---
title: "NIST SP 800-61 Rev. 3 vs NIS2 incident reporting: practical side-by-side comparison"
canonical_url: "https://www.sorena.io/artifacts/global/nist-sp-800-61-rev-3/nist-800-61-vs-nis2"
source_url: "https://www.sorena.io/artifacts/global/nist-sp-800-61-rev-3/nist-800-61-vs-nis2"
author: "Sorena AI"
description: "Compare NIST SP 800-61 Rev. 3 and NIS2 incident reporting with side-by-side scope, owner, trigger, evidence, cadence, assurance, and decision-rule rows."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "NIST SP 800-61 Rev. 3 vs NIS2 incident reporting"
  - "NIST SP 800-61 Rev. 3"
  - "comparison"
  - "evidence mapping"
  - "source-linked decision"
  - "NIST SP 800-61"
  - "Incident response"
  - "CSF 2.0"
---

# NIST SP 800-61 Rev. 3 vs NIS2 incident reporting: practical side-by-side comparison

Compare NIST SP 800-61 Rev. 3 and NIS2 incident reporting with side-by-side scope, owner, trigger, evidence, cadence, assurance, and decision-rule rows.

Turn guidance into a standalone operating path with clear scope, accountable owners, evidence requirements, review cadence, and decision outputs.

Use this comparison when stakeholders are mixing NIST SP 800-61 Rev. 3 with NIS2 incident reporting. The goal is not to pick a winner; it is to separate scope, owners, evidence, review cadence, and assurance so one implementation record can support both sides without overclaiming.

- **NIST SP 800-61 Rev. 3**: NIST SP 800-61 Rev. 3 is voluntary incident-response guidance: use it to structure preparation, detection, response, recovery, evidence, and lessons-learned work before mapping any separate legal duty.
- **NIS2 incident reporting**: NIS2 incident reporting is the second workstream in this comparison. Use it to test where its scope, owners, triggers, evidence, timing, enforcement, and reuse limits differ from those of NIST SP 800-61 Rev. 3.

