← Ireland

Communications Regulation and Digital Hub Development Agency (Amendment) Act 2023

In short

This law amends existing legislation concerning communications regulation and the Digital Hub Development Agency. It primarily focuses on enhancing the security of communication networks and services, protecting consumers, and improving the resolution of complaints and disputes.

What it regulates

Who it concerns

Key points

📄 Legal text
Communications Regulation and Digital Hub Development Agency (Amendment) Act 2023 Skip to content Disclaimer Feedback Helpdesk Gaeilge LĂ©im go dtĂ­ an t-ĂĄbhar SĂ©anadh Aiseolas Deasc chabhrach English Gaeilge English Produced by the Office of the Attorney General TĂĄirgthe ag Oifig an Ard-Aighne Home Legislation Acts of the Oireachtas Statutory Instruments Pre-1922 Legislation Constitution External Resources Bills (Houses of the Oireachtas) Iris OifigiĂșil / Official Gazette Revised Acts (LRC) Classified List of Legislation (LRC) Translations (acts.ie) Translations (Houses of the Oireachtas) Government Publications for Sale EU Law (EUR-Lex) FAQ Disclaimer Feedback Helpdesk Search Baile ReachtaĂ­ocht Achtanna an Oireachtais IonstraimĂ­ ReachtĂșla ReachtaĂ­ocht RĂ©amh-1922 Bunreacht AcmhainnĂ­ Seachtracha BillĂ­ (Tithe an Oireachtais) Iris OifigiĂșil Achtanna Athbhreithnithe (CAD) (An CoimisiĂșn um AthchĂłiriĂș an DlĂ­) Liosta Rangaithe ReachtaĂ­ochta AistriĂșchĂĄin (achtanna.ie) AistriĂșchĂĄin (Tithe an Oireachtais) FoilseachĂĄin Rialtais ar DĂ­ol DlĂ­ AE (EUR-Lex) CCanna (Ceisteanna Coitianta) SĂ©anadh Aiseolas Deasc chabhrach Cuardach TitleTeideal Year(s) or rangeBliain nĂł blianta nĂł raon TypeCineĂĄl All Legislation Acts Statutory Instruments Advanced SearchCuardach Casta HomeBaile ActsAchtanna 2023 Communications Regulation and Digital Hub Development Agency (Amendment) Act 2023 Communications Regulation and Digital Hub Development Agency (Amendment) Act 2023 Permanent Page URL View by SectionAmharc de rĂ©ir Ailt View Full ActAmharc ar an Acht IomlĂĄn Bill History Stair Bille Commencement, Amendments, SIs made under the Act Tosach Feidhme, Leasuithe, IRĂ­ arna ndĂ©anamh faoin Acht Open PDFOscail PDF Print Full ActPriontĂĄil an tAcht IomlĂĄn Number 4 of 2023 COMMUNICATIONS REGULATION AND DIGITAL HUB DEVELOPMENT AGENCY (AMENDMENT) ACT 2023 CONTENTS PART 1 Preliminary and General Section 1. Short title, collective citation, construction and commencement 2. Interpretation 3. Regulations 4. Exercise of powers of authorised officers for purposes of Act PART 2 Security of Networks and Services 5. Interpretation (Part 2) 6. Obligation on providers to take measures to manage risk 7. Security measures guidelines 8. Courts, etc. to have regard to security measures guidelines 9. Commission to have regard to security measures guidelines in connection with carrying out functions 10. Adjudicator to have regard to security measures guidelines in connection with carrying out functions 11. Providers to notify Commission of any incident of significant impact on networks or services 12. Providers to notify users of particular and significant threat of security incident 13. Commission to seek to ensure compliance by providers with Part 2 14. Power of Commission to serve security measures directions 15. Security audits 16. Assistance and information sharing 17. Appeal of decisions, etc. under Part 2, Part 4 or Code Regulations 18. Appeal to Court of Appeal from decision under section 17 PART 3 Security measures in respect of certain vendors 19. Interpretation (Part 3) 20. Critical components 21. Minister to assess likelihood of vendor being subjected to interference by third country 22. Assessment as relevant vendor 23. Minister may consult for the purposes of assessments under this Part 24. Obligation to provide information for the purposes of assessments under this Part 25. Relevant vendor measures 26. Confidentiality of relevant vendor notice 27. Consultation before taking measures under section 25 28. Appeal of relevant vendor measure 29. Material not publicly available that relates to security of the State 30. Hearing of appeal of relevant vendor measure other than in public 31. Appeal to Court of Appeal from decision under section 28 32. Commission to report to Minister on this Part 33. Commission to monitor providers’ compliance with relevant vendor measures 34. Review of operation of Part PART 4 Measures to assist consumers and other end-users 35. Interpretation (Part 4) 36. Commission may require publication of information on quality of service 37. Minimum quality-of-service standards 38. Customer charters 39. End-user compensation PART 5 Resolution of complaints and disputes 40. Interpretation (Part 5) 41. Procedures for handling complaints and resolution of disputes 42. Handling of complaints and resolution of disputes to be provided for in code of practice 43. Provider to report on end-user complaints 44. Commission may require information regarding end-user complaints 45. Notification to end-user of right to refer dispute to Commission 46. Commission may require provider to comply with code of practice 47. Resolution of relevant disputes by Commission 48. Procedure for resolution of disputes by Commission 49. Direction 50. Disputes involving parties in more than one Member State 51. Remuneration and expenses of person appointed by Commission to carry out dispute resolution process 52. Enforcement 53. Commission to be listed as alternative dispute resolution entity 54. Procedure under this Part without prejudice to other remedies 55. Application of Universal Service Regulations to certain disputes 56. Continuation of measures under Universal Services Regulations PART 6 Interim Measures 57. Urgent interim measures 58. Imposition of urgent interim measures by High Court PART 7 Administrative Sanctions Chapter 1 Interpretation and application of Part 7 59. Interpretation (Part 7) 60. Regulatory provisions and power of Minister to apply Part to certain breaches 61. Application of Part Chapter 2 Preliminary procedure 62. Power of Commission to resolve suspected regulatory breach, etc. 63. Notice of suspected non-compliance 64. Supplementary notice of suspected non-compliance 65. Commission may revoke notice of suspected non-compliance, etc. 66. Commission may publish notice of suspected non-compliance, etc. 67. Commitments 68. Settlements 69. Actions by authorised officer following investigation 70. Referral report 71. Referral of matter by authorised officer to adjudicator for adjudication 72. Withdrawal by Commission of matter referred to adjudicator 73. Power of Commission to share certain documents 74. Regulations and rules relating to referrals to adjudicator Chapter 3 Adjudicators 75. Nomination of adjudicators 76. Appointment of adjudicators 77. Independence of adjudicators 78. Regulations to ensure independence of adjudicators 79. Adjudicators may sit together 80. Regulations in relation to adjudicators 81. Assistants to adjudicators 82. Effect of appointment as adjudicator on terms of employment or contract with Commission Chapter 4 Procedure following referral to adjudicator 83. Notification by adjudicator following referral 84. Actions following referral under section 68(3)(c) 85. Actions following referral under section 71 86. Admissibility of evidence and rules for oral hearings conducted by adjudicators 87. Powers of adjudicators and offences 88. Orders for costs in proceedings before adjudicator 89. Regulations in relation to proceedings before adjudicator 