Malcolm Byrne (Wicklow-Wexford, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

223. To ask the Minister for Communications, Climate Action and Environment for an update on Ireland's implementation of Directive 2022/2555, known as Network and Information Systems 2; if he will outline the legal framework for cybersecurity in Ireland; and if he will make a statement on the matter. [8132/25]

Darragh O'Brien (Dublin Fingal East, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

Substantial work has been completed by my Department on the transposition of the NIS2 Directive. Separately, Government agreed in 2021 to establish the National Cyber Security Centre (NCSC) on a statutory basis and provide for related matters including clarity around its mandate and role in general and in relation to other actors in the cyber area. The NCSC will also require additional powers to implement the provisions of the NIS2 Directive. Therefore, transposing of the NIS2 Directive and the additional statutory powers required for the NCSC will be taken forward as a single legislative instrument, the National Cyber Security Bill.

The NIS2 Directive is a revision of the NIS Directive which is currently in force in the State via SI 360 of 2018 and will remain in full effect covering the most critical operators within the State while the NIS2 Directive is being transposed into national law.

SI 360 of 2018 established a national framework for network and information systems (NIS) security by:

• Setting up a competent authority, a single point of contact, and a Computer Security Incident Response Team (CSIRT).
• Identifying and regulating Operators of Essential Services (OES): These are entities in critical sectors like energy, transport, banking, and healthcare that rely heavily on NIS.
• Imposing security and incident reporting obligations on OES and Digital Service Providers (DSPs). This ensures they take appropriate measures to protect their systems and report any significant incidents.
• Promoting co-operation and information sharing: This includes collaboration between the competent authorities, the CSIRT, the Data Protection Commissioner and An Garda Síochána.

• Wider Scope: NIS2 covers many more sectors, including public administration, waste management and manufacturing.
• Stricter Requirements: NIS2 imposes more specific and stringent cyber security obligations on organisations, including risk management, incident reporting, and supply chain security.
• Stronger Enforcement: NIS2 introduces stricter supervision and enforcement mechanisms, with potential for significant fines for non-compliance.
• Increased Co-operation: NIS2 promotes greater information sharing and cooperation among member states and relevant authorities to enhance collective cyber security resilience.