Ossian Smyth (Dún Laoghaire, Green Party) | Oireachtas source

As I understand it, the idea is a state agency would have to allocate a certain percentage of its ICT budget to cybersecurity. This is similar to the rule whereby NATO countries have to put 2% of their budget into defence. It is being promoted by Estonia, which sought and supported it when I visited, and it also supports the NATO approach. The downside is that it is an input measure, which means there is a target that is all about what is put into the system rather than what is got out of it. Our opinion is that we want to see measures of performance, that is, what is being done and achieved and what standards are being reached, rather than how much money is being put into the system. As a result, we do not support that approach.

On security by design and what could be done to ensure companies have secure products, work is being done at EU level on a cyber resilience directive. Members will see in the 5G toolbox produced by the European Commission that there is concern about and interest in whether products are safe to use, whether they have security designed into them and whether they come from trustworthy companies, that is, whether the suppliers can be relied on to supply software that can be used in our critical infrastructure. A framework for that is being developed at an EU level. No one country is going to produce very different policies on the reliability or trustworthiness of various suppliers' software.