Written answers

Monday, 8 September 2025

Department of Justice and Equality

Cybersecurity Policy

Cormac Devlin (Dún Laoghaire, Fianna Fáil)

1446. To ask the Tánaiste and Minister for Justice and Equality the timeline to transpose the NIS2 Directive; the number of operators of essential and important entities notified; the expected audit cadence; the supports in place for SMEs within supply chains to meet the new obligations; and if he will make a statement on the matter. [47198/25]

Jim O'Callaghan (Dublin Bay South, Fianna Fáil)

Substantial work has been completed by my Department on the National Cyber Security Bill, which is the legislative vehicle transposing the NIS2 Directive. My Department is currently engaging with the Office of Parliamentary Counsel, the Attorney General’s Office, the National Cyber Security Centre (NCSC) and other relevant Government Departments and Agencies on the drafting of the Bill, which is at an advanced stage.

Officials from my Department provided a briefing to the Joint Oireachtas Committee on Justice, Home Affairs and Migration to assist in the pre-legislative scrutiny process for the General Scheme of the Bill on 15 July 2025. We are awaiting the Committee's decision on how they wish to proceed.

The NIS2 Directive represents a significant broadening and deepening of the regulatory framework established in the first NIS Directive, requiring a complete overhaul of existing cyber security legislation in the State. The application of the NIS2 Directive differs from the original directive in that the scope now extends to 18 sectors of both essential and important entities who must self-assess if they fall into scope of the legislation and register on a dedicated portal which will be hosted by the NCSC.

Under a federated model of regulation, the relevant national competent authority (NCA) will be responsible for the supervision and enforcement of entities which fall within its designated sector. The National Cyber Security Bill provides a suite of measures in relation to supervision and enforcement which will be available to NCAs.

Many small and medium-sized enterprises (SMEs) face specific cyber security challenges such as low cyber-awareness, a lack of remote IT security and an increased level of threat, such as ransomware. They may also be susceptible to supply chain attacks due to less rigorous cyber security risk-management measures. Such supply chain attacks not only impact the SMEs and their operations but can also have a cascading effect leading to larger attacks on entities to which they provided supplies.

It is expected the majority of SMEs falling within the scope of the NIS2 Directive will be classed as important entities and will be subject to a less burdensome ex-post supervision regime. Notwithstanding this, the NCSC has a range of materials on their website to assist entities in improving their cyber security, resilience and awareness and to help them prepare for the implementation of the NIS2 Directive. They have also been leading on a number of initiatives to specifically support SMEs including:

  • Publishing guidance on cyber security measures for small Irish business which includes practical and evidence-based security measures to help them to protect against some of the most common threats in that area.
  • Provision of a Cyber Security Improvement Grant, offering support to Irish SMEs to implement changes in their IT systems and practices to increase their cyber security and therefore help protect their businesses from cyberattacks. The grant ranges from €20,000-€60,000 per award.

The transposition of the NIS2 Directive is a critical step forward for Ireland in enhancing our national and cyber security posture. It is a priority for myself and my Department to ensure the National Cyber Security Bill is enacted as soon as possible, as it will mean we are better placed to ensure the resilience of our critical entities and infrastructure as well as helping to protect Irish citizens from the ever-present threat of cyber-attacks.
