ComReg to be charged with overseeing security of data centres in expansion of its regulatory role

ComReg, the regulator of the telecoms sector, is set to be given responsibility for looking at the resilience and security of data centres in the future as part of an expansion of its role.

The watchdog said that it would have new regulatory functions on foot of two EU directives known as NIS2 and CER.

ComReg chair Robert Mourik said there would be certain standards that data centres would have to meet.

“We have to verify whether the operators, not just operators, but the owners of data centres meet those standards,” he said.

The additional regulatory work would probably require the need for ComReg to hire more staff on top of the watchdog’s recently approved headcount of 232 staff.

The Government is currently drafting the National Cyber Security Bill which would transpose the Network and Information Security (NIS2) directive into national law, the regulator said.

[ With almost 100 regulators, are there too many watchdogs in the State? ]

[ Getting new regulator up and running was like building an aircraft while flying, says executive chair ]

NIS2 addresses cybersecurity matters and will require member states “ensure that essential entities take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems”.

The directive will also require member states “to prevent or minimise the impact of incidents on recipients of their services and on other services”.

“In tandem with this legislation, the Government will also be transposing Critical Entities Resilience (CER) directive which aims to enhance and strengthen physical resilience to risks that could impact on the provision of essential services such as digital infrastructure that are key to the proper functioning of the economy and of society,” the regulator said.

Mr Mourik said that the regulator’s work will start with “the resilience and security of the telecom networks”.

“And we are kind of really gearing up for that. We’ve made plans, we’ve talked to industry, what that means, etc. Now, the Government says you shouldn’t just do that for the telecom operators. We also want you to do that for the cloud providers, for example, and for various other parts of that bigger electronic value chain,” he said.

“We have just done a study to see what does that mean for us? What do we need to inspect? We don’t know much about cloud infrastructure, about data centres and all those things.”