Cybersecurity is a key focus and business-critical concern for Irish businesses at the highest level. Ireland’s imminent Presidency of the Council of the European Union is expected to increase exposure to cyberattacks as the government handles more sensitive data.
Accordingly, there will be an increased need for cybersecurity vigilance by businesses during the Presidency. It is essential that businesses take steps now to carry out a gap analysis and ensure compliance with relevant cybersecurity laws, including the NIS 2 Directive (“NIS 2”), which is due to be implemented into Irish law shortly.
Ireland’s director of the National Cyber Security Centre (“NCSC”), Richard Browne, has been reported as warning that he expects cyberattacks during the Irish EU presidency to focus on trying to cause “reputational” damage to the EU and Ireland. It is hoped that the NCSC will have the necessary enforcement powers to deal with these threats, including from increasingly sophisticated AI models, via the National Cyber Security Bill, once implemented. That Bill will transpose NIS 2 into national law.
To date, only the General Scheme of the National Cyber Security Bill (“General Scheme”) has been published. Ireland has opted for a federated regulatory regime for NIS 2. This means that the NCSC shall act as lead competent authority: a central coordinator that provides advice, guidance and support, develops regulatory frameworks and tools, and acts as the central authority for engagement with the European Commission, EU bodies and agencies, and other Member States. The General Scheme identifies the other competent authorities in Ireland responsible for enforcing NIS 2, as set out below.
| Competent Authority | NIS 2 Sector |
| --- | --- |
| Commission for the Regulation of Utilities (“CRU”) | Energy; Drinking Water; Waste Water |
| Commission for Communications Regulation (“ComReg”) | Digital Infrastructure; ICT Service Management; Space; Digital Providers |
| Central Bank of Ireland (“CBI”) | Banking; Financial Markets |
| Irish Aviation Authority (“IAA”) | Transport – Aviation |
| Commission for Rail Regulation (“CRR”) | Transport – Rail |
| Minister for Transport | Transport – Maritime |
| National Transport Authority (“NTA”) | Transport – Road |
| An Agency or Agencies under the remit of the Minister for Health | Health |
| NCSC | All other in-scope entities |
The Minister for Environment, Climate and Communications may make Regulations (secondary legislation) to designate additional competent authorities, as required.
Companies are reminded that Article 20 of NIS 2 requires that ‘management bodies’ approve the implementation, and oversee such implementation, of cybersecurity risk management measures. NIS 2 expressly provides that management bodies can be held liable for infringements by the company of that obligation (further discussed here). The National Cyber Security Bill will provide clarity on how Ireland intends to hold management bodies accountable for NIS 2 obligations. Management bodies should take action now to ensure that the company is prepared and ready to comply with NIS 2.
Our FAQs on NIS 2, including its national implementation, are available here. The Irish Government’s Legislation Programme for Summer 2026 lists the National Cyber Security Bill for priority publication, but it remains to be seen whether it will be published before the summer recess.
