22/10/2024
Briefing

The Network and Information Security Directive 2022/2555 (the “NIS2 Directive”) has now come into effect from 17 October 2024 with application to the following sectors (but subject to the enactment of domestic Irish legislation to fully transpose its provisions):

  • healthcare;
  • manufacturing of pharmaceutical products or preparations, medicinal products or medical devices;
  • energy and utilities;
  • transport;
  • financial institutions (save for those complying with the ICT risk management aspects of the Digital Operational Resilience Act (DORA));
  • digital infrastructure (including providers of cloud computing services);
  • digital providers such as online marketplaces, online search engines and social networking services platforms;
  • business to business ICT service management;
  • chemicals production;
  • production, processing and distribution of food;
  • manufacture of motor vehicles, machinery and transport equipment;
  • manufacture of computer, electronic and optical products;
  • manufacture of electrical equipment; and
  • research organisations.

Irish National Legislation

The Irish government has not yet enacted the legislation to transpose the NIS2 Directive into Irish law, among the functions of which are to: designate certain sectoral regulators as the competent authorities for the purpose of implementing NIS2; establish offences and fines at national level (which could be up to 1.4% of total annual worldwide turnover or 7 million euro, or 2% of total annual worldwide turnover or 10 million euro); establish a register of entities which are within the scope of the proposed legislation; and establish the basis for issuing penalties (including in respect of the personal liability of management bodies). To date, the government has published the General Scheme for the National Cyber Security Bill 2024 (the “Scheme”) to transpose the NIS2 Directive but has not yet introduced it to the legislative process in the form of a Bill. The Bill will also provide for the establishment of the National Cyber Security Centre (“NCSC”) on a statutory basis and for clarification of the role and mandate of the NCSC, including as the national Computer Security Incident Response Team (“CSIRT”). The relevant Minister for the purpose of this legislation is the Minister for the Environment, Climate and Communications (“Minister”).

Who needs to comply?

If you fall under one of the above sectors, you should consider whether the nature of your activities falls within the scope of the NIS2 Directive. If so, you should then establish whether the entity in question constitutes an “important” entity or an “essential” entity based on the parameters in the NIS2 Directive for personnel headcount and turnover/size of balance sheet, the key difference being the level of regulatory oversight to which these entities are subject.

What are its key requirements?

The NIS2 Directive, at Article 21, sets out a checklist for entities within scope to assess the cyber and physical security of their network and information systems and identify whether any improvements need to be implemented, taking a risk-based approach. Reporting structures also need to be put in place so that entities are in a position to comply with the new obligation under the NIS2 Directive to report significant security incidents to the NCSC and their competent authority: the initial report needs to be made within 24 hours of becoming aware of the incident, and recipients of their service who are potentially affected by a significant incident must be notified ‘without undue delay’. Entities should therefore review their internal escalation and reporting processes and adjust them as necessary for the purposes of NIS2.

Governance and Liability

One of the key aspects of the NIS2 Directive is the specific requirement for the entity’s ‘management body’ to approve and oversee the implementation of the necessary measures under Article 21 and to undergo training (and arrange employee training) on cybersecurity risk management practices. Importantly, the management body can be held personally liable for failure to comply with Article 21. ‘Management body’ is not defined in the NIS2 Directive but is defined in the Scheme as ‘a body or group of individuals vested with the authority and responsibility for the oversight, direction and control of an entity’. The threshold for imposing personal liability on the members of a management body is not well defined in the Scheme, which refers to both gross negligence and wilful neglect. It is expected that the Bill will more precisely define the grounds for personal liability.

New Regulatory Powers

Article 8 of the NIS2 Directive requires (in addition to designating a lead national competent authority) the designation of competent authorities for supervisory and enforcement purposes. The Scheme does this on a sector-specific basis (and the Minister may designate additional competent authorities). These authorities will have audit and dawn raid rights in addition to enforcement powers, including the issuance of compliance notices. Those designated under the Scheme include:

  • the Central Bank of Ireland in respect of activities carried out in the banking and financial markets sectors;
  • the Commission for Communications Regulation (ComReg) for the digital and ICT sectors;
  • the Commission for the Regulation of Utilities (CRU) in respect of the energy, drinking water, and wastewater sectors;
  • the Irish Aviation Authority for the aviation transport sector; and
  • any agency or agencies under the remit of the Minister for Health for the healthcare sector.

Further Information

Further information on the NIS2 Directive is available in our video series, Network and Information Security Directive (NIS2) – Arthur Cox LLP, and in our briefing, Update on key EU operational resilience and cybersecurity legislative developments – Arthur Cox LLP.