Oireachtas Joint and Select Committees

Thursday, 6 December 2018

Public Accounts Committee

2017 Annual Report of the Comptroller and Auditor General and Appropriation Accounts
Vote 29 - Department of Communications, Climate Action and Environment
Chapter 8 - Measures relating to Cyber Security
Chapter 9 - Energy Efficiency National Fund

9:00 am

Mr. Richard Browne:

It is across seven sectors, including health, education, transport, energy, financial services, banking and Internet infrastructure. For those seven sectors, what we are obliged to do, along with one other national competent authority, is to identify which entities we regard as being important. We then oblige those entities to meet security standards and to report serious incidents to the NCSC. That is the OES, or critical infrastructure, area. The other area is DSPs, or digital service providers. These are limited to three different sectors, namely, cloud computing, online sales platforms - that is, a platform that sells from A to B - and search engines. Those platforms have a different set of requirements. We are not obliged to designate those and, in fact, we cannot designate them. They are obliged to be self-designating and they are designated by definition in the directive and in our regulations. They are obliged to meet a set of security standards, not ours but ones that are set broadly in the EU implementing regulation. They are obliged to report incidents to us and the thresholds for reporting of those incidents are also set in parts 3 and 4 of that same EU implementing regulation.

Those are the requirements laid on those entities. We then have further requirements in terms of reporting to other EU member states and they to us in terms of incidents that are reported to us from both OES and DSPs. If, for example, an OES has operations in multiple member states and it is affected by an incident here that may have implications elsewhere, which could happen in this State given we have cross-border infrastructure in a number of sectors, we are then obliged to report to that other member state any outage or incident in that sector with regard to a specific OES. The same applies for DSPs. If, for example, a DSP is based here at the European level and has an outage or incident of a given scale and it reports that incident to us, we are obliged to report to the single points of contact in every other member state which has a population that may be affected by that same incident.

Other states have reporting obligations to us and we have reporting obligations to them. We also have reporting obligations to the Commission, as one would expect, in reporting collectively how many incidents we have seen. We have to report to the Commission on how many entities we are likely to designate in the operators of essential services sector and so on.
