The National Cyber Security Bill 2024 is an Irish bill published by the Oireachtas in 2024.[1] The legislation was published on 30 August 2024.[2]

NIS 2

The legislation transposes several important parts of NIS 2:[1][3]

Designation of competent authorities

National competent authorities are defined.[1][3] Ireland has chosen a federated model for NIS 2, in which the National Cyber Security Centre is the lead competent authority, with responsibility for large-scale cybersecurity incidents in Ireland.[4] The NCSC is also designated as Ireland's CSIRT.[3][2]

| Competent Authority | NIS 2 sector |
| --- | --- |
| Commission for Regulation of Utilities | Energy, Drinking Water, Waste water[4][2] |
| Commission for Communications Regulation | Digital infrastructure, ICT Service management, Space, Digital Providers[4][2] |
| Central Bank of Ireland | Banking, Financial markets[4][2] |
| Irish Aviation Authority | Aviation[4][2] |
| Commission for Railway Regulation | Rail[4][2] |
| Minister for Transport | Maritime transport[4][2] |
| National Transport Authority | Road[4][2] |
| An agency or agencies under the remit of the Minister for Health | Health[4][2] |
| National Cyber Security Centre | All other in-scope sectors[4][2] |

Essential and important entities

  1. Essential entities operate in critical sectors such as energy and transport.[1]
  2. Important entities operate in sectors with a high cyber risk such as waste management and post.[1]

Cybersecurity risk management

Essential entities will be required to have robust risk management, including regular risk assessments, suitable security measures and a plan for incident response.[1][2]

Incident reporting

Both essential and important entities are required to report significant incidents to a competent authority.[1][3][2]

Supervision and enforcement

Noncompliance with the directive can lead to CEOs, directors and other managers having their roles restricted in essential and important entities.[1] If an individual can be proven to have caused a corporate body not to comply, knowingly or through neglect, then they can be found personally liable.[1] Financial penalties can also be imposed.[1]

For an essential entity the maximum penalty is the larger of €10 million or 2% of worldwide turnover in the previous financial year.[1][2]

For an important entity the maximum penalty is the larger of €7 million or 1.4% of worldwide turnover in the previous financial year.[1][2]

Business licences can be suspended by a national competent authority.[1] The High Court oversees these matters.[1]

National Cyber Security Centre

The bill also deals with the National Cyber Security Centre.[1][2]

The centre will be established as an executive office of the Department of the Environment, Climate and Communications.[1]

The centre will have enhanced responsibilities both nationally and internationally.[1] It will have the power to scan for vulnerable systems and employ sensors, at the request of an important or essential entity.[1]

References

  1. Delaney, Sharon (2024-09-25). "National Cyber Security Bill 2024". Beauchamps. Retrieved 2025-02-19.
  2. Austin, Julie; Madden, Michael (2024-09-16). "National Cyber Security Bill 2024 General Scheme Published". Lexology. Retrieved 2025-02-19.
  3. "The National Cyber Security Bill 2024 (NIS2)". Mason Hayes & Curran. Retrieved 2025-02-19.
  4. Salizzo, Carlo; Bohan, Anne-Marie; Crowley, Deirdre; Hanna, Sarah Jayne; Brennan, Davinia; Condon, Thomas (2024-09-02). "General Scheme of NIS 2 Implementing Legislation Published". Matheson. Retrieved 2025-02-19.