NIS2: The Three-Month Countdown

Just three months remain until the 17 October deadline for EU member states to implement the NIS2 Directive. Preparations are well underway in Irish organisations due to be impacted by the forthcoming National Cyber Security Bill. This article will outline the process that lies ahead and some crucial considerations for business, even if your organisation isn’t directly in scope.

Legislative landscape

The National Cyber Security Bill is the proposed Irish legislation that will transpose the EU’s NIS2 Directive into national law. Heads of the bill were under preparation last September, according to the Government’s Autumn Legislation Programme 2023.

Given the target date for implementation of 17 October 2024, one could reasonably expect the bill to be listed for priority publication in the Autumn Session when the Dáil returns from summer recess.

 

Three Key Changes under the National Cyber Security Bill

  1. Formalisation of the National Cyber Security Centre (NCSC): The NCSC will gain a statutory foundation, solidifying its role in safeguarding national cyber security.
  2. Expanded Scope: The directive’s reach will extend beyond critical infrastructure providers to include postal and courier services, waste management, and food production, processing and distribution, along with other “important” as well as “essential” entities.
  3. Reporting Requirements: New incident reporting obligations will be one of the biggest changes for many affected bodies. These obligations are intended to promote information sharing, to ensure a more robust national cyber security posture.

 

Three Crucial Steps for Organisations Within Scope

NIS2 preparations are well underway in most in-scope organisations. If your preparations are not as advanced as you might wish, our experts recommend focusing on these three key areas:

  1. Comprehensive Inventory: Identify all critical assets and systems within your organisation’s digital infrastructure, mapping their interdependencies to understand potential vulnerabilities. This can be a time-consuming task when first undertaken but will be an invaluable resource.
  2. Thorough Business Impact Analysis (BIA): Evaluate the potential consequences of cyber incidents on your operations, finances, reputation, and legal compliance. This assessment will inform your risk mitigation strategies.
  3. Robust Continuity Planning: Develop and test plans to maintain essential functions in the event of a cyber-attack or disruption. This includes data backup, disaster recovery, and communication protocols.

Three Essential Considerations for All Organisations

Even if NIS2 doesn’t directly apply to your organisation, its ripple effects are unavoidable:

  1. Supply Chain Security: Expect heightened scrutiny of your cybersecurity practices from partners and clients who are within the directive’s scope. Under NIS2, supply chain organisations can expect to see enhanced contractual obligations relating to their security stance, as well as increased rights of due diligence and audit in favour of the customer/in-scope organisation.
  2. Increased Cyber Threats: A heightened focus on national cybersecurity may inadvertently draw attention from malicious actors. Stay vigilant and bolster your defences proactively.
  3. Regulatory Evolution: The National Cyber Security Bill is just one (albeit significant) measure in a series of increasing cyber regulations. Stay informed and up to date to remain compliant.

 

Expert Advice and Guidance

Cybersecurity and resilience is a vast and ever-changing field of expertise. If your organisation would benefit from the advice of our experienced managed security team, please reach out to us at hello@viatel.com.