With less than a week to go to the implementation deadline, only two Member States have notified the Commission of their national transposition of NIS2
14 October 2024
EU Member States have until 17 October 2024 (Deadline) to adopt and publish national laws which comply with the EU’s new cyber security laws, commonly known as NIS2.
To recap, NIS2 is designed to help entities to better protect themselves against cyber threats and ensure that the EU’s critical national infrastructure is more resilient and secure. For more information see our article here.
To date, only Belgium and Croatia have officially notified the European Commission of their national implementations and it looks like many of the remaining 25 Member States may miss the Deadline.
Our nearest EU neighbour, Ireland, recently published its legislative vehicle, the General Scheme for the National Cyber Security Bill 2024 (Bill). Once the Bill is finalised and enacted, it will transpose NIS2 into Irish law, establish the overarching framework for Ireland’s national cyber security strategy and place its National Cyber Security Centre (NCSC) on a statutory footing, clarifying its mandate and role.
Key elements of the Bill include:
- Designation of National Competent Authorities
The NCSC will be designated as the competent authority for the management of large-scale cyber security incidents and crises in Ireland. It will also be designated as Ireland’s computer security incident response team (CSIRT) and will act as lead competent authority. The Bill also designates sector-specific competent authorities (CAs) that will oversee the implementation and enforcement of NIS2 within their relevant sectors; for example, the Commission for Communications Regulation will be the CA for digital infrastructure, ICT service management, space and digital providers.
- Cyber Security Risk Management Measures
The Bill transposes the cyber risk management obligations under NIS2 (Article 21(1)) into Irish law. In-scope entities are required to put in place “appropriate and proportionate technical, operational and organisational measures” to manage the risks posed to the security of their network and information systems and to prevent or minimise the impact of incidents on service users and on other services. As expected, the Bill also includes the NIS2 baseline measures (Article 21(2)). Entities must ensure a level of security appropriate to the risk posed, based on an “all-hazards” approach and taking into account the state of the art, the cost of implementation and relevant EU/international standards. The recent draft Implementing Regulation (IR) provides further prescriptive measures to be implemented by certain entities offering cross-border digital services. (For more information on the IR, see our article here.) When considering supply chain security, entities must take into account the vulnerabilities specific to each direct supplier/service provider and the overall quality of their products and cyber security practices, including their secure development procedures. The Irish Minister for the Environment, Climate and Communications may also make regulations imposing further measures on essential/important entities.
- Incident Reporting
In line with Article 23 of NIS2, in-scope entities must comply with stringent reporting requirements. Notification timeframes are very narrow: an early warning must be made within 24 hours of becoming aware of a “significant incident”, followed under Article 23(4) by a fuller incident notification within 72 hours and a final report within one month. Notification to impacted service users may also be required in certain cases. The IR also provides further clarity around the proposed reporting thresholds for certain digital provider entities. Ensuring that entities have processes in place to identify incidents and meet these tight reporting deadlines will be a major challenge, particularly when complex supply chains are involved.
- Registration
By 17 April 2025, the NCSC must establish a list of essential and important entities (defined in line with NIS2), and in-scope entities must submit the information needed to establish this list to their CA. Certain digital service providers must also submit specified information to the NCSC by 17 January 2025 to enable ENISA to create and maintain a register of such entities.
- Enforcement Powers and Sanctions
The relevant sector-specific CA will be responsible for supervision and enforcement and, in line with NIS2, the Bill provides the CAs with a wide range of supervisory and enforcement powers. Following a finding of non-compliance, an essential/important entity will first be issued with a “compliance notice” setting out the suspected breach and directing its remedy. Where the entity fails to comply without reasonable excuse, it commits an offence and is liable to an administrative fine aligned with the two maximum-fine tiers set out in NIS2, i.e. up to the greater of
i) €10 million or at least 2% of worldwide group turnover for essential entities, or
ii) €7 million or at least 1.4% of worldwide group turnover for important entities.
NIS2 requires Member States to give CAs the power to have individuals temporarily prohibited from discharging managerial responsibilities at senior management (C-suite) level at essential entities, or to temporarily suspend an essential entity’s certification or authorisation, until the necessary action has been taken to remedy deficiencies and/or comply with the requirements requested by the CAs (see Recital 133 and Article 32(5) of NIS2). The Bill goes further and enables Irish CAs to apply to the High Court to restrict senior management from their position following non-compliance with a compliance notice, in the case of both essential and important entities. Where either type of entity operates under a licence/authorisation, this may also be temporarily suspended until compliance is achieved (see Head 37B of the Bill).
In line with Articles 32(6) and 33(5) of NIS2, senior management (e.g. directors, officers, managers and company secretaries) may also be held personally liable for an essential/important entity’s non-compliance with its cyber security risk management or incident reporting obligations (and any associated penalties imposed) where it can be proved that the infringement was committed with their consent or connivance, or is attributable to their wilful neglect. In such cases they are liable to be proceeded against and punished as if they had committed the infringement themselves (see Head 43(1) of the Bill).
The combined effect of these powers should help to ensure that cybersecurity becomes a priority board agenda item for in scope entities subject to Irish NIS2 laws.
Next steps
Once the text is finalised, the Bill will be subject to further scrutiny as part of the legislative process. However, given the looming Deadline and the high priority status of cybersecurity within the European Commission, it is expected that the Irish legislative process will be expedited and that amendments to the Bill will be limited.
UK Cyber Reforms
While the UK will not directly adopt NIS2, its Cyber Security & Resilience Bill will likely share many of NIS2’s core principles as both the UK and EU attempt to strengthen their cybersecurity preparedness and resilience in order to try to more effectively manage and mitigate the ever evolving threat landscape.
If you require any advice re NIS2, such as assessing whether you are in scope and/or how it might impact your business or customers, please contact Mary Traynor or Ali Vaziri.