate closely. For example:

  • An entity reports an incident to the NCA (because the law says so).
  • The NCA immediately forwards technical details to the CSIRT.
  • The CSIRT helps the entity contain the incident and shares anonymised indicators with other CSIRTs.

Some Member States merge roles (e.g., the national cyber agency is both NCA and hosts the CSIRT), but NIS2 still expects functional separation between regulation/enforcement and incident response to avoid conflicts of interest.

4. Worked Example: Incident Flow Across Authorities

Consider a ransomware attack in 2025 on a cross-border energy company operating in three EU countries (A, B, and C). The company is an essential entity in all three.

Step-by-step flow

  1. Detection and internal escalation
     • SOC detects abnormal encryption activity in control systems in Country A.
     • Internal incident response team classifies it as a major incident with cross-border impact.
  2. Notification to authorities (within NIS2 deadlines)
     • The company notifies:
       • The NCA and/or CSIRT in Country A (depending on national procedure).
       • Because operations in B and C are affected, it also notifies NCAs/CSIRTs in B and C, or the lead authority if one has been designated for the group.
  3. National coordination
     • In each country, the NCA:
       • Checks compliance with NIS2 notification obligations.
       • Assesses whether other entities in the sector may be affected.
     • The CSIRT:
       • Analyses samples of the malware.
       • Issues a national security advisory with IoCs to other energy providers.
  4. EU-level technical cooperation
     • National CSIRTs share technical details via the CSIRTs Network (secure channels).
     • ENISA helps correlate IoCs with known campaigns and supports cross-border analysis.
  5. EU-level crisis management (if large-scale)
     • If the incident threatens energy supply in several Member States, NCAs may trigger EU-CyCLONe.
     • EU-CyCLONe coordinates high-level decision-making: e.g., prioritisation of cross-border energy flows, public communication, and strategic options.
  6. Post-incident supervision
     • NCAs in A, B, and C may launch coordinated supervision (see section 8) to check whether the company’s security measures met NIS2 standards.
     • If serious deficiencies are found, they may impose sanctions, require remediation plans, and possibly peer review of how authorities handled the case.

This example shows how NCAs, CSIRTs, the CSIRTs Network, ENISA, and EU-CyCLONe form a multi-layered response system.

5. EU-CyCLONe: Cross-Border Cyber Crisis Management

EU-CyCLONe (European Cyber Crisis Liaison Organisation Network) was informally created in 2020 and is now formally anchored in NIS2 (Art. 16).

What EU-CyCLONe is (and is not)

  • Is: A network of national authorities responsible for cyber crisis management (often including NCAs, interior ministries, or national security councils).
  • Is not: A technical incident response body (that’s the CSIRTs Network).

Main functions

  1. Strategic coordination during large-scale incidents
     • Facilitate situational awareness at political/strategic level.
     • Coordinate non-technical response measures: public communication, international outreach, strategic decisions (e.g., whether to invoke mutual assistance clauses).
  2. Support for decision-makers
     • Provide consolidated impact assessments to ministers and national crisis cells.
     • Help align national crisis response plans with EU-level frameworks.
  3. Preparedness and exercises
     • Organise or support cross-border cyber crisis exercises.
     • Develop playbooks and standard operating procedures for large-scale incidents.

Edge case: When both CSIRTs Network and EU-CyCLONe are active

For a major EU-wide phishing campaign with limited systemic impact:

  • CSIRTs Network is active (technical sharing).
  • EU-CyCLONe might not be activated.

For a massive attack on EU payment systems affecting multiple Member States:

  • CSIRTs Network handles technical coordination.
  • EU-CyCLONe coordinates crisis management, including communication with finance ministries and central banks.

For entities: understanding EU-CyCLONe is crucial because your national NCA may escalate your incident into this network if it has systemic implications.

6. Mapping Actors to Functions (Thought Exercise)

Use this as a short reasoning exercise. For each task, decide which actor is primarily responsible under NIS2: NCA, CSIRT, Cooperation Group, CSIRTs Network, or EU-CyCLONe.

  1. Publishing a national regulation specifying minimum cybersecurity measures for hospitals.
  2. Analysing a new malware strain and sharing IoCs with other Member States.
  3. Coordinating political messaging among Member States during a major EU-wide cyber crisis.
  4. Discussing common EU-level guidance on supply chain risk management under NIS2.
  5. Receiving and triaging incident notifications from essential entities in the telecom sector.

