Cyber Security Legislation

"Directive 2016/1148 of the European Parliament and of the Council of 6th July 2016 concerning measures for a high common level of security of network and information systems across the Union" was published in the Official Journal of the EU in July 2016.

The objectives of the Directive are to be achieved by:

  • requiring Member States, including Ireland, to increase their preparedness and have a minimum set of cyber security capabilities at regulatory and operational levels, encompassing national strategies, National Competent Authorities (NCAs) and national Computer Security Incident Response Teams (CSIRTs).
  • establishing formal EU co-operation arrangements at both strategic and operational levels, namely a co-operation group and a CSIRT network, between the Member States to improve mutual collaboration on cyber security.
  • requiring identified "operators of essential services" (digital infrastructure, energy, transport, finance, health, water supply) to take appropriate and proportionate technical and organisational measures to manage security risks, to report serious incidents to NCAs and to comply with instructed requirements of NCAs.
  • requiring digital service providers (online/e-commerce marketplaces, online search engines, cloud computing services) to take appropriate and proportionate technical and organisational measures to manage security risks, to report particular incidents to NCAs and to comply with requirements of NCAs.

Directive Implications

The Directive will have direct implications for many firms and utilities in the State. Many of these firms and utilities are to be designated as 'operators of essential services' with security obligations and incident reporting requirements binding on them. These will include:

  • electricity, gas and oil companies
  • airlines, shipping firms, ports and airports
  • rail and road authorities, traffic management authorities
  • banks, other credit institutions, some financial intermediaries
  • hospitals and clinics
  • water distribution and Internet-based companies

The Directive will also result in Ireland having to regulate particular multinational corporations that have their European headquarters based in Ireland and provide digital services in Europe. These digital services are online/e-commerce marketplaces, online search engines and cloud computing services.