News Item

Incidents Handling and Cybercrime Investigations

The European Union Agency for Cybersecurity (ENISA) explores how CSIRTs, law enforcement agencies and the judiciary cooperate and how they can train together to better tackle cyber incidents and respond to cybercrime.

Published on March 08, 2022

The report published today facilitates the cooperation between CSIRTs and law enforcement agencies (LEAs) and looks into their interaction with the judiciary (judges and prosecutors). This updated and extended version of the report comes along with an updated version of the training material delivered by ENISA in 2020 in the form of a handbook and a toolset.

ENISA is presenting these newly published report and training material at the Regional Cybercrime Cooperation Exercise and Conference of Law Enforcement/CSIRT Cooperation organised by the Council of Europe and the European Commission taking place from 7-11 March in Athens, Greece.

Why is this cooperation needed?

While CSIRTs mitigate incidents, law enforcement agencies conduct investigations. Although each community has a specific role, they often deal with the same cases. In doing so, the activities of one of them can sometimes overlap and/or could also possibly interfere with the goals and the activities of the others. In addition, other factors are at play which may have an impact on the cooperation and these include technical, legal, organisational challenges and at times even behavioural differences between the communities.

What is the purpose of the report?

This report addresses the legal and organisational framework, roles and duties of CSIRTs, LEAs and the judiciary. It also analyses their required competences, as well as synergies and potential interferences in their respective activities. By facilitating the cooperation between the CSIRT and the LE communities and their interaction with the judiciary, this work has the final aim to contribute to a better response to cybercrime.

Key conclusions and next steps

Conclusions from the analysis of sixteen different EU/EEA Member States include:

  • the structure and organisation of the different communities vary by country;
  • CSIRT-LEA cooperation help decrease the risk of evidence being compromised and of interferences in each other’s activities;
  • CSIRTs play an important role in informing (potential) victims of cybercrime and in providing them with information on how to report a crime to the Police.

Next steps suggested include:

  • the extension of the analysis to additional countries;
  • the development of a catalogue of competences in incident handling and cybercrime investigations;
  • the organisation of joint training and exercises.

 Training material

The training material published today consists of a handbook designed for the trainer and a toolset for the trainee. The handbook explains the concepts addressed using scenarios. the toolset includes exercises based on these scenarios. This training material is an updated version of the training material on CSIRT-LE cooperation published last year.


ENISA has been collecting input from the communities and compiling reports to shed light on the different aspects of the cooperation between CSIRTs, LE and the judiciary to further enhance this cooperation. In addition, the Agency has been developing training material and co-organising the annual ENISA-EC3 workshop on CSIRT-LE Cooperation whose 10-year anniversary was celebrated last October.

Further Information

2021 Report on CSIRT and Law Enforcement Cooperation

Training Handbook

Training Toolset

CSIRTs and Law Enforcement Agencies – ENISA topic

Stay updated - subscribe to RSS feeds of both ENISA news items & press releases!

News items:


This site uses cookies to offer you a better browsing experience.
Aside from essential cookies we also use tracking cookies for analytics.
Find out more on how we use cookies.

Accept all cookies Accept only essential cookies