Countdown for new Cyber Security Laws
Irish cyber security law is on the cusp of a number of significant developments. DORA and NIS 2, in particular, have imminent deadlines. These laws will require organisations to ensure that they can respond to cyber security incidents and that their networks, systems and supply chains are operationally resilient. The challenges of complying with these laws will vary from organisation to organisation depending on, amongst other things, the organisation’s cyber security maturity, the measures it already has in place, and the extent to which it falls within scope of the legislation. This briefing summarises the cyber security laws of which you should be aware and provides guidance to help you understand the extent to which each relates to your organisation.
NIS 2
What is it?
The NIS 2 Directive[1] (“NIS 2”) is the second generation of the EU’s network and information security legislation. It will replace the Network and Information Security Directive[2] (“NIS 1”). Following a review of NIS 1, the European Commission published a proposal on 16 December 2020 to repeal NIS 1 and replace it with NIS 2. One of the main shortcomings identified in NIS 1 was the limited number of sectors covered; NIS 2 significantly expands this.
Who is within scope?
NIS 2 applies to ‘essential’ and ‘important’ entities falling within certain sectors. Our previous briefing (here) sets out information regarding the scope of NIS 2, including the sectors to which it applies. In short, essential entities are those operating in sectors of “high criticality”, including:
- Energy
- Transport
- Banking
- Financial market infrastructure
- Health (including healthcare providers, pharmaceutical manufacturers and certain medical device manufacturers)
- Drinking water
- Waste water
- Digital infrastructure (including cloud computing, data centre service providers, top-level domain name registries)
- ICT service management (B2B)
- Public administration and space
With some exceptions, essential entities are large-sized entities (i.e. those with 250 or more employees and whose annual turnover exceeds €50 million and/or whose annual balance sheet total exceeds €43 million).
Important entities operate in “other critical” sectors (e.g. postal/courier services; waste management; manufacturing; research; food production and distribution; chemical manufacturing). In addition, medium-sized entities operating in sectors of “high criticality” are also classified as important entities. A medium-sized entity is one with 50 to 249 employees and either an annual turnover of not more than €50 million or an annual balance sheet total not exceeding €43 million.
Under the NIS 1 Regulations[3], which transposed NIS 1 into Irish law, approximately 70 entities are designated as ‘operators of essential services’. In contrast, the National Cyber Security Centre (“NCSC”) expects a much greater number (approximately 3,500 entities) to be subject to NIS 2.
It is important to determine whether an entity is an ‘essential’ or ‘important’ entity, as essential entities will be subject to ongoing ex ante supervision by the competent authority, including onsite inspections, regular and ad hoc audits, targeted security audits and security scans to check for vulnerabilities. Important entities, in contrast, are subject to ex post (or reactive) supervision, meaning that the competent authority will take action through ex post supervisory measures only when there is evidence, an indication or information alleging non-compliance with NIS 2.
Key obligations:
Some of the key obligations under NIS 2 include:
- Cybersecurity risk-management measures;
- Incident reporting;
- Communications to service recipients and the public; and
- Supply chain security.
See our previous briefing (here) for further information regarding the key obligations which are set out above.
In addition, as noted in a further briefing (here), the European Commission has published a draft Implementing Regulation setting out the cyber-security risk-management measures that digital infrastructure and digital providers will be expected to implement.
Key Dates
NIS 2 is to be transposed into Irish law by 17 October 2024. On 30 August, the Irish Government published the General Scheme for the National Cyber Security Bill, which we have considered in a separate briefing (here). At the time of writing (16 October), the Bill has not been published and thus has not received any legislative scrutiny. As such, the transposition deadline will be missed. A potential General Election on the horizon is another factor which may affect when the legislation is enacted.
DORA
What is it?
The Digital Operational Resilience Act (Regulation (EU) 2022/2554) (“DORA”) is an EU Regulation that is aimed at achieving a high common level of digital operational resilience for EU regulated financial entities so that they can withstand and respond to cyber threats and ICT incidents.
DORA will be supplemented by guidance and secondary legislation, primarily in the form of regulatory technical standards (RTS) and implementing technical standards (ITS) drafted by the European Supervisory Authorities (ESAs)[4] and adopted by the European Commission. The table below sets out the status of the RTS and ITS:

| First batch (published 17 January 2024) | Second batch (published 17 July 2024) | Final RTS (published 26 July 2024) |
|---|---|---|
| Status: Adopted by the European Commission. | Status: Submitted to the European Commission for adoption. | Status: Submitted to the European Commission for adoption. |
Who is within scope?
