The National Cyber Security Bill 2024

What is the National Cyber Security Bill 2024?

Introduced in 2022, the NIS2 Directive is the EU-wide legislation on cybersecurity. It promotes and harmonises measures to boost the overall level of cybersecurity in the EU.

The National Cyber Security Bill 2024 will transpose NIS2 into Irish law once enacted. It also provides for the establishment of the National Cyber Security Centre on a statutory footing and sets out its mandate and role in general.

Scope of the National Cyber Security Bill?

The Bill's scope encompasses a wide range of sectors deemed essential and important for national security and public safety. This includes areas such as:

  • Energy
  • Transportation
  • Banking, and
  • Medical devices

The legislation will apply to both public authorities and private organisations that operate in these sectors, ensuring comprehensive coverage of entities that could be vulnerable to cyber incidents.

What are the key features of the National Cyber Security Bill?

1. Designation of national competent authorities

The National Cyber Security Centre (NCSC) will be designated as the competent authority for the management of large-scale cybersecurity incidents and crises in Ireland. The NCSC will also be designated as Ireland’s Computer Security Incident Response Team (CSIRT) with a range of responsibilities including incident handling.

2. Cybersecurity risk management measures

The General Scheme will transpose the risk management and reporting obligations under NIS2 into Irish law. All entities will be required to put in place appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems. Organisations will need to conduct risk assessments and implement measures based on an all-hazards approach to mitigate risk. This might include examining supply chain security, cyber hygiene practices, human resources security, etc.

3. Incident reporting

All entities will have an obligation to report certain cyber incidents to the CSIRT. The timelines for reporting are extremely tight, with an early warning to be made within 24 hours of becoming aware of the breach. Notifications to customers may also be required. The Draft Implementing Regulation (DIR) provides further clarity around the proposed reporting thresholds for certain Digital Infrastructure and Digital Provider entities.

4. Enforcement powers and personal liability for company officers

The relevant competent authority in each sector will, as noted, be responsible for supervision and enforcement. The General Scheme provides for a broad range of sometimes novel supervision and enforcement powers, including the appointment of independent adjudicators.

Notably, the General Scheme provides that senior management may be held personally liable for an organisation’s non-compliance with its cybersecurity risk-management obligations, including incident reporting. Following a finding of non-compliance, organisations will first be issued with a Compliance Notice setting out the suspected breach and directing the organisation to remedy its non-compliance. Where an organisation subsequently fails to comply with a Compliance Notice, it commits an offence and is liable to fines and penalties. The relevant competent authority may also apply to the High Court to restrict senior management from their positions. If the organisation operates under a license or permit issued by the competent authority, the competent authority may also temporarily suspend the licence until compliance is achieved.

5. The National Cyber Security Centre

The NCSC is already responsible for advising and informing Government IT and critical national infrastructure providers of current threats and vulnerabilities associated with network information security. The General Scheme provides the NCSC with a statutory footing, clarifying its role and mandate. The General Scheme also intends to give the NCSC specific powers to engage in a range of scanning activities to identify systems vulnerable to specific exploits.

When will the National Cyber Security Bill come into force?

The Irish Government published the long-awaited General Scheme for the National Cyber Security Bill 2024 on 30 August 2024.

The National Cyber Security Bill is currently at general scheme stage which is an important early stage in the legislative process as it sets out the structure of what the final law might look like. The deadline for EU Member States to transpose NIS2 into national law is 17 October 2024.

Given the upcoming deadline and the fact that the European Commission has indicated that cybersecurity is one of its top priorities, it is anticipated that the legislative process will be streamlined with limited amendments made to the Bill before it is finalised and enacted.

Impact of the National Cyber Security Bill

The impact of the National Cyber Security Bill 2024 is poised to be significant:

  • By establishing a clear framework for cybersecurity, Ireland aims to bolster its defenses against increasing cyber threats
  • The Bill introduces stringent compliance requirements, ensuring that organisations take their cybersecurity responsibilities seriously
  • With mandatory reporting and risk management measures, entities will be better equipped to handle cyber incidents effectively

The National Cyber Security Bill 2024 represents a proactive step towards safeguarding Ireland's critical infrastructure and enhancing its overall cybersecurity resilience in line with European standards.

For more information and expert advice, contact a member of our Privacy & Data Security team.