Introduction
The landscape of cybersecurity and data protection legislation within the European Union has undergone significant evolution over the past few years, culminating in the introduction of the second Network and Information Security Directive (EU) 2022/2555, commonly referred to as NIS2. This directive replaces its predecessor, Directive (EU) 2016/1148 (NIS1), marking a significant step forward in the EU's efforts to bolster cybersecurity across the member states.
This article aims to provide a comprehensive overview of the transition from NIS1 to NIS2, focusing on its implications for Ireland, the new obligations introduced, enforcement provisions, and the steps businesses need to take to comply.
Scope of NIS1 and NIS2
NIS1 was the EU's first piece of legislation aimed at establishing a baseline level of cybersecurity across key sectors of the economy. It focused on operators of essential services (OES) and digital service providers (DSPs), requiring them to take appropriate security measures and report significant cyber incidents.
NIS2 broadens the scope significantly, covering a wider range of sectors and types of entities. It introduces stricter security and incident reporting requirements, extends coverage to medium and small-sized entities in certain sectors, and emphasises the importance of supply chain security.
What's new?
NIS2 introduces several new obligations for entities within its scope, aiming to significantly enhance the cybersecurity posture across the European Union. These obligations reflect a comprehensive approach to managing cyber risks, ensuring incident preparedness, and fostering a culture of security among both Essential and Important Entities.
Here's a detailed look at some of the key new obligations under NIS2:
Risk Management Measures
Entities are required to adopt a wide range of technical, operational, and organisational measures based on a thorough risk assessment. These include:
- Security Policies: Implementation of robust security policies tailored to the identified risks.
- System Security: Measures to ensure the security of network and information systems, including encryption, access control, and the use of multi-factor authentication.
- Incident Handling: Establishment of incident response and recovery plans, including procedures for responding to and recovering from cybersecurity incidents.
- Supply Chain Security: Entities must assess the cybersecurity risks associated with their supply chains and third-party services, ensuring that suppliers and partners adhere to security standards.
- Testing and Auditing: Regular testing and auditing of the effectiveness of security measures, including vulnerability assessments and penetration testing.
Reporting Obligations
NIS2 strengthens the incident reporting framework, requiring entities to report significant incidents to the relevant national authorities within a shorter timeframe:
- Incident Reporting: Entities must report significant cyber incidents to their national CSIRTs or designated competent authorities without undue delay, and where feasible, no later than 24 hours after becoming aware of the incident.
- Follow-up Reports: After the initial notification, entities are required to provide follow-up reports detailing the incident's impact, the measures taken in response, and recommendations for preventing future incidents.
Information Sharing
To foster a culture of information sharing and collaboration, NIS2 encourages entities to share information related to cyber threats, vulnerabilities, and incidents with relevant stakeholders, including industry peers and national authorities, while ensuring the protection of personal data.
Accountability and Governance
NIS2 places a greater emphasis on the accountability of senior management and governance bodies within entities:
- Management Duties: Senior management is explicitly required to oversee the implementation of cybersecurity policies, ensuring that adequate resources are allocated to cybersecurity efforts.
- Governance Frameworks: Entities must establish governance frameworks that integrate cybersecurity risk management into their overall business risk management processes.
Enhanced Preparedness and Collaboration
Entities are expected to participate in national and EU-wide cybersecurity exercises to enhance their preparedness. They are also encouraged to engage in collaborative efforts, such as information sharing and analysis centres (ISACs), to improve collective resilience against cyber threats.
Who is affected?
NIS1 focused primarily on Operators of Essential Services (OES) and Digital Service Providers (DSPs), with member states having a degree of flexibility in identifying the specific entities considered essential. NIS2 introduces a more extensive categorisation of entities into Essential and Important Entities, significantly broadening the range of sectors and types of organisations covered. These categories reflect the Directive's aim to cover more aspects of the economy and society that are vital for maintaining key societal and economic activities. Below is a detailed overview of the types of entities that fall within the scope of NIS2:
Essential Entities
These are entities operating within sectors considered critical for the maintenance of vital societal functions or economic activities. The sectors and examples of entities within this category include, but are not limited to:
Energy: Including electricity, oil, gas, heat, and hydrogen suppliers and distributors. This covers entities involved in production, transmission, distribution, and storage.
