Five European CSIRTs, five different beats
The landing page surfaces five European national Computer Security Incident Response Teams — INCIBE, CERT-PL, BSI, NCSC-NL, CIRCL — as advisory references against ~1,500 CVEs. We expected them to be duplicating NVD content in the local language; the data says no. Each one specialises on a distinct slice of the vulnerability surface that the global catalogues under-cover.
What we ingest from each CSIRT
The references come from the ENISA Vulnerability Database (EUVD). For each CVE, EUVD lists which national CSIRTs published an advisory pointing to it. We store the link, the host, and the country code on the CVE record. The advisory content lives at the CSIRT URL — we don’t scrape or mirror it.
Live counts as of today:
| CSIRT | Country | CVEs referenced | Host |
|---|---|---|---|
| INCIBE | 🇪🇸 Spain | 1,024 | incibe.es |
| CERT-PL | 🇵🇱 Poland | 388 | cert.pl |
| BSI | 🇩🇪 Germany | 11 | bsi.bund.de |
| NCSC-NL | 🇳🇱 Netherlands | 14 | advisories.ncsc.nl |
| CIRCL | 🇱🇺 Luxembourg | 13 | vulnerability.circl.lu |
The volume spread is the first surprise. INCIBE alone is ~7× CERT-PL and ~70× the three smaller CSIRTs combined. That doesn’t reflect Spanish industry being more vulnerable; it reflects INCIBE’s policy of issuing a public CERT advisory for every cataloged vendor request. CERT-PL operates similarly. BSI, NCSC-NL, and CIRCL publish more selectively.
What this article is not
We hoped to publish a publication-speed comparison — which CSIRT consistently advises first on a fresh CVE? The data doesn’t support it. The EUVD record stores the aggregation date, not each individual CSIRT’s advisory date, and the aggregation lag against NVD publish is effectively zero (EUVD pulls in references the same day NVD publishes the CVE, on average). To rank speed we’d need to scrape each CSIRT’s advisory page for its own publication timestamp — a project for a future iteration.
What the data does support is a coverage-pattern audit. Which vendors does each CSIRT advise on?
INCIBE: Spanish small-vendor SaaS
INCIBE’s top vendors by reference count are almost all
Spanish-domestic SaaS and SMB software companies:
Creartia Internet Consulting (40
references), AndSoft (40), Janobe
(38), Apprain (32), BigProf
(28). These are not names that show up in CISA KEV; they barely
show up in NVD search results outside of INCIBE’s own
advisories. Recent example: CVE-2026-4320, an
authorization bypass in the
Creartia ICMS Content Management platform — a
Spanish CMS used by Spanish operators. NVD has the CVE; INCIBE
provides the actual advisory page with remediation context.
This is INCIBE’s real value. Spanish-language vendor ecosystems get systematically under-cataloged by English-language vulnerability databases. INCIBE fills that gap and ENISA aggregates the result. If your asset surface has any Spanish-vendor SaaS, INCIBE references are the place to look.
CERT-PL: Polish vendors and a numbering scheme
CERT-PL’s pattern is similar — Polish-vendor
coverage that NVD wouldn’t prioritise alone:
CGM (25), OpenSolution (22),
Soplanning (15), Jan Syski
(12), Raytha (11). Recent examples:
CVE-2026-47324 and CVE-2026-47325
— XSS and predictable-credential bugs in
ProjectsAndPrograms school-management-system, published
under CERT-PL’s sequential advisory URL scheme
(cert.pl/en/posts/2026/06/CVE-2026-47324/). The
scheme makes it easy to walk CERT-PL’s advisory archive
chronologically — each CVE-id gets its own permalink with
the same path shape.
Of note: CERT-PL frequently coordinates the disclosure
themselves (the
cvd@cert.pl email shows up in NVD as a third-party
reference contact). That implies CERT-PL is doing the vendor
outreach + CVE assignment, not just republishing afterwards.
For Polish-vendor SaaS, CERT-PL is often the upstream source.
