European Union (Resilience of Critical Entities) Regulations 2024

• Year: 2024

STATUTORY INSTRUMENTS

S.I. No.559of2024

European Union (Resilience of Critical Entities) Regulations 2024

Notice of the making of this Statutory Instrument was published in

“Iris Oifigiúil” of 25 th October, 2024.

TABLE OF CONTENTS

Regulation PART 1 PRELIMINARY AND GENERAL 1. Citation and commencement 2. Interpretation PART 2 SCOPE OF REGULATIONS 3. Non-application of Regulations 4. Safeguarding of essential functions of State PART 3 ADMINISTRATION 5. Sharing of information 6. Funding of competent authorities and critical entities PART 4 SINGLE POINT OF CONTACT AND COMPETENT AUTHORITIES 7. Single point of contact 8. Designation of competent authorities 9. Functions of competent authorities PART 5 NATIONAL STRATEGY ON RESILIENCE OF CRITICAL ENTITIES 10. National Strategy on the Resilience of Critical Entities PART 6 CRITICAL ENTITIES 11. National risk assessment 12. Identification of critical entities 13. Critical entities list 14. Cancellation of identification as critical entity on request of critical entity 15. Critical entity risk assessments 16. Resilience and security requirements in respect of critical entities 17. Background checks 18. Incident notification by critical entities PART 7 CRITICAL ENTITIES OF PARTICULAR EUROPEAN SIGNIFICANCE 19. Identification of critical entities of particular European significance 20. Co-operation with other Member States 21. Advisory missions PART 8 GUIDANCE 22. Guidance PART 9 IMPLEMENTATION AND ENFORCEMENT 23. Inspections, supervision and enforcement 24. Safeguards PART 10 AUTHORISED OFFICERS 25. Appointment of authorised officers 26. Powers of authorised officers 27. Compliance notice PART 11 INFORMATION NOTICES 28. Information notice PART 12 FINAL PROVISIONS 29. Service of documents, etc. 30. Penalties 31. Costs of prosecutions 32. Prosecution of offences: critical entities 33. Hearing of proceedings otherwise than in public 34. Review of Regulations by Minister SCHEDULE SECTORS, SUBSECTORS AND CATEGORIES OF ENTITIES

I, MICHEÁL MARTIN, Minister for Defence, in exercise of the powers conferred on me by section 3 of the European Communities Act 1972 (No. 27 of 1972), for the purpose of giving full effect to Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 1, and further effect to Commission Delegated Regulation (EU) 2023/2450 of 25 July 2023 2, hereby make the following regulations:

PART 1

PRELIMINARY AND GENERAL

Citation and commencement

1. (1) These Regulations may be cited as the European Union (Resilience of Critical Entities) Regulations 2024.

(2) These Regulations shall come into operation on 17 October 2024.

Interpretation

2. (1) In these Regulations—

“authorised officer” means a person appointed under Regulation 25(1);

“banking sector” means the entities specified at entry no. 3 in column (1) of the Table set out in the Schedule;

“Central Bank” means the Central Bank of Ireland;

“competent authority”, in relation to a critical entity, means the entity designated as a competent authority in the State under Regulation 8(2) in respect of the sectors referred to in that Regulation;

“competent authority in another Member State” means an entity designated as a competent authority by a Member State (other than the State) for the purposes of the Directive;

‘critical entity’ means—

(a) a public or private entity which has been identified in accordance with Regulation 12 as belonging to one of the categories of entities specified in column (3) of the Table set out in the Schedule, and

(b) for the purposes of the public administration sector, the entities specified at entry no. 9 in column (1) of the Table set out in the Schedule;

“critical entities list” means the compiled list of critical entities of the State identified by competent authorities in accordance with Regulation 13;

“Critical Entities Resilience Group” means the group established under Article 19(1) of the Directive;

“Delegated Regulation” means Commission Delegated Regulation (EU) 2023/2450 of 25 July 2023 2supplementing Directive (EU) 2022/2557 of the European Parliament and of the Council by establishing a list of essential services;

