Your 911 for Cyberattacks
Who do you call when your network is on fire?
Most organisations find out what a national CSIRT is at the worst possible moment, usually sometime around 2am, with half their network offline. Don't be that organisation.
Later in this post you'll find an updated cheat sheet I first put together in 2022, covering the first 50 countries by population, plus everything you actually need to know before something goes wrong.
First, a few words about national CSIRTs.
What is a National CSIRT?
A national CSIRT (Computer Security Incident Response Team) is the country's central authority for coordinating cybersecurity incident response. You'll also hear them called national CERTs.
Think of them as the cyber equivalent of a national emergency coordination centre, not necessarily the first responder who turns up at your door, but the body that makes sure the right people are talking to each other when something serious happens.
Their job covers a lot of ground. They receive and triage incident reports, analyse threats, coordinate response efforts across organisations and sectors, issue warnings and advisories, share threat intelligence, and act as the official national point of contact for both domestic and international cybersecurity matters. When an attack is big enough to matter at national level, these are the people orchestrating the response.
National vs. regional CSIRTs
Most countries operate a single national CSIRT, but larger or more federated nations sometimes layer regional CSIRTs underneath the national one. That's useful when you need someone who understands local context and can respond without everything routing through the primary CSIRT first.
The general principle is straightforward: national CSIRTs handle strategic coordination and high-impact incidents; regional CSIRTs provide local support and act as a more accessible first point of contact for organisations that might not quite hit the threshold for national-level attention, or who just don't know where to start.
Who's in the wider network?
National CSIRTs don't operate in isolation. They're embedded in a broader international ecosystem that most people never think about until something goes wrong across borders.
Within the EU, ENISA (the EU Agency for Cybersecurity) coordinates the EU CSIRTs Network - a formal collaboration between national CSIRTs across all EU member states. When an incident crosses borders (and increasingly they do), this is the mechanism that lets national teams share threat intelligence and coordinate response without starting from scratch each time.
Globally, FIRST (Forum of Incident Response and Security Teams) plays a similar role. It's a worldwide membership organisation that facilitates coordination between CSIRTs regardless of geography. If your national CSIRT needs to reach a counterpart on the other side of the world at 2am, FIRST is probably how that relationship was built.
Who Trains the Trainers?
Here's something that doesn't get enough attention. The quality of your national CSIRT depends heavily on the training its staff receive, and a significant chunk of that training flows through the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE), based in Tallinn, Estonia.
The CCDCOE runs an extensive programme of residential and online courses covering topics like malware analysis, OT security, incident response and legal frameworks for cyber operations, aimed squarely at national cyber defence practitioners, including CSIRT staff.
They also run Locked Shields, the world's largest live-fire cyber defence exercise, where national teams defend simulated national infrastructure against coordinated attacks in real time. Think of it as a full-scale fire drill for the people who'd be managing your country's response to a serious attack.
The CCDCOE is also behind the Tallinn Manual, the authoritative reference on how international law applies to cyber operations — which starts to matter a lot when an incident stops looking like criminal activity and starts looking like state-sponsored aggression.
The practical upshot: the person who picks up when you report a major incident may well have been through a CCDCOE course or exercise. It's one of those organisations quietly making the whole ecosystem better in the background.
On a related note, there's now a growing commercial market in cyber ranges.
What is a Cyber range?
A cyber range is a sophisticated simulation environment that organisations and governments use to train security teams in realistic attack scenarios. It's a fast-moving space that deserves a dedicated article, but it's worth knowing these platforms are increasingly part of how CSIRT staff stay sharp between major exercises.
Who are CSIRTs actually supposed to help?
This is where people sometimes get confused, so let's be direct about it.
National CSIRTs are not consumer tech support. Their primary constituency is critical infrastructure operators in sectors like energy, water, transport, finance and healthcare, along with government entities and organisations that fall under regulations like NIS2. If a hospital network goes down or a power grid is compromised, that's squarely in national CSIRT territory.
Businesses and organisations outside these categories can still report incidents, particularly when there's a national-level risk or the situation requires coordinated support beyond what the organisation can handle internally. Most national CSIRTs will at minimum point you in the right direction.
"They're there to stop the lights going out, not recover your Instagram password"
Citizens dealing with personal cybersecurity issues or cybercrime should start with local law enforcement or their country's dedicated consumer cybercrime service. National CSIRTs aren't set up to help you recover a hacked social media account, though again, they'll usually tell you who can.
If you're genuinely unsure which service handles personal cybercrime in your country, Google is your friend. Search for "[your country] cybercrime reporting" and you'll find the right one.
NIS2 and mandatory reporting
If your organisation falls under the EU's NIS2 Directive, which came into force in October 2024 and significantly expanded the scope of the original NIS rules, reporting to your national CSIRT isn't optional. It's a legal obligation with hard deadlines.
You have 24 hours from becoming aware of a significant incident to file an early warning with your national CSIRT. Within 72 hours, you need to submit a full incident notification including your initial assessment, severity level, and indicators of compromise. A final report with root cause analysis and mitigation measures follows within 30 days.
"Significant incident" has a specific definition under NIS2, but in practice it means anything that causes or could cause serious operational disruption, financial loss, or harm to other organisations or individuals. If you're debating whether something qualifies, it probably does.
NIS2 also covers a much wider range of sectors than its predecessor, pulling in digital infrastructure, managed service providers, postal services, waste management, and food production among others. If you haven't confirmed whether your organisation is in scope, that's worth sorting out sooner rather than later.
What actually happens after you report?
Reporting to a national CSIRT isn't like filing a form and waiting. In a well-functioning response, you'll get triage and acknowledgement fairly quickly, followed by technical guidance and, depending on the severity of the incident and your sector, potentially active hands-on support.
If your incident is part of a wider campaign, you may also receive threat intelligence about other affected organisations and known indicators of compromise. And if the incident crosses sectors or national borders, your CSIRT will manage coordination with counterparts elsewhere so you're not trying to navigate that yourself at the worst possible moment.
What they won't do is take over your incident response entirely, or handle prosecution. That's law enforcement's role. Think of them as a highly capable coordinator and advisor rather than a rescue team.
"People don't look for their national CSIRT's number at 9am on a Tuesday. They need it at 2am when everything's on fire."
How to find your national CSIRT
Which brings us to the table below. I've listed national CSIRTs for the 50 most populous countries, current as of February 2026.
A quick note: some countries don't have a publicly accessible national CSIRT, or don't seem to have one at all. And one or two links may only work if you're connecting from within that country or via a VPN node there.
List was current as of February 2026.