The NIS2 Directive Uncovered

The NIS2 Directive: Strengthening Cyber Security in the EU

The EU’s NIS2 Directive will revolutionise cybersecurity in Ireland and the EU, much like GDPR transformed data privacy. It will change how boards of management view and prioritise cybersecurity, especially in critical infrastructure and supply chain organisations. The key question is whether organisations will comply before the deadline and if boards are ready for the changes and consequences. This lack of preparedness could lead to non-compliance, making organisations vulnerable to cyber threats and hefty penalties.

Is NIS2 enough?

The escalating cyber threat landscape in the EU, with a staggering 2.2 billion records compromised in 556 data breaches in 2023, has spurred the implementation of the NIS2 Directive.

This new legislation is a significant advancement from the 2016 NIS Directive. It now covers over 4,000 organisations, up from 125, and shifts cyber security responsibility from IT departments to the boardroom. Some may argue it is overdue, but the timing could be fortuitous. With many organisations operating remotely and adopting digital-first models, cyber security is now a pressing concern for senior management.

The NIS2 Directive strengthens defences against cyberattacks and digital disruption. However, low awareness among boards of management is a critical challenge. This lack of preparedness could lead to a scramble for compliance once the directive takes effect in October 2024. There are hefty fines and sanctions for both organisations and their C-suites.

What entities are in scope under the NIS2 Directive?

The NIS2 Directive, set to be enacted in Ireland on October 17th, significantly expands the scope of cyber security regulation to encompass critical national sectors and service providers. This includes essential services like transportation, energy, healthcare, and banking, as well as newly added sectors like food, manufacturing, and postal services. Entities are classified as Essential or Important based on their size, sector, and impact on society and the economy, with Essential entities facing the most stringent requirements. This broad scope ensures that organisations crucial to the nation’s functioning are held to high cyber security standards, safeguarding both their operations and the services they provide to the public.

Evolution of IT Security Risk to Business Risk

It has been observed that while large enterprises may possess some level of preparedness through adherence to standards like ISO 27001 (information security management), resource limitations (people and budget) and a lack of internal ownership will pose significant obstacles to many mid-sized enterprises. It must be underscored that cyber security is not solely an IT concern but a holistic business risk that necessitates ownership at the board and C-suite levels. Companies are struggling with effective risk management, not only in terms of IT risk but also overall business risks and the risks associated with non-compliance with NIS2.

This includes establishing and managing an effective risk register that is updated over time, encompassing not only IT risks but all company risks, including those associated with non-compliance with NIS2. Whilst an employee may be appointed to manage the risk register, the board of directors is ultimately accountable for it and the risks it contains. Traditionally, the Head of IT or the Chief Information Security Officer (CISO) would be solely responsible for ICT risk management, but this is no longer the case. NIS2 mandates active cybersecurity oversight by the board and senior management, integrating it into strategic organisational planning beyond IT.

Navigating Technical Complexities and Third-Party Risks

Many businesses lack the internal resources and expertise to address technical complexities such as security monitoring and incident response, necessitating external assistance. Some of the technical controls that businesses need to have in place include Security Information and Event Management (SIEM), Managed Detection and Response (MDR), and Identity and Access Management (IDM). The majority of businesses do not have these capabilities in-house, so they will need to engage third-party expertise.

Third-party suppliers to critical organisations must now meet higher cybersecurity standards under NIS2. These suppliers need to comply with enhanced cybersecurity controls, either according to NIS2 or to international standards like ISO27001, which aligns well with the NIS2 controls. Organisations should consider adopting ISO27001 controls, either by aligning with the standard or by achieving certification. Organisations are responsible for ensuring their suppliers meet these standards, and they will be held accountable for any security breaches caused by supplier negligence. This underscores the importance of thorough due diligence and ongoing monitoring of third-party suppliers to secure the entire supply chain.

Supply Chain Security: A New Imperative under NIS2 Directive

NIS2 introduces novel supply chain security standards, mandating businesses to conduct risk assessments at various levels. Notably, a risk assessment encompasses non-technical factors like potential influence from third parties. Organisations must remain vigilant regarding these assessments, as they could trigger compliance issues and financial penalties. Businesses are also responsible for ensuring that their critical suppliers have adequate cyber security controls in place. This includes understanding how sensitive information is handled by third parties, implementing robust data access, storage, and encryption controls, and ensuring that multi-factor authentication (MFA) is in place. Additionally, backups and encryption of backups, privileged access management, cyber insurance coverage, and incident response plans are all essential components of a secure supply chain.

