Cybersecurity · Ireland

Sectoral rules: Network and Information Systems regime led by the National Cyber Security Centre (NCSC). Current in-force obligations are instrument/sector-specific: the NIS1 Regulations (S.I. No. 360/2018), the EU DORA Regulation for financial entities, and GDPR breach rules. The comprehensive NIS2-style National Cyber Security Bill 2024 is still pending enactment.

Ireland has not yet enacted a single comprehensive horizontal cybersecurity law; obligations today arise from a patchwork of in-force sectoral/EU instruments (NIS1 for operators of essential services and digital service providers, DORA for finance, GDPR for personal-data breaches). The EU NIS2 Directive's transposition deadline of 17 October 2024 was missed, and the implementing National Cyber Security Bill 2024 remains a priority Bill expected to be enacted in 2026. The NCSC is designated as lead national competent authority and CSIRT, with sectoral regulators acting as competent authorities.

NIS2 not yet transposed

Ireland missed the 17 October 2024 NIS2 transposition deadline; the General Scheme of the National Cyber Security Bill 2024 was published 30 August 2024 and the Bill remains a government legislative priority expected to pass in 2026.

Lead authority: NCSC

The National Cyber Security Centre will be the lead national competent authority and national CSIRT for NIS2, responsible for managing large-scale cybersecurity incidents and crises.

Sectoral competent authorities

Designated sectoral regulators include ComReg (communications), the Central Bank of Ireland (finance), the Commission for Regulation of Utilities (energy), the Irish Aviation Authority and the National Transport Authority.

NIS2 incident reporting (pending)

Once transposed, in-scope essential/important entities must file an early warning to the NCSC within 24 hours of awareness of a significant incident, with follow-up reports and notification of affected service recipients without undue delay. Registration/reporting portals remain inactive until the Bill is enacted.

GDPR personal-data breach notification (in force)

Under GDPR, controllers must notify the Data Protection Commission within 72 hours of becoming aware of a personal-data breach that poses a risk to individuals, and notify affected individuals without undue delay where the risk is high.

DORA for financial entities (in force)

The EU Digital Operational Resilience Act applies directly since 17 January 2025, imposing ICT risk management, resilience testing, third-party oversight, and major ICT-incident reporting (initial notification within hours, with intermediate and final reports) on banks, insurers and other financial entities; the Central Bank of Ireland is the supervisor.

Machine-assisted translation · verified 5/23/2026 · orientation, not legal advice.