ARTICLE
12 February 2025

NIS2 Is Coming: Will It Apply To Your Organisation?

William Fry

Contributor

William Fry is a leading corporate law firm in Ireland, with over 350 legal and tax professionals and more than 500 staff. The firm's client-focused service combines technical excellence with commercial awareness and a practical, constructive approach to business issues. The firm advises leading domestic and international corporations, financial institutions and government organisations. It regularly acts on complex, multi-jurisdictional transactions and commercial disputes.

On 30 August 2024, the Department of the Environment, Climate and Communications published the General Scheme for the National Cyber Security Bill 2024 (CSB).

Once enacted, it will transpose the second Network and Information Security Directive (EU) 2022/2555 (NIS2) into Irish law. NIS2 repeals Directive (EU) 2016/1148 (NIS1), the first EU-wide piece of cybersecurity legislation, with effect from 18 October 2024.

NIS2 provides for legal measures, including obligations on in-scope organisations, to achieve a high common level of cybersecurity across the EU. It applies to more sectors than NIS1, introduces new cybersecurity risk-management and incident-reporting obligations, and places responsibility for cybersecurity at board level.

Publishing the CSB represents the first step in transposing NIS2 into Irish law. As of the date of this article, the CSB has not been put before the Oireachtas as a Bill; it has only undergone pre-legislative scrutiny, when the Joint Committee on Transport and Communications met representatives of Cyber Ireland on 17 October 2024. That date was also the deadline for EU member states to transpose NIS2, which the Irish Government missed, and the 2024 General Election then delayed the process further. Given the regulatory pressure from the EU, we anticipate that the legislative process will re-commence once the newly formed Irish government convenes, and that Ireland will move quickly to finalise this legislation.

(1) In scope entities

NIS2 applies to certain entities in the following sectors:

Annex I sectors (sectors of high criticality):

  • Energy
  • Transport
  • Banking
  • Financial market infrastructures
  • Health
  • Drinking water
  • Waste water
  • Digital infrastructure
  • ICT service management (business-to-business)
  • Public administration
  • Space

Annex II sectors (other critical sectors):

  • Postal and courier services
  • Waste management
  • Manufacture, production and distribution of chemicals
  • Production, processing and distribution of food
  • Manufacturing
  • Digital providers
  • Research

NIS2 applies to public and private entities of a type listed in Annex I or Annex II that qualify as medium-sized enterprises or exceed the ceilings for medium-sized enterprises. Under the EU definition, a medium-sized enterprise employs 50 to 249 people and has an annual turnover of €10m to €50m or an annual balance sheet total of €10m to €43m; larger entities are in scope as well.

Regardless of their size, NIS2 also applies to the following entities of a type listed in Annexes I and II:

  1. Public and private entities that provide public electronic communications networks (PECNs), publicly available electronic communications services (PECSs), trust services, top level domain (TLD) name registries or DNS services.
  2. Entities identified as critical entities under Directive (EU) 2022/2557 (Critical Infrastructures Directive).
  3. Entities providing domain name registration services.
  4. Entities that are the sole providers of services essential for the maintenance of critical societal or economic activities.
  5. Entities providing a service, the disruption of which could significantly impact security, safety or health.
  6. Entities providing a service, the disruption of which could result in significant systemic risk.
  7. Entities that are critical due to their importance at national or regional level in their sector.

(2) Supply Chain

Even if an entity is not directly within the scope of NIS2, it may in practice have to meet NIS2-driven requirements if it is part of the supply chain of an in-scope entity. Under NIS2, in-scope organisations are required to mitigate risks arising from their supply chain, including by establishing a supply chain security policy to govern their relations with direct suppliers and service providers.

If a supplier or service provider is identified, in accordance with the organisation's supply chain security policy, as falling within an identified risk to the organisation's network and information systems, the organisation must assess:

  • the supplier's cybersecurity practices and ability to meet the organisation's cybersecurity specifications;
  • the overall quality and resilience of the ICT products and ICT services; and
  • the cybersecurity risk-management measures embedded in them.

Organisations must also include adequate security clauses in their contracts with such direct suppliers or service providers.

Therefore, suppliers of network components, certain hardware and software, or ICT suppliers and service providers providing data storage, cybersecurity, software development or other IT and telecommunications services or products, may find themselves having to demonstrate compliance with NIS2-driven customer cybersecurity requirements. Depending on the organisation, the supplier or service provider, the product or service and the use case, this may not be limited to IT products and services: it may extend, for example, to facility security systems and services that present a cybersecurity risk, or to any supplier or service provider with access to the organisation's network and information systems.

The European Commission has published the final version of Commission Implementing Regulation (EU) 2024/2690 (CIR), which sets out the technical and methodological requirements of the cybersecurity risk-management measures, including supply chain security, for certain categories of digital entity. ENISA, the EU Agency for Cybersecurity, published draft technical implementation guidance on the CIR, which was open for public consultation until 9 January 2025. Although legally non-binding, the guidance is intended to help entities implement the CIR's requirements, including those on supply chain security management.

(3) NIS2 can apply even if there is no establishment in Ireland

NIS2 will generally apply to organisations within its scope which:

  • are 'established' in Ireland;
  • have their 'main establishment' in the EU in Ireland; or
  • in limited circumstances, are not established in Ireland but provide services in Ireland.

Where an organisation has operations in more than one EU member state, whether its 'main establishment' is in Ireland (and so whether it is subject to the CSB) is determined under Article 26 of NIS2. Under Article 26, an entity has its main establishment in the member state where decisions related to its cybersecurity risk-management measures are predominantly taken. If that member state cannot be determined, or such decisions are not taken in the EU, the main establishment is the member state where its cybersecurity operations are carried out. If that still cannot be determined, the main establishment is the member state where the entity has the establishment with the highest number of employees in the EU.

Head 21(13) of the CSB states that if an entity is not established in the EU but offers services within the EU, it shall designate a representative in the EU. The representative must be established in one of the member states where the services are offered. Such an entity shall fall under the member state's jurisdiction where the representative is established. Without a designated representative in the EU, any member state in which the entity provides services may take legal action against the entity for the infringement of NIS2.

(4) Essential and important entities

NIS2 categorises in-scope entities into either essential or important entities depending on factors such as size, industry sector and criticality.

Essential entities are:

  1. Annex I entities that exceed the ceilings for medium-sized enterprises;
  2. qualified trust service providers, top level domain name registries and DNS service providers, regardless of size;
  3. providers of PECNs or PECSs that qualify as medium-sized enterprises, and public administration entities of central government (and, where the State so provides, at regional level);
  4. Annex I or Annex II entities that the State has identified as essential following a risk-based assessment under the criteria in points 4 to 7 of section (1) above (sole providers, significant impact on security, safety or health, systemic risk, or national or regional importance), and entities identified as critical entities under the Critical Entities Resilience Directive; and
  5. entities already identified as operators of essential services under NIS1.

Any in-scope Annex I or Annex II entities not falling within those categories are important entities.

The substantive obligations for essential and important entities under NIS2 are the same; the distinction lies in supervision and penalties. Essential entities may be subject to proactive, ongoing and ad hoc (ex ante) monitoring and supervision. Important entities are supervised ex post, that is, only where there is evidence or an indication that they are not fulfilling their legal obligations. Maximum administrative fines are also higher for essential entities (at least €10m or 2% of total worldwide annual turnover, whichever is higher) than for important entities (at least €7m or 1.4%).

(5) Other laws taking precedence for some entities

NIS2 will not apply to entities that are required by other sector-specific EU legal acts to adopt cybersecurity risk-management measures or to notify significant incidents, where such requirements are at least equivalent in effect to those under NIS2.

The EU Digital Operational Resilience Act (DORA) applies from 17 January 2025, and the Department of Finance is responsible for giving full effect to DORA in Irish law. ENISA has provided guidance that the cybersecurity risk-management and reporting obligations, and the supervision and enforcement powers, under NIS2 should not apply to financial entities covered by DORA.

It is also important to note that the CSB does not apply to entities that the State has exempted from the application of DORA under Article 2(4) of that Regulation (for example, the Central Bank, post office giro institutions, credit unions and friendly societies, where exempted by the State).

(6) Designation of other entities

Due to the broad scope of NIS2, Head 22 of the CSB proposes that the Minister for the Environment, Climate and Communications (Minister) may make regulations designating an entity as an essential or important entity, in consultation with relevant stakeholders.

The related explanatory note provides that this power is intended for cases where the criteria set out in NIS2 are particularly broad, such as where "the person is the sole provider in the State of a service which is essential for the maintenance of critical societal or economic activities". Entities could therefore find themselves subject to the CSB through a specific designating regulation.

(B) Next steps – Actions to take

The CSB has not yet been enacted, so the dates below are indicative only and may change depending on when the CSB comes into force. This is particularly the case for the 17 January 2025 date, which has already passed.

17 January 2025

Head 31 of the CSB currently provides that, to establish the list referred to below, the Minister will require essential and important entities to submit at least the following information to the relevant competent authorities by 17 January 2025:

  • the name of the entity;
  • the address and up-to-date contact details;
  • where applicable, the relevant sector and subsector; and
  • where applicable, a list of the member states where they provide services falling within the scope of NIS2.

17 April 2025

Head 21 of the CSB provides that by 17 April 2025 the National Cyber Security Centre shall establish a list of essential and important entities, and of entities providing domain name registration services. The list is to be reviewed and, where appropriate, updated regularly and at least every two years.

Organisations should take the time now to carry out an applicability assessment to understand whether they are likely to be subject to NIS2, and to what extent their business is captured by the sectors and subsectors mentioned in NIS2. Organisations that fall within the scope of NIS2 should review their implementation plans ahead of the forthcoming Irish implementing legislation.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