---

Suggested answers (do not peek before attempting):

  1. NCA – regulatory/supervisory function.
  2. CSIRTs Network (via national CSIRTs) – technical/operational sharing.
  3. EU-CyCLONe – strategic crisis coordination.
  4. Cooperation Group – policy-level coordination and guidance.
  5. Usually NCA and/or CSIRT, depending on the national model; formally, the NCA is responsible for enforcement, but CSIRTs often operate the notification platform.

7. Information-Sharing and Cooperation Mechanisms

NIS2 builds a multi-channel information-sharing architecture.

1. Within Member States

  • NCA ↔ CSIRT:
    • Exchange incident notifications and technical details.
    • Coordinate on enforcement vs. assistance (e.g., CSIRT provides help; NCA handles sanctions if needed).
  • NCA/CSIRT ↔ entities:
    • Entities must notify significant incidents and near misses (depending on national transposition).
    • Authorities provide feedback, warnings, and tailored guidance.

2. Between Member States

  • Cooperation Group (policy level):
    • Shares best practices, guidance, and national strategies.
    • Coordinates on risk assessments and priority sectors.
  • CSIRTs Network (technical level):
    • Shares technical data on threats, vulnerabilities, and incidents.
    • Can set up joint response teams for major incidents.
  • EU-CyCLONe (crisis level):
    • Shares situational awareness and strategic decisions during crises.

3. With EU bodies and agencies

  • ENISA:
    • Provides analytical support, threat landscape reports, and facilitates cooperation.
    • Hosts or supports platforms for secure info-sharing.
  • Other EU bodies (e.g., ECB, EBA, EIOPA, ESMA for the financial sector; EDPB for data protection):
    • Coordinate with NCAs for sector-specific or fundamental-rights-related issues.

Confidentiality vs. transparency

NIS2 requires confidential treatment of sensitive info but also promotes responsible disclosure and transparency when in the public interest. This creates tensions:

  • Too much secrecy → other entities cannot prepare.
  • Too much transparency → may reveal vulnerabilities or harm reputation.

NCAs and CSIRTs must balance this, often by:

  • Publishing anonymised advisories.
  • Delaying public disclosure until mitigation measures exist.
  • Coordinating public statements via EU-CyCLONe in crises.

8. Coordinated Supervision and Lead Authority Mechanisms

For entities operating in multiple Member States, coordinated supervision under NIS2 is crucial.

Lead authority concept (simplified)

NIS2 encourages (and in some cases requires) Member States to:

  • Designate a lead NCA for cross-border entities (often based on main establishment or main operations).
  • Other involved NCAs act as concerned authorities.

This is partly inspired by the GDPR one-stop-shop, but less centralised and with more flexibility.

Coordinated supervision in practice

  1. Joint supervisory actions
     • Two or more NCAs can perform joint audits or inspections of a cross-border entity.
     • They may agree on a common supervisory plan.
  2. Mutual assistance
     • An NCA can request another NCA to collect information or carry out on-site inspections on its behalf.
  3. Dispute resolution and escalation
     • If NCAs disagree on findings or sanctions, they can raise the issue in the Cooperation Group.
     • ENISA may provide technical opinions, but final decisions remain national.

Edge cases and tensions

  • Regulatory arbitrage: Entities might choose a Member State with a perceived "softer" NCA as their main establishment. NIS2 tries to limit this by:
    • More harmonised minimum requirements.
    • Stronger peer pressure via the Cooperation Group and peer reviews.
  • Overlap with GDPR and sectoral rules:
    • A data breach may trigger both NIS2 and GDPR obligations.
    • Coordinated supervision may involve NIS2 NCAs and data protection authorities.

For advanced analysis, compare how NIS2 coordinated supervision differs from GDPR’s one-stop-shop in terms of legal certainty and protection against forum shopping.

9. Peer Reviews: Supervising the Supervisors

NIS2 introduces peer reviews of Member States’ cybersecurity capabilities and implementation (Art. 20–21). This is about evaluating authorities, not entities.

Objectives

  • Assess the effectiveness of national NIS2 implementation (laws, NCAs, CSIRTs).
  • Identify best practices and gaps.
  • Increase trust between Member States (important for cross-border supervision and mutual assistance).