| Dimension | NIST SP 800-61 Rev. 3 | NIS2 incident reporting | Operational implication | Sources |
| --- | --- | --- | --- | --- |
| Scope and covered activity | SP 800-61 Rev. 3 structures incident response as risk management guidance. Use NIST SP 800-61 Rev. 3 to define the in-scope system, product, service, supplier, release, incident, or governance process before mapping evidence. | NIS2 creates EU cybersecurity and incident reporting duties for entities in scope. Use NIS2 incident reporting to define the separate assurance, certification, legal, contractual, or operating lens before claiming equivalence. | For scope, write separate acceptance criteria for NIST SP 800-61 Rev. 3 and NIS2 incident reporting; reuse evidence only where it proves both claims without changing the meaning. | [NIST SP 800-61 Rev. 3 Incident Response](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - Supports the NIST side by identifying SP 800-61 Rev. 3 as April 2025 guidance for incident preparation, detection, response, recovery, and lessons learned.<br>[NIST SP 800-61 Rev. 3 DOI](https://doi.org/10.6028/NIST.SP.800-61r3?ref=sorena.io) - DOI for the April 2025 incident response publication.<br>[NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.<br>[European Commission NIS2 Directive FAQ](https://digital-strategy.ec.europa.eu/en/faqs/directive-measures-high-common-level-cybersecurity-across-union-NIS2-directive-faqs?ref=sorena.io) - Official European Commission FAQ for NIS2 scope, measures, and incident reporting context. |
| Who must act | Assign NIST SP 800-61 Rev. 3 work to the owner who can approve the scoped risk, control, software, supplier, incident, or governance decision and provide evidence. | Assign NIS2 incident reporting work to the owner who controls that program, contract, certification, legal obligation, or operational procedure. | A shared team can support both sides, but the accountable owner should be named separately for NIST SP 800-61 Rev. 3 and NIS2 incident reporting. | [NIST SP 800-61 Rev. 3 Incident Response](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - Supports the NIST side by identifying SP 800-61 Rev. 3 as April 2025 guidance for incident preparation, detection, response, recovery, and lessons learned.<br>[NIST SP 800-61 Rev. 3 DOI](https://doi.org/10.6028/NIST.SP.800-61r3?ref=sorena.io) - DOI for the April 2025 incident response publication.<br>[NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.<br>[European Commission NIS2 Directive FAQ](https://digital-strategy.ec.europa.eu/en/faqs/directive-measures-high-common-level-cybersecurity-across-union-NIS2-directive-faqs?ref=sorena.io) - Official European Commission FAQ for NIS2 scope, measures, and incident reporting context. |
| Trigger or threshold | NIST SP 800-61 Rev. 3 work starts when an organization needs to prepare for, detect, respond to, recover from, or learn from a cybersecurity incident within its risk-management program. | NIS2 incident reporting is triggered when an essential or important entity becomes aware of a significant incident, starting early-warning, notification, intermediate-report, and final-report obligations. | Record the specific trigger facts that rerun the comparison: the cybersecurity event or incident for NIST SP 800-61 Rev. 3, and awareness of a significant incident for NIS2 so the 24-hour, 72-hour, and one-month clocks can be checked. | [NIST SP 800-61 Rev. 3 Incident Response](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - Supports the NIST side by identifying SP 800-61 Rev. 3 as April 2025 guidance for incident preparation, detection, response, recovery, and lessons learned.<br>[NIST SP 800-61 Rev. 3 DOI](https://doi.org/10.6028/NIST.SP.800-61r3?ref=sorena.io) - DOI for the April 2025 incident response publication.<br>[NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.<br>[Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj/eng?ref=sorena.io) - Binding NIS2 source for significant-incident reporting triggers, early warning, incident notification, intermediate reports, and final reports.<br>[European Commission NIS2 Directive FAQ](https://digital-strategy.ec.europa.eu/en/faqs/directive-measures-high-common-level-cybersecurity-across-union-NIS2-directive-faqs?ref=sorena.io) - Official European Commission FAQ for NIS2 scope, measures, and incident reporting context. |
| Core obligations | NIST SP 800-61 Rev. 3 asks teams to prepare, detect, analyze, respond, recover, document, and improve. Use it to build incident-response procedures, logging, evidence handling, and lessons-learned actions. | NIS2 requires entities in scope to put in place cybersecurity risk-management measures and to notify significant incidents using the directive's timing rules, including early warning, incident notification, and final reporting. | Convert the comparison into two separate duty lists: operational incident-response steps for NIST SP 800-61 Rev. 3 and legally timed reporting plus risk-management measures for NIS2. | [NIST SP 800-61 Rev. 3 Incident Response](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - Supports the NIST side by identifying SP 800-61 Rev. 3 as April 2025 guidance for incident preparation, detection, response, recovery, and lessons learned.<br>[NIST SP 800-61 Rev. 3 DOI](https://doi.org/10.6028/NIST.SP.800-61r3?ref=sorena.io) - DOI for the April 2025 incident response publication.<br>[NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach. |
| Evidence and records | NIST SP 800-61 Rev. 3: keep the evidence that proves this side of the decision, including cited text, registers, policies, test records, contracts, notices, reports, approvals, or audit artifacts. | NIS2 incident reporting: keep comparator evidence in a distinct record set and link only the artifacts that genuinely satisfy both source-linked requirements. | Keep a traceable evidence matrix: source, claim, owner, artifact, review date, and whether the evidence satisfies NIST SP 800-61 Rev. 3, NIS2 incident reporting, or both. | [NIST SP 800-61 Rev. 3 Incident Response](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - Supports the NIST side by identifying SP 800-61 Rev. 3 as April 2025 guidance for incident preparation, detection, response, recovery, and lessons learned.<br>[NIST SP 800-61 Rev. 3 DOI](https://doi.org/10.6028/NIST.SP.800-61r3?ref=sorena.io) - DOI for the April 2025 incident response publication.<br>[NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach. |
| Timing and cadence | NIST SP 800-61 Rev. 3: capture the application date, commencement date, transition period, reporting clock, review cadence, remediation window, or certification renewal that controls this side. | NIS2 incident reporting: track the comparator schedule separately so a later deadline, recurring audit, or incident timer is not hidden by the other workstream. | Use separate clocks for each side and surface the earliest decision date, longest retention or review duty, and any transition period that changes implementation sequencing. | [NIST SP 800-61 Rev. 3 Incident Response](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - Supports the NIST side by identifying SP 800-61 Rev. 3 as April 2025 guidance for incident preparation, detection, response, recovery, and lessons learned.<br>[NIST SP 800-61 Rev. 3 DOI](https://doi.org/10.6028/NIST.SP.800-61r3?ref=sorena.io) - DOI for the April 2025 incident response publication.<br>[NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach. |
| Enforcement or assurance route | NIST SP 800-61 Rev. 3: identify the competent authority, regulator, assessor, customer audit, certification body, contractual remedy, penalty, or supervisory process tied to this side. | NIS2 incident reporting: identify the comparator enforcement or assurance route and record where supervision, penalties, market access, certification, or contract leverage differs. | Escalate when enforcement routes differ because a regulator, market-surveillance authority, certification body, customer, or contract counterparty may require different proof. | [NIST SP 800-61 Rev. 3 Incident Response](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - Supports the NIST side by identifying SP 800-61 Rev. 3 as April 2025 guidance for incident preparation, detection, response, recovery, and lessons learned.<br>[NIST SP 800-61 Rev. 3 DOI](https://doi.org/10.6028/NIST.SP.800-61r3?ref=sorena.io) - DOI for the April 2025 incident response publication.<br>[NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach. |
| Overlap and reuse | NIST SP 800-61 Rev. 3: reuse controls only where the source-linked duty, evidence standard, owner, and timing align with the comparator; otherwise keep a bridge note. | NIS2 incident reporting can reuse evidence from the other side only when the same fact pattern, system boundary, control, owner, and source-linked requirement are genuinely aligned. | Reuse evidence carefully: overlap can reduce duplicated work, but it does not merge scope, actors, deadlines, penalties, or public-facing wording. | [NIST SP 800-61 Rev. 3 Incident Response](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - Supports the NIST side by identifying SP 800-61 Rev. 3 as April 2025 guidance for incident preparation, detection, response, recovery, and lessons learned.<br>[NIST SP 800-61 Rev. 3 DOI](https://doi.org/10.6028/NIST.SP.800-61r3?ref=sorena.io) - DOI for the April 2025 incident response publication.<br>[NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach. |
| Practical decision rule | Choose NIST SP 800-61 Rev. 3 as the primary lens when the question is about the NIST SP 800-61 Rev. 3 scope, terminology, evidence, and audience. | Choose NIS2 incident reporting as the primary lens when the question is about the NIS2 incident reporting scope, terminology, evidence, and audience. | When both apply, write one decision record with two source-linked claims instead of forcing one framework to stand in for the other. | [NIST SP 800-61 Rev. 3 Incident Response](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - Supports the NIST side by identifying SP 800-61 Rev. 3 as April 2025 guidance for incident preparation, detection, response, recovery, and lessons learned.<br>[NIST SP 800-61 Rev. 3 DOI](https://doi.org/10.6028/NIST.SP.800-61r3?ref=sorena.io) - DOI for the April 2025 incident response publication.<br>[NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.<br>[European Commission NIS2 Directive FAQ](https://digital-strategy.ec.europa.eu/en/faqs/directive-measures-high-common-level-cybersecurity-across-union-NIS2-directive-faqs?ref=sorena.io) - Official European Commission FAQ for NIS2 scope, measures, and incident reporting context. |

