National Cyber Security Bill 2024 (Ireland)

The National Cyber Security Bill 2024 is an Irish bill published by the Oireachtas in 2024.^[1] The legislation was published on 30 August 2024.^[2]

NIS 2

The legislation transposes several important parts of NIS2:^[1][3]

Designation of competent authorities

National competent authorities are defined.^[1][3] Ireland has chosen a federated model for NIS 2, with the National Cyber Security Centre as the lead competent authority, with responsibility for large-scale cybersecurity incidents in Ireland.^[4] The NCSC is also designated as Irelands' CSIRT.^[3][2]

Caption text

Competent Authority	NIS 2 sector
Commission for Regulation of Utilities	Energy, Drinking Water, Waste water[4][2]
Commission for Communications Regulation	Digital infrastructure, ICT Service management, Space, Digital Providers[4][2]
Central Bank of Ireland	Banking, Financial markets[4][2]
Irish Aviation Authority	Aviation[4][2]
Commission for Railway Regulation	Rail[4][2]
Minister for Transport	Maritime transport[4][2]
National Transport Authority	Road[4][2]
An agency or agencies under the remit of the Minister for Health	Health[4][2]
National Cyber Security Centre	All other in-scope sectors[4][2]

Essential and important entities

1. Essential entities operate in critical sectors such as energy and transport.^[1]
2. Important entities operate in sectors with a high cyber risk such as waste management and post.^[1]

Cybersecurity risk management

Essential entities will be required to have robust risk management, including regular risk assessments, having suitable security measures and a plan for incidence response.^[1][2]

Incident reporting

Both essential and important entities are required to report significant incidents to a competent authority.^[1][3][2]

Supervision and enforcement

Noncompliance with the directive can lead to CEOs, directors and other managers having their roles restricted in essential and important entities.^[1] If an individual, knowingly or through neglect, can be proven to have caused a corporate body to not comply, then can be found personally liable.^[1] Financial penalties can also be imposed.^[1]

For an essential entity the maximum penalty is the larger of €10 million or 2% of worldwide turnover in the previous financial year.^[1][2]

For an important entity the maximum penalty is the larger of €7 million or 1.4% of worldwide turnover in the previous financial year.^[1][2]

Business licences can be suspended by a national competent authority.^[1] The High Court oversees these matters.^[1]

National Cyber Security Centre

Main article: National Cyber Security Centre

The bill also deals with the National Cyber Security Centre.^[1][2]

The centre will be established as an executive office of the Department of the Environment, Climate and Communications.^[1]

The centre will have enhanced responsibilities both nationally and internationally.^[1] It will have the power to scan for vulnerable systems and employ sensors, at request of an important or essential entity.^[1]