90. Decision of adjudicator in relation to breach 91. Decision of adjudicator in relation to administrative sanction 92. Adjudication to take effect when confirmed by High Court 93. Notice of adjudication Chapter 5 Imposition of administrative sanctions 94. Requirement to pay financial penalty 95. Requirement to pay refund 96. Requirement to pay compensation 97. Suspension or withdrawal of authorisation or rights of use 98. Guidelines 99. Regulations in relation to certain matters Chapter 6 Admissibility of certain evidence 100. Admissibility of evidence before Commission Chapter 7 Restrictions on disclosure of certain information 101. Restrictions on disclosure of certain information 102. Confidentiality rings Chapter 8 Appeals, confirmation and judicial review of certain decisions 103. Interpretation (Chapter 8 of Part 7) 104. Decisions reviewable only by appeal under this Chapter 105. Appeal against urgent interim measures notice 106. Appeal against adjudication 107. Conduct of appeals 108. Orders for costs by Court on appeal 109. Court confirmation of adjudication 110. Publication of adjudication 111. Adjudicator may refer question of law to Court 112. Judicial review 113. Appeals to Court of Appeal 114. Treatment of amounts paid to Commission pursuant to Part 7 115. Non-applicability of limitation periods to certain actions 116. Commission to collect information relating to appeals and decisions to grant interim measures Chapter 9 Revocation, transitional provisions and consequential amendments 117. Transitional provision where certain notifications have been given PART 8 Amendment of Code Regulations 118. Amendment of Code Regulations PART 9 Miscellaneous Amendments to Principal Act 119. Amendment of section 2 of Principal Act 120. Amendment of section 10 of Principal Act 121. Power of Minister to request advice from Commission 122. Power of Commission to obtain information 123. Power of Commission to share information with Minister 124. Amendment of section 39 of Principal Act 125. Amendment of section 40 of Principal Act 126. Amendment of section 43 of Principal Act 127. Undertaking not to overcharge or charge for services not supplied 128. Commission may apply to High Court for order to restrain certain repeated or apprehended contraventions 129. Amendment of section 46B(1) of Principal Act 130. Amendment of section 46D of Principal Act 131. Amendment of section 57A of Principal Act 132. Service of notices 133. Miscellaneous amendments to Principal Act 134. Amendment to Part 2 of Schedule 1 to Principal Act PART 10 Amendments to Digital Hub Development Agency Act 2003 135. Amendment of Digital Hub Development Agency Act 2003 PART 11 Amendment to Postal and Telecommunications Services Act 1983 136. Financing for the purposes of maintaining post office network and countering consequences of Brexit Acts Referred to Broadcasting Act 2009 (No. 18) Civil Law and Criminal Law (Miscellaneous Provisions) Act 2020 (No. 13) Communications Regulation (Amendment) Act 2007 (No. 22) Communications Regulation (Premium Rate Services and Electronic Communications Infrastructure) Act 2010 (No. 2) Communications Regulation Act 2002 (No. 20) Communications Regulation Acts 2002 to 2017 Companies Act 2014 (No. 38) Competition (Amendment) Act 2022 (No. 12) Competition Act 2002 (No. 14) Consumer Rights Act 2022 (No. 37) Defence Act 1954 (No. 18) Digital Hub Development Agency Act 2003 (No. 23) European Communities Act 1972 (No. 27) Freedom of Information Act 2014 (No. 30) Local Government Act 2001 (No. 37) Postal and Telecommunications Services Act 1983 (No. 24) Probation of Offenders Act 1907 (7 Edw. 7 c. 17) Statute of Limitations (Amendment) Act 1991 (No. 18) Statute of Limitations 1957 (No. 6) Wireless Telegraphy Act 1926 (No. 45) Number 4 of 2023 COMMUNICATIONS REGULATION AND DIGITAL HUB DEVELOPMENT AGENCY (AMENDMENT) ACT 2023 An Act to give effect to certain provisions of Directive 2018/1972 of the European Parliament and of the Council of 11 December 2018 1 establishing the European Electronic Communications Code; to provide that providers of public electronic communications networks and providers of publicly available electronic communications services take appropriate and proportionate measures to manage the risks posed to the security of networks and services; to enable the Minister to take measures in respect of the supply of critical components by certain vendors in order to safeguard the security of supply of such components; to provide for measures to assist consumers and other end-users; to provide for the resolution of certain complaints and disputes; to provide for interim measures to prevent certain breaches; to lay down rules on administrative sanctions applicable to breaches of regulatory provisions, including provisions adopted, and binding decisions of the Commission for Communications Regulation, pursuant to that Directive, in order to ensure that such provisions are implemented and that penalties for failure to do so are appropriate, effective, proportionate and dissuasive; to amend the European Union (Electronic Communications Code) Regulations 2022 ( S.I. No. 444 of 2022 ); to amend the Communications Regulation Act 2002 ; to amend the Digital Hub Development Agency Act 2003 ; to amend the Postal and Telecommunications Services Act 1983 to enable funding to be made available for the purposes of maintaining the post office network and countering consequences of withdrawal of the United Kingdom from the European Union; and to provide for related matters. [2nd March, 2023] Be it enacted by the Oireachtas as follows: PART 1 Preliminary and General Short title, collective citation, construction and commencement 1. (1) This Act may be cited as the Communications Regulation and Digital Hub Development Agency (Amendment) Act 2023. (2) The Communications Regulation Acts 2002 to 2017 and this Act (other than Parts 10 and 11 ) may be cited together as the Communications Regulation Acts 2002 to 2023 and shall be construed together as one. (3) This Act, other than this Part, shall come into operation on such day or days as the Minister may appoint by order or orders either generally or with reference to any particular purpose or provision and different days may be so appointed for different purposes or different provisions. Interpretation 2. (1) In this Act— “Act of 1926” means the Wireless Telegraphy Act 1926 ; “Act of 1972” means the European Communities Act 1972 ; “BEREC” means the Body of European Regulators for Electronic Communications; “breach of conditions” means a breach of the conditions of— (a) a general authorisation, (b) any rights of use for radio spectrum, (c) any rights of use for numbering resources, or (d) the specific obligations referred to in Article 13(2) of the Directive; “Code Regulations” means the European Union (Electronic Communications Code) Regulations 2022 ( S.I. No. 444 of 2022 ); “Commission” means the Commission for Communications Regulation; “consumer” means any individual who uses or requests a publicly available electronic communications service for purposes which are outside his or her trade, business, craft or profession; “date of service”, in relation to a notice or notification, means the date on which the notice or notification is given in accordance with section 60 of the Principal Act; “Directive” means Directive 2018/1972 of the European Parliament and of the Council of 11 December 20182 establishing the European Electronic Communications Code (Recast); “general