
Spring Cleaning: Legislative Plans for Cybersecurity, Business Data, AI, and e-Evidence
On 18 February, the Government published its new Legislation Programme setting out legislation to be published or drafted as a priority this Spring 2025 (the “Programme”). As anticipated, the Programme includes legislation to support the most recent big ticket EU legislative initiatives in the technology sector, namely, the NIS2 Directive, the Data Act and the AI Act.
National Cyber Security Bill
The National Cyber Security Bill to transpose Network and Information Security Directive 2022/2555 (the “NIS2 Directive”) is listed as one of the Bills for priority publication during the Spring session 2025.
Ireland missed the transposition deadline for the NIS2 Directive of 17 October 2024. Although a General Scheme for the National Cyber Security Bill 2024 was published last August, pre-legislative scrutiny is ongoing. The Scheme designates a number of competent authorities for supervisory and enforcement purposes on a sector-specific basis. The Bill will more precisely set out the obligations for organisations in scope and their management bodies, the designation of competent authorities, as well as provisions for sanction and enforcement. It will also provide for the establishment of the National Cyber Security Centre on a statutory basis and clarification of the role and mandate of the NCSC including as the national Computer Security Incident Response Team.
EU Member States were required to apply the transposed measures from 18 October 2024, and Ireland is not alone in failing to meet this deadline. In November 2024, the European Commission opened infringement procedures for failing to fully transpose the NIS2 Directive by sending a letter of formal notice to 23 Member States.
Further information on the General Scheme and the NIS2 Directive is available in our briefing, ‘Are you Cyber Ready? Key Points of the NIS2 Directive’ and our video series, Network and Information Security Directive (NIS2).
EU Data Regulation Bill
Regulation (EU) 2023/2854 on harmonised rules on fair access to and use of data (the “Data Act”) ensures fairness in the allocation of the value of data amongst the stakeholders in the data economy and clarifies who can use what data and under which conditions. It entered into force on 11 January 2024 and applies from 12 September 2025. The Data Act is directly applicable in EU Member States, although supplementing domestic legislation is required to identify the relevant supervisory authority/authorities, to determine the type and level of penalties and to detail the procedure for the complaint mechanism.
While the Programme does not expressly refer to the Data Act, it describes the overarching purpose of the EU Data Regulation Bill as supporting innovation and economic growth by creating a harmonised framework on fair access and use of data and clarifying who can create value from data and under which conditions, which aligns it with the Data Act.
Notably, the Programme envisages that the Bill will designate the National Competent Authorities responsible for implementing and enforcing the EU regulation, although, with the exception of ComReg, it does not specifically call these authorities out. Given the broad range of measures under the Data Act, it is possible that the Bill will designate multiple competent authorities on a sector-specific basis, following a recent trend in the designation of regulatory powers in Ireland. The Digital Services Act 2024 provides a recent example of this within the digital sector. It designates Coimisiún na Meán as the Digital Services Coordinator and lead competent authority, and the Competition and Consumer Protection Commission as a competent authority with specific responsibility for online marketplaces. Similarly, the Cyber Security Bill and the proposal to legislate for artificial intelligence regulation (below) appear to envisage a number of sector-specific regulators having powers in a specific legislative area in respect of a relevant sector, rather than a single centralised regulator that oversees all sectors.
In fact, while EU Member States can appoint one (or more) competent authorities, they must ensure that, for specific sectoral data access and use issues related to the application of the Data Act, the competence of sectoral authorities is respected. With regard to ComReg, the Data Act expressly requires that the application and enforcement of Articles 23 to 31 (switching between data processing services) and Articles 34 and 35 (interoperability as regards data processing services) of the Data Act must be carried out by a competent authority with experience in the field of data and electronic communications services. As regards the protection of personal data under the Data Act, supervisory authorities responsible for monitoring the application of the GDPR are assigned responsibility for monitoring the application of the Data Act, which would draw in the Data Protection Commission. To facilitate cooperation and to assist in relation to application and enforcement, where more than one competent body is appointed under the Data Act, a data coordinator must be designated from among them.
The EU Data Regulation Bill is a priority for drafting this Spring session 2025.
Further information on the Data Act is available in our briefing Part 1: Harnessing the power of data under the Data Act and our video series, Data Act Video Series.
Regulation of Artificial Intelligence Bill
The purpose of the Bill is to give full effect to EU Regulation 2024/1689 laying down harmonised rules on artificial intelligence (the “AI Act”). It is not listed as a priority Bill for drafting this Spring session but sits within the category of ‘all other legislation for the Spring session’. It will designate the National Competent Authorities responsible for implementing and enforcing the EU regulation and will provide for penalties for non-compliance.
The AI Act, which is directly applicable, entered into force on 1 August 2024 and its provisions will commence in a phased manner until August 2027. EU Member States are required to designate national supervisory authorities (“at least one” market surveillance authority and “at least one” notifying authority) by 2 August 2025. The Department of Enterprise, Trade and Employment held a public consultation on the national implementation process last year in which it sought views on the configuration of national competent authorities for implementation of the Act. It reports that while there was no clear consensus, many respondents suggested a “hybrid” approach, with a central coordinating body working together with sector-specific authorities. Heads of the Bill are in preparation.
Further information on the AI Act is available in our video series, The EU AI Act and most recent briefing on AI, The EU Commission Guidelines on prohibited AI practices.
Criminal Justice (Protection, Preservation of and Access to Data on Information Systems) Bill and Criminal Justice (International Cooperation Authority) Bill
The e-Evidence Package, comprising Regulation (EU) 2023/1543 and Directive (EU) 2023/1544, aims to implement a more efficient alternative mechanism to the current regime for cross-border law enforcement requests in the European Union. These two Bills will progress its application in Ireland. The General Scheme of the Criminal Justice (Protection, Preservation of and Access to Data on Information Systems) Bill was published in 2024 by the Department of Justice. Pre-legislative scrutiny was completed in March 2024. The Criminal Justice (Protection, Preservation of and Access to Data on Information Systems) Bill will give effect to a number of the provisions of the Budapest Convention on Cybercrime, the EU e-Evidence Regulation ((EU) 2021/784) and the EU Terrorist Content Online Regulation ((EU) 2021/784).
The Criminal Justice (International Cooperation Authority) Bill will provide for the establishment of a new criminal justice sector entity incorporating regulatory and competent authority functions to fulfil Ireland’s obligations under the e-Evidence Regulation and the Legal Representative (Directive 2023/1544). Heads of the Bill are in preparation.
Further information on the e-Evidence Package is available in our briefing, The e-Evidence Package: A New Regime for Cross-Border Law.