On 24 June 2025, Ireland’s National Cyber Security Centre (NCSC) published a set of proposed Risk Management Measures (RMMs) and launched Cyber Fundamentals, a framework designed to assist organisations to comply with the EU’s Directive (EU) 2022/2555 (the NIS2 Directive). The NIS2 Directive sets out high level measures for cybersecurity for in-scope entities across the EU and is to be transposed in Ireland by the upcoming National Cybersecurity Bill. 

RMMs

Who do they apply to?

The RMMs are intended to apply to essential and important entities within scope of the NIS2 Directive and which are

Continue Reading Risk Management Measures and Cyber Fundamentals: the NCSC’s roadmap towards NIS2 compliance

On 11 June 2025, the Minister for Justice, Jim O’Callaghan announced:

  1. The General Scheme of the Criminal Justice (International Cooperation Office) Bill 2025 (General Scheme) to (i) implement the eEvidence Regulation (EU) 2023/1543 (the Regulation) and (ii) transpose the Legal Representative Directive (EU) 2023/1544 (the Directive); 
  1. the establishment of the new Criminal Justice International Cooperation Office (CJICO).

The Director of the CJICO will operate as the designated (i) enforcing authority under the Regulation and (ii) central authority under the Directive. 

The eEvidence Regulation and Directive 

The eEvidence Regulation creates a mechanism for EU

Continue Reading Establishment of the Criminal Justice International Cooperation Office

On February 13, the European Commission (EC) and the European Board for Digital Services (EBDS) endorsed the integration of the Code of Practice on Disinformation (the Disinformation Code) into the framework of the Digital Services Act (DSA). 

Article 45 of the DSA provides for the formation of voluntary codes of conduct at EU level to ”contribute to the proper application of” the DSA. The Disinformation Code is the second code integrated into the DSA via Article 45, following the EC’s recent integration of the Code of Conduct on Countering Illegal Hate

Continue Reading EU’s Code of Conduct on Disinformation Integrated into DSA
  • The Opinion concerns the scope of “personal data” under Regulation 2018/1725 (which is the EU institutions’ equivalent to the GDPR and which mirrors much of the same language and principles as the GDPR). It proposes a broader conceptualisation
Continue Reading One man’s pseudonymisation is another man’s anonymisation: The AG Opinion in SRB v EDPS and the scope of “personal data”

On January 20, in a long-awaited move, the European Commission (EC) announced the integration of the revised Code of Conduct on Countering Illegal Hate Speech Online (the Hate Speech Code) into the regulatory framework of the Digital Services Act (DSA). 

Article 45 of the DSA provides for the formation of voluntary codes of conduct at EU level to ”contribute to the proper application of” the DSA. The Hate Speech Code marks the first Code to be integrated into the DSA framework via the Article 45 process. 

Background

The Hate Speech Code revises and

Continue Reading EU’s Code of Conduct Countering Online Hate Speech Becomes Part of the DSA

Today marks the effective date of the Digital Operational Resilience Act (DORA) and with it, additional incident reporting obligations for in-scope financial entities. 

With the aim of standardising the incident reporting process for financial entities throughout the EU, from today, in-scope financial entities must report any ‘major ICT-related incidents’ to their relevant competent authority. 1For the majority of financial entities within the scope of DORA in Ireland, this will be the Central Bank of Ireland while for others (such as pensions trustees) it will be the Pensions Authority. These new incident reporting obligations apply in addition to

Continue Reading Navigating the DORA ICT Incident Reporting Obligations

The European Commission has launched its first set of “specification proceedings” under the Digital Markets Act (“DMA”).

“Specification proceedings” are actions taken by the Commission under the DMA which formalises the Commission’s regulatory discussions with a gatekeeper, allowing it to investigate particular compliance points, which can ultimately result in the Commission issuing a decision to the relevant gatekeeper on what specific measures a gatekeeper must implement to ensure effective DMA compliance.

These latest proceedings relate to Apple’s interoperability obligations under the DMA. Article 6(7) of the DMA provides that gatekeepers shall allow providers of services and providers of

Continue Reading Commission launches first specification proceedings under the DMA

Recent technological advances in generative AI have transformed the way in which we listen to and create music. Many artists and industry players have readily adopted generative AI, viewing it as a creative force to be harnessed, while others remain wary. 

The use of increasingly sophisticated AI tools to generate musical works poses a number of challenges from a legal perspective, particularly in relation to how they may impact intellectual property rights. 

In this blogpost we explore some of these legal considerations in further detail.

Input Considerations – Training AI Models

Generative or algorithmic art is not particularly new; the

Continue Reading AI-Generated Music: How Will the Existing Copyright Framework Cope? 

The Irish Data Protection Commission (DPC) released its 148-page annual report on 29 May 2024 (the Annual Report), highlighting the scope of work and enforcement activities undertaken by the DPC throughout 2023. A full copy of the report is available here.

In this series of articles we decode the report – providing an insight into the key points of focus, emerging themes and potential areas of future regulatory developments. 

This Article will aim to provide an overview of what we have learned in respect of data breach notifications from this year’s Annual Report, and what future

Continue Reading Decoding the Data Protection Commission’s 2023 Annual Report – Part 1: Data Breaches

On 13 March 2024, the European Parliament and the Council adopted Regulation (EU) 2024/900 on the transparency and targeting of political advertising (the Regulation). The Regulation is now in force, however, the majority of its provisions will not take effect until October 2025.

This article aims to provide a summary of the key provisions of the Regulation under the following headings:

  1. Scope of the Regulation
  2. Transparency and due diligence obligations 
  3. Targeting and ad delivery of online political advertising
  4. Supervision and enforcement
  1. Scope of the Regulation

The Regulation is intended to provide harmonised rules on transparency and related due diligence

Continue Reading Political Advertising Regulation