Decrypting the Craic: The latest updates on data protection, cyber, and AI in Ireland

An abundance of new authorities 

The EU Artificial Intelligence Act (AI Act) became effective in August 2024, with its provisions being rolled out progressively until August 2027. A key point to note is that under the AI Act, with the exception of the role of the Commission, and unlike the GDPR, there is no “one stop shop” principle of regulation – instead, authorities (plural!) in each EU Member State have a role to play. 

Additional powers to protect fundamental rights 

Ireland’s pronouncement on its regulators commenced in October 2024, when the government published a list of nine national public authorities responsible for protecting fundamental rights under the AI Act. Under Art 77 of the AI Act, these authorities will be granted additional powers to help them fulfil their existing responsibilities of safeguarding fundamental rights, particularly in situations where the use of AI presents a high risk to those rights. These authorities will have the power to request and access any documentation created under the AI Act to help them to fulfil their existing duties. 

The Financial Services & Pensions Ombudsman and Irish Human Rights & Equality Commission will be highly relevant for organisations operating in the financial sector particularly where AI is used to support credit scoring, insurance underwriting and the approval of loans, with the potential for bias against certain communities. 

Meanwhile, technology companies, particularly those in the social media space, should look to the Coimisiún na Meán (Media Commission) which is likely to focus on risks surrounding manipulative content and misinformation, as well as, of course, the Data Protection Commission. Given the current regulatory focus on children’s data, the Ombudsman for Children will also be highly relevant. 

The other authorities having powers relating to fundamental rights are the An Coimisiún Toghcháin (Electoral Commission), Environmental Protection Agency, Ombudsman (which handles complaints related to public services) and Ombudsman for the Defence Forces. 

Market surveillance authorities 

The pronouncements on regulators continued on 4 March 2025, when the government approved the designation of a further 8 authorities under Article 70, this time to act as market surveillance authorities – the regulators with specific powers to investigate breaches of the AI Act, and to conduct enforcement actions, including issuing fines. 

These authorities are the Central Bank of Ireland, Commission for Communications Regulation, Commission for Railway Regulation, Competition and Consumer Protection Commission, Health and Safety Authority, Health Products Regulatory Authority, the Marine Survey Office of the Department of Transport, and not forgetting the Data Protection Commission - note the multiple hats it will wear on top of its existing responsibilities for data protection and electronic communications. 

A future government decision will designate additional authorities, along with a lead regulator, who will oversee the enforcement of the AI Act and carry out various centralised functions to ensure its effective implementation. Further details will be set out in the AI Bill which will be published in due course. 

Ireland’s NIS2: Cybersecurity gets a serious upgrade! 

The Irish Government released their legislative programme for 2025 at the end of February which contained the National Cyber Security Bill. 

A draft of the National Cyber Security Bill was published on 30 August 2024 and implements the EU NIS2 Directive. The NIS2 Directive establishes cybersecurity requirements for organisations providing essential or important services crucial for maintaining critical societal and economic functions, such as energy supply or financial transactions. It is an upgrade to the existing NIS Directive. 

As an EU Directive, NIS2 must be incorporated into the national laws of each EU Member State before it can take effect. The deadline for each EU Member State to transpose the Directive into its national law was 17 October 2024, however only 5 countries transposed the Directive on time. The exact timelines for the progress of the National Cyber Security Bill is unknown as legislative procedures in the Oireachtas (Irish parliament) have still not commenced for 2025 following the formation of a new government. 

EU AI Act: Law enforcement’s get-out-of-jail-free card 

Under the EU AI Act, Ireland is granted a significant exemption from certain provisions, based on its special status under EU treaties relating to freedom, security and justice. 

Ireland is not bound by the prohibitions on biometric categorisation systems provisions when used in police and judicial cooperation, or criminal activity prediction systems and real-time remote biometric identification systems. Similarly, Ireland is not obligated to implement certain obligations regulating the use of high-risk post-remote biometric identification systems. 

This exemption gives Ireland flexibility, allowing it to choose whether or not to adopt these provisions. While the above mentioned AI Act obligations don’t automatically apply, Ireland can voluntarily incorporate them into its national laws. This creates an almost unique regulatory environment for AI systems in Ireland, particularly in sectors like law enforcement, which may foster innovation but also raise concerns about alignment with EU standards. Despite this opt-out, Ireland remains bound by EU obligations on fundamental rights and data protection, including the GDPR and the Data Protection and Law Enforcement Directive, ensuring accountability and safeguards are maintained. 

Third DPC Commissioner’s a charm 

The Irish Data Protection Commission (DPC) is in the process of appointing a third data protection commissioner, who will co-lead with Dale Sunderland and Des Hogan. The DPC is the national regulatory authority in Ireland for ensuring compliance with the GDPR. 

The two current data protection commissioners were appointed in February 2024 by Minister Helen McEntee, following Helen Dixon’s resignation as the authority’s sole commissioner, after nearly a decade in the position. The commissioners will serve a 5 year term. 

The DPC’s office has increased from 30 to approximately 250 people over the last ten years, with its budget rising from €3.6m to €29m during the same period, which reflects the importance of the DPC’s work not just for Ireland but for the EU. It continues to be one of the EU’s leading data protection authorities in terms of enforcement. The increase in the number of commissioners from 1 to 3 was provided for under Section 15 of the Data Protection Act 2018. The applications for the appointment of the third commissioner closed on 6 March 2025 with an announcement expected later this year. 

What steps should organisations take? 

Organisations located in Ireland or that have Irish customers or users should: 

• Understand which Irish regulators will impact their use of AI, and monitor any upcoming guidance or announcements on their priorities, with potentially the opportunity to provide input on consultations surrounding such guidance. 
• Keep an eye on the progress of the National Cyber Security Bill as it progresses through the legislative process, understanding how preparedness for NIS2 may need to be adapted to meet Irish nuances. Organisations subject to NIS2 can already start compliance preparations based on the wording of the NIS2 Directive. 
• Organisations supplying biometric categorisation and identification services to law enforcement in Ireland should consider the extent to which obligations under the AI Act are subject to potential exemptions. 
• As the third DPC Commissioner is appointed, organisations should reflect on the extent to which this will influence the DPC’s enforcement agenda, and how the organisation will adapt.

Authored by Robert Fett and Ciara Monaghan.