The National Cyber Security Bill 2024 is an Irish bill published by the Oireachtas in 2024. The legislation was published on 30 August 2024.
The legislation transposes several important parts of NIS 2:
National competent authorities are defined. Ireland has chosen a federated model for NIS 2, with the National Cyber Security Centre as the lead competent authority, with responsibility for large-scale cybersecurity incidents in Ireland. The NCSC is also designated as Ireland's CSIRT.
Essential entities will be required to have robust risk management, including regular risk assessments, having suitable security measures and a plan for incident response.
Both essential and important entities are required to report significant incidents to a competent authority.
Noncompliance with the directive can lead to CEOs, directors and other managers having their roles restricted in essential and important entities. If an individual, knowingly or through neglect, can be proven to have caused a corporate body to not comply, then they can be found personally liable. Financial penalties can also be imposed.
For an essential entity the maximum penalty is the larger of €10 million or 2% of worldwide turnover in the previous financial year.
For an important entity the maximum penalty is the larger of €7 million or 1.4% of worldwide turnover in the previous financial year.
Business licenses can be suspended by a national competent authority. The High Court oversees these matters.
The bill also deals with the National Cyber Security Centre.
The centre will be established as an executive office of the Department of the Environment, Climate and Communications.
The centre will have enhanced responsibilities both nationally and internationally. It will have the power to scan for vulnerable systems and employ sensors, at the request of an important or essential entity.