EU law will shake up cybersecurity in 4,000 Irish firms, says risk expert

More than 4,000 Irish companies are among the 160,000 groups across Europe needing to change how they protect their data

Companies in sectors like waste management, energy, transport and banking are among those whose cybersecurity will come under scrutiny with the new Network & Information Systems Directive 2 (NIS2) directive from the EU. Picture: iStock

Companies have just months to prepare for the Network & Information Systems Directive 2 (NIS2), advises Neil Redmond, director, risk and regulation, PwC Ireland.

This wide-ranging piece of new EU cybersecurity law will shake up how industries protect themselves, says Mr Redmond.

NIS2 takes effect on October 18. It is a key part of the EU’s cybersecurity strategy and is in line with the European Commission’s priority to make Europe, including Ireland, fit for the digital age. NIS2 covers around 160,000 organisations across Europe, including over 4,000 in Ireland.

Neil Redmond, director, risk and regulation, PwC Ireland.

“NIS2 introduces greater cybersecurity standards (more stringent supervisory measures and reporting timelines) for operators of critical services and infrastructure,” says Mr Redmond. “In particular, NIS2 brings more of these types of services such as transportation, energy utilities, telecoms, water services and health services into scope.

“Entities are classified as either ‘essential’ or ‘important’ based on their size, the sector they operate in and their importance to the public interest. Large and medium enterprises may be considered ‘essential entities’. These are organisations in sectors of high criticality with in excess of 250 employees and in excess of €50m in annual revenue.

“Some of the ‘essential entities’ covered by NIS2 include those in sectors like energy, transport, health, banking and public administration, while ‘important entities’ include waste management as a principal economic activity and postal services, among others,” he adds.

Recent PwC surveys suggest the new legislation is well-timed for Irish businesses. PwC’s recent Digital Trust survey notes that 53% of Irish business leaders expect GenAI to lead to catastrophic cyber attacks in the year ahead.

At the same time, just 25% of Irish respondents to PwC’s recent Risk Survey revealed that they plan to invest in upgrading critical cybersecurity systems compared to 30% globally. Ireland lags global peers in how companies are planning their cybersecurity.

PwC's recent Irish CEO survey revealed that 90% of Irish business leaders are concerned about their organisation's exposure to cyber risks.

“With advances in technologies, such as AI, they are right to be concerned,” he said. “NIS2 is a landmark piece of legislation covering a much larger remit than just simply IT and has implications for other areas of business. We will see cybersecurity taken to new levels including how companies manage threats and risks to their business. Failure to meet the new standards may result in hefty fines.”

Mr Redmond said the new NIS2 rules are setting a whole new bar of compliance. An essential entity is a company that provides a service that the country as a whole requires to be effective 24/7.

“Companies under the remit of NIS2 must carry out regular testing of their cybersecurity controls and demonstrate a robust incident response and reporting system and crisis management processes,” he said. “The board needs to be aware and approve the adequacy of cybersecurity risk management measures in an organisation. They can’t just accept what they’re told, they have to challenge and understand why they are taking a course of action.”

Under NIS2, the National Cyber Security Centre (NCSC) will carry out audits and inspections on a more regular basis, following a more proactive approach. For example, in Ireland, the NCSC will be able to ask an organisation for information on a regular basis.

Once the October 2024 deadline passes, the NCSC will carry out regular audits and inspections, with the threat of sanctions and penalties to follow for non-compliance.

“With more stringent regulation on the way, there is no room for complacency,” said Neil Redmond. “The Irish Government, the European Union and the NCSC are seeing that companies may not necessarily appreciate how cybersecurity supports the economy or their businesses.

“So trying to encourage companies to be compliant with the NIS2 gives an impetus to go back to their own Boards and stakeholders and explain its importance.

“In our experience, some companies don’t have the level of maturity that would be required to meet the new NIS2 obligations,” he said. “They really need to focus on an enterprise-wide programme, including all business units, so that they can sustain an audit and maintain cybersecurity resilience.

“The arrival of NIS2 creates greater responsibilities for Boards to fully understand how their companies’ data is being processed and their technology is being used. Transparency is key and knowledge is power. Stakeholders really need to understand what’s going on in their organisations.”


© Examiner Echo Group Limited