Guest post by Seamus McCorry, country manager, Ireland, at Check Point Software

The EU’s Network and Information Security Directive 2 (NIS2) entered into force in January 2023, and member states were required to transpose it into national law by 17 October 2024, imposing stricter cybersecurity obligations across the EU. The directive, designed to address an evolving threat landscape, covers a far broader range of sectors than its predecessor, including critical infrastructure and digital services. While the full implementation deadline for compliance is not until 2028, organisations should start making changes now rather than waiting for that date to approach.

Understanding and complying with these obligations is critical for organisations in Ireland: the alternative is significant penalties, including legal action against executives. However, much of the detail of NIS2, including how it will be applied in Ireland, is still undefined, which makes compliance tricky. So, how can Irish organisations get ahead in understanding and implementing the cybersecurity measures needed to achieve compliance?

Defining and Decoding NIS2

Building upon the 2016 NIS Directive, NIS2 directly responds to an evolving and increasingly complex cyber threat landscape. Its primary goal is to reduce cyber risk and harmonise cybersecurity measures across the European Union. It also reaches organisations established outside the EU that provide in-scope services within it, regardless of where in the world they are based.

As previously stated, NIS2, while well-intentioned, presents a challenge for Irish organisations because it stops short of concrete, legally defined minimum levels of protection. Article 21 of the directive lists the areas that risk management measures must cover, but not how far each must go. That is deliberate: the omission is meant to give flexibility and adaptability in a changeable cybersecurity landscape. Instead of prescribing rigid, one-size-fits-all controls, NIS2 establishes a framework of principles and general obligations. This approach allows organisations to tailor their security measures to their own risk profiles and operational needs, provided they meet the requirements set by member states when transposing the directive.

One such principle is a risk-based approach to cybersecurity: organisations must assess the risks specific to their own operations and implement security measures proportionate to them. NIS2 also widens the scope of that risk, expecting organisations to have supply chain security, incident handling, business continuity and wider risk management in place. Finally, NIS2 emphasises cybersecurity by design and by default.

However, this flexibility also presents challenges. Organisations may struggle to interpret the directive’s requirements and to determine exactly how much security is enough. That ambiguity creates uncertainty and a real risk of non-compliance, even for experienced information security professionals. NIS2 does not provide a checklist, but Article 21 does name several measures directly, among them multi-factor authentication, policies on cryptography and encryption, and access control, and the level of protection it implies will in practice also include fundamental controls such as firewalls, intrusion prevention systems and endpoint protection.

Liability and Litigation

Despite these initial challenges, NIS2 has the potential to enhance Ireland’s cybersecurity landscape significantly. By emphasising the importance of robust security programmes and fostering collaboration between legal and IT teams, NIS2 can raise the overall information security maturity of Irish organisations. In practice, the directive also sharpens the distinction between the Chief Information Security Officer (CISO), who owns cybersecurity risk, and the Data Protection Officer (DPO), whose remit is personal data under GDPR, and it empowers CISOs to become strategic advisors to management. However, this increased responsibility also raises concerns around accountability and potential liability for Irish organisations.

A notable aspect of NIS2 is that it makes management bodies accountable for cybersecurity failures. Unlike previous regulations, NIS2 explicitly requires management bodies to approve and oversee the organisation’s risk management measures and allows them to be held liable for infringements. Gross negligence or misconduct, such as failing to report a breach or covering it up (as in the 2016 Uber breach, whose concealment led to the criminal conviction of the company’s security chief), can result in legal action or, for essential entities, a temporary ban on exercising management functions. This heightened personal responsibility is a significant departure from past practice and demands a proactive approach to cybersecurity.

To comply with NIS2, management must demonstrate that robust cybersecurity risk management measures exist and are actually implemented. This includes regular cybersecurity training (which members of management bodies are themselves required to undergo), risk assessments, and effective incident response plans. They must also ensure timely notification of the authorities and, where appropriate, affected recipients of their services in the event of a significant incident. While the full implementation deadline is 2028, some requirements, such as incident reporting, apply immediately.

