How will security incidents be handled under the new NIS2 Directive, and what role does CSIRT play in resolving them?

First, it is necessary to define three basic terms as used in NIS2: incident, incident response, and CSIRT.
- According to the draft NIS2 directive, an incident is any event that compromises the availability, authenticity, integrity, or confidentiality of stored or transmitted data or related services offered by or accessible through network and information systems.
- Incident response means all activities and procedures aimed at detecting, analyzing, controlling, and responding to an incident.
- The abbreviation CSIRT refers to computer security incident response teams.
A CSIRT is a group of IT professionals who provide an organization with services and support related to the assessment, management, and prevention of cybersecurity emergencies, as well as the coordination of incident response efforts. The main objective of a CSIRT is to respond quickly and effectively to computer security incidents in order to regain control and minimize damage. A CSIRT has been in place in Slovakia for several years.
NIS2 states that organizations falling under one of its two regimes (essential and important entities) are required to report incidents that have a significant impact on the entity. The basic criteria for identifying a significant incident are:
- the incident has caused or is likely to cause serious operational disruption or financial loss to the entity concerned, or
- the incident has affected or is likely to affect other natural or legal persons, causing significant material or non-material losses.
The obligation to report cyber and security incidents is also defined in NIS2. The directive requires all entities, whether classified as "essential" or "important," to report incidents to the designated CSIRT without undue delay and at the latest within 24 hours of their discovery. In addition to mandatory reporting, NIS2 provides for voluntary reporting not only of incidents but also of cybersecurity events and significant cybersecurity threats.
The cybersecurity manager function, which is mandatory only for operators of essential services under the current Directive (NIS), should significantly assist entities (operators) in dealing with and resolving incidents. We do not yet know whether the role of cybersecurity manager will also be mandatory in NIS2 and in both regimes, but based on the information available, we can expect this to be the case.