Communications Regulation and Digital Hub Development Agency (Amendment) Act 2023

Type Act
Publication 2023-03-02
State In force

PART 1 Preliminary and General

1. Short title, collective citation, construction and commencement

1. (1) This Act may be cited as the Communications Regulation and Digital Hub Development Agency (Amendment) Act 2023.

(2) The Communications Regulation Acts 2002 to 2017 and this Act (other than Parts 10 and 11) may be cited together as the Communications Regulation Acts 2002 to 2023 and shall be construed together as one.

(3) This Act, other than this Part, shall come into operation on such day or days as the Minister may appoint by order or orders either generally or with reference to any particular purpose or provision and different days may be so appointed for different purposes or different provisions.

2. Interpretation

2. (1) In this Act—

“Act of 1926” means the Wireless Telegraphy Act 1926;

“Act of 1972” means the European Communities Act 1972;

“BEREC” means the Body of European Regulators for Electronic Communications;

“breach of conditions” means a breach of the conditions of—

(a) a general authorisation,

(b) any rights of use for radio spectrum,

(c) any rights of use for numbering resources, or

(d) the specific obligations referred to in Article 13(2) of the Directive;

“Code Regulations” means the European Union (Electronic Communications Code) Regulations 2022 (S.I. No. 444 of 2022);

“Commission” means the Commission for Communications Regulation;

“consumer” means any individual who uses or requests a publicly available electronic communications service for purposes which are outside his or her trade, business, craft or profession;

“date of service”, in relation to a notice or notification, means the date on which the notice or notification is given in accordance with section 60 of the Principal Act;

“Directive” means Directive 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code (Recast);

“general authorisation” means an authorisation for a person to provide an electronic communications network or service under and in accordance with regulations made under the Act of 1972 giving effect to Article 12 of the Directive;

“Minister” means Minister for the Environment, Climate and Communications;

“prescribed” means prescribed by regulations made by the Minister;

“Principal Act” means the Communications Regulation Act 2002;

“record” means any memorandum, book, report, statement, register, plan, chart, map, drawing, specification, diagram, program, algorithm, data, code, software, formula, pictorial or graphic work or other document, any photograph, film or recording (whether of sound or images or both), any form (including machine-readable form) or thing in which data (such as engineering data or personal data) or information is held or stored manually, mechanically, digitally or electronically and anything that is a part or a copy in any form, of any of, or any combination of, the foregoing, whether claimed as confidential or not;

“regulatory breach” means a failure to comply with—

(a) a regulatory provision,

(b) a relevant vendor measure,

(c) a confidentiality requirement of the Minister under section 26(1),

(d) a direction under section 33(2),

(e) a commitment under section 67, or

(f) an urgent interim measure;

“regulatory provision” has the meaning given to it by section 60;

“relevant vendor measure” has the meaning given to it by section 25;

“urgent interim measures” and “urgent interim measures notice” each has the meaning given to it by section 57.

(2) A word or expression that is used in this Act and that is also used in the Directive has, unless the context otherwise requires, the same meaning in this Act that it has in the Directive.

3. Regulations

3. (1) The Minister may make regulations in relation to any matter referred to in this Act as prescribed or to be prescribed or to be the subject of regulations, or otherwise for the purpose of enabling any of its provisions to have full effect.

(2) Regulations made under this Act may contain such incidental, supplementary, consequential or transitional provisions as appear to the Minister to be necessary for the purposes of the regulations.

(3) The Minister may consult with the Commission before making regulations under this Act.

(4) Every regulation under this Act shall be laid before each House of the Oireachtas as soon as may be after it has been made and, if a resolution annulling the regulation is passed by either such House within the next 21 days on which that House has sat after the regulation is laid before it, the regulation shall be annulled accordingly, but without prejudice to the validity of anything previously done thereunder.

4. Exercise of powers of authorised officers for purposes of Act

4. An authorised officer may exercise any powers exercisable by him or her under the Principal Act (other than a power exercisable for a purpose specified in section 39(3A) of the Principal Act) for the purposes of this Act.