Sources for Scope and covered activity - NIST SP 800-61 Rev. 3:

- [NIST SP 800-61 Rev. 3 Incident Response](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - Supports the NIST side by identifying SP 800-61 Rev. 3 as April 2025 guidance for incident preparation, detection, response, recovery, and lessons learned.
  - Quote: "incident response recommendations and considerations"
- [NIST SP 800-61 Rev. 3 DOI](https://doi.org/10.6028/NIST.SP.800-61r3?ref=sorena.io) - DOI for the April 2025 incident response publication.
  - Quote: "incident detection, response, and recovery activities"
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.
  - Quote: "does not prescribe how outcomes should be achieved"

Sources for Scope and covered activity - NIS2 incident reporting:

- [European Commission NIS2 Directive FAQ](https://digital-strategy.ec.europa.eu/en/faqs/directive-measures-high-common-level-cybersecurity-across-union-NIS2-directive-faqs?ref=sorena.io) - Official European Commission FAQ for NIS2 scope, measures, and incident reporting context.
  - Quote: "legal measures to boost the overall level of cybersecurity"

Sources for Scope and covered activity - operational implication:

- [NIST SP 800-61 Rev. 3 Incident Response](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - Supports the NIST side by identifying SP 800-61 Rev. 3 as April 2025 guidance for incident preparation, detection, response, recovery, and lessons learned.
  - Quote: "incident response recommendations and considerations"
- [NIST SP 800-61 Rev. 3 DOI](https://doi.org/10.6028/NIST.SP.800-61r3?ref=sorena.io) - DOI for the April 2025 incident response publication.
  - Quote: "incident detection, response, and recovery activities"
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.
  - Quote: "does not prescribe how outcomes should be achieved"

Sources for Who must act - NIST SP 800-61 Rev. 3:

- [NIST SP 800-61 Rev. 3 Incident Response](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - Supports the NIST side by identifying SP 800-61 Rev. 3 as April 2025 guidance for incident preparation, detection, response, recovery, and lessons learned.
  - Quote: "incident response recommendations and considerations"
- [NIST SP 800-61 Rev. 3 DOI](https://doi.org/10.6028/NIST.SP.800-61r3?ref=sorena.io) - DOI for the April 2025 incident response publication.
  - Quote: "incident detection, response, and recovery activities"
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.
  - Quote: "does not prescribe how outcomes should be achieved"

Sources for Who must act - NIS2 incident reporting:

- [European Commission NIS2 Directive FAQ](https://digital-strategy.ec.europa.eu/en/faqs/directive-measures-high-common-level-cybersecurity-across-union-NIS2-directive-faqs?ref=sorena.io) - Official European Commission FAQ for NIS2 scope, measures, and incident reporting context.
  - Quote: "legal measures to boost the overall level of cybersecurity"

Sources for Who must act - operational implication:

