Article 15: CSIRTs network
The Article 15 (CSIRTs network) requirement is operationalized by making your incident reporting and cooperation processes “CSIRT-ready” in every EU Member State where you operate: you must know the national CSIRT points of contact, align internal escalation paths so that actionable incident information can be shared quickly, and keep evidence that coordination can happen on demand (Directive (EU) 2022/2555, Article 15).
Key takeaways:
- Treat Article 15 as an operational coordination requirement, not a paperwork exercise (Directive (EU) 2022/2555, Article 15)
- Build a tested “national CSIRT engagement” workflow mapped to your jurisdictions and incident types (Directive (EU) 2022/2555, Article 15)
- Keep exam-ready proof: contacts, playbooks, logs of exercises, and records of incident communications decisions (Directive (EU) 2022/2555, Article 15)
Article 15 establishes that EU Member States will cooperate through a network of national CSIRTs (Computer Security Incident Response Teams) to support swift and effective operational cooperation (Directive (EU) 2022/2555, Article 15). As a regulated entity, you don’t “join the network” directly in the way a government authority does, but you will be supervised on whether you can interact with your national competent authorities and CSIRT channels quickly and consistently when an incident hits.
For a CCO or GRC lead, the practical problem is rarely the legal text. It’s operational friction: unclear ownership between Security and Compliance, fragmented jurisdictional scope, missing national points of contact, and incident workflows that are documented but not executable under pressure. Article 15 is where those gaps show up, because cross-border coordination requires precision, speed, and reliable records.
This page translates the Article 15 (CSIRTs network) requirement into an implementation checklist you can assign to control owners. The goal: build a repeatable capability to (a) identify the correct CSIRT interface per jurisdiction, (b) package incident information in a consistent way, and (c) demonstrate, with artifacts, that coordination is real.
Requirement: Article 15: CSIRTs network (what it means operationally)
Plain-English interpretation
Article 15 sets up a network of national CSIRTs across Member States to build trust and enable swift operational cooperation (Directive (EU) 2022/2555, Article 15). For operators, the expectation is straightforward: your incident management program must be able to interface with national CSIRT-led cooperation when needed, without scrambling for contacts, approvals, or basic incident facts.
Think of this as “coordination readiness.” If your organization experiences a significant incident, authorities may need fast, structured information so they can correlate signals across sectors and borders. Your job is to ensure your internal processes can produce that information and route it through the right channels.
Who it applies to (entity + operational context)
Applies to:
- Essential and important entities in scope of NIS 2, as transposed into national law, because you will be supervised against operational cooperation expectations connected to incident handling and reporting duties (Directive (EU) 2022/2555).
- Organizations operating in multiple EU Member States, or with cross-border digital infrastructure, because CSIRT coordination often becomes cross-jurisdictional in practice (Directive (EU) 2022/2555, Article 15).
- Security operations, incident response, legal/compliance, communications, and third-party management functions, because CSIRT-facing coordination requires technical facts, legal review, external comms discipline, and supply chain awareness (Directive (EU) 2022/2555, Article 15).
Operational contexts where Article 15 will surface:
- Ransomware and extortion events with ecosystem spillover
- Vulnerability exploitation affecting multiple organizations
- Outages involving shared third parties (cloud, managed service providers, critical software suppliers)
- Incidents where indicators of compromise need rapid sharing
Regulatory text
“In order to contribute to the development of confidence and trust and to promote swift and effective operational cooperation among Member States, a network of national CSIRTs is established.” (Directive (EU) 2022/2555, Article 15)
What the operator must do with this text
The text creates the cooperation mechanism at Member State level, but regulated entities must be ready to support that cooperation through executable incident coordination. Your implementation target: prove you can identify the right national CSIRT interfaces and produce timely, structured incident information that can be shared through supervisory channels when required (Directive (EU) 2022/2555, Article 15).
