EU Cybersecurity proposals pose significant risks for Ireland and Irish businesses – Digital Business Ireland

Digital Business Ireland (DBI) has called on the Irish Government to seek changes to the European Commission’s proposal to revise the EU Cybersecurity Act.

DBI warned that the current proposals, known as CSA2, pose significant risks for Ireland and Irish businesses, as they are very broad and lack sufficient detail – especially in terms of non-technical standards that could potentially apply to every ICT device used by a business.

DP Fitzgerald, a spokesperson for DBI, stated: “This proposal could affect up to 18 key sectors of the economy and public service — including energy, health, transport, and financial services – and the breadth and lack of detail in the proposal risks creating unintended consequences across the wider economy with SMEs, at risk of being disproportionately impacted”.

The proposed revision also provides for a significant centralisation of powers at EU level, introducing binding, EU-wide ICT supply-chain measures. This includes the ability for the European Commission to designate “high-risk suppliers”, impose mandatory restrictions, or phase out obligations directly on electronic communications networks.

DBI have highlighted that the proposal to designate entire third countries as ‘high-risk’ is particularly worrying, as it would automatically classify all suppliers from those countries as high-risk and impose blanket bans on them, creating significant risks for businesses in Ireland with global supply chains.

DP Fitzgerald stated: “Removing national discretion is especially problematic for smaller Member States such as Ireland. A one-size-fits-all approach could undermine Ireland’s digital competitiveness, disrupt existing infrastructure investments, and limit our ability to respond proportionately to risk. Ireland already operates a robust, best-in-class cybersecurity framework, and we should not be disadvantaged for having achieved an effective and proportionate regime”.

DBI has written to the Minister for Justice, calling on the Government to seek changes to CSA2 to:

—  Respect and protect Ireland’s national competencies.
—  Ensure that any non- technical criteria are objective, risk-based and verifiable.
—  Ensure any proposed new restrictions are proportionate to the assessed risk.

Digital Business Ireland has welcomed comments by the Minister for Communications, Patrick O’Donovan, who stated Ireland does “not believe in protectionism and, before applying security restrictions on products in sensitive supply chains, we will need to take a balanced and proportionate risk-based assessment to implement these types of measures”