Ireland to miss EU cybersecurity deadline

Ireland is to the miss a deadline to transpose a new European Union cybersecurity directive into Irish law.

The Network and Information Security Directive, or NIS2, is supposed to be adopted by EU Member States by 17 October.

It requires organisations in both the public and private sector to boost their cyber defences.

NIS2 expands the scope of covered organisations and sectors to improve the security of supply chains.

There will be stricter requirements for enforcing cybersecurity, and more severe repercussions for non-compliance including heavy fines and legal ramifications for managers.

The Heads of Bill of the legislation to transpose the directive was published in August and the Department of the Environment, Climate and Communications said that it is currently engaging with other relevant Government departments and agencies on the drafting of the Bill.

"Unfortunately, the transposition deadline of 17 October 2024 will not be met," a Department spokesperson said.

"NIS2 is a complex piece of legislation which requires a complete overhaul of existing legislation."

"Ireland is not alone in this regard, most EU Member States have indicated they will not meet the transposition deadline, with the majority indicating that it will be 2025 before national legislation is in place," the Department said.

"The NIS2 Directive is a revision of the NIS Directive, which is currently in force in the State and will remain in full effect, covering the most critical operators within the State, while the NIS2 Directive is being transposed into national law," the spokesperson said.

While the directive will not be transposed on time, a number of steps have been taken to meet the requirements of the new EU cybersecurity rules.

The Government has approved the designation of the national competent authorities for each of the sectors set out in the directive, including the designation of the National Cyber Security Centre as the lead national competent authority.