{"id":"eu-cert-network-feeds","slug":"eu-cert-network-feeds","title":"Threat Intelligence: EU National CERT and CSIRT Network","description":"During a coordinated cyberattack campaign targeting European government networks in early 2025, CERT-EE and CERT-LV were among the first to publish technical indicators, drawing on their substantial experience with state","category":"modules","tags":["modules","real-time","compliance"],"lastModified":"2026-03-18","source_ref":"content/modules/eu-cert-network-feeds.md","url":"/developers/eu-cert-network-feeds","htmlPath":"/developers/eu-cert-network-feeds","jsonPath":"/api/docs/modules/eu-cert-network-feeds","markdownPath":"/api/docs/modules/eu-cert-network-feeds?format=markdown","checksum":"4f7b30d410516cfac147a07491929ce6882987e6230e62e6c6f015997e09d019","headings":[{"id":"overview","text":"Overview","level":2},{"id":"integrated-national-authorities","text":"Integrated National Authorities","level":2},{"id":"key-features","text":"Key Features","level":2},{"id":"national-feed-synchronization","text":"National Feed Synchronization","level":3},{"id":"authoritative-national-vulnerability-advisories","text":"Authoritative National Vulnerability Advisories","level":3},{"id":"country-of-origin-attribution-context","text":"Country-of-Origin Attribution Context","level":3},{"id":"cross-border-incident-correlation","text":"Cross-Border Incident Correlation","level":3},{"id":"nis2-incident-reporting-integration","text":"NIS2 Incident Reporting Integration","level":3},{"id":"clearance-segregated-tlp-distribution","text":"Clearance-Segregated TLP Distribution","level":3},{"id":"advisory-deduplication-across-authorities","text":"Advisory Deduplication Across Authorities","level":3},{"id":"use-cases","text":"Use Cases","level":2},{"id":"integration","text":"Integration","level":2}],"markdown":"# Threat Intelligence: EU National CERT and CSIRT Network\n\n## Overview\n\nDuring a coordinated cyberattack campaign targeting European government 
networks in early 2025, CERT-EE and CERT-LV were among the first to publish technical indicators, drawing on their substantial experience with state-sponsored operations active in their geography. Within hours, BSI and NCSC-NL had published corroborating advisories with additional technical detail. An analyst using Argus saw all four national authority advisories in a single consolidated view, deduplicated the overlapping IOC set, and confirmed that three C2 domains were independently reported by four separate national authorities. That multi-source confirmation elevated the confidence assessment from possible to high. The combined intelligence from twelve national CERT feeds, processed automatically, provided a threat picture no single national authority could have produced alone.\n\nThe European Union maintains a network of national Computer Security Incident Response Teams (CSIRTs) and cybersecurity agencies coordinated through ENISA (European Union Agency for Cybersecurity) and the CSIRTs Network established under Article 12 of the NIS Directive. Each member state operates one or more authoritative national bodies responsible for threat information collection, incident coordination, and cybersecurity advisories. 
Argus integrates with twelve national cybersecurity authorities across the EU, exposing their authority-specific advisory, alert, incident, warning, and statistics surfaces inside a single operational workspace.\n\n```mermaid\nflowchart LR\n    A[12 National CERT Feeds] --> B[Per-Authority Sync Mutations]\n    B --> C[IOC Deduplication at Ingest]\n    C --> D[TLP Level Mapping to secrecy_level]\n    D --> E[Multi-Source Provenance Preserved]\n    E --> F[Analyst Consolidated View]\n    F --> G[MISP Indicator Cross-Reference]\n    F --> H[Sigma / Suricata Rule Correlation]\n    F --> I[NIS2 Compliance Workflow Support]\n```\n\n**Last Reviewed:** 2026-03-18\n**Last Updated:** 2026-04-14\n\n## Integrated National Authorities\n\n| Integration | Authority | Country |\n|---|---|---|\n| `cert_be` | CERT.be: Centre for Cybersecurity Belgium | Belgium |\n| `cert_bund` | CERT-Bund: Computer Emergency Response Team of the Federal Office for Information Security | Germany |\n| `bsi_bund` | BSI: Bundesamt für Sicherheit in der Informationstechnik | Germany |\n| `cert_ee` | CERT-EE: Estonian Information System Authority | Estonia |\n| `cert_fi` | NCSC-FI: National Cyber Security Centre Finland | Finland |\n| `cert_lv` | CERT.lv: Information Technology Security Incident Response Institution of the Republic of Latvia | Latvia |\n| `cert_ro` | CERT-RO: Romanian National Cybersecurity Directorate | Romania |\n| `cert_se` | NCSC-SE: National Cyber Security Centre Sweden | Sweden |\n| `cert_si` | SI-CERT: Slovenia Computer Emergency Response Team | Slovenia |\n| `ncsc_nl` | NCSC-NL: Nationaal Cyber Security Centrum Netherlands | Netherlands |\n| `nukib` | NÚKIB: National Cyber and Information Security Agency of the Czech Republic | Czech Republic |\n| `cncs_pt` | CNCS: Centro Nacional de Cibersegurança Portugal | Portugal |\n\n## Key Features\n\n### National Feed Synchronization\n\nEach national authority integration exposes its own typed query and sync mutation pair rather than a 
