Thursday, 10 May 2018

Questions (261)

Eamon Ryan

Question:

261. Deputy Eamon Ryan asked the Minister for Communications, Climate Action and Environment his position on EU Directive 2016/1148; his views on whether the implementation of this directive represents an adequate minimum standard for the cybersecurity of critical infrastructure in the State; and his plans to introduce further measures to increase Irish cybersecurity and readiness. [20745/18]

Written answers (Question to Communications)

The European Union Network and Information Security Directive marks an extremely significant step change in how the EU and its Member States approach the Cyber Security of critical infrastructure and key online services. Once fully implemented, Member States will have a formal and binding set of arrangements in place around Critical Infrastructure, adapted to the needs of each State. These arrangements involve the State identifying certain key critical infrastructure operators in sectors like energy, transport, healthcare provision and digital infrastructure, and requiring these operators to meet a set of binding security requirements and to report incidents. The Directive also requires all Member States to apply and police a new unified regulatory regime on Digital Service Providers (DSPs), which include cloud computing providers, search engine providers and providers of online market places.

The Directive also places obligations on the State itself, with a view to ensuring that States can cooperate and share information in the event of a large scale incident affecting several countries and to ensure that every State has significant capacity of its own. These requirements include the adoption of a national strategy, the designation of a National Computer Security Incident Response Team (CSIRT) with responsibility for risk and incident handling and the requirement to designate a National Competent Authority (NCA) for the purposes of the Directive.

In Ireland, the National Cyber Security Centre in my Department has been working on the transposition for a considerable period of time and will be the National Competent Authority. The unit has identified a set of critical infrastructure operators and in November, published a set of draft security measures to apply to these. Regulations to transpose the Directive itself are at a very advanced stage, and I expect to be in a position to sign these in the coming days. The unit has also been developing its own capacity internally, particularly with regard to the Computer Security Incident Response Team (CSIRT) which received international accreditation last year. Further recruitment into the NCSC is also underway, in part to be in a position to fully deliver the requirements of the Directive.