NIS2: What Companies Need to Know
Introduction
The EU’s Network and Information Systems Directive (NIS2) is scheduled to come into effect across member states on October 18th, 2024. Businesses that fail to put the right measures in place by that date are at risk of facing serious regulatory problems, including the potential suspension of C-suite executives and fines of up to €10 million.
A worrying number of businesses in Ireland are either unaware of NIS2 or ill-prepared for its implementation. Companies wishing to comply with the directive need to be aware of the many updates they must make to their business before the rapidly approaching deadline. This article will explain what NIS2 is, who it affects, why it’s important, and what companies can do to prepare themselves for its enforcement.
What is NIS2?
The NIS2 Directive is the EU-wide legislation on cybersecurity. It’s focused on enhancing cybersecurity and boosting digital resilience across Europe. It could impact more than 180,000 organisations across member states including 4,000 in Ireland, from sole traders through to large-scale enterprises, in industries from finance to transportation to healthcare. [1]
In March, Microsoft Ireland’s national technology officer, Kieran McCorry, summarised NIS2’s key requirements in Tech Central, writing: “A key feature of NIS2 is the requirement to implement a benchmark of minimum cybersecurity measures including risk assessments, policies and procedures for cryptography, security procedures for employees with access to sensitive data, multi-factor authentication, and cyber security training.” [2]
He goes on, “The legislation also includes an emphasis on the need for cyber security in supply chains and prioritises the relationship between companies and direct suppliers. Additionally, NIS2 aims to harmonise cybersecurity requirements and enforcement across EU member states, while directing companies to create a plan for handling security incidents and managing business operations during and after a security incident.”
What that means in practice is that companies will be required to address risk management through the implementation of basic cyber hygiene procedures and cybersecurity training, regular software updates, access restrictions, encryption technologies, and monitoring of IT systems [3]. Risk management differs from company to company, depending on size and industry, but most companies will have to implement some version of those policies, if not more.
Affected companies will also have to register with national authorities. By recording and monitoring relevant companies, the EU is hoping to improve safety standards and cooperation in the event of safety incidents. Companies will be required to report significant security incidents to the authorities without delay, providing the nature of the incident, its impact, and the countermeasures taken. In some cases, information obligations to customers also exist. [4]
Companies classified as “particularly important companies” will have to provide evidence that they have implemented these required safety measures or face sanctions.
Speaking to the Irish Examiner, Neil Redmond, director of risk and regulation at PwC Ireland, explained how companies can figure out their classification status.
“Entities are classified as either ‘essential’ or ‘important’ based on their size, the sector they operate in and their importance to the public interest,” he says. “Large and Medium enterprises may be considered ‘essential entities’. These are organisations in sectors of high criticality with in excess of 250 employees and in excess €50m in annual revenue.” [5]
“Some of the ‘essential entities’ covered by NIS2 include those in sectors like energy, transport, health, banking and public administration while ‘important entities’ include waste management as a principle economic activity and postal services among others,” he adds.
What happens if you don’t act?
Ireland’s national competent authority for public sector bodies, the National Cyber Security Centre (NCSC), will have the remit to impose more stringent penalties for non-compliance under NIS2. [6]
For those entities deemed “essential”, the maximum fine is €10 million or 2% of global annual revenue, whichever is higher. This is reduced slightly for “important” entities but remains significant at €7 million of 1.4% of global annual revenue.
NIS2 introduces a momentous shift in cybersecurity accountability. Security teams will no longer be held solely responsible for non-compliance. Instead, management and executives can be found personally liable if gross negligence is found following a cybersecurity incident. Chief executives may be suspended from their duties over a significant breach.
That’s not to mention the reputational damage companies can suffer if they are found to not be complying with the new regulations. It can result in a loss in investor and customer confidence, most especially if a C-suite figure ends up being suspended.
Why is it important?
