{"id":105460,"date":"2025-04-29T10:14:15","date_gmt":"2025-04-29T10:14:15","guid":{"rendered":"https:\/\/my.legal500.com\/guides\/?post_type=comparative_guide&#038;p=105460"},"modified":"2026-04-13T13:39:57","modified_gmt":"2026-04-13T13:39:57","slug":"ireland-data-protection-cybersecurity","status":"publish","type":"comparative_guide","link":"https:\/\/my.legal500.com\/guides\/chapter\/ireland-data-protection-cybersecurity\/","title":{"rendered":"Ireland: Data Protection &amp; Cybersecurity"},"content":{"rendered":"","protected":false},"template":"","class_list":["post-105460","comparative_guide","type-comparative_guide","status-publish","hentry","guides-data-protection-cybersecurity","jurisdictions-ireland"],"acf":[],"appp":{"post_list":{"below_title":"<div class=\"guide-author-details\"><span class=\"guide-author\">Byrne Wallace Shields LLP<\/span><span class=\"guide-author-logo\"><img src=\"https:\/\/my.legal500.com\/guides\/wp-content\/uploads\/sites\/1\/2022\/05\/BWS_nostrapline_RGB-1.jpg\"\/><\/span><\/div>"},"post_detail":{"above_title":"<div class=\"guide-author-details\"><span class=\"guide-author\">Byrne Wallace Shields LLP<\/span><span class=\"guide-author-logo\"><img src=\"https:\/\/my.legal500.com\/guides\/wp-content\/uploads\/sites\/1\/2022\/05\/BWS_nostrapline_RGB-1.jpg\"\/><\/span><\/div>","below_title":"<span class=\"guide-intro\">This country specific Q&amp;A provides an overview of Data Protection &amp; Cybersecurity laws and regulations applicable in Ireland<\/span><div class=\"guide-content\"><div class=\"filter\">\r\n\r\n\t\t\t\t<input type=\"text\" placeholder=\"Search questions and answers...\" class=\"filter-container__search-field\">\r\n\t\t\t<\/div>\r\n\r\n\t\t\t\r\n\r\n\r\n\t\t\t<ol class=\"custom-counter\">\r\n\r\n\t\t\t\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please provide an overview of the legal and regulatory framework governing data 
protection, privacy and cybersecurity in your jurisdiction (e.g., a summary of the key laws; who is covered; what sectors, activities or data do they regulate; and who enforces the relevant laws).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The primary legislation governing data protection and privacy in Ireland is the Data Protection Act 2018, as amended (\u201c<strong>2018 Act<\/strong>\u201d), which gives further effect to the General Data Protection Regulation (\u201c<strong>GDPR<\/strong>\u201d) and transposes into national law Directive (EU) 2016\/680 (\u201c<strong>Law Enforcement Directive<\/strong>\u201d), which applies to the processing of personal data for law enforcement purposes. The Data Protection Acts 1988 to 2003, as amended, also still apply in certain limited circumstances.<\/p>\n<p>The Data Protection Commission (\u201c<strong>DPC<\/strong>\u201d) is the national competent authority for the regulation and enforcement of this legislation.<\/p>\n<p>The European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011, as amended (\u201c<strong>e-Privacy Regulations<\/strong>\u201d) transpose Directive 2002\/58\/EC (\u201c<strong>e-Privacy Directive<\/strong>\u201d) in Ireland. The e-Privacy Regulations outline specific rules with regard to the use of cookies, marketing communications and security of electronic communications networks and services. 
The e-Privacy Regulations were amended by the European Union (Electronic Communications Code) Regulations 2022, which increased the range of service providers falling within the scope of the legislation.<\/p>\n<p>The Data Sharing and Governance Act 2019, as amended (\u201c<strong>2019 Act<\/strong>\u201d) regulates the sharing of information, including personal data, between public bodies, provides for the establishment of base registries and the Personal Data Access Portal, and established the Data Governance Board.<\/p>\n<p>Regulation (EU) 2019\/881 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification (\u201c<strong>Cybersecurity Act<\/strong>\u201d) has direct effect in Ireland and grants a cybersecurity certification and operational cooperation mandate to ENISA, in addition to introducing an EU-wide cybersecurity certification framework for ICT products, services and processes.<\/p>\n<p>The European Union (Measures for a High Common Level of Security of Network and Information Systems) Regulations 2018 (\u201c<strong>NIS Regulations<\/strong>\u201d) transpose Directive (EU) 2016\/114 and apply a set of binding security obligations to critical infrastructure operators in the energy, healthcare, financial services, transport, water supply, digital infrastructure, and telecommunications sectors. A unit of the Department of Communications, Climate Action and Environment, the Computer Security Incident Response Team (\u201c<strong>CSIRT<\/strong>\u201d), is designated as the computer security incident response team in the State. 
The Minister for the Environment, Climate and Communications is the designated competent authority for the purposes of enforcement against providers within all sectors, including digital service providers, other than the banking and financial market infrastructure sectors, for which the Central Bank of Ireland (\u201c<strong>CBI<\/strong>\u201d) is the designated competent authority.<\/p>\n<p>The NIS Regulations apply to both Digital Service Providers (\u201c<strong>DSPs<\/strong>\u201d) and Operators of Essential Services (\u201c<strong>OES<\/strong>\u201d) in the State which are designated, either as a result of self-identification or identification by a competent authority, having regard to three cumulative criteria:<\/p>\n<ul style=\"padding-left: 0\">\n<li>Whether the entity performs a service that is \u201cessential for the maintenance of critical societal or economic activities\u201d,<\/li>\n<li>Whether the provision of that service depends on network and information systems, and<\/li>\n<li>Whether an incident would have a significant disruptive effect on the provision of the service offered.<\/li>\n<\/ul>\n<p>In practice, in comparison to the number of entities that will be subject to updated cybersecurity legislation in the State in the near future, a relatively small number of entities are subject to the provisions of the NIS Regulations.<\/p>\n<p>The Communications Regulation and Digital Hub Development Agency (Amendment) Act 2023 (as amended) gives effect to certain provisions of EU Directive 2018\/1972, which established the European Electronic Communications Code, and was fully commenced on 9 June 2023. This Act mandates that providers of public electronic communications networks and services take appropriate and proportionate measures to manage the risks posed to the security of networks and services. This Act designates the Commission for Communications Regulation (\u201c<strong>ComReg<\/strong>\u201d) as the competent authority for the purposes of enforcement in the State. 
The European Union (Electronic Communications Code) Regulations 2022 transpose the remainder of the Directive.<\/p>\n<p>The Digital Services Act 2024 was enacted on 17 February 2024, giving further effect to Regulation (EU) 2022\/2065 on a Single Market for Digital Services, which empowers the European Commission to regulate online intermediaries and platforms such as marketplaces, social networks, content-sharing platforms, app stores, and online travel and accommodation platforms. It aims to prevent illegal and harmful activities online and the spread of disinformation.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any expected changes in the data protection, privacy or cybersecurity landscape in 2025 - 2026 (e.g., new laws or regulations coming into effect, enforcement of such laws and regulations, expected regulations or amendments)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Upcoming EU legislation in areas such as AI, cybersecurity, and privacy, will significantly impact Ireland\u2019s legislative framework and have already had an impact on how organisations deal with their data protection and cybersecurity obligations. The data protection and cybersecurity landscape is constantly evolving as a result of technological advancements and initiatives from the European Parliament and it is anticipated that there will be a substantial amount of change in this area during 2025-2026.<\/p>\n<p>The EU AI Act (the \u201c<strong>AI Act<\/strong>\u201d) was commenced in August 2024 and will apply in a phased manner over 3 years. 
