Ireland’s cybersecurity landscape is on the brink of significant change. The new National Cyber Security Bill 2024 is set to reshape how organisations approach digital security, says Julie Austin, privacy and data security partner at business law firm Mason Hayes & Curran. This legislation aims to bolster cybersecurity resilience and incident response capabilities across critical sectors.
The Bill, which will give effect to the EU’s NIS2 Directive, introduces stringent cybersecurity risk management measures, incident reporting requirements, and accountability for management bodies.
The Irish Government was due to transpose the NIS2 Directive into Irish law by 17 October 2024. However, due to the complexity of the legislation, the Government has indicated that this deadline will not be met. A recent survey of 160 professionals by Mason Hayes & Curran also identified that:
- Four in ten (38%) believe their organisation will not be prepared for NIS2 compliance by 17 October
- More than two-thirds (67%) say complexity is their biggest concern about NIS2 implementation
- A quarter of businesses (25%) are not confident in their ability to meet new reporting requirements
When is the National Cyber Security Bill effective?
This remains to be seen. The National Cyber Security Bill is currently at general scheme stage, an important early stage in the legislative process, as it sets out the structure of what the final law might look like. The deadline for EU Member States to transpose NIS2 into national law is 17 October 2024. Given the upcoming deadline for transposition and the fact that the European Commission has indicated that cybersecurity is one of its top priorities, it is anticipated that the legislative process will be streamlined, with limited amendments made to the Bill before it is finalised and enacted.
What sectors does NIS2 apply to?
The NIS2 Directive encompasses a wide range of sectors deemed essential and important for national security and public safety.
Entities regulated under NIS2 are classified as ‘essential’ or ‘important,’ based on factors such as size, industry sector, and their criticality to national infrastructure.
NIS2 will apply to a wider and deeper pool of entities than is currently covered by the existing NIS Directive. While traditional sectors like energy, transportation and banking are included, NIS2 extends its reach to other sectors such as research, ICT service management (business to business), public administration, manufacturing, the production and distribution of chemicals, and wholesale food production and distribution. It also extends the definition of digital infrastructures.
The expansive scope of NIS2 reflects the interconnected nature of today’s economy, where a cyber incident in one sector can have significant repercussions across others.
What measures should I take to comply?
The obligations under NIS2 fall into three core buckets: (i) governance, (ii) cybersecurity measures, and (iii) incident reporting. Most compliance plans that Mason Hayes & Curran is developing with clients will include developing training for management bodies, establishing a governance framework, conducting cybersecurity risk assessments, updating incident reporting procedures and conducting supply chain audits. We are also assisting clients in co-ordinating their approach to compliance across NIS2 and similar existing and forthcoming EU laws such as GDPR, the ePrivacy Directive and DORA.
Relevant for smaller entities that are not cross-border, the National Cyber Security Centre proposes to launch an Irish Cyber Security Measures Certification. Entities in scope of NIS2 in Ireland will be able to go to market and procure a certification from a regulated provider. There will be a national standard, overseen by the NSAI and the Department of Enterprise, Trade and Employment, to facilitate the development of a private market for cybersecurity certification.
I’m a small enterprise operating in a sector in scope – am I caught by the new rules?
Generally, subject to some exceptions, an entity must qualify as a medium-sized enterprise (as defined in Recommendation 2003/361/EC) or larger in order to come within the scope of NIS2. Recommendation 2003/361/EC provides that a medium-sized enterprise has at least 50 employees and an annual turnover or annual balance sheet total of at least €10 million. However, an enterprise that is part of a larger group may need to include staff headcount, turnover and balance sheet data from that group when assessing whether it falls within the definition of a medium-sized enterprise.
We are a large business operating in multiple jurisdictions in the EU – do we need to comply with all local laws implementing NIS2 in all Member States?
The general rule is that, if an entity provides services or is established in more than one Member State, it will fall under the separate and concurrent jurisdiction of each of those Member States. In that case, businesses will need to understand how NIS2 is implemented in each of those jurisdictions. The rules on jurisdiction will, however, differ for Digital Infrastructure and Digital Providers, where the “main establishment principle” is intended to apply.
What fines can be imposed for noncompliance?
In line with NIS2, the maximum fine which can be issued for infringements under the General Scheme is:
- For essential entities, €10 million or at least 2% of an organisation’s worldwide group turnover in the previous financial year, whichever is greater.
- For important entities, €7 million or at least 1.4% of an organisation’s worldwide group turnover in the previous financial year, whichever is greater.
Notably, NIS2 also provides that senior management may be held personally liable for an organisation’s noncompliance with its cybersecurity risk-management obligations.
For more information and expert advice, please contact a member of the Technology team at Mason Hayes & Curran.