The second Network and Information Security Directive, NIS2, must be transposed into national law by EU Member States by 17 October 2024.
Ireland has said that it will miss Thursday’s deadline, but the new rules will soon become a reality. They will require organisations in both the public and private sector to boost their cyber defences. There are severe penalties for breaches of the new rules.
What is NIS2?
The NIS2 Directive is a continuation and expansion of the previous EU cybersecurity directive, NIS. It aims to boost cyber defences across the EU by requiring certain companies and State bodies to enhance the security of their network and information systems.
It means that operators of critical infrastructure and essential services must implement appropriate security measures and report any cyber breaches to the relevant authorities. The directive was approved back in 2022 and aims to protect critical sectors, such as energy, transport, health, banking, water and digital infrastructures from major cyberattacks.
NIS2 expands the scope of covered organisations and sectors, and extends obligations to the security of supply chains. It brings stricter security and supervision requirements, and more severe repercussions for non-compliance, including heavy fines and personal liability for managers.
What bodies are covered by the new rules?
The directive covers ‘essential entities’ and ‘important entities’.
Essential entities are generally large enterprises: at least 250 employees, or both annual turnover above €50m and a balance sheet total above €43m. The essential sectors include energy, transport, finance, public administration, health, space, water and digital infrastructure.
Important entities are generally medium-sized enterprises: at least 50 employees, or annual turnover or a balance sheet total of at least €10m. The sectors in this category include postal services, waste management, chemicals, research, food, manufacturing and digital providers, including online search engines and social networking platforms.
What are the penalties for breaking the rules?
Essential entities could face fines of up to €10m or 2% of their global annual revenue, whichever is higher. Important entities could be hit with fines of up to €7m or 1.4% of their global annual revenue, whichever is higher.
The rules move away from holding an organisation’s IT department solely responsible for cyber breaches, with new measures that hold top managers personally liable for negligence in the event of a security incident.
Individuals could be temporarily banned from holding management positions in the case of repeated violations. Grant Thornton Ireland has described NIS2 as groundbreaking legislation that could have a more dramatic impact than the introduction of the General Data Protection Regulation (GDPR).
Recent research by Grant Thornton revealed that over half of businesses in Ireland experienced a cyberattack in the past year, with nearly a fifth of companies surveyed not having a cybersecurity policy in place.
“The risk of cyberattacks has multiplied in recent years driven by the rise of hybrid working and the increase in the number of devices workers use, ultimately giving hackers more opportunities to target an organisation’s most critical data,” said Mike Harris, Grant Thornton Ireland Partner, Cyber Security. “Similarly, the type of hacking attempts has also rapidly evolved, including criminal gangs using AI to clone colleagues’ voices to breach cyber defences.”
“As a result, there has never been more of a critical moment for organisations to ensure that they have robust protections in place,” Mr Harris said.
Is the Irish Government ready?
Ireland will miss the deadline of 17 October to transpose the directive.
The Heads of Bill for the relevant legislation were published in August, and the Department of the Environment, Climate and Communications said that it is currently engaging with other relevant Government departments and agencies on the drafting of the bill.
“Unfortunately, the transposition deadline of 17 October 2024 will not be met,” a department spokesperson said. “NIS2 is a complex piece of legislation which requires a complete overhaul of existing legislation.”
“Ireland is not alone in this regard, most EU Member States have indicated they will not meet the transposition deadline, with the majority indicating that it will be 2025 before national legislation is in place,” the department said.
“The NIS2 Directive is a revision of the NIS Directive, which is currently in force in the State and will remain in full effect, covering the most critical operators within the State, while the NIS2 Directive is being transposed into national law,” the spokesperson said.
While Ireland will miss the 17 October deadline, many steps have already been taken in preparation for the directive. The National Cyber Security Centre (NCSC) has been designated as the lead National Competent Authority to enforce the new rules. Covered entities must give the NCSC an early warning of any significant cyber incident within 24 hours of becoming aware of it, followed by a fuller incident notification within 72 hours.
A ‘significant’ incident is one that has caused, or is capable of causing, severe operational disruption or financial loss for the entity, or considerable damage to other people or organisations.
NCSC supervision measures will include on-site inspections, off-site supervision and random checks. There will also be regular and targeted security audits, as well as security scans.
When it comes to enforcement measures, the NCSC will have the power to issue warnings and binding instructions, and to order entities to make aspects of infringements public. It will also have the authority to impose fines.
Other competent authorities for specific sectors include the Commission for the Regulation of Utilities, the Commission for Communications Regulation, the Central Bank of Ireland and the Irish Aviation Authority.
Each EU Member State must establish a list of essential and important entities within their jurisdiction by 17 April 2025.
Are businesses ready?
A recent survey found that four in ten Irish businesses believe their organisation will not be prepared for the new NIS2 rules.
With the 2021 HSE cyberattack still fresh in people’s memories, Ireland knows better than most countries how devastating it can be when hackers target critical infrastructure. Cyber resilience also matters here because so many of the world’s biggest companies operate in critical areas such as pharmaceuticals and technology from Ireland.
When it comes to boosting cyber defences, major multinationals and Government bodies will have large budgets and experienced teams at their disposal.
Many smaller businesses, however, may not be aware of their obligations under these new EU rules and could find themselves struggling to meet the requirements. From food producers to transport companies, it is up to managers to check if their organisation falls within the new cybersecurity rules or face the consequences if they are found to be in breach of the regulations.