Skip to main content
GFCE 2017 Joint Cyber Incident Response Teams
Geographical scope: National, Cross-border
What

Description

The Global Forum on Cyber Expertise (GFCE) Global Good Practices for National CSIRTs is a comprehensive reference document that synthesises international experience to guide the establishment, development, and professionalisation of national Computer Security Incident Response Teams. The document covers the full spectrum of national CSIRT functions, including mandate definition, governance models, stakeholder relationships, operational procedures, technical tooling, information sharing arrangements, and capacity building pathways. It draws on case studies and lessons learned from CSIRTs across diverse regional and institutional contexts, providing practical guidance applicable to both emerging and established teams. The good practices are structured to support cross-border CSIRT coordination by emphasising interoperability, standardised communication channels, and alignment with international frameworks such as the ITU-T and FIRST guidelines.

Where

Geographical Scope

Global, with direct applicability to EU27 Member States. The GFCE framework has been used in national CSIRT development programmes across Africa, Asia, Latin America, and Eastern Europe, often in partnership with ENISA, ITU, and bilateral development agencies.

Problems Solved

Relevance to Civil-Defence Cooperation

This practice addresses the following cooperation needs identified in the COcyber needs assessment (D2.2). Filled squares indicate needs directly addressed by the practice.

  • Fragmentation of cybersecurity efforts
  • Lack of information-sharing
  • Lack of awareness capacity
  • Lack of dual-use technologies
  • Lack of coordinated policies
  • Lack of cross-pollination
  • Lack of cutting-edge innovation
  • Cultural differences
Impact

Benefits & Challenges

Anticipated Benefits

  • Provides a globally validated, practical reference for national CSIRT development that reduces the risk of reinventing established solutions.
  • Promotes interoperability between national CSIRTs by encouraging adoption of shared standards and communication protocols.
  • Offers a common baseline for cross-border CSIRT cooperation, facilitating mutual assistance and information sharing during transnational incidents.
  • Supports capacity building in developing countries and regions, contributing to a more resilient global cybersecurity ecosystem.
  • Bridges civilian and defence CSIRT functions by addressing the full spectrum of national incident response, including cross-sector coordination.

Anticipated Challenges

  • The generality of the good practices may require significant national adaptation to fit specific legal, institutional, and resource contexts.
  • Implementing the full range of recommended practices requires sustained political commitment and long-term funding not always available in developing contexts.
  • Cultural and linguistic differences across regions may impede the uniform adoption of communication standards and shared protocols.
  • Keeping the framework current with the rapidly evolving threat landscape and technological developments requires regular revision cycles.
  • Ensuring genuine civil-military coordination within national CSIRT structures faces institutional and classification barriers in many countries.
How

Domains

Threat Intel.
COcyber Project - D4.1 Guidelines on Cybersecurity Civil-Defence Cooperation - 2024-2026
Back to Repository of Practices