Firms warned of EU cyber security fines

A large number of Irish firms will be liable for multi-million euro penalties if they fail to comply within 21 months with new EU-wide cyber security rules due to come into effect next month.

Firms warned of EU cyber security fines

The EU has moved to update and improve the preparedness of businesses to deal with cyber attacks and prevent breaches, as global estimates put the cost of cyber crime at €350bn and set to rise to €1.89tn by 2019.

As part of its efforts to counter the growing threat to business, a new cybercrime policy, the Network Information Security (NIS) directive, will come into force in August.

Under NIS, businesses classed as either essential service providers or digital service providers (DSPs) must adopt the requirements of the directive within 21 months of August 2016 or face fines of up to €10m or 2% globally.

Essential service providers are organisations active in critical sectors such as energy, transport, health and finance.

Digital service providers refer to online marketplaces, search engines and cloud services. A separate set of rules — the General Data Protection Regulation (GDPR) — also allows for potentially larger fines of €20m or 4% of global turnover.

“Be prepared, not scared is the message in relation to the new EU legislation on privacy and security. The eye-watering fines of up to €20m are not for being breached, but are for not being prepared,” International Cyber Threat Task Force president Paul C Dwyer said yesterday.

The confusion the UK’s Brexit vote has caused could play into Ireland’s hands if we can show a clear and comprehensive cyber policy has been adopted in the EU’s soon-to-be sole English-speaking country.

This could land Ireland a larger slice of the multi-billion windfall that adoption of NIS is expected to yield.

“It is estimated that the new NIS directive will add €500bn to the GDP of Europe, and, in a post-Brexit era, this is the most appealing and viable [option] for Ireland to take advantage of.

“The UK is now essentially a ‘No Man’s Cloud land’, so operators and, more importantly, global customers are unsure what this means in relation to the security and compliant hosting of their data.

"Hence the massive opportunity for Irish providers to instill confidence and bring clarity and comfort to customers hosting and protecting their data” Mr Dwyer said at a briefing in Dublin yesterday for members of Ireland’s cyber task force which includes Ryanair, Vodafone, ESB Networks and Virgin Media among others.

Attendees also heard how ransomware attacks are becoming so common that businesses are attempting to expense them.

More in this section

Lunchtime News Wrap

A lunchtime summary of content highlights on the Irish Examiner website. Delivered at 1pm each day.

Sign up

Our Covid-free newsletter brings together some of the best bits from, as chosen by our editor, direct to your inbox every Monday.

Sign up