Cyber Risk Update: Ireland and the EU 2021

Ireland’s national cyber security infrastructure was recently criticised at an Oireachtas Committee hearing, with calls for a comprehensive national approach to tackling cyber risk. The high-profile cyber-attacks on the Health Service Executive earlier this year, and last year's cyberattack involving the IT company, SolarWinds, have reinforced the need for a new approach to cyber security.

Ireland’s National Cyber Security Strategy

Ireland’s National Cyber Security Strategy1 (the “National Strategy”) was published in December 2019, and followed the first national Strategy published in 2015. It is a broader and more comprehensive document than its predecessor and builds on the operational experience gained by the National Cyber Security Centre from 2015 to 2019.  A public consultation in relation to the National Strategy in early 2019 informed the revised National Strategy.

The National Strategy sets out a series of twenty measures to be taken under seven headings: developing national capacity to handle cyber security incidents; protecting critical national infrastructure; addressing public sector data and networks; skills; enterprise development; engagement and citizens. The National Strategy aims to protect the State, its people, and its critical national infrastructure from threats in the cyber security space. It also intends to develop the capacity of the State, research institutions, businesses and citizens to both better understand and manage cybersecurity challenges. The National Strategy also envisages strategic engagement by the State, at a national and international level, in support of a free, open and secure cyber space.

Key objectives at the centre of the National Strategy include continuing to improve the ability of the State to respond to and manage cyber security incidents, including those with a national security component; identifying and protecting critical national infrastructure by increasing its resilience to cyber-attack; and ensuring that operators of essential services have appropriate incident response plans in place to reduce and manage any disruption to services. The National Strategy also aims to invest in educational initiatives to prepare the workforce for advanced IT and cybersecurity careers and to raise awareness of the responsibilities of private businesses around securing their networks, devices and information and driving research and development in cyber security in Ireland, including by facilitating investment in new technology.  At the wider level, the National Strategy aims to grow engagement with international partners and organisations to ensure that cyber space remains open, secure, free and able to facilitate economic and social development.

The National Strategy does not directly address how these measures are to be funded and achieving these stated aims within the timeframe outlined will be challenging. The launch of the National Strategy was also, however, an important development as it recognised Ireland’s increasing significance in the digital economy and highlighted the role of Ireland’s National Cyber Security Centre as a key player in realising the EU’s cyber security objectives.

New EU Cybersecurity Strategy

On 16 December 2020, the European Commission and the High Representative of the Union for Foreign Affairs and Security Policy presented a new EU Cybersecurity Strategy (the “Strategy”), which outlines the EU framework to protect EU citizens and businesses from cyber threats, promote secure information systems and protect a global, open, free and secure cyberspace. The Strategy aims to establish the EU as a leader in international norms and standards in cyberspace and to strengthen EU cooperation with partners around the world to promote a secure cyberspace.

On 22 March 2021, the EU Council adopted conclusions on the EU’s Cybersecurity Strategy, highlighting a number of areas for action in the coming years (e.g., creating a network of security operation centres in the EU and applying the EU 5G toolbox measures). The conclusions may be viewed as an endorsement of the Strategy and should accelerate the Commission’s role in establishing a detailed implementation plan for the new strategy.  Some would like to see the Commission also develop a strategic European cyber diplomacy that is coherent in its supranational, democratic, and economic dimensions.

The new EU Cybersecurity Strategy contains concrete proposals for regulatory, investment and policy initiatives in three areas of EU action:

1. Resilience, technological sovereignty and leadership

The first EU-wide law on cybersecurity, the NIS Directive2, in force since 2016, will be updated with more stringent supervision measures, new sanctions and fines, and streamlined incident reporting. The Strategy aims to enhance the Directive to increase the level of cyber resilience of critical public and private sectors including energy grids, rail networks, data centres and manufacturing of medical devices and pharmaceutical products. The Commission also proposes to launch a network of Security Operations Centres across the EU, powered by artificial intelligence, to provide a ‘cybersecurity shield' for the EU, detecting signs of a cyberattack early enough to enable action.

2. Operational capacity to prevent, deter and respond

The Commission is preparing, in cooperation with the Member States, a new Joint Cyber Unit, to strengthen cooperation between EU bodies and Member State authorities responsible for preventing, deterring and responding to cyber-attacks. The EU will also aim to further enhance cyber defence cooperation and develop cyber defence capabilities, building on the work of the European Defence Agency and encouraging Member States to avail of the Permanent Structured Cooperation and the European Defence Fund.  

3. Cooperation to advance a global and open cyberspace

The EU has demonstrated its commitment to supporting the new Cybersecurity Strategy by way of a substantially increased level of investment in the EU's digital transition over the next seven years, through the next long-term EU budget and in particular the Digital Europe Programme and Horizon Europe, as well as the Recovery Plan for Europe. Member States are thereby being encouraged to avail of the EU Recovery and Resilience Facility to boost cybersecurity and match EU-level investment.

What to expect

The COVID-19 pandemic has accelerated digitalisation across all sectors in Ireland and the EU at an unprecedented scale.  Increased digitalisation also brings increased vulnerability to cyber-attacks and other malicious online activities. As network and information systems become more embedded and complex, securing these is crucial but challenging.  Cyber risk must inform economic and social priorities, both nationally and across the EU.  As a member of UN Security Council Ireland is well placed to provide leadership on cyber risk, which is now so central to geo-political developments globally and this must also be reflected in a fit for purpose strategy nationally.

Also contributed by Emily Cunningham.

  1. Department of the Environment, Climate and Communications, National Cyber Security Strategy 2019-2024 (12 December 2019).
  2. EU Directive 2016/1148 concerning measures for a high common level of security of network and information systems across the Union.

This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.