The first implementation milestone was on 2 February 2025 with the introduction of rules on prohibited AI practices and setting out a requirement for organisations to ensure staff have a sufficient level of AI literacy. The Minister for Enterprise, Tourism and Employment has designated eight public bodies to act as competent authorities for enforcement of the AI Act and the appointment of a lead regulator is anticipated in the coming months. Legislation is currently being drafted to give effect to these appointments, as well as setting out the penalties and fines for non-compliance.<\/p>\n<p>The EU Data Act entered into force on 11 January 2024 and aims to create a single market in the EU for data generated by Internet of Things products in order to promote innovation and increase competitiveness. The EU Data Act does this by making data more accessible, introducing fair contractual terms, and safeguarding data transfers. Key provisions of the EU Data Act will become applicable from 12 September 2025 with transitional provisions for certain specific situations up until 12 September 2027.<\/p>\n<p>The EU Data Governance Act (\u201c<strong>DGA<\/strong>\u201d) sets out legal framework for the sharing of public sector data. This has been implemented in Ireland by the European Union (Data Governance Act) (No. 2) Regulations 2024, which were signed into law on 31 December 2024. These regulations designate the Competition and Consumer Protection Commission (\u201c<strong>CCPC<\/strong>\u201d) as the competent authority tasked with a number of responsibilities including monitoring compliance with the DGA and processing of complaints regarding non-compliance.<\/p>\n<p>As part of its cybersecurity strategy, the EU has issued numerous new legal acts aimed at increasing the level of cybersecurity. The Cyber Resilience Act (\u201c<strong>CRA<\/strong>\u201d) entered into force on 10 December 2024 with the main obligations being applicable from 11 December 2027. 
The CRA will ensure that products and services are designed with appropriate cybersecurity measures and will strengthen Ireland\u2019s approach to digital platforms and consumer protection. The Cyber Solidarity Act (\u201c<strong>CSA<\/strong>\u201d) came into force on 4 February 2025 and is designed to help cross-border defence against cyber-attacks by implementing emergency and response management systems. The European Union (Digital Operational Resilience) (No. 2) Regulations 2025 (S.I. 20\/2025) came into effect on 11 February 2025. From an Irish perspective, these regulations complete the implementation of the EU\u2019s Regulation 2022\/2554 on digital operational resilience for the financial sector (\u201c<strong>DORA<\/strong>\u201d), which has been applicable since 17 January 2025. The aim of DORA is to increase resilience in the financial sector by imposing increased security requirements.<\/p>\n<p>The NIS2 Directive, which was required to be transposed into domestic law by all Member States in October 2024, has not yet been transposed in Ireland. The heads of bill of the National Cyber Security Act were published by the Department of the Environment, Climate and Communications on 30 August 2024 but are still only in draft form and have yet to go through the legislative process. It appears to be unlikely that the legislation will be transposed before Q3 of 2025, based on current projections. When the legislation is enacted it will transpose the NIS2 Directive into Irish law and will change the face of cybersecurity regulation in the State.<\/p>\n<p>The following Bills are being progressed by the Irish Government:<\/p>\n<ol style=\"padding-left: 0\" type=\"i\">\n<li>The pre-legislative scrutiny of the Criminal Justice (Protection, Preservation of and Access to Data on Information Systems) Bill was completed in March 2024. 
The purpose of this Bill is to allow An Garda S\u00edoch\u00e1na to request the preservation and production of data held on IT systems in order to investigate criminal offences.<\/li>\n<li>The Health Information Bill 2024 is at Committee Stage as of 5 February 2025 and this Bill will provide a clear legal basis for the establishment of a Digital Health Record for people in Ireland.<\/li>\n<\/ol>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any registration or licensing requirements for entities covered by these data protection and cybersecurity laws, and if so what are the requirements? Are there any exemptions? What are the implications of failing to register \/ obtain a licence?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There are no registration or licensing requirements for controllers or processors in Ireland. All organisations that have appointed a Data Protection Officer (\u201c<strong>DPO<\/strong>\u201d) pursuant to the GDPR are required to notify the contact details to the DPC. While there are no registration or licencing requirements on entities under the NIS Regulations the competent authorities are required to establish and maintain a Register of Operators of Essential Services (\u201c<strong>ROES<\/strong>\u201d), without exception.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">How do the data protection laws in your jurisdiction define \u201cpersonal data,\u201d \u201cpersonal information,\u201d \u201cpersonally identifiable information\u201d or any equivalent term in such legislation (collectively, \u201cpersonal data\u201d)? 
Do such laws include a specific definition for special category or sensitive personal data? What other key definitions are set forth in the data protection laws in your jurisdiction (e.g., \u201ccontroller\u201d, \u201cprocessor\u201d, \u201cdata subject\u201d, etc.)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Irish law adopts the definitions of personal data and special category data in accordance with the GDPR. The 2018 Act also adopts the GDPR definitions of biometric data, genetic data and data concerning health, as well as the key definitions set out in Article 4 of the GDPR. The definition of personal data in the 2019 Act extends to cover deceased individuals.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What principles apply to the processing of personal data in your jurisdiction? For example: is it necessary to establish a \u201clegal basis\u201d for processing personal data?; are there specific transparency requirements?; must personal data only be kept for a certain period? Please provide details of such principles.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Article 5 of the GDPR sets out key principles for the protection of personal data. These principles, both directly and indirectly, influence the other rules and obligations found throughout the applicable legislation. Compliance with these fundamental principles of data protection is the first step for controllers in ensuring that they fulfil their obligations under the GDPR. 
The following is a brief overview of the Article 5 principles:<\/p>\n<p><strong>Lawfulness, fairness, and transparency<\/strong>: Any processing of personal data should be lawful and fair. It should be transparent to individuals that personal data concerning them is collected, used, consulted, or otherwise processed and to what extent the personal data is or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. Data subjects must be provided with information as to the categories of recipients that their personal data has been or will be disclosed, as well as information as to any further processing that is carried out.<\/p>\n<p><strong>Purpose Limitation<\/strong>: Personal data should only be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. In particular, the specific purposes for which personal data is processed should be explicit, legitimate and determined at the time of the collection of the personal data. However, further processing for archiving purposes in the public interest, scientific, or historical research purposes or statistical purposes (in accordance with Article 89(1) GDPR) is not considered to be incompatible with the initial purposes.<\/p>\n<p><strong>Data Minimisation<\/strong>: Processing of personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. 