authorisation” means an authorisation for a person to provide an electronic communications network or service under and in accordance with regulations made under the Act of 1972 giving effect to Article 12 of the Directive; “Minister” means Minister for the Environment, Climate and Communications; “prescribed” means prescribed by regulations made by the Minister; “Principal Act” means the Communications Regulation Act 2002 ; “record” means any memorandum, book, report, statement, register, plan, chart, map, drawing, specification, diagram, program, algorithm, data, code, software, formula, pictorial or graphic work or other document, any photograph, film or recording (whether of sound or images or both), any form (including machine-readable form) or thing in which data (such as engineering data or personal data) or information is held or stored manually, mechanically, digitally or electronically and anything that is a part or a copy in any form, of any of, or any combination of, the foregoing, whether claimed as confidential or not; “regulatory breach” means a failure to comply with— (a) a regulatory provision, (b) a relevant vendor measure, (c) a confidentiality requirement of the Minister under section 26 (1), (d) a direction under section 33 (2), (e) a commitment under section 67 , or (f) an urgent interim measure; “regulatory provision” has the meaning given to it by section 60 ; “relevant vendor measure” has the meaning given to it by section 25 ; “urgent interim measures” and “urgent interim measures notice” each has the meaning given to it by section 57 . (2) A word or expression that is used in this Act and that is also used in the Directive has, unless the context otherwise requires, the same meaning in this Act that it has in the Directive. Regulations 3. (1) The Minister may make regulations in relation to any matter referred to in this Act as prescribed or to be prescribed or to be the subject of regulations, or otherwise for the purpose of enabling any of its provisions to have full effect. (2) Regulations made under this Act may contain such incidental, supplementary, consequential or transitional provisions as appear to the Minister to be necessary for the purposes of the regulations. (3) The Minister may consult with the Commission before making regulations under this Act. (4) Every regulation under this Act shall be laid before each House of the Oireachtas as soon as may be after it has been made and, if a resolution annulling the regulation is passed by either such House within the next 21 days on which that House has sat after the regulation is laid before it, the regulation shall be annulled accordingly, but without prejudice to the validity of anything previously done thereunder. Exercise of powers of authorised officers for purposes of Act 4. An authorised officer may exercise any powers exercisable by him or her under the Principal Act (other than a power exercisable for a purpose specified in section 39(3A) of the Principal Act) for the purposes of this Act. PART 2 Security of Networks and Services Interpretation (Part 2) 5. In this Part— “CSIRT” means the unit of the Department of the Environment, Climate and Communications known as the computer security incident response team; “ENISA” means the European Union Agency for Network and Information Security; “provider” means a provider of public electronic communications networks or of publicly available electronic communications services; “security audit” means the process of examining and evaluating, by such means as are necessary, a provider’s overall ability to appropriately manage the risks posed to the security of networks and services, including the provider’s ability to prevent and minimise the impact of security incidents on users and on other networks and services; “security incident” means any action that compromises the availability, authenticity, integrity or confidentiality of networks and services, of stored or transmitted or processed data, or of the related services offered by, or accessible via, those electronic communications networks or services; “security measures guidelines” has the meaning given to it by section 7 ; “security of networks and services” means the ability of electronic communications networks and services to resist, at a given level of confidence, any action that compromises the availability, authenticity, integrity or confidentiality of those networks and services, of stored or transmitted or processed data, or of the related services offered by, or accessible via, those electronic communications networks or services. Obligation on providers to take measures to manage risk 6. (1) Providers shall take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of networks and services. (2) Measures taken in accordance with subsection (1) shall ensure a level of security appropriate to the risk presented having regard to the state of the art. (3) In particular, measures, including the use of encryption where appropriate, shall be taken by providers to prevent security incidents and minimise the impact of any security incident on users and on other networks and services. (4) The Minister, having consulted with the Commission, may make regulations in relation to the types of measures to be taken by providers to manage risks in accordance with subsection (1). (5) Regulations under subsection (4) may— (a) contain such incidental, supplementary and consequential provisions as appear to the Minister to be necessary or expedient for the purposes of ensuring that risks posed to the security of networks and services are appropriately managed, (b) apply generally or to such class of providers, electronic communications networks or electronic communications services, technologies, equipment, associated facilities or associated services as the Minister may prescribe, and (c) include different provisions in relation to different classes of providers, electronic communications networks or electronic communications services, technologies, equipment, associated facilities or associated services. (6) Subject to subsection (8), the Minister shall, before making regulations under subsection (4), publish a draft of the proposed regulations on a website maintained by or on behalf of the Department of the Environment, Climate and Communications and allow a period of 30 days beginning on the day on which the draft is published during which persons may make written representations to the Minister in relation to the proposed regulations. (7) The Minister may, having considered any representations received during the period specified in subsection (6), make the regulations with or without modification. (8) Where the Minister is satisfied that regulations under subsection (4) are required urgently in order to prevent a serious imminent risk to the security of networks and services, to the health or safety of persons or to property, the Minister may make the regulations without complying with subsection (6). (9) Subsections (1), (2) and (3) areregulatory provisions. (10) A provider that fails to comply with a provision of regulations made under this section that is stated in the regulations to be a penal provision commits an offence and is liable on summary conviction to a class A fine. Security measures guidelines 7. (1) The Minister may, for the purpose of providing practical guidance to providers, having consulted with the Commission and such other persons as he or she may consider appropriate— (a) prepare and publish guidelines