NIS2

Background

As noted by the European Commission, NIS2 is the EU-wide legislation on cybersecurity which updates the 2016 NIS Directive (see below). It provides legal measures to boost the overall level of cybersecurity in the EU, by modernising the existing legal framework to keep up with increased digitisation and an evolving cybersecurity threat landscape.

By expanding the scope of the cybersecurity rules to new sectors and entities, it further improves the resilience and incident response capacities of public and private entities, competent authorities and the EU as a whole.

The following are an example of some of the elements of the Directive:

• Increasing Member States' preparedness, by requiring them to be appropriately equipped. For example, with a Computer Security Incident Response Team (CSIRT) and a competent national network and information systems (NIS) authority;
• Improving cooperation among all the Member States, by setting up a Cooperation Group to support and facilitate strategic cooperation and the exchange of information among Member States;
• Strengthening a culture of security across sectors that are vital for our economy and society and that rely heavily on ICTs, such as energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure;
• Ensuring businesses identified by the Member States as operators of essential services in the above sectors will have to take appropriate security measures and notify relevant national authorities of serious incidents. Key digital service providers, such as search engines, cloud computing services and online marketplaces, will have to comply with the security and notification requirements under the Directive.

National Steps

Ireland continues to work through the transposition requirements of the Directive, for its due date of 17 October 2024. It is intended that a draft Heads of Bill will be brought before Cabinet ahead of year end, 2023.

The NCSC is committed to engaging with its constituents and stakeholders to ensure that requirements are communicated ahead of time, and assistance is provided where possible, and in a suitable manner.

NIS Directive

The Network and Information Systems Directive 2016/1148 was published in the Official Journal of the EU in July 2016 and was signed into Irish law on the 18th of September 2018 by way of Statutory Instrument No. 360 of 2018.

The responsibilities that the Directive places on the State and on businesses are wide ranging, but, among other things:

• Involved the application of a set of binding security obligations to a wide range of critical infrastructure operators, i.e. Operators of Essential Services;
• Required the State to apply and police a new regulatory regime on so called Digital Service Providers (DSPs);
• Placed responsibility for dealing with the security of services provided by multinational companies across the European Union that have their European headquarters located in Ireland onto the State.

Operators of Essential Services (OES)

Further information on the directive in regards to Operators of Essential Services can be found here.

Digital Service Providers (DSP)

Further information on the directive in regards to Digital Service Providers can be found here.