The Irish Government published the long-awaited General Scheme for the National Cyber Security Bill 2024 on 30 August 2024. A general scheme in Irish law is an important early stage in the legislative process which broadly sets out what a full draft Bill is expected to look like. The next step will be for the full draft Bill to be presented before the Irish legislature.
Once finalised and enacted, the Bill will:
- Transpose the Network and Information Security Directive EU 2022/2555 (NIS2) into Irish law
- Establish the general framework for Ireland’s national cybersecurity strategy, and
- Establish Ireland’s National Cyber Security Centre on a statutory basis and set out its mandate and role
NIS2 forms part of a package of measures to improve the resilience and incident response capabilities of public and private entities, competent authorities and the EU as a whole in the field of cybersecurity and critical infrastructure protection. Entities regulated under NIS2 are categorised as ‘Essential’ or ‘Important’ depending on factors such as size, industry sector and criticality. In basic terms, these are entities in sectors which are considered critical to the EU’s security and the functioning of its economy and society, such as:
- Energy
- Transportation
- Banking
- Digital infrastructure such as data centre service providers and providers of electronic communications networks and services
- Digital providers such as social networks and online marketplaces
- Medical devices, and
- Wholesale food production and distribution
The General Scheme sets out an initial draft structure for how NIS2 will be transposed into Irish law. Key aspects of the General Scheme include:
1. Designation of national competent authorities
The National Cyber Security Centre (NCSC) will be designated as the competent authority for the management of large-scale cybersecurity incidents and crises in Ireland. The NCSC will also be designated as Ireland’s Computer Security Incident Response Team (CSIRT) with a range of responsibilities including incident handling. The General Scheme also provides that the NCSC will act as lead competent authority. This means it will act as the central coordinator in Ireland and the central authority for engagement with the European Commission and other Member States.
The General Scheme also provides for the designation of the following sector-specific competent authorities which will oversee implementation and enforcement of the cybersecurity regime within their relevant sectors:
| Competent Authority | Industry Sector |
| --- | --- |
| Commission for the Regulation of Utilities | Energy; Drinking water; Waste water |
| Commission for Communications Regulation | Digital infrastructure; ICT service management; Space; Digital providers |
| Central Bank of Ireland | Banking; Financial market |
| Irish Aviation Authority | Transport - aviation |
| Commission for Rail Regulation | Transport - rail |
| The Minister for Transport | Transport - maritime |
| National Transport Authority | Transport - road |
| An Agency or Agencies under the remit of the Minister for Health | Health |
| NCSC | All other sectors set out in the Schedules to the Bill |
2. Cybersecurity risk management measures
The General Scheme will transpose the risk management and reporting obligations under NIS2 into Irish law. All entities will be required to put in place appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems. Organisations will need to conduct risk assessments and implement measures based on an all-hazards approach to mitigate risk. This might include examining supply chain security, cyber hygiene practices, human resources security, etc.
The European Commission has also published a Draft Implementing Regulation (DIR) elaborating on the security measures that certain Digital Infrastructure and Digital Provider entities will be expected to implement.
The management board of Essential and Important entities will be required to:
- Approve, oversee the implementation of and monitor the application of the risk management measures, and
- Follow cyber security risk-management training and encourage their employees to take relevant cyber security training on a regular basis.
3. Incident reporting
All entities will have an obligation to report certain cyber incidents to the CSIRT. The timelines for reporting are extremely tight, with an early warning to be made within 24 hours of becoming aware of the breach. Notifications to customers may also be required. The DIR provides further clarity around the proposed reporting thresholds for certain Digital Infrastructure and Digital Provider entities.
4. Enforcement powers and personal liability for company officers
The relevant competent authority in each sector will, as noted, be responsible for supervision and enforcement. The General Scheme provides for a broad range of sometimes novel supervision and enforcement powers, including the appointment of independent adjudicators.