on the implementation of technical and organisational measures to manage the risks posed to the security of networks and services, and (b) approve guidelines, or any part of guidelines, on the implementation of technical and organisational measures to manage the risks posed to the security of networks and services made or published by another person, (each referred to in this Act as “security measures guidelines”). (2) Without prejudice to the generality of subsection (1), security measures guidelines may relate to any of the following: (a) the risks posed to the security of networks and services; (b) the types of measures considered appropriate for securing electronic communications networks and services; (c) guidance on the implementation methods of specified measures; (d) standards or technical specifications that may be considered appropriate for the implementation of specified measures; (e) certification schemes that may be considered appropriate to adopt for the implementation of specified measures; (f) commencement times for certain measures; (g) transitional provisions for providers. (3) Before publishing or approving security measures guidelines, the Minister shall publish a draft of the proposed guidelines on a website maintained by or on behalf of the Department of the Environment, Climate and Communications and allow a period of 30 days beginning on the day on which the draft is published during which persons may make written representations in relation to the proposed guidelines. (4) The Minister may, having considered any representations received during the period specified in subsection (3), publish or, as the case may be, approve the guidelines with or without modification. (5) Where the Minister approves guidelines he or she shall publish the approved guidelines or a notice to that effect. (6) Where the Minister is satisfied that security measures guidelines are required urgently in order to prevent a serious imminent risk to the security of networks and services, to the health or safety of persons or to property, the Minister may publish or approve the guidelines without consulting in accordance with subsection (3). (7) The Minister may publish security measures guidelines in such form or manner as he or she considers appropriate, including on the internet, and any security measures guidelines published shall specify the date from which they have effect. Courts, etc. to have regard to security measures guidelines 8. In any legal proceedings before a court or tribunal, the court or tribunal shall have regard to a security measures guideline in determining any question arising in the proceedings if— (a) the question relates to a time when the guideline was in force, and (b) the guideline appears to the court or tribunal to be relevant to the question. Commission to have regard to security measures guidelines in connection with carrying out functions 9. The Commission shall have regard to any security measures guideline in determining any question arising in relation to it carrying out its functions if— (a) the question relates to a time when the guideline was in effect, and (b) the guideline appears to the Commission to be relevant to determining the question. Adjudicator to have regard to security measures guidelines in connection with carrying out functions 10. An adjudicator shall have regard to any security measures guideline in determining any question arising in relation to it carrying out its functions under Part 7 if— (a) the question relates to a time when the guideline was in force, and (b) the guideline appears to the adjudicator to be relevant to the question. Providers to notify Commission of any incident of significant impact on networks or services 11. (1) A provider shall, where any security incident occurs that has had or is having a significant impact on the operation of the provider’s electronic communications networks or services, notify the Commission in accordance with subsection (3) without undue delay. (2) In order to determine whether the impact of a security incident is significant for the purposes of subsection (1) a provider shall have regard to the following matters in respect of the incident: (a) the duration of the incident; (b) the number of users affected; (c) any class of users particularly affected; (d) the geographical area affected; (e) the extent to which the functioning of the network or service was affected; (f) the impact of the incident on economic and societal activities; (g) the cause of the incident and any particular circumstances that resulted in the security incident. (3) A notification made under subsection (1) shall contain the following information in relation to the incident: (a) the provider’s name; (b) the public electronic communications network or publicly available electronic communications services provided by it affected by the incident; (c) the date and time the incident occurred and its duration; (d) the information specified in paragraphs (a) to (g) of subsection (2). (e) information concerning the nature and impact of the incident; (f) information concerning any or any likely cross-border impact; (g) such other information as the Commission may specify. (4) Where a provider notifies the Commission of an incident in accordance with this section it shall, as soon as practicable, notify the Commission when the incident is resolved and of the actions taken by it to remedy the incident and, where applicable, any actions taken to reduce the likelihood of a similar incident occurring in the future. (5) Where the Commission is notified of a security incident under subsection (1) it shall— (a) inform the Minister of the notification, and (b) where the Commission, having consulted with the Minister, considers it appropriate to do so, notify the competent authorities of other Member States and ENISA. (6) Where the Commission determines, having consulted with the Minister, that the disclosure of a security incident notified under subsection (1) is in the public interest it may inform the public of the incident or require the provider concerned to do so. (7) Subsections (1), (2), (3) and (4) are regulatory provisions. (8) A provider— (a) who fails to notify the commission in accordance with subsection (1). (b) who fails to make all reasonable efforts to provide the information referred to in subsection (3), or (c) that is required by the Commission under subsection (6) to inform the public of a security incident and that fails to do so, commits an offence and is liable on summary conviction to a class A fine. (9) The Commission shall in each year submit a summary report to the Minister, the European Commission and ENISA on the notifications received and the actions taken by the Commission in accordance with this section. Providers to notify users of particular and significant threat of security incident 12. (1) In the case of a particular and significant threat of a security incident in public electronic communications networks or publicly available electronic communications services, a provider of such networks or services shall— (a) inform its users potentially affected by such a threat of any possible protective measures or remedies which can be taken by the users, and (b) where appropriate, inform its users of the threat itself. (2) Subsection (1) is a regulatory provision. (3) A provider who fails to inform its users in accordance with subsection (1)(a) commits an offence and is liable on summary conviction to a class A fine. Commission