Security Incidents and Their Reporting Under NIS2

20.09.2022 | Author: Top privacy s.r.o. | 3 min read

How will security incidents be handled under the new NIS2 Directive, and what role does the CSIRT play in addressing them?

To begin with, it is necessary to define three basic terms according to NIS2: incident, incident response, and CSIRT.

  • According to the proposed NIS2 Directive, an incident is any event that compromises the availability, authenticity, integrity, or confidentiality of data stored, transmitted, or processed, or of related services offered by or accessible through network and information systems.
  • Incident response refers to all activities and procedures aimed at detecting, analyzing, controlling, and responding to an incident.
  • The acronym CSIRT stands for Computer Security Incident Response Teams.

A CSIRT is a group of IT professionals who provide an organization with services and support related to the assessment, management, and prevention of cybersecurity-related emergencies, as well as the coordination of incident response efforts. The main goal of a CSIRT is to respond quickly and effectively to computer security incidents, thereby regaining control and minimizing damage. We have had a CSIRT in Slovakia for several years now.

The NIS2 Directive states that organizations falling under one of the two regimes (basic and critical) are required to report incidents that have a significant impact on the entity. It sets out two key criteria for identifying a significant incident:

  1. the incident has caused or may cause a serious disruption of service or financial loss to the entity concerned, or
  2. the incident has affected or may affect other natural or legal persons, causing significant material and non-material losses.

The obligation to report cyber and security incidents is also defined in NIS2. The Directive requires that all entities, regardless of whether they fall under the “essential” or “important” category, report the incident to the designated CSIRT team without undue delay, and no later than 24 hours after its detection. In addition to mandatory reporting, the NIS2 Directive provides for voluntary reporting not only of incidents but also of cybersecurity events and significant cyber threats. The role of the cybersecurity manager is intended to significantly assist entities (operators) in managing and resolving incidents; however, under the currently applicable NIS Directive, this role is mandatory only for operators of essential services.

We do not yet know whether the role of cybersecurity manager will also be mandatory in NIS2 and in both regimes, but based on the available information, we can expect this to be the case.


Top privacy s.r.o.