DORA applies to almost all types of EU regulated financial entities, including:
| Sector | Financial entities |
|---|---|
| Banking | Credit institutions. Payment institutions, including payment institutions exempted pursuant to the Payment Services Directive (“PSD2”)[5]. Account information service providers. Electronic money institutions, including electronic money institutions exempted pursuant to the E-Money Directive[6]. |
| Funds and investment | Investment firms. Crypto-asset service providers as authorised under the Markets in Crypto-Assets Regulation (“MiCA”) and issuers of asset-referenced tokens (“ARTs”). Managers of alternative investment funds (“AIFs”). UCITS management companies. |
| Insurance and reinsurance | Insurance undertakings and reinsurance undertakings. Insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries. |
| Pensions | Institutions for occupational retirement provision. Note: institutions for occupational retirement provision which operate pension schemes with no more than 15 members in total are excluded. |
| Financial infrastructure and other services | Central securities depositories. Central counterparties. Trading venues. Trade repositories. Data reporting service providers. Credit rating agencies. Administrators of critical benchmarks. Crowdfunding service providers. Securitisation repositories. |
In addition, DORA also applies to ICT third-party service providers who provide ICT services[7] to in-scope financial entities. DORA will have a more significant impact on those ICT third-party service providers designated by the ESAs as ‘critical’[8], as they will be subject to a direct oversight regime administered by one of the ESAs. The ESAs will publish a list of these critical ICT third-party service providers. Other ICT third-party service providers will be subject to DORA indirectly, by virtue of providing ICT services to in-scope financial entities.
Please see our previous briefing for more information on who is within scope of DORA.
Interaction with NIS 2
DORA is sector-specific legislation for financial entities. As such, where the cyber-security risk-management measures or incident reporting obligations in DORA are at least equivalent in effect to those in NIS 2, DORA applies.
Key obligations:
The key obligations for in-scope financial entities are:
1. Managing ICT third-party risk
DORA imposes obligations on how in-scope financial entities manage ICT third-party risk. Some of the obligations include:
- Contracts – DORA requires all contracts for the use of ICT services to address certain minimum elements. Where the ICT services support the financial entity’s critical or important functions, there are additional elements to be included in the contract. For more information, please see our previous briefing.
- Pre-contract diligence – Before entering into a contractual arrangement on the use of ICT services, financial entities must undertake various due-diligence assessments, including:
  - Assessing whether the ICT services support the financial entity’s critical or important functions.
  - Assessing whether the supervisory conditions for sub-contracting are met.
  - Assessing the relevant risks in relation to the contractual arrangement.
  - Identifying and assessing any conflicts of interest.
  - Checking whether the ICT third-party service provider complies with appropriate information security standards.
- ICT Third-Party Risk Strategy – Financial entities are required to adopt an ICT third-party risk strategy, which shall include a policy on the use of ICT services supporting critical or important functions.
- Register of Information – Financial entities are required to maintain a register of information in relation to their contractual arrangements for ICT services provided by ICT third-party service providers. Further information can be found in our previous briefing.
2. ICT risk management framework – DORA requires financial entities to have an ICT risk management framework that enables them to address ICT risk quickly, efficiently and comprehensively and to ensure a high level of digital operational resilience. The framework must be well documented and include, amongst other things, policies, procedures, ICT protocols and tools to protect information and ICT assets.
3. ICT-Related Incident Reporting – Financial entities are required to classify ICT-related incidents and determine their impact based on certain criteria, such as the relevance to clients and financial counterparts affected. The reason for the classification is to enable financial entities to identify those that are ‘major ICT-related incidents’ as these are to be reported to the national competent authority (e.g. Central Bank of Ireland for credit institutions). Reporting applies on a phased basis and the timelines proposed in the current draft RTS are quite tight:
(a) Initial notification is to be made within 4 hours of classifying an incident as a ‘major ICT-related incident’ and no later than 24 hours following its detection.
(b) Intermediate report is to be made within 72 hours of classifying the incident as a ‘major ICT-related incident’.
(c) Final report is to be submitted within 1 month of classifying the incident as a ‘major ICT-related incident’.
Clients must also be notified of a ‘major ICT-related incident’ that has an impact on their financial interests. Notification is to be made by the in-scope financial entity “without undue delay as soon as they become aware of it”.
