Ireland
(a) What is the NIS2 implementation status?
NIS2 has not yet been implemented in Ireland. The first draft of the National Cyber Security Bill transposing the NIS2 Directive in Ireland has recently been published (as draft Heads of Bill). The Bill is expected to be approved in the upcoming month.
The Bill confirms that the National Cyber Security Centre will be designated as the Computer Security Incident Response Team (CSIRT) and the competent authority for certain entities and for the management of large-scale cyber security incidents and crises in Ireland. The Bill also designates a number of other regulators as competent authorities for certain other sectors (e.g. the Commission for Communications Regulation for digital infrastructure, ICT service management, space and digital providers; the Central Bank of Ireland for banking and financial markets; etc.). The Bill mirrors the definitions for essential and important entities set out in the NIS2 Directive; however, it also proposes that the competent minister may make regulations designating an entity as an essential or important entity.
(b) What is the envisaged NIS2 implementation timeline?
It is expected that the process of transposition will be completed before 17 October 2024.
(c) What does the NIS2 mean for other national cybersecurity legislation?
NIS2 is expected to largely bolster the cybersecurity capabilities and resilience of the entities covered, but its full effects on national cybersecurity legislation remain unclear: the updated cybersecurity legislation has not yet been drafted, and the Heads of Bill are not expected to be drafted for government approval until the end of 2023. A new national cybersecurity strategy is also expected to be prepared, with the current National Cyber Security Strategy 2019-2024 moving to its final phase.
(d) Who will be the supervisory authority and how are they preparing the market?
The competent supervisory authority and the details of the new cybersecurity legislation are not yet specified, but details are expected by the end of 2023.
(e) What should you be doing/on the lookout for?
a. NIS2 is a game changer as it affects a broader scope of entities and includes more stringent requirements compared to those under NIS, aimed at bolstering cybersecurity in key industries. It covers both important (e.g. waste management, food production, digital providers) and essential entities (e.g. certain entities in the sectors of energy, transport, banking, etc.), subjecting the latter category to a higher level of cybersecurity risk management and reporting obligations.
b. NIS2 specifies different measures to be taken by the entities to which it applies, such as risk management procedures and policies, as well as encryption techniques. NIS2 also places direct obligations on management bodies and requires executives to gain a deeper understanding of cybersecurity requirements. NIS2 further raises penalties and includes stringent incident reporting requirements, with an initial notification within 24 hours. NIS2 also supports cooperation between supervisory authorities, requiring a broader understanding of different risk categories, functions, data sets and relevant laws from entities covered by this legislation.
c. Based on the above, clients should especially consider and be on the lookout for the following:
- Entities covered: consider whether they are covered by NIS2 as an essential or important entity.
- Cybersecurity compliance: review internal policies and procedures with a focus on cybersecurity measures implemented, reporting channels, as well as relevant internal policies and functions.
- Training programs: review cybersecurity training programs and guidelines, with a deeper involvement of managers in key functions.
- Data security and breach management: review data security measures and personal data breach management practices and policies with a focus on managing different types of incidents and data breaches.
- Contractual relations: review and update contractual arrangements and templates with contractors, partners and employees by putting more focus on the security measures to be implemented by the parties, as well as cooperation and supervision in respect of cybersecurity and data security.
- Liability and insurance: explore and consider different insurance schemes and policies with respect to the relevant industry and risk factors.
Contact
Marie McGinley E: mariemcginley@eversheds-sutherland.ie
Aisling O’Hare E: aislingohare@eversheds-sutherland.ie
Daniel Necz E: danielnecz@eversheds-sutherland.ie
© Eversheds Sutherland. All rights reserved.