Irish business leaders are at risk of facing significant regulatory issues, including suspensions and fines, because they are unprepared for or simply unaware of the EU's second Network and Information Systems Directive (NIS2), which is scheduled to enter into force across all member states on 18 October 2024.
The new regulation focuses on strengthening cybersecurity and digital resilience across Europe and could affect more than 4,000 businesses on the island of Ireland, from sole traders to large corporations.
Many businesses are unaware that they may be within the scope of the new Directive, and the potential impact is very real. Reputational damage in the eyes of stakeholders such as regulators and investors, diminished customer confidence, and possible suspension and fines for top executives and directors are all possible outcomes.
As we have seen internationally and in Ireland in recent years, cybersecurity attacks can have a significant and detrimental impact on business operations and public services.
NIS2 evolved from its predecessor, the EU cybersecurity law NIS-D, introduced in 2016. NIS2 expands its legal scope beyond critical national infrastructure and essential service organizations (such as public works and transportation) to capture entities in 18 sectors. This includes public sector bodies and agencies, digital service providers (DSPs), research organizations, and certain food and manufacturing organizations.
Additionally, because organizations need to address cybersecurity risks in their own ICT supply chains, the regulation also affects companies supplying products to organizations designated as "essential" or "important" under the Directive.
Since the introduction of NIS-D, the world has changed rapidly, driven by the pace of digital transformation that accelerated during and after the pandemic. The implementation of NIS2 is critical as it places greater emphasis on proactive risk management, incident reporting and cooperation between EU Member States.
In May 2021, for example, when the HSE suffered the most serious cyber attack on a state agency in Ireland (and the largest known attack on a health service computer system anywhere), all of its IT systems across the country had to be shut down. In May 2023, a zero-day vulnerability in Progress Software's MOVEit Transfer file software allowed attackers to access MOVEit servers and steal customer data.
This affected a wide range of organizations, including multiple government agencies, healthcare providers, and retail and consumer businesses. NIS2 is intended to place the responsibility firmly on those in senior leadership positions within these organizations to proactively address these potential threats.
The aim of NIS2 is to achieve a common level of cybersecurity maturity across the EU to better protect businesses, consumers and services in these critical sectors and prepare them against potential cyber-attacks. In addition to increased cybersecurity requirements, there are also stricter requirements for incident reporting: all significant incidents must be reported to the National Cyber Security Centre (NCSC) or the designated competent authority within 24 hours, and enforcement is set to be strengthened.
NIS2 will also mandate greater executive accountability to ensure these organizations have sufficient capabilities and controls over cybersecurity. There are provisions that make executives personally liable, including the possibility that the chief executive may be suspended from his or her duties.
Companies that violate NIS2 can also face hefty fines. The maximum fine for entities deemed "essential" is the higher of €10 million or 2% of annual global revenue. Although this is slightly reduced for "important" entities, it is still a large amount: the higher of €7 million or 1.4% of annual global revenue.
We are currently awaiting the introduction of the primary legislation to bring NIS2 into force, with the main draft of the bill expected to be introduced by the summer. In addition to setting out details of how the Directive will be implemented here in Ireland, the bill will also designate "competent authorities" for each sector: the bodies responsible for enforcing the regulations.
With just over five months now until NIS2 is scheduled to come into force across the EU, now is the time for businesses to prepare.
First, companies should begin assessing whether and how NIS2 will affect them. Organizations must demonstrate that they are adequately prepared to respond to and recover from a cyber incident before it occurs, including across their supplier network.
While many companies will need external help, there are internal actions all companies should take now to determine if and how they are affected by NIS2.
The first thing you need to do is determine your designation: are you "essential" or "important"? At a simple level, an "essential" entity is one that was already within the scope of the existing NIS-D. Therefore, most, but not all, companies newly brought into scope by NIS2 are defined as "important".
Once an organization has defined its designation, it must understand what additional controls need to be implemented to meet NIS2 requirements. In our experience, most companies plan to establish an enterprise-wide program with cross-functional teams such as legal, IT, and risk management to assess requirements and implement a compliance program.
Organizational leaders must understand that this is not a purely cyber, technical, or regulatory issue to solve. It is an essential corporate imperative that demands appropriate governance and resources from the highest levels. In my view, it comes down to people: ensuring organizations have the right accountability, awareness, skills and capabilities as cybersecurity continues its journey from the server room to the boardroom.
Carol Murphy is a Partner and Head of Technology Risk at EY