to seek to ensure compliance by providers with Part 2 13. The Commission shall take reasonable steps to ensure that providers comply with the obligations placed on them by or under this Part. Power of Commission to serve security measures directions 14. (1) A provider shall, on the request of the Commission, provide the Commission with the information needed to assess the security of the provider’s networks and services, including documented security policies. (2) The Commission may serve a direction (referred to in this Part as a “security measures direction”) on a provider— (a) to remedy a security incident, (b) to prevent a security incident from occurring when a significant threat has been identified, or (c) to ensure that the provider is in compliance with this Part. (3) Without prejudice to the generality of subsection (2), a security measures direction may require a provider to do one or more of the following: (a) to implement specified measures within specified time limits to remedy a security incident or prevent one from occurring when a significant threat has been identified; (b) where the Commission has reasonable grounds to believe that a provider is failing, or has failed, to act in accordance with this Part, regulations under this Part or security measures guidelines, to provide a statement to the Commission indicating what measures the provider has taken to comply with the relevant regulations or guidelines and, where the provider has failed to act in accordance with regulations or guidelines, explaining the reasons for such failure; (c) to provide information needed to assess the security of their networks and services, including documented security policies; (d) to submit to a security audit by the Commission or a qualified independent person nominated by the Commission and make the results of any security audit not carried out by the Commission available to the Commission; (e) to bear the costs of an audit under paragraph (d). (f) to implement specified measures within specified time limits in order to remedy any deficiencies identified during an assessment referred to in paragraph (c) or a security audit referred to in paragraph (d). (4) A direction under subsection (2) takes effect— (a) immediately upon its service, where the Commission considers, and states in the direction, that it is necessary that the direction take effect immediately to prevent a serious imminent risk to the security of networks and services, the health or safety of persons or to property, and (b) in any other case upon the expiration of the period allowed for representations to be made under subsection (5). (5) A provider that is the subject of a security measures direction may make written representations to the Commission in respect of the direction within the period of 14 days beginning on the date on which the direction is served on the provider and the Commission shall consider any representations made to it during that period and affirm (with or without modification) or withdraw the direction. (6) Where a direction is affirmed under subsection (5) the Commission shall notify the provider concerned. (7) A provider that fails to comply with a security measures direction commits an offence and is liable on summary conviction to a class A fine. Security audits 15. (1) Where the Commission serves a security measures direction on a provider requiring the provider to submit to a security audit the Commission may appoint such member of the staff of the Commission, or such other suitably qualified independent person as the Commission considers appropriate,(referred to in this section as a “security auditor”) to carry out the security audit in accordance with the direction. (2) A security auditor shall, on his or her appointment, be provided by the Commission with a certificate of his or her appointment and when exercising a power referred to in subsection (3) shall, if requested by any person thereby affected, produce such certificate to that person for inspection. (3) Where the Commission serves a security measures direction on a provider requiring the provider to submit to a security audit a security auditor may, for the purposes of carrying out the audit, exercise any power exercisable by an authorised officer under the Principal Act (other than a power exercisable for a purpose specified in section 39(3A) of the Principal Act) and where a security auditor exercises such a power a reference to an authorised officer exercising such a power in the Principal Act shall include a reference to the security auditor. Assistance and information sharing 16. (1) The Commission may, for the purposes of exercising its functions under this Part, consult, cooperate, share information with, or obtain the assistance of— (a) the CSIRT, (b) a Computer Security Incident Response Team in another Member State designated pursuant to Article 9 of Directive (EU) 2016/11483 , and (c) a national regulatory authority in another Member State to whom a task under the Directive has been assigned. (2) The Commission shall, where appropriate, consult and cooperate with the Garda SĂ­ochĂĄna, the competent authorities designated in accordance with Regulations 7 and 8 of the European Union (Measures for a High Common Level of Security of Network and Information Systems) Regulations 2018 ( S.I. No. 360 of 2018 ), the competent authorities within the meaning of Article 8(1) of Directive (EU) 2016/11484 and the Data Protection Commission in relation to any matter concerning this Part. (3) The Commission shall consult and cooperate with the Data Protection Commission in relation to any incident involving personal data (within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 20165 ). (4) Information shared under this Part may include personal data. (5) Where the Commission receives or shares information under this Part in relation to a provider the Commission shall take all reasonable steps to protect the confidentiality of the information so shared, the security of networks and services and the commercial interests of the provider to which the information relates. Appeal of decisions, etc. under Part 2, Part 4 or Code Regulations 17. (1) Neither a decision or a requirement of— (a) the Commission under this Part or Part 4 , or the Code Regulations (other than Regulation 98 and 99), or (b) the Minister under Regulation 70, 76 or 100 of the Code Regulations, shall be challenged, including as to its validity, other than by way of an appeal under this section. (2) For the avoidance of doubt, in respect of a decision or requirement referred to in subsection (1) no proceeding (including an application for judicial review) may be brought before the courts other than an appeal under this section. (3) A person affected by a decision or a requirement of— (a) the Commission under this Part or Part 4 , or the Code Regulations (other than Regulation 98 and 99), or (b) the Minister under Regulation 70, 76 or 100 of the Code Regulations, (referred to in this section as the “decision”) may, not later than 28 days after the person receives notice of the decision, appeal the decision to the High Court. (4) Pending the outcome of an appeal, the decision of the Commission or the Minister, as the case may be, shall stand unless on application to the High Court, the Court suspends the application of the decision until the determination of an appeal or its withdrawal. (5) The respondent to an appeal referred to in subsection(3)(a) shall be the Commission. (6) The