On 14 April 2026, Government Chief Whip Mary Butler published the Summer 2026 Legislation Programme, which lists the National Cyber Security Bill among the measures the government wants on the statute books. The headline purpose is unobjectionable and overdue: Ireland was supposed to transpose the EU's NIS2 Directive (EU 2022/2555) by 17 October 2024 and, as the IAPP noted in February 2026, still had only a General Scheme to show for it. The problem is not the transposition. It is everything the Bill staples to it.
The legitimate core
NIS2 is a reasonable, risk-based instrument. It designates the National Cyber Security Centre (NCSC) as Ireland's competent authority and CSIRT, imposes incident-reporting duties on essential and important entities, and puts cyber-risk governance on the agenda of company boards. After ransomware crippled the Health Service Executive in 2021, few would dispute that Ireland needs a statutory NCSC with real coordination authority. Detective Superintendent Pat Ryan told the Oireachtas Justice Committee that cyber offences represent "the greatest threat of societal-level disruption," and on the merits of incident response he is right. A pro-innovation publication should want a competent, well-resourced national CSIRT — predictable rules and fast coordinated response are exactly what lets firms operate and invest with confidence.
The strongest case for the broader powers runs like this: a CSIRT that can only ask politely is useless mid-attack. If a botnet is exfiltrating data through a compromised domain at 3am, the argument goes, the state needs to be able to scan, deploy sensors and block in real time, not file for a warrant and wait. That is a serious argument, and it deserves a serious answer rather than a reflexive civil-liberties veto.
What got bolted on
The answer is that the Bill's contested powers are not calibrated to that emergency at all. According to the Irish Council for Civil Liberties, in a 25 November 2025 analysis, the concerns cluster around Heads 6–10 of the General Scheme — provisions that exceed what NIS2 requires:
- A power to block access to a domain name in a manner ICCL and Digital Rights Ireland describe as an "internet death penalty," because disabling a domain can take down all content hosted on it, including material wholly unrelated to any threat.
- A power to compel communications providers — the submission names WhatsApp and iMessage operators and data-centre operators — to install surveillance sensors capturing metadata on the public's phone and internet usage.
- Authority to scan and store network traffic from public-sector bodies for up to 18 months, potentially sweeping in email content carrying health data and privileged legal communications.
- Permission to handle data for "national security" purposes — a term the Bill leaves undefined.
These are not incident-response tools. They are standing surveillance and shutdown capabilities, and the gap between the two is the whole problem.
Why undefined power is the wrong default
Trigger words matter. An undefined "national security" hook is not a drafting oversight; it is a blank cheque, because whatever the state later decides the phrase covers becomes lawful retroactively. Dr TJ McIntyre of Digital Rights Ireland told the committee that two of the powers — bulk scanning of public-sector traffic and warrantless collection from private communications on public networks — are "entirely unprecedented" and likely breach Court of Justice precedent. He is invoking the line of CJEU rulings, from Digital Rights Ireland (2014) through La Quadrature du Net (2020), that has repeatedly struck down general and indiscriminate data retention. A statute that authorises 18-month bulk capture without proportionality limits is walking straight back into the jurisprudence Ireland's own name is attached to.
The domain-blocking power is worse, because its harm is structural. Killing a domain is the bluntest instrument on the internet: it is over-inclusive by design, hard to reverse quickly, and trivially abused once normalised. The EFF reminded readers in May 2026 that shutdowns and blocks devastate ordinary life — access to medical care, banking, family contact — long before they inconvenience a sophisticated attacker, who simply moves. Once a democracy hands itself "extremely wide" blocking authority with no statutory definition of when it applies, it has built infrastructure that a future, less scrupulous government inherits intact.
The fix is narrowing, not killing
None of this is an argument against transposing NIS2 — it is an argument for transposing only NIS2, and legislating the extras separately under proper scrutiny. The proportionate path is well marked: define "national security" in the text; require prior independent (ideally judicial) authorisation for any sensor mandate or domain block; cap retention and tie it to specific, articulable threats; and bake in transparency reporting so the public can see how often these powers are used. Ireland hosts the European headquarters of a large share of the world's major technology firms; a surveillance-and-shutdown regime that the CJEU later voids would be both a rights failure and a competitiveness own-goal. Get the core done this summer. Send the rest back to be written properly.