CSIRT

A Computer Security Incident Response Team (CSIRT) is a specialised team that receives, analyses, coordinates and resolves security incidents and notifies affected parties and authorities.

A Computer Security Incident Response Team (CSIRT) is a permanently established unit responsible for detecting, handling and coordinating IT security incidents. It receives reports of potential incidents, assesses their severity and impact (triage), initiates containment and recovery measures, and documents the entire course of an incident. The terms CERT (Computer Emergency Response Team) and IRT (Incident Response Team) are used synonymously; CSIRT has become the prevailing term in European and governmental usage.

A CSIRT combines technical, organisational and communication-related tasks. Technically it performs analysis, forensics and damage limitation; organisationally it manages escalation paths, roles and interfaces with business units, management, service providers and authorities; in terms of communication it is responsible for situational reports, notifications and, where applicable, press communication. The CSIRT is therefore the operational core of the incident response process and closely interlinked with emergency management, the ISMS and vulnerability management. In larger organisations it often works alongside a Security Operations Center (SOC) that handles continuous monitoring.

In a regulatory context, CSIRTs have gained considerable importance through the NIS2 Directive and its national transposition. Member States designate national CSIRTs that serve as the central point of contact for incident reports from essential and important entities, disseminate early warnings and support cross-border coordination within the CSIRTs Network. In Germany, the BSI fulfils a central CSIRT role through CERT-Bund. Affected companies, in turn, must maintain effective structures to meet the statutory reporting deadlines and to cooperate with the competent CSIRT.

Legal Basis

Art. 10 and Art. 11 of the NIS2 Directive (EU) 2022/2555; Section 5 BSIG (CERT-Bund as the national CSIRT); ISO/IEC 27035 (incident management)

Practical Example

A logistics company classified as an essential entity discovers, over the weekend, that ransomware is actively encrypting several servers. The internal CSIRT is alerted via the defined escalation path, isolates the affected systems from the network, preserves forensic evidence and, based on the business impact analysis, classifies the incident as significant. Within 24 hours the team submits the NIS2 early warning to the national CSIRT at the BSI, coordinates recovery from backups in parallel, and keeps the compliance officer informed for the incident notification due after 72 hours.

FAQ

What is the difference between a SOC and a CSIRT?

A SOC (Security Operations Center) continuously monitors systems and detects suspicious activity in real time. A CSIRT takes over once a confirmed security incident exists, handling its analysis, coordination and resolution. In practice both units work closely together and their responsibilities sometimes overlap.

What role do national CSIRTs play under NIS2?

Under the NIS2 Directive, national CSIRTs are the central point of contact for incident reports from essential and important entities. They disseminate early warnings, support incident handling and coordinate across borders within the European CSIRTs Network. In Germany this task is carried out by CERT-Bund at the BSI.

Does every entity covered by NIS2 need its own CSIRT?

The law does not mandate an in-house CSIRT, but entities affected by NIS2 must have effective processes for incident handling and reporting. Smaller organisations can bundle this function, outsource it to external providers or rely on national CSIRTs, as long as responsiveness and reporting deadlines are ensured.

How preeco supports you

Learn how our software supports you with this topic.