- [NIST SP 800-61 Rev. 3 Incident Response](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - Supports the NIST side by identifying SP 800-61 Rev. 3 as April 2025 guidance for incident preparation, detection, response, recovery, and lessons learned.
  - Quote: "incident response recommendations and considerations"
- [NIST SP 800-61 Rev. 3 DOI](https://doi.org/10.6028/NIST.SP.800-61r3?ref=sorena.io) - DOI for the April 2025 incident response publication.
  - Quote: "incident detection, response, and recovery activities"
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.
  - Quote: "does not prescribe how outcomes should be achieved"

Sources for Trigger or threshold - NIST SP 800-61 Rev. 3:

- [NIST SP 800-61 Rev. 3 Incident Response](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - Supports the NIST side by identifying SP 800-61 Rev. 3 as April 2025 guidance for incident preparation, detection, response, recovery, and lessons learned.
  - Quote: "incident response recommendations and considerations"
- [NIST SP 800-61 Rev. 3 DOI](https://doi.org/10.6028/NIST.SP.800-61r3?ref=sorena.io) - DOI for the April 2025 incident response publication.
  - Quote: "incident detection, response, and recovery activities"
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.
  - Quote: "does not prescribe how outcomes should be achieved"

Sources for Trigger or threshold - NIS2 incident reporting:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj/eng?ref=sorena.io) - Binding NIS2 source for significant-incident reporting triggers, early warning, incident notification, intermediate reports, and final reports.
  - Quote: "within 24 hours"
- [European Commission NIS2 Directive FAQ](https://digital-strategy.ec.europa.eu/en/faqs/directive-measures-high-common-level-cybersecurity-across-union-NIS2-directive-faqs?ref=sorena.io) - Official European Commission FAQ for NIS2 scope, measures, and incident reporting context.
  - Quote: "legal measures to boost the overall level of cybersecurity"

Sources for Trigger or threshold - operational implication:

- [NIST SP 800-61 Rev. 3 Incident Response](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - Supports the NIST side by identifying SP 800-61 Rev. 3 as April 2025 guidance for incident preparation, detection, response, recovery, and lessons learned.
  - Quote: "incident response recommendations and considerations"
- [NIST SP 800-61 Rev. 3 DOI](https://doi.org/10.6028/NIST.SP.800-61r3?ref=sorena.io) - DOI for the April 2025 incident response publication.
  - Quote: "incident detection, response, and recovery activities"
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.
  - Quote: "does not prescribe how outcomes should be achieved"

Sources for Core obligations - NIST SP 800-61 Rev. 3:

- [NIST SP 800-61 Rev. 3 Incident Response](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - Supports the NIST side by identifying SP 800-61 Rev. 3 as April 2025 guidance for incident preparation, detection, response, recovery, and lessons learned.
  - Quote: "incident response recommendations and considerations"
- [NIST SP 800-61 Rev. 3 DOI](https://doi.org/10.6028/NIST.SP.800-61r3?ref=sorena.io) - DOI for the April 2025 incident response publication.
  - Quote: "incident detection, response, and recovery activities"
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.
  - Quote: "does not prescribe how outcomes should be achieved"

Sources for Core obligations - NIS2 incident reporting:

- [NIST SP 800-61 Rev. 3 Incident Response](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - Supports the NIST side by identifying SP 800-61 Rev. 3 as April 2025 guidance for incident preparation, detection, response, recovery, and lessons learned.
  - Quote: "incident response recommendations and considerations"
- [NIST SP 800-61 Rev. 3 DOI](https://doi.org/10.6028/NIST.SP.800-61r3?ref=sorena.io) - DOI for the April 2025 incident response publication.
  - Quote: "incident detection, response, and recovery activities"
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.
  - Quote: "does not prescribe how outcomes should be achieved"

Sources for Core obligations - operational implication:

- [NIST SP 800-61 Rev. 3 Incident Response](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - Supports the NIST side by identifying SP 800-61 Rev. 3 as April 2025 guidance for incident preparation, detection, response, recovery, and lessons learned.
  - Quote: "incident response recommendations and considerations"
- [NIST SP 800-61 Rev. 3 DOI](https://doi.org/10.6028/NIST.SP.800-61r3?ref=sorena.io) - DOI for the April 2025 incident response publication.
  - Quote: "incident detection, response, and recovery activities"
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.
  - Quote: "does not prescribe how outcomes should be achieved"

Sources for Evidence and records - NIST SP 800-61 Rev. 3:

- [NIST SP 800-61 Rev. 3 Incident Response](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - Supports the NIST side by identifying SP 800-61 Rev. 3 as April 2025 guidance for incident preparation, detection, response, recovery, and lessons learned.
  - Quote: "incident response recommendations and considerations"
- [NIST SP 800-61 Rev. 3 DOI](https://doi.org/10.6028/NIST.SP.800-61r3?ref=sorena.io) - DOI for the April 2025 incident response publication.
  - Quote: "incident detection, response, and recovery activities"
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.
  - Quote: "does not prescribe how outcomes should be achieved"

