Ireland
(a) What is the NIS2 implementation status?
Ireland has not yet transposed NIS2. The draft legislation follows the NIS2 framework and recognises the Belgian Cyber Fundamentals (CyFun) Framework and the NIST Cybersecurity Framework 2.0 as relevant reference standards. Covered entities will be required to notify the national CSIRT of significant incidents without undue delay: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours that updates the early warning with an initial assessment, intermediate reports on request, and a final report once the incident has been handled. Entities in scope must register with the relevant competent authority by providing detailed organisational, contact, sectoral and cross-border service information; this registration obligation was set to apply from 17 January 2025. The lead competent authority will be the National Cyber Security Centre (NCSC), with other regulators acting as competent authorities for certain other sectors.
(b) What is the envisaged NIS2 implementation timeline?
At present, registration under the Irish NIS2 framework is not yet possible.
Once registration becomes available, entities will be required to register with the competent supervisory authority responsible for their respective sector.
(c) What does the NIS2 mean for other national cybersecurity legislation?
NIS2 is expected to substantially bolster the cybersecurity capabilities and resilience of the entities it covers, but its full effect on national cybersecurity legislation remains unclear because the updated legislation has yet to be finalised.
Several key components of the national framework are either already established or nearing completion and will be reflected in the legislation, including:
- The creation of a national competent authority (NCA) forum and the appointment of competent authorities for different sectors;
- Comprehensive guidance on the risk management and incident reporting measures required for entities within scope;
- The further enhancement of the national cyber security incident response team (CSIRT);
- The release of a national cyber security strategy; and
- The publication of a national cyber emergency plan.
(d) Who will be the supervisory authority and how are they preparing the market?
The lead competent authority will be the National Cyber Security Centre (NCSC) in Ireland. The Bill confirms that the NCSC will be designated as the Computer Security Incident Response Team (CSIRT), as the competent authority for certain entities, and as the body responsible for the management of large-scale cybersecurity incidents and crises in Ireland. Besides designating the NCSC as the lead competent authority, the Bill also designates a number of other regulators as competent authorities for certain sectors (e.g. the Commission for the Regulation of Utilities for energy, drinking water and waste water; the Commission for Communications Regulation for digital infrastructure, ICT service management, space and digital providers; the Central Bank of Ireland for banking and financial market infrastructures). The Bill mirrors the definitions of essential and important entities set out in NIS2; however, it also proposes that the competent Minister may make regulations designating an entity as an essential or important entity.
The NCSC has taken several steps to prepare organisations for compliance and resilience, including:
- Releasing the draft risk management measures required under NIS2;
- Adopting the ‘Cyber Fundamentals Framework’, a cybersecurity framework designed to help organisations comply with NIS2;
- Publishing an NIS2 FAQ focused on NIS2 compliance and key requirements; and
- Forming a sectoral cybersecurity information sharing network through the Cyber-CORE (CO-ordination and REsponse) programme.
(e) What should you be doing/on the lookout for?
NIS2 is a game changer: it brings a broader scope of entities into regulation and imposes more stringent requirements than NIS 1, with the aim of bolstering cybersecurity in key industries. It covers both important entities (e.g. waste management, food production, digital providers) and essential entities (e.g. certain entities in the energy, transport and health sectors), subjecting the latter category to a stricter supervisory and enforcement regime.
NIS2 specifies the minimum measures that in-scope entities must take, such as risk analysis and information security policies, incident handling, business continuity, supply chain security, and policies on the use of cryptography and encryption. NIS2 also places direct obligations on management bodies, which must approve and oversee the risk management measures and undergo cybersecurity training. NIS2 further raises penalties and introduces strict incident reporting requirements, beginning with an early warning within 24 hours. NIS2 also strengthens cooperation between supervisory authorities, so covered entities will need a broader understanding of the risk categories, functions, data sets and laws that those authorities will examine.
Based on the above, clients should especially consider and be on the lookout for the following:
- Entities covered: consider whether they are covered by NIS2 as an essential or important entity.
- Cybersecurity compliance: review internal policies and procedures with a focus on cybersecurity measures implemented, reporting channels, as well as relevant internal policies and functions.
- Training programmes: review cybersecurity training programmes and guidelines, with deeper involvement of managers holding key functions.
- Data security and breach management: review data security measures and personal data breach management practices and policies with a focus on managing different types of incidents and data breaches.
- Contractual relations: review and update contractual arrangements and templates with contractors, partners, and employees by putting more focus on the security measures to be implemented and followed by the parties, as well as cooperation and supervision in respect of cybersecurity and data security.
- Liability and insurance: explore and consider different insurance schemes and policies with respect to the relevant industry and risk factors.
Contact
Marie McGinley E: mariemcginley@eversheds-sutherland.ie
Aisling O’Hare E: aislingohare@eversheds-sutherland.ie
Daniel Necz E: danielnecz@eversheds-sutherland.ie
© Eversheds Sutherland. All rights reserved. Eversheds Sutherland is a global provider of legal and other services operating through various separate and distinct legal entities. Eversheds Sutherland is the name and brand under which the members of Eversheds Sutherland Limited (Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP) and their respective controlled, managed and affiliated firms and the members of Eversheds Sutherland (Europe) Limited (each an "Eversheds Sutherland Entity" and together the "Eversheds Sutherland Entities") provide legal or other services to clients around the world. Eversheds Sutherland Entities are constituted and regulated in accordance with relevant local regulatory and legal requirements and operate in accordance with their locally registered names. The use of the name Eversheds Sutherland, is for description purposes only and does not imply that the Eversheds Sutherland Entities are in a partnership or are part of a global LLP. The responsibility for the provision of services to the client is defined in the terms of engagement between the instructed firm and the client.