NIS2: How starting your compliance journey now will safeguard your future

New EU cybersecurity directive NIS2 will help strengthen cybersecurity and organisational resilience in this digital age.


In brief

  • NIS2’s legislative scope extends to 18 sectors, including public bodies, research organisations and certain food and manufacturing organisations. 
  • Organisations will have to address cybersecurity risks in their own ICT supply chains. Early assessments of suppliers and contractual enhancements will be key.
  • Breach of obligations could mean large fines, for example ‘essential entities’ may face fines of a maximum of at least €10,000,000 or 2% of the total worldwide annual turnover in the previous financial year.

The intense uptake of digital solutions and innovative technologies over the past four years has changed the way we socialise, work, shop, bank, and receive necessary services, such as health. As sectors and services increasingly become interconnected and interdependent, the cybersecurity threat landscape continues to grow in sophistication and focus.

Safeguarding critical infrastructures and services is paramount to protect society and economies from these actors. In response, EU lawmakers have introduced several interconnected EU-wide laws to improve the digital and operational resilience of the sectors and services we rely on most. 

The second Network and Information Systems Directive (Directive (EU) 2022/2555 (‘NIS2’) is one of these EU-wide laws. It comes into effect on 18 October 2024 and will have a compliance impact on many public and private sector organisations, across 18 sectors, similar to that experienced under the GDPR. The regulatory supervision and enforcement measures under NIS2 bear similarities to the GDPR. However, direct accountability and liability for upper management and possible suspension of CEO duties, brings this squarely into the board room.

NIS2 is an evolution from its predecessor NIS-D, extending the legislative scope to capture entities in a number of additional sectors and sub-sectors, including public bodies and a wider range of digital service providers, as well as covered entities’ ICT supply chains.

The world has changed rapidly since NIS-D was introduced in 2016. Critical information now lives on multiple platforms and devices ripe for attack. Since late 2022 alone, there has been a 200% increase in human-operated ransomware attacks¹. So, the introduction of NIS2 is vitally important as it will place greater emphasis on proactive risk management, incident reporting, and cooperation among EU Member States. This collaborative and proactive approach to cybersecurity threats will mean we are all better protected.

NIS2 sets out the minimum powers of supervision and enforcement that Member State competent authorities must have. Administrative fines can be imposed on essential and important entities for breaches of obligations relating to cybersecurity risk management measures and incident notification. For ‘essential entities’ the maximum fine is the higher of at least €10,000,000 or at least 2% of the total worldwide annual turnover in the previous financial year. For ‘important entities,’ these figures are €7,000,000 and 1.4%.

Irish legislation must be enacted before 18 October 2024 to transpose NIS2. Consistent with its treatment of NIS-D, the transposing legislation will provide that breaches of certain provisions of same will be a criminal offence. We expect that a person found guilty of any of these offences will be liable on conviction to a fine and/or imprisonment.

The introduction of GDPR style administrative fines, personal responsibility for members of so-called ‘management bodies’ of covered entities, the likely inclusion of criminal offences under Irish implementing laws, and the negative publicity that may follow non-compliance makes NIS2 a board-room issue.

It is vital that CEOs, CFOs, CIOs, CISOs and board members understand not only the financial, personal, and reputational consequences of non-compliance - which underscores the urgency of pursing NIS2 compliance now - but also the role that NIS2 will play in safeguarding their organisation’s cybersecurity and operational resilience.

Navigating NIS2

Legal analysis: the first step on your NIS2 journey

Organisations will differ in their level of compliance or maturity across the key control areas that are required under NIS2. However, one thing is certain, all in-scope organisations should now be considering the implications of NIS2 to ensure they have sufficient time to assess, design, and implement their compliance plans before NIS2 comes into effect.

Organisations operating in the sectors defined in NIS2 will need to assess whether they fall within its scope, the availability of any exemptions, their categorisation as ‘essential’ or ‘important’, their NIS2 obligations, and the impact of and interplay with other EU cybersecurity and operational resilience laws. 

NIS2 requires organisations to address cybersecurity risks in their own ICT supply chains. In practice, this will require a risk-based assessment of ICT supplier relationships, enhancing contracts and securing inspection and other rights to ensure supply chain security. Early supplier engagement will be essential. 

To the extent certain in-scope organisations are established and/or providing their services in more than one EU Member State, they may be subject to implementing laws in more than one jurisdiction or the EU Member State where their cybersecurity risk management decisions are predominately made. The NIS2 jurisdiction rules require careful consideration and may cause certain entities to rethink the geographic positioning of cybersecurity decision making.

Summary 

To successfully achieve and sustain NIS2 compliance, your organisation must commit to continuous improvement as well as adoption of proactive measures. Both are key in this ever-evolving digital landscape. Beginning your compliance journey with a legal analysis of the new directive will ensure you start on the right path and will ensure your organisation not only avoids substantial financial penalties but also becomes more resilient to evolving cyber threats.

Learn more about NIS2 and how our EY team can assist your compliance.

About this article

Authors