Introduction
Major new legal requirements will place specific cybersecurity obligations on companies across Ireland’s economy by the end of this year. While the existing Network and Information Security Directive has flown under the radar for many Irish companies, stiff penalties and enhanced obligations on directors should put its successor right at the top of the agenda.
By no later than 17 October 2024, Ireland is required to implement the second Network and Information Security Directive (EU) 2022/2555 (“NIS 2”). NIS 2 will repeal its predecessor, Directive (EU) 2016/1148 (“NIS 1”), which served as the first EU-wide piece of cybersecurity legislation.
Scope
Like the earlier legislation, NIS 2 is focused on enhancing cybersecurity preparedness within specific sectors of the economy and the key players within them that are deemed either ‘essential’ or ‘important’ to the economy of the State. Notably, this includes sectors such as transport, pharmaceutical and medical device manufacturing, food production and distribution, healthcare, network infrastructure, telecommunications, water supply, waste management, energy and postal services.
Companies that fall into those categories will now be subject to a significantly increased cybersecurity preparedness and incident reporting regime. While the Directive affords Member States a degree of discretion, they must introduce administrative fines and penalties for non-compliance.
Banks, credit institutions, insurance undertakings and other regulated “financial entities” will instead fall within the scope of the companion legislation, the Digital Operational Resilience Act, which provides for similar but more extensive obligations.
Irish Implementation
The National Cyber Security Bill that will transpose NIS 2 into national law is listed on the Government Legislation Programme for Summer 2024, but we have yet to see a public draft. The National Cyber Security Centre (the “NCSC”) is expected to be Ireland’s competent authority for public body sectors, as well as taking a coordinating role across all sectors. While we are still waiting to see the Irish implementing legislation, sectoral regulators such as the Commission for the Regulation of Utilities (CRU) and the Commission for Communications Regulation (ComReg) are also expected to take on responsibility for supervising essential and important entities within their areas of competence.
Risk Management Measures
At the core of NIS 2 is the requirement for all in-scope entities to take “appropriate and proportionate technical, operational and organisational measures” to manage the risks posed to the security of the network and information systems they use for their operations or for the provision of their services, and to prevent or minimise the impact of incidents on those systems and services. This is explicitly subject to a proportionality test, based on the entity’s exposure to risk and the resources available to it, as well as the likelihood and severity of potential incidents.
These risk management measures are not specific to cyberattacks or to particular kinds of incidents. Instead, NIS 2 requires an “all-hazards approach”, which means that the organisation’s strategy needs to anticipate risks and incidents coming from any direction. This would include cyberattacks, natural disasters, malicious insiders, negligence and many other potential incident vectors.
There is also an indicative, non-exhaustive list of measures which should be put in place. This includes measures familiar to most organisations such as information security policies or business continuity / disaster recovery plans. However, the specifics of translating these policies into technical specifications are very much left up to the individual organisation to suit their risk profile and resources. NIS 2 also permits Member States to mandate that organisations follow particular EU cybersecurity certification schemes in order to meet these requirements, though it’s unclear if Ireland will take the opportunity to do so.
Nonetheless, the European Commission is due to adopt implementing acts which lay down technical standards for certain entities in the technology sector (such as managed service providers) by 17 October 2024. Additional requirements for other sectors may follow, though they are not subject to specific deadlines.
Increased Reporting Obligations
NIS 2 obliges ‘essential’ entities to report and engage with the designated authorities in relation to cybersecurity incidents and threats. Unlike its predecessor, NIS 2 introduces a three-stage mechanism for reporting security incidents to the authorities.
Affected entities must submit an initial ‘early warning’ notification to the competent authorities within twenty-four hours of becoming aware of certain incidents or cyber threats. This should not be a detailed assessment of the incident, but rather a signal to the regulator that it may need to warn other entities (in Ireland and across the EU) which may be subject to similar incidents.
The initial notification of a cyber incident or threat must be followed by a subsequent intermediate notification within 72 hours of the trigger event and a final report within one month. These two notifications contain an increased level of detail; notably, the final report is required to contain a form of root cause analysis.
Obligations on Senior Management
Perhaps motivated by the relatively low profile of NIS 1, NIS 2 obliges members of the management body (i.e., directors) to undertake specific cybersecurity-related training on a regular basis. In addition, senior management must approve cyber risk management measures and oversee their implementation so as to mitigate the entity’s cyber risk and respond to incidents if they arise. Non-compliance may result in fines and temporary suspensions; ultimately, the specific form of these will be determined by the Irish implementing legislation once it is enacted.
Sanctions and Fines
NIS 2 affords Member States the discretion to set out rules on penalties in their domestic implementing legislation and mandates that Member States impose GDPR-like administrative fines for non-compliance. Such penalties must be “effective, proportionate and dissuasive”. The administrative fines envisaged by NIS 2 include fines for specific breaches of up to €10 million or 2% of total global turnover (whichever is higher). The NCSC has the authority to impose such penalties under NIS 2. From a management perspective, NIS 2 provides that senior management can be obliged to disclose the identity of the individuals responsible for non-compliance.
This approach mirrors the trend across EU legislation, such as the GDPR and the Digital Services Act, of mandating administrative penalties; this regime is relatively new to Irish law and has faced constitutional stumbling blocks in challenges to the jurisdiction of the Workplace Relations Commission and the Data Protection Commission. The Irish implementation of NIS 1 imposed criminal rather than administrative penalties for any breach, so in a sense this is a step back. On the other hand, we are not aware of any criminal proceedings having been brought in respect of NIS 1, so this change in approach may represent an opportunity for more ‘modern’ regulatory enforcement (rather than leaving it to the courts).
Looking Forward
The immediate step for anyone concerned about their organisation’s preparedness for NIS 2 is to take advice to assess whether they are an ‘essential’ or ‘important’ entity. Covered entities should take the opportunity now to review cyber hygiene practices and invest in improving internal cybersecurity protocols and policies.
If you have any queries in relation to this update, please contact Carlo Salizzo, Anne-Marie Bohan, Deirdre Crowley, Sarah Jayne Hanna, Davinia Brennan or any member of our Technology & Innovation Group.