single shared contract. Examples include `certBeAdvisories` with `syncCertBeAdvisory`, `certBundAlerts` with `syncCertBundAlert`, `certEeIncidents` with `syncCertEeIncident`, `bsiAdvisories` with `syncBsiAdvisory`, and `ncscNlAdvisories` with `syncNcscNlAdvisory`. Feed data is persisted under organisation and clearance-level scoping.\n\n### Authoritative National Vulnerability Advisories\n\nNational CERT advisories frequently precede or supplement CVE entries in NVD. Authorities such as BSI and NCSC-NL produce detailed technical advisories for vulnerabilities affecting industrial control systems, critical infrastructure, and government IT. These advisories contain exploitation context, including active exploitation in the wild and public proof-of-concept availability, that is not always reflected in CVSS base scores alone.\n\n### Country-of-Origin Attribution Context\n\nIndicators and advisories from each national authority carry country-of-origin metadata. Attribution claims and victim country context from Eastern European CSIRTs (CERT-EE, CERT-LV) carry particular weight for threats originating from state actors active in that geography. Argus preserves this provenance metadata through the data model.\n\n### Cross-Border Incident Correlation\n\nENISA's CSIRTs Network enables cross-border incident information sharing. When a coordinated attack campaign impacts multiple EU member states, multiple national feeds may produce overlapping indicators from different national perspectives. Argus deduplicates at the IOC level while preserving the multi-source provenance: an indicator confirmed by four national CSIRTs carries significantly higher confidence than one reported by a single commercial feed.\n\n### NIS2 Incident Reporting Integration\n\nNIS2 Article 23 requires essential and important entities to report significant incidents to national authorities. 
Argus supports the surrounding compliance workflow, but the national CERT integrations documented here are authority-specific ingest and synchronization surfaces rather than direct outbound notification submission channels to those authorities.\n\n### Clearance-Segregated TLP Distribution\n\nNational CERT feeds carry Traffic Light Protocol (TLP) markings. TLP:RED material (restricted to named recipients), TLP:AMBER (limited distribution), TLP:GREEN (community distribution), and TLP:CLEAR (unrestricted) are handled according to the TLP standard. Argus maps TLP levels to `secrecy_level` values, ensuring that TLP:RED material from a national CERT bilateral sharing relationship is not leaked to users below the clearance level for that sharing arrangement.\n\n### Advisory Deduplication Across Authorities\n\nBSI (the German federal cybersecurity authority) and CERT-Bund (BSI's CERT function) are both integrated and sometimes produce overlapping advisories on the same vulnerability. Argus deduplicates advisory content across sources at ingest, preserving multi-source attribution while presenting a single advisory record to analysts.\n\n## Use Cases\n\n- **European Threat Landscape Morning Brief**: SOC analysts start their shift with a consolidated view of overnight advisories from all twelve national authorities, highlighting new critical advisories and active exploitation warnings relevant to their asset inventory.\n- **Sector-Specific Critical Infrastructure Alerting**: BSI and NCSC-NL produce detailed ICS/SCADA vulnerability advisories. 
Operators managing critical infrastructure can filter the combined EU CERT feed for energy, water, and transport sector advisories and correlate against their OT asset inventory.\n- **NIS2 Compliance Operations**: EU member state organisations required to report to their national CERT can track the advisory landscape from all national authorities, identify what peer organisations in their sector are being warned about, and prepare compliance workflows in Argus alongside the national CERT data they consume.\n- **Election Integrity and Democratic Process Protection**: CERT-EE and CERT-LV have extensive experience with state-sponsored cyber operations targeting democratic institutions. Their feeds carry high-value pre-disclosure intelligence for threat actors active against European democratic institutions and government networks.\n- **NATO Collective Defence Intelligence Fusion**: During heightened geopolitical tension, Argus aggregates the real-time advisory outputs of the NATO and EU member state CERT network into a single fused threat picture for NATO ISR and cyber operations.\n\n## Integration\n\nEach national authority is individually accessible via its own GraphQL surface, for example `certBeAdvisories`, `certBundAlerts`, `certEeIncidents`, `ncscNlAdvisories`, `bsiAdvisories`, `nukibWarnings`, and the corresponding per-authority stats and sync mutations. There is no single `euCertFeed` GraphQL field; consolidated European views are composed at the application layer from the individual authority domains.\n\nAll operations require authentication and organisation scoping. 
TLP-restricted material requires a matching clearance-level assignment.\n\nThe national CERT integrations work alongside MISP (many national CERTs share via the MISP protocol), STIX/TAXII (some national authorities publish machine-readable STIX-formatted indicators), Sigma rules (national authority advisories frequently include detection rule recommendations), and Suricata IDS (some authorities publish network signatures alongside advisories).\n"}