EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.
Recent Searches
New requirements under the NIS2 Directive are just the beginning, individual accountability will be a gamechanger for how organisations approach cybersecurity.
In brief
- Organisations need to prepare for a new cybersecurity regulatory regime with a range of new requirements.
- Individual accountability will be potentially transformative for the cyber landscape in Ireland and across Europe.
- Continuous risk assessment and ongoing investment will be required to remain compliant with NIS2 in the years ahead.
The NIS2 Directive has the potential to transform the way cybersecurity is approached by organisations in Ireland and across Europe. The directive aims to strengthen the cybersecurity capacity of organisations across a wide range of key industries as well as the public sector and introduces fines of up to €10 million or 2% of an organisation’s global turnover for non-compliance.
Focus squarely on individual accountability
The main difference between NIS2 and its forerunner, the NIS Directive, is the introduction of personal accountability to cybersecurity for the first time. Similar to the Individual Accountability Framework (IAF) in the financial services world, senior executives will be responsible for their organisation’s compliance with the directive.
Where an organisation is found to be non-compliant, responsible officers including the CIO, CEO, and board members can face sanctions including prohibition from exercising their functions within the organisation.
The impact of this aspect of the directive should not be underestimated. Quite simply, it is a gamechanger for the way cybersecurity is discussed and approached by organisations. Up until now, Chief Technology Officers (CTOs) and Chief Information Security Officers (CISOs) could struggle to make the business case for cybersecurity investments, due mainly to a lack of appreciation for its importance at wider C-suite and board level.
Making the case for new technology investments can be relatively straightforward in comparison. The CTO or other responsible officer can point to cost savings and efficiencies or enhancements to employee or customer experience or other value generating outcomes when making the business case. Board and C-suite members can understand the value of moving systems to the cloud but tend not to appreciate the need to add extra layers of security.
Cyber has not been quite such an easy sell, but this is likely to change for the better. Focus and investment tended to increase in the wake of cyber incidents and decline during periods of relative calm when senior executives and board members could allow themselves to be lulled into a false sense of security.
Individual accountability will have the effect of concentrating minds to a greater extent even than the potential fines. The reputational damage to the organisation, not to mention the individual concerned, of having an executive suspended from duties for a breach of the directive could be incalculable. The message it would send to the market is that the organisation does not take cyber seriously and nor does its leadership.
Accountability regime likely to be far reaching
Senior leaders will need to deepen their understanding of cybersecurity and the risks it presents for the organisations. They will also need to familiarise themselves with the requirements of NIS2 Directive to ensure compliance on an ongoing basis. This in no way absolves CTOs and CISOs from responsibility for improving their case making ability when advocating for cyber investments.
The identity of the “responsible officer” to be held accountable is not clearly defined in the directive. It could in theory apply to everyone from the CTO to the CEO, the chair of the board risk committee and the chair of the board itself. For public sector organisations, it could apply to the CTO, the CEO, or the Secretary General of the Department.
We will likely have to await the publication of the legislation to transpose the directive into Irish law for clarity on this issue. In the meantime, senior leadership teams and boards will need to prepare for the prospect of a very far-reaching accountability regime.
The directive also expands quite significantly the number of sectors covered with health, digital infrastructure, public administration, ICT providers, and waste management among those now in scope. It also introduces new cybersecurity risk and incident management requirements as well as strict reporting requirements for cybersecurity incidents.
Five-step strategy to be NIS2 compliant
While that may complete the journey to NIS2 compliance, it marks the beginning of another one which leads to cyber risk quantification (CRQ). This is just beginning to be discussed in the market but will be front of mind for CTOs, CISOs and cyber professionals in the near future.
For the first time, it will offer a means of objectively quantifying cyber risk in terms that will be comparable across organisations and sectors and will enable the setting of baselines against which improvement or deterioration can be measured.
NIS2 is the present, CRQ is the future.
Summary
The transposition into Irish law of the NIS2 Directive will bring with it new cybersecurity and incident reporting requirements for organisations across a wide range of industries in the public and private sectors. For the first time, it introduces the concept of individual accountability. This will not only incentivise compliance but will have far-reaching consequences for how cyber investments are viewed at C-suite and boardroom levels.
Related articles
NIS2: How starting your compliance journey now will safeguard your future
New EU cybersecurity directive NIS2 will help strengthen organisational resilience in this digital age.
The NIS2 Directive is the EU-wide legislation on cybersecurity that provides legal measures to increase the overall level of cybersecurity in the EU.