NIS2 is an evolution from its predecessor EU cybersecurity legislation, NIS-D, which was introduced in 2016. NIS2 will extend the legislative scope beyond critical national infrastructure and essential services organisations (such as utilities and transport), to capture entities in 18 sectors, including public sector bodies and agencies, digital services providers (DSPs), research organisations, and certain food and manufacturing organisations.
In addition, organisations will be required to address cybersecurity risks in their own ICT supply chains so this regulation will also impact any companies supplying into the entities that are designated as “essential” or “important” by the regulation.
The world has changed rapidly since NIS-D was introduced, driven by the pace of digital transformation that has accelerated during and since the pandemic. The introduction of NIS2 is vitally important as it will place greater emphasis on proactive risk management, incident reporting and co-operation among EU member states.
As we have seen internationally and in Ireland in recent years, cybersecurity attacks can have a significant and detrimental impact on business operations and public services.
For example, when the HSE suffered the most significant cyberattack on an Irish state agency (as well as the largest known attack against a health service computer system in history) in May 2021, all of its IT systems nationwide had to be shut down. In May 2023, a zero-day vulnerability in Progress Software’s MOVEit Transfer file software allowed attackers to gain access to MOVEit servers and steal customer data.
This impacted a wide range of organisations, including multiple government agencies, healthcare providers and retail and consumer businesses. NIS2 aims to place the responsibility for proactively addressing these potential threats firmly with those in senior leadership positions within these organisations.
The objective of NIS2 is to achieve a common level of cybersecurity maturity across the EU, so that businesses, consumers and services across these critical sectors are better protected and prepared for potential cyberattacks. There will be enhanced requirements around cyber security as well as much stricter demands in terms of incident reporting, with all significant incidents here to be reported to National Cyber Security Centre (NCSC) or the designated competent authority within 24 hours, as well as greater enforcement and regulation.
NIS2 will also mandate more accountability in the C-suite to ensure that these organisations have sufficient capabilities and controls in relation to cybersecurity. There is provision for the C-suite to be held personally liable, including the potential for the chief executive being suspended from their duties.
Businesses in breach of NIS2 could also be liable for substantial fines. For those entities deemed “essential”, the maximum fine is €10 million or 2 per cent of global annual revenue, whichever is higher. This is reduced slightly for “important” entities but remains substantial at €7 million of 1.4 per cent of global annual revenue.
We are currently awaiting the introduction of primary legislation to transpose NIS2 into effect, with the Heads of Bill expected by the summer. In addition to setting out the detail on how the directive will be implemented here in Ireland, it will also put in place the “competent authority” for each sectors; the body that will be responsible for enforcing the regulation.
[ Cybercrime a major threat to small businesses ]
There are currently just over five months until NIS2 is scheduled to come into effect across the EU, so now is the time for businesses to get prepared.
In the first instance, companies need to start assessing if and how NIS2 will impact them. Organisations will need to show that they are sufficiently prepared to respond to and recover from a cyber incident in advance of one happening, including across their network of suppliers.
While many companies will need external assistance, there are in-house actions that every business should take now to check if and how they are impacted by NIS2.
The first thing you should do is work out your designation. Are you an essential or important entity? At a simple level, an “essential” entity is something that was already under the scope of the existing NISD. Most, but not all, of the companies that are coming into scope now under NIS2 will, therefore, be defined as “important”.
Once an organisation is clear on its designation, you will need to understand what additional controls need to be implemented to meet the requirements of NIS2. Our experience suggests that most are going to establish an enterprise-wide programme with a cross-functional team including, legal, IT and risk management to assess the requirements and deliver the compliance programme.
Organisation leaders need to understand that this is not purely a cyber, technical, or regulatory issue to be solved – it is a mandatory enterprise imperative that will demand appropriate governance and resourcing from the highest levels. In my view, it’s all about the people in terms of ensuring your organisation has the appropriate accountability, awareness, skills and capabilities in place as cybersecurity continues its journey from the server room to the boardroom.