Transport: Covering air, rail, water, and road transport sectors. This includes airport and port operators, air traffic control, railway operators, and entities responsible for traffic management systems.
Banking: All credit institutions are included, reflecting the critical role of banking services in the economy.
Financial Market Infrastructures: This includes operators of trading venues and central counterparties, which are crucial for the functioning of financial markets.
Health: Entities such as hospitals, providers of medical services, and manufacturers of critical medical products fall under this category.
Drinking Water: Entities involved in the supply and distribution of drinking water, including water treatment facilities.
Waste Water: This includes entities responsible for the management and treatment of wastewater.
Digital Infrastructure: This covers Internet Exchange Points (IXPs), Domain Name System (DNS) service providers, and Top-Level Domain Name (TLD) registries.
Public Administration: Certain public administration entities, including those providing essential services to the public, are also considered essential.
Important Entities
This category includes entities that are not classified as essential but whose disruption could still cause significant societal or economic impacts. Examples include:
Postal and Courier Services: Entities providing essential postal and courier services.
Waste Management: Entities involved in the collection, treatment, and disposal of waste, including hazardous waste.
Manufacture, Production, and Distribution of Chemicals: Entities involved in the chemical sector.
Food: Entities involved in the production, processing, distribution, storage, and supply of food.
Digital Providers: Including online marketplaces, online search engines, and cloud computing services.
Research and Education: Entities in the education sector, including universities and research institutions, may also be classified as important entities depending on the national implementation.
It's important to note that the specific classification and identification of essential and important entities will depend on the national implementation of NIS2 by each EU member state, including Ireland.
Extraterritorial effect
NIS2 has provisions that extend its reach beyond the territorial borders of the European Union, similar to the GDPR. This extraterritorial effect is primarily focused on ensuring that entities outside the EU that provide services within the Union comply with the Directive's cybersecurity and incident reporting requirements, particularly when these services are critical to maintaining essential societal or economic activities within the EU. Key aspects include:
- Services Offered in the EU: NIS2 applies to entities that offer services within the EU, regardless of whether they are established in an EU Member State. This means that if a company based outside the EU provides essential or important services (as defined under NIS2) to entities within the EU, it must adhere to the Directive's requirements. This includes implementing risk management measures and reporting significant incidents.
- Designation of Representatives: NIS2 requires relevant entities not established in the EU but offering services within it to designate a representative in one of the Member States where the services are offered. This representative acts as a point of contact for regulatory authorities concerning the entity's compliance with NIS2.
- Global Supply Chains: Entities within the EU are required to ensure that their suppliers, including those outside the EU, adhere to cybersecurity standards that comply with NIS2 requirements. This means that non-EU companies could be indirectly affected by NIS2 through contractual obligations imposed by their EU-based partners.
- Cooperation and Information Sharing: NIS2 encourages international cooperation in cybersecurity, recognising the global nature of cyber threats. This includes sharing information about threats and incidents with entities and authorities outside the EU, further extending the Directive's influence beyond EU borders.
Enforcement
The enforcement provisions under NIS2 represent a significant strengthening of the regulatory framework, aimed at ensuring strict compliance with the Directive's requirements across the European Union. These provisions are designed to ensure that entities take their cybersecurity obligations seriously and that there are tangible consequences for non-compliance. Here's a detailed look into the enforcement mechanisms introduced by NIS2:
Enhanced Powers for National Authorities: NIS2 grants greater powers to national authorities responsible for overseeing the Directive's implementation, including Competent Authorities, Single Points of Contact (SPOCs), and Computer Security Incident Response Teams (CSIRTs). These powers include:
- Inspections and Audits: Authorities have the power to conduct regular and ad-hoc inspections and audits of entities to assess compliance with cybersecurity requirements. This may include reviewing policies, procedures, and the effectiveness of implemented security measures.
- Access to Information: Entities are required to provide national authorities with all necessary information to assess compliance. This includes details about risk management practices, incident response plans, and reports on significant cyber incidents.
- Investigative Powers: Authorities can investigate alleged breaches of the Directive, including the power to question individuals, examine records, and gather evidence related to cybersecurity practices and incidents.
Compliance Notices and Orders: Competent Authorities have the authority to issue compliance notices to entities that are found to be in breach of their obligations under NIS2. These notices can mandate specific actions to rectify non-compliance within a set timeframe. Failure to comply with these notices can result in further enforcement actions, including financial penalties.