4. Digital Operational Resilience Testing – Financial entities (other than microenterprises) are required to establish a sound and comprehensive digital operational resilience testing programme (DRTP). The DRTP shall provide for testing of basic requirements (e.g. vulnerability assessments, open source analysis, network security assessments, physical security reviews, end-to-end testing and penetration testing). For many financial entities, their DRTP shall also provide for more advanced testing by means of Threat Led Penetration Testing (TLPT). Notably, a draft RTS on TLPT has been published which specifies, amongst other things, the criteria to be used for identifying financial entities required to perform TLPT.
5. Information sharing – Chapter VI provides for financial entities to share cyber threat information and intelligence amongst each other. This is aimed at enhancing the digital operational resilience of financial entities by raising awareness of cyber threats so as to limit the ability of those threats to spread. DORA envisages such information and intelligence sharing taking place within trusted communities of financial entities, under information sharing arrangements that protect the potentially sensitive nature of the information shared. Financial entities are also required to notify competent authorities of their participation in such information sharing arrangements.
Key date:
DORA will apply from 17 January 2025.
EU Cybersecurity Act
What is it?
The EU Cybersecurity Act[9] is an EU Regulation which entered into force on 27 June 2019. It established:
- The EU cybersecurity agency, the European Network and Information Security Agency (ENISA)[10], on a permanent basis.
- An EU Cybersecurity Certification Framework (“Framework”) that laid down the requirements for EU-wide cybersecurity certification schemes to be developed for ICT products, services and processes.
The objective of the Framework was to ensure an adequate level of cybersecurity for ICT products, services and processes in the EU market. There were several certification schemes for ICT products in different EU Member States, but without mutual recognition. To avoid the risk of fragmentation at an EU level, the EU Cybersecurity Act was aimed at providing for a common EU cybersecurity certification framework allowing conformity certificates to be recognised across EU Member States.
ENISA is responsible for drawing up certification schemes:
- EUCC - On 31 January 2024, ENISA adopted the first cybersecurity scheme, the European Cybersecurity Scheme on Common Criteria (EUCC), for ICT products (e.g. software, hardware and technological components). From 31 January 2025, businesses can apply for certification of their ICT products under the EUCC.
- EU Cloud Services (EUCS) – A draft cybersecurity certification scheme for cloud services was published on 22 December 2020 and remains the subject of ongoing consultation. A requirement for cloud services (and its accompanying data) to be hosted in the EU has proven to be controversial.
- EU5G – A certification scheme for 5G mobile communications is being developed in two phases. A first draft of the scheme will be made available for public consultation.
- Artificial intelligence – ENISA is assessing whether and how AI could be the object of cybersecurity certification.
On 18 April 2023, the European Commission proposed a targeted amendment to the EU Cybersecurity Act to enable the adoption of certification schemes for ‘managed security services’ covering areas such as incident response, penetration testing, security audit and consultation. This development may assist in the emergence of trusted cybersecurity managed service providers.
Key date
On 6 March 2024, the European Parliament and the Belgian Presidency of the Council of the European Union reached a provisional agreement on the targeted amendment to the EU Cybersecurity Act. The text will undergo further technical adjustments, as well as undergoing a legal/linguistic review, before being presented to the Council and European Parliament for adoption.
Cyber Resilience Act
What is it?
On 10 October 2024, the Council adopted the Cyber Resilience Act (“CRA”), which provides for cyber security requirements for products with digital elements (PDEs)[11] with a view to ensuring that PDEs, such as connected smartwatches, baby monitors, TVs, fridges and similar devices, are safe before they are placed on the market.
The CRA excludes from its scope certain products and/or fields, including medical devices, in vitro diagnostic devices, spare parts for PDEs, motor vehicles, marine equipment, PDEs developed for national security or defence and PDEs designed to process classified information.
Who is in-scope?
The CRA imposes obligations and requirements on ‘economic operators’ in relation to PDEs. ‘Economic operators’ include the:
- Manufacturer;
- Authorised representative;
- Importer;
- Distributor; or
- Other natural or legal person subject to obligations in relation to the manufacture of PDEs or making them available on the EU market (e.g. open-source software stewards),
in each case where they supply a PDE for distribution or use in the EU in the course of a commercial activity.
The regulatory burden under the CRA falls most heavily on manufacturers.
Key obligations
Some of the key obligations under the CRA include:
1. Cybersecurity Requirements – PDEs must meet the essential cybersecurity requirements, set out in Part I of Annex I of the CRA, to be made available on the EU market.
