The Government recently approved the priority drafting of the National Cyber Security Bill 2024 (the Bill) in accordance with the General Scheme. The Bill will transpose the Network and Information Security Directive, Directive (EU) 2022/2555 (NIS2). The deadline for transposition of the Directive into national law is 17 October 2024. The Bill will also formally establish the National Cyber Security Centre (NCSC) on a statutory basis, providing a clear framework for its mandate and its role in safeguarding national cybersecurity.
Key Provisions
The Bill transposes several critical aspects of the NIS2 Directive, including:
- Designation of Competent Authorities: National Competent Authorities (NCAs) are designated to oversee the implementation and enforcement of the Directive in their respective sectors. Examples include the Commission for Communications Regulation (ComReg), the Central Bank of Ireland (CBI) and the Irish Aviation Authority (IAA). The Minister may designate additional competent authorities as necessary, following consultation with the appropriate stakeholders.
- Essential and Important Entities: The Directive defines two categories of entities:
- Essential Entities: Operating in critical sectors such as energy and transport.
- Important Entities: Entities operating in other critical sectors, such as waste management and postal services.
The Minister may also make regulations designating a specific entity as an essential or important entity. The criteria set out in NIS2 are particularly broad, so entities not currently within scope may find themselves bound by future regulations of this kind.
- Cybersecurity Risk Management: Both Essential and Important Entities will be required to implement appropriate and proportionate risk management measures. This includes regular risk assessments, adopting suitable technical and organisational security measures, securing the supply chain, and maintaining an incident handling plan.
- Incident Reporting: Both Essential and Important Entities are obligated to report significant cyber incidents to the competent authority. NIS2 sets a staged timeline for this: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month.
- Supervision and Enforcement: Non-compliance with the Directive may result in serious penalties. These include the power to temporarily prohibit CEOs, Directors and other senior managers from exercising managerial functions in Essential and Important Entities. Where a corporate body has committed an infringement or offence, the Bill also provides that an individual (such as a director) can be held personally liable for that infringement if it can be proven that they had knowledge of the act, or that the act is attributable to their wilful neglect. The Bill provides for significant financial penalties and administrative sanctions. The maximum financial penalty which may be imposed is:
- for Essential Entities: the greater of €10 million or 2% of total worldwide annual turnover in the preceding financial year; and
- for Important Entities: the greater of €7 million or 1.4% of total worldwide annual turnover in the preceding financial year.
NCAs also have the power to temporarily suspend certifications or authorisations relating to the services concerned until compliance is achieved. The High Court will oversee the imposition of these measures, ensuring a high level of procedural safeguard.
Establishment of the National Cyber Security Centre (NCSC)
The Bill also addresses the governance and role of the National Cyber Security Centre:
- Governance: The NCSC will be established on a legislative basis as an Executive Office of the Department of the Environment, Climate and Communications (DECC), with defined governance structures. While it will report to the Minister, maintaining a level of operational independence within the NCSC is a priority, particularly as it undertakes national security roles.
- Enhanced Role: The NCSC will have expanded responsibilities for national cybersecurity monitoring, resilience building, information sharing (both nationally and internationally) and incident response. It will also have the power to conduct proactive scanning to identify vulnerable systems, in line with the CSIRT tasks set out in Article 11 of the NIS2 Directive.
- Use of Sensors and Scanning: At the request of an Essential or Important Entity, the NCSC will provide proactive scanning of that entity's network and information systems to detect vulnerabilities that could have a significant impact.
Key Takeaways
NIS2 imposes cybersecurity obligations on both public sector bodies and private sector entities. With the deadline for NIS2 transposition fast approaching, here are three critical steps organisations should take to ensure compliance:
- Is your organisation captured by NIS2?
NIS2 applies to many sectors not covered by NIS1, including ICT service management, public administration, manufacture of medical devices, the pharmaceutical industry, and food production, processing and distribution. Even if your organisation was not affected by NIS1, it may now fall within the scope of NIS2.
- Examine jurisdictional requirements
If your business operates across multiple EU Member States, it may fall under the jurisdiction of each Member State in which it is established, which requires an understanding of how each of those Member States has implemented NIS2. There are exceptions: public administration entities are regulated by the Member State that established them, and certain digital infrastructure and digital service providers (for example cloud computing, data centre, managed service and online marketplace providers) are regulated only in the Member State of their "main establishment".
- Prepare a compliance strategy
The key obligations under NIS2 include governance, cybersecurity measures, and incident reporting. Organisations should:
- Implement cybersecurity training
- Conduct risk assessments to identify vulnerabilities
- Update incident response protocols
- Review third party risk management processes
- Implement risk mitigation strategies
Organisations will also need to coordinate NIS2 compliance with other EU laws, including the GDPR, the ePrivacy Directive and, for financial entities, DORA. A comprehensive, multi-faceted compliance strategy will be required.
For more information, please contact Sharon Delaney or another member of the Data Protection team in Beauchamps.