Network and Information Security Directive

The Network and Information Systems Directive 2016/1148 was published in the Official Journal of the EU in July 2016 and was signed into Irish law on the 18th of September 2018 by way of Statutory Instrument No. 360 of 2018. It represents a significant change in how countries in the EU approach cyber security, and involves a shift in approach towards a more formal type of regulatory relationship in certain key industries.

The responsibilities that the Directive places on the State and on businesses are wide ranging, but, among other things:

For more detailed information on Operators of Essential Services and Digital Services Providers, please follow the links below.

Operators of Essential Services (OES)

In order to realise the Directive and its objectives, Member States must identify the Operators of Essential Services within their jurisdiction, and ensure that such entities have security measures in place and that they report significant incidents. Further information on the Directive with regard to Operators of Essential Services can be found here.

Security Guidelines

These Security Guidelines are published here to assist Operators of Essential Services (OES) in meeting their network and information system security and incident reporting obligations under the Directive (transposed into Irish legislation under Regulations 17 and 18 of S.I. 360 of 2018: European Union (Measures For A High Common Level Of Security Of Network And Information Systems)). They represent a sample approach that can be adopted by OES to manage the risks posed to the security of the network and information systems used in their operations, and to minimise the impact of incidents affecting those systems. They are both technology neutral and non-sector specific, to allow OES in different sectors to adapt them to meet their needs, and to evolve their sector-specific response along with technological advances and business requirements.

Draft Security Measures were published for public consultation in January 2019. All submissions have been considered, and the final version can be found here.

Digital Service Providers (DSP)

Companies providing digital services specified in Annex III of the Directive are categorised as Digital Service Providers and are to meet requirements set by the European Commission through the EU legal mechanism known as implementing acts. Further information on the Directive with regard to Digital Service Providers can be found here.

Reporting an NISD incident to the NCSC

If you are an OES subject to the NIS Directive, please see the OES page for the incident reporting form.
If you are a DSP subject to the NIS Directive, please see the DSP page for the incident reporting form.

NIS Compliance Guidelines for Operators of Essential Services

For the Irish translation of this document, click this link.