This requires, in particular, ensuring that the period for which the personal data is stored is limited to a strict minimum (see also the principle of \u2018Storage Limitation\u2019 below).<\/p>\n<p><strong>Accuracy:<\/strong> Controllers must ensure that personal data is accurate and, where necessary, kept up to date, taking every reasonable step to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay. In particular, controllers should accurately record information they collect or receive and the source of that information.<\/p>\n<p><strong>Storage Limitation:<\/strong> Personal data should only be kept in a form which permits identification of data subjects for as long as is necessary for the purposes for which the personal data are processed. In order to ensure that the personal data is not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review.<\/p>\n<p><strong>Integrity and Confidentiality<\/strong>: Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including protection against unauthorised or unlawful access to, or use of, personal data and the equipment used for the processing, and against accidental loss, destruction or damage, using appropriate technical and\/or organisational and security measures.<\/p>\n<p><strong>Accountability:<\/strong> The controller is responsible for, and must be able to demonstrate compliance with, all of the above principles. Controllers must take responsibility for their processing of personal data and how they comply with the GDPR, and be able to demonstrate (through appropriate records and measures) their compliance, in particular to the DPC.<\/p>\n<p>In addition, it is necessary to establish one of the six legal bases for processing personal data provided by Article 6(1) of the GDPR. 
Article 6(1) of the GDPR sets out what these potential legal bases are, namely: consent; contract; legal obligation; vital interests; public task; or legitimate interests.<\/p>\n<p>Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person\u2019s sex life or sexual orientation (i.e. special category data) is prohibited, unless one of the conditions set out in Article 9(2) of the GDPR applies.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any circumstances for which consent is required or typically obtained in connection with the processing of personal data? What are the rules relating to the form, content and administration of such consent? For instance, can consent be implied, incorporated into a broader document (such as a terms of service) or bundled with other matters (such as consents for multiple processing operations)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under Irish law, explicit consent is required for the use of personal data for health research purposes pursuant to the Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations, as amended.<\/p>\n<p>Pursuant to the e-Privacy Regulations, consent is required in respect of electronic direct marketing for new customers. Consent is not required in respect of electronic direct marketing for existing customers, where certain conditions are satisfied.<\/p>\n<p>Consent is required for the use of non-essential cookies or other tracking technologies. 
Consent is often the most appropriate basis for the use of biometric data.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What special requirements, if any, are required for processing particular categories of personal data (e.g., health data, children\u2019s data, special category or sensitive personal data, etc.)? Are there any prohibitions on specific categories of personal data that may be collected, disclosed, or otherwise processed?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>N\/A<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction include any derogations, exemptions, exclusions or limitations other than those already described? If so, please describe the relevant provisions.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The GDPR and the 2018 Act set out various derogations, exemptions, exclusions and limitations, for example in relation to data subject rights. Article 23 of the GDPR creates the right for Member States to introduce derogations to data protection law in certain situations. 
Member States can introduce derogations from transparency obligations and data subject rights, but only where the measure \u201crespects the essence of fundamental rights and freedoms and is necessary and proportionate in a democratic society\u201d.<\/p>\n<p>In addition to this, the provisions in Chapter IX of the GDPR provide for a mixed set of derogations, exemptions and powers to impose additional requirements, in respect of GDPR obligations and rights, for particular types of processing.<\/p>\n<p>The 2018 Act permits controllers to restrict data subject rights where it is necessary and proportionate to safeguard certain objectives, as set out in Sections 60 and 94 of the 2018 Act. Examples of such restrictions include:<\/p>\n<ol style=\"padding-left: 0\">\n<li>Data Protection Act 2018 (section 60(6)) (Central Bank of Ireland) Regulations 2020 restricts data subject access to information for which the Central Bank of Ireland is the controller in certain circumstances.<\/li>\n<li>The Data Protection Act 2018 (Access Modification) (Health) Regulations 2022 restrict data subject access to health data, where the application of that right would be likely to cause serious harm to the physical or mental health of the data subject.<\/li>\n<\/ol>\n<p>Derogations also exist in relation to the rules applicable to the transfer of data outside the EEA which can be relied upon in limited circumstances.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Does your jurisdiction require or recommend risk or impact assessments in connection with personal data processing activities and, if so, under what circumstances? 
How are these assessments typically carried out?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The legislative requirements have been interpreted as requiring organisations to carry out risk assessments in relation to data processing activities on an extensive basis. Where controllers or processors are processing personal data that is likely to result in a high risk to the data subject\u2019s rights, a Data Protection Impact Assessment (\u201c<strong>DPIA<\/strong>\u201d) must be carried out prior to commencement. The GDPR provides some non-exhaustive examples of when data processing is likely to result in high risks. High risk processing includes large scale processing of special categories of personal data, or processing of personal data relating to criminal convictions and offences. The DPC has published guidance in this area to assist organisations in determining when a DPIA is required.<\/p>\n<p>Organisations will differ in how risk assessments are carried out and much will depend on the organisation\u2019s risk assessment policy. 
It is important that the organisation\u2019s DPO is involved in such assessments.<\/p>\n<p>In addition, where the legitimate interests ground is relied on under Article 6(1)(f) of the GDPR as a lawful basis for processing, it is recommended best practice for the controller to carry out a Legitimate Interests Assessment (\u201c<strong>LIA<\/strong>\u201d) which involves assessing the impact of the proposed processing on individuals\u2019 interests through a balancing test.<\/p>\n<p>If personal data is being transferred to a third country outside the EEA that is not covered by an adequacy decision, a Transfer Impact Assessment (\u201c<strong>TIA<\/strong>\u201d) should be carried out to ensure that the third country provides an equivalent level of protection to personal data as provided by the GDPR or, where this is not the case, that supplementary measures are put in place to protect the data. This is a legal obligation when data is being transferred based on a reliance on one of the transfer tools set out in Article 46 of the GDPR.<\/p>\n<p>Additional risk assessment requirements will apply under the AI Act for specified categories of AI and will need to be carried out in conjunction with data protection and IT security risk assessments.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any specific codes of practice applicable in your jurisdiction regarding the processing of personal data (e.g., codes of practice for processing children\u2019s data or health data)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There are no specific codes of practice regarding the processing of personal data.<\/p>\n<p>The DPC has published comprehensive guidance in relation to various different processing activities for example; 
guidance in relation to the processing of children\u2019s data entitled \u2018Children Front and Centre: Fundamentals for a Child-Oriented Approach to Data Processing.\u2019 The purpose of this guidance is to assist organisations to implement and develop strong data protection standards for the processing of children\u2019s personal data.<\/p>\n<p>Organisations may prepare codes of conduct and they must formally submit their draft codes of practice to the DPC for approval. If a code of conduct covers processing activities in more than one member state, the draft code is sent to the European Data Protection Board (\u201c<strong>EDPB<\/strong>\u201d) for review and approval. For non-public sector organisations, the code of conduct must identify a Monitoring Body to ensure compliance with the code.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are organisations required to maintain any records of their data processing activities or establish internal processes or written documentation? If so, please describe how businesses typically meet such requirement(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Article 30 of the GDPR imposes a duty on controllers, processors and their representatives to record data processing activities (a \u201c<strong>ROPA<\/strong>\u201d). The ROPA must be in writing, including electronic form, and must be updated regularly and available for submission to the DPC upon request. 
Organisations with fewer than 250 employees are exempt from keeping this record in certain circumstances, although a ROPA is mandatory for all organisations for HR related data.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require or recommend data retention and\/or data disposal policies and procedures? If so, please describe such requirement(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Article 5 of the GDPR provides that personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Specific time periods for retention of personal data are not stipulated by the GDPR or the 2018 Act. A controller must ensure that an appropriate time limit is established for the erasure of personal data and the carrying out of periodical reviews of the need for retention of that data. 
