NIS2: Enforcement and Supervision

The second EU Network and Information Security Directive (EU) 2022/2555 (NIS2) significantly strengthens Ireland’s cybersecurity landscape.

This article explores the roles and responsibilities of the National Cyber Security Centre (NCSC) and designated competent authorities, the supervisory and enforcement measures for essential and important entities, and the penalties for non-compliance.

Cybersecurity is a standing agenda item and business-critical concern at the highest levels of most organisations. In most instances, however, responsibility for and oversight of cybersecurity has been given to IT teams, CISOs, and CTOs. The NIS2 is a game-changer for in-scope entities because cybersecurity is no longer siloed to IT but extends to board members and senior management (referred to as “management bodies” in NIS2) in certain critical sectors.

NIS2 imposes direct and significant responsibilities on board members and senior management to be involved in cybersecurity. Since October 2024, NIS2 requires board members and senior management to understand, oversee and implement effective cybersecurity risk management practices to ensure their organisations are operationally resilient.

Competent Authorities

NIS2 requires Irish transposing legislation to designate specific authorities as National Competent Authorities in each sector to manage and enforce the cybersecurity rules in their areas. The General Scheme of the National Cyber Security Bill 2024, which will transpose NIS2 into Irish law, designates the following competent authorities:

Competent Authority                                              | Industry Sector
---------------------------------------------------------------- | ------------------------------------------------------------------------
Commission for the Regulation of Utilities                       | Energy, Drinking Water, Waste Water
Commission for Communications Regulation                         | Digital Infrastructure, ICT Service Management, Space, Digital Providers
Central Bank of Ireland                                          | Banking, Financial Market
Irish Aviation Authority                                         | Transport - Aviation
Commission for Rail Regulation                                   | Transport - Rail
The Minister for Transport                                       | Transport - Maritime
National Transport Authority                                     | Transport - Road
An Agency or Agencies under the remit of the Minister for Health | Health
NCSC                                                             | All other sectors set out in the Schedules of the General Scheme

The General Scheme of the National Cyber Security Bill allows the Minister for Environment, Climate and Communication to designate additional competent authorities.

National Cyber Security Centre

The NCSC in Ireland plays a crucial role in implementing and enforcing NIS2. The NCSC is the lead competent authority in Ireland for implementing NIS2. This is in recognition of the existing expertise built up in the NCSC in its role as a competent authority under the NIS1 Directive.

The duties of the NCSC will include:

  1. Acting as a central coordinator, providing advice, guidance, and support, including developing regulatory frameworks and tools.
  2. Acting as the central authority for engagement with the European Commission, EU bodies and agencies, and other Member States.
  3. Delivering a programme of support for competent authorities to support their capacity development, particularly staff recruitment, training and retention.

The NCSC is responsible for developing national cybersecurity strategies and ensuring effective incident response and crisis management. Additionally, the NCSC facilitates cooperation and information sharing among stakeholders to strengthen Ireland’s overall cyber resilience. In the case of a notified significant incident, the NCSC will provide to the notifying entity initial feedback on the significant incident and, upon request of the entity, guidance and operational advice on implementing possible mitigation measures and additional technical support. Where the significant incident is suspected to be criminal, the NCSC will provide guidance on reporting to law enforcement authorities.

Competent Authorities’ Powers: Supervision and Enforcement

Authorised officers of competent authorities are empowered to supervise essential and important entities under NIS2. To achieve this, an authorised officer may direct the entity to:

  1. Cease infringing conduct;
  2. Adopt measures necessary to prevent or remedy an incident within specified timeframes;
  3. Ensure cybersecurity risk-management measures compliance;
  4. Fulfil its incident reporting obligations;
  5. Inform affected persons of a cyber threat and possible protective or remedial measures;
  6. Allow the Competent Authority to conduct security audits and implement recommendations;
  7. Make public aspects of its infringements;
  8. Assist in security scans; and/or
  9. Hand over documents and records relating to the cybersecurity provisions within the entity.

Competent authorities may also conduct ad hoc audits of essential entities, for example, after a significant incident.

Essential and important entities are primarily subject to the same supervision and monitoring, except that essential entities are supervised on an ongoing, proactive (‘ex ante’) basis. In contrast, important entities are only subject to supervision and monitoring based on evidence or signs that they may not be fulfilling their legal obligations (on a reactive or ‘ex post’ basis). In this regard, it is crucial to understand whether your organisation is an essential or important entity, so that it is prepared for the applicable level of supervision and monitoring.

If an authorised officer believes an essential or important entity is in breach of NIS2, they can issue a compliance notice. The compliance notice should include a statement of the alleged contravention, details of the suspected breach and reasons for the authorised officer’s opinion. The compliance notice should also include directions and measures for the entity to take to prevent or address the breach, along with timelines for compliance.

An entity’s certification or authorisation to perform the relevant service may be suspended if it has not complied with a particular action deadline. Further, natural persons responsible for discharging managerial responsibilities at CEO or officer level of an entity may be temporarily prohibited from exercising managerial functions until the High Court is satisfied that the entity meets the requirements of the relevant compliance notice.

Powers of Inspection

To ensure compliance, authorised officers are empowered to conduct ad-hoc inspections on essential entities on-site. Where an authorised officer is prevented from exercising their powers to enter and inspect premises, take books, documents and records, obtain information or take photographs or recordings, the officer may apply for a warrant to authorise such entry. Officers are not permitted to enter private residences unless by consent or under a warrant obtained from a District Court Judge.

Penalties

A person who obstructs, impedes or assaults an authorised officer in the performance of their powers; alters, suppresses or destroys records; or gives a competent authority or authorised officer information that is false or misleading in any material respect, will be guilty of an offence. On summary conviction, such a person is liable to a fine not exceeding €5,000 or imprisonment for a term not exceeding 12 months, or both; on conviction on indictment, to a fine of up to €50,000 or imprisonment for a term of up to five years, or both.

The maximum fine which can be issued for infringements is:

  • Essential entities: €10 million or at least 2% of an organisation’s worldwide group turnover in the previous financial year, whichever is greater.
  • Important entities: €7 million or at least 1.4% of an organisation’s worldwide group turnover in the previous financial year, whichever is greater.

Practical steps for in-scope entities to take

Given the many supervisory and enforcement measures for essential and important entities, entities should act now to assess and implement NIS2 compliance. A robust and comprehensive compliance plan could help entities avoid financial penalties and other enforcement measures and strengthen the organisation’s resilience to cyberattacks.

Status of NIS2 transposing legislation in Ireland

At the time of this publication, NIS2 is legally binding in the European Union (since 17 October 2024). However, NIS2 has yet to be transposed into Irish law, and Ireland is subject to infringement proceedings brought by the European Commission for late transposition. The General Scheme for the National Cyber Security Bill 2024 is the proposed draft legislation to transpose NIS2 into Irish law. It has been included in the government’s priority legislation list. Please visit our website for relevant updates regarding the transposition of NIS2.

For more information on NIS2, see William Fry’s NIS2 series; access William Fry’s TechReg Connect software solution; or contact Leo Moore, Rachel Hayes, Susan Walsh or your usual William Fry contact.