Sources for Evidence and records - NIS2 incident reporting:

- [NIST SP 800-61 Rev. 3 Incident Response](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - Supports the NIST side by identifying SP 800-61 Rev. 3 as April 2025 guidance for incident preparation, detection, response, recovery, and lessons learned.
  - Quote: "incident response recommendations and considerations"
- [NIST SP 800-61 Rev. 3 DOI](https://doi.org/10.6028/NIST.SP.800-61r3?ref=sorena.io) - DOI for the April 2025 incident response publication.
  - Quote: "incident detection, response, and recovery activities"
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.
  - Quote: "does not prescribe how outcomes should be achieved"

Sources for Evidence and records - operational implication:

- [NIST SP 800-61 Rev. 3 Incident Response](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - Supports the NIST side by identifying SP 800-61 Rev. 3 as April 2025 guidance for incident preparation, detection, response, recovery, and lessons learned.
  - Quote: "incident response recommendations and considerations"
- [NIST SP 800-61 Rev. 3 DOI](https://doi.org/10.6028/NIST.SP.800-61r3?ref=sorena.io) - DOI for the April 2025 incident response publication.
  - Quote: "incident detection, response, and recovery activities"
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.
  - Quote: "does not prescribe how outcomes should be achieved"

Sources for Timing and cadence - NIST SP 800-61 Rev. 3:

- [NIST SP 800-61 Rev. 3 Incident Response](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - Supports the NIST side by identifying SP 800-61 Rev. 3 as April 2025 guidance for incident preparation, detection, response, recovery, and lessons learned.
  - Quote: "incident response recommendations and considerations"
- [NIST SP 800-61 Rev. 3 DOI](https://doi.org/10.6028/NIST.SP.800-61r3?ref=sorena.io) - DOI for the April 2025 incident response publication.
  - Quote: "incident detection, response, and recovery activities"
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.
  - Quote: "does not prescribe how outcomes should be achieved"

Sources for Timing and cadence - NIS2 incident reporting:

- [NIST SP 800-61 Rev. 3 Incident Response](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - Supports the NIST side by identifying SP 800-61 Rev. 3 as April 2025 guidance for incident preparation, detection, response, recovery, and lessons learned.
  - Quote: "incident response recommendations and considerations"
- [NIST SP 800-61 Rev. 3 DOI](https://doi.org/10.6028/NIST.SP.800-61r3?ref=sorena.io) - DOI for the April 2025 incident response publication.
  - Quote: "incident detection, response, and recovery activities"
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.
  - Quote: "does not prescribe how outcomes should be achieved"

Sources for Timing and cadence - operational implication:

- [NIST SP 800-61 Rev. 3 Incident Response](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - Supports the NIST side by identifying SP 800-61 Rev. 3 as April 2025 guidance for incident preparation, detection, response, recovery, and lessons learned.
  - Quote: "incident response recommendations and considerations"
- [NIST SP 800-61 Rev. 3 DOI](https://doi.org/10.6028/NIST.SP.800-61r3?ref=sorena.io) - DOI for the April 2025 incident response publication.
  - Quote: "incident detection, response, and recovery activities"
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.
  - Quote: "does not prescribe how outcomes should be achieved"

Sources for Enforcement or assurance route - NIST SP 800-61 Rev. 3:

- [NIST SP 800-61 Rev. 3 Incident Response](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - Supports the NIST side by identifying SP 800-61 Rev. 3 as April 2025 guidance for incident preparation, detection, response, recovery, and lessons learned.
  - Quote: "incident response recommendations and considerations"
- [NIST SP 800-61 Rev. 3 DOI](https://doi.org/10.6028/NIST.SP.800-61r3?ref=sorena.io) - DOI for the April 2025 incident response publication.
  - Quote: "incident detection, response, and recovery activities"
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.
  - Quote: "does not prescribe how outcomes should be achieved"

Sources for Enforcement or assurance route - NIS2 incident reporting:

- [NIST SP 800-61 Rev. 3 Incident Response](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - Supports the NIST side by identifying SP 800-61 Rev. 3 as April 2025 guidance for incident preparation, detection, response, recovery, and lessons learned.
  - Quote: "incident response recommendations and considerations"
- [NIST SP 800-61 Rev. 3 DOI](https://doi.org/10.6028/NIST.SP.800-61r3?ref=sorena.io) - DOI for the April 2025 incident response publication.
  - Quote: "incident detection, response, and recovery activities"
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.
  - Quote: "does not prescribe how outcomes should be achieved"

Sources for Enforcement or assurance route - operational implication:

- [NIST SP 800-61 Rev. 3 Incident Response](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - Supports the NIST side by identifying SP 800-61 Rev. 3 as April 2025 guidance for incident preparation, detection, response, recovery, and lessons learned.
  - Quote: "incident response recommendations and considerations"
- [NIST SP 800-61 Rev. 3 DOI](https://doi.org/10.6028/NIST.SP.800-61r3?ref=sorena.io) - DOI for the April 2025 incident response publication.
  - Quote: "incident detection, response, and recovery activities"
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.
  - Quote: "does not prescribe how outcomes should be achieved"

Sources for Overlap and reuse - NIST SP 800-61 Rev. 3:

- [NIST SP 800-61 Rev. 3 Incident Response](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - Supports the NIST side by identifying SP 800-61 Rev. 3 as April 2025 guidance for incident preparation, detection, response, recovery, and lessons learned.
  - Quote: "incident response recommendations and considerations"
- [NIST SP 800-61 Rev. 3 DOI](https://doi.org/10.6028/NIST.SP.800-61r3?ref=sorena.io) - DOI for the April 2025 incident response publication.
  - Quote: "incident detection, response, and recovery activities"
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.
  - Quote: "does not prescribe how outcomes should be achieved"

Sources for Overlap and reuse - NIS2 incident reporting:

- [NIST SP 800-61 Rev. 3 Incident Response](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - Supports the NIST side by identifying SP 800-61 Rev. 3 as April 2025 guidance for incident preparation, detection, response, recovery, and lessons learned.
  - Quote: "incident response recommendations and considerations"
- [NIST SP 800-61 Rev. 3 DOI](https://doi.org/10.6028/NIST.SP.800-61r3?ref=sorena.io) - DOI for the April 2025 incident response publication.
  - Quote: "incident detection, response, and recovery activities"
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.
  - Quote: "does not prescribe how outcomes should be achieved"

Sources for Overlap and reuse - operational implication:

- [NIST SP 800-61 Rev. 3 Incident Response](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - Supports the NIST side by identifying SP 800-61 Rev. 3 as April 2025 guidance for incident preparation, detection, response, recovery, and lessons learned.
  - Quote: "incident response recommendations and considerations"
- [NIST SP 800-61 Rev. 3 DOI](https://doi.org/10.6028/NIST.SP.800-61r3?ref=sorena.io) - DOI for the April 2025 incident response publication.
  - Quote: "incident detection, response, and recovery activities"
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.
  - Quote: "does not prescribe how outcomes should be achieved"

Sources for Practical decision rule - NIST SP 800-61 Rev. 3:

- [NIST SP 800-61 Rev. 3 Incident Response](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - Supports the NIST side by identifying SP 800-61 Rev. 3 as April 2025 guidance for incident preparation, detection, response, recovery, and lessons learned.
  - Quote: "incident response recommendations and considerations"
- [NIST SP 800-61 Rev. 3 DOI](https://doi.org/10.6028/NIST.SP.800-61r3?ref=sorena.io) - DOI for the April 2025 incident response publication.
  - Quote: "incident detection, response, and recovery activities"
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.
  - Quote: "does not prescribe how outcomes should be achieved"

Sources for Practical decision rule - NIS2 incident reporting:

- [European Commission NIS2 Directive FAQ](https://digital-strategy.ec.europa.eu/en/faqs/directive-measures-high-common-level-cybersecurity-across-union-NIS2-directive-faqs?ref=sorena.io) - Official European Commission FAQ for NIS2 scope, measures, and incident reporting context.
  - Quote: "legal measures to boost the overall level of cybersecurity"

Sources for Practical decision rule - operational implication:

- [NIST SP 800-61 Rev. 3 Incident Response](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - Supports the NIST side by identifying SP 800-61 Rev. 3 as April 2025 guidance for incident preparation, detection, response, recovery, and lessons learned.
  - Quote: "incident response recommendations and considerations"
- [NIST SP 800-61 Rev. 3 DOI](https://doi.org/10.6028/NIST.SP.800-61r3?ref=sorena.io) - DOI for the April 2025 incident response publication.
  - Quote: "incident detection, response, and recovery activities"
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.
  - Quote: "does not prescribe how outcomes should be achieved"

### When should teams use NIST SP 800-61 Rev. 3 first versus NIS2 incident reporting first?

- Use NIST SP 800-61 Rev. 3 first when the task is to build or test incident response preparation, detection, response, recovery, evidence handling, or lessons learned.
- Use NIS2 incident reporting first when the task is to meet a statutory duty: determine whether the entity is in scope, whether the incident is significant, and whether the 24-hour, 72-hour, or one-month report clock applies.
- Use both when one fact pattern supports both the operational response file and the NIS2 reporting record.

