General Scheme of the National Cyber Security Bill 2024

On 24 July 2024, the government gave its approval to the priority drafting of the National Cyber Security Bill 2024 in line with the General Scheme published below. The National Cyber Security Bill 2024 is the legislative vehicle for the transposition of the Network and Information Security Directive EU 2022/2555 (NIS2 Directive). It also provides for the establishment of the National Cyber Security Centre (NCSC) on a statutory basis and for related matters including clarity around its mandate and role in general.

Some of the key provisions the General Scheme transposes are:

  • Designation of Competent Authorities: National Competent Authorities (NCAs) have been designated for overseeing the implementation of the Directive and enforcement within each relevant sector. The Minister also has the ability via secondary legislation to designate additional competent authorities as required in consultation with the relevant persons the Minister considers appropriate
  • Essential and Important Entities: The Directive defines two categories of entities: "Essential Entities" in critical sectors like energy and transport, and "Important Entities" in sectors with a high cyber risk profile (such as waste management, postal services)
  • Cybersecurity Risk Management: Essential Entities will be required to implement stricter risk management measures, including conducting regular risk assessments, adopting appropriate security measures, and having a plan for incident response
  • Incident Reporting: Both Essential and Important Entities will have obligations to report certain cyber incidents to the competent authority
  • Supervision and Enforcement: There are penalties for non-compliance with the Directive, including the power to restrict company CEOs, Directors and other senior managers from their positions in Essential and Important Entities where there has been non-compliance with this Act. There is also a power for an NCA that issues a licence to an entity to operate its business in the State to suspend that licence until there is compliance with the provisions in the Directive. These penalties are serious in nature but reflect the seriousness of the breaches and also reflect what is contained within the Directive. The High Court provides a sufficient level of safeguards in the implementation of these measures. It also follows the attitude adopted in the Companies Act (2014) (as amended) where all sanctions of a serious nature are dealt with by the High Court

Some of the key provisions for the NCSC are:

  • Governance: The governance of the NCSC, including establishing it as an Executive Office of DECC as well as setting out the composition and governance structure of the NCSC more generally. The NCSC has a number of National Security roles and thus cannot be fully independent of Ministerial Authority. It will have reporting obligations to the Minister. It will, however, be important to ensure the safeguarding of the NCSC’s independence within the Bill in circumstances where it was established by Government Decision and operates under the authority of the Minister
  • Enhanced Role: The General Scheme sets out roles for the NCSC including national cyber security monitoring, resilience building, information sharing (national and international) and national incident response. It also gives the NCSC specific powers to engage in a range of scanning-type activities to identify systems vulnerable to specific exploits. This type of activity is also required of the State under Article 11 of the NIS2 Directive
  • Use of Sensors: The NCSC shall provide, upon the request of an essential or important entity, proactive scanning of the network and information systems of the entity concerned to detect vulnerabilities with a potential significant impact