Ireland must implement EU security laws by October

Transport is one of the 11 sectors mentioned in the directive.
Ireland must identify services that are crucial to the country’s functioning and ensure security measures are in place to deter threats to them by this October.
The EU Critical Entities Resilience Directive obliges the Government to conduct risk assessments to identify agencies and bodies covered by it and draft a “national resilience strategy”.
It must also ensure that each of the 11 sectors mentioned in the directive establishes enforcement and reporting mechanisms.
The sectors are energy; transport; banking; financial market infrastructure; health; drinking water; digital infrastructure; public administration; space; and the large-scale production and distribution of food.
The scope of the directive includes gas and oil pipelines, energy connectors and the projected growth in offshore wind turbines as well as communication and data sub-sea cables.
The Department of Defence is the lead agency to drive and coordinate implementation of the directive.
It said that, apart from itself, there are 10 government departments that come under the remit of the directive, as well as the public administration sector.
“This directive creates a framework to support member states in ensuring that critical entities are able to prevent, resist, absorb and recover from disruptive incidents, whether they are caused by natural hazards, accidents, terrorism, insider threats, or public health emergencies,” said a Department of Defence information note.
It said, once identified, the critical entities have to conduct their own risk assessments and take “technical, security and organisational” measures to boost their resilience and to report incidents.
The department said the estimated cost to staff the various competent authorities would be €6m annually.
Commenting, Professor Andrew Cottey of the Department of Government and Politics in UCC, said: “The fact that the Irish government has made the Department of Defence the lead government department on this and is planning to invest €6mn annually suggests that the government is aware that Ireland has particular vulnerabilities in relation to seabed and sea surface infrastructure, such as internet cables, electricity interconnectors and windfarms, and that the Defence Forces need to play a role in addressing these vulnerabilities.”
The Department of Defence said this directive was being implemented in tandem with the Network and Information Systems Directive (NIS2) – the new EU cybersecurity law, also to be implemented by October.
The Department of Communications is responsible for NIS2, and its information note said the directive expands the scope to new sectors and entities and increases the resilience of agencies.
The directive increases reporting requirements, and a greater range of incidents has to be reported, with increased supervision and enforcement.
Cyber expert Brian Honan said: “The goal of NIS2 is to ensure that those entities that it applies to have conducted effective risk assessments and have appropriate cybersecurity controls in place.
“Regulated entities will also need to report breaches to the appropriate regulator and have effective measures to respond and deal with a cyber attack.”