Coordinating CSIRT

A Computer Security Incident Response Team (CSIRT) is an organised group that receives, analyses, and responds to cybersecurity incidents and vulnerability reports. A Coordinating CSIRT is one that takes an active role in facilitating the disclosure process — acting as a neutral intermediary between security researchers and affected manufacturers, particularly in multi-vendor or cross-border scenarios. The CSIRT coordinates the timeline, manages communications between parties, validates the vulnerability report, and issues a coordinated advisory. In the EU context, national CSIRTs established under the NIS2 Directive have a specific coordination mandate. ENISA maintains a directory of EU national CSIRTs and coordinates among them for EU-level issues.

The CRA assigns national CSIRTs specific responsibilities in supporting the CRA's vulnerability disclosure ecosystem. These include: receiving vulnerability notifications from manufacturers per Article 14 (manufacturers notify ENISA, and ENISA coordinates with national CSIRTs); assisting manufacturers in identifying researchers who have reported vulnerabilities; facilitating coordination when a vulnerability affects products from multiple manufacturers; and contributing national vulnerability data to ENISA's European Vulnerability Database. National CSIRTs also serve as an escalation path when researchers cannot reach a manufacturer and need a trusted intermediary to engage on their behalf. Manufacturers should establish working relationships with the relevant national CSIRT in their home member state.

Several EU national CSIRTs are particularly active in coordinating vulnerability disclosures relevant to CRA-covered products:

• NCSC-NL (Netherlands): One of Europe's most active CVD coordinators, with extensive experience in multi-vendor coordinated disclosures and a publicly accessible vulnerability reporting portal.
• BSI CERT-Bund (Germany): Germany's national CSIRT, handling high volumes of vulnerability coordination relevant to industrial and IoT products.
• CERT-FR (France): ANSSI's incident response and coordination arm, with particular focus on critical infrastructure and industrial systems.
• NCSC-UK: While post-Brexit, maintains strong coordination relationships with EU CSIRTs and is relevant for manufacturers operating across both markets.
• ENISA: At the EU level, ENISA coordinates between national CSIRTs and operates the EUVDB.

Manufacturers should consider contacting a coordinating CSIRT in the following situations:

• A vulnerability in a shared component (library, SDK, or firmware) affects multiple manufacturers' products simultaneously and coordinated disclosure is needed.
• A researcher has contacted the manufacturer through a national CSIRT and the CSIRT is facilitating the disclosure.
• The manufacturer has received a researcher report but cannot assess the impact without expert assistance.
• The manufacturer suspects a vulnerability may have national security implications.
• The manufacturer has been unable to contact a researcher who appears to be preparing to disclose a vulnerability publicly.

Pre-registering with the national CSIRT and establishing a point of contact before an incident occurs significantly reduces response latency when coordination is needed urgently.