CSIRT — Computer Security Incident Response Team
A CSIRT is a team that coordinates responses to cybersecurity incidents, typically operating at a national or sector level. Under the CRA, manufacturers must notify the relevant national CSIRT within 24 hours of discovering an actively exploited vulnerability in their product, alongside simultaneous notification to ENISA.
What Is a CSIRT?
A Computer Security Incident Response Team (CSIRT) is an organisational unit that receives reports about security incidents, analyses them, coordinates response activities, and disseminates information to relevant stakeholders. CSIRTs operate at multiple levels: national CSIRTs (one or more per EU member state, designated under the NIS2 Directive), sector-specific CSIRTs (focused on critical infrastructure sectors like energy, finance, or healthcare), and internal CSIRTs within large organisations for their own IT security. EU national CSIRTs are networked through the CSIRTs Network, coordinated by ENISA. The NIS2 Directive and CRA both assign formal notification and coordination functions to national CSIRTs.
CSIRT Notification Under the CRA
Article 14 of the CRA requires manufacturers to notify ENISA and the relevant national CSIRT within 24 hours of becoming aware of an actively exploited vulnerability. 'Relevant national CSIRT' means the CSIRT of the member state where the manufacturer is established. For non-EU manufacturers with an EU authorised representative, the relevant CSIRT is that of the member state where the authorised representative is established. Manufacturers placing products in multiple member states should maintain documented relationships with each relevant national CSIRT. Notification templates and contact procedures vary by country; manufacturers should establish these contacts before an incident occurs.
National CSIRTs in the EU
Key national CSIRTs relevant to manufacturers in major EU markets include:
- Germany — BSI's CERT-Bund (Bundesamt für Sicherheit in der Informationstechnik)
- France — CERT-FR (Agence nationale de la sécurité des systèmes d'information / ANSSI)
- Netherlands — NCSC-NL (Nationaal Cyber Security Centrum)
- Sweden — CERT-SE (Swedish Civil Contingencies Agency)
- Poland — CERT Polska (NASK)
- Spain — CCN-CERT (Centro Criptológico Nacional)
- Italy — CSIRT Italia (Agenzia per la Cybersicurezza Nazionale)
All national CSIRTs publish their contact details, reporting procedures, and PGP keys. Manufacturers should bookmark the reporting page of the national CSIRT for their primary establishment and verify its PGP key in advance.
CSIRT vs. PSIRT: Key Differences
Manufacturers sometimes confuse CSIRTs and PSIRTs:
- A CSIRT is a national or sector-level government or quasi-government team that receives notifications, coordinates responses, and warns affected parties. It is the regulatory body the manufacturer notifies.
- A PSIRT is the manufacturer's own internal team responsible for managing vulnerabilities in the products they make. It is the team that sends notifications to CSIRTs.
The CRA creates a formal relationship between PSIRTs and CSIRTs: when a manufacturer's PSIRT determines that a vulnerability is actively exploited, the PSIRT triggers the Article 14 notification to ENISA and the national CSIRT. Manufacturers without a PSIRT or equivalent function cannot reliably meet this obligation.
Frequently asked
Which national CSIRT should we notify — the one in our country or the country where our product is used?
Article 14 requires notification to the CSIRT of the member state where the manufacturer (or EU authorised representative) is established. This is your 'home' CSIRT. That CSIRT then coordinates with other member states' CSIRTs as needed, including sharing alerts with CSIRTs in countries where the vulnerable product is widely deployed. You do not need to individually notify every national CSIRT in the EU — the CSIRTs Network handles cross-border coordination.
What information do we include in the CSIRT notification?
The Article 14 early notification (within 24 hours) should include: the product name and affected versions, a brief description of the vulnerability and exploitation status, an initial severity assessment (CVSS score if available), and any interim mitigations you have identified. The 72-hour early warning adds a preliminary impact assessment. The 14-day final report includes full technical details, CVE ID, CSAF advisory reference, fix availability, and root cause analysis. Formats and templates vary by national CSIRT.
Does our internal IT security team count as a CSIRT for CRA purposes?
No. An internal IT security team is not a national or sector CSIRT. For CRA purposes, you notify the national CSIRT (a government-designated body), not your own internal team. Your internal team — or PSIRT — is the function that decides when to notify the national CSIRT and prepares the notification. Confusing internal and external CSIRTs is a common mistake that leads to missed regulatory notification obligations.