Lionheart Client Update: National Cyber Security Bill 2024
On August 30, 2024, the Irish Government published the long-awaited General Scheme of the National Cyber Security Bill 2024. This marks a significant step forward in Ireland's legislative process and provides an initial framework for the forthcoming draft Bill. Once finalised and enacted, this legislation will have a profound impact on the country’s cybersecurity landscape, as it will:
1. Transpose the EU Network and Information Security Directive (NIS2) into Irish law.
2. Establish a comprehensive framework for Ireland’s national cybersecurity strategy.
3. Grant the National Cyber Security Centre (NCSC) statutory recognition, defining its mandate and responsibilities.
Key Provisions of the General Scheme
1. Transposition of NIS2 Directive
The NIS2 Directive, part of the EU’s strategic approach to enhancing the resilience and incident response capabilities of both public and private entities, categorises regulated entities as either ‘Essential’ or ‘Important’. This categorisation depends on the entity’s size, sector, and criticality to the EU’s security and economy. Sectors deemed critical include energy, transportation, digital infrastructure, banking, and more.
2. Designation of Competent Authorities
The General Scheme designates the NCSC as the lead competent authority for managing large-scale cybersecurity incidents in Ireland and as the primary liaison with the European Commission and other EU Member States. Additionally, sector-specific competent authorities have been identified to oversee cybersecurity compliance within their respective areas, such as:
- Energy and Utilities: Commission for the Regulation of Utilities
- Digital Infrastructure: Commission for Communications Regulation
- Financial Services: Central Bank of Ireland
- Transport: Irish Aviation Authority, Commission for Rail Regulation, National Transport Authority, and others
- Health: An agency under the remit of the Minister for Health
3. Cybersecurity Risk Management Measures
Under the new legislation, entities will be required to implement appropriate technical, operational, and organisational measures to manage the security of their network and information systems. This includes conducting regular risk assessments, improving supply chain security, and ensuring adequate cybersecurity training for management and staff.
4. Incident Reporting Requirements
All entities falling within the scope of the Bill must report cyber incidents to the CSIRT (Computer Security Incident Response Team) within 24 hours of detection. Further guidance on incident reporting and thresholds will be provided by the European Commission’s Draft Implementing Regulation (DIR).
5. Enforcement and Personal Liability for Non-Compliance
The General Scheme outlines strict enforcement measures and personal liability for senior management in cases of non-compliance. Penalties include substantial fines and potential restrictions on senior management positions, underscoring the need for robust compliance measures across affected organisations.
Implications for Businesses
With the deadline for transposition set for October 17, 2024, businesses must act now to prepare for compliance. Key actions include:
1. Assess Applicability: Determine if your business falls under the scope of NIS2, considering the new sectors now covered, such as ICT service management, public administration, and medical devices.
2. Understand Jurisdictional Rules: For businesses operating across multiple EU Member States, it’s crucial to understand the varying implementation of NIS2 across jurisdictions.
3. Develop Compliance Strategies: Prepare compliance plans that cover governance, cybersecurity measures, and incident reporting procedures. Align these with other EU regulations such as GDPR and the ePrivacy Directive.
Looking Ahead
The General Scheme is still subject to pre-legislative scrutiny, and further developments are expected as the draft Bill progresses through the legislative process. However, with the transposition deadline approaching, the legislative process is likely to be expedited, with limited amendments expected.
At Lionheart, we are closely monitoring the Bill’s progress and are ready to assist clients in navigating these complex regulatory requirements. If you have any questions or would like support in preparing your organisation for compliance, please do not hesitate to reach out to our expert team.
Contact us today to ensure your business is fully prepared for the upcoming changes in Ireland’s cybersecurity landscape.