NIS2
Last updated 12th November 2024
Update – The NIS2 registration and incident reporting portals are not available at this time.
Once the legislation is implemented, both the NIS2 registration portal and the NIS2 incident reporting portal will be available for use.
The earlier version of NIS2 (NIS1) is still operational and continues to apply to already designated Operators of Essential Services (OESs) within the State.
Background
The NIS2 Directive is the EU-wide legislation on cybersecurity which updates the 2016 NIS Directive. It was introduced to strengthen and harmonise cyber security across the European Union, and to keep up with increased digitisation and an evolving cybersecurity threat landscape.
Building on measures introduced in the 2016 legislation and expanding the scope of the cybersecurity rules to new sectors and entities further improves the resilience and incident response capacities of public and private entities, competent authorities, and the EU as a whole.
Overview of Directive
Some elements of the Directive include:
- strengthening the culture of security across sectors that are vital for our economy and society and that rely heavily on ICT, such as energy, transport, water, banking, healthcare and digital infrastructure. For financial market infrastructures, the Digital Operational Resilience Act (DORA) will take priority;
- ensuring businesses identified by the Member States as operators of essential services in the above sectors take appropriate security measures and notify relevant national authorities of serious incidents;
- increasing responsibility for boards and management bodies of organisations;
- introducing risk management measures (the NCSC’s forthcoming ‘Irish Cyber Security Measures Certification’ scheme will encompass NIS2-aligned measures, and will also include a level which will aid SMEs in strengthening their resilience); and
- requiring key digital service providers, such as search engines, cloud computing providers and online marketplaces, to comply with the security and notification requirements of the Directive.
National Steps
Unfortunately, the transposition deadline for NIS2 of 17 October 2024 has not been met. Ireland continues to work through the transposition requirements of the Directive. NIS2 is a complex piece of legislation which requires a complete overhaul of existing legislation. The predecessor of NIS2 (NIS1) remains in full effect and covers the most critical operators within the State.
A Cabinet decision in July 2024 directed priority drafting of the legislation transposing the NIS2 Directive, and drafting is progressing swiftly. The Heads of the General Scheme of the Bill for this legislation were published on the Department of Environment, Climate and Communications (DECC) website in September 2024.
Numerous pillars that will form part of the national legislation are already in place, or in final stages of development, for example:
- the creation of a national competent authority (NCA) forum, and designation of competent authorities for various sectors;
- detailed guidance on the risk management and incident reporting measures that need to be taken by in-scope entities;
- the further strengthening of the national cyber security incident response team (CSIRT-IE);
- the publication of a national cyber security strategy;
- the publication of a national cyber emergency plan;
- the establishment of a sectoral cyber security information sharing network (the Cyber-CORE (CO-ordination and REsponse) program).
The groundwork being laid by these initiatives ensures that upon publication of national legislation, the supporting structures that are required to give effect to it will be available.
DECC and the NCSC will continue to work closely with all stakeholders, including the Houses of the Oireachtas, the OPC, the Commission and others, to ensure this comprehensive legislation is drafted and passed in a suitable timeframe.