What you actually need to do (step-by-step)
1) Build a jurisdiction-to-CSIRT contact map
Deliverable: a maintained list that ties:
- Member State(s) where you are in scope
- National CSIRT point(s) of contact (and backups)
- National competent authority points of contact if separate in your country
- Communication methods (secure email, portal, phone escalation, after-hours process)
- Internal owners for each jurisdiction (primary + delegate)
Operational note: keep this in a controlled system with an update owner and change log. Auditors will treat stale contact data as an operational failure because it blocks “swift” cooperation (Directive (EU) 2022/2555, Article 15).
2) Translate the CSIRT network concept into an internal “CSIRT engagement” playbook
Your playbook should answer, without debate:
- What incidents trigger external coordination?
- Who authorizes outreach and what can be shared pre-approval?
- What minimum technical facts must be captured before notifying?
- How to handle cross-border incidents when multiple jurisdictions may be implicated
Minimum content checklist:
- Decision tree for escalation to Compliance/Legal, executive sponsor, and incident commander
- Standard incident data package (see step 3)
- Templates for initial outreach and follow-up updates
- Rules for protecting sensitive data while still being operationally useful
This should align to your broader NIS 2 incident triage and reporting workflow so you do not have one process for “regulatory reporting” and another for “CSIRT coordination” (Directive (EU) 2022/2555, Article 15).
3) Standardize the incident information package (make it repeatable)
Create a “CSIRT-ready incident packet” that Security can compile quickly. Include:
- Incident summary in plain language (what happened, what’s impacted)
- Systems/services affected (customer-facing, internal, critical service)
- Timeline (discovery time, containment actions)
- Known/likely root cause category (phishing, exploited vulnerability, third-party compromise)
- Indicators of compromise (hashes, IPs, domains) where appropriate
- Current status and next actions
- Cross-border footprint (regions, subsidiaries, shared infrastructure)
- Third-party dependencies involved and what you’ve requested from them
Keep it consistent. Consistency is what makes cooperation “effective” under pressure (Directive (EU) 2022/2555, Article 15).
4) Assign clear RACI across Security, Legal, Compliance, and Communications
A common failure mode is a “four-way deadlock” during an incident. Fix it with explicit responsibility:
- Security: owns technical facts, IOCs, containment narrative
- Compliance/GRC: owns jurisdictional determination, log of notifications, evidence retention
- Legal: owns privilege strategy and constraints on disclosure
- Comms: owns external messaging alignment to avoid contradiction
Document who can press “send” to national CSIRT channels and who is a mandatory reviewer.
5) Integrate third-party dependencies into incident coordination
If a third party is part of the incident, your CSIRT-ready packet and workflow must capture:
- Contractual notification obligations and timelines
- How you obtain technical detail from the third party (ticketing, dedicated incident liaison)
- What you can share externally without breaching contract terms
This is where third-party risk management meets incident response. If you cannot extract facts from a critical supplier, you cannot cooperate effectively (Directive (EU) 2022/2555, Article 15).
6) Test the workflow and record outcomes
Run tabletop exercises that specifically test:
- Cross-border decisioning (which jurisdiction, who contacts whom)
- Off-hours contact accuracy
- Ability to generate the incident packet from your tooling
- Internal approval speed
Capture lessons learned, assign remediation items, and track closure. Examiners trust tested processes more than polished policies (Directive (EU) 2022/2555, Article 15).
Required evidence and artifacts to retain
Keep artifacts that prove readiness and execution:
- NIS 2 obligation register with jurisdictional applicability and control owners (Directive (EU) 2022/2555)
- CSIRT contact register with last review date and change history
- Incident triage/escalation workflow (diagram + written procedure) with clear triggers (Directive (EU) 2022/2555, Article 15)
- CSIRT engagement playbook and communication templates
- Completed tabletop/exercise records: agenda, participants, scenarios, results, remediation tickets
- Incident packets (redacted if needed) and decision logs from real incidents
- Third-party dependency inventory for critical services tied to incident processes (Directive (EU) 2022/2555, Article 15)
Practical tip: store evidence in a single “exam binder” workspace with immutable timestamps. Daydream can help by turning obligations into assigned controls, then tracking artifacts and owners in one place without losing the audit trail (Directive (EU) 2022/2555, Article 15).
Common exam/audit questions and hangups
Expect questions like:
- “Which national CSIRT(s) would you contact for an incident impacting these EU operations?”
