Bird & Bird's Cathal Flynn outlines the key findings of Ofcom's recently published UK interim guidance for essential operators in the digital infrastructure subsector being impacted by National Information Systems Directive (NISD).

Last week marked the adoption by each Member State of the European Union of an important piece of EU legislation, the Network and Information Systems Directive (NISD). To find out more about NISD and how it impacts you, please refer to our summary article, series of videos and handy NISD tracker highlighting the differences between various EU jurisdictions.

NISD affects, amongst others, operators of essential services (OESs) that rely on network and information systems, including providers of providers of digital infrastructure, and Ofcom has been designated as the competent UK authority for that subsector. One of Ofcom's duties is the preparation and publication of guidance; and on 8 May 2018, it published interim guidance for OESs in the digital infrastructure subsector. This is expected to evolve as it gains a better understanding of the sector, and will receive regular review

In summary, the guidance:

  1. clarifies the status of digital infrastructure providers as OESs for the purposes of NISD
  2. describes the three categories of essential services provided by digital infrastructure providers
  3. clarifies notification duties: any digital infrastructure providers as at May 10, 2018 are obliged to notify Ofcom of OES status no later than August 9, 2018
  4. outlines the security and incident reporting duties of digital infrastructure providers, noting that the measures taken must ensure a level of security appropriate to the risk presented.