ARTICLE
4 September 2024

General Scheme Of NIS 2 Implementing Legislation Published

M
Matheson

Contributor

Established in 1825 in Dublin, Ireland and with offices in Cork, London, New York, Palo Alto and San Francisco, more than 700 people work across Matheson’s six offices, including 96 partners and tax principals and over 470 legal and tax professionals. Matheson services the legal needs of internationally focused companies and financial institutions doing business in and from Ireland. Our clients include over half of the world’s 50 largest banks, 6 of the world’s 10 largest asset managers, 7 of the top 10 global technology brands and we have advised the majority of the Fortune 100.
On 30 August 2024, the Department of the Environment, Climate and Communications published the highly anticipated General Scheme of the National Cyber Security Bill 2024...
Ireland Technology

On 30 August 2024, the Department of the Environment, Climate and Communications published the highly anticipated General Scheme of the National Cyber Security Bill 2024 (the "Cyber Security Bill"), which implements the second Network and Information Security Directive (EU) 2022/2555 ("NIS 2"). This early draft is yet to pass through the Oireachtas or any legislative scrutiny, however, as EU member states are required to transpose NIS2 in full by 17 October 2024, we expect there to be relatively limited changes made in advance of its adoption.

For more information about NIS 2, please refer to our previous article: Essential and Important Information for Essential and Important Entities.

We will provide additional insights into the substance of the Cyber Security Bill over the days ahead, but in the interim there are a few key provisions to keep top of mind:

Federated Regulatory Regime

As signalled, Ireland has opted for a federated regulatory regime for NIS 2. This means that the National Cyber Security Centre ("NCSC") shall act as lead competent authority, taking the role of a central coordinator providing advice, guidance and support and development of regulatory frameworks and tools and as the central authority for engagement with European Commission, EU bodies and agencies, and other Member States. The Cyber Security Bill for the first time sets out the remainder of the competent authorities in Ireland.

1512952a.jpg

The Minister for Environment, Climate and Communications may make regulations (secondary legislation) to designate additional competent authorities, as required.

Director and Management Liability

Article 20 of NIS 2 requires that 'management bodies' oversee implementation of NIS 2 obligations and provides that member states must implement the possibility for specific sanctions against individual members of those bodies should they fail to comply with enforcement orders.

The Cyber Security Bill provides greater clarity in this respect and confirms that in cases of non-compliance with an enforcement order, the designated national competent authority will have the power to apply to the High Court to suspend a chief executive officer or Director from exercising their managerial functions in essential and important entities, unless and until the court is satisfied that the entity meets the requirements set out in the compliance notice.

Similarly, where an entity operates under a licence or permit issued by the relevant competent authority, the High Court may make an order to temporarily suspend the license or authorisation concerning part or all of the relevant services.

Final Observations

The Cyber Security Bill does not implement the Critical Entities Resilience Directive (Directive (EU) 2022/2557). However, it does clarify that the Department of Defence is currently transposing that Directive into Irish law via statutory instrument. Entities identified as 'critical' under that Directive will be deemed to be an 'essential entity' for the purposes of NIS 2.

Clients who are within scope of NIS 2 should take the opportunity now to review their implementation plans in advance of the deadline for implementation on 17 October 2024.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More