01 March, 2024
Recent high-profile incidents have brought cybersecurity sharply into focus for regulators. International and local authorities are changing how organisations approach cybersecurity, with the regulatory landscape set to change significantly in the coming years. One cornerstone of this change is the revised Network and Information Security Directive (NIS2), introduced by the European Commission. NIS2 will come into effect from 17 October 2024, so between now and then what do obligated organisations need to know about this new regulation, and how can they prepare for compliance?
NIS2 builds on the foundations laid by the original NIS Directive (NIS1), focusing on ‘essential’ and ‘important’ entities across specific sectors and digital service providers. With the adoption of NIS2, supervisory bodies are taking a more proactive approach to compliance. Regulators are mandating that entities in highly critical sectors regularly engage with and report to authorities regarding cybersecurity. These essential sectors include public administration, energy providers, transport and water suppliers. Public sector enterprises that may be considered important entities include postal services, research institutes, food producers and manufacturing businesses. Compared to NIS1, NIS2 significantly expands the scope of entities considered essential to the public interest.
Ireland’s national competent authority for public sector bodies, the National Cyber Security Centre (NCSC), will have the remit to impose more stringent penalties for non-compliance under NIS2 (the competent authority for the financial services sector will be the Central Bank of Ireland). Fines can include up to €10m or 2% of total global annual revenue for essential entities or up to €7m or 1.4% of total global annual revenue for important entities, whichever figure is higher. NIS2 highlights a shift in accountability for cybersecurity in an organisation. It moves away from holding security teams solely responsible for non-compliance, as now organisational management and executives can be found personally liable if gross negligence is found following a cybersecurity incident. Management can be mandated to publicly disclose instances of, and the identity of the legal person(s) responsible for, non-compliance. It is expected that senior executives will take on greater responsibility and accountability for the implementation of effective cybersecurity incