The CSIRT Network and EU-CyCLONe under Articles 15 and 16
NIS 2 builds two cross-border cooperation networks. The CSIRT Network handles technical incident response between national CSIRTs. EU-CyCLONe handles political coordination when a cyber crisis goes beyond one country. Both have ENISA as their secretariat.
The short version
NIS 2 does two things at once. It tells in-scope entities to report incidents to their national CSIRT or competent authority. It also tells the member states to talk to each other when an incident crosses borders or threatens more than one country. The talking-to-each-other part is what Articles 15 and 16 set up.
Article 15 creates the CSIRT Network. It is the technical and operational layer. National CSIRTs (in Germany: CERT-Bund at the BSI) plus CERT-EU sit on it. They exchange threat data, coordinate cross-border incident response, and share tools. ENISA runs the secretariat.
Article 16 creates EU-CyCLONe, the European Cyber Crises Liaison Organisation Network. It is the political layer. Member state authorities for cyber crisis management (in Germany: the Federal Ministry of the Interior) sit on it. They coordinate the political response to large-scale incidents. ENISA also runs the secretariat. Same agency, two layers.
Article 15(1) and Article 16(1) NIS 2 Directive (2022/2555)
In order to contribute to the development of confidence and trust between the Member States and to promote swift and effective operational cooperation, a network of national CSIRTs is established. […] In order to support the coordinated management of large-scale cybersecurity incidents and crises at operational level and to ensure the regular exchange of relevant information between Member States and Union institutions, bodies, offices and agencies, a European cyber crisis liaison organisation network (EU-CyCLONe) is established.
Two adjacent articles. Two networks. Article 15 sits on the operational tier. Article 16 sits on the political tier. The directive sets up both bodies directly. No further EU law is needed to make them exist.
N/A — Article-level institutions
There is no implementing regulation that further specifies the CSIRT Network or EU-CyCLONe.
Unlike Article 21(2) (which the Commission Implementing Regulation, the CIR, fleshes out), Articles 15 and 16 are self-executing. The networks have published their own rules of procedure, but those are working documents, not EU legislation. What matters for in-scope entities is who their national counterparts are, not the internal operating procedures of the networks.
National CSIRT designation under Art. 10 NIS 2 + national cyber crisis authority
Germany: CERT-Bund (at the BSI) is the designated national CSIRT on the Article 15 Network. The Federal Ministry of the Interior (BMI) represents Germany on EU-CyCLONe.
Each member state names a national CSIRT under Article 10 NIS 2 and names the authority responsible for cyber crisis management. For Germany, the BSIG confirms BSI as the national authority and CERT-Bund as the national CSIRT. The political-tier representative on EU-CyCLONe is the BMI.
CSIRT Network: operational cooperation
The Network exchanges information on CSIRT capacities, shares tools and procedures, swaps incident and threat data, coordinates response to cross-border incidents, supports member states with incidents that affect them, and feeds into coordinated vulnerability disclosure under Article 12. Technical work between technical teams.
EU-CyCLONe: political coordination
EU-CyCLONe builds preparedness for managing large-scale cybersecurity incidents and crises, develops a shared situational picture, assesses consequences and proposes how to remedy them, coordinates the political response, and (on a member state's request) discusses national large-scale incident response plans. Political work between political representatives.
When the operational layer escalates to the political layer
Small or routine cross-border incidents stay on the CSIRT Network. Large-scale incidents that need decisions at ministerial level (cross-sector impact, public communications, EU-level statements) escalate to EU-CyCLONe. The two networks are designed to hand work between each other, with ENISA as the connecting secretariat.
Technical and political are different jobs
A CSIRT analyst sharing malware signatures across borders has a different job from a ministerial advisor briefing a cabinet on whether to attribute an attack to a state actor. NIS 2 keeps them in separate networks on purpose. Mixing the two layers is how you slow down the technical response and crowd out political decision-making.
ENISA as the connective tissue
ENISA runs the secretariat for both networks. Same agency, same building, same situational awareness. That is the EU's deliberate design choice: keep the two cooperation layers structurally separate but make sure they share a common operating picture. Without that, the political layer would be reacting on stale information.
CERT-Bund (BSI) + BMI
CERT-Bund at the BSI is Germany's national CSIRT on the Article 15 Network. The Federal Ministry of the Interior (BMI) represents Germany on EU-CyCLONe. For an in-scope entity, the practical contact is BSI. The political tier runs above your head, but its decisions can shape what BSI tells you to do.
ENISA as secretariat for both networks
ENISA, the EU's cybersecurity agency, provides the secretariat for the CSIRT Network and for EU-CyCLONe. It produces guidance documents that emerge from both networks (incident response playbooks, threat reports, exercise reports). Those publications feed back into national guidance like the BSI Infopakete.
National CSIRTs + national cyber crisis authorities
Every member state names one. The Netherlands: NCSC-NL on the CSIRT Network, the Ministry of Justice and Security on EU-CyCLONe. Austria: GovCERT Austria on the Network, the Federal Chancellery on the political tier. The structure is identical EU-wide; the agencies differ by country.
"The CSIRT Network handles everything cyber-related at EU level."
It does not. The CSIRT Network is the operational and technical layer. Large-scale incidents that need political coordination (cross-sector communications, attribution decisions, ministerial briefings) escalate to EU-CyCLONe. Two networks, two layers, by design.
"EU-CyCLONe is a regulator we report to."
It is not. EU-CyCLONe is a coordination body between member state authorities. It does not regulate in-scope entities. It does not receive incident reports. Reporting under Article 23 NIS 2 goes to your national CSIRT or competent authority. EU-CyCLONe operates one tier above that, between governments.
"We file our incident reports with the CSIRT Network."
You do not. Article 23 NIS 2 says you report to your national CSIRT or competent authority. In Germany, that is the BSI. The national CSIRT then shares relevant information with the CSIRT Network where cross-border coordination is needed. The Network is your CSIRT's counterparty, not yours.
For a Stadtwerk (municipal utility) or Mittelstand (mid-sized company) IT operator, the practical touchpoint is your national CSIRT. In Germany that is CERT-Bund at the BSI. You report incidents under Article 23 NIS 2 to them, you read their advisories, you call them when something is on fire. The CSIRT Network and EU-CyCLONe run behind that interface.
Why these networks still matter to you: when a cross-border incident hits (think of a supply-chain attack affecting fifteen countries at once), the coordination that happens at CSIRT Network level is what makes your national CSIRT's response coherent with the rest of the EU. And the political coordination at EU-CyCLONe level is what determines whether the response stops at technical containment or becomes a public statement. Both shape what advice you ultimately receive.
The incident module routes notifications to your national CSIRT under Article 23 (in Germany: BSI). You do not interact with the CSIRT Network or EU-CyCLONe directly; the national CSIRT is your single counterparty for incident reporting. The platform takes care of the deadlines (24h early warning, 72h notification, one-month final report).
Our reference layer surfaces the ENISA publications and guidance documents that come out of the CSIRT Network's work. Threat advisories, joint reports, exercise findings: these feed into how we interpret 'appropriate and proportionate' under Article 21(1). You do not have to track them yourself.
- Directive (EU) 2022/2555 (NIS 2), Articles 15 and 16 — eur-lex.europa.eu/eli/dir/2022/2555/oj
- Directive (EU) 2022/2555 (NIS 2), Article 10 (CSIRT designation) and Article 23 (incident reporting)
- ENISA website on the CSIRT Network and EU-CyCLONe — enisa.europa.eu
- BSI Act (BSIG), CERT-Bund as national CSIRT under §5 BSIG
- EU-CyCLONe Standard Operating Procedures (publicly summarised by ENISA)