BSI: international vendors with German impact
BSI’s 11 references break a different way. Top vendor:
QNAP Systems (1 reference; the other 10 are
“n/a” in the EUVD record). The substantive examples
we can verify are international — CVE-2023-50358
QNAP NAS command injection;
CVE-2019-11073 PRTG Network Monitor RCE;
CVE-2019-19232 Sudo Runas impersonation. BSI’s
Cybersicherheitswarnungen surface looks like it’s tuned to
what affects German federal and operator infrastructure, not
to German-domestic vendors per se.
Reading 11 advisories doesn’t support stronger claims than that. BSI publishes way more than 11 advisories in total — what we see is the subset that EUVD indexed against specific CVE-ids. The thinness here reflects an indexing gap, not a publishing gap.
NCSC-NL: small but operationally focused
NCSC-NL’s 14 references are dominated by Kiloview (10 references) — a Chinese video encoder/decoder vendor whose products end up in Dutch broadcast and AV deployments. Other recent picks: CFMOTO (a Chinese vehicle manufacturer with an IDOR in the vehicle-API), Extreme Networks Aerohive HiveOS. The pattern is operational: when the Netherlands has deployed-base exposure on a specific OT or network vendor, NCSC-NL puts up the advisory.
CIRCL: a CSIRT advising on its own software
CIRCL’s 13 references include the most unusual category
on the list: they advise on their own tools.
CIRCL maintains MISP, the AIL framework,
RansomLook, and others as open-source security
infrastructure used by other CSIRTs and SOCs. When a vulnerability
is found in those tools, CIRCL is the natural reporter and
assigner. Recent examples: CVE-2026-40584 in
RansomLook, CVE-2026-39416 in the AIL framework,
CVE-2025-67906 XSS in MISP. The advisory URL scheme
— vulnerability.circl.lu/vuln/gcve-1-YYYY-NNNN
— reflects CIRCL’s parallel CVE-numbering effort
(GCVE) for their internal coordination.
For practitioners running MISP or any of the CIRCL-maintained tools, CIRCL’s vulnerability index is effectively the upstream security feed.
Honest caveats
This audit is over ~1,500 advisory references for five CSIRTs — a small slice of what European CSIRTs publish and what EUVD indexes. There are ~30 CSIRTs in EUVD’s full feed; the five surfaced on the landing page are simply the highest-volume contributors. The patterns I draw here hold for the visible sample; the long tail of smaller CSIRTs may have different shape entirely.
Other limitations to keep in mind:
- Vendor metadata is uneven. BSI records are 10 of 11 “n/a” for vendor. Some of the “Top vendor” rankings reflect cataloguing depth as much as actual focus.
- We don’t scrape advisory content. Country-specific guidance (NIS2 references, national-regulator contacts, sector-specific impact notes) lives at the CSIRT URL — not in our DB. If you need that depth, follow the link.
- No publication-speed ranking yet. EUVD aggregation date is not the same as the CSIRT’s own publication date. A speed comparison needs per-CSIRT scraping for the original advisory timestamp.
How to use this on the site
Every CVE detail page has an EU & UK References section that surfaces these CSIRT advisory links with the country flag. The section appears on every CVE page where at least one of the five CSIRTs (or NCSC-UK) published an advisory. If you’re operating in any of these regions, treat those links as the regulator’s view: they may carry sector-specific obligations that NVD’s neutral CVE description doesn’t.
TL;DR
- Five European CSIRTs surface ~1,500 advisory references on this site. They specialise on regional vendor coverage, not duplicating NVD.
- INCIBE — Spanish SaaS / SMB vendors (1,024 refs). CERT-PL — Polish vendors with upstream CVD coordination (388). BSI — international vendors with German-operator impact (11). NCSC-NL — OT and network gear in deployed Dutch base (14). CIRCL — advises on its own widely-used security tools (13).
- If your asset surface includes Spanish or Polish SaaS, the “long tail” that NVD under-covers is in the INCIBE / CERT-PL advisories. Read them.
- The site doesn’t reproduce CSIRT advisory content — it links to it. Country-specific guidance lives at the source.
Last updated 06 June 2026. Data: live aggregation of the
euvd_vulnerabilities collection (~354k records).
Companion to the cross-walk
article and the
four-dimensions primer.