NIS implementation guidance distinguishes the legal Point of Contact role from the operational CSIRT contact function used for incident interaction and notifications. Organizations should formalize both governance accountability and operational execution to ensure notification obligations can be met consistently.
Sources: Legislative Decree 138/2024, ACN incident management guidance
Key takeaways
- The Point of Contact is a formally designated person under the NIS framework.
- The CSIRT contact role handles interaction with CSIRT Italia and incident notification workflows.
- The CSIRT contact should have at least one substitute to ensure operational continuity.
- The role assignment, the competencies required of role holders, and the delegation model should be documented and auditable.
Sources: ACN incident management guidance, Legislative Decree 138/2024
Role model in practice
1. Point of Contact (governance/legal anchor)
The Point of Contact is the legally designated individual for NIS framework interactions, as defined by applicable provisions.
2. CSIRT contact (operational interface)
The CSIRT contact manages communication with CSIRT Italia and executes mandatory incident notifications on behalf of the entity.
3. Substitute model and continuity
At least one substitute should be defined for CSIRT contact activities to avoid operational gaps in urgent notification windows.
4. Competence and responsibility mapping
The organization should document required skills, assigned responsibilities, and internal coordination with cyber, legal, and management stakeholders.
Sources: ACN incident management guidance
Minimum evidence set for role readiness
| Area | Practical objective | Typical evidence |
|---|---|---|
| Role designation | Formal and current appointment model | Appointment acts, role matrix |
| Substitute coverage | Continuity of CSIRT interface and notifications | Substitute assignment records, duty coverage plan |
| Procedure alignment | Roles embedded in incident/notification workflows | Incident SOP, notification procedure, contact register |
| Competence baseline | Role holders have required capability profile | Training records, qualification evidence |
Sources: ACN incident management guidance
90-day execution checklist
- Verify the legal designation and registry data for the Point of Contact.
- Confirm the CSIRT contact assignment and at least one active substitute.
- Align incident-response playbooks with role-specific duties and handoffs.
- Validate contact channels and the availability model through simulation exercises.
- Keep role governance records synchronized with organizational changes.
FAQ
Are Point of Contact and CSIRT contact the same role?
The two roles can be linked operationally, but guidance distinguishes the legal designation from the operational duties of interacting with the CSIRT.
Sources: ACN incident management guidance
Is a substitute mandatory for CSIRT operations?
Guidance indicates that substitute coverage is required to ensure continuity of mandatory CSIRT interactions and incident notifications.
Sources: ACN incident management guidance
What should be audited first for role compliance?
Start with designation records, substitute coverage, incident-notification procedures, and evidence that role holders have the required capability and are ready to be activated.
Sources: ACN incident management guidance, Legislative Decree 138/2024