A “national exercise” will be held in May to make sure that the state is prepared against a possible major cyberattack during Ireland presidency of the European Council, the head of the National Cyber Security Centre has revealed.
Ireland will hold the rotating EU presidency from July until the end of December of this year.
Over those six months, dozens of events are scheduled throughout the country involving ministers, presidents and prime ministers from all 27 EU member states.
A meeting of the European Political Community involving up to 40 European heads of state and governments is also due to be held in Ireland in the Autumn.
Ahead of the presidency, work is underway to ensure that Ireland is sufficiently secure.
A comprehensive programme of operational exercises, risk assessments and legislative updates is planned to manage the unique security demands being put on the state.
“We have a national exercise in early May which will focus on rehearsing literally how we respond to a hybrid-type event during a major presidency event and the work around that”, said Richard Browne, Director of the National Cyber Security Centre, speaking at an event organised by the Institute of International and European Affairs (IIEA).
The national exercise will be a “key part” of the presidency’s cybersecurity preparations “in terms of bringing everybody in the state together to understand how to manage”, he added.
“We also have a risk assessment which is complete” and will be “provided to ministers very shortly”.
For security reasons, “we may well publish a redacted version of it or shortened version of it for public consumption.”
Other work is ongoing to “bolster defences in government and elsewhere.” That is understood to involve up to 250 critical infrastructure operators.
Denmark, which held the rotating presidency in the second half of 2025 is providing Ireland with security advice.
“Other European countries have obviously gone through some similar things in the recent months and we’ve learned a lot from the Danes, for example”, said Donal Óg McCarthy, Cybersecurity Lead Ireland at consulting company, Accenture.
The most important lesson, he said, was that both the state and the private sector need to be getting prepared against the worst.
“I think it is a moment to think about how is it going to impact my business? What are the potential angles of attack that could experience and learn from what others have experienced”, he advised.
Ireland’s National Cyber Risk Assessment (NCRA) was published in December of last year, but Richard Browne says it is already out of date.
Artificial intelligence (AI) used in cybersecurity attacks was a “genuinely new thing” which was not considered when the report was written.
Even though the NCRA was pitched as the template for cybersecurity, he now says the state must move beyond it.
“We need to be building systems that automate detection and response using AI to anticipate a coming problem”, he said.
“We can map, manage, and track all the information coming into and out of the public sector. We can use our vast amount of threat intelligence and everything else to find risks and threats in that. Great. It’s not enough.
We need to expend extend out to cover critical infrastructure. We need much better granular visibility of the risks and threats as they present to critical infrastructure.”
Last night the government published an updated National Digital & AI Strategy in which the the National Cyber Security Centre is tasked with carrying out a nationwide “AI Risk Assessment” to help public bodies assess and manage “security and resilience risks in AI systems”.
The government has also committed to integrating cybersecurity and resilience testing into all major infrastructure programmes. This will get Ireland into line with EU law as defined in the so-called NIS2 Directive and forthcoming Cyber Resilience Act.
It comes as the EU and governments consider what more they can do to boost cybersecurity.
Jacky Fox, Global Lead for Security Strategy Practice at Accenture said that at the moment, we cannot guarantee that other countries will come to our aid in case of a major cyberattack.
“We have this concept that if there’s a weather event [like a storm, forest fires or floods] in a country in Europe, let’s say, that people will come in from other countries to help.”
“We know that power cables, for example, are going to get hit or there could be an issue with our reservoirs. So we can plan around that and we can bring people in and we equally allow our people to go to other countries to help.
And you’d like to think that when there’s emergencies around something like cybersecurity that we can have that mutual assistance concept, but the reality is is if something really bad happens in a country, can you actually say well we can predict when that’s going to happen to my country therefore I will let people go to assist?
It’s a sort of an area that, I feel, while we are collaborating kind of internationally, we’re sort of a little bit on our own as well.”