
Threat Intelligence: EU National CERT & CSIRT Network

The European Union maintains a network of national Computer Security Incident Response Teams (CSIRTs) and cybersecurity agencies coordinated through ENISA (European Union Agency for Cybersecurity) and the CSIRTs Network

Module metadata

Source reference

content/modules/eu-cert-network-feeds.md

Last updated

18 Mar 2026

Category

Core modules

Content checksum

f6ab08ccd2d1a9f6

Tags

modules, real-time

Rendered documentation

This page renders the module's Markdown and Mermaid directly from the public documentation source.

Overview

The European Union maintains a network of national Computer Security Incident Response Teams (CSIRTs) and cybersecurity agencies coordinated through ENISA (European Union Agency for Cybersecurity) and the CSIRTs Network established under Article 12 of the NIS Directive. Each member state operates one or more authoritative national bodies responsible for threat information collection, incident coordination, and cybersecurity advisories. Argus integrates with twelve national cybersecurity authorities across the EU, providing a consolidated threat intelligence feed drawing from the full breadth of European national cyber expertise into a single operational picture.

Integrated National Authorities

| Integration | Authority | Country |
|---|---|---|
| cert_be | CERT.be -- Centre for Cybersecurity Belgium | Belgium |
| cert_bund | CERT-Bund -- Computer Emergency Response Team of the Federal Office for Information Security | Germany |
| bsi_bund | BSI -- Bundesamt für Sicherheit in der Informationstechnik | Germany |
| cert_ee | CERT-EE -- Estonian Information System Authority | Estonia |
| cert_fi | NCSC-FI -- National Cyber Security Centre Finland | Finland |
| cert_lv | CERT.lv -- Information Technology Security Incident Response Institution of the Republic of Latvia | Latvia |
| cert_ro | CERT-RO -- Romanian National Cybersecurity Directorate | Romania |
| cert_se | NCSC-SE -- National Cyber Security Centre Sweden | Sweden |
| cert_si | SI-CERT -- Slovenia Computer Emergency Response Team | Slovenia |
| ncsc_nl | NCSC-NL -- Nationaal Cyber Security Centrum Netherlands | Netherlands |
| nukib | NÚKIB -- National Cyber and Information Security Agency of the Czech Republic | Czech Republic |
| cncs_pt | CNCS -- Centro Nacional de Cibersegurança Portugal | Portugal |

Key Features

National Feed Synchronisation

Each national authority integration follows a consistent sync pattern: fetchCertFeed (or the equivalent per-authority operation) polls the national authority's API for new advisories, indicators, and vulnerability data. Each sync cycle captures new and updated items since the last successful sync timestamp. Feed data is normalised to the Argus indicator model and persisted under organisation and clearance-level scoping.
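The sync pattern above hinges on one detail: the cursor is the last successful sync, so a cycle that fails part-way must not move it. The following is an added illustration, not Argus code; the authority API shape (fake_cert_be_api), the raw field names (kind, indicator, tlp, updated), the Indicator dataclass and the cert_be type mapping are all assumptions constructed for the example. It normalises a whole page before persisting anything and advances the cursor to the newest item's own timestamp rather than wall-clock time, so an interrupted cycle is simply replayed from the same point.

```python
"""Incremental sync of one national CERT feed into a normalised indicator model.

Added example, not Argus's own code. The authority API shape, the raw field
names and the Indicator dataclass are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Callable


@dataclass
class Indicator:
    """Normalised indicator record (assumed fields, not the Argus schema)."""
    value: str
    ioc_type: str
    source: str        # integration name, e.g. "cert_be"
    tlp: str           # marking without the "TLP:" prefix
    org_id: str        # organisation scoping
    updated: datetime


@dataclass
class SyncState:
    """Per-integration cursor: moves only after a cycle fully succeeds."""
    source: str
    last_success: datetime


def make_state(source: str, iso_timestamp: str) -> SyncState:
    return SyncState(source, datetime.fromisoformat(iso_timestamp))


# Constructed sample of what a CERT.be-style endpoint might return
# (TEST-NET address space and a .invalid domain; nothing real).
SAMPLE_CERT_BE_ITEMS = [
    {"id": "BE-0101", "updated": "2026-03-17T08:30:00+00:00",
     "kind": "ipv4", "indicator": "203.0.113.7", "tlp": "TLP:AMBER"},
    {"id": "BE-0102", "updated": "2026-03-17T09:45:00+00:00",
     "kind": "fqdn", "indicator": "update.invalid", "tlp": "TLP:GREEN"},
    {"id": "BE-0103", "updated": "2026-03-18T06:10:00+00:00",
     "kind": "ipv4", "indicator": "198.51.100.23", "tlp": "TLP:GREEN"},
]


def fake_cert_be_api(since: datetime) -> list[dict]:
    """Stand-in for the authority's API: items updated strictly after `since`."""
    return [i for i in SAMPLE_CERT_BE_ITEMS
            if datetime.fromisoformat(i["updated"]) > since]


TYPE_MAP = {"ipv4": "ip", "fqdn": "domain"}   # assumed authority -> model types


def normalise_cert_be(raw: dict, org_id: str) -> Indicator:
    """Map one raw item onto the indicator model; an unknown type raises KeyError."""
    return Indicator(
        value=raw["indicator"],
        ioc_type=TYPE_MAP[raw["kind"]],
        source="cert_be",
        tlp=raw["tlp"].removeprefix("TLP:"),
        org_id=org_id,
        updated=datetime.fromisoformat(raw["updated"]),
    )


def fetch_cert_feed(api: Callable[[datetime], list[dict]],
                    normalise: Callable[[dict, str], Indicator],
                    state: SyncState, org_id: str,
                    store: list[Indicator]) -> list[Indicator]:
    """One sync cycle. Normalise the whole page before persisting anything and
    advance the cursor to the newest item's own timestamp, so a failed cycle
    leaves the cursor where it was and is retried from the same point."""
    raw = api(state.last_success)
    batch = [normalise(r, org_id) for r in raw]   # any failure aborts here
    store.extend(batch)
    if batch:
        state.last_success = max(i.updated for i in batch)
    return batch


if __name__ == "__main__":
    state = make_state("cert_be", "2026-03-17T09:00:00+00:00")
    store: list[Indicator] = []
    got = fetch_cert_feed(fake_cert_be_api, normalise_cert_be, state, "org-1", store)
    print(len(got), "new items; cursor now", state.last_success.isoformat())
```

Using the newest item timestamp as the cursor, rather than the time the poll ran, avoids silently skipping items the authority publishes between the poll and its own clock; the cost is that an item sharing that exact timestamp could be re-fetched, which the deduplication at ingest absorbs.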

Authoritative National Vulnerability Advisories

National CERT advisories frequently precede or supplement CVE entries in NVD. Authorities such as BSI and NCSC-NL produce detailed technical advisories for vulnerabilities affecting industrial control systems, critical infrastructure, and government IT. These advisories contain exploitation context (active exploitation in the wild, proof-of-concept code public) not always reflected in CVSS base scores alone.

Country-of-Origin Attribution Context

Indicators and advisories from each national authority carry country-of-origin metadata. Attribution claims and victim country context from Eastern European CSIRTs (CERT-EE, CERT-LV) carry particular weight for threats originating from state actors active in that geography. Argus preserves this provenance metadata through the data model.

Cross-Border Incident Correlation

ENISA's CSIRTs Network enables cross-border incident information sharing. When a coordinated attack campaign impacts multiple EU member states, multiple national feeds may produce overlapping indicators from different national perspectives. Argus deduplicates at the IOC level while preserving the multi-source provenance -- an indicator confirmed by four national CSIRTs carries significantly higher confidence than one reported by a single commercial feed.

NIS2 Incident Reporting Integration

NIS2 Article 23 requires essential and important entities to report significant incidents to national authorities. The same national authority integrations that pull advisory data into Argus provide the bilateral channel -- operators can use Argus to push incident notifications to the appropriate national CERT (CERT.be for Belgian entities, NCSC-NL for Dutch entities, etc.) meeting NIS2 notification obligations from a single interface.

Clearance-Segregated TLP Distribution

National CERT feeds carry Traffic Light Protocol (TLP) markings. TLP:RED material (restricted to named recipients), TLP:AMBER (limited distribution), TLP:GREEN (community distribution), and TLP:CLEAR (unrestricted) are handled according to the TLP standard. Argus maps TLP levels to secrecy_level values, ensuring that TLP:RED material from a national CERT bilateral sharing relationship is not leaked to users below the clearance level for that sharing arrangement.
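An added example of the mapping described above, written for this page rather than taken from Argus: the numeric levels, the record fields, the User model and the notion of per-authority "arrangements" are all assumptions. It shows the two checks the text implies, a plain clearance comparison for every marking plus a recipient check for TLP:RED, and it fails closed by treating a missing or unrecognised marking as RED. TLP:WHITE (the TLP 1.0 name) is folded into CLEAR and TLP 2.0's AMBER+STRICT is placed between AMBER and RED.

```python
"""Map TLP markings to secrecy levels and gate feed records by clearance.

Added example, not Argus's own code. The level numbers, record fields,
User model and "arrangements" set are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed ordering: higher number = more restricted.
TLP_TO_SECRECY = {"CLEAR": 0, "GREEN": 1, "AMBER": 2, "AMBER+STRICT": 3, "RED": 4}
RED_LEVEL = TLP_TO_SECRECY["RED"]


def secrecy_level_for(tlp: Optional[str]) -> int:
    """Fail closed: a missing or unrecognised marking is treated as TLP:RED."""
    if not tlp:
        return RED_LEVEL
    key = tlp.strip().upper().removeprefix("TLP:")
    if key == "WHITE":            # TLP 1.0 name for today's TLP:CLEAR
        key = "CLEAR"
    return TLP_TO_SECRECY.get(key, RED_LEVEL)


@dataclass(frozen=True)
class User:
    user_id: str
    org_id: str
    clearance: int                 # highest secrecy_level this user may read
    arrangements: frozenset        # sources whose bilateral TLP:RED material names this user


def ingest(raw_records: list[dict]) -> list[dict]:
    """Stamp secrecy_level at ingest so every later query compares integers."""
    return [dict(r, secrecy_level=secrecy_level_for(r.get("tlp"))) for r in raw_records]


def visible_to(user: User, record: dict) -> bool:
    if record["org_id"] != user.org_id:          # organisation scoping first
        return False
    level = record["secrecy_level"]
    if level > user.clearance:
        return False
    # TLP:RED is recipient-specific: clearance alone is not enough, the user
    # must be party to the sharing arrangement with that particular authority.
    if level >= RED_LEVEL and record["source"] not in user.arrangements:
        return False
    return True


def filter_feed(user: User, records: list[dict]) -> list[dict]:
    return [r for r in records if visible_to(user, r)]


# Constructed sample records (no real advisories).
SAMPLE_RECORDS = [
    {"id": "r1", "source": "cert_be", "org_id": "org-1", "tlp": "TLP:RED"},
    {"id": "r2", "source": "cert_be", "org_id": "org-1", "tlp": "TLP:AMBER"},
    {"id": "r3", "source": "ncsc_nl", "org_id": "org-1", "tlp": "TLP:CLEAR"},
    {"id": "r4", "source": "ncsc_nl", "org_id": "org-1"},               # marking missing
    {"id": "r5", "source": "cert_be", "org_id": "org-2", "tlp": "TLP:GREEN"},
    {"id": "r6", "source": "ncsc_nl", "org_id": "org-1", "tlp": "tlp:white"},
]

if __name__ == "__main__":
    records = ingest(SAMPLE_RECORDS)
    analyst = User("ana", "org-1", clearance=2, arrangements=frozenset())
    liaison = User("lia", "org-1", clearance=4, arrangements=frozenset({"cert_be"}))
    print("analyst sees", [r["id"] for r in filter_feed(analyst, records)])
    print("liaison sees", [r["id"] for r in filter_feed(liaison, records)])
```

Stamping the level at ingest rather than re-parsing the marking string on every query matters for the fail-closed rule: a record whose marking was malformed is stored as RED once, instead of being reinterpreted differently by each consumer.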

Advisory Deduplication Across Authorities

BSI (the German federal cybersecurity authority) and CERT-Bund (BSI's CERT function) are both integrated and sometimes produce overlapping advisories on the same vulnerability. Argus deduplicates advisory content across sources at ingest, preserving multi-source attribution while presenting a single advisory record to analysts.
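The two deduplication passages above (indicator-level merging across national CSIRTs under Cross-Border Incident Correlation, and advisory-level merging for BSI and CERT-Bund here) are the same operation keyed differently. The following is an added example written for this page, not Argus code: the record fields, the canonicalisation rules, the confidence scoring and the placeholder CVE and advisory references are all constructed. The source names match the integration names in the table above. One merge function collapses records that share a key while keeping each authority's own sighting, marking and reference as provenance, and scores confidence by the number of distinct national sources.

```python
"""Merge overlapping items from several authorities into one record with
multi-source provenance and a confidence score.

Added example, not Argus's own code. Record fields, canonicalisation rules,
scoring weights and the placeholder CVE ids are assumptions for illustration.
"""
from typing import Callable, Hashable

# Integration names from the page's table of national authorities.
NATIONAL_SOURCES = {
    "cert_be", "cert_bund", "bsi_bund", "cert_ee", "cert_fi", "cert_lv",
    "cert_ro", "cert_se", "cert_si", "ncsc_nl", "nukib", "cncs_pt",
}


def canonical_ioc(ioc_type: str, value: str) -> tuple:
    """Normalise case and trailing dots so 'Update.Invalid.' and 'update.invalid' collide."""
    v = value.strip()
    if ioc_type in {"domain", "url", "email", "md5", "sha1", "sha256"}:
        v = v.lower()
    if ioc_type == "domain":
        v = v.rstrip(".")
    return (ioc_type, v)


def confidence(provenance: list[dict]) -> int:
    """Constructed scoring: each distinct national CSIRT adds 20, any other feed 10, capped at 100."""
    distinct = {p["source"] for p in provenance}
    national = len(distinct & NATIONAL_SOURCES)
    return min(100, 20 * national + 10 * (len(distinct) - national))


def merge(records: list[dict], key_fn: Callable[[dict], Hashable]) -> list[dict]:
    """Collapse records sharing key_fn(record) into one, keeping every source's
    own sighting (with its TLP marking and reference) as provenance."""
    merged: dict = {}
    for r in records:
        k = key_fn(r)
        entry = merged.setdefault(k, {"key": k, "first_seen": r["seen"], "provenance": []})
        entry["provenance"].append(
            {"source": r["source"], "seen": r["seen"], "tlp": r["tlp"], "ref": r.get("ref")})
        entry["first_seen"] = min(entry["first_seen"], r["seen"])   # ISO dates sort as strings
    for e in merged.values():
        e["confidence"] = confidence(e["provenance"])
    return list(merged.values())


# Constructed sample indicators (TEST-NET address and a .invalid domain).
SAMPLE_INDICATORS = [
    {"type": "ip", "value": "203.0.113.7", "source": "cert_ee", "seen": "2026-03-16", "tlp": "GREEN"},
    {"type": "ip", "value": "203.0.113.7", "source": "cert_lv", "seen": "2026-03-15", "tlp": "GREEN"},
    {"type": "domain", "value": "Update.Invalid.", "source": "vendor_x", "seen": "2026-03-17", "tlp": "GREEN"},
    {"type": "ip", "value": "203.0.113.7", "source": "ncsc_nl", "seen": "2026-03-17", "tlp": "AMBER"},
    {"type": "domain", "value": "update.invalid", "source": "cert_si", "seen": "2026-03-14", "tlp": "GREEN"},
]

# Constructed sample advisories; CVE-0000-000x and the refs are placeholders, not real ids.
SAMPLE_ADVISORIES = [
    {"cve": "CVE-0000-0001", "source": "bsi_bund", "ref": "BSI-PLACEHOLDER-1", "seen": "2026-03-17", "tlp": "CLEAR"},
    {"cve": "CVE-0000-0001", "source": "cert_bund", "ref": "CB-PLACEHOLDER-1", "seen": "2026-03-17", "tlp": "CLEAR"},
    {"cve": "CVE-0000-0002", "source": "cert_ro", "ref": "RO-PLACEHOLDER-2", "seen": "2026-03-18", "tlp": "CLEAR"},
]


def merge_indicators(records: list[dict] = SAMPLE_INDICATORS) -> list[dict]:
    """IOC-level dedup: key is the canonicalised (type, value) pair."""
    return merge(records, lambda r: canonical_ioc(r["type"], r["value"]))


def merge_advisories(records: list[dict] = SAMPLE_ADVISORIES) -> list[dict]:
    """Advisory-level dedup: key is the referenced CVE id."""
    return merge(records, lambda r: r["cve"])


if __name__ == "__main__":
    for item in merge_indicators() + merge_advisories():
        print(item["key"], item["confidence"], [p["source"] for p in item["provenance"]])
```

Keeping each source's TLP marking inside the provenance, rather than collapsing to a single marking on the merged record, is deliberate: the same indicator can legitimately arrive as GREEN from one authority and AMBER from another, and the clearance gate needs the per-source marking to decide which sighting a given user may see.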

Use Cases

  • European Threat Landscape Morning Brief: SOC analysts start their shift with a consolidated view of overnight advisories from all twelve national authorities, highlighting new critical advisories and active exploitation warnings relevant to their asset inventory.
  • Sector-Specific Critical Infrastructure Alerting: BSI and NCSC-NL produce detailed ICS/SCADA vulnerability advisories. Operators managing critical infrastructure can filter the combined EU CERT feed for energy/water/transport sector advisories and correlate against their OT asset inventory.
  • NIS2 Compliance Operations: EU member state organisations required to report to their national CERT can track the advisory landscape from all national authorities, identify what peer organisations in their sector are being warned about, and prepare mandatory reports through the same Argus interface.
  • Election Integrity and Democratic Process Protection: CERT-EE and CERT-LV have extensive experience with state-sponsored cyber operations targeting democratic institutions. Their feeds carry particularly high-value pre-disclosure intelligence for threat actors active against European democratic institutions and government networks.
  • NATO Collective Defence Intelligence Fusion: During heightened geopolitical tension, Argus aggregates the real-time advisory outputs of the NATO/EU member state CERT network into a single fused threat picture for NATO ISR and cyber operations -- the collective European national intelligence becomes a single operational asset.

Integration

Each national authority is individually accessible via GraphQL queries prefixed with the integration name (e.g., certBeAdvisories, ncscNlAdvisories, bsiAdvisories). A unified euCertFeed query returns normalised indicators and advisories across all integrated national authorities with source attribution, supporting the consolidated European threat picture view.

All operations require authentication and organisation scoping. TLP-restricted material requires matching clearance level assignment.

Works alongside MISP (many national CERTs are MISP community members sharing via the same protocol), STIX/TAXII (some national authorities publish machine-readable STIX-formatted indicators), Sigma Rules (national authority advisories frequently include detection rule recommendations), and Suricata IDS (some authorities publish network signatures alongside advisories).

Last Reviewed: 2026-03-18