Preparing for new cybersecurity rules under NIS2

NIS2 is set to overhaul cybersecurity requirements across the EU from October 2024, introducing new cybersecurity risk management and reporting requirements for many organisations in Ireland. But what does this mean for your business?

?

What is NIS2?

The new Network and Information Security Directive, known as NIS2, updates and replaces the NIS Directive which took effect in Ireland in 2018. NIS2 aims to modernise the existing legal framework to allow it to keep up with increased digitisation and an evolving cybersecurity threat landscape and will bring a significant shift in how cyber security will be governed across the EU and in Ireland.

NIS2 has deep and wide-ranging implications for almost every sector of the economy, with changes including:

• Additional sectors and increased scope
• Specified security measures for cybersecurity risk management
• Increased obligations for incident and threat reporting
• Top-level accountability
• New supervision and enforcement measures and penalties

?

Scope and services

One of the most significant changes in NIS2 is that it will hugely expand the number of Irish businesses covered by cybersecurity rules. For many companies, this will be their first time having to comply with such obligations. While NIS1 covered approximately 120 sectors, the National Cyber Security Centre (NCSC) estimates that more than 3,500 will come into the scope of NIS2.

Any business with more than 50 employees or a turnover of over €10 million per year may be in scope. It will be the responsibility of each company within scope to self-identify as such and implement the required security measures.

NIS2 will apply to a wide range of sectors, including:

• Energy
• Transport
• Banking
• Financial Markets
• Health
• Water
• Digital Infrastructure
• ICT Service Management
• Public Administration
• Space
• Postal and Courier Services,
• Waste Management
• Chemicals
• Food
• Manufacturing
• Digital Service Providers

NIS2 removes the previous distinction between ‘operators of essential services’ and ‘digital services providers’, and instead designates entities as ‘Essential’ or ‘Important’ based on size, sector and criticality. While all companies will have strict risk management requirements, these designations will affect the level supervision and enforcement measures applied to them.

Essential services will be covered on an Ex-Ante basis, meaning they will be subject to regular audits and information requests on an upfront basis to determine risk. Important services will be subject to Ex- Post supervision, meaning they will only be audited following security incidents.

?

Risk management

NIS2 brings more top-level accountability: risk management measures must be signed off by the management board in an organisation. They can be held liable for an incident or an audit failure. Responsibility for cybersecurity has been extended from the IT function of a business into other functions.

Risk management measures must include the following:

• Policies on risk analysis and information system security;
• Incident handling;
• Business continuity and crisis management;
• Supply chain security, including with direct suppliers or service providers;
• Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;
• Policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
• Basic cyber hygiene practices and cybersecurity training;
• Policies and procedures regarding the use of cryptography and encryption;
• HR security, access control policies and asset management;
• MFA or continuous authentication solutions, and secure emergency communication

?

Reporting obligations and penalties

Once NIS2 is in force, companies will be obligated to report significant incidents but reporting threats and near misses will remain voluntary. A significant incident is one that can cause severe operational disruption of service, or that is capable of affecting another national service.

There are much shorter timelines for reporting incidents under NIS2 and the NCSC have said they expect to see a large increase in the reporting of incidents. The NCSC has committed to provide a single portal that will enable entities to register as being in scope and report significant incidents, as required by the Directive. Each incident may require submitting multiple reports, for example to the to the NCSC, the federated supervisor, the Gardaí and the DPC.

NIS2 provides national authorities with a minimum list of enforcement powers for non-compliance and allows fines of up to €10m or 2% of total worldwide annual turnover of an entity - whichever is higher.

?

Next steps

EU member states are required to transpose the Directive into national law by October 17th, 2024, and it will take effect across the EU from October 18th. As of August, however, Ireland has yet to publish the planned National Cyber Security Bill to make the necessary legislative changes. This will leave an extremely tight window to introduce and pass the Bill through all stages of the Oireachtas between the end of the summer recess and the October deadline. This time pressure will leave little time for debate or amendments to the Bill once published.

Once the Bill is enacted, the National Cyber Security Centre will develop a framework and detailed guidelines for compliance with NIS2, which is planned to be published in early 2025. They will also launch a platform for reporting security incidents and introduce a national certification scheme, with accredited training available from regulated providers.

For more information on NIS2, there is a NCSC guide to NIS2 available online.

Elaine Bardon is an Account Executive in the Dublin office, offering support to clients across a range of sectors. She previously worked with the Commission for Aviation Regulation. Elaine has extensive team leadership and administrative experience and completed an MBA from the Dublin Business School.