Operators of crucial services such as drinking water, healthcare and power will have three days to alert the Government of any cyberattacks on their systems which could disrupt the country, under new security measures.
About 70 companies and bodies responsible for services deemed critical for everyday life will have to implement new legally binding security measures on their IT systems, and also adhere to reporting obligations.
The so-called operators of essential services also include transport companies – including air, rail and bus – as well as banks, other financial services and telecoms providers.
Under the regulations, announced on Friday by Minister for Communications, Climate Action and the Environment Richard Bruton, companies experiencing significant outages or loss of service will have to tell a computer security incident response team (CSIRT) in the Minister's department within 72 hours.
They will have to indicate whether the severity of the threat is major, moderate or minor, if known at the time.
They will also have to identify the number of people at risk of being affected, as well as any particular threats to the health and safety of the population, including up to possible loss of life.
“We must ensure that those who operate essential services in the State are protected from hacking and other cyber risks,” said Mr Bruton.
“These new guidelines will ensure that the relevant organisations have the necessary safeguards in place to protect themselves and the people they serve.”
Mr Bruton said the measures will form part of a wider programme for protecting State infrastructure, which will be contained in the new National Cyber Security Strategy, which is currently being finalised.
“Internet-based technologies are now fully embedded in everything we do,” he said.
“This has huge benefits but brings with it new risks which we must safeguard against. These new guidelines will ensure our essential services operate in accordance with best practice.”