respondent to an appeal referred to in subsection (3)(b) shall be the Minister. (7) A person that brings an appeal under this section shall, on the same date as it makes such appeal notify the respondent of the fact that it has made the appeal and of the grounds on which it has made the appeal. (8) The High Court may, for the purpose of ensuring the efficient, fair and timely determination of an appeal, give directions in respect of the conduct of the appeal. (9) An appellant shall, when making an appeal precisely state all of the grounds in law and fact upon which the appeal is made and shall provide to the Court all of the documents and evidence which it is alleged support the granting of the appeal or upon which the appellant intends to rely to support those grounds. (10) Subject to subsection (11), a party to an appeal shall not be entitled during the course of an appeal to make submissions to the Court other than submissions related to the grounds stated, or documents and evidence provided under subsection (9). (11) The Court may, upon application and where it considers it necessary for the fair and proper determination of an appeal, require or permit a party to an appeal to— (a) make submissions to the Court other than submissions related to the grounds stated or documents and evidence provided under subsection (9), and (b) provide documents or evidence to the Court other than documents or evidence provided under subsection (9). (12) Notwithstanding subsection (11), the Court shall refuse to consider submissions, documents or evidence where it considers that— (a) the submissions, documents or evidence are not relevant to the appeal, or (b) it is appropriate to do so in order to avoid undue repetition of submissions. (13) Where the Court has granted leave to deliver additional submissions, documents or evidence on an application under subsection (11), the Court shall give directions as to the scope, form and time-frame for delivery of such additional submissions, documents or evidence. (14) The Court may receive evidence by oral examination in court, by affidavit, or by deposition taken before an examiner or commissioner. (15) The Court, on hearing an appeal against a decision, may consider— (a) whether the jurisdiction existed to make the decision, (b) whether the law was correctly applied in reaching the decision, or (c) whether the decision is supported by the evidence including evidence admitted in accordance with subsection (11). (16) In considering an appeal, the Court shall have regard to— (a) the record of the decision the subject of the appeal, (b) the grounds stated by the parties to the appeal, and documents and evidence relied upon by the parties to support those grounds, under subsection (9), and (c) any submissions, documents or evidence admitted under subsection (11). (17) The Court may, on the hearing of an appeal against a decision— (a) confirm the decision, or (b) where it is satisfied by reference to the grounds of appeal that a serious and significant error of law or fact, or a series of minor errors of law or fact which when taken together amount to a serious and significant error, was made in making the decision, or that the decision was made without complying with fair procedures, annul the decision in its totality or in part, and— (i) remit the decision for reconsideration by the Commission or the Minister, as the case may be, subject to such directions as the Court considers appropriate, or (ii) vary the decision and substitute such other decision as the Court considers appropriate. Appeal to Court of Appeal from decision under section 17 18. The decision of the High Court under section 17 shall be final and no appeal shall lie from the decision of the High Court to the Court of Appeal in any case save with leave of the High Court, which leave shall only be granted where the High Court certifies that its decision involves a point of law of exceptional public importance and that it is desirable in the public interest that an appeal should be made to the Court of Appeal. PART 3 Security measures in respect of certain vendors Interpretation (Part 3) 19. In this Part— “component” includes any function, technology, equipment, hardware, software, facility, good or service used in the provision of electronic communications networks or electronic communications services; “critical component” means a critical component prescribed by the Minister under section 20 ; “provider” means a provider of public electronic communications networks or of publicly available electronic communications services; “relevant vendor” means a vendor, in respect of which the Minister has made an assessment under section 22 ; “third country” means a country other than a Member State of the European Union, an EEA state, Switzerland and the United Kingdom; “vendor” means a person who, normally for remuneration, provides components, functions, technology, equipment, hardware, software, facilities or services to providers of electronic communications networks to build or operate the network. Critical components 20. (1) The Minister may prescribe any component or any class of components as a critical component or critical components. (2) Without prejudice to the generality of subsection (1), in prescribing a component or class of components, the Minister may have regard to: (a) the impact a compromise of a component referred to in subsection (1) would have on the availability, authenticity, integrity or confidentiality of those networks and services; (b) the likelihood of a compromise of such a component; (c) the extent of the impact a compromise of such a component would have on national security, or economic or societal activities; (d) the number of users likely affected by a compromise of such a component. Minister to assess likelihood of vendor being subjected to interference by third country 21. (1) The Minister may assess at any time, and on an ongoing basis, the likelihood of a vendor being subjected to interference by a third country. (2) Without prejudice to the generality of the matters that the Minister may consider for the purposes of subsection (1), the Minister shall have regard to the following matters when making an assessment under that subsection: (a) whether or not a strong link exists between the vendor and the government of any third country; (b) the status of the rule of law and the political situation within the third country in question, in particular whether or not there is democratic or legislative oversight, including an independent judiciary, in place, and whether or not data protection or security agreements exist between the European Union and the third country in question; (c) the characteristics of the vendor’s business ownership and practices, in particular whether the ownership structure is transparent and whether the vendor’s sources of finance are transparent; (d) the ability of the third country in question to exert any form of pressure upon the vendor, including in relation to influencing where equipment is to be manufactured; (e) whether or not the third country, from which the vendor originates, conducts or is associated with an offensive cyber policy. Assessment as relevant vendor 22. (1) Where the Minister makes an assessment— (a) in accordance with section 21 , that there is a likelihood of a vendor being subjected to interference by a third country, (b) that there is a significant risk that a vendor will not be able to secure supply of critical components, (c) that