
NIS2: What Steps are Needed?

The draft General Scheme of the National Cyber Security Bill (CSB) is the proposed Irish legislative measure to implement the NIS2 Directive (Network and Information Systems 2 Directive).

It is designed to safeguard the cybersecurity landscape in Ireland and the wider EU bloc by requiring in-scope entities to implement a baseline level of cybersecurity. The 17 October 2024 deadline for EU member states to transpose NIS2 was missed by the Irish government because of the 2024 General Election. Given the regulatory pressure from the EU, we anticipate that Ireland will move quickly to finalise this legislation: although it is still in the pre-legislative scrutiny phase, the Bill has been given priority drafting status in the Spring 2025 Legislative Programme.

Under the current draft, Heads 28, 29 and 37 of the CSB set out the compliance obligations for in-scope entities. It is crucial for organisations that are in the scope of NIS2 to understand these provisions and the related cybersecurity obligations.

a) Who is in-scope of NIS2?

NIS2 applies to ‘essential entities’ and ‘important entities’, as explained in our previous article. These include organisations providing critical services in energy, healthcare, transport, banking, and digital infrastructure sectors. Businesses outside these sectors may not be directly subject to NIS2’s mandatory requirements. Still, they may be indirectly subject to the requirements if they are part of an in-scope entity’s supply chain.

Organisations regulated by NIS2 must implement risk-management measures, incident-handling procedures, business continuity practices, supply chain security management and a number of other measures. Failure to comply can result in significant penalties, including fines that, for essential entities, can reach up to €10m or 2% of total worldwide turnover in the preceding financial year, whichever is higher (the corresponding maximum for important entities under the Directive is lower). Non-compliance may also result in personal liability for members of the management body, suspension of licences or authorisations to operate, and reputational harm.

b) What must organisations do to comply?

Heads 28 and 29 of the CSB outline the cyber-security risk management measures and incident notification obligations that organisations must meet to show compliance. These provisions require organisations to adopt cybersecurity measures to prevent, detect, and respond to cyber threats. Below are the core components of Head 28 and Head 29 and how organisations can ensure compliance.

In addition to NIS2 and the CSB, the European Commission has published the final version of Commission Implementing Regulation (EU) 2024/2690 (CIR), which sets out in further detail the technical and methodological requirements of the cybersecurity risk management measures, with an emphasis on the principle of proportionality. Note that the CIR is directly applicable only to the categories of digital-sector entities listed in it (such as DNS service providers, cloud computing service providers, data centre service providers, managed service providers and online marketplaces); for other in-scope entities it nonetheless serves as a useful indication of the standard regulators are likely to expect. The EU Agency for Cybersecurity (ENISA) published draft technical guidance on the CIR, which was open to public consultation until 9 January 2025. Although legally non-binding, the guidance is intended to help entities implement the technical and methodological requirements set out in the CIR.

c) Risk Management Systems

Organisations must implement appropriate and proportionate technical, organisational and operational measures that manage the risks posed to the systems underpinning their services on an ‘all-hazards’ basis to protect their network and information systems and the physical environment of those systems. This includes at least the following:

  • Developing and maintaining a risk management strategy and policies that outline how to mitigate, respond to, and recover from identified threats.
  • Conducting regular risk assessments to identify internal and external supply chain vulnerabilities.
  • Implementing incident handling policies and procedures.
  • Ensuring supply chain security.
  • Ensuring security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure.
  • Implementing business continuity practices and disaster recovery plans including backup procedures.
  • Implementing policies and procedures to assess the effectiveness of cybersecurity risk-management measures.
  • Implementing basic cyber hygiene practices and cybersecurity training.
  • Ensuring human resources security, access control policies and asset management.
  • Implementing access controls and multi-factor authentication solutions: Restricting access to systems, data, and infrastructure based on roles and responsibilities within the organisation.
  • Implementing policies and procedures regarding the use of cryptography and, where appropriate, encryption.

The measures must be proportionate to the entity's degree of exposure to risk, its size, the cost of implementation, and the likelihood and severity of the relevant risks, including their societal and economic impact. They must also take into account the state of the art and, where applicable, relevant European and international standards. Article 2 and the Annex to the CIR provide additional guidance here. On proportionality, Article 2(2) provides that relevant entities shall "take due account of the degree of their exposure to risks, their size and the likelihood of occurrence of incidents and their severity, including their societal and economic impact". Article 2 also provides that where the CIR or its Annex qualifies a requirement with the words "where appropriate", "where applicable" or "to the extent feasible", and the entity concludes that the requirement is not appropriate, not applicable or not feasible in its case, it must document its reasoning for that conclusion in a comprehensible manner. In practice this means an entity cannot simply omit such a measure: the decision, and the rationale behind it, must be recorded so that it can be produced to the competent authority on request.

Taken together, the above measures aim to ensure that the entity can prevent and detect incidents affecting its network and information systems, contain their impact, and quickly restore its services with minimal downtime. It should be noted that this is a minimum list, not an exhaustive one.

Organisations should ensure that their risk management policies are regularly updated to reflect the latest cybersecurity threats and challenges, particularly those that affect the specific sector in which the company operates.

d) Training

The ‘management board’ is defined in the CSB as the body or group of individuals vested with the authority and responsibility for the oversight, direction and control of an entity.

The management board of an in-scope entity is required to approve the entity's cybersecurity risk-management measures, to oversee their implementation, and to follow cybersecurity risk-management training itself. The management board should also encourage employee training and cybersecurity awareness programmes so that employees gain sufficient knowledge and skills to identify risks and to assess cybersecurity risk-management practices and their impact on the services provided by the entity. Building a security-conscious culture within the organisation is a key factor in compliance.

Next Steps for Businesses:

Given the complexity of NIS2, organisations must adopt a multi-faceted, cross-functional approach to compliance. Organisations should start by:

  1. conducting an internal audit of current cybersecurity practices to identify gaps in compliance. This should involve a thorough review of the company’s risk management policies and procedures, security measures, and employee training programs;
  2. engaging independent IT or security consultants to remedy any technical or operational cybersecurity gaps identified in the audit;
  3. updating any related policies and documents, including data protection documents;
  4. reviewing and updating incident handling and notification policies and procedures, breach response plans and appointing responsible and accountable persons;
  5. reviewing contracts to ensure any downstream providers are also being held to the standard of compliance required by NIS2; and
  6. ensuring board readiness for NIS2 obligations, including board training, establishing reporting and escalation lines, designating cybersecurity matters for board review and approval, board visibility of cybersecurity issues via board agenda and otherwise, and establishing sub-committees as necessary/appropriate with appropriate appointees.

Complying with NIS2 means taking a proactive, comprehensive approach to managing cybersecurity risks, responding to incidents, and cooperating with regulatory authorities. Heads 28, 29 and 37 highlight the need for risk management and a structured enforcement framework, ensuring that businesses are prepared to face the evolving cyber threat landscape.

By adhering to these requirements, organisations can strengthen their resilience against cyberattacks, and avoid penalties under NIS2.

For more information on NIS2, see the next article from William Fry’s NIS2 series here, or access William Fry’s TechReg Connect software solution. Alternatively, you can contact Rachel Hayes, Leo Moore, Susan Walsh, or your usual William Fry contact on our expert Technology team.

Contributed by Susan Walsh.