A written data retention policy is advisable for the purposes of demonstrating compliance with this obligation.<\/p>\n<p>Certain Irish legislation stipulates minimum retention periods for certain personal data, such as employee-related records.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Under what circumstances is it required or recommended to consult with the applicable data protection regulator(s)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Where a controller determines, by way of a data protection impact assessment (\u201c<strong>DPIA<\/strong>\u201d), that the intended processing would result in a high risk to the data protection rights of individuals in the absence of mitigation measures, they must consult with the DPC. The controller is obliged to carry out the DPIA, together with the DPO and any data processors. A controller has an obligation under the GDPR to notify the DPC within 72 hours once becoming aware of a personal data breach.<\/p>\n<p>Organisations must submit draft codes of conduct to the DPC and are strongly advised to engage with the DPC informally at the early stages of the drafting of a code of conduct.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require the appointment of a data protection officer, chief information security officer, or other person responsible for data protection? 
If so, what are their legal responsibilities?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>An organisation is required to appoint a designated DPO, where the processing is carried out by a public authority or body; the core activities require regular and systematic monitoring of data subjects on a large scale; or the core activities consist of processing on a large scale of special category data or data relating to criminal convictions and offences. The duties of DPOs include advising the organisation on data protection obligations, monitoring compliance including audits and training, acting as a contact point for the DPC and handling queries or complaints of data subjects. Article 27 of the GDPR requires non-EU organisations to designate in writing a representative in the EU unless one of the specified exemptions applies.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require or recommend employee training related to data protection? If so, please describe such training requirement(s) or recommendation(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>One of the legislative duties of the DPO is to oversee training of staff by the organisation. The DPC advises that it is good practice to provide all staff with data protection training on or shortly after commencing employment. 
Evidence of ongoing training is considered necessary to demonstrate compliance with the principle of accountability and to ensure compliance with other provisions of the GDPR.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require controllers to provide notice to data subjects of their processing activities? If so, please describe such notice requirement(s) (e.g., posting an online privacy notice).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The principle of transparency set out in the GDPR requires controllers to provide information to individuals about how their data is processed. The minimum required information to be provided to data subjects includes the identity of the controller, the reason for processing the data, the lawful basis for processing the personal data, applicable data transfer details, the data retention timeframe and the existence of the individual\u2019s rights under data protection law. The information above is typically provided by way of a data privacy notice.<\/p>\n<p>Pursuant to the e-Privacy Regulations, subscribers must be informed of the types of data that are processed, the duration of such processing, the possibility to withdraw their consent and whether the data will be transmitted to a third party for specified purposes.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction draw any distinction between the responsibility of controllers and the processors of personal data? 
If so, what are the implications?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The GDPR imposes obligations on both controllers and processors. However, a clear distinction is drawn: primary responsibility for the protection of personal data under the GDPR is placed on controllers. A processor will be liable only where it has not complied with obligations of the GDPR specifically directed to processors or where it has acted outside or contrary to the lawful instructions of the controller.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any restrictions on monitoring, automated decision-making or profiling in your jurisdiction, including through the use of tracking technologies such as cookies. How are these or any similar terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Monitoring is not specifically restricted or prohibited by the GDPR or the 2018 Act. However, a controller must establish a lawful basis for processing, and large-scale monitoring of a publicly accessible area requires completion of a DPIA.<\/p>\n<p>Automated decision-making (including profiling) is prohibited where it produces legal effects concerning an individual. There are some exceptions to this prohibition, for example where the decision is authorised or required under Irish law.<\/p>\n<p>The e-Privacy Regulations prohibit the use of cookies or other tracking technologies which are not strictly necessary, unless the user has given explicit consent to that use. The standard of consent is set out under the GDPR. 
Consent for the placement of non-essential cookies is not valid if it was either bundled or obtained by way of pre-checked boxes that users must deselect. Controllers must ensure that opt-in consent is obtained for each purpose for which cookies are set, and consent must be as easy to withdraw as it was to provide in the first place.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any restrictions on targeted advertising and\/or behavioral advertising. How are these terms or any similar terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Both targeted and behavioural advertising are forms of data processing that must have a legal basis. The appropriate legal basis for behavioural advertising is currently the subject of much debate before the regulators and the Courts. Regulator decisions have struck down contractual necessity and legitimate interests as appropriate legal bases for behavioural advertising. As a result, consent is now considered the only appropriate legal basis. The EU\u2019s Digital Markets Act requires that users\u2019 consent is obtained for combining their personal data between services for advertising purposes and that users who do not consent must have access to a less personalised but equivalent alternative. These developments have led to the implementation of \u2018consent or pay\u2019 models by large online platforms. In April 2024 the EDPB issued a decision on these models, finding that large online platforms are unlikely to be able to comply with the requirements for valid consent if they provide users only with a binary choice between consenting to processing of personal data for behavioural advertising purposes or paying a fee. 
There have been significant questions raised about this \u2018consent or pay\u2019 model with regard to economic equity, transparency and data subject choice, in circumstances where it may present a potential economic divide between data subjects who can afford to pay for this option and those who cannot. It could also introduce undue pressure on data subjects to consent to data collection in circumstances where they could be exploited. Meta has recently been the subject of a significant fine by the EU Commission for non-compliance in this area, which it intends to appeal<sup>1<\/sup>.<\/p>\n<p>The DSA prescribes transparency rules and prohibits the use of certain data types (including special category data) for targeted advertising by online platforms. The DSA prohibits targeted advertising aimed at children and requires service providers to carry out an assessment of the risk that their platform may pose to children.<\/p>\n<p><u>Footnote(s):<\/u><\/p>\n<p><sup style=\"font-size: 9px\">1<\/sup> <span style=\"font-size: 12px\"> <a href=\"https:\/\/ec.europa.eu\/commission\/presscorner\/detail\/en\/ip_25_1085\">https:\/\/ec.europa.eu\/commission\/presscorner\/detail\/en\/ip_25_1085<\/a><\/span><\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any data protection laws in your jurisdiction restricting the sale of personal data. How is the term \u201csale\u201d or such related terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>\u201cSale\u201d in the context of the sale of personal information is not defined in Irish law; however, it is captured by the broad definition of processing. 
Therefore, a controller must comply with all of the legal obligations applicable to the processing of personal data under the GDPR, including the core principles as outlined in response to question 5 above. A purchaser of personal data would need to verify the data\u2019s usability, i.e. ensuring its lawful collection and subsequent use.\u00a0This would include reviewing the vendor\u2019s record of processing activities to ensure the vendor has complied with all legal requirements, such as obtaining valid consent and conducting a legitimate interests assessment.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any data protection laws in your jurisdiction restricting telephone calls, text messaging, email communication, or direct marketing. How are these terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Direct marketing is governed by both the GDPR\u00a0and the e-Privacy Regulations. The e-Privacy Regulations prohibit unsolicited communication, such as the use of electronic mail for direct marketing purposes without prior consent of a subscriber or user (except in certain circumstances relating to existing customers). Individuals have the right to withdraw consent or object to receiving electronic direct marketing. A facility to opt-out must be included with each marketing communication.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any data protection laws in your jurisdiction addressing biometrics, such as facial recognition. 
