The legislation to enact the critical cybersecurity measures has not been introduced in time for the law to take effect in October, say industry experts. It may not now be enacted in 2024.
It is described as ‘a major step forward for cyber resilience in Europe’
NIS2 makes company directors potentially responsible for cybersecurity incidents, incentivising companies to ensure that their processes are safe and up to code.
It is described by the Department of Communications, which is responsible for steering the directive into Irish law, as “a major step forward for cyber resilience in Europe” which will “enhance cyber-risk management across the EU” and “generate significant improvements in our capacity to respond to major incidents”.
However, Ireland now looks set to miss out because of the late publication of the legislative bill.
“The minister or the department cannot pre-empt the outcome or the length of time the legislative process will take,” said a spokesperson for the Department of Communications. “That is a matter solely for the Oireachtas.”
The departmental spokesperson added that “significant work” is ongoing around the transposition of NIS2 into Irish law, via the National Cyber Security Bill 2024, and added that there is “ongoing engagement with industry, sectoral entities, and the public administration sector”.
To date, the spokesperson said, the Government has approved the designation of “national competent authorities” for each of the sectors set out in the cybersecurity directive.
The National Cyber Security Centre has been appointed as the lead national competent authority and will be a “central coordinator” for “advice, guidance and support” including “development of regulatory framework and tools to assist the other competent authorities”.
‘It still has to be brought before the Oireachtas and is subject to legal scrutiny’
While Ireland looks set to miss the transposition deadline, that doesn’t mean that Irish companies should think they don’t have to get ready for compliance, says Nicola Barden, a senior associate at the law firm Pinsent Masons.
“If Ireland misses the implementation deadline, it seems likely that the legislation will pass soon after,” she said.
“Businesses should not take the missed implementation deadline as an opportunity for non-compliance.
“They should still take steps, to the extent possible, to meet the requirements, using the information they have in the bill.”
However, she warned that the current general scheme of the National Cyber Security Bill 2024, published on August 30, “is at a very early stage of the legislative process” with a wait for completion likely.
“It still has to be brought before the Oireachtas and is subject to legal scrutiny and possible changes,” she said.
“Having said that, we are further along the legislative process than some other member states, such as Germany and Spain, which have not yet published the implementing legislation.
“The good news for Irish businesses is that they have draft legislation to review to help them prepare and determine if they are caught by NIS2.”