In a nutshell: Austria is preparing its NIS2 implementation. A CSIRT representative recommends two regulatory measures: first, national security teams should be allowed to support entities outside the NIS2 perimeter, a lesson the Netherlands learned painfully; second, task definitions should clearly establish that CSIRTs use threat intelligence and warnings to help operators monitor their own systems independently.
An Austrian CSIRT team outlines core requirements for effective implementation of the NIS2 Directive. The focus is on regulations governing geographic scope and the concrete design of tasks—points that determine success or failure of the cybersecurity strategy.
During Austria’s change of government, responsibility for cybersecurity shifted from the Federal Chancellery to the Federal Ministry of the Interior. The new team faces the task of transposing the NIS2 Directive into national law. An experienced security leader raises two critical points from his practical perspective.
Expand protective scope beyond NIS2 entities
The Directive restricts CSIRT tasks to essential and important entities. However, current Austrian law contains a pragmatic regulation: CSIRTs may support entities outside the NIS perimeter if they are affected by cyber risks or incidents. The Dutch NCSC experienced this gap painfully: it could not relay warnings about compromised systems and imminent ransomware activation to affected companies because no legal basis existed. A similar problem arises with proactive network scanning. CSIRTs should identify vulnerable or insecurely configured systems and notify those responsible for them, but to do so they need complete IP address and domain directories. A legislative provision allowing CSIRTs to scan the entire national network would have significant practical benefits: fewer administrative hurdles, greater efficiency, and better overall protection without meaningful burden on Austrian businesses.
Clarify task definitions
Article 11(3) of the NIS2 Directive defines the CSIRT function as “monitoring and analysis of cyber threats, vulnerabilities and security incidents at national level” with support available for critical entities. From a practitioner’s viewpoint, this means: through alerts and cyber threat intelligence, CSIRTs support operators in monitoring their systems independently. This interpretation is sound and should be explicitly anchored in legislation.
Source: www.cert.at