- “Show the workflow from detection to external coordination decision.”
- “Who can approve sharing IOCs externally, and how is that documented?”
- “How do you handle incidents involving a critical third party?”
- “Show the most recent test of this process and what you fixed afterwards.”
Hangups that create findings:
- Confusion between “competent authority,” “single point of contact,” and “CSIRT” roles across countries
- Playbooks that exist but do not match how the SOC actually operates
- Missing records that demonstrate you can act quickly (Directive (EU) 2022/2555, Article 15)
Frequent implementation mistakes (and how to avoid them)
| Mistake | Why it fails | Fix |
|---|---|---|
| Treating Article 15 as “government-only” | You still need operational cooperation readiness | Build CSIRT engagement playbook tied to incident workflows (Directive (EU) 2022/2555, Article 15) |
| One generic EU contact approach | National channels differ | Maintain per-jurisdiction contacts and rules in your obligation register (Directive (EU) 2022/2555) |
| No third-party incident fact path | You cannot assemble usable incident packets | Add third-party incident liaison requirements to contracts and onboarding checklists |
| No test records | You can’t prove readiness | Tabletop exercises with remediation tracking and retention (Directive (EU) 2022/2555, Article 15) |
Enforcement context and risk implications
No public enforcement cases were provided in the source catalog for this specific article, so this page does not list case law or penalties. Practically, the risk shows up as supervisory scrutiny of incident coordination readiness: if you cannot produce contacts, a tested workflow, and decision records, authorities can treat that as a governance and operational control weakness under the NIS 2 regime (Directive (EU) 2022/2555, Article 15).
Practical execution plan (30/60/90-day)
First 30 days (stabilize)
- Confirm NIS 2 in-scope jurisdictions and create/refresh your obligation register (Directive (EU) 2022/2555)
- Build the CSIRT contact register with owners and backups
- Draft the CSIRT engagement playbook v1 and align it to current incident response procedures
Days 31–60 (make it executable)
- Implement the “CSIRT-ready incident packet” template in your incident tooling or shared workspace
- Define RACI and approval workflow, including after-hours routing
- Update third-party incident clauses or operational runbooks for critical suppliers
Days 61–90 (prove it works)
- Run at least one cross-border tabletop exercise using a realistic scenario
- Close the top remediation items, especially contact accuracy and packet completeness
- Assemble an exam-ready evidence set: register, playbook, exercise outputs, and ticketed improvements
Daydream fit: treat Article 15 as a tracked requirement with mapped controls, owners, milestones, and artifact collection so your evidence stays current between audits (Directive (EU) 2022/2555, Article 15).
Frequently Asked Questions
Does Article 15 require my company to join the CSIRTs network?
Article 15 establishes a network of national CSIRTs between Member States (Directive (EU) 2022/2555, Article 15). Your operational obligation is to be ready to cooperate through the relevant national channels during incidents.
What’s the minimum I should have prepared for a supervisor?
A jurisdiction-mapped CSIRT contact register, a CSIRT engagement playbook aligned to incident response, and evidence you tested the workflow (Directive (EU) 2022/2555, Article 15). Keep decision logs that show who approved what and when.
How do I handle incidents that affect multiple EU countries?
Pre-map which entities/operations fall under which Member State and define who coordinates multi-jurisdiction outreach (Directive (EU) 2022/2555, Article 15). Use one incident packet format to prevent contradictory updates across countries.
Do I need to share indicators of compromise externally?
Article 15 is about effective operational cooperation through national CSIRTs (Directive (EU) 2022/2555, Article 15). Decide in advance what technical artifacts you can share, and document Legal’s rules and approval path.
How does third-party risk tie into Article 15?
If a third party is involved, you still need to assemble accurate incident facts for external coordination (Directive (EU) 2022/2555, Article 15). Build contractual and operational paths to get timely incident details from critical suppliers.
What evidence usually goes missing?
Teams often keep policies but not proof of execution: updated contacts, exercise records, and incident decision logs (Directive (EU) 2022/2555, Article 15). Treat evidence capture as part of the incident workflow, not an after-action chore.