Sources for the practical decision rule:

- [NIST SP 800-61 Rev. 3 Incident Response](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - Supports the NIST side by identifying SP 800-61 Rev. 3 as April 2025 guidance for incident preparation, detection, response, recovery, and lessons learned.
  - Quote: "incident response recommendations and considerations"
- [NIST SP 800-61 Rev. 3 DOI](https://doi.org/10.6028/NIST.SP.800-61r3?ref=sorena.io) - DOI for the April 2025 incident response publication.
  - Quote: "incident detection, response, and recovery activities"
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.
  - Quote: "does not prescribe how outcomes should be achieved"
- [European Commission NIS2 Directive FAQ](https://digital-strategy.ec.europa.eu/en/faqs/directive-measures-high-common-level-cybersecurity-across-union-NIS2-directive-faqs?ref=sorena.io) - Official European Commission FAQ for NIS2 scope, measures, and incident reporting context.
  - Quote: "legal measures to boost the overall level of cybersecurity"

## How should teams use the NIST SP 800-61 Rev. 3 vs NIS2 incident reporting comparison in practical compliance decisions?

Read the table row by row and write a decision record for the actual scope. The useful output is a source-linked mapping, not a broad statement that the two frameworks are similar.

- Define which side is the primary driver.
- Identify shared evidence only after both source-linked claims are clear.
- Keep legal, certification, customer, and internal governance timers separate.

Sources for this answer:

- [NIST SP 800-61 Rev. 3 Incident Response](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - Supports the NIST side by identifying SP 800-61 Rev. 3 as April 2025 guidance for incident preparation, detection, response, recovery, and lessons learned.
- [NIST SP 800-61 Rev. 3 DOI](https://doi.org/10.6028/NIST.SP.800-61r3?ref=sorena.io) - DOI for the April 2025 incident response publication.
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.
- [European Commission NIS2 Directive FAQ](https://digital-strategy.ec.europa.eu/en/faqs/directive-measures-high-common-level-cybersecurity-across-union-NIS2-directive-faqs?ref=sorena.io) - Official European Commission FAQ for NIS2 scope, measures, and incident reporting context.

## Primary sources

- [NIST SP 800-61 Rev. 3 Incident Response](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - Supports the NIST side by identifying SP 800-61 Rev. 3 as April 2025 guidance for incident preparation, detection, response, recovery, and lessons learned.
  - Quote: "incident response recommendations and considerations"
- [NIST SP 800-61 Rev. 3 DOI](https://doi.org/10.6028/NIST.SP.800-61r3?ref=sorena.io) - DOI for the April 2025 incident response publication.
  - Quote: "incident detection, response, and recovery activities"
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.
  - Quote: "does not prescribe how outcomes should be achieved"
- [European Commission NIS2 Directive FAQ](https://digital-strategy.ec.europa.eu/en/faqs/directive-measures-high-common-level-cybersecurity-across-union-NIS2-directive-faqs?ref=sorena.io) - Official European Commission FAQ for NIS2 scope, measures, and incident reporting context.
  - Quote: "legal measures to boost the overall level of cybersecurity"
- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj/eng?ref=sorena.io) - Binding NIS2 source for significant-incident reporting triggers, early warning, incident notification, intermediate reports, and final reports.
  - Quote: "within 24 hours"