“digital infrastructure sector” means the entities specified at entry no. 8 in column (1) of the Table set out in the Schedule;

“Directive” means Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 1on the resilience of critical entities and repealing Council Directive 2008/114/EC;

“DORA Regulation” means Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 3on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011;

“drinking water sector” means the entities specified at entry no. 6 in column (1) of the Table set out in the Schedule;

“enactment” means—

(a) an Act of the Oireachtas,

(b) a statute that was in force in Saorstát Éireann immediately before the date of the coming into operation of the Constitution and that continues in force by virtue of Article 50 of the Constitution, or

(c) an instrument made under an Act of the Oireachtas or a statute referred to in paragraph (b);

“energy sector” means the subsectors and entities specified at entry no. 1 in column (1) of the Table set out in the Schedule;

“essential service” means a service which is crucial for the maintenance of vital societal functions, economic activities, public health and safety, or the environment;

“European significance” shall be construed in accordance with Article 17 of the Directive;

“financial market infrastructure sector” means the entities specified at entry no. 4 in column (1) of the Table set out in the Schedule;

“food production, processing and distribution sector” means the entities specified at entry no. 11 in column (1) of the Table set out in the Schedule;

“General Data Protection Regulation” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 4on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;

“health sector” means the entities specified at entry no. 5 in column (1) of the Table set out in the Schedule;

“incident” means an event which has the potential to significantly disrupt, or that disrupts, the provision of an essential service, including when it affects the national systems that safeguard the rule of law;

“liaison officer” means a person designated by a critical entity under Regulation 16(10);

“Minister” means the Minister for Defence;

“Minister responsible” means the following:

(a) in relation to the exercise by a Minister of the Government of any powers, functions or duties vested in him or her by virtue of any enactment in respect of a sector or subsector, that Minister;

(b) in relation to the administration and business of the public service by virtue of any enactment by a Department of State in respect of a sector or subsector, the Minister of the Government having charge of that Department;

“national risk assessment” means the National Risk Assessment of Ireland prepared by the Minister, from time to time, and published on a website maintained by the Minister, which—

(a) fulfils the requirements of the Member State risk assessment within the meaning of Article 5(1) of the Directive, and

(b) fulfils the requirements of a general risk assessment carried out pursuant to Article 6(1) of Decision No. 1313/2013/EU of the European Parliament and of the Council of 17 December 2013 5;

“National Strategy on the Resilience of Critical Entities” means the national strategy prepared and adopted by the Minister under Regulation 10;

“NIS 2 Directive” means Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 6on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148;

“personal data” has the meaning given to it in Article 4 of the General Data Protection Regulation;

“public administration sector” means the entities specified at entry no. 9 in column (1) of the Table set out in the Schedule;

“railway” has the meaning given to it in section 2 (1) of the Railway Safety Act 2005 (No. 31 of 2005);

“resilience” means a critical entity’s ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident;

“risk” means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;

“risk assessment” means the overall process for determining the nature and extent of a risk by identifying and analysing potential relevant threats, vulnerabilities and hazards which could lead to an incident and by evaluating the potential loss or disruption of the provision of an essential service caused by that incident;

“sector” shall be construed in accordance with the Annex to the Directive;

“significant disruptive effect” shall be construed in accordance with Article 7 of the Directive;

“single point of contact” means the person designated as the single point of contact in the State under Regulation 7;

“single point of contact in another Member State” means the person designated as the single point of contact in a Member State (other than the State) for the purposes of the Directive;

“space sector” means the entities specified at entry no. 10 in column (1) of the Table set out in the Schedule;

“subsector” shall be construed in accordance with the Annex to the Directive;

“transport sector” means the subsectors and entities specified at entry no. 2 in column 1 of the Table set out in the Schedule;

“Union” means the European Union;

“waste water sector” means the subsectors and entities specified at entry no. 7...