Network and Information Systems Directive

The Network and Information Systems Directive 2016/1148 was published in the Official Journal of the EU in July 2016 and was signed into Irish law on the 18th of September 2018 by way of Statutory Instrument No. 360 of 2018. It represents a significant change in how countries in the EU approach cyber security, and involves a shift in approach towards a more formal type of regulatory relationship in certain key industries.

The responsibilities that the Directive places on the State and on businesses are wide-ranging. Among other things, they:

  • Involve the application of a set of binding security obligations to a wide range of critical infrastructure operators, i.e. Operators of Essential Services. The sectors covered include energy, healthcare, financial services, transport, drinking water supply, and digital infrastructure and telecommunications.
  • Require the State to apply and police a new regulatory regime on so-called Digital Service Providers (DSPs). These include cloud computing providers, search engine providers and providers of online marketplaces.
  • Critically, and in a similar manner to that for data protection, give the State responsibility for dealing with the security of services provided by multinational companies across the European Union that have their European headquarters located in Ireland. The majority of these multinational companies are from the United States.

For more detailed information on Operators of Essential Services and Digital Service Providers, please follow the links below.