
NIS2 Implementation: Critical Requirements for Legislation from CSIRT Perspective

Bottom line: Austria’s national CSIRT demands legal clarity on two key points of NIS2 implementation: first, authorization for nationwide vulnerability scanning and data processing beyond regulated entities—lessons from Dutch counterparts—and second, precise definition of support tasks for essential entities through cyber-threat intelligence sharing rather than reactive assistance only.

As an Austrian cybersecurity team, we see two critical points in implementing the EU NIS2 Directive that will determine the effectiveness of our work: a clear legal basis for proactive scans across the entire country and precise task definitions for national CERTs.

With the transfer of cyber agendas from the Federal Chancellery to the Federal Ministry of the Interior, the draft of the Austrian NIS2 law is also being redrawn. As the national CSIRT, we would like to bring two practical points to the attention of the responsible team that would significantly improve our operational efficiency.

**Legal Framework for Nationwide Vulnerability Scanning**

The NIS2 Directive restricts CSIRT tasks to essential and important entities. However, the current Austrian law (§14 NISG) wisely includes an opening clause: teams may also assist other entities if they are affected by incidents. This principle is life-saving – our Dutch colleagues experienced the following scenario without such a legal basis: a partner informed them of compromised systems on which ransomware activation was imminent. However, these systems were not within the regulatory scope. The NCSC Netherlands was not allowed to pass on the warnings – purely for legal reasons.

The same applies to proactive scanning pursuant to Article 11 of the NIS2 Directive. This vulnerability scanning is intended to uncover security gaps and inform the affected organizations. To do this effectively, we would need complete, up-to-date directories of all IP addresses and domains of regulated entities. Realistically, acquiring and maintaining such data is unlikely to work reliably. The solution is pragmatic: give us the legal freedom to scan the entire country. This does not burden any Austrian company and makes our work more transparent and effective – not to mention the security benefits for the entire country.

**Clear Definition of CSIRT Support Tasks**

Article 11(3) of the Directive obliges us to “monitor and analyze cyber threats” with support for essential entities in real-time monitoring of their systems. We interpret this as: we issue warnings and share cyber-threat intelligence to help organizations conduct their own independent monitoring. This preventive, informative role is more meaningful and scalable than being merely a reactive emergency responder.


Source: www.cert.at
