The Government has published a draft bill that transposes an EU directive on cyber-security into Irish law.

The proposed legislation will also put the National Cyber Security Centre (NCSC) on a statutory footing, as well as setting out its mandate.

The National Cyber Security Bill 2024 designates national competent authorities (NCAs) to oversee implementation and enforcement of the EU directive within relevant sectors.

‘Essential entities’

Under the proposals, ‘essential entities’ in sectors such as energy and transport will have to implement strict risk-management measures. The bill also defines ‘important entities’ in areas of higher risk, such as waste management and postal services.

Both categories will have obligations to report certain cyber incidents to the competent authority.

The bill also includes penalties for non-compliance with the directive – including the power to restrict company CEOs, directors, and other senior managers from their positions in essential and important entities where there has been non-compliance with the act.

Scanning

NCAs that issue licences to businesses to operate will also have the power to suspend such a licence until a business complies with the directive.

The bill also sets out rules for the governance of the NCSC, which will have reporting obligations to the Minister for Environment, Climate and Communications.

As well as setting out the centre’s roles in areas such as monitoring and responding to incidents, the bill also gives it specific powers to engage in a range of scanning activities to identify systems vulnerable to specific exploits.