Oireachtas Joint and Select Committees

Tuesday, 15 July 2025

Joint Oireachtas Committee on Justice, Home Affairs and Migration

General Schemes of National Cyber Security Bill 2024, Criminal Justice (Violation of EU Restrictive Measures) Bill 2025 and Children (Amendment) Bill 2024: Department of Justice, Home Affairs and Migration

2:00 am

Mr. David McGill:

My colleague Ms Heenan and I thank the Cathaoirleach and members of the committee for the opportunity to appear today to assist in the pre-legislative scrutiny of the general scheme of the national cyber security Bill 2024. This legislation represents a significant step in strengthening the State’s cybersecurity and resilience. It will enhance cybersecurity risk management in Ireland, bringing with it significant improvements in our capacity to protect against and respond to major incidents. It also reflects the growing importance of cybersecurity as a matter of national interest, not only for the protection of our most critical national infrastructure but also for our economy, our democratic processes and the safety of our citizens.

The primary objective of the Bill is to transpose the second EU network and information security directive, known as the NIS2 directive.

The NIS2 directive is a revision of the original NIS directive which is currently in force in the State and will remain in full effect, covering the most critical operators of essential services and digital service providers in the State, until the NIS2 directive is transposed and enacted.

In addition to transposing the NIS2 directive, the Government agreed that this Bill should be used to incorporate relevant provisions to establish the National Cyber Security Centre, NCSC, on a statutory basis and provide for related matters, including clarity around its mandate and role in general regarding other actors in the cyber area.

I know the committee has been provided with a copy of the general scheme and an explanatory memorandum, so I do not intend to take up much of the committee’s time going through the general scheme in detail. However, I will outline some of the high-level provisions within the scheme.

In transposing the NIS2 directive, Ireland has chosen to designate multiple national competent authorities for the regulation of essential and important entities across 18 sectors, including energy, transport, health, digital infrastructure and public administration. These bodies are existing regulators in these sectors and have, therefore, deep sectoral knowledge and experience, which will allow them to be best placed to implement the provisions of this directive in their sectors.

The NCSC, as well as being designated a national competent authority for the public administration sector, will also be designated as the lead national competent authority. This additional role is a recognition of its current experience in implementing the existing NIS directive and development of its cybersecurity expertise and capacity in recent years. As the lead national competent authority, the NCSC takes on the role of co-ordinating and providing support and guidance to the other national competent authorities as they take on their new functions under this Bill.

The general scheme provides for a suite of supervision and enforcement powers to enable the national competent authorities to fulfil their role effectively. These include the power to conduct security audits of entities, inspect premises, direct entities to comply with risk management measures and, where necessary, impose significant administrative sanctions on non-compliant entities. The general scheme provides a clear framework for risk management and incident reporting obligations and also designates the NCSC as Ireland’s computer incident response team for the purposes of this directive.

There will be enhanced governance and oversight arrangements to ensure accountability and transparency in how cybersecurity is managed at the highest levels. Responsibility for cybersecurity will be placed on the boards and management teams of the regulated entities.

Finally, the general scheme provides for the governance of the NCSC, including establishing it as an executive office of this Department. It sets out roles for the NCSC, including national cybersecurity monitoring, resilience building, information sharing, both at national and international levels, and to act as the central body for dealing with national cyber incident response. It also allows the NCSC to take a number of different measures in specific cases. These include allowing it to take measures where the domain name system, DNS, system is being abused or compromised by a threat actor in order to perpetuate harm against systems in Ireland or elsewhere; measures to allow the NCSC to identify certain high-level risks and threats as they occur; and to detect and, in some cases, prevent cybersecurity incidents.

I look forward to an informative and constructive discussion. I am happy to address any queries members may have.