PART 2 Security of Networks and Services

5. Interpretation (Part 2)

5. In this Part—

“CSIRT” means the unit of the Department of the Environment, Climate and Communications known as the computer security incident response team;

“ENISA” means the European Union Agency for Network and Information Security;

“provider” means a provider of public electronic communications networks or of publicly available electronic communications services;

“security audit” means the process of examining and evaluating, by such means as are necessary, a provider’s overall ability to appropriately manage the risks posed to the security of networks and services, including the provider’s ability to prevent and minimise the impact of security incidents on users and on other networks and services;

“security incident” means any action that compromises the availability, authenticity, integrity or confidentiality of networks and services, of stored or transmitted or processed data, or of the related services offered by, or accessible via, those electronic communications networks or services;

“security measures guidelines” has the meaning given to it by section 7;

“security of networks and services” means the ability of electronic communications networks and services to resist, at a given level of confidence, any action that compromises the availability, authenticity, integrity or confidentiality of those networks and services, of stored or transmitted or processed data, or of the related services offered by, or accessible via, those electronic communications networks or services.

6. Obligation on providers to take measures to manage risk

6. (1) Providers shall take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of networks and services.

(2) Measures taken in accordance with subsection (1) shall ensure a level of security appropriate to the risk presented having regard to the state of the art.

(3) In particular, measures, including the use of encryption where appropriate, shall be taken by providers to prevent security incidents and minimise the impact of any security incident on users and on other networks and services.

(4) The Minister, having consulted with the Commission, may make regulations in relation to the types of measures to be taken by providers to manage risks in accordance with subsection (1).

(5) Regulations under subsection (4) may—

(a) contain such incidental, supplementary and consequential provisions as appear to the Minister to be necessary or expedient for the purposes of ensuring that risks posed to the security of networks and services are appropriately managed,

(b) apply generally or to such class of providers, electronic communications networks or electronic communications services, technologies, equipment, associated facilities or associated services as the Minister may prescribe, and

(c) include different provisions in relation to different classes of providers, electronic communications networks or electronic communications services, technologies, equipment, associated facilities or associated services.

(6) Subject to subsection (8), the Minister shall, before making regulations under subsection (4), publish a draft of the proposed regulations on a website maintained by or on behalf of the Department of the Environment, Climate and Communications and allow a period of 30 days beginning on the day on which the draft is published during which persons may make written representations to the Minister in relation to the proposed regulations.

(7) The Minister may, having considered any representations received during the period specified in subsection (6), make the regulations with or without modification.

(8) Where the Minister is satisfied that regulations under subsection (4) are required urgently in order to prevent a serious imminent risk to the security of networks and services, to the health or safety of persons or to property, the Minister may make the regulations without complying with subsection (6).

(9) Subsections (1), (2) and (3) are regulatory provisions.

(10) A provider that fails to comply with a provision of regulations made under this section that is stated in the regulations to be a penal provision commits an offence and is liable on summary conviction to a class A fine.

7. Security measures guidelines

7. (1) The Minister may, for the purpose of providing practical guidance to providers, having consulted with the Commission and such other persons as he or she may consider appropriate—

(a) prepare and publish guidelines on the implementation of technical and organisational measures to manage the risks posed to the security of networks and services, and

(b) approve guidelines, or any part of guidelines, on the implementation of technical and organisational measures to manage the risks posed to the security of networks and services made or published by another person,

(each referred to in this Act as “security measures guidelines”).

(2) Without prejudice to the generality of subsection (1), security measures guidelines may relate to any of the following:

(a) the risks posed to the security of networks and services;

(b) the types of measures considered appropriate for securing electronic communications networks and services;

(c) guidance on the implementation methods of specified measures;

(d) standards or technical specifications that may be considered appropriate for the implementation of specified measures;

(e) certification schemes that may be considered appropriate to adopt for the implementation of specified measures;

(f) commencement times for certain measures;

(g) transitional provisions for providers.

(3) Before publishing or approving security measures guidelines, the Minister shall publish a draft of the proposed guidelines on a website maintained by or on behalf of the Department of the Environment, Climate and Communications and allow a period of 30 days beginning on the day on which the draft is published during which persons may make written representations in relation to the proposed guidelines.

(4) The Minister may, having considered any representations received during the period specified in subsection (3), publish or, as the case may be, approve the guidelines with or without modification.

(5) Where the Minister approves guidelines he or she shall publish the approved guidelines or a notice to that effect.

(6) Where the Minister is satisfied that security measures guidelines are required urgently in order to prevent a serious imminent risk to the security of networks and services, to the health or safety of persons or to property, the Minister may publish or approve the guidelines without consulting in accordance with subsection (3).

(7) The Minister may publish security measures guidelines in such form or manner as he or she considers appropriate, including on the internet, and any security measures guidelines published shall specify the date from which they have effect.

8. Courts, etc. to have regard to security measures guidelines

8. In any legal proceedings before a court or tribunal, the court or tribunal shall have regard to a security measures guideline in determining any question arising in the proceedings if—

(a) the question relates to a time when the guideline was in force, and

(b) the guideline appears to the court or tribunal to be relevant to the question.

