Policy information
Cyber Security
From Department of the Environment, Climate and Communications
Published on
Last updated on
Cyber security, the protection of our IT systems, data services and communication networks, is vitally important to our economy and society. Disruption to our digital systems is very expensive and it undermines trust and confidence in them. It is the government’s role to develop policy and strategies which help us to safely use and enjoy digital communication.
The Department of the Environment, Climate and Communications (DECC) and several other government departments and agencies work with a range of critical infrastructure operators and international partners to protect the security of key systems and data.
It also works to implement EU legislation on cyber security to bring about safer digital communication across Europe.
The National Cyber Security Strategy was published in December 2019, and follows on from the country's first strategy. It is a broader and more comprehensive document than the last one, and is informed by the operational experience gained by the National Cyber Security Centre (NCSC) from 2015 to 2019, and from ongoing national and international engagements in the area.
The vision behind the 2019 Strategy is for Ireland to continue to safely enjoy the benefits of the digital revolution and to play a full part in shaping the future of the Internet. This vision will be achieved through:
- the protection of the State, its people, and its critical national infrastructure from cyber threats
- the development of the capacity of the State, of research institutions, of businesses and of the people, to both better understand and manage the nature of the challenges we face
- the engagement by the State, nationally and internationally, in a strategic manner, supporting a free, open, peaceful and secure cyber space
A public consultation was undertaken in the first half of 2019 in order to inform the Strategy and ensure that awareness and best practice in cyber security and cyber hygiene were at the core of the strategy development process. The public consultation process was designed to gather the views of the general public and also of those with an interest in the subject, such as specialists in the field of cyber security.
The National Cyber Security Centre (NCSC) was established in 2011 and is the government’s operational unit for network and information security. The role of the NCSC is to lead in the management of major cyber security incidents, provide guidance and advice to citizens and businesses, and manage cyber security related risks to key services.
Like similar bodies in other EU Member States, the NCSC has also moved steadily towards a more proactive approach across a range of areas. The provisions of the EU Network and Information Systems Directive 2016/1148 have been used to develop a quasi-regulatory approach for critical infrastructure providers, an approach which operates alongside the existing and ongoing work of the NCSC.
The Computer Security Incident Response Team (CSIRT), which is part of the NCSC, looks after risk and incident handling in the State. Its responsibilities include:
- monitoring incidents within the State
- providing early warnings, alerts, announcements and dissemination of information about risk and incidents to relevant stakeholders
- responding to incidents they are notified about
- providing dynamic risk and incident analysis and situational awareness
Ireland has its own policies and legislation for governing cyber security. We also abide by the collective legislation that is imposed by the EU. The EU Network and Information Systems Directive 2016/1148 was signed into Irish law on 18 September 2018 by way of S.I. No. 360 of 2018. This represents a significant change in how countries in the EU approach cyber security, and involves a shift in approach towards a more formal type of regulatory relationship in certain key industries. Some of the responsibilities that the Directive places on the State, and on businesses, include:
- the application of a set of binding security obligations to a wide range of critical infrastructure operators - Operators of Essential Services. These include energy, healthcare, financial services, transport, drinking water supply, digital infrastructure and telecommunications
- the application and policing, by the State, of a new regulatory regime on so called Digital Service Providers (DSPs). These include cloud computing providers, search engines providers and providers of online market places
- critically, and in a similar manner to that for data protection, placing the responsibility on government for dealing with the security of services provided by multinational companies across the European Union that have their European headquarters located in Ireland
The Directive places security obligations and incident reporting requirements on Operators of Essential Services. A company or utility is identified as an Operator of Essential Services if it meets all three of the following criteria:
- the entity provides a service which is essential for the maintenance of critical societal and economic activities
- the provision of that service should depend on network and information systems
- a security incident would have significant disruptive effects on the essential service
Companies and utilities in the following sectors and subsectors are included for consideration:
- Energy: electricity, oil and gas
- Transport: air, rail, water and road
- Banking: credit institutions
- Financial market infrastructures: trading venues and central counterparties
- Health: healthcare providers
- Water: drinking water supply and distribution
- Digital infrastructure: internet exchange points, domain name system service providers and top level domain name registries
Since 2017 DECC has been engaging with companies and utilities in both the private and public sector that have been identified as Operators of Essential Services. These entities must follow a set of security guidelines which have been drafted to address both the technical and the procedural/organisational elements of the Directive. The security guidelines consist of five themes which provide a high level view of an organisation's management of cyber security risk. These are - Identify, Protect, Detect, Respond and Recover.
Operators of Essential Services are also required to report incidents which fall under the scope of the Directive. Reportable incidents are ones that have a significant impact on essential services, where the service is interrupted and not working for a given period of time. Further information on incident reporting can be found in the above mentioned security guidelines.
The Directive also aims to improve the security of some important online services. Online marketplaces, online search engines and cloud computing services are known as Digital Service Providers. These entities are subject to incident reporting requirements and security measures where they have to identify and manage the security risks to the systems they use to provide their services by taking appropriate technical and organisational measures.
Unlike Operators of Essential Services, the government does not identify companies as Digital Service Providers. The onus is on corporations instead to determine if they fall under the scope of the Directive and, if they do, to comply with the security measures and incident reporting guidelines.
It is important to note that micro and small enterprises are not covered by the Directive so any enterprise that employs fewer than 50 people and whose annual turnover and/or annual balance sheet total is less than €10 million is exempt from complying with it.
These guidelines provide an understandable set of specifications that can be referenced by Public Sector Bodies when they are planning the procurement of ICT goods and services. It addresses a range of cyber security domains including organisational practices, supply chain security (including risks such as data leaks, supply chain breaches, and malware attacks), evaluation considerations, and attestation information that may be required from suppliers when procuring ICT goods and services throughout the Plan, Source and Manage phase of the procurement process.
