Impact study CSIRT’s in the framework of the reformed Network- and Information Security Directive

In June 2022, a political agreement has been reached in the reform of the Network- and Information Security Directive (NIS). This reform is driven by development in technologies, the ever-increasing digitalisation of society, increasing dependence on information- and security networks in combination with new and existing threats. The new NIS2-Directive entails an expansion of tasks and competences of Computer Security Incident Response Teams (CSIRTs) compared to NIS1. It is a broadening of the scope, as well as the kind of CSIRT-tasks. NCSC-NL has commissioned Tilburg University to conduct an impact study on its own organisations and its activities, following this reform.

Goal

The intended purpose of this study was to map the changes in requirements and tasks of CSIRTs and ‘good practices’ in meeting these requirements and carrying those tasks, as well as the internal organisation. To do this, the researchers have looked at six CSIRTs from EU member states, namely NCSC in the Netherlands, CERT.at in Austria, CERT-FR in France, CERT-BUND in Germany, CERT-EE in Estonia and the Center for Cyber Security in Denmark.

Research results

The most important results of the impact study are:

  • How CSIRT-tasks are carried out differs greatly per country, as well as the good practices. These good practices are laid out extensively in the attached report.
  • The major challenges with the new NIS2-Directive are, for most CSIRTs, the scalability, ensuring access to CSIRT-services for newly appointed sectors and organisations, and the organisation of several tasks within the national system.
  • The differences per country are whether they have a centralised or more decentralised approach to the organisation of CSIRT-tasks in the country, the use of risk-based or sector-based approaches to identify and respond to threats, different forms of automation for information exchange, knowledge sharing, and tools for proactive scanning of vulnerable networks and organisations.
  • Acquiring and keeping the needed capacity and means for the expansion of sectors and organisations under the scope of the NIS2-Directive is a major challenge for most CSIRTs. Especially in the case of hiring and keeping personnel and funds.
  • The creation and building of an ecosystem of trusted CSIRTs and organisations can help the national CSIRT to scale up to make sure that all sectors and organisations within the scope of the NIS2-Directive can make use of CSIRT-services.

Next steps

The NIS2-Directive will be formalised this fall after a vote in the European Parliament and the European Council of the heads of state. The member states then have 21 months to transpose the directive into new or existing national legislation. The Netherlands will amend the Wet Beveiliging Netwerk- en Informatiesystemen (Wbni). The Ministry of Justice and Security will take the lead for this, and NCSC-NL will be involved. In this period, choice will be made in how the directive needs to be interpreted in our national legislation. The results from this research will be used as input. NCSC-NL will communicate towards its current and possible future constituency about relevant matters during this proces.