The specific interpretation and enforcement of NIS2 may vary across EU member states. However, it’s clear that all Irish organisations must now proactively implement robust security measures, such as regular risk assessments, incident response plans, and strong access controls. By understanding the core principles of NIS2 and implementing appropriate measures, organisations can protect themselves from potential liabilities and ensure compliance with this important regulation, but where should business leaders start?

What Management Needs To Do Now

Compliance often sets a baseline level of security, but it is important to strike a balance between meeting regulatory requirements and addressing an organisation’s real-world risks. This balance is particularly crucial when aligning security measures with broader business objectives, such as digital transformation. Information security professionals and the wider management team must work together to ensure compliance and, ideally, to go beyond it.

Knowing where to start when striving towards compliance can be difficult without strict guidelines, and organisations will struggle to meet these goals without continued understanding and awareness. Leaders should commit to monitoring updates and guidance from EU authorities and national regulators. Internally, management and security teams must understand their responsibilities and what the directive means for their organisation; otherwise, they risk legal challenges if something goes wrong. Speaking to external information security experts can make the directive easier to understand.

Organisations should build a flexible information security team to meet NIS2’s evolving demands. Appointing a separate DPO and CISO to oversee data protection and information security respectively is important but often overlooked. Defining these roles and keeping their responsibilities distinct is essential to an effective distribution of accountability. To build on this, the broader IT and legal teams must communicate and work together on an ongoing basis to address compliance.

Regular audits are also crucial for assessing an organisation’s cyber risk profile and ensuring ongoing compliance with NIS2. By conducting critical reviews of different business areas, organisations can identify gaps, strengthen security measures, and demonstrate their commitment to cybersecurity. These audits should be mapped to the obligations in Article 21 of the directive so that they verify full adoption of its requirements. Similarly, identifying and prioritising risk is important and helps leaders allocate resources accordingly.

Additionally, proactively adopting industry best practices and standards is a good way to aid compliance despite the lack of definition. Two obvious candidates are the NIST Cybersecurity Framework (voluntary guidance designed to help organisations assess and improve their ability to prevent, detect, and respond to cybersecurity risks) and ISO 27001 (the international standard for an information security management system, covering the confidentiality, integrity and availability of information).

Finally, prompt incident response is crucial. When a significant incident occurs, NIS2 sets a three-stage reporting timeline: an early warning to the national CSIRT or competent authority within 24 hours of becoming aware of the incident, an incident notification with an initial assessment within 72 hours, and a final report no later than one month after that notification. Recipients of the affected services must also be informed without undue delay where appropriate. Effective response measures can significantly reduce the impact of a security incident. As previously stated, while the full implementation deadline is 2028, the incident reporting requirements are already in effect.

Getting Ahead

Implementing NIS2 is a complex and ongoing process. It requires a long-term commitment to enhancing security across the EU. From 2028, organisations will face annual audits to prove compliance, but it is better to get ahead now than to wait for the deadline to draw closer. If one is not already in place, organisations should start developing a compliance roadmap without delay. To stay ahead, Irish organisations should proactively audit their existing security measures, define clear responsibilities, and raise cybersecurity awareness throughout the organisation.

More about Irish Tech News

Irish Tech News are Ireland’s No. 1 Online Tech Publication and often Ireland’s No.1 Tech Podcast too.

You can find hundreds of fantastic previous episodes and subscribe using whatever platform you like via our Anchor.fm page here: https://anchor.fm/irish-tech-news

If you’d like to be featured in an upcoming Podcast email us at [email protected] now to discuss.

Irish Tech News have a range of services available to help promote your business. Why not drop us a line at [email protected] now to find out more about how we can help you reach our audience.

You can also find and follow us on Twitter, LinkedIn, Facebook, Instagram, TikTok and Snapchat.

Irish Tech News

Pin It on Pinterest