Network and Information Security Directive
The Network and Information Systems Directive 2016/1148 was published in the Official Journal of the EU in July 2016 and was signed into Irish law on the 18th of September 2018 by way of Statutory Instrument No. 360 of 2018. It represents a significant change in how countries in the EU approach cyber security, and involves a shift in approach towards a more formal type of regulatory relationship in certain key industries.
The responsibilities that the Directive places on the State and on businesses are wide ranging, but, among other things:
- Involve the application of a set of binding security obligations to a wide range of critical infrastructure operators, i.e. Operators of Essential Services. These include energy, healthcare, financial services, transport, drinking water supply and digital infrastructure and telecommunications.
- Require the State to apply and police a new regulatory regime on so-called Digital Service Providers (DSPs). These include cloud computing providers, search engine providers and providers of online marketplaces.
- Critically, and in a similar manner to that for data protection, the State has responsibility for dealing with the security of services provided by multinational companies across the European Union that have their European headquarters located in Ireland. The majority of these multinational companies are from the United States.
For more detailed information on Operators of Essential Services and Digital Services Providers, please follow the links below.
Operators of Essential Services (OES)
In order to realise the Directive and its objectives, Member States must identify the Operators of Essential Services within their jurisdiction, ensure that such entities have security measures in place and that they report significant incidents. Further information on the Directive regarding Operators of Essential Services can be found here.
These Security Guidelines are published here to assist Operators of Essential Services (OES) in meeting their network and information system security and incident reporting obligations under the Directive (transposed into Irish legislation under Regulations 17 and 18 of S.I. 360 of 2018: European Union (Measures For A High Common Level Of Security Of Network And Information Systems) Regulations 2018). They represent a sample approach that can be adopted by OES to manage the risks posed to the security of the network and information systems used in their operations, and to minimise the impact of incidents affecting those systems. They are both technology neutral and non-sector specific, to allow OES in different sectors to adapt them to meet their needs, and to evolve their sector-specific response along with technological advances and business requirements.
Draft Security Measures were published for public consultation in January 2019. All submissions have been considered, and the final version can be found here.
Digital Service Providers (DSP)
Companies providing digital services specified in Annex III of the Directive are categorised as Digital Service Providers and are to meet requirements set by the European Commission through the EU legal mechanism known as implementing acts. Further information on the Directive regarding Digital Service Providers can be found here.
Reporting an NISD incident to the NCSC
If you are an OES subject to the NIS Directive, please see the OES page for the incident reporting form.
If you are a DSP subject to the NIS Directive, please see the DSP page for the incident reporting form.