On 30 August 2024, the Department of the Environment, Climate and Communications published the highly anticipated General Scheme of the National Cyber Security Bill 2024 (the "Cyber Security Bill"), which implements the second Network and Information Security Directive (EU) 2022/2555 ("NIS 2"). This early draft is yet to pass through the Oireachtas or any legislative scrutiny, however, as EU member states are required to transpose NIS2 in full by 17 October 2024, we expect there to be relatively limited changes made in advance of its adoption.
For more information about NIS 2, please refer to our previous article: Essential and Important Information for Essential and Important Entities.
We will provide additional insights into the substance of the Cyber Security Bill over the days ahead, but in the interim there are a few key provisions to keep top of mind:
Federated Regulatory Regime
As signalled, Ireland has opted for a federated regulatory regime for NIS 2. This means that the National Cyber Security Centre ("NCSC") shall act as lead competent authority, taking the role of a central coordinator providing advice, guidance and support and development of regulatory frameworks and tools and as the central authority for engagement with European Commission, EU bodies and agencies, and other Member States. The Cyber Security Bill for the first time sets out the remainder of the competent authorities in Ireland.
The Minister for Environment, Climate and Communications may make regulations (secondary legislation) to designate additional competent authorities, as required.
Director and Management Liability
Article 20 of NIS 2 requires that 'management bodies' oversee implementation of NIS 2 obligations and provides that member states must implement the possibility for specific sanctions against individual members of those bodies should they fail to comply with enforcement orders.
The Cyber Security Bill provides greater clarity in this respect and confirms that in cases of non-compliance with an enforcement order, the designated national competent authority will have the power to apply to the High Court to suspend a chief executive officer or Director from exercising their managerial functions in essential and important entities, unless and until the court is satisfied that the entity meets the requirements set out in the compliance notice.
Similarly, where an entity operates under a licence or permit issued by the relevant competent authority, the High Court may make an order to temporarily suspend the license or authorisation concerning part or all of the relevant services.
Final Observations
The Cyber Security Bill does not implement the Critical Entities Resilience Directive (Directive (EU) 2022/2557). However, it does clarify that the Department of Defence is currently transposing that Directive into Irish law via statutory instrument. Entities identified as 'critical' under that Directive will be deemed to be an 'essential entity' for the purposes of NIS 2.
Clients who are within scope of NIS 2 should take the opportunity now to review their implementation plans in advance of the deadline for implementation on 17 October 2024.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.