Network and Information Security Directive

On 6th July 2016, the European Union formally adopted the Directive for security of network and information systems. The Directive was published in the Official Journal of the European Union on 19th July and will come into effect on August 8th, meaning that the transposition deadline is 9th May 2018.

The main objective of the Directive is to ensure that there is a high common level of cyber security across member states through a number of different elements. The first element is to improve the cyber security capabilities of EU Member States’ through the development of policy and regulations to maintain a base standard of network and information security. The Directive will impose a series of requirements on companies in sectors deemed critical to the functioning of society and the economy, including technical and procedural cyber security requirements and binding reporting obligations. In addition, the Directive will improve the co-operation between and across member states, through public and private sector entities, in relation to incidents that affect network and information systems.

Companies providing digital services specified in Annex III of the Directive are categorised as Digital Service Providers and are to meet requirements set by the European Commission through the EU legal mechanism known as implementing acts.

Operators of Essential Services (OES)

In order to realise the Directive and its objectives, Member States’ must identify the Operators of Essential Services within its jurisdiction, ensure that such entities have security measures in place and that they report significant incidents. Further information on the directive in regards to Operators of Essential Services can be found here.

Digital Service Providers (DSP)

Companies providing digital services specified in Annex III of the Directive are categorised as Digital Service Providers and are to meet requirements set by the European Commission through the EU legal mechanism known as implementing acts. Further information on the directive in regards to Digital Service Providers can be found here.

Reporting an NISD incident to the NCSC

If you are a DSP subject to the NIS Directive, please see the DSP page for the incident reporting form.
If you are an OES subject to the NIS Directive, please see the OES page for the incident reporting form.

NIS Complience Guidelines for Operators of Essential Services

For the Irish translation of this document, click this link.