:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/UHCOWHXBOZCKXPWYTW2QLP3I4Q.jpg)
:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/7MRM3KLVXRDGTPW2LHMXCZY4VI.png)
In recent months there have been a lot of discussions about new EU cybersecurity legislation, namely the Network and Information Systems 2 Directive (NIS2). NIS2 is the new European cybersecurity Directive that will replace the existing NIS Directive in October 2024. All European countries are currently transposing the NIS2 Directive into national law and organisations in Ireland are no different when it comes to being compliant with these new requirements.
Even though NIS2 will impact more than 180,000 organisations across the EU, there is a startling lack of awareness of the upcoming legislative changes among leaders in Ireland, as is evidenced by our latest report Cyber Security Trends in Ireland. This is further exacerbated by the cybersecurity vulnerabilities that persist across Irish industry and by the absence of comprehensive defence strategies, also highlighted in our report following research among C-suite executives within organisations in Ireland.
While there’s been a commendable adoption of cybersecurity training, the true resilience demanded by the evolving threat landscape necessitates ongoing investments in technological solutions. Our report reveals that 46 per cent of respondents have faced cyber incidents in the last three years, with 30 per cent experiencing data breaches. Strikingly, only 14 per cent reported incidents to regulatory bodies. The report revealed a significant gap exists in strategic processes, with just 44 per cent performing risk assessments and 38 per cent employing a multilayered defence strategy – all of which will be legislated for in less than 10 months’ time for many organisations in Ireland. The study also points to a potential complacency, with 26 per cent of organisations indicating a lack of IT security infrastructure investment planned for the coming year.
Leaders in Ireland are unaware of vital cybersecurity legislation that requires a deeper focus on strategic cybersecurity processes and resilience
:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/XIILVL3EOFGATNKEIH6JGAI75Q.jpg)
:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/3J2BY6SSPFCIBHSTBSQDRXYRLQ.jpg)
:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/WHDHL7VYFRACVP2CDVQEL5KQIU.jpg)
:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/V3FDT7ZQYNE2BAJEHE3UVKKPFM.jpg)
Despite its potential to strengthen cybersecurity postures, more than 70 per cent of leaders in Ireland are either unaware or unprepared for compliance. Of those who are aware of NIS2, 20 per cent feel they are currently compliant with the legislation and 20 per cent believe they are not compliant. Sixty per cent of all respondents are unsure if they are or not. Positively, 31 per cent of organisations are planning to invest in their strategy to achieve compliance with NIS2 and 29 per cent have a roadmap in place to achieve this.
That said, this lack of awareness extends to the majority being unsure about their organisations having investment or a roadmap for NIS2 compliance. The research also revealed that while organisations may have experienced a cyber incident (46 per cent), not all (14 per cent) felt they had to report it. However, under NIS2, organisations will have to report earlier and more often. It is imperative that Irish organisations are aware of, and planning for, this new legislation that will have a significant impact on their organisations, and potentially their customers’, cybersecurity policies and defences.
What is NIS2 Legislation?
The NIS2 Directive mandates a baseline of minimum-security measures for digital service providers and operators of essential services, highlighting the urgency for organisations in Ireland to prepare for its implications. This includes organisations in the public and private sectors, across industries ranging from finance to transportation to healthcare.
Preparing for NIS2 will require companies to rethink the tools, processes, and skills that reinforce their cybersecurity. A key feature of NIS2 is the requirement to implement a benchmark of minimum cybersecurity measures including risk assessments, policies and procedures for cryptography, security procedures for employees with access to sensitive data, multi-factor authentication, and cybersecurity training. The legislation also includes an emphasis on the need for cybersecurity in supply chains and prioritises the relationship between companies and direct suppliers. Additionally, NIS2 aims to harmonise cybersecurity requirements and enforcement across EU Member States, while directing companies to create a plan for handling security incidents and managing business operations during and after a security incident.
Preparing for NIS2 Legislation?
Any kind of successful transformation effort is about people and company culture as much as it is about technology. Optimising your cybersecurity – and preparing for NIS2 – is no exception. This is not just an issue relegated to the IT department or the cybersecurity team. Effective security requires teamwork – from workers on the factory floor to C-suite leadership. Skilling and education are important components of empowering your people. The majority (62 per cent) of supply chain attacks are malware. And as most malware attacks rely on social engineering, you quickly see why people are so important.
It is important to note that NIS2 will require businesses to have plans in place both for mitigating risk and managing incidents when they do happen. Pre-empting attacks requires understanding where vulnerabilities exist and implementing safeguards accordingly.
For example, organisations can assess risks and comply with regulations using Microsoft 365 Compliance Manager and Microsoft Defender for Cloud. It is also possible to secure devices and networks against supply chain attacks using Microsoft Defender for Endpoint.
Microsoft’s recent strides in unifying incident experiences through Microsoft Sentinel and Microsoft Defender XDR mark another significant leap toward cohesive and efficient cybersecurity strategies. Meanwhile, from 1st of April, Microsoft Copilot for Security will be generally available in Ireland. The industry’s first generative AI solution will help security and IT professionals catch what others miss, move faster, and strengthen team expertise. Copilot is informed by large-scale data and threat intelligence, including more than 78 trillion security signals processed by Microsoft each day, and coupled with Large Language Models to deliver tailored insights and guide next steps. With Copilot, users can protect their environments at the speed and scale of AI and transform their security operations.
In conclusion, the forthcoming implementation of NIS2 demands urgent attention from leaders in Ireland. With mere months remaining until NIS2 becomes enforceable, strategic cybersecurity processes and resilience must become focal points of organisational agendas. Embracing these technologies and fostering a culture of vigilance and adaptability will be crucial for safeguarding organisations and their stakeholders in the face of escalating cyber threats.