Page Contents
Key Contacts
Last Friday the government published the General Scheme for the National Cyber Security Bill 2004 (the General Scheme). The Bill, once finalised, will:
The NIS2 Directive follows on from the NIS1 Directive and further harmonises cybersecurity standards across the EU.
The NIS Directives identify critical actors within certain sectors of the economy (defined in NIS2 as “essential entities” and “important entities”) which could cause widespread economic and societal disruption if compromised by way of a cybersecurity incident. The Directives require Member States to impose certain minimum standards of cybersecurity preparedness on such actors.
We are continuing our assessment of the General Scheme and will be providing further insights and commentary over the coming days. However for now, we wanted to briefly highlight some of key aspects of the Scheme:
Enforcement powers and personal liability for company officers
The General Scheme provides for a broad range of supervision and enforcement powers for the relevant competent authorities. These include the types of regulatory powers which have become commonplace in many of Ireland’s regulatory frameworks such as powers of inspection and the power to issue Compliance Notices and administrative fines.
Article 20 of the NIS2 Directive requires Member States to impose a specific obligation on the “management bodies” of essential and important entities to approve the cybersecurity risk-management measures taken by that entity and to oversee their effective implementation. Article 20 also provides that senior management should be liable for infringements by that entity of those cybersecurity risk-management obligations. The transposition of this requirement has been a highly anticipated element of the Bill.
Head 28 of the General Scheme transposes this requirement, providing that the “management board” (defined as a body of [sic] group of individuals vested with the authority and responsibility for the oversight, direction and control of an entity) can be held liable for infringements as set out in Part 8 of the General Scheme.
Part 8 of the General Scheme outlines the processes for investigation and enforcement and sets out the process by which entities can be issued with a Compliance Notice. A Compliance Notice will be issued following a finding of non-compliance and will detail the actions which an entity must take to achieve compliance.
Head 37B of the General Scheme provides that, where an entity then subsequently fails to comply with a Compliance Notice, the relevant competent authority may apply to the High Court to obtain an order to suspend a chief executive officer or director of the relevant company from exercising their managerial functions, unless and until the court is satisfied that the entity meets the requirements set out in the Compliance Notice.
Similarly, if such an entity operates under a licence or permit issued by the relevant competent authority, the High Court may issue an order to temporarily suspend the licence or authorization for part or all of the relevant services.
The maximum fine which can be issued under the General Scheme is €10 million and of at least 2 per cent of an entity’s worldwide turnover in the previous financial year, whichever is the greater.
Designation of national authorities
Head 17 of the General Scheme outlines the relevant national authorities which will be responsible for regulatory oversight across different economic sectors. Most of these appointments are not too surprising, typically assigning existing regulators oversight of their respective sectors. For example the Central Bank is responsible for the banking and financial markets sectors and the Irish Aviation Authority is responsible for oversight of the aviation sector. Notably ComReg has a relatively broad purview under the Scheme - it is responsible for organisations operating in the Digital Infrastructure, Digital Providers, ICT Services Managers and Space sectors.
The regulatory requirements under the General Scheme represent a substantial new responsibility for many of these existing regulators.
The National Cyber Security Centre (NCSC)
The NCSC was originally established by way of a Government Decision in 2011. However under the General Scheme, it will be established on a statutory basis with an enhanced role in respect of national cyber security monitoring, general resilience building, and the national incident response systems.
It is designated as the lead competent authority for Ireland, meaning it will act as the central co-ordinator for the other designated authorities under the General Scheme, as well as the central authority for engagement with the EU Commission and other EU bodies. It will also serve a competent authority for a diffuse range of industry sectors such as public administration, postal and courier services and manufacturing.
The NCSC is also designated as the Computer Security Incident Response Team (or CSIRT) under the General Scheme. Under Artcle 10 of the NIS2 Directive, Member States are required to establish or designate one or more CSIR to prevent, detect, respond to and mitigate cyber security incidents and risks. Many of the provisions in Artcle 10 replicate similar provisions as set out in the NIS1 Directive which were transposed into Irish law in Secton 10 of S.I. 360 of 2018, which had previously designated the NCSC as Ireland’s CSIRT.
Next steps
The General Scheme represents the first step in transposing the NIS2 Directive into Irish law. It has not yet been put before the Oireachtas or received any legislative scrutiny.
However all EU Member States are required to transpose the NIS2 in full by 17 October 2024 and the rhetoric from Brussels suggests that its implementation is considered a key priority for the EU. Accordingly it is generally expected that there will be a considerable push to ensure a streamlined legislative process with limited substantial amendments to the proposed text.
For further information in relation to this topic, please contact Aideen Burke, partner, Eoghan O'Keeffe, knowledge consultant or any member of ALG's Technology team.
Date published: 3 September 2024
