Oireachtas Joint and Select Committees

Wednesday, 29 May 2024

Joint Oireachtas Committee on Transport, Tourism and Sport

National Cyber Security Centre: Discussion

Dr. Richard Browne:

The directive is very complex. I will not bore everybody with all of the detail of it but in very simple terms, the national competent authorities under the directive were designated by Government decision last year. We will have at least ten competent authorities covering telecoms, energy, and so on. It will be a broad set. The NCA forum has met once and it will meet again in person next week. All of the competent authorities are in the room and understand what their roles will be. It is important to stress that the actual role competent authorities will have is quite narrow. It is just assurance and to ensure that security measures which will be provided to them by us, or by the European Union in one case, will be applied to the entities in their sector.

The rationale for doing this is very important to explore. The first reason is that in many cases there are sector-specific Acts with a cyber component either in place or coming. That means in practical terms that, for example, in aviation, there is aviation legislation with a cybersecurity component. That is the case in electricity supply, healthcare and a number of other areas. Sectoral regulators are already in the cybersecurity regulation space. This Government decision essentially streamlines or mainstreams cybersecurity regulation by making the sectoral experts the cybersecurity regulators in those specific cases. In many cases, that means that the regulators have some expertise and are well embarked on that process.

Moving to the Deputy's second point, and I will come back to the state of play thereafter, the NCA forum has a number of different roles. The first is to ensure consistency of application of the directive, that is to say that every single sector gets the same level of attention and has the security measures applied in the same coherent way. As I said in my opening address, we are well embarked in drawing up and establishing those security measures and that will be done at later stages with the NCAs in the room. They will see these as they evolve and they will learn this process as it goes on.

There are a number of other things in train that I will not go into right now. They will allow us to help these NCAs in the area of staffing and procurement, for example. We can procure things on their behalf that they can then draw down for use in their own piece.

On the state of play, it is important to point out one thing in particular, which I believe we inevitably will come back to in future meetings. Part of the NIS2 has a substantial main establishment component, which is to say that for digital infrastructure under the directive for large entities, cloud computing and other similar entities, the site of the European headquarters of those companies will dictate from where they are regulated. That means that for large multinationals with a European headquarters in Ireland, the regulatory locus for NIS2 will be in Ireland. This means the telecoms regulator, ComReg, will have a substantial role in upscaling, quite significantly I suspect, to meet a substantial pan-European challenge.