2. Cybersecurity Risk Assessments – Manufacturers are required to assess the risks associated with PDEs based on their intended purpose and reasonably foreseeable use, as well as the PDE’s conditions of use. The outcome of that assessment shall be taken into account during the planning, design, development, production, delivery and maintenance phase (i.e. the support period) of the PDE. When placing a PDE on the market, the cybersecurity risk assessment is to be included in the PDE’s technical documentation.
3. Conformity Assessments – Manufacturers are required to carry out conformity assessments to verify that the PDE meets the essential cybersecurity requirements of the CRA. Different conformity assessments apply depending upon the PDE’s risk classification:
(a) For lower-risk PDEs (i.e. those in the default category), the conformity assessment may involve self-assessment by the manufacturer to demonstrate compliance with the CRA.
(b) PDEs that are considered ‘important’ (and further sub-divided into Classes I and II) are subject to additional requirements in relation to the conformity assessment, due to the cybersecurity risks associated with their functionality and intended use.
   i. For Class I PDEs[12], where the manufacturer does not apply harmonised standards or common specifications, or submit to EU cybersecurity certification schemes, it must use either of the following procedures:
      1. Module B (EU-type examination procedure) and Module C (Conformity to Type based on Internal Production Control) – For Module B, a notified body examines the technical design of the PDE and the manufacturer’s vulnerability handling process and verifies that it meets the CRA’s essential cybersecurity requirements. Following Module B, the manufacturer ensures under Module C that its production process secures conformity to the approved type.
      2. Module H (Full Quality Assurance) – Conformity assessment is based on full quality assurance.
   ii. For Class II PDEs[13], the manufacturer can demonstrate conformity by using any of the procedures that apply to Class I PDEs (as set out above) or by obtaining certification of the PDE under an EU Cybersecurity Certification Scheme, adopted under the EU Cybersecurity Act, which has a minimum assurance level of ‘substantial’ (e.g. EUCC).
(c) Critical PDEs[14] shall demonstrate conformity by obtaining certification under a European Cybersecurity Certification Scheme in accordance with Article 8(1) or by following any of the procedures used for Class II PDEs.
4. EU Declaration of Conformity and CE Marking - Once the conformity assessment has been completed, the manufacturer shall draw up the EU Declaration of Conformity that states that the essential cybersecurity requirements prescribed by the CRA have been demonstrated. By drawing up the EU Declaration of Conformity, the manufacturer assumes responsibility for the compliance of the PDE. In addition, manufacturers are to affix the CE marking to PDEs.
5. Reporting obligations – If a manufacturer becomes aware of any actively exploited vulnerability contained in a PDE, or of any severe incident having an impact on the security of the PDE, it shall notify the Computer Security Incident Response Team (CSIRT) and ENISA without undue delay and in any event within 24 hours of becoming aware, by way of an early warning notification. Further phased reporting obligations follow the early warning notification.
Key Dates
The CRA was adopted on 10 October 2024 and will enter into force 20 days after its publication in the Official Journal. Most of the CRA’s provisions will apply 36 months after the date on which it enters into force, with some provisions applying sooner:
- Article 14 (Reporting obligations of manufacturers) will apply 21 months after the CRA enters into force.
- Chapter IV (Notification of Conformity Assessment Bodies) will apply 18 months after the CRA enters into force.
CER Directive
What is it?
On 16 January 2023, the Critical Entities Resilience Directive[15] (“CER Directive”) entered into force. The CER Directive is aimed at ensuring the continuous provision of essential services to citizens by strengthening the resilience of critical entities against a range of threats, including natural hazards, terrorist attacks, insider threats, sabotage and public health emergencies.
Who is within scope?
The European Commission has adopted[16] a list of essential services, in the 11 sectors covered by the CER Directive, that are crucial for the maintenance of vital societal functions, economic activities, public health and safety or the environment:
- Energy sector – Services such as supply of electricity, energy storage, generation of energy, district heating operators, gas suppliers and distributors, transmission of gas and storage of gas.
- Transport sector - Services such as traffic management control for roads, operators of intelligent transport systems for the roads subsector and public transport passenger services.
- Banking sector – Essential services such as taking deposits and lending.
- Financial market infrastructure sector - Services such as the operation of trading venues and of clearing systems.
- Health sector – Services provided by EU reference laboratories, entities carrying out R&D for medicinal products, manufacturers of basic pharmaceutical products and pharmaceutical preparations, certain medical device manufacturers and distributors of medicinal products.
- Drinking water sector - Drinking water supply and drinking water distribution.
- Waste water - Waste water collection, treatment and disposal services.
