Ireland's cybersecurity authority is given the power to scan the networks of state institutions

The center will also have the power to “block or suspend” websites if they have been manipulated with the intention of causing harm to the state or other states.

The general draft of the just released National Cyber ​​Security Bill will give the NCSC a statutory role in protecting the country’s national security.

“Foreign or domestic interference”

This includes, in particular, preventing “foreign or domestic interference” in important information and network systems, including in the area of ​​information manipulation, for example through disinformation.

The Bill also imposes significant legal obligations on important and significant entities to report cybersecurity incidents to the NCSC and to conduct their own risk assessments and security plans.

The proposals give the NCSC legal powers to monitor compliance, including inspection powers and the ability to conduct searches on the basis of court orders.

It will also have the power to impose sanctions on CEOs and heads of important and essential service companies and even revoke state business licenses.

EU obligations including NIS2

The draft law comes in the context of the EU's increasing commitments in the area of ​​cybersecurity, including the implementation of the EU Network and Information Security Directive (NIS2).

The draft law published by the Ministry of Environment, Climate and Communications provides for the NCSC to become an executive authority of the ministry, thereby giving it greater independence.

However, because the centre has “a range of national security responsibilities”, the proposals state that it cannot be completely independent of the minister to whom it will report.

Regarding its expanded role, the proposals state: “The General Arrangements set out the roles of the NCSC, including national cybersecurity oversight, resilience building, information sharing (national and international) and national incident response.

Proposed NCSC scanning powers

“It also gives the NCSC specific powers to carry out a range of scanning activities to identify systems vulnerable to specific attacks. This type of activity is also required by the State under Article 11 of the NIS2 Directive.”

It said this type of review – which can also include assessments – is carried out by similar national cybersecurity organizations abroad with the aim of identifying system vulnerabilities.

“It is possible, although unlikely, that this type of review could also identify infrastructure in the state that is being used by a threat actor without the owner's knowledge,” an explanation of the bill states.

It states that with the consent of the companies concerned, the NCSC can place sensors – either physical devices or software – in the systems to collect data to help detect and combat threats.

The NCSC operates a sensor system for government entities, but a draft bill states there has been a “long-standing need” to offer this capability to other entities to manage “national security risks to critical infrastructure and services”.

Powers to combat DNS abuse

The bill also gives the NCSC the power to take action if the Domain Name System (DNS) – dubbed the “phone book” of the internet – is misused or compromised by state or criminal actors seeking to harm systems in Ireland or elsewhere.

“The state has experienced a significant number of these incidents in the period since February 2022,” it said in a statement.

It said these incidents could have “complex international elements”, with the origin and destination of the incident potentially being in different jurisdictions.

“Therefore, these powers are necessary to ensure that the territory of this State is not used as a base for attacks against other States,” says a note on the bill.

“These powers include basic powers to block or suspend certain domains found to be abusive, as well as restrictions on their use.”

While the NCSC is the national competent authority under NIS2, the draft law provides for sectoral competent authorities in key areas.

These include the Utilities Regulatory Commission, the Communications Regulatory Commission, the Central Bank of Ireland, the Aviation Authority of Ireland, the Rail Regulatory Commission, the Minister for Transport (for the maritime sector), the National Transport Authority and health authorities.