The National Cyber Security Centre (NCSC) is located within my Department and serves to provide a range of cyber security services to owners of Government IT infrastructure and Critical National Infrastructure (CNI). The areas of online safety and cyber defence also fall under the remit of other Government Departments, including the Department of Defence and the Department of Justice and Equality.
Since its establishment in 2011, the focus of the NCSC has been on developing capacity and engaging with national and international stakeholders around sharing information, securing systems and responding to incidents. The NCSC also works to collate and analyse data from cyber-attacks and to coordinate with those targeted to introduce mitigation measures, and it continues to work with utility operators and with similar bodies in other jurisdictions to ensure that risks to infrastructure in Ireland are managed appropriately, including the active management of ongoing issues.
The NCSC is also home to the national Computer Security Incident Response Team (CSIRT-IE) and is responsible for acting as a conduit for information to constituents (including operators of Critical National Infrastructure, Government Departments and Agencies), providing expert advice and analysis on cyber security issues and for coordinating significant incidents. Like similar bodies in other jurisdictions, the NCSC acts as a central contact point in the event of a government or nation-wide cyber security incident affecting the State. The CSIRT received International Accreditation in 2017.
From 9 May 2018, European Union Directive 2016/1148, concerning measures for a high common level of security of network and information systems will place a number of significant responsibilities on the NCSC in respect of Cyber Security, and will require my Department to establish a list of key critical infrastructure operators, known as Operators of Essential Services (OES) in the energy, transport, banking, financial market infrastructures, health, drinking water supply and digital infrastructure sectors. These OES will be subject to a set of binding security obligations and reporting requirements in relation to cyber security incidents affecting them.
In addition, the State will be required to apply a new regulatory regime to Digital Service Providers (DSPs), who include cloud computing providers, search engines providers and providers of online market places. As a consequence of this, and in a similar manner to that for data protection, the State will have responsibility for applying the provisions of this Directive in respect of security of services provided by some multinational companies across the European Union, as a consequence of their European headquarters being located in Ireland.