Summary: The NIS2 Directive aims to enhance EU cybersecurity, which means Irish companies will need to ensure they are compliant or face big fines.
As the European Union gears up for the implementation of the NIS2 directive in October 2024, Irish companies need to prepare for a significant shift in cybersecurity compliance. The Network and Information Security Directive (NIS2) builds upon its predecessor, NIS1, by expanding its scope, tightening its requirements and aiming to create a more resilient digital infrastructure across the EU.
The challenge for many companies is working out exactly how NIS2 applies to their specific activities, and how they can ensure they are compliant in the ways that apply to them. The potential fines for violating NIS2 can be substantial, and NIS2 now also includes new measures to hold top management personally liable. More information on potential NIS2 monetary and non-monetary penalties can be found here. To avoid any penalty, the first step is to understand NIS2 and what the directive requires.
Understanding NIS2 and its evolution from NIS1
The NIS1 directive was implemented in 2018 and at the time was the first EU-wide legislation on cybersecurity. It was and still is aimed at improving the cyber resilience of critical infrastructure sectors such as energy, transport, water, banking, financial market infrastructures, healthcare, and digital infrastructure. NIS2 extends this scope to include a wider range of sectors and introduces stricter security requirements and incident reporting obligations.
For Irish companies finding themselves newly subject to NIS2, the journey to compliance may seem daunting. Breaking down the process into manageable steps can facilitate a smoother transition.
“The best way to get moving on this is to start with a gap analysis, assessing your current cybersecurity posture against the requirements of NIS2. Identify areas where your existing measures fall short and prioritise these gaps,” said Stephen Corrigan, Solution Sales Principal for Vodafone Ireland.
“From there, you can start to develop a comprehensive cybersecurity strategy that encompasses all aspects of cybersecurity, from risk management to incident response. This strategy should align with the specific requirements of NIS2.”
Continuous vigilance should be the rule
If you want to be compliant with NIS2’s risk management guidelines, it’s important to establish a risk management framework that includes regular risk assessments, threat detection and vulnerability management. Corrigan advises that these measures are continuously updated to address emerging threats.
“Develop and regularly test incident response plans to ensure they are effective in mitigating the impact of cyber incidents and establishing clear communication protocols. Know who needs to be notified and what their responsibilities are.”
Initially, conducting a gap analysis and developing a cybersecurity strategy should be prioritised, as these steps lay the foundation for subsequent actions. Educating employees on cybersecurity best practices, and on their role in maintaining the company’s security, is also essential.
Fostering a cybersecurity-centric corporate culture
Creating and maintaining a cybersecurity-centric corporate culture is crucial for the successful implementation of NIS2. This involves embedding cybersecurity principles into every aspect of the organisation and ensuring that all employees understand their role in protecting the company’s digital assets.
“This makes security monitoring really important, particularly given the statistics on the amount of malware out there. Is security monitoring an afterthought, or a core concern? And if you’re not where you need to be, do you need specialist help to get there?” said Stephen Corrigan of Vodafone.
“Company leaders should demonstrate a strong commitment to cybersecurity by allocating sufficient resources, supporting security initiatives, and leading by example. Continuous education and awareness programs should be conducted to keep employees informed about the latest threats and best practices. Empower employees to take ownership of their cybersecurity responsibilities and hold them accountable for their actions.”
Above all, it’s important to note that successful compliance with NIS2 is a matter of cultural buy-in. The best way to stay on the right side of the rules is to foster a working environment where employees feel comfortable reporting security concerns and incidents without fear. Culture is the fuel that powers corporate success, so recognise and reward employees who demonstrate exemplary cybersecurity practices, reinforcing the importance of their contributions.
Extending NIS2 compliance to the supply chain
NIS2 not only applies to the organisations directly covered by the directive but also extends to their supply chains. This means that companies must ensure that their suppliers and third-party vendors are equally compliant with the directive’s requirements.
To achieve this, it’s important to regularly conduct due diligence exercises that assess the cybersecurity posture of potential suppliers, and to integrate cybersecurity criteria into the vendor selection process. Make this a central question in all supply agreements.
Next, implement contractual obligations around any areas of concern. These should include specific cybersecurity requirements in contracts with suppliers and third-party vendors to ensure they adhere to NIS2 standards.
“It will be a challenge for some organisations to bring this topic up, but the most important thing is to get started with having the conversation. Start with your key suppliers because that’s where the highest risk resides. Explain that you’re subject to NIS2 requirements and, as they provide you with services, you expect them to take certain measures as well,” said Tim Timmermans, Chief Information Security Officer for Vodafone partner ON2IT.
“There needs to be a top-down approach to foster the right level of engagement, and a good reporting base to make it possible to implement the requirements of NIS2. Be aware of the strategic risk of failing to comply, but also of the organisational risk. You’re being asked to comply with NIS2 for a reason, because the work you do comes with responsibilities and risks.”
It can help, according to Timmermans, to make your relationships with suppliers collaborative in this regard. Work with them to share best practices, threat intelligence and incident response strategies. Also regularly audit the cybersecurity practices of your suppliers to confirm ongoing compliance and to ensure any weaknesses are addressed.
The NIS2 directive represents a significant evolution in the EU’s approach to cybersecurity, with far-reaching implications for Irish companies, especially in the energy, transport, banking, and healthcare sectors. As the implementation date approaches, Irish businesses must act swiftly to safeguard their operations and maintain their competitive edge in an increasingly interconnected world.
Different industries face unique challenges and threats, so the prioritisation of compliance steps may vary. The energy sector, for example, given its critical nature, must focus on securing both IT and operational technology (OT) systems. Companies operating in this space need to prioritise real-time monitoring and threat detection, ensuring the security of SCADA systems and other critical infrastructure components.
Regular security audits and updates are also essential to protect against sophisticated cyber threats targeting the energy grid.
Ensuring the security of logistics networks and transport systems is similarly crucial. Companies in this sector should prioritise securing communication channels, enhancing supply chain visibility, and implementing robust access controls. Protecting passenger and freight data from cyberattacks is also a key concern, requiring stringent data protection measures.
The banking sector handles highly sensitive financial data and is a prime target for cybercriminals. Financial institutions should prioritise advanced threat detection systems, encryption, and secure transaction processes. Regular penetration testing and incident response drills are essential to maintain a robust security posture. Compliance with data protection regulations such as GDPR should be seamlessly integrated with NIS2 requirements.
Healthcare providers must protect sensitive patient information and ensure the availability of medical services. This sector should focus on implementing strong access controls, encryption, and regular security audits. Incident response plans should be designed to minimise disruption to patient care in the event of a cyberattack. Training staff on cybersecurity best practices is particularly important to prevent breaches caused by human error.