Draft cyber defence plan says Ireland is vulnerable to hostile groups and states

Ireland’s draft cyber security strategy is out for public consultation, with a closing date of August 21. Picture: iStock

Ireland’s draft cyber security strategy is out for public consultation, with a closing date of August 21. Picture: iStock

Ireland faces a “disproportionate” cyber threat from hostile groups and states because it hosts a significant share of EU data and is home to the European headquarters of many multinational tech giants, according to Ireland’s draft cyber security strategy.

The draft document warns that while Ireland deals with a wide range of cyber activities from state-aligned cyber groups, the “greatest threat” to Irish networks comes from cybercrime groups.

The draft strategy — which has been out for public consultation — sets an ambitious range of targets between now and the end of 2030.

The strategy is, in large part, driven by the implementation of the Second EU Network and Information Security (NIS2) Directive.

This directive expands, to 18, the number of sectors that must comply.

It also obliges member states to enforce standards through supervisory and enforcement bodies, both at sector and national level.

Ireland referred to EU courts over NIS2

As reported in the Irish Examiner last week, Ireland has been referred to the European courts over its failure to implement NIS2.

Key to Ireland’s implementation of the directive is the enactment of the National Cyber Security Bill.

While the general scheme of this bill was published in August 2024, the final bill has yet to be introduced.

The Department of Justice has said that work on the bill is almost complete and that it expects to notify the European Commission of the transposition of NIS2 “by the end of 2026”.

The draft strategy says that NIS2 has “greatly enhanced” the number of entities needing to meet cyber requirements, with “an estimated 4,500 [entities] coming into the scope for supervision and enforcement”.

'Competent authorities' needed for 18 sectors

'National competent authorities' have be established — and resourced — for each of the 18 sectors, with the National Cyber Security Centre taking on the role of National Competent Authority.

In addition, the strategy states there are obligations on Ireland as the host of EU data: “Ireland will be tasked with supervising on behalf of the EU the cyber security risk management in cloud computing and other digital services providers which have their main establishment in the State, as well as taking any necessary enforcement actions."

One of the key gaps identified in the strategy is the lack of a comprehensive national sensor network for critical services, which places Ireland at risk from “malicious actors, especially state-aligned groups”.

It says these states often combine cyberattacks with information campaigns and physical acts of sabotage.

It says that without a sensor network to identify separate, but linked, incidents “the State risks missing early warning signs of a hybrid operation aimed at causing widespread disruption”.

To correct this gap, the strategy calls for the establishment of a 'National Detection Network', with an implementation date of 'Q4 2030' — some four-and-a-half years from now.

The same deadline is set for the expansion of the State’s 'cyber threat intelligence' capability — which will bring together cyber intelligence from various quarters — and a 'national cyber defence services programme' — which will strengthen cyber defences, protect democratic institutions and cyber resilience across the state.

The closing date for submissions is August 21. 

  • Cormac O’Keeffe, Security Correspondent

x

More in this section

Lunchtime News

Newsletter

Get a lunch briefing straight to your inbox at noon daily. Also be the first to know with our occasional Breaking News emails.

Cookie Policy Privacy Policy Brand Safety FAQ Help Contact Us Terms and Conditions

© Examiner Echo Group Limited