On May 10, 2018, an important piece of legislation, the Network and Information Systems Directive (NISD), was adopted by EU Member States. This was in response to a drive to develop a common approach across Europe to address the potential socio-economic damage caused by attacks on the network and information systems of critical national infrastructure. Find out more about NISD here.
The key parties affected by NISD are Operators of Essential Services (OESs) and Digital Service Providers (DSPs). For the UK, in general terms, the following are considered to be OESs:
- Providers of drinking water to more than 200,000 people
- Electricity, Oil and Gas providers, distributors and system operators
- Digital Infrastructure operators – domain registries, domain name service providers, internet exchange operators
- Health care providers
- Transport operators – Air, Maritime, Road and Rail
DSPs are operators of:
- online marketplaces
- online search engines
- cloud services
If you're unsure what exactly a DSP is - or whether your business might be considered one for the purposes of NISD - you can find out more by reading our previous article and watching our video.
The first obligation for parties that are Operators of Essential Services (OESs) is to notify their relevant Competent Authority that they qualify as an OES before 10 August 2018. The next key deadline is that parties who qualify as Relevant Digital Service Providers must register with the Information Commissioner before 1 November 2018.
If you're unsure whether your business is considered an OES or DSP for the purposes of NISD, or would like some advice on how to register, please get in touch with our international cyber security team, who would be delighted to help.