
Roles of CSIRT Units in Proactive Cybersecurity Assessment and its Boundaries
The evolving cybersecurity landscape demands a shift in the roles of CSIRT units, emphasizing proactive measures such as vulnerability assessment. This presentation explores the legislative and operational frameworks in Slovakia, Czechia and Poland, providing a comparative analysis of their approaches to empowering CSIRT units under new cybersecurity laws.
In Slovakia, proactive vulnerability scanning is already a cornerstone of the activities of the government CSIRT unit (CSIRT.SK) within its constituency, exemplified by the Achilles project. The recently amended Slovak Cybersecurity Act further clarifies that all CSIRT units have the legal authority to conduct non-invasive vulnerability detection and assessments within their scope. These assessments explicitly avoid negative impacts on the networks, systems, or services being evaluated, maintaining a balance between proactive security and minimal disruption. In its draft Cybersecurity Act, Czechia adopts a similarly proactive stance. The Czech National Cyber and Information Security Agency (NÚKIB) coordinates activities related to cybersecurity threats and vulnerabilities, including vulnerability searches and penetration testing. These activities are conducted with the explicit consent of the affected parties, reflecting a balanced approach that prioritizes collaboration and adherence to ethical principles.
Poland's draft Cybersecurity Act, part of the NIS2 Directive transposition, offers a broader and more invasive framework. It permits security assessments in which CSIRT units are granted powers to bypass system protections under controlled conditions, effectively a variant of red teaming. This approach raises critical questions about legal and ethical boundaries, particularly in balancing the need for comprehensive security assessments with respect for organizational autonomy and privacy.
The presentation examines how these approaches reflect the broader goals of proactive cybersecurity while addressing the challenges of harmonization and trust in public-private partnerships. By comparing Slovakia’s and Czechia’s non-invasive strategy with Poland’s expansive and potentially invasive measures, we aim to spark discussion on how CSIRT units can effectively enhance national cybersecurity resilience without overstepping legal or ethical boundaries.
Michal Rampášek
Michal Rampášek is a well-known Bratislava attorney specializing in cybersecurity, information technology and criminal law, with more than 10 years of experience. He is an attorney at PETERKA & PARTNERS in Bratislava.
Michal is a freelance lawyer for the Slovak Government CSIRT Unit (CSIRT.SK), where he provides legal advice on cybersecurity and regulation. Thanks to his deep expertise in IT, cybersecurity and criminal law, he offers clients comprehensive legal advice tailored to new regulations and the digital environment. He is a member of the ISACA Slovakia Chapter and also a certified Cyber Security Manager.
In addition to his legal practice, he is a PhD student and external lecturer at the Institute of Information Technology and Intellectual Property Law at the Faculty of Law of Comenius University in Bratislava.
Michal is the author of several scientific articles focused on information technology law and cybersecurity and regularly speaks at professional and scientific conferences on this topic. He is also co-author of the university textbook "Law and Artificial Intelligence".
