National Cyber Security Bill 2024 (Ireland)

From Wikipedia, the free encyclopedia

The National Cyber Security Bill 2024 is an Irish bill published by the Oireachtas in 2024.[1] The legislation was published on 30 August 2024.[2]

Designation of competent authorities

The legislation transposes several important parts of NIS 2:[1][3]

National competent authorities are defined.[1][3] Ireland has chosen a federated model for NIS 2, with the National Cyber Security Centre as the lead competent authority, responsible for large-scale cybersecurity incidents in Ireland.[4] The NCSC is also designated as Ireland's CSIRT.[3][2]

| Competent Authority | NIS 2 sector |
|---|---|
| Commission for Regulation of Utilities | Energy, Drinking Water, Waste water[4][2] |
| Commission for Communications Regulation | Digital infrastructure, ICT Service management, Space, Digital Providers[4][2] |
| Central Bank of Ireland | Banking, Financial markets[4][2] |
| Irish Aviation Authority | Aviation[4][2] |
| Commission for Railway Regulation | Rail[4][2] |
| Minister for Transport | Maritime transport[4][2] |
| National Transport Authority | Road[4][2] |
| An agency or agencies under the remit of the Minister for Health | Health[4][2] |
| National Cyber Security Centre | All other in-scope sectors[4][2] |

Essential and important entities

  1. Essential entities operate in critical sectors such as energy and transport.[1]
  2. Important entities operate in sectors with a high cyber risk such as waste management and post.[1]

Cybersecurity risk management

Essential entities will be required to have robust risk management, including regular risk assessments, suitable security measures and a plan for incident response.[1][2]

Incident reporting

Both essential and important entities are required to report significant incidents to a competent authority.[1][3][2]

Supervision and enforcement

Noncompliance with the directive can lead to CEOs, directors and other managers having their roles restricted in essential and important entities.[1] If an individual can be proven, knowingly or through neglect, to have caused a corporate body not to comply, they can be found personally liable.[1] Financial penalties can also be imposed.[1]

For an essential entity the maximum penalty is the larger of €10 million or 2% of worldwide turnover in the previous financial year.[1][2]

For an important entity the maximum penalty is the larger of €7 million or 1.4% of worldwide turnover in the previous financial year.[1][2]

Business licenses can be suspended by a national competent authority.[1] The High Court oversees these matters.[1]
