The clock is ticking for Irish businesses tasked with upgrading their cybersecurity defences before enhanced new EU measures come into force.
The Network and Information Security 2 Directive (NIS2) sets baseline security standards for digital providers and operators of key services. The new regulations supersede the EU’s previous NIS Directive (now known as NISD or NIS1) and must be transposed into Irish law by 17 October, coming into effect the following day.
‘Organisations are sleeping at the wheel in their preparation to comply’
Despite the looming deadline, however, there are concerns that many organisations are not yet on track. A 2023 Microsoft report, which found that almost half of executives operating in Ireland had faced cyber incidents in the previous three years, also highlighted that 70% of leaders in the state were either unaware or not yet ready for NIS2 compliance.
Low awareness
NIS2 aims to ensure a high common level of cyber defence across all member states in response to a rapidly evolving and increasingly aggressive threat landscape. Its arrival is particularly timely, given the recent arrival of accessible AI tools, now being deployed by criminals to attack digital defences.
Mike Harris, partner in cyber at Grant Thornton Ireland, warns that ‘organisations are sleeping at the wheel in their preparation to comply, with low levels of awareness about NIS2 requirements and ramifications’.
‘The one thing we’ve learned in the past couple of years is that any organisation can get hit’
He believes that many have still not realised they could come into scope. ‘This will change as we get closer to the compliance deadline and there are more awareness activities from regulators,’ he says. ‘I do also think many sectors struggle with cyber even today. The one thing we’ve learned in the past couple of years is that any organisation can get hit. I’m still surprised by the number of organisations that first worry about cybersecurity when they are hit by an attack.
‘The much wider scope of NIS2 means many are going to have to get serious about cyber risk management for the first time.’
Assessments from the National Cyber Security Centre bear this point out. Currently working with businesses to promote awareness, it has said that while around 100 Irish entities were in scope for the previous directive, more than 4,000 could be affected by NIS2.
Wider and deeper
The rise in numbers can be attributed to the fact while NIS2 builds on the structure of the original regulations, it covers a much wider and deeper pool of enterprises. Previous classifications of ‘operators of essential services’ and ‘providers of digital services’ will be replaced by two new categories of sectors deemed either ‘essential’ or ‘important’ to the functioning of society:
Essential (sectors of high criticality)
- energy
- transport
- banking
- financial market infrastructure
- health
- digital infrastructure
- ICT service management
- drinking water
- waste water
- public administration
- space.
Important (other critical sectors)
- postal and courier services
- waste management
- chemical manufacturing, production, distribution
- food production, distribution, processing
- manufacturing
- digital providers
- research.
Organisations must consider their sector, size and level of criticality when assessing whether and where they fall into scope. Unlike NISD, both categories are subject to the same standards, including NIS2’s stringent new fines for non-compliance:
- essential entities: up to €10m or 2% of worldwide annual turnover
- important entities: up to €7m or 1.4% of worldwide annual turnover.
‘There are new important entities who are facing the regulation for the first time’
In a significant change, anyone managing or representing a company can be held personally to account. As individual executives and board members could potentially face penalties if a company is found to be non-compliant, Harris recommends considering specific training for this group so that they understand their obligations and can provide effective oversight.
Tips to prepare
Organisations planning for NIS2 should:
- establish scope and whether exemptions are applicable. The National Cyber Security Centre has a helpful document
- consider which member state laws apply if they have operations in multiple EU countries
- review and update cybersecurity procedures, with particular attention to supply chain security
- focus on robust risk management measures and resilience testing
- review and update incident response procedures in line with NIS2’s requirements for reporting cyber incidents
- consider training for senior management and board members in light of new accountability measures.
PwC’s 2024 Global Digital Trust Insights survey found that 42% of respondents in Ireland identified third-party breaches as the top threat to digital defences. NIS2 addresses this issue, too, with businesses now mandated to ensure that their suppliers adhere to appropriate cybersecurity measures and carry out regular risk assessments.
Time to prepare
Neil Redmond, director of cybersecurity at PwC Ireland, anticipates ‘a mix of levels of understanding’ when it comes to preparations. ‘There are essential entities who are used to NISD regulations and so are in a good position to prepare for NIS2 as they can leverage past learnings and frameworks.
‘On the other hand, there are new important entities who are facing the regulation for the first time. They may not have the appreciation of what is required, how their supply chains are under the microscope and what they need to do to get compliant.’
Given the wider breadth of sectors and entities that will be falling into scope, Redmond believes it may be necessary to have a gradual rollout of obligations, but advises against complacency. ‘Now is the time to either ramp up preparations to meet compliance, or to begin your journey with a focus on having a level of compliance by the effective date,’ he says.
‘Unfortunately, no entity can afford to do nothing at this stage.’