9. Commission to have regard to security measures guidelines in connection with carrying out functions

9. The Commission shall have regard to any security measures guideline in determining any question arising in relation to it carrying out its functions if—

(a) the question relates to a time when the guideline was in effect, and

(b) the guideline appears to the Commission to be relevant to determining the question.

10. Adjudicator to have regard to security measures guidelines in connection with carrying out functions

10. An adjudicator shall have regard to any security measures guideline in determining any question arising in relation to it carrying out its functions under Part 7 if—

(a) the question relates to a time when the guideline was in force, and

(b) the guideline appears to the adjudicator to be relevant to the question.

11. Providers to notify Commission of any incident of significant impact on networks or services

11. (1) A provider shall, where any security incident occurs that has had or is having a significant impact on the operation of the provider’s electronic communications networks or services, notify the Commission in accordance with subsection (3) without undue delay.

(2) In order to determine whether the impact of a security incident is significant for the purposes of subsection (1) a provider shall have regard to the following matters in respect of the incident:

(a) the duration of the incident;

(b) the number of users affected;

(c) any class of users particularly affected;

(d) the geographical area affected;

(e) the extent to which the functioning of the network or service was affected;

(f) the impact of the incident on economic and societal activities;

(g) the cause of the incident and any particular circumstances that resulted in the security incident.

(3) A notification made under subsection (1) shall contain the following information in relation to the incident:

(a) the provider’s name;

(b) the public electronic communications network or publicly available electronic communications services provided by it affected by the incident;

(c) the date and time the incident occurred and its duration;

(d) the information specified in paragraphs (a) to (g) of subsection (2);

(e) information concerning the nature and impact of the incident;

(f) information concerning any or any likely cross-border impact;

(g) such other information as the Commission may specify.

(4) Where a provider notifies the Commission of an incident in accordance with this section it shall, as soon as practicable, notify the Commission when the incident is resolved and of the actions taken by it to remedy the incident and, where applicable, any actions taken to reduce the likelihood of a similar incident occurring in the future.

(5) Where the Commission is notified of a security incident under subsection (1) it shall—

(a) inform the Minister of the notification, and

(b) where the Commission, having consulted with the Minister, considers it appropriate to do so, notify the competent authorities of other Member States and ENISA.

(6) Where the Commission determines, having consulted with the Minister, that the disclosure of a security incident notified under subsection (1) is in the public interest it may inform the public of the incident or require the provider concerned to do so.

(7) Subsections (1), (2), (3) and (4) are regulatory provisions.

(8) A provider—

(a) who fails to notify the Commission in accordance with subsection (1),

(b) who fails to make all reasonable efforts to provide the information referred to in subsection (3), or

(c) that is required by the Commission under subsection (6) to inform the public of a security incident and that fails to do so,

commits an offence and is liable on summary conviction to a class A fine.

(9) The Commission shall in each year submit a summary report to the Minister, the European Commission and ENISA on the notifications received and the actions taken by the Commission in accordance with this section.

12. Providers to notify users of particular and significant threat of security incident

12. (1) In the case of a particular and significant threat of a security incident in public electronic communications networks or publicly available electronic communications services, a provider of such networks or services shall—

(a) inform its users potentially affected by such a threat of any possible protective measures or remedies which can be taken by the users, and

(b) where appropriate, inform its users of the threat itself.

(2) Subsection (1) is a regulatory provision.

(3) A provider who fails to inform its users in accordance with subsection (1)(a) commits an offence and is liable on summary conviction to a class A fine.

13. Commission to seek to ensure compliance by providers with Part 2

13. The Commission shall take reasonable steps to ensure that providers comply with the obligations placed on them by or under this Part.

14. Power of Commission to serve security measures directions

14. (1) A provider shall, on the request of the Commission, provide the Commission with the information needed to assess the security of the provider’s networks and services, including documented security policies.

(2) The Commission may serve a direction (referred to in this Part as a “security measures direction”) on a provider—

(a) to remedy a security incident,

(b) to prevent a security incident from occurring when a significant threat has been identified, or

(c) to ensure that the provider is in compliance with this Part.

(3) Without prejudice to the generality of subsection (2), a security measures direction may require a provider to do one or more of the following:

(a) to implement specified measures within specified time limits to remedy a security incident or prevent one from occurring when a significant threat has been identified;

This document does not substitute the official text published in the Irish Statute Book. We accept no responsibility for any inaccuracies arising from the transcription of the original into this format.