Q: We've been hearing a lot about the NIS2 Directive, but what is it exactly, and how do we know if it applies to our business?
A: The NIS2 Directive is the EU's latest and most significant piece of cybersecurity legislation, replacing the original 2016 NIS Directive. Its primary goal is to achieve a higher common level of cybersecurity across the European Union. In an increasingly digital world, where a cyber incident in one organisation can have a cascading effect on an entire sector, the EU has broadened the scope and strengthened the requirements to bolster the collective resilience of its essential services and infrastructure.
Q: Who does NIS2 apply to?
A: A major change with NIS2 is the expanded scope of sectors it covers. The Directive now applies to a wider range of "essential" and "important" entities. These include sectors such as:
- Essential Entities: Energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, public administration, and space.
- Important Entities: Postal and courier services, waste management, manufacturing of critical products (like pharmaceuticals and medical devices), food production and processing, and digital providers (such as online marketplaces, search engines, and social networking platforms).
The Directive generally applies to medium-sized and large organisations within these sectors. If your business operates in one of these areas and meets those size thresholds, it will likely fall within the remit of NIS2.
Q: What are the key requirements?
A: NIS2 introduces a more harmonised and stringent set of cybersecurity obligations. Key requirements include:
- Risk Management: You must implement a comprehensive suite of security measures to manage the risks posed to your network and information systems. This includes policies on risk analysis, incident handling, and business continuity.
- Corporate Accountability: For the first time, NIS2 places direct responsibility on the management bodies of in-scope organisations. Senior management can now be held personally liable for non-compliance.
- Strict Incident Reporting: Organisations must report significant cyber incidents to their national competent authority without undue delay, with an initial notification required within 24 hours of becoming aware of the incident, followed by a more detailed report within 72 hours.
- Supply Chain Security: You are now responsible for the cybersecurity of your immediate supply chain and must take steps to assess and manage the security risks posed by your suppliers and service providers.
The Irish Government has committed to transpose the Directive into Irish law by the end of the year, with enforcement to follow. It is crucial for organisations to act now to assess their obligations and begin their compliance journey.