NIS2 FAQs

The NIS2 Directive states that it should be possible for Member States to designate or establish more than one National Competent Authority with different roles or supervising different sectors.

The Irish Government will designate the National Cyber Security Centre as lead National Competent Authority for the NIS2 Directive and will also designate ComReg and multiple other bodies as sectoral National Competent Authorities for the NIS2 Directive.

The Irish Government will designate ComReg as the National Competent Authority for the NIS2 Directive for the following sectors:

• Digital Infrastructure:
  • Internet exchange point providers
  • DNS service providers (excluding the operators of root name servers)
  • TLD name registries
  • Cloud computing service providers
  • Data centre service providers
  • Content delivery network providers
  • Trust service providers
  • Providers of public electronic communications networks
  • Providers of publicly available electronic communication services
• ICT Service Management (Business to Business):
  • Managed service provider
  • Managed security service provider
• Digital Providers:
  • Providers of online marketplaces
  • Providers of online search engines
  • Providers of social networking services platforms
• Space

ComReg awaits transposition to finalise its functions and obligations. However, it is expected that ComReg’s core roles will be supervision and enforcement of the requirements of NIS2 for entities within the Digital Infrastructure, ICT Service Management (Business to Business), Space and Digital Providers sectors.

ComReg is collaborating with the National Cyber Security Centre and other sectoral National Competent Authorities as part of the National Competent Authority Forum to assist preparation for new NIS2 functions and obligations. ComReg is also engaging with the Department of the Environment, Climate and Communications as part of the transposition of the NIS2 Directive regarding ComReg’s functions as National Competent Authority under NIS2.

ComReg, alongside the National Cyber Security Centre, participated in the EU Comitology procedure in which a committee, consisting of delegates from Member States, conducted an examination of the Commission Implementing Regulation and assisted in defining the measures and criteria ahead of its adoption by the European Commission.

ComReg is also an active participant in the NIS2 Cooperation Group. The Cooperation Group’s overall mission is to achieve a high common level of security for network and information systems in the European Union. It supports and facilitates the strategic cooperation and the exchange of information among EU Member States.

The NIS2 Directive, Directive 2022/2555, was published in December 2022.

The National Cyber Security Bill 2024 will be the mechanism for transposing the NIS2 Directive into Irish law. When the bill transposing the NIS2 Directive is enacted it will be available on the Irish Statute Book.

On 30 August 2024, the Irish government published the General Scheme of the National Cyber Security Bill 2024. Publishing the General Scheme of the National Cyber Security Bill is the initiation of the legislative process to transpose the NIS2 Directive into Irish law and it provides an indication of what will be in the legislation.

Under the NIS2 Directive, the European Commission published the Commission Implementing Regulation (EU) 2024/2690 on 18^th October 2024. The Commission Implementing Regulation lays down the technical and the methodological requirements of cyber security risk-management measures referred to in Article 21(2) of the NIS2 Directive (EU) 2022/2555 and further specifies the cases in which an incident shall be considered to be significant as referred to in Article 23(3) of the NIS2 Directive for certain types of entities. This regulation is applicable to the following types of entities:

• DNS service providers
• TLD name registries
• cloud computing service providers
• data centre service providers
• content delivery network providers
• managed service providers
• managed security service providers
• providers of online marketplaces, online search engines, social networking services platforms
• trust service providers.

The Annex of the Implementing Regulation provides details on the technical and methodological requirements of cybersecurity risk management measures mandated under Article 21 of the NIS2 Directive. This includes information on:

• the policy on the security of network and information systems
• security of acquisition, development and maintenance of network and information systems
• risk management policy
• incident handling policy
• business continuity and crisis management measures
• the supply chain security policy
• assessing the effectiveness of risk-management measures
• basic cyber hygiene practices and security training
• cryptography
• human resources security
• access control
• asset management
• environmental and physical security.

There is useful NIS2 information on the National Cyber Security Centre’s website such as the Am I in Scope tool and the NIS2 FAQ which may help entities understand if they are in scope.

The principle of main establishment is provided for under Article 26 of the NIS2 Directive and is explained further in the National Cyber Security Centre’s NIS2 FAQ.

The scope of sectors for main establishment includes a number of sectors for which ComReg will be National Competent Authority. The impact of main establishment is that there may be entities with services in multiple member states which will be under the jurisdiction of Ireland under the NIS2 Directive. In these cases, ComReg may be required to carry out supervision and enforcement of these entities that provide services in other member states, thereby increasing the scale and complexity of ComReg’s supervision and enforcement function.

While awaiting national transposition of the NIS2 Directive, existing incident reporting obligations for providers of publicly available Electronic Communications Networks and Services pursuant to the Communications Regulation and Digital Hub Development Agency (Amendment) Act 2023 remain in place. These existing incident reporting obligations are unaffected until such time as they are amended or repealed by the legislation transposing the NIS2 Directive.

Entities’ incident reporting obligations under the NIS2 Directive will be detailed in the legislation transposing the NIS2 Directive and will take effect following national transposition. The NCSC have provided a summary of the general incident notification requirements set out under the NIS2 Directive in Section 4 of the NCSC’s NIS2 Quick Reference Guide.

The Commission Implementing Regulation defines the criteria for which incidents are to be classified as a “significant incident” in certain subsectors (see FAQ “Are there any regulations published by the European Commission?”). Reporting of “significant incidents” under the Commission Implementing Regulation will be required by entities following the national transposition of the NIS2 Directive.

The NIS2 Directive provides for significantly strengthened enforcement measures giving National Competent Authorities the ability to impose fines of up to €10 million or 2% of the company’s global turnover for findings of non-compliance.