On 25 October 2024, the Irish Government promulgated the European Union (Resilience of Critical Entities) Regulations 2024 SI 559/2024 (the “Regulations”). This statutory instrument implements the Critical Entities Resilience Directive (EU) 2022/2557 and aims to strengthen the resilience of so-called “critical entities” in Ireland, ensuring they can withstand and recover from various disruptions.
Key Highlights of the Regulations:
Scope and Application: The regulations will apply to a wide range of critical entities which have been designated as such by a competent authority (or which fall into the categories listed in the Regulations). It will include entities in the banking sector, energy, transport, and health services. Competent authorities must decide which entities they supervise should be counted as critical entities within 21 months of the entry into force of the Regulations, and those entities will be notified of their designation within one month of identification being made by a competent authority. The requirements then apply to critical entities from the date 10 months after their notification.
- National Strategy: A National Strategy on the Resilience of Critical Entities will be developed to provide a comprehensive framework for enhancing the resilience of these entities. This strategy will include risk assessments, identification of critical entities, and measures to improve their resilience.
- Competent Authorities: The regulations designate sector-specific competent authorities responsible for overseeing the implementation of the regulations. These existing regulators will have the power to conduct inspections, enforce compliance, and issue guidance to critical entities.
- Background Checks: The Regulations allow for the Minister to provide for circumstances in which a designated critical entity to carry out background checks, including criminal record checks.
- Incident Notification: Critical entities are required to notify the competent authorities of any incidents that could significantly disrupt their operations. This will enable timely responses and mitigate the impact of such incidents.
- Cooperation with Other Member States: The Regulations emphasize the importance of cooperation with other EU member states to enhance the resilience of critical entities across Europe. This includes sharing information, conducting joint risk assessments, and participating in advisory missions.
- Penalties and Enforcement: The Regulations outline penalties for non-compliance, including fines and other enforcement measures. Competent authorities are empowered to take necessary actions to ensure compliance and protect the public interest.
Conclusion
The Regulations represent a significant step in the Irish cybersecurity regulatory landscape, towards enhancing the resilience of critical entities. Any overlap with DORA and NIS 2 appears to be dealt with by way of a broad carve-out for entities already within the scope of that legislation, but the precise implementation remains to be seen.
Please get in touch with Carlo Salizzo, Ian O'Mara, Anne-Marie Bohan, Davinia Brennan, Deirdre Crowley, Connor Cassidy, Sarah Jayne Hanna or your usual Matheson contact, should you require further information in relation to the material referred to in this insight.