Consequences of Non-Compliance with NIS2 Directive

The financial penalties for non-compliance with NIS2 are substantial and are designed to deter organisations from being lax in their cybersecurity practices. Essential entities could face fines of up to €10 million or 2% of their global annual turnover, whichever is greater. Important entities face slightly lower but still significant penalties, up to €7 million or 1.4% of their global annual turnover.

The financial repercussions do not stop there. If non-compliance with NIS2 also results in data breaches under GDPR, the fines can be even more severe. GDPR fines can reach up to €20 million or 4% of the organisation’s annual revenue, whichever is higher. Organisations that violate NIS2 regulations will face substantial fines under both NIS2 and GDPR, and they will also be publicly named and shamed.

This highlights the importance of complying with NIS2.

Essential Entities, those considered most critical to society and the economy, are under strict cyber security supervision, i.e. security checks both before and after an incident.

Supervisory measures include:

  • On-site inspections: Experts visit the entity’s physical location to assess their cyber security measures.
  • Regular and targeted security audits: These are in-depth reviews of the entity’s cyber security practices. This is done either on a routine basis or in response to a specific concern.
  • Security scans: Automated tools are used to identify vulnerabilities in the entity’s systems.
  • Information requests: The supervising authority can ask the entity to provide details about its cyber security measures and practices.

This comprehensive approach ensures that Essential Entities maintain a high level of cybersecurity readiness and can quickly address any potential threats.

Key Considerations for Irish Organisations

NIS2 represents a significant shift in the cyber security landscape. Organisations that fail to adapt risk facing significant financial penalties, legal action, and reputational damage. By taking proactive steps to comply with the new regulations, organisations can not only avoid these risks but also strengthen their overall cyber security posture.

The minimum controls that organisations need to implement are:

  1. Risk analysis & information system security
  2. Incident Handling & Reporting
  3. Business continuity measures (back-ups, disaster recovery, crisis management)
  4. Supply Chain Security
  5. Security in system acquisition, development, and maintenance, including vulnerability handling and disclosure
  6. Policies and procedures to assess the effectiveness of cyber security risk management measures
  7. Basic computer hygiene and training
  8. Policies on the appropriate use of cryptography and encryption
  9. Human resources security, access control policies and asset management
  10. Use of multi-factor authentication, secured voice/video/text & secured emergency communication
  11. Continuous improvement

Source: NCSC “NIS2 A Quick Reference Guide” 2024

Greater Incident Reporting Obligations with NIS2

The NIS2 Directive mandates stringent incident reporting obligations for essential and important entities. Upon detection of a significant incident, they must provide an early warning to the NCSC within 24 hours, followed by a formal report within 72 hours. They must also provide updates upon request and submit a final report within one month of the incident’s resolution. These reports should detail the incident’s impact, root cause, and mitigation measures taken. This ensures transparency and prompt response to significant cyber threats.

Conclusion

The EU’s NIS2 Directive, though arguably overdue, is necessary for strengthening Ireland’s cybersecurity resilience. It expands its scope to critical sectors and service providers, mandates stringent incident reporting, and shifts responsibility to the board level. NIS2 can significantly enhance Ireland’s defences against rising cyber threats. However, low board-level awareness, compliance complexity, and the need for robust risk management strategies pose challenges.

Despite these hurdles, Ireland has a unique opportunity. It can achieve compliance and become a global leader in cybersecurity. By proactively addressing these challenges and fostering a culture of cybersecurity awareness, Ireland can protect critical infrastructure and sensitive information. This will showcase its position as a digital powerhouse on the world stage.

David McNamara is the founder of CommSec Cyber Security and a board member at Cyber Ireland. With a career spanning technical roles at industry giants like IBM, Siemens, Fujitsu, and Eir, David brings a wealth of expertise to the cybersecurity landscape. He is a sought-after media commentator, regularly sharing insights on cyber security news and trends, and is a passionate advocate for raising awareness of cyber threats and empowering organisations to strengthen their digital defences.
