Cyber Resilience

Five European CSIRTs, five different beats

The landing page surfaces five European national Computer Security Incident Response Teams — INCIBE, CERT-PL, BSI, NCSC-NL, CIRCL — as advisory references against ~1,500 CVEs. We expected them to be duplicating NVD content in the local language; the data says no. Each one specialises on a distinct slice of the vulnerability surface that the global catalogues under-cover.

What we ingest from each CSIRT

The references come from the ENISA Vulnerability Database (EUVD). For each CVE, EUVD lists which national CSIRTs published an advisory pointing to it. We store the link, the host, and the country code on the CVE record. The advisory content lives at the CSIRT URL — we don’t scrape or mirror it.

Live counts as of today:

CSIRT Country CVEs referenced Host
INCIBE🇪🇸 Spain1,024incibe.es
CERT-PL🇵🇱 Poland388cert.pl
BSI🇩🇪 Germany11bsi.bund.de
NCSC-NL🇳🇱 Netherlands14advisories.ncsc.nl
CIRCL🇱🇺 Luxembourg13vulnerability.circl.lu

The volume spread is the first surprise. INCIBE alone is ~7× CERT-PL and ~70× the three smaller CSIRTs combined. That doesn’t reflect Spanish industry being more vulnerable; it reflects INCIBE’s policy of issuing a public CERT advisory for every cataloged vendor request. CERT-PL operates similarly. BSI, NCSC-NL, and CIRCL publish more selectively.

What this article is not

We hoped to publish a publication-speed comparison — which CSIRT consistently advises first on a fresh CVE? The data doesn’t support it. The EUVD record stores the aggregation date, not each individual CSIRT’s advisory date, and the aggregation lag against NVD publish is effectively zero (EUVD pulls in references the same day NVD publishes the CVE, on average). To rank speed we’d need to scrape each CSIRT’s advisory page for its own publication timestamp — a project for a future iteration.

What the data does support is a coverage-pattern audit. Which vendors does each CSIRT advise on?

INCIBE: Spanish small-vendor SaaS

INCIBE’s top vendors by reference count are almost all Spanish-domestic SaaS and SMB software companies: Creartia Internet Consulting (40 references), AndSoft (40), Janobe (38), Apprain (32), BigProf (28). These are not names that show up in CISA KEV; they barely show up in NVD search results outside of INCIBE’s own advisories. Recent example: CVE-2026-4320, an authorization bypass in the Creartia ICMS Content Management platform — a Spanish CMS used by Spanish operators. NVD has the CVE; INCIBE provides the actual advisory page with remediation context.

This is INCIBE’s real value. Spanish-language vendor ecosystems get systematically under-cataloged by English-language vulnerability databases. INCIBE fills that gap and ENISA aggregates the result. If your asset surface has any Spanish-vendor SaaS, INCIBE references are the place to look.

CERT-PL: Polish vendors and a numbering scheme

CERT-PL’s pattern is similar — Polish-vendor coverage that NVD wouldn’t prioritise alone: CGM (25), OpenSolution (22), Soplanning (15), Jan Syski (12), Raytha (11). Recent examples: CVE-2026-47324 and CVE-2026-47325 — XSS and predictable-credential bugs in ProjectsAndPrograms school-management-system, published under CERT-PL’s sequential advisory URL scheme (cert.pl/en/posts/2026/06/CVE-2026-47324/). The scheme makes it easy to walk CERT-PL’s advisory archive chronologically — each CVE-id gets its own permalink with the same path shape.

Of note: CERT-PL frequently coordinates the disclosure themselves (the cvd@cert.pl email shows up in NVD as a third-party reference contact). That implies CERT-PL is doing the vendor outreach + CVE assignment, not just republishing afterwards. For Polish-vendor SaaS, CERT-PL is often the upstream source.

BSI: international vendors with German impact

BSI’s 11 references break a different way. Top vendor: QNAP Systems (1 reference; the other 10 are “n/a” in the EUVD record). The substantive examples we can verify are international — CVE-2023-50358 QNAP NAS command injection; CVE-2019-11073 PRTG Network Monitor RCE; CVE-2019-19232 Sudo Runas impersonation. BSI’s Cybersicherheitswarnungen surface looks like it’s tuned to what affects German federal and operator infrastructure, not to German-domestic vendors per se.

Reading 11 advisories doesn’t support stronger claims than that. BSI publishes way more than 11 advisories in total — what we see is the subset that EUVD indexed against specific CVE-ids. The thinness here reflects an indexing gap, not a publishing gap.

NCSC-NL: small but operationally focused

NCSC-NL’s 14 references are dominated by Kiloview (10 references) — a Chinese video encoder/decoder vendor whose products end up in Dutch broadcast and AV deployments. Other recent picks: CFMOTO (a Chinese vehicle manufacturer with an IDOR in the vehicle-API), Extreme Networks Aerohive HiveOS. The pattern is operational: when the Netherlands has deployed-base exposure on a specific OT or network vendor, NCSC-NL puts up the advisory.

CIRCL: a CSIRT advising on its own software

CIRCL’s 13 references include the most unusual category on the list: they advise on their own tools. CIRCL maintains MISP, the AIL framework, RansomLook, and others as open-source security infrastructure used by other CSIRTs and SOCs. When a vulnerability is found in those tools, CIRCL is the natural reporter and assigner. Recent examples: CVE-2026-40584 in RansomLook, CVE-2026-39416 in the AIL framework, CVE-2025-67906 XSS in MISP. The advisory URL scheme — vulnerability.circl.lu/vuln/gcve-1-YYYY-NNNN — reflects CIRCL’s parallel CVE-numbering effort (GCVE) for their internal coordination.

For practitioners running MISP or any of the CIRCL-maintained tools, CIRCL’s vulnerability index is effectively the upstream security feed.

Honest caveats

This audit is over ~1,500 advisory references for five CSIRTs — a small slice of what European CSIRTs publish and what EUVD indexes. There are ~30 CSIRTs in EUVD’s full feed; the five surfaced on the landing page are simply the highest-volume contributors. The patterns I draw here hold for the visible sample; the long tail of smaller CSIRTs may have different shape entirely.

Other limitations to keep in mind:

How to use this on the site

Every CVE detail page has an EU & UK References section that surfaces these CSIRT advisory links with the country flag. The section appears on every CVE page where at least one of the five CSIRTs (or NCSC-UK) published an advisory. If you’re operating in any of these regions, treat those links as the regulator’s view: they may carry sector-specific obligations that NVD’s neutral CVE description doesn’t.

TL;DR

  • Five European CSIRTs surface ~1,500 advisory references on this site. They specialise on regional vendor coverage, not duplicating NVD.
  • INCIBE — Spanish SaaS / SMB vendors (1,024 refs). CERT-PL — Polish vendors with upstream CVD coordination (388). BSI — international vendors with German-operator impact (11). NCSC-NL — OT and network gear in deployed Dutch base (14). CIRCL — advises on its own widely-used security tools (13).
  • If your asset surface includes Spanish or Polish SaaS, the “long tail” that NVD under-covers is in the INCIBE / CERT-PL advisories. Read them.
  • The site doesn’t reproduce CSIRT advisory content — it links to it. Country-specific guidance lives at the source.

Last updated 06 June 2026. Data: live aggregation of the euvd_vulnerabilities collection (~354k records). Companion to the cross-walk article and the four-dimensions primer.