
NIS2: What I need to know as a Director

Blog

Expert insights from Brian Honan, CEO and Founder, BH Consulting; Chairman of the Advisory Board, Cyber Ireland; and Member of Advisory Group, European Union Agency for Cybersecurity (ENISA).

(Brian Honan, CEO and Founder, BH Consulting)

The Network and Information Security Directive (NIS2) is the updated directive from the European Union designed to ensure that organisations providing critical services to society have a minimal and common base level of cybersecurity in place.

One item in particular to highlight is that NIS2 mandates board-level accountability, including personal liability for directors in cases of severe non-compliance.

When does NIS2 come into force?

The NIS2 directive is due to come into force on the 17th October 2024 and Ireland will transpose that directive under the proposed National Cyber Security Bill 2024.

NIS2 has been likened in its impact on cybersecurity for organisations to what the EU General Data Protection Regulation (GDPR) was to data protection when it was introduced in 2018. However, unlike the EU GDPR, which had a lot of awareness before it came into effect in May 2018, it can be argued that the same level of awareness does not exist for NIS2. A report published by Microsoft earlier this year highlighted that 70 per cent of Irish business leaders are not appropriately aware of or prepared for NIS2. This is a major concern, as NIS2 will place the responsibility and accountability for cybersecurity at board and senior management level within regulated entities. Aside from the accountability for cybersecurity within the regulated entities, the board and business leaders are also obligated to be trained in and aware of cybersecurity, and they need to supervise the implementation of appropriate risk management measures and sign off on them.

What sectors does NIS2 apply to?

While the original NIS directive introduced in 2016 impacted several hundred organisations in Ireland, the National Cyber Security Centre estimates that NIS2 will extend to over 3,000 Irish organisations and over 180,000 across the whole of the EU. This is because the NIS2 directive expands the number of regulated industry sectors from 8 to 19. NIS2 will apply to organisations operating in the following sectors:

  • Energy
  • Health
  • Transport
  • Drinking Water
  • Banking
  • Digital Infrastructure
  • Financial Market Infrastructure
  • Digital Service Providers
  • Food
  • Manufacturing
  • Postal and Courier
  • Providers of Public Electronic Communications Network or Services
  • ICT Service Management
  • Waste Water
  • Waste Management
  • Public Administration
  • Space
  • Research
  • Chemicals

Major differences between the original NIS and NIS2

  • NIS2 mandates board-level accountability, including personal liability for directors in cases of severe non-compliance.
  • The expansion of the entities that fall under the directive.
  • An increase in the number of regulated industry sectors from 8 to 19 sectors.
  • Increased compliance requirements with stronger obligations on risk management, incident reporting, and governance.
  • Fines can reach up to 2% of an organisation’s global turnover or €10 million, whichever is higher.
  • There is a much stronger obligation for regulated entities in relation to cybersecurity risk management.
  • Enhanced incident notification and reporting requirements. Organisations need to notify the regulator within 4 hours of becoming aware of a breach.
  • Regulated entities are now required to demonstrate they are managing cybersecurity risks within their supply chain.

As a director what should I do regarding NIS2?

With the new responsibility and accountability regime for the board and its members under NIS2, it is important that as a director you are confident in your organisation’s compliance with the requirements of the directive. If you are a director in one of the regulated entities under NIS2, then you should consider the following steps:

  1. Determine if your organisation does come under the remit of the NIS2 directive. The National Cyber Security Centre has an excellent quick guide on the directive which includes a table to identify if the directive applies to your business.
  2. Carry out a NIS2 readiness assessment. As with any initiative, it is important to understand where you are starting from. A NIS2 readiness assessment should identify and assess the cybersecurity measures that are currently in place and whether those measures meet the requirements of the directive.
  3. Put in place appropriate technical and organisational measures identified in the readiness assessment to protect your networks and systems from cyber threats. These can include policies, procedures, firewalls, encryption, access controls, and regular software updates.
  4. Create a comprehensive incident response plan that outlines the steps to take in the event of a cybersecurity incident. This plan should include procedures for reporting incidents to the appropriate regulator for your organisation and cooperating with competent authorities.
  5. Educate staff on cybersecurity best practices and raise awareness about the potential risks they may encounter. Regular training sessions can help employees identify and respond to security threats effectively.
  6. Implement appropriate security measures to protect sensitive information within your organisation. This may involve restricting access to sensitive data, implementing encryption, and regularly backing up critical data.
  7. Make sure that your business dedicates sufficient resources to address cybersecurity risks effectively.
  8. Consider seeking guidance from cybersecurity specialists to ensure you are taking the necessary steps to secure your systems and data. External companies can provide support and advisory services tailored to the needs of your business.
  9. Look to getting certified to a cybersecurity standard, such as ISO27001, as such certification can give the confidence that your organisation’s cybersecurity program is operating in line with industry good practices while also giving assurance to customers.
  10. Cybersecurity is an evolving field as business, technology, and cybercriminals continually evolve and change. New technologies such as AI can bring advantages to business but also introduce new cyber-risks, which is why it’s essential to stay updated on the latest cybersecurity trends, threats, and regulations. This lets you adapt your measures accordingly to address emerging risks effectively.

Should your organisation not be directly regulated by NIS2, it is important to note that a key element of NIS2 for regulated organisations is that they need to manage their cyber-risk within their supply chain. So even if your organisation is not a regulated entity, some of your clients may be, resulting in them demanding evidence that your organisation has appropriate cybersecurity measures in place. If this is the case, your organisation needs to be prepared for the following:

  • Enhanced and more frequent vendor evaluations and cybersecurity requirements from regulated customers, which will need to be responded to.
  • Customers may include cybersecurity requirements in their contracts; your organisation needs to be aware of these and able to meet them, especially in relation to incident reporting and notification.
  • Be prepared to deal with additional cybersecurity requirements from customers.
  • In the event your organisation suffers a cybersecurity breach, you may be obligated to notify any of your customers regulated by NIS2 within specific and strict timelines.
  • Your organisation will need to engage in transparent, in-depth reviews and reporting of any incidents, particularly those that impact regulated clients.

Any organisation that goes through the process of complying with NIS2 will, by definition, be making themselves more resilient. In doing so, they will earn the trust of customers and partners and reduce their exposure to risk. Investing in cybersecurity is an investment in the long-term success and resilience of your business.