## Related Topic Guides

- [How should teams handle communications under NIST SP 800-61 Rev. 3 incident response?](/artifacts/global/nist-sp-800-61-rev-3/faq/communications.md): How should teams handle communications under NIST SP 800-61 Rev. 3 incident response? Clear, source-linked guidance with practical evidence checks, owner decisions, and implementation steps.
- [How should teams handle event vs. incident under NIST SP 800-61 Rev. 3 incident response?](/artifacts/global/nist-sp-800-61-rev-3/faq/event-vs-incident.md): How should teams handle event vs. incident under NIST SP 800-61 Rev. 3 incident response? Clear, source-linked guidance with practical evidence checks, owner decisions, and implementation steps.
- [How should teams handle lessons learned under NIST SP 800-61 Rev. 3 incident response?](/artifacts/global/nist-sp-800-61-rev-3/faq/lessons-learned.md): How should teams handle lessons learned under NIST SP 800-61 Rev. 3 incident response? Clear, source-linked guidance with practical evidence checks, owner decisions, and implementation steps.
- [How should teams handle post-incident evidence under NIST SP 800-61 Rev. 3 incident response?](/artifacts/global/nist-sp-800-61-rev-3/faq/post-incident-evidence.md): How should teams handle post-incident evidence under NIST SP 800-61 Rev. 3 incident response? Clear, source-linked guidance with practical evidence checks, owner decisions, and implementation steps.
- [How should teams handle reporting clocks under NIST SP 800-61 Rev. 3 incident response?](/artifacts/global/nist-sp-800-61-rev-3/faq/reporting-clocks.md): How should teams handle reporting clocks under NIST SP 800-61 Rev. 3 incident response? Clear, source-linked guidance with practical evidence checks, owner decisions, and implementation steps.
- [How should teams handle severity under NIST SP 800-61 Rev. 3 incident response?](/artifacts/global/nist-sp-800-61-rev-3/faq/severity.md): How should teams handle severity under NIST SP 800-61 Rev. 3 incident response? Clear, source-linked guidance with practical evidence checks, owner decisions, and implementation steps.
- [NIST SP 800-61 Rev. 3 Changes Guide](/artifacts/global/nist-sp-800-61-rev-3/rev-3-changes.md): Practical NIST SP 800-61 Rev. 3 Changes Guide guidance with source-linked decisions, owner checklists, evidence records, and implementation steps.
- [NIST SP 800-61 Rev. 3 compliance playbook](/artifacts/global/nist-sp-800-61-rev-3/compliance.md): Practical NIST SP 800-61 Rev. 3 compliance playbook guidance with source-linked decisions, owner checklists, evidence records, and implementation steps.
- [NIST SP 800-61 Rev. 3 CSF 2.0 Incident Profile Guide](/artifacts/global/nist-sp-800-61-rev-3/csf-2-0-incident-profile.md): Practical NIST SP 800-61 Rev. 3 CSF 2.0 Incident Profile Guide guidance with source-linked decisions, owner checklists, evidence records, and implementation steps.
- [NIST SP 800-61 Rev. 3 FAQ: practical implementation questions](/artifacts/global/nist-sp-800-61-rev-3/faq.md): Standalone NIST SP 800-61 Rev. 3 FAQ questions with source-linked answers, implementation checklists, and evidence guidance.
- [NIST SP 800-61 Rev. 3 incident communications: stakeholder matrix and notification templates](/artifacts/global/nist-sp-800-61-rev-3/communications-and-escalation.md): Practical NIST SP 800-61 Rev. 3 Communications and Escalation Guide guidance with source-linked decisions, owner checklists, evidence records, and implementation steps.
- [NIST SP 800-61 Rev. 3 Incident Response Playbook Template](/artifacts/global/nist-sp-800-61-rev-3/incident-response-playbook-template.md): Practical NIST SP 800-61 Rev. 3 Incident Response Playbook Template guidance with source-linked decisions, owner checklists, evidence records, and implementation steps.
- [NIST SP 800-61 Rev. 3 Post-Incident Evidence Log Workflow](/artifacts/global/nist-sp-800-61-rev-3/post-incident-evidence-log-workflow.md): A practical NIST SP 800-61 Rev. 3 Post-Incident Evidence Log Workflow with steps, owners, evidence fields, decisions, and source-linked review triggers.
- [NIST SP 800-61 Rev. 3 Severity Classification and SLA Model](/artifacts/global/nist-sp-800-61-rev-3/severity-classification-and-sla-model.md): Practical NIST SP 800-61 Rev. 3 Severity Classification and SLA Model guidance with source-linked decisions, owner checklists, evidence records, and implementation steps.
- [NIST SP 800-61 Rev. 3 vs CISA playbooks: practical side-by-side comparison](/artifacts/global/nist-sp-800-61-rev-3/nist-800-61-vs-cisa-playbooks.md): Compare NIST SP 800-61 Rev. 3 and CISA playbooks with side-by-side scope, owner, trigger, evidence, cadence, assurance, and decision-rule rows.
- [NIST SP 800-61 Rev. 3 vs ISO 22301 business continuity: practical side-by-side comparison](/artifacts/global/nist-sp-800-61-rev-3/nist-800-61-vs-iso-22301.md): Compare NIST SP 800-61 Rev. 3 and ISO 22301 business continuity with side-by-side scope, owner, trigger, evidence, cadence, assurance, and decision-rule rows.
- [NIST SP 800-61 Rev. 3 vs ISO/IEC 27035: practical side-by-side comparison](/artifacts/global/nist-sp-800-61-rev-3/nist-800-61-vs-iso-27035.md): Compare NIST SP 800-61 Rev. 3 and ISO/IEC 27035 with side-by-side scope, owner, trigger, evidence, cadence, assurance, and decision-rule rows.
- [NIST SP 800-61 Rev. 3: escalation decision workflow for incident communications](/artifacts/global/nist-sp-800-61-rev-3/communications-escalation-workflow.md): A practical NIST SP 800-61 Rev. 3 Communications Escalation Workflow with steps, owners, evidence fields, decisions, and source-linked review triggers.
- [What should recovery include in a NIST SP 800-61 Rev. 3 incident response process?](/artifacts/global/nist-sp-800-61-rev-3/faq/recovery.md): Recovery should include restoring affected services, validating that the incident is contained, confirming monitoring is in place, communicating status, preserving evidence, and deciding when normal operations can safely resume.
- [Which CSIRT roles should teams define under NIST SP 800-61 Rev. 3?](/artifacts/global/nist-sp-800-61-rev-3/faq/csirt-roles.md): Which CSIRT roles should teams define under NIST SP 800-61 Rev. 3? Clear, source-linked guidance with practical evidence checks, owner decisions, and implementation steps.


---

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/global/nist-sp-800-61-rev-3/nist-800-61-vs-nis2
