Cybersecurity · Ireland
Cybersecurity regulation in Ireland (2026)
Ireland shaded by its cybersecurity status
Ireland has not yet enacted a single comprehensive horizontal cybersecurity law; obligations today arise from a patchwork of in-force sectoral/EU instruments (NIS1 for operators of essential services and digital service providers, DORA for finance, GDPR for personal-data breaches). The EU NIS2 Directive's transposition deadline of 17 October 2024 was missed, and the implementing National Cyber Security Bill 2024 remains a priority Bill expected to be enacted in 2026. The NCSC is designated as lead national competent authority and CSIRT, with sectoral regulators acting as competent authorities.
Key points
Ireland missed the 17 October 2024 NIS2 transposition deadline; the General Scheme of the National Cyber Security Bill 2024 was published 30 August 2024 and the Bill remains a government legislative priority expected to pass in 2026.
The National Cyber Security Centre will be the lead national competent authority and national CSIRT for NIS2, responsible for managing large-scale cybersecurity incidents and crises.
Designated sectoral regulators include ComReg (communications), the Central Bank of Ireland (finance), the Commission for Regulation of Utilities (energy), the Irish Aviation Authority and the National Transport Authority.
Once transposed, in-scope essential/important entities must file an early warning to the NCSC within 24 hours of awareness of a significant incident, with follow-up reports and notification of affected service recipients without undue delay. Registration/reporting portals remain inactive until the Bill is enacted.
Under GDPR, controllers must notify the Data Protection Commission within 72 hours of becoming aware of a personal-data breach that poses a risk to individuals, and notify affected individuals without undue delay where the risk is high.
The EU Digital Operational Resilience Act applies directly since 17 January 2025, imposing ICT risk management, resilience testing, third-party oversight, and major ICT-incident reporting (initial notification within hours, with intermediate and final reports) on banks, insurers and other financial entities; the Central Bank of Ireland is the supervisor.
Timeline - major decisions & events
Ireland's National Cyber Security Centre released its most detailed national cyber risk review to date, warning of escalating nation-state activity (notably China- and Russia-aligned actors), supply-chain risk, and cascading cross-sector impacts. It frames the threat picture driving Ireland's expanding cybersecurity obligations.
Department of Justice / NCSC (gov.ie) ↗The EU Digital Operational Resilience Act (Regulation 2022/2554) became directly applicable, imposing ICT risk-management, incident-reporting, resilience-testing and third-party oversight duties on banks, insurers, investment firms and others. The Central Bank of Ireland is the competent supervisor, including for Threat-Led Penetration Testing.
Central Bank of Ireland ↗The EU deadline to transpose the NIS2 Directive (EU 2022/2555) lapsed while Ireland was still drafting its enabling legislation, leaving the expanded obligations not yet in domestic force. It marked a compliance gap that the National Cyber Security Bill is intended to close.
NCSC Ireland ↗The government published the heads of the Bill to transpose NIS2, placing the NCSC on a statutory footing for the first time, designating sectoral competent authorities, and introducing tight incident-reporting timelines (24-hour early warning). It expands regulatory scope from roughly 450 to several thousand entities.
Department of Justice (gov.ie) ↗Ireland's Health Service Executive suffered the most significant cyberattack on an Irish state body, shutting down nationwide health IT for weeks with recovery costs exceeding €100m. The incident reshaped national cyber resilience priorities and investment in the NCSC.
Health Service Executive ↗Ireland's second national strategy set out a broader framework for protecting critical infrastructure, growing the NCSC, and deepening EU/international cooperation, building on operational experience since 2015. It guided the country's cyber policy through the NIS1 era and the HSE attack response.
NCSC Ireland ↗S.I. No. 360/2018 implemented the original NIS Directive, imposing security and 72-hour incident-notification duties on Operators of Essential Services and Digital Service Providers, with fines up to €500,000. This established Ireland's first sector-wide statutory cybersecurity obligations.
Irish Statute Book ↗Ireland's first dedicated cybercrime statute created offences for unauthorised access, interference and interception of information systems, fulfilling obligations under the Budapest Convention and EU Directive 2013/40/EU. It gave law enforcement new search-and-seizure powers for cyber offences.
Irish Statute Book ↗The government formally established the National Cyber Security Centre (building on CSIRT-IE) and published Ireland's first National Cyber Security Strategy (2015-2017). This created the institutional foundation for national incident response and critical-infrastructure protection.
NCSC Ireland ↗Ireland - other topics
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above. Explore the full world map →