Has the CER Directive been transposed into Irish law? [1]
Yes. A statutory instrument, the European Union (Resilience of Critical Entities) Regulations 2024 (the “Irish CER Regulations”), gives effect to the CER Directive. In line with the EU deadline, the Irish CER Regulations came into effect on the 17th of October 2024.
What is the objective of the CER Directive?
The CER Directive was introduced with the aim of enhancing the resilience of critical entities that provide services which are essential for vital societal functions or economic activities in the European Union. The CER Directive seeks to minimise the impact of natural and man-made disruptive incidents in 11 key sectors:
Who will regulate the CER Directive in Ireland?
Ireland has adopted a federated and sector-focused approach to implementing the CER Directive, allocating supervisory and enforcement responsibilities to regulatory bodies across a number of sectors. The regulatory bodies tasked with overseeing the sectors that are in scope of the Irish CER Regulations are as follows:
Sector | Regulator |
---|---|
The Energy Sector | The Commission for Regulation of Utilities |
Drinking Water and Waste Water Sectors | Environmental Protection Agency |
Transport: Air | Irish Aviation Authority |
Transport: Rail and Public Transport Provided by Railway Services | Commission for Railway Regulation |
Transport: Water | Marine Survey Office |
Transport: Road and Public Transport (other than Railways provided services) | National Transport Authority |
Banking and Financial Market Infrastructure Sector* | The Central Bank |
Health Sector | Health Information and Quality Authority and The Minister of the Government |
Digital Infrastructure Sector* | Commission for Communications Regulation |
Public Administration** | Ministers of the Government |
Space Sector | The Minister of the Government |
Food Production, Processing and Distribution Sector | The Minister for Agriculture, Food and the Marine |
*The Irish CER Regulations provide that certain parts of the regulations will not apply to critical entities, or their competent authorities, in the sectors of banking, financial market infrastructure and digital infrastructure where these entities or authorities are or will be regulated by Irish laws implementing the NIS2 Directive[2] in Ireland, or under the Digital Operational Resilience Act Regulation[3] (“DORA”). There is an anomaly currently, as Ireland is late in transposing NIS2 and the National Cyber Security Bill [4] is yet to be published.
**The Irish CER Regulations do not apply to a Public Administration entity in the areas of national security, public security, defence or law enforcement.
What organisations are impacted by the Irish CER Regulations?
The Irish CER Regulations have far-reaching implications for a wide range of organisations across the 11 designated sectors mentioned above, including:
What are the deadlines for compliance?
The relevant competent authority must identify the critical entities for their sector no later than 21 months after the date of the coming into operation of the Irish CER Regulations. The identified critical entities must be notified by the relevant competent authority no later than one month following their identification.
Once notified by the relevant competent authority, the Irish CER Regulations will apply to an identified critical entity 10 months from the date of its notification, as per Regulation 12(7).
In relation to the public administration sector, entities in this sector must meet the relevant critical entity obligations by 17 June 2027.
Critical entities are required to register with the relevant competent authorities. The relevant competent authority for each critical entity must maintain a list of identified critical entities, including:
This list must be maintained and reviewed from time to time by the relevant competent authority, and in any event, must be completed no later than 17 July 2030 and every four years thereafter.
What should you do now?
Organisations that regulators determine should be regulated by the Irish CER Regulations will be required to take a number of immediate steps to safeguard compliance and enhance their resilience, depending on whether they are designated as (i) a critical entity or (ii) a critical entity of particular European significance.
Entities should first determine if any of their activities fall within one of the 11 sectors designated by the Irish CER Regulations. It is sensible to form a view as to whether this regulatory regime is likely to apply to your organisation, how the organisation may be designated, and begin compliance preparations now, rather than wait until the regulators determine which entities are in scope.
[1] Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC (the “CER Directive”)
[2] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (Text with EEA relevance)
[3] Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance)
[4] The National Cyber Security Bill 2024 - Heads of Bill