The Irish government has released a National Strategy on the Resilience of Critical Entities, a comprehensive framework designed to protect essential public services – including digital and web infrastructure and datacentres – and critical national infrastructure (CNI) from cyber attacks and other disruptions.
Owned by Ireland’s Department of Defence (An Roinn Cosanta) and Office of Emergency Planning, the document sets out an overarching vision and a set of strategic objectives aimed at strengthening resilience across Ireland.
It was devised to comply with the European Union’s (EU’s) Critical Entities Resilience (CER) Directive, which obliges Member States to take specific measures to ensure essential services for economic and social functions are protected. The provisions laid down in CER are to be transferred into national law across the EU by the middle of October 2026.
“A resilient society is essential for our national security, as well as our economic and social well-being,” said Helen McEntee, Ireland’s minister for defence.
“This resilience relies on the continuous availability of a wide range of essential services including the water we drink, the food we eat, the energy that lights and heats our homes, the transport we depend on, and the health services that keep us healthy. Certain entities that provide these services are vital to the functioning of our society and are therefore classified as critical.
“These Critical Entities are significant, and they are increasingly interconnected and interdependent,” she said. “Many of them are provided by private industry in partnership with the State. While the resilience of critical infrastructure has always been part of our emergency strategy in Ireland, we now recognise the need for a more strategic approach to enhance this area.”
At the core of the strategy lie five strategic goals: to enhance the national risk assessment methodology to identify essential services; to embed a governance and coordination framework for critical entity resilience; to drive appropriate improvements in the resilience of critical entities; to enhance the Department of Defence’s strategic oversight of critical infrastructure dependencies across all sectors; and to ensure consistency with cyber security, maintaining an approach to resilience that aligns with Ireland’s national cyber objectives, and its obligations under EU laws such as NIS 2, Dora and so on.
Dublin hopes that besides improving public service resilience based on a better understanding of the risks such bodies face, the framework will also ensure a national and sector-wide perspective on risk, and support critical entities in meeting their obligations.
People across Ireland experienced the devastation of a successful cyber attack on an essential public service in May 2021, when the Health Service Executive (HSE) infamously fell victim to a Conti ransomware attack causing significant disruption.
The incident forced frontline clinical staff to fall back on pen and paper amid cancelled appointments and, significantly, downed Ireland’s Covid-19 testing referral system.
It took months for Ireland’s health system to recover, with millions of Euros spent on response and remediation efforts.
Clarity on CNI is welcome
David Ferbrache, managing director at Beyond Blue, an Edinburgh-based cyber risk and resilience consultancy, said it was encouraging for Ireland to establish a clear plan for CER compliance, and the document demonstrated its commitment to protecting both CNI and citizens. Clarity on intent, he added, would be valuable for the government, regulators and service operators.
“The CER Directive is widely regarded as the sister regulation to NIS2,” he said. “However, it takes a broader, all-hazards approach to resilience, extending beyond cyber threats to also address physical risks and third parties supporting critical industries. This ultimately helps safeguard essential services against outages and disruption, regardless of how an incident occurs or who it is targeted at.
“This is a positive step, particularly as recent disruptions to critical national infrastructure have been varied in cause, spanning malicious action, technology failures and natural hazards.”
Holistic
While the EU’s CER Directive does not apply to the UK, Ferbrache said it raised an important question as to whether the UK should adopt a similar approach reflecting the reality of today’s interconnected world and recognising that disruption takes many forms, not just cyber.
“While the Cyber Security and Resilience Bill (CSRB) is currently progressing through Parliament, it places a strong emphasis on cyber security, but gives less attention to broader resilience concerns,” he said. “These concerns cannot be ignored, protecting the availability of critical infrastructure cannot be achieved by only looking through the cyber lens. A more holistic approach is needed which bridges the cyber security and operational resilience disciplines.
“This all-hazards approach may require broader legislation and alignment of regulatory expectations on operators of essential services and their suppliers,” said Ferbrache. “While it’s unlikely that such provisions will be incorporated into the CSRB at this late stage, the UK government cannot afford to overlook this challenge in future.”