How peer reviews work (core features)

  • Conducted by experts from other Member States, often supported by ENISA.
  • Cover aspects like:
    • Governance and mandate of NCAs and CSIRTs.
    • Incident notification processes and quality.
    • Participation in CSIRTs Network, Cooperation Group, and EU-CyCLONe.
  • Results are summarised in reports with recommendations.

Why this matters for entities

  • Peer reviews indirectly affect you by raising the bar for authorities.
  • If your national NCA is found weak, expect reforms and stricter supervision in the medium term.
  • Peer review findings may influence how consistently NIS2 is enforced across the EU.

Analytically, peer reviews are a tool of "soft" enforcement on Member States, complementing the "hard" enforcement (infringement procedures) by the European Commission.

10. Quick Knowledge Check: Matching Actors and Roles

Test your understanding of the main institutional actors and their functions under NIS2.

Which pairing is MOST accurate under NIS2?

  A) CSIRTs Network – coordinates political messaging among Member States during large-scale cyber crises.
  B) EU-CyCLONe – supports high-level decision-making and strategic coordination in large-scale cyber incidents.
  C) Cooperation Group – performs malware analysis and shares indicators of compromise (IoCs).
  D) National Competent Authority – provides purely technical incident response without any enforcement powers.

Answer: B) EU-CyCLONe – supports high-level decision-making and strategic coordination in large-scale cyber incidents.

EU-CyCLONe is designed for high-level, strategic coordination in large-scale cyber incidents, including political messaging and crisis decision-making. The CSIRTs Network is technical/operational, the Cooperation Group is policy-focused, and NCAs have regulatory and enforcement roles (even if some also host CSIRTs).

11. Flashcard Review: Key Institutions and Mechanisms

Use these flashcards to consolidate the most important terms from this module.

National Competent Authority (NCA)
A national body (or bodies) designated under NIS2 to supervise and enforce cybersecurity obligations for essential and important entities, coordinate at national level, and act as Single Point of Contact for EU cooperation.
CSIRT (Computer Security Incident Response Team)
A national team responsible for incident handling, technical analysis, early warning, and operational support under NIS2, cooperating with other CSIRTs through the CSIRTs Network.
CSIRTs Network
EU-level network of national CSIRTs that facilitates technical and operational cooperation, information-sharing, and joint responses to cyber incidents across Member States.
EU-CyCLONe
European Cyber Crisis Liaison Organisation Network; coordinates high-level, strategic response and crisis management among Member States during large-scale cyber incidents.
Cooperation Group
A strategic and policy-level forum under NIS2 where Member States and the Commission cooperate on implementation, best practices, guidance, risk assessments, and peer reviews.
Coordinated supervision
Mechanisms under NIS2 for NCAs to jointly supervise cross-border entities, including lead authority arrangements, mutual assistance, and joint supervisory actions.
Peer review (under NIS2)
A process where experts from other Member States assess a country’s NIS2 implementation, including NCAs and CSIRTs, to identify strengths, weaknesses, and best practices.
Single Point of Contact (SPOC)
The designated national authority that represents the Member State in cross-border NIS2 cooperation, ensuring coordination with other Member States and EU bodies.

Key Terms

NIS2
Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union, which entered into force in January 2023 and must be transposed by Member States by 17 October 2024.
CSIRT
Computer Security Incident Response Team; a team that handles cybersecurity incidents, provides technical support, and participates in operational cooperation at national and EU levels.
EU-CyCLONe
European Cyber Crisis Liaison Organisation Network, responsible for strategic coordination and crisis management among Member States during large-scale cyber incidents.
Peer review
A process established by NIS2 where Member States’ implementation and authorities (NCAs, CSIRTs) are evaluated by peers from other Member States, often with ENISA’s support.
CSIRTs Network
An EU-level network of national CSIRTs that shares technical information, coordinates responses, and supports handling of cross-border cyber incidents.
Cooperation Group
An EU-level forum composed of Member States, the Commission, and ENISA that coordinates policy, implementation, and best practices for NIS2.
Coordinated supervision
Mechanisms by which NCAs from different Member States jointly supervise cross-border entities under NIS2, including lead authority and mutual assistance arrangements.
Single Point of Contact (SPOC)
The national authority designated to ensure cross-border cooperation and communication under NIS2.
Essential and important entities
Categories of organisations covered by NIS2, defined based on sector and size, subject to cybersecurity risk management and incident reporting obligations.
National Competent Authority (NCA)
A national authority designated under NIS2 to supervise, enforce, and coordinate cybersecurity obligations for essential and important entities.