The Government is likely to transpose a critical EU cybersecurity directive into national legislation within the coming days, after the European Commission commenced early-stage infringement proceedings against 17 member states, including Ireland.

The directive is the cornerstone of the EU’s efforts to step up its overall cybersecurity and it applies binding obligations on a wide range of service operators, including in energy, financial services, transport, water suppliers, telecommunications companies and healthcare services.

Member states were obliged to do this by May 9th and so far 11 have notified the commission that they have fully transposed it.

The commission last week said it would send a formal notice to 17 member states to fully transpose the first piece of EU-wide legislation on cybersecurity, the Network and Information Systems (NIS) directive.

The State has been in the process of identifying which services qualify as critical infrastructure and will be notifying them that they have been designated as “operators of essential services” (OES) for the purposes of the directive.

Essential services

The Department of Communications, Climate Action and Environment said it had been working on the transposition of the directive since 2016. This had involved engaging with stakeholders in both the private and public sectors in relation to the identification of those operators of essential services.

It said there had also been detailed discussions with sectoral regulators and Government departments, and “a significant number of bilateral contacts with other EU member states”.

“The department has written to the approximately 60 undertakings that have been identified as potential OES, and published a consultation paper on the proposed security measures and incident reporting guidelines that these entities will have to meet once they have been formally designated,” it said.

While the organisations were not identified by the department, they are likely to include organisations such as Irish Rail, certain local authorities, ESB Networks, Gas Networks Ireland, Eirgrid, Irish Water, Transport Infrastructure Ireland, the various port companies, the Dublin Airport Authority, National Ambulance Service and the acute hospitals.

Particular risk

A draft statutory instrument has been under discussion with the office of the Parliamentary Counsel to the Government since late 2017, and it was anticipated that the transposition process would be completed in the coming days, the department said.

The Government’s National Risk Assessment published earlier this month identified the potential disruption to the State’s critical information infrastructure through a cybersecurity attack as a particular risk.

It said criminal gangs operating in different parts of the world had growing capabilities in terms of launching disruptive cyberattacks and also holding entities to ransom where they succeed in encrypting business and personal data.

Ransomware attack

“This was particularly evident from the WannaCry ransomware attack in May 2017, which caused serious disruption to a number of large organisations across the world. While in these cases the impact on Ireland was relatively minimal, the risk of further, more devastating attacks remains,” the assessment said.

“In addition to being costly, attacks could affect the availability of cash which, depending on the downtime, could have serious effects on the economy. The recent cyberattack also demonstrates the potential impact on the provision of services and on the reputation of businesses and the public service, while prolonged or repeated incidents risk creating a backlash against digitisation, with further economic consequences.”