According to Microsoft’s ‘Cybersecurity Trends in Ireland 2023’ report, more than 70% of leaders were either unaware or unprepared for compliance with NIS2. Of those who were aware of NIS2, 20% felt they were currently compliant with the legislation and 20% believed they were not compliant. While 60% of all respondents were unsure if they are or not. Positively, 31% of organisations were planning to invest in their strategy to achieve compliance with NIS2 and 29% had a roadmap in place to achieve this. [7]
The need for increased cybersecurity is pronounced. According to the same report, 46% of respondents had faced cyber incidents in the last three years, with 30% experiencing data breaches. Only 14% reported incidents to regulatory bodies, 44% performed risk assessments and 38% employed a multi-layered defence strategy. As already noted, these will all be requirements from October.
Ireland is no stranger to cybersecurity attacks. The HSE attack of 2021 lives long in the memory. It remains the largest known attack against a health service computer system in history. Fears linger over future attacks on a similar scale.
PwC’s recent Irish CEO survey revealed that 90% of Irish business leaders are concerned about their organisation’s exposure to cyber risks. Meanwhile, their Digital Trust survey revealed that 53% of Irish business leaders expect GenAI to lead to catastrophic cyber attacks in the year ahead [8]. The NIS2 directive is nothing if not timely.
What can companies do to prepare?
Writing in the Irish Times, Carol Murphy, an EY partner and head of technology risk, suggests companies start by assessing if and how NIS2 will impact them [9]. They should work out their designation then work to understand what additional demands the new directive is expecting them to implement.
She advises leaders that they “need to understand that this is not purely a cyber, technical, or regulatory issue to be solved – it is a mandatory enterprise imperative that will demand appropriate governance and resourcing from the highest levels.” Given higher-ups will be held accountable for failure, it especially behoves them to make sure the entire organisation is aware of what is expected of them.
PwC advises five key actions companies can take now to ensure they are in compliance when October rolls around. They are (1) Understand your business’s regulatory landscape (2) Assess your ability to comply (3) Proactively test incident response processes (4) Embed resilience testing (5) Develop an end-to-end threat and vulnerability management programme. [10]
We’ve addressed the first in Murphy’s suggestions. In terms of assessing ability to comply, PwC recommends adopting a cybersecurity controls framework. “Mapping specific controls in operation within your business to each NIS2 clause can help inform you of areas where the organisation cannot meet its NIS2 obligations at present.”
In order to proactively test incident response processes, they suggest using tabletop exercises and comprehensive crisis simulation activities. They also suggest, given the importance of reporting incidents to NIS2’s directive, that companies actively test their ability to communicate effectively internally and externally during and following an incident.
Regarding the embedding of resilience testing, they suggest regular testing with a risk-based approach to scope and frequency. “Organisations should define recovery time objectives (RTOs) and recovery point objectives (RPOs) for their critical systems to set the minimum expectations of the business for recovering its key digital services.”
In terms of developing an end-to-end threat and vulnerability management programme, they suggest exercises such as vulnerability scanning by manual penetration tests conducted by experienced cybersecurity professionals on key systems. They note that vulnerability testing should cover all areas relevant to cybersecurity, not just traditional IT systems. They suggest communicating the volume and criticality of open vulnerabilities within the business “to help instil cultural awareness and accountability for the organisation’s security.”
NIS2: What companies need to know
The new NIS2 directive will come into effect in October, with a number of Irish businesses still unprepared for its implementation. The directive will enhance cybersecurity and boost digital resilience across Europe. This is especially important given the growing prevalence of cyber attacks across the world, not to mention the extent to which such attacks could worsen as AI develops. Not preparing can result in major fines or even suspensions for executives.
To avoid such outcomes, businesses need to prepare now. That starts with finding out your designation, assessing your ability to comply, testing your incident response processes, embedding resilience testing, and developing threat and vulnerability management programmes. It’s down to leaders to make cybersecurity part of their company culture. Leaders that fail to do so will soon be held accountable.
More on Cybersecurity
Combatting Cybersecurity Risks
The Unsolvable Problem of AI Safety
Sources
[3] https://www.cocus.com/en/nis2-security-requirements-for-companies/
[4] https://www.cocus.com/en/nis2-security-requirements-for-companies/
[5] https://www.irishexaminer.com/business/technology/arid-41372734.html
[6] https://www.pwc.ie/services/consulting/insights/understanding-nis2-directive.html
[8] https://www.irishexaminer.com/business/technology/arid-41372734.html
[10] https://www.pwc.ie/services/consulting/insights/understanding-nis2-directive.html