- Digital infrastructure sector - Services such as the provision and operation of internet exchange point service, domain name system (DNS) service, top-level domain registries, cloud computing providers, data centres, content delivery networks, providers of electronic communications services and providers of public electronic communications networks.
- Public administration sector – Services provided by public administration entities.
- Space sector – Operation of ground-based infrastructure services.
- Production, processing and distribution of food sector - Large-scale industrial food production and processing, food supply chain services and food wholesale distribution services.
By 17 July 2026, each Member State is to identify the critical entities within the sectors and subsectors outlined in the CER Directive.
Key obligations
Some of the obligations under the CER Directive include:
- Risk assessments – Both Member States and critical entities are required to conduct regular risk assessments. These assessments must consider all relevant risks, whether natural or man-made, that could disrupt the provision of essential services. Member States must report their findings to the European Commission.
- Resilience measures for critical entities – Member States are to ensure that critical entities take appropriate and proportionate technical, security and operational measures to ensure their resilience based on the risk assessments. Measures can include adequate physical protection of premises and critical infrastructure, business continuity measures, employee security management and security awareness and training.
- Incident notification – Member States are to ensure that critical entities notify their competent authority, without undue delay, of incidents that significantly disrupt or have the potential to significantly disrupt the provision of essential services. Unless they are operationally unable to do so, the initial notification must be submitted by critical entities within 24 hours of becoming aware of the incident. A detailed report may follow within 1 month, where relevant.
- Strategy on Resilience of Critical Entities – By 17 January 2026, each Member State shall adopt a strategy for enhancing the resilience of critical entities. The strategy shall contain, amongst other things: (i) strategic objectives and priorities; (ii) a governance framework; (iii) a description of the resilience measures for critical entities; (iv) a description of the process for identifying critical entities; (v) a description of the process for supporting critical entities (including measures to enhance cooperation between the public sector and private sector and between public and private entities); and (vi) a list of the main authorities and relevant stakeholders (other than critical entities) involved in implementing the strategy. During June to July 2021, the Department of Defence ran a public consultation on the CER Directive, which will likely be taken into account in Ireland’s strategy. The strategy is to be communicated to the European Commission within 3 months of its adoption.
Key date:
The CER Directive is to be transposed into Irish law by 17 October 2024. However, no heads of Bill or Bill have been published yet.
For more information, please contact the key contacts below from the Technology and Innovation Group.
Also contributed to by Lisa Leonard
1. Directive (EU) 2022/2555.
2. Directive (EU) 2016/1148.
3. European Union (Measures for a High Common Level of Security of Network and Information Systems) Regulations 2018 (S.I. No. 360/2018).
4. The European Supervisory Authorities comprise: the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA).
5. Directive (EU) 2015/2366.
6. Directive 2009/110/EC.
7. ‘ICT services’ are defined in DORA as “digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services”.
8. Under Article 31(6) of DORA, the European Commission is empowered to adopt a delegated act to further specify the criteria for designating an ICT third-party service provider as ‘critical’. On 30 May 2024, the ‘Commission Delegated Regulation (EU) 2024/1502 on further specifying the criteria for the designation of ICT third-party service providers as critical’ was published in the Official Journal.
9. Regulation (EU) 2019/881.
10. ENISA was first established in 2004 by Regulation (EC) No. 460/2004 with the purpose of contributing to the goals of ensuring a high and effective level of network and information security within the EU and developing a culture of network and information security for the benefit of consumers, enterprises and public administrations. ENISA’s mandate was subsequently extended on a number of occasions by a series of regulations, the last being Regulation (EU) No 526/2013 in 2013, which extended ENISA’s mandate until 19 June 2020.
11. A product with digital elements (PDE) is defined, in Article 2(1) of the CRA, as “a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately”.
12. Examples of Class I PDEs include identity management systems; password managers; VPNs; network management systems; SIEM systems; public key infrastructure and digital certificate issuance software; operating systems; smart home virtual assistants (general purpose); smart home products with security functionalities (e.g. baby monitors and alarm systems); certain Internet-connected toys; and certain personal wearables.
13. Class II PDEs include firewalls; operating systems for servers; intrusion detection or prevention systems; and tamper-resistant micro-controllers and micro-processors.
14. Critical PDEs include hardware devices with security boxes; smart meter gateways within smart metering systems; and smartcards or similar devices.
15. Directive (EU) 2022/2557.
16. Commission Delegated Regulation (EU) 2023/2450 supplementing Directive (EU) 2022/2557 by establishing a list of essential services.
This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.