How are such terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The processing of biometric data is prohibited except in certain circumstances as set out in Article 9 of the GDPR. The processing of biometric data is considered to be a high-risk activity that requires a DPIA to be carried out. The DPC has also advised that the processing of biometric data should generally be optional for the user.<\/p>\n<p>The An Garda S\u00edoch\u00e1na (Recording Devices) Act 2023 was adopted on 5 December 2023 to permit the use of body-worn cameras by An Garda S\u00edoch\u00e1na. Body-worn cameras have currently been rolled out in Dublin, Waterford and Limerick for the purposes of informing the national deployment. These cameras currently do not use biometrics; however, more controversial legislation is being taken forward by the Irish government to provide for the retrospective use of biometric technologies, including facial recognition technology<sup>2<\/sup>. 
The use of live facial recognition technology is not yet provided for in legislation but may be considered in future government initiatives.<\/p>\n<p><u>Footnote(s):<\/u><\/p>\n<p><sup style=\"font-size: 9px\">2<\/sup> <span style=\"font-size: 12px\"> <a href=\"https:\/\/www.oireachtas.ie\/en\/debates\/question\/2025-03-20\/140\/#:%7E:text=The%20General%20Scheme%20of%20the%20Recording%20Devices%20%28Amendment%29,facial%20recognition%20technology%20%28FRT%29%20in%20limited%20circumstances%20only\">https:\/\/www.oireachtas.ie\/en\/debates\/question\/2025-03-20\/140\/#:%7E:text=The%20General%20Scheme%20of%20the%20Recording%20Devices%20%28Amendment%29,facial%20recognition%20technology%20%28FRT%29%20in%20limited%20circumstances%20only<\/a><\/span><\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any data protection laws in your jurisdiction addressing artificial intelligence or machine learning (\u201cAI\u201d).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The AI Act entered into force in Ireland on 2 August 2024 with all provisions to be fully implemented by 2026. Provisions already in force include the ban on prohibited AI practices and the provisions in relation to AI literacy. Other provisions, such as the requirement that Member States lay down rules for fines and penalties and the rules relating to general-purpose AI, including governance, will come into force during 2025. Obligations for high-risk AI systems, which are subject to stringent requirements under the AI Act, will not be fully in force until three years after the date of enactment. 
<\/p>\n<p>The AI Act will follow a risk-based approach, differentiating between uses of AI that create an unacceptable risk, a high risk, and a low or minimal risk. The AI Act introduces EU-wide minimum requirements for AI systems and proposes a sliding scale of rules based on the risk: the higher the perceived risk, the stricter the rules. AI systems with an \u2018unacceptable level of risk\u2019 will be strictly prohibited and those considered as \u2018high-risk\u2019 will be permitted, but subject to very stringent obligations.<\/p>\n<p>In terms of extra-territorial effect, the AI Act applies to providers placing on the market or putting into service AI systems in the EU, irrespective of whether those providers are established within the EU or a third country, users of AI systems located within the EU and providers and users of AI systems that are located in a third country, where the output produced by the system is in the EU.<\/p>\n<p>AI systems are subject to the GDPR where personal data is added to or used to train AI or AI is otherwise used to process personal data. European data protection regulators, including the DPC, have expressed growing concerns with regard to the use of personal data in the training of AI systems, particularly where data subjects have not provided explicit consent for this processing. This can occur in circumstances where AI models are trained using a method which involves the retrieval of publicly available data on the internet called \u2018data scraping\u2019. Individuals may be unaware that their personal data is being used for this purpose, which leads to legal issues relating to lack of valid consent and transparency. There have been significant concerns expressed by European Data Protection watchdogs and digital rights advocates with regard to the Chinese AI model DeepSeek. 
Data protection regulators have raised cybersecurity and safety concerns about the use of this application, including the potential for the generation of harmful and biased content.<\/p>\n<p>The fines and penalties which may be imposed under the AI Act are significant and surpass those under the GDPR: Tier 1 fines for non-compliance with the prohibitions are up to \u20ac35,000,000 or up to 7% of annual worldwide turnover. Tier 2 fines for non-compliance with specific provisions are up to \u20ac15,000,000 or up to 3% of annual worldwide turnover. Tier 3 fines for supplying incorrect, incomplete or misleading information to the authorities are up to \u20ac7,500,000 or 1% of annual worldwide turnover. There are special considerations for SMEs in relation to penalties under the AI Act.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Is the transfer of personal data outside your jurisdiction restricted? If so, please describe these restrictions and how businesses typically comply with them (e.g., does a cross-border transfer of personal data require a specified mechanism or notification to or authorization from a regulator?)<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Transfers of personal data from Ireland to non-EEA or \u2018third\u2019 countries are governed by Chapter V of the GDPR. Such transfers are permitted either where there is an EU Commission adequacy decision in place or, alternatively, where appropriate safeguards are implemented, such as standard contractual clauses (\u201c<strong>SCCs<\/strong>\u201d) or Binding Corporate Rules (\u201c<strong>BCRs<\/strong>\u201d), under Article 46 of the GDPR. Derogations may also apply in limited circumstances under Article 49 of the GDPR. 
In June 2021, the European Commission approved four separate modular sets of SCCs, and the appropriate module to be used will depend on the data protection role of the data exporter and data importer. Where SCCs are used, they should comply with the European Data Protection Board recommendations. In particular, the exporter must carry out a transfer risk assessment and also identify and implement supplementary measures, where required, to ensure an \u201cessentially equivalent\u201d level of protection applies to the personal data in the third country.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What personal data security obligations are imposed by the data protection laws in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Controllers and processors are obliged to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk arising from processing activities. Article 32 of the GDPR sets out specific examples of measures (on a non-exhaustive basis) to ensure security of processing of personal data as well as certain considerations that should be taken into account, such as the costs of implementation and the nature, scope, context and purposes of processing.<\/p>\n<p>The e-Privacy Regulations impose certain security obligations on undertakings providing a publicly available electronic communications network or service. 
Security measures must at least ensure that the personal data can be accessed only by authorised personnel for legally authorised purposes, protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorised or unlawful storage, processing, access or disclosure, and ensure the implementation of a security policy with respect to the processing of personal data.<\/p>\n<p>The DPC issued Data Security Guidance for Microenterprises in July 2019 and a separate Guidance for Controllers on Data Security in February 2020.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction impose obligations in the context of  security breaches which impact personal data? If so, how do such laws define a security breach (or similar term) and under what circumstances must such a breach be reported to regulators, impacted individuals, law enforcement, or other persons or entities?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The term \u2018personal data breach\u2019 is defined in the GDPR as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.<\/p>\n<p>The NIS Regulations define the term \u201cincident\u201d as any event having an actual adverse effect on the security of network and information systems.<\/p>\n<p>A controller is obliged to notify the DPC within 72 hours of becoming aware of a personal data breach, unless it is unlikely to result in a risk to individuals. 
