The EU Network and Information Security Directive places a series of obligations on Member States on the security of both Operators of Essential Services and Digital Service Providers. In the case of the former, Member States must identify those services that are both dependent on network and information systems and which are essential to the maintenance of critical societal and/or economic activities. The identified operators will then be obliged to meet certain security requirements and to report incidents to a National Competent Authority.
A public consultation on the transposition of the Directive closed in late 2016, and the Department is presently working on the development of primary legislation to transpose this Directive, as well as engaging directly with relevant Departments and Agencies across Government. The Directive identifies a list of types of entities that must be considered, including operators in the energy, healthcare, transport and internet infrastructure sectors. Once complete, this process will result in an official list of identified operators of essential services. It is possible for Member States to add entities to their national list, outside of those sectors identified in the Directive, but it is unlikely that this will occur in the short term. Defining political parties as critical infrastructure is therefore unlikely, and in any case the responsibility for security would remain with those entities.
