Thursday, December 26, 2024 | Jumada al-akhirah 24, 1446 H
broken clouds
weather
OMAN
22°C / 22°C
EDITOR IN CHIEF- ABDULLAH BIN SALIM AL SHUEILI

Ireland slow to incorporate EU cybersecurity law

minus
plus

Ireland looks set to miss the October 17 deadline to transpose the EU’s Network and Information Security Directive (NIS2) , regarded as important in helping to prevent cybersecurity incidents and IT attacks. The legislation to enact the critical cybersecurity measures has not been introduced in time for the law to take effect in October, say industry experts. It may not now be enacted in 2024.


NIS2 makes company directors potentially responsible for cybersecurity incidents, incentivising companies to ensure that their processes are safe and up to code.


It is described by the Department of Communications, which is responsible for steering the directive into Irish law, as “a major step forward for cyber resilience in Europe” which will “enhance cyber-risk management across the EU” and “generate significant improvement in our capacity to respond to major incidents”. However, Ireland now looks set to miss out because of the late publication of the legislative bill.


“The minister or the department cannot pre-empt the outcome or the length of time the legislative process will take,” said a spokesperson for the Department of Communications.


“That is a matter solely for the Oireachtas (the President and house of representatives who make laws for Ireland).” The departmental spokesperson added that “significant work” is ongoing around the transposition of NIS2 into Irish law, via the National Cyber Security Bill 2024, and added that there is “ongoing engagement with industry, sectoral entities, and the public administration sector.


To date, the spokesperson said, the Government has approved the designation of “national competent authorities” for each of the sectors set out in the cybersecurity directive. The National Cyber Security Centre has been appointed as the lead national competent authority and will be a “central coordinator” for “advice guidance and support” including “development of regulatory framework and tools to assist the other competent authorities”.


While Ireland looks set to miss the transposition deadline, that doesn’t mean the Irish companies should think they don’t have to get ready for compliance, says Nicola Barden, a senior associate at the law firm Pinsent Masons.


“If Ireland misses the implementation deadline, it seems likely that the legislation will pass soon after,” she added. “Businesses should not take the missed implementation deadline as an opportunity for non-compliance. They should still take steps, to the extent possible, to meet the requirements, using the information they have in the bill.” However, she warned that the current general scheme of the National Cyber Security Bill 2024, published on August 30, “is at a very early stage of the legislative process” with a wait for completion likely.


“It still has to be brought before the Oireachtas and is subject to legal scrutiny and possible changes. Having said that, we are further along the legislative process than some other member states, such as Germany and Spain, which have not yet published the implementing legislation.” She added: “The good news for Irish businesses is that they have draft legislation to review to help them prepare and determine if they are caught by NIS2.” The EU also have a gripe with Ireland on another issue and as such the European Commission has opened infringement procedures against the country for allegedly not fully transposing a directive on insolvency into law.


Brussels sent a letter of formal notice to Ireland on September 26, accusing the country of not meeting a July 17 deadline to set out how it plans to introduce electronic communications for three aspects of insolvency.


The Directive on Restructuring and Insolvency put an obligation on EU states to make sure that the parties involved in cases of insolvency and the discharge of debt, including the practitioner and the judicial or administrative authority, can do certain things electronically. These include filing of claims, submission of restructuring or repayment plans, and the notifications to creditors. Ireland and Austria have been accused of failing to notify Brussels of what steps they plan to take.


SHARE ARTICLE
arrow up
home icon