The Network and Information Systems Directive 2016/1148 was published in the Official Journal of the EU in July 2016. It represents a significant change in how countries in Europe approach cyber security, and involves a shift in approach towards a more formal type of regulatory relationship in certain key industries.
The responsibilities that the Directive places on the State and on businesses are wide-ranging, but, among other things, will:
- Involve the application of a set of binding security obligations to a wide range of critical infrastructure operators, i.e. operators of essential services. These will include energy, healthcare, financial services, transport, drinking water supply and digital infrastructure and telecommunications.
- Require the State to apply and police a new regulatory regime on so-called Digital Service Providers (DSPs). These will include cloud computing providers, search engine providers and providers of online marketplaces.
- Critically, and in a similar manner to that for data protection, give the State responsibility for dealing with the security of services provided across the European Union by multinational companies that have their European headquarters located in Ireland. The majority of these multinational companies are from the United States.
NIS Directive Security Measures and Incident Reporting for Operators of Essential Services
A consultation paper on the NIS Directive Security Measures and Incident Reporting for Operators of Essential Services was published on 15th November 2017. This consultation paper sets out a proposed approach for the measures with which certain key infrastructure operators (or 'Operators of Essential Services' - OES) will be required to comply if designated as such under the Network and Information Systems Directive. The paper also sets out a draft set of incident reporting guidelines.
Public Consultation on the NIS Directive Security Measures and Incident Reporting for Operators of Essential Services