Controllers are also obliged to notify the affected data subject of the personal data breach, where the breach is \u2018likely to result in a high risk to the rights and freedoms of the natural person\u2019.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction establish specific rights for individuals, such as the right to access and the right to deletion? If so, please provide a general description of such rights, how they are exercised, and any exceptions.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>In accordance with the GDPR, individuals have various rights including the right of access, right of erasure, right of rectification, right of restriction, right of data portability and right to make a complaint to the DPC. Data subjects can exercise their rights by contacting the controller, who must respond without undue delay and at the latest within one month of receipt of the request (this time period can be extended by up to two months in exceptional circumstances).<\/p>\n<p>If a request is refused, a controller must inform the data subject without delay of the reasons why their request is refused and also of the possibility of lodging a complaint with the DPC and\/or seeking a judicial remedy.<\/p>\n<p>There are various exceptions to data subjects\u2019 rights, set out in sections 60 and 94 of the Data Protection Act 2018, which seek to balance the rights of data subjects on the one hand with the rights of third parties, or the needs of civil society, on the other hand. 
For example, personal data that is legally privileged is not required to be provided on foot of a DSAR, nor is personal data required to be erased if processing is necessary for compliance with a legal obligation.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction provide for a private right of action and, if so, under what circumstances?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Where a data subject considers that their rights have been infringed as a result of personal data processing, they may bring a data protection action against the controller or processor concerned in the District, Circuit or High Court, depending on the value of the claim. The Courts and Civil Law (Miscellaneous Provisions) Act 2023 added the District Court to the choice of venues for data protection litigation. The average monetary compensation for data breach claims is very modest and well within the District Court level; however, the 2018 Act granted jurisdiction to the Circuit Court and High Court only, which resulted in the costs of these claims exceeding their value. This new provision should mean that these claims will now more properly be brought in the District Court.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are individuals entitled to monetary damages or compensation if they are affected by breaches of data protection law? 
Does the law require actual and material damage to have been sustained, or is non-material injury to feelings, emotional distress or similar sufficient for such purposes?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Section 117 of the 2018 Act permits an individual to seek compensation for damage caused as a result of the infringement of data protection laws. Damage includes material and non-material damage. The interpretation of \u2018non-material damage\u2019 has been the subject of a number of decisions of the CJEU.<\/p>\n<p>A Supreme Court decision is awaited with regard to whether prior authorisation is required from the Injuries Resolution Board (the statutory body that assesses the value of an individual\u2019s personal injury claim) where a plaintiff is seeking damages for mental distress; this will have a significant impact on a number of cases currently before the Irish Courts.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">How are data protection laws in your jurisdiction typically enforced?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Privacy and data protection laws are enforced through the DPC and the Courts. The DPC possesses broad enforcement powers, as well as investigatory powers including search and seizure powers, the power to issue information and enforcement notices (failure to comply with which is an offence) and a right to apply to the High Court for the suspension or restriction of processing of data, where it is considered that there is an urgent need to act. 
The DPC also has the power to prosecute offences under the 2018 Act and the e-Privacy Regulations.<\/p>\n<p>The DSA will be enforced by the European Commission and Member States\u2019 DSCs in respect of intermediary services with their main establishment in that Member State. The DSA designates CNM as the DSC in Ireland. The DSCs have wide powers of investigation and powers to impose administrative sanctions.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What is the range of sanctions (including fines and penalties) for violation of data protection laws in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Regulatory fines for breaches of data protection law can be up to the greater of \u20ac20,000,000 or 4% of global annual turnover of the relevant organisation, depending on the nature of the infringement. Other sanctions include a temporary or permanent ban on the processing of personal data, a reprimand or withdrawal of certification.<\/p>\n<p>The 2018 Act imposes a maximum fine of up to \u20ac1,000,000 on public authorities or bodies that do not act as an \u2018undertaking\u2019 within the meaning of the Irish Competition Act 2002. The maximum criminal penalty for summary offences under the 2018 Act is \u20ac5,000 and\/or 12 months\u2019 imprisonment. Indictable offences carry a maximum penalty of \u20ac250,000 and\/or five years\u2019 imprisonment.<\/p>\n<p>The DPC does not have the power to impose regulatory fines pursuant to the e-Privacy Regulations. However, offences under these regulations can be prosecuted in the Court. A summary offence carries a maximum fine of \u20ac5,000. 
Indictable offences carry a maximum fine of \u20ac250,000, depending on the nature of the offence being prosecuted.<\/p>\n<p>In the event of non-compliance with the DSA, service providers could receive a fine of up to 6% of their annual global turnover.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any guidelines or rules published regarding the calculation of such fines or thresholds for the imposition of sanctions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The GDPR is silent as to the process which supervisory authorities should adopt in calculating a fine or sanction; however, the DPC is required to consider certain factors as stipulated by Article 83 of the GDPR. In May 2022 the EDPB published Guidelines on the calculation of administrative fines under the GDPR (Guidelines 04\/2022).<\/p>\n<p>As a matter of domestic law, the DPC\u2019s decision must be demonstrably rational and not arbitrary. Fines or sanctions administered by the Court in the context of prosecutions are at the discretion of the judge.<\/p>\n<p>The DSA provides that CNM, in setting the fine in any particular case, must take into account a number of factors, as listed within the Broadcasting Act 2009, as amended by the 2022 Act.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are enforcement decisions open to appeal in your jurisdiction? 
If so, please provide an overview of the appeal options.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>In Ireland, controllers or processors can appeal fines imposed by the DPC within 28 days of receipt of the decision. Upon hearing an appeal, the Court may confirm the decision of the DPC, impose a different fine, or annul the decision. Where an organisation wishes to challenge the decision-making process of the DPC, it may do so by way of judicial review.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any identifiable trends or regulatory priorities in enforcement activity in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The DPC is actively implementing its Regulatory Strategy for 2022-2027<sup>3<\/sup> to ensure accountability among data controllers and processors. This strategy involves prioritising the consistent enforcement of data protection law by sanctioning proportionately and judiciously, and taking a fair and balanced approach to complaint handling. 
In 2025, we can expect that there will be an increased focus on the protection of children and other vulnerable groups, the prioritisation of prosecution, sanctions and fines, and publishing guidance for small and medium-sized enterprises.<\/p>\n<p>The DPC has continued the trend of imposing large fines against \u201cBig Tech\u201d companies and social media platforms, which included a \u20ac310 million fine imposed on LinkedIn in October 2024 and a \u20ac251 million fine imposed on Meta in December 2024.<\/p>\n<p>The EU AI Act will introduce significant requirements on data usage, transparency and risk management in terms of AI systems. The DPC will be required to monitor the use of personal data in the training of AI systems and is empowered to impose penalties for non-compliance with data protection obligations. The DPC has issued guidance on the implementation and use of AI systems, particularly with regard to the use of personal data to train Large Language Models. This is a clear indication that the Irish regulator will be closely monitoring the use of these systems going forward. Organisations that are deploying AI systems will be required to adhere to strict rules on the processing of personal data for the purposes of AI training.<\/p>\n<p>EU-US data transfers have been subject to a good deal of uncertainty with recent developments in the US administration. 
