Rendered documentation
This page renders the module's Markdown and Mermaid directly from the public documentation source.
Overview
The European Union maintains a network of national Computer Security Incident Response Teams (CSIRTs) and cybersecurity agencies coordinated through ENISA (European Union Agency for Cybersecurity) and the CSIRTs Network established under Article 12 of the NIS Directive. Each member state operates one or more authoritative national bodies responsible for threat information collection, incident coordination, and cybersecurity advisories. Argus integrates with twelve national cybersecurity authorities across the EU, providing a consolidated threat intelligence feed drawing from the full breadth of European national cyber expertise into a single operational picture.
Integrated National Authorities
| Integration | Authority | Country |
|---|---|---|
| CERT.be | Centre for Cybersecurity Belgium | Belgium |
| CERT-Bund | Computer Emergency Response Team of the Federal Office for Information Security | Germany |
| BSI | Bundesamt für Sicherheit in der Informationstechnik | Germany |
| CERT-EE | Estonian Information System Authority | Estonia |
| NCSC-FI | National Cyber Security Centre Finland | Finland |
| CERT.lv | Information Technology Security Incident Response Institution of the Republic of Latvia | Latvia |
| CERT-RO | Romanian National Cybersecurity Directorate | Romania |
| NCSC-SE | National Cyber Security Centre Sweden | Sweden |
| SI-CERT | Slovenia Computer Emergency Response Team | Slovenia |
| NCSC-NL | Nationaal Cyber Security Centrum Netherlands | Netherlands |
| NÚKIB | National Cyber and Information Security Agency of the Czech Republic | Czech Republic |
| CNCS | Centro Nacional de Cibersegurança Portugal | Portugal |
Key Features
National Feed Synchronisation
Each national authority integration follows a consistent sync pattern:
fetchCertFeed (or equivalent per-authority operation) polls the national authority's API for new advisories, indicators, and vulnerability data. Each sync cycle captures new and updated items since the last successful sync timestamp. Feed data is normalised to the Argus indicator model and persisted under organisation and clearance-level scoping.
Authoritative National Vulnerability Advisories
National CERT advisories frequently precede or supplement CVE entries in NVD. Authorities such as BSI and NCSC-NL produce detailed technical advisories for vulnerabilities affecting industrial control systems, critical infrastructure, and government IT. These advisories contain exploitation context (active exploitation in the wild, proof-of-concept code public) not always reflected in CVSS base scores alone.
Country-of-Origin Attribution Context
Indicators and advisories from each national authority carry country-of-origin metadata. Attribution claims and victim-country context from Eastern European CSIRTs (CERT-EE, CERT.lv) carry particular weight for threats originating from state actors active in that geography. Argus preserves this provenance metadata throughout the data model.
Cross-Border Incident Correlation
ENISA's CSIRTs Network enables cross-border incident information sharing. When a coordinated attack campaign impacts multiple EU member states, multiple national feeds may produce overlapping indicators from different national perspectives. Argus deduplicates at the IOC level while preserving the multi-source provenance -- an indicator confirmed by four national CSIRTs carries significantly higher confidence than one reported by a single commercial feed.
NIS2 Incident Reporting Integration
NIS2 Article 23 requires essential and important entities to report significant incidents to national authorities. The same national authority integrations that pull advisory data into Argus provide the bilateral channel -- operators can use Argus to push incident notifications to the appropriate national CERT (CERT.be for Belgian entities, NCSC-NL for Dutch entities, etc.) meeting NIS2 notification obligations from a single interface.
Clearance-Segregated TLP Distribution
National CERT feeds carry Traffic Light Protocol (TLP) markings. TLP:RED material (restricted to named recipients), TLP:AMBER (limited distribution), TLP:GREEN (community distribution), and TLP:CLEAR (unrestricted) are handled according to the TLP standard. Argus maps TLP levels to secrecy_level values, ensuring that TLP:RED material from a national CERT bilateral sharing relationship is not leaked to users below the clearance level for that sharing arrangement.
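The TLP-to-clearance mapping described above, as an added illustration rather than Argus's own code. The numeric secrecy levels, the field names and the sample advisories are assumptions; unknown or missing markings are deliberately treated as TLP:RED so that a feed item with a broken marking can never leak downward.

```python
"""Added example (not Argus's own code): map TLP markings to secrecy
levels and filter a feed by a user's clearance. Level values, field
names and the sample feed are assumptions for illustration."""
from dataclasses import dataclass

# Assumed mapping: higher number = more restricted. TLP 2.0 names, with
# the retired TLP:WHITE accepted as an alias of TLP:CLEAR.
TLP_TO_SECRECY_LEVEL = {
    "TLP:CLEAR": 0,
    "TLP:WHITE": 0,
    "TLP:GREEN": 1,
    "TLP:AMBER": 2,
    "TLP:AMBER+STRICT": 2,
    "TLP:RED": 3,
}

@dataclass(frozen=True)
class Advisory:
    source: str       # national authority that published it
    advisory_id: str  # constructed identifier
    tlp: str
    title: str

def secrecy_level(tlp: str) -> int:
    """Normalise a TLP marking (case/space tolerant) to a secrecy level.
    Unknown or missing markings fail closed to the most restrictive level."""
    key = tlp.strip().upper().replace(" ", "") if tlp else ""
    return TLP_TO_SECRECY_LEVEL.get(key, TLP_TO_SECRECY_LEVEL["TLP:RED"])

def visible_to(advisories, clearance: int):
    """Return only the advisories a user with the given clearance may see."""
    return [a for a in advisories if secrecy_level(a.tlp) <= clearance]

# Constructed sample feed; identifiers and titles are made up.
SAMPLE_FEED = [
    Advisory("CERT.be", "X-1", "TLP:CLEAR", "Public advisory"),
    Advisory("NCSC-NL", "X-2", "tlp: amber", "Sector-limited advisory"),
    Advisory("BSI", "X-3", "TLP:RED", "Bilateral sharing only"),
    Advisory("CERT-EE", "X-4", "", "Marking missing from feed"),
]
```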
Advisory Deduplication Across Authorities
BSI (the German federal cybersecurity authority) and CERT-Bund (BSI's CERT function) are both integrated and sometimes produce overlapping advisories on the same vulnerability. Argus deduplicates advisory content across sources at ingest, preserving multi-source attribution while presenting a single advisory record to analysts.
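The IOC-level deduplication with preserved multi-source provenance described under Cross-Border Incident Correlation and in the BSI/CERT-Bund case above, as an added example that is not Argus's own code. The indicator fields, the confidence formula and the sample feed items are assumptions; the point shown is that normalisation makes the same IOC from four feeds collapse into one record whose confidence rises with each independent national source.

```python
"""Added example (not Argus's own code): merge indicators arriving from
several national authorities into one record per IOC while keeping every
reporting source. Field names, the confidence formula and the sample
feed items are assumptions."""
from dataclasses import dataclass, field

@dataclass
class Indicator:
    ioc_type: str            # e.g. "domain", "ipv4", "sha256"
    value: str               # normalised indicator value
    sources: set = field(default_factory=set)  # authorities reporting it
    first_seen: str = ""     # earliest report date seen (ISO date)

    @property
    def confidence(self) -> int:
        """Assumed scoring: one source = 40, each extra source +20, capped at 100."""
        return min(100, 40 + 20 * (len(self.sources) - 1))

def normalise(ioc_type: str, value: str) -> str:
    """Canonical form so the same IOC from different feeds compares equal."""
    v = value.strip()
    if ioc_type in ("domain", "sha256", "md5"):
        v = v.lower().rstrip(".")
    return v

def merge_feeds(items):
    """items: iterable of (source, ioc_type, value, reported_on).
    Returns {(ioc_type, value): Indicator}, deduplicated at IOC level."""
    merged = {}
    for source, ioc_type, value, reported_on in items:
        key = (ioc_type, normalise(ioc_type, value))
        ind = merged.setdefault(key, Indicator(ioc_type, key[1]))
        ind.sources.add(source)
        if not ind.first_seen or reported_on < ind.first_seen:
            ind.first_seen = reported_on
    return merged

# Constructed sample: several national feeds reporting during one campaign
# (reserved example domain and TEST-NET address; hash is made up).
SAMPLE_ITEMS = [
    ("CERT.be",   "domain", "evil.example.",  "2026-03-02"),
    ("NCSC-NL",   "domain", "EVIL.example",   "2026-03-01"),
    ("CERT-EE",   "domain", "evil.example",   "2026-03-03"),
    ("CERT.lv",   "domain", "evil.example",   "2026-03-03"),
    ("BSI",       "sha256", "AbC" + "0" * 61, "2026-03-02"),
    ("CERT-Bund", "sha256", "abc" + "0" * 61, "2026-03-02"),
    ("SI-CERT",   "ipv4",   "192.0.2.10",     "2026-03-04"),
]
```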
Use Cases
- European Threat Landscape Morning Brief: SOC analysts start their shift with a consolidated view of overnight advisories from all twelve national authorities, highlighting new critical advisories and active exploitation warnings relevant to their asset inventory.
- Sector-Specific Critical Infrastructure Alerting: BSI and NCSC-NL produce detailed ICS/SCADA vulnerability advisories. Operators managing critical infrastructure can filter the combined EU CERT feed for energy/water/transport sector advisories and correlate against their OT asset inventory.
- NIS2 Compliance Operations: EU member state organisations required to report to their national CERT can track the advisory landscape from all national authorities, identify what peer organisations in their sector are being warned about, and prepare mandatory reports through the same Argus interface.
- Election Integrity and Democratic Process Protection: CERT-EE and CERT.lv have extensive experience with state-sponsored cyber operations targeting democratic institutions. Their feeds carry particularly high-value pre-disclosure intelligence on threat actors active against European democratic institutions and government networks.
- NATO Collective Defence Intelligence Fusion: During heightened geopolitical tension, Argus aggregates the real-time advisory outputs of the NATO/EU member state CERT network into a single fused threat picture for NATO ISR and cyber operations -- the collective European national intelligence becomes a single operational asset.
Integration
Each national authority is individually accessible via GraphQL queries prefixed with the integration name (e.g., certBeAdvisories, ncscNlAdvisories, bsiAdvisories). A unified euCertFeed query returns normalised indicators and advisories across all integrated national authorities with source attribution, supporting the consolidated European threat picture view.
All operations require authentication and organisation scoping. TLP-restricted material requires matching clearance level assignment.
Works alongside MISP (many national CERTs are MISP community members sharing via the same protocol), STIX/TAXII (some national authorities publish machine-readable STIX-formatted indicators), Sigma Rules (national authority advisories frequently include detection rule recommendations), and Suricata IDS (some authorities publish network signatures alongside advisories).
Last Reviewed: 2026-03-18