Cybersecurity Policy

Fundamentally, to ensure the resilience of the national grid and other essential services to cyber threats, it is vital that robust cyber security measures are implemented by the entities concerned.

The European Union Directive 2016/1148 concerning measures for a high common level of security of network and information systems, the NIS Directive, established a regulatory framework to safeguard Operators of Essential Services in specific sectors of Critical National Infrastructure, including banking and financial market infrastructures. The NIS Directive was published in the Official Journal of the EU in July 2016 and was transposed into Irish law on the 18th of September 2018 by way of Statutory Instrument No. 360 of 2018 (www.irishstatutebook.ie/eli/2018/si/360/made/en) (hereafter “the 2018 Regulations”).

The 2018 Regulations place a number of significant responsibilities on the State and on critical infrastructure in respect of cyber security. These responsibilities are wide ranging, but, inter alia, require the State to identify Operators of Essential Services (OES) in specific sectors of Critical National Infrastructure. These OES are required to take appropriate and proportionate technical and organisational measures to manage security risks to their network and information systems; to take steps to prevent and minimise the impact of any incident that affects the security of their network and information systems to ensure the continuity of the services they provide; and to report serious incidents to the National Competent Authority and the national Computer Security Incident Response Team (CSIRT), and to comply with instructions of these authorities in this regard.

The Directive obliged the State to designate National Competent Authorities (NCA) in respect of the security of network and information systems. These entities ensure that the implementation of the Directive is monitored on an ongoing basis within the State and formalise channels of communication both with the relevant authorities of other Member States and with An Garda Síochána and the Office of the Data Protection Commissioner. Regulation 7(2) of the 2018 Regulations designates the Central Bank of Ireland as the NCA in respect of operators of essential services in the Banking and Financial Market Infrastructures sectors. I am designated as the NCA for the other five sectors within scope of the NIS Directive, including the Energy sector, and Ireland’s CSIRT is in the National Cyber Security Centre (NCSC).

With respect to the national grid, EirGrid as the Transmission System Operator (TSO) and ESB Networks as the Distribution System Operator have both been designated as OES under the 2018 Regulations. The NCSC engages with these bodies on an ongoing basis to supervise their compliance with the Regulations and share information relating to cyber threats.

In the years since 2018, the global cyber threat landscape has deteriorated and many significant cyber security incidents have occurred, including the ransomware incident which impacted the HSE’s systems in May 2021. The European Union and its Member States, recognising the need for an enhanced regulatory framework, initiated at the end of 2020 a review of the NIS Directive and a revised NIS Directive, “NIS2”, was published in the Official Journal of the European Union as Directive (EU) 2022/2555 on 27 December 2022. NIS 2 will bring a broad expansion of the scope of the Directive as well as a strengthened supervisory and enforcement regime for existing sectors, underpinned by a set of sanctions and fines. Officials in my Department are currently working on the transposition of the NIS 2 Directive into Irish law and liaising with relevant Departments and agencies to prepare for its implementation.