the overall quality of critical components supplied by a vendor is inadequate, or (d) that the cybersecurity practices of a vendor are inadequate, the Minister may take measures in accordance with section 25 . (2) The Minister may conduct an assessment under subsection (1) at any time and on an ongoing basis. Minister may consult for the purposes of assessments under this Part 23. The Minister may consult with such persons as the Minister considers appropriate for the purposes of sections 21 and 22 . Obligation to provide information for the purposes of assessments under this Part 24. (1) The Minister may request any person to provide information that the Minister reasonably believes he or she requires for the purpose of section 21 or 22 . (2) A person who fails to make all reasonable efforts to comply with a request under subsection (1) commits an offence and is liable— (a) on summary conviction, to a class A fine or imprisonment for a term not exceeding 6 months, or both, or (b) on conviction on indictment, to imprisonment for a term not exceeding 5 years or to a fine not exceeding €250,000, or both. Relevant vendor measures 25. (1) Subject to section 22 , the Minister may, if he or she considers it necessary to control risks to the security of electronic communications networks or electronic communications services which may affect national security, by notice in writing (referred to in this Part as a “ relevant vendor notice”), take any of the following measures (referred to in this Act as a “relevant vendor measure”): (a) prohibit the installation by a provider of critical components made or supplied by a relevant vendor; (b) prohibit or restrict the use by a provider of critical components made or supplied by a relevant vendor; (c) place conditions on the installation or use by a provider of critical components made or supplied by a relevant vendor; (d) prohibit the installation or use by a provider at a specified location of critical components made or supplied by a relevant vendor; (e) require a provider to remove, disable or modify critical components made or supplied by a relevant vendor; (f) place a restriction, expressed as a percentage of the total quantity of critical components used by the provider on their network or any part of their network, on the quantity of critical components made by a relevant vendor that a provider may use; (g) where critical components made or supplied by a relevant vendor are in use by a provider, require the provider to use these critical components in a specified manner or at a specified location. (2) A relevant vendor notice shall specify— (a) the provider or providers to which it applies, (b) that the Minister considers it necessary to take the measures contained in the order to control risks to the security of electronic communications networks or electronic communications services which may affect national security, (c) where the Minister considers that consultation under section 27 (1) would be contrary to the interests of national security, the reasons therefor, (d) the reasons for the issuing of the notice, and (e) the time at which the notice comes into operation. (3) Paragraph (d) of subsection (2) shall not apply where the Minister considers that specifying the reasons for the issuing of the notice in the notice would be contrary to the interests of national security. (4) The Minister may at any time, by further notice in writing, revoke or vary a relevant vendor measure. (5) Where the Minister makes, varies or revokes a relevant vendor notice he or she shall give the notice, in accordance with section 60 of the Principal Act, to any provider to which the notice applies. (6) Where the Minister gives notice to a provider in accordance with subsection (5), the Minister shall take all reasonable steps to give a copy of the notice to the relevant vendor specified in the notice. (7) The requirement in subsection (6) shall not apply to the giving of a relevant vendor notice if the Minister considers that giving a copy of the notice to the relevant vendor would be contrary to the interests of national security. (8) A provider that fails to comply with a relevant vendor measure or a notice varying such a measure given to such provider or made under subsection (1) commits an offence and is liable— (a) on summary conviction, to a class A fine or imprisonment for a term not exceeding 6 months, or both, or (b) on conviction on indictment, to imprisonment for a term not exceeding 5 years or to a fine not exceeding €250,000, or both. Confidentiality of relevant vendor notice 26. (1) The Minister may require a provider to which a relevant vendor measure applies to treat as confidential the existence or contents of the measure and of the relevant vendor notice in circumstances where the Minister considers that disclosure of the measures imposed by the notice or of the contents of the notice would be contrary to the interests of national security. (2) A provider that fails to comply with a requirement made under subsection (1) commits an offence and is liable— (a) on summary conviction, to a class A fine or imprisonment for a term not exceeding 6 months, or both, or (b) on conviction on indictment, to imprisonment for a term not exceeding 5 years or to a fine not exceeding €250,000, or both. Consultation before taking measures under section 25 27. (1) The Minister, before taking any measures under section 25 , shall— (a) consult with the provider or providers which would be subject to the proposed measures, and (b) make reasonable efforts to consult with the relevant vendor in respect of which the measures are proposed to be taken. (2) The requirement in subsection (1) shall not apply if the Minister considers that such consultation would be contrary to the interests of national security. Appeal of relevant vendor measure 28. (1) A relevant vendor measure shall not be challenged, including as to its validity, other than by way of an appeal under this section. (2) For the avoidance of doubt, in respect of a measure under section 25 , no proceeding (including an application for judicial review) may be brought before the courts other than an appeal under this section. (3) A person affected by a relevant vendor measure or a variation of such measure may, not later than 28 days after the person receives notice of the measure or variation, appeal the measure or variation to the High Court. (4) Pending the outcome of an appeal, the measure taken by the Minister, shall stand, unless on application to the High Court, the Court suspends the application of the measure until the determination of an appeal or its withdrawal. (5) A person that brings an appeal under this section shall, on the same date as it makes such appeal, notify the Minister of the fact that it has made the appeal and of the grounds on which it has made the appeal. (6) The High Court may, for the purpose of ensuring the efficient, fair and timely determination of an appeal, give directions in respect of the conduct of the appeal. (7) An appellant shall, when making an appeal, precisely state all of the grounds in law and fact upon which the appeal is made and shall provide to the Court all of the documents and evidence which it is alleged support the granting of the appeal or upon which the appellant intends to rely to support those grounds. (8) Subject to subsection (9), a party to an appeal shall not be entitled during the course of an appeal to make submissions to the Court other than submissions related to the grounds stated or documents and evidence provided under subsection (7). (9) The Court may, upon application and where it considers it necessary for the fair and proper determination of an appeal, require or permit a party to an appeal to— (a) make submissions to the Court other than submissions related to the grounds stated or documents and evidence provided under subsection (7), and (b) provide documents or evidence to the Court other than documents or evidence provided under subsection (7). (10) Notwithstanding subsection (9), the Court shall refuse to consider submissions, documents or evidence where it considers that— (a) the submissions, documents or evidence are not relevant to the appeal, or (b) it is appropriate to do so in order to avoid undue repetition of submissions. (11) Where the Court has granted leave to deliver additional submissions, documents or evidence on an application under subsection (9), the Court shall give directions as to the scope, form and time-frame for delivery of such additional submissions, documents or evidence. (12) The Court may receive evidence by oral examination in court, by affidavit, or by deposition taken before an examiner or commissioner. (13) The Court, on hearing an appeal against a decision, may consider— (a) whether the jurisdiction existed to make the decision, (b) whether the law was correctly applied in reaching the decision, or (c) whether the decision is supported by the evidence including evidence admitted in accordance with subsection (9). (14) In considering an appeal, the Court shall have regard to— (a) the record of the decision the subject of the appeal, (b) the grounds stated by the parties to the appeal, and documents and evidence relied upon by the parties to support those grounds, under subsection (7), and (c) any submissions, documents or evidence admitted under subsection (9). (15) The Court may, on the hearing of an appeal against a decision— (a) confirm the decision, or (b) where it is satisfied by reference to the grounds of appeal that a serious and significant error of law or fact, or a series of minor errors of law or fact which when taken together amount to a serious and significant error, was made in making the decision, or that the decision was made without complying with fair procedures, annul the decision in its totality or in part, and remit the decision for reconsideration by the Minister subject to such directions as the Court considers appropriate. Material not publicly available that relates to security of the State 29. (1) Where an appeal of a relevant vendor measure or a variation in such measure relates to or involves any decision, evidence, document, material or any other matter that is not publicly available and relates to the security of the State, (referred to in this Part as “relevant material”), the High Court may— (a) where it is satisfied by information on oath or affirmation of the Minister, or of an officer of the Minister appointed by the Minister to provide such information, that there are reasonable grounds for believing that the disclosure to an appellant of relevant material would create a risk to the security of the State— (i) where satisfied that the relevant material can be redacted in a way that removes that risk, direct the Minister to provide the relevant material to the appellant subject to such redactions, or (ii) where satisfied that the relevant material or part thereof can be summarised or described in a way that removes that risk, direct the Minister to provide the appellant with such a summary or description, (b) where it is not satisfied by the information on oath or affirmation referred to in paragraph (a) that the disclosure to a party of relevant material would create a risk to the security of the State, direct that the relevant material or such part of that material as the High Court may direct, be provided to the party, and (c) take relevant material into account in making its decision in relation to the appeal regardless of the extent to which, or ways in which, the relevant material is provided to the appellant in accordance with this section. (2) The Minister shall comply with a direction of the High Court under subsection (1). (3) The information on oath or affirmation provided to the High Court under subsection (1) shall not, without the express authorisation of the Minister, be disclosed by the Court, an officer or agent of the Court, or any other person, to any person other than a party to an appeal. (4) When providing information on oath or affirmation under subsection (1), the Minister may apply to the High Court ex parte for an order that— (a) the information shall not be provided to a party to the appeal, and (b) a summary of the information, provided to the High Court with the application, shall be provided to the party. (5) The High Court shall grant the order applied for under subsection (4) if it is satisfied that— (a) the Minister has grounds for believing that providing the information on oath or affirmation under subsection (1) to a party would create a risk to the security of the State, and (b) the summary provided with the application for that order is sufficiently clear and detailed to allow the party effectively to challenge the basis on which, or way in which, the information on oath or affirmation is not being provided to it, or provided to it in part, as the case may be, and the Minister shall comply with such an order. (6) A person, other than a judge, who contravenes subsection (3) commits an offence and shall be liable— (a) on summary conviction, to a class A fine or imprisonment for a term not exceeding 6 months, or both, or (b) on conviction on indictment, to imprisonment for a term not exceeding 5 years or to a fine not exceeding €250,000, or both. Hearing of appeal of relevant vendor measure other than in public 30. If the High Court is satisfied, on an application by the Minister, that the hearing of an appeal of a relevant vendor measure, or a variation in such measure, is likely to result in the disclosure of relevant material and that such disclosure would create a risk to the security of the State it shall exclude from the hearing of the appeal all persons except— (a) a judge hearing the matter, (b) a judicial assistant, or other court personnel, whose presence is necessary for the judge to hear the matter, (c) the parties to the proceedings, (d) the legal representatives of the parties to the proceedings, and (e) a witness whose evidence is relevant to the proceedings, for as long as the witness’s presence is required for the purpose of providing such evidence, unless it is satisfied that the interests of justice require any other person not to be so excluded. Appeal to Court of Appeal from decision under section 28 31. The decision of the High Court under section 28 shall be final and no appeal shall lie from the decision of the High Court to the Court of Appeal in any case save with leave of the High Court, which leave shall only be granted where the High Court certifies that its decision involves a point of law of exceptional public importance and that it is desirable in the public interest that an appeal should be made to the Court of Appeal. Commission to report to Minister on this Part 32. The Commission shall issue a report to the Minister on the operation of this Part annually or as requested by the Minister. C 


🔗 To official source

AI explanation based on the official legal text. Indicative, not a substitute for legal advice.