Notably, the General Scheme provides that senior management may be held personally liable for an organisation’s non-compliance with its cybersecurity risk-management obligations, including incident reporting. Following a finding of non-compliance, organisations will first be issued with a Compliance Notice setting out the suspected breach and directing the organisation to remedy its non-compliance. Where an organisation subsequently fails to comply with a Compliance Notice, it commits an offence and is liable to fines and penalties. The relevant competent authority may also apply to the High Court to restrict senior management from their positions. If the organisation operates under a licence or permit issued by the competent authority, the competent authority may also temporarily suspend the licence until compliance is achieved.
In line with NIS2, the maximum fine which can be issued for infringements under the General Scheme is:
- For essential entities, €10 million or at least 2% of an organisation’s worldwide group turnover in the previous financial year, whichever is greater
- For important entities, €7 million or at least 1.4% of an organisation’s worldwide group turnover in the previous financial year, whichever is greater
5. The National Cyber Security Centre
The NCSC is already responsible for advising and informing government IT and critical national infrastructure providers of current threats and vulnerabilities associated with network information security. As noted, the General Scheme provides the NCSC with a statutory footing, clarifying its role and mandate. The General Scheme also intends to give the NCSC specific powers to engage in a range of scanning activities to identify systems vulnerable to specific exploits.
Top Tips for Businesses
With the deadline for transposition fast approaching, here are our top three tips for businesses:
- First, determine if your business is caught by NIS2 and how. NIS2 applies to a number of new sectors that were not originally in scope under NIS1 including ICT service management (B2B), public administration, waste management, medical devices, pharma and wholesale food businesses. The fact that your business was not caught by NIS1 does not mean it will not be caught by NIS2.
- Second, consider which jurisdiction your business will be subject to. The general rule is that, if an entity provides services or is established in more than one Member State, it will fall under the separate and concurrent jurisdiction of each of those Member States. In that case, businesses will need to understand how NIS2 was implemented in those jurisdictions. The rules on jurisdiction will, however, differ for public administration entities, Digital Infrastructure and Digital Providers, some of which will only be regulated in their Member State of ‘main establishment’ in the EU.
- Third, start preparing your compliance plans. The obligations under NIS2 fall into three buckets, (i) governance, (ii) cybersecurity measures, and (iii) incident reporting. Most compliance plans that we are developing with clients will include developing training for management bodies, conducting cyber security risk assessments, updating incident reporting procedures and conducting supply chain audits. We are also assisting clients in coordinating their approach to compliance across NIS2 and similar existing and forthcoming EU laws such as GDPR, the ePrivacy Directive and DORA.
Conclusion
The General Scheme has not yet faced any pre-legislative scrutiny by the Government. It will be subject to further scrutiny as part of the legislative process once the text of the Bill is finalised. However, the deadline for EU Member States to transpose NIS2 into national law is 17 October 2024. Given the upcoming deadline and the fact that the European Commission has indicated that cybersecurity is one of its top priorities, it is anticipated that the legislative process will be streamlined with limited amendments made to the proposed General Scheme before the text of the Bill is finalised and enacted. Organisations should identify whether or not they are subject to the obligations set out in the General Scheme, so they are prepared to comply with this legislation when it enters into force.
For more information and expert advice, contact a member of our Privacy & Data Security team.
People also ask
What is the NIS2 Directive?
Introduced in 2022, the NIS2 Directive is the EU-wide legislation on cybersecurity. It promotes and harmonises measures to boost the overall level of cybersecurity in the EU.
What is the National Cyber Security Bill?
The National Cyber Security Bill 2024 will transpose NIS2 into Irish law once enacted. It also provides for the establishment of the National Cyber Security Centre on a statutory footing and sets out its mandate and role in general.
When is the National Cyber Security Bill effective?
This remains to be seen. The National Cyber Security Bill is currently at general scheme stage, which is an important early stage in the legislative process as it sets out the structure of what the final law might look like. The deadline for EU Member States to transpose NIS2 into national law is 17 October 2024. Given the upcoming deadline and the fact that the European Commission has indicated that cybersecurity is one of its top priorities, it is anticipated that the legislative process will be streamlined with limited amendments made to the Bill before it is finalised and enacted.
The content of this article is provided for information purposes only and does not constitute legal or other advice.