The EU-US Data Privacy Framework will continue to be monitored by the European Commission to ensure an adequate level of protection for data transfers remains in place.<\/p>\n<p><u>Footnote(s):<\/u><\/p>\n<p><sup style=\"font-size: 9px\">3<\/sup> <a href=\"https:\/\/www.dataprotection.ie\/sites\/default\/files\/uploads\/2021-12\/DPC_Regulatory%20Strategy_2022-2027.pdf\"><span style=\"font-size: 12px\"> https:\/\/www.dataprotection.ie\/sites\/default\/files\/uploads\/2021-12\/DPC_Regulatory%20Strategy_2022-2027.pdf<\/span><\/a><\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction require the implementation of specific cybersecurity risk management measures and\/or require that organisations take specific actions relating to cybersecurity? If so, please provide details.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The NIS Regulations apply a set of binding security obligations to critical infrastructure operators in the energy, healthcare, financial services, transport, water supply, digital infrastructure, and telecommunications sectors. Both Digital Service Providers (\u201c<strong>DSPs<\/strong>\u201d) and Operators of Essential Services (\u201c<strong>OES<\/strong>\u201d) are required to identify and take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of the network and information systems used by them. 
Those measures are required to ensure a level of security appropriate to the risk posed, taking into account the security of systems and facilities, incident handling, business continuity management, monitoring, auditing &amp; testing, and compliance with international standards.<\/p>\n<p>OES are required to take appropriate measures to prevent and minimize the impact of incidents affecting the security of the network and information systems used by them in the provision of essential services, in order to ensure continuity of those services.<\/p>\n<p>Under the NIS2 Directive, when transposed by the National Cybersecurity Act, \u201cessential\u201d and \u201cimportant\u201d entities will be required to follow more specific rules on the cybersecurity risk management measures to be adopted.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose specific requirements regarding supply chain management? If so, please provide details of these requirements.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Other than the overarching requirements set out above in relation to risk management measures to be adopted, there are no specific requirements relating to supply chain management under the NIS Regulations.<\/p>\n<p>The NIS2 Directive, however, will impose specific requirements regarding supply chain management and security for entities. Member States will be required to adopt policies addressing cybersecurity in the supply chain for ICT products and ICT services used by entities for the provision of their services. 
Article 21 of the NIS2 Directive, which relates generally to cybersecurity risk management measures, will require that entities manage supply chain security, including security-related aspects of the relationship between them and their direct suppliers or service providers.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose information sharing requirements on organisations?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Organisations subject to the NIS Regulations are required to share certain information. This can be, for example, in the context of reporting an incident, in accordance with regulations 18 and 22, or in the context of security assessments carried out in accordance with regulation 27.<\/p>\n<p>In addition to this, authorised officers appointed in accordance with regulation 28 have the power to request, inspect, review and examine any books, documents or records in respect of the security of network and information systems, as well as other forms of information as set out in regulation 29. Failure to follow the request of an authorised officer is a criminal offence.<\/p>\n<p>Finally, regulation 31 relates to information notices and provides that competent authorities may serve notices upon an OES or DSP requiring that entity to furnish to the competent authority the information specified in the notice. 
This information notice is appealable by entities.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction require the appointment of a chief information security officer, regulatory point of contact, or other person responsible for cybersecurity? If so, what are their legal responsibilities?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There is no specific obligation under the NIS Regulations to officially appoint a chief information security officer, regulatory point of contact or other person responsible for cybersecurity. Notwithstanding this, the Regulations address offences committed by bodies corporate and provide that where such an offence has been committed with the consent or connivance of, or was attributable to any wilful neglect by, a director, manager, secretary or other officer purporting to act in that role, that individual, as well as the corporate body, will be liable to criminal prosecution.<\/p>\n<p>The NIS2 Directive, when transposed in Ireland, will place greater levels of responsibility on C-suite management in this regard. Competent authorities will have the power, where there has been a failure to comply with a direction of a national competent authority, to prohibit temporarily any natural person who is responsible for discharging managerial responsibilities at chief executive officer or legal representative level in the entity from discharging those responsibilities.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there specific cybersecurity laws \/ regulations for different industries (e.g., finance, healthcare, 
government)? If so, please provide an overview.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p><a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/PDF\/?uri=CELEX:32022R2554\">The Digital Operational Resilience Act (DORA)<\/a> aims to strengthen the IT security of financial entities such as banks, insurance companies and investment firms. DORA is considered a sector-specific Union legal Act for the purposes of the NIS2 Directive.<\/p>\n<p>In healthcare, although there is no specific separate legislation, the Commission has presented <a href=\"https:\/\/commission.europa.eu\/news\/bolstering-cybersecurity-healthcare-sector-2025-01-15_en\">an EU Action Plan to strengthen the cybersecurity of hospitals and healthcare providers<\/a>. The Action Plan builds on existing legislation, such as the EU-wide legislation on cybersecurity, and extends its scope to include general practices. It focuses on prevention, detection, impact mitigation and deterrence of cyber threats. The Plan also aims to establish a pan-European Cybersecurity Support Centre to provide more tailored guidance to hospitals and healthcare providers. 
By the end of the year, it will be further refined through a collaborative approach and will be rolled out progressively over the next 2 years<sup>4<\/sup>.<\/p>\n<p><u>Footnote(s):<\/u><\/p>\n<p><sup style=\"font-size: 9px\">4<\/sup> <span style=\"font-size: 12px\"> <a href=\"https:\/\/commission.europa.eu\/news\/bolstering-cybersecurity-healthcare-sector-2025-01-15_en\">Bolstering the cybersecurity of the healthcare sector &#8211; European Commission<\/a><\/span><\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What impact do international cybersecurity standards have on local laws and regulations?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The use of internationally accepted standards and specifications relevant to the security of network and information systems is encouraged as a means of compliance by an OES with its obligations under the existing NIS Regulations.<\/p>\n<p>International cybersecurity standards have influenced the NIS2 Directive, and are specifically referenced in the Articles and Preamble.<\/p>\n<p>Article 21 requires that account be taken of international standards in the determination of cybersecurity risk-management measures.<\/p>\n<p>Article 25 provides that, in order to promote convergent implementation of Article 21, Member States shall encourage the use of European and international standards and technical specifications relevant to the security of network and information systems.<\/p>\n<p>The NIS2 Directive acknowledges that ISO\/IEC 30111 and ISO\/IEC 29147 provide guidance on vulnerability handling and vulnerability disclosure. 
Further, the Preamble states that the Commission, ENISA and Member States should continue to foster alignment with international standards in the area of cybersecurity risk management.<\/p>\n<p>Cybersecurity risk-management measures, for which responsibility lies to a great extent with the entities, should address the physical and environmental security of network and information systems by including measures to protect such systems from system failures, human error, malicious acts or natural phenomena, in line with European and international standards, such as those included in the ISO\/IEC 27000 series. The use of international standards is also promoted in the absence of appropriate cybersecurity certification schemes, which may take a number of years to implement.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose obligations in the context of cybersecurity incidents? If so, how do such laws define a cybersecurity incident and under what circumstances must a cybersecurity incident be reported to regulators, impacted individuals, law enforcement, or other persons or entities?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The NIS Regulations set out the following obligations relating to incident notifications:<\/p>\n<p>Regulation 18 provides that an OES shall notify the CSIRT of any incident concerning it that has a significant impact on the continuity of an essential service provided by it in respect of which it is designated as an operator of essential services. The notification shall be made as soon as possible and not later than 72 hours after the OES concerned becomes aware of the occurrence of the incident. 
