Oireachtas Joint and Select Committees
Thursday, 6 December 2018
Public Accounts Committee
2017 Annual Report of the Comptroller and Auditor General and Appropriation Accounts
Vote 29 - Department of Communications, Climate Action and Environment
Chapter 8 - Measures relating to Cyber Security
Chapter 9 - Energy Efficiency National Fund
9:00 am
Mr. Richard Browne:
That is what I am coming to. With regard to cybersecurity incidents, there is a provision in the directive in article 1.6 around lex specialis. I am sorry for the complexity but the Chairman did ask. This means that if there is a sector specific piece of European Union legislation - in this case PSD 2 which is the payment services directive No. 2 - that imposes obligations on entities that are judged to be sufficient or in excess of NIS in this case, the competent authority can deem that the European Union sector-specific legislation applies in respect of those services. In financial services and credit institutions - those two out of seven - is that the Central Bank has designated entities where it has said an entity is now an OES but it has disapplied the security measures. The Central Bank already has PSD 2 in place and implemented, but the incident reporting obligation in NIS applies.
Importantly, for the purpose of this conversation, the reporting obligation is to us, not to anybody else. The computer security incident response team, CSIRT, within the National Cyber Security Centre, NCSC, is the focal point for all incident reporting in the State. We receive incident reports from the financial services sector in the same way as we receive them from the aviation sector or the public sector. All those are centralised in the NCSC within the CSIRT in our database of, what we call, bad stuff. It is a collective intelligence framework of malware now seized and we can then act on that as if it were any other sector.