Richard Bruton (Dublin Bay North, Fine Gael) | Oireachtas source

I reject the suggestion that the Government has been lethargic in this area. We have a national cybersecurity strategy in place and we are currently reviewing it. It is out for public consultation at present.

If the Deputy has particular proposals, there is an opportunity to improve our cybersecurity plan. The EU directive to which the Deputy refers was transposed into Irish law on 18 September 2018 by SI 360/2018. Under Regulations 17 and 18 of that statutory instrument, operators of essential services in key areas of critical national infrastructure in energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution and digital infrastructure are required to meet specific security requirements and incident reporting requirements relating to their network and information systems. My Department has drawn up draft guidelines for operators of essential services that are designed to assist operators to meet these security and incident reporting requirements, manage the risks posed to the security of the network and information systems used in their operations and minimise the impact of incidents affecting those systems. As the operators of essential services for which my Department has responsibility are spread over five separate sectors, the changes that need to be made will be dependent on the existing level of preparedness of each individual operator. The proposed guidelines were published for public consultation on 11 January in accordance with Regulation 25.2 of that statutory instrument, which requires that persons be afforded an opportunity to submit written representations relating to the draft guidelines within 30 working days from publication. The deadline for submissions was 27 February. The representations that have been received as part of this process are under consideration. The changes to be made to the guidelines are minimal and relate primarily to some of the controls to be used and to indicative incident reporting levels. The final version of the guidelines will be published and will come into operation in the second quarter of this year.

See this speech in context