Regulation 18(4) sets out the factors to be considered in determining whether the incident has a significant impact on the continuity of the essential service.<\/p>\n<p>Regulation 22 provides that a relevant DSP shall notify the CSIRT of any incident that has a substantial impact on the provision by it of a digital service. The notification shall be made not later than 72 hours after the relevant DSP becomes aware of the occurrence of the incident. Section 2(4) sets out factors to take into account in determining whether to notify an incident.<\/p>\n<p>Regulation 6 provides for co-operation, where necessary, between the competent authority and the DPC in relation to any matter concerning the regulations, including in relation to an incident resulting in a personal data breach. Additionally, regulation 6 provides that the competent authority, in accordance with law, may consult and co-operate, where necessary, by sharing information with the Garda S\u00edoch\u00e1na in relation to any matter to which the regulations apply.<\/p>\n<p>The CBI <em>Cross Industry Guidance in respect of Information Technology and Cyber Security Risks<\/em> provides that firms are expected to notify the CBI when they become aware of a cybersecurity incident that could have a significant and adverse effect on the firm\u2019s ability to provide adequate services to its customers, its reputation or its financial condition.<\/p>\n<p>Section 19 of the Criminal Justice Act 2011 imposes a mandatory obligation to report certain cybersecurity offences, in certain circumstances, to the Garda\u00ed.<\/p>\n<p>Providers of public electronic communications networks and services must notify users of a significant threat of a security incident pursuant to the Communications Regulation and Digital Hub Development Agency (Amendment) Act 2023. Providers are required to notify ComReg of any security incident that will have a significant impact on the provider\u2019s networks or services pursuant to this Act as well as the e-Privacy 
Regulations.<\/p>\n<p>The NIS2 Directive will impose further, and more stringent, requirements upon entities in relation to incident reporting in the form of a multi-stage approach. There is also further detail provided for Member States in the handling of serious incidents at national and international levels.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">How are cybersecurity laws in your jurisdiction typically enforced?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under the NIS Regulations, the Minister for the Environment, Climate and Communications is the designated competent authority for the purposes of enforcement against providers in all sectors, as well as digital service providers, other than the banking and financial market infrastructure sectors, for which the Central Bank of Ireland is the designated competent authority. Enforcement actions have been relatively rare under the NIS Regulations, with an emphasis placed on ensuring compliance through supervision and collaboration.<\/p>\n<p>Under regulation 30, competent authorities can, if an authorised officer is of the view that there is non-compliance with the legislation, issue a compliance notice to an entity, requiring it to take certain remedial actions within a specified time period. The consequence for failing to comply with a compliance notice is criminal prosecution.<\/p>\n<p>The provisions relating to enforcement under the NIS2 Directive are broader and afford greater powers to regulators to ensure compliance with the legislation. 
The inclusion of an administrative fines regime will afford considerable power to regulators to ensure compliance.<\/p>\n<p>ComReg is empowered to issue administrative sanctions in response to infringements of the Communications Regulation and Digital Hub Development Agency (Amendment) Act 2023.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What powers of oversight \/ inspection \/ audit do regulators have in your jurisdiction under cybersecurity laws?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The NIS Regulations provide certain powers to competent authorities to enable them to enforce the provisions of the Regulations effectively. These powers include the power to carry out security assessments (regulation 27), which allow competent authorities to assess the compliance of OES and DSPs with security and incident notification requirements. 
Similarly, regulation 31 provides for the issuing of information notices.<\/p>\n<p>As mentioned above, regulation 29 of the NIS Regulations affords powers to authorised officers which allow them to enter premises without consent or a warrant; inspect, examine, and require the production of records or information; secure and retain records or information; require assistance and cooperation from relevant persons; and interview individuals and require truthful answers.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What is the range of sanctions (including fines and penalties) for violations of cybersecurity laws in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>In addition to the issuing of compliance notices to entities, regulation 34 of the NIS Regulations provides that a person guilty of an offence under a number of the provisions is liable, on summary conviction, to a class A fine or, on conviction on indictment, to a fine not exceeding \u20ac50,000 (in the case of an individual) or \u20ac500,000 (in the case of a person other than an individual).<\/p>\n<p>We are not aware of any criminal sanction being applied in respect of an offence under the NIS Regulations to date.<\/p>\n<p>NIS2, when transposed, will bring significantly increased levels of fines for non-compliance with the legislation in addition to further powers aimed at ensuring compliance by essential and important entities. 
This will include measures to heighten the responsibilities placed on management boards of entities.<\/p>\n<p>Where an adjudicator deems that a breach has been committed under the Communications Regulation and Digital Hub Development Agency (Amendment) Act 2023, they may issue a fine of up to \u20ac5,000,000 or 10% of turnover for a corporate body, or up to \u20ac500,000 or 10% of the annual income of a natural person, which must be confirmed by the High Court.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any guidelines or rules published regarding the calculation of such fines or thresholds for the imposition of sanctions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There is no guidance published in respect of the NIS Regulations, having regard to the fact that the fines are imposed by the Court.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are enforcement decisions open to appeal in your jurisdiction? 
If so, please provide an overview of the appeal options.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Regulation 30(8) of the NIS Regulations provides that a person aggrieved by a compliance notice may, not later than 14 working days after the date on which the notice is served on the person, appeal against the notice to a judge of the Circuit Court for the circuit in which the notice was served and, in determining the appeal, the judge may, if he or she is satisfied that it is reasonable to do so, confirm, vary or cancel the notice.<\/p>\n<p>Regulation 31 provides for a right to appeal an information notice. Regulation 31(5) provides that a person on whom an information notice is served may, within 7 working days of the day on which the notice is served, appeal against a requirement specified in the notice to a judge of the Circuit Court for the circuit in which the notice was served and, in determining the appeal, the judge may, if he or she is satisfied that it is reasonable to do so, confirm, vary or cancel the notice.<\/p>\n<p>Any decisions made by the Court in relation to criminal offences under the NIS Regulations are amenable to appeal in the ordinary manner.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any identifiable trends or regulatory priorities in enforcement activity in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There are no identifiable trends in enforcement activity in relation to cybersecurity regulation, which appears to be in stasis pending the transposition of the NIS2 Directive. 
The obvious priority at a national level is the transposition of the NIS2 Directive via the National Cybersecurity Act. Coupled with this, the State is assisting the public bodies who will be designated as national competent authorities under that legislation, in preparation for taking on this role, through the provision of resources, guidance and training.<\/p>\n<p>Having regard to the broadening scope of the NIS2 Directive, a significantly increased number of both public and private entities will be required to comply with its provisions. It is noticeable at this stage, even before the transposition of the legislation, that affected entities are seeking advice on how to prepare for the NIS2 Directive and the requirements that will be imposed affecting their operations.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\r\n<div class=\"word-count-hidden\" style=\"display:none;\">Estimated word count: <span class=\"word-count\">10813<\/span><\/div>\r\n\r\n\t\t\t<\/ol>\r\n\r\n<script type=\"text\/javascript\" src=\"\/wp-content\/themes\/twentyseventeen\/src\/jquery\/components\/filter-guides.js\" async><\/script><\/div>"}},"_links":{"self":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/comparative_guide\/105460","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/comparative_guide"}],"about":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/types\/comparative_guide"}],"wp:attachment":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/media?parent=105460"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}