Financial Penalties: One of the most significant enforcement mechanisms under NIS2 is the introduction of substantial financial penalties for non-compliance. While NIS1 allowed for penalties, NIS2 specifies higher maximum fines, making non-compliance a potentially costly affair for entities. Penalties can be imposed for various infringements, such as failure to implement adequate security measures, failure to report significant incidents promptly, or non-compliance with national authority directives.
Public Disclosure: In certain cases, national authorities may decide to make information about significant cyber incidents and non-compliance publicly available. This measure is intended to increase transparency and accountability, although it must be balanced with the need to protect sensitive information and avoid undue harm to the entities involved.
Cross-Border Enforcement: Given the cross-border nature of many cyber threats and the digital single market, NIS2 emphasises cooperation among member states in enforcement efforts. This includes sharing information about incidents and enforcement actions, assisting in investigations, and coordinating responses to significant cross-border cyber threats.
Implementation of NIS2 in Ireland
Ireland, like all EU member states, was required to transpose NIS2 into national law by 17 October 2024.
National Cyber Security Bill 2024
In Ireland, the NIS2 will be transposed by the National Cyber Security Act. The Irish Government published the General Scheme for the National Cyber Security Bill 2024 (the “Bill”) on 30 August 2024. The Bill will transpose the NIS2 into Irish law, and will also provide for the establishment of the National Cyber Security Centre (the “NCSC”) on a statutory basis. The General Scheme is an early stage in the legislative process, and gives an indication of the structure and provisions of the final act. On the basis that the transposition date for the NIS2 has now passed, we expect that the Bill will make a swift passage through the legislative process.
Some of the Bill’s provisions are:
Designation of Competent Authorities: National Competent Authorities (NCAs) have been designated to oversee the implementation of the Directive and its enforcement within each relevant sector. The Minister also has the ability, via secondary legislation, to designate additional competent authorities as required, in consultation with the relevant persons the Minister considers appropriate.
Supervision and Enforcement: The Bill sets out penalties for non-compliance, including the power to restrict company CEOs, Directors and other senior managers from their positions in Essential and Important Entities. There is also a power for an NCA that issues a licence to an entity to operate its business in Ireland to suspend that licence until there is compliance with the provisions of the Directive. Given the seriousness of these penalties, the sanctions will be dealt with by the High Court.
The NCSC
The NCSC was established in July 2011 with a broad remit across the cyber security of Government ICT and critical national infrastructure, including a national incident response capability, international cooperation and engaging with critical infrastructure operators. In addition, the Computer Security Incident Response Team (CSIRT) within the NCSC has been designated as the national CSIRT, and the NCSC has also been designated as the National Coordination Centre and the National Cybersecurity Authority. The NCSC was the subject of a capacity review in 2021, to benchmark it against equivalent agencies in other EU Member States, one of the recommendations being that it should be established on a statutory basis.
In this regard, the Bill establishes the NCSC as an Executive Office of the Minister and the Department for Environment, Climate and Communications. The NCSC must be subject to ministerial authority on the basis that it has a role in national security.
The Bill also specifies the NCSC’s roles, including national cyber security monitoring, the incident response function, resilience building, information sharing and national incident response. This ensures that the NCSC can perform the general roles set out in the NIS2 and also carry out its existing and developing roles.
From an NIS2 perspective, the NCSC will hold the following functions:
- Designated Competent Authority for certain entities;
- Designated Cyber Crisis Management Authority;
- Single Point of Contact on cybersecurity (SPOC); and
- Computer Security Incident Response Team (CSIRT).
The Bill also gives the NCSC specific powers in relation to scanning, DNS blocking and sinkholing, and the deployment of sensors onto the corporate networks of essential and important entities.
Next steps for businesses
Businesses operating within the scope of NIS2 need to begin preparing for compliance if they haven't already. This involves conducting thorough risk assessments, updating incident response plans, ensuring robust cybersecurity measures are in place, and understanding the specific obligations and reporting requirements applicable to them.
Conclusion
The evolution from NIS1 to NIS2 marks a pivotal moment in the EU's commitment to strengthening cybersecurity across its member states, including Ireland. With the expanded scope, stricter requirements, and enhanced enforcement mechanisms introduced by NIS2, businesses face a significant task in ensuring compliance.