NIS2: Shaping Ireland’s digital future

June 04, 2024

In an increasingly digitised and interconnected world, the security of digital networks and information systems is more important than ever. The EU has been moving to strengthen cybersecurity and safeguard communication and data across its member states, and the Network and Information Security Directive 2 (NIS2) is the latest development in this area.

What is NIS2?

NIS2 is the updated version of the 2016 NIS Directive, the first EU-wide cybersecurity law, which introduced cyber risk management requirements for critical sectors across the bloc. Since then, the importance of safeguarding critical national infrastructure from cyber threats has been brought sharply into focus through consecutive high-profile cyberattacks across the EU, while global events, such as the COVID-19 pandemic and Russia’s invasion of Ukraine, have highlighted the need for secure supply chains. The new law, which will apply from 18 October 2024, comes as a response to this evolving threat landscape, and to keep pace with an increasing reliance on digital technologies across many sectors of society.

Key changes and requirements

Expanded scope: NIS2 expands the scope of the law to include many more sectors that are essential for the economy and society, with organisations categorised as either ‘essential’ or ‘important’ based on their size, criticality and the sector they belong to. Many organisations in sectors such as manufacturing, food production, public administration and research will find themselves newly in scope of the law, while organisations in sectors such as energy, health and transport were already in scope of the first Directive.

Enhanced security and incident reporting requirements: NIS2 raises the bar for security measures and incident handling, requiring organisations to adopt robust cyber risk management practices and establish methods for reporting incidents. Organisations will have to report incidents that have a ‘significant impact’ on the provision of their services to a centralised authority (in Ireland, this will likely be the National Cyber Security Centre) on a strict timeline.

Supply chain security: A new obligation under NIS2 is that regulated organisations will be required to manage the security of their supply chains, which greatly expands the scope of organisations directly or indirectly impacted by the law. Organisations will have to seek assurance from their suppliers and service providers that they have appropriate cybersecurity measures in place. This aims to address the risks posed by the global proliferation of threats against supply chains, which has demonstrated how smaller organisations can be targeted due to their position in critical chains.

Increased accountability and penalties for non-compliance: NIS2 provides for significant penalties in case of non-compliance. Crucially, it moves away from holding IT teams solely responsible for cybersecurity and raises organisational governance of cybersecurity to the board level, as management bodies will bear ultimate responsibility for cybersecurity and can face personal repercussions for infringements. Failure to comply can also mean fines for the organisation: up to €10m or 2% of total global annual revenue for ‘essential’ entities, or up to €7m or 1.4% of total global annual revenue for ‘important’ entities. Monitoring compliance with NIS2 in Ireland is likely to be shared between the National Cyber Security Centre and sectoral regulators.

Steps organisations can take to prepare

NIS2 will represent a regulatory shift for organisations in many sectors of society, with compliance calling for a proactive approach to cybersecurity. Many details, including the landscape of supervision, management liability and supply chain requirements, will be ironed out when Ireland transposes the law (which it must do by 17 October 2024). However, there are steps that organisations can take to prepare:

  • Understand your organisation’s regulatory landscape: Determine if you are in scope of the law and the jurisdiction you will fall under and map your obligations under NIS2 against other laws and sector-specific legislation. Determine if your organisation can perform a gap analysis in-house and, if not, seek assistance from external service providers.
  • Assess your NIS2 readiness and implement measures to address gaps: Map existing cybersecurity policies and procedures against the law’s requirements to help you to identify gaps. Where gaps are found, establish comprehensive cybersecurity policies and procedures and communicate them to your organisation.
  • Map your supply chain dependencies: Work closely with suppliers and service providers to ensure they meet NIS2 security standards. Conduct regular audits and assessments of third-party security practices.
  • Establish and proactively test your incident response plan: Develop a robust incident response plan that includes a method for classifying incidents and a reporting protocol. Regularly test the plan to assess your organisation’s ability to communicate effectively during an incident, keeping in mind the deadlines established by NIS2.
  • Leverage standards and certification schemes: Existing industry standards, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0 or ISO 27001, can guide organisations towards the requirements of the law.
  • Embed a culture of cybersecurity training and awareness in your organisation: NIS2 places a strong emphasis on training and awareness programmes to foster a culture of cybersecurity throughout the organisation. Implement a regular cybersecurity training programme for all staff and targeted training for the management body.
  • Assign responsibility and resources for complying with NIS2: Engage your management level early in the process of preparing for NIS2 compliance. Ensure you have sufficient resources to meet all implementation requirements in time.

Conclusion

NIS2 marks a significant step forward in efforts to bolster cybersecurity across the EU. For organisations in Ireland, compliance will not just be a legal obligation but also a strategic imperative. As cyber threats continue to evolve, aligning with NIS2 will be essential for organisations to safeguard their operations and contribute to a more secure digital world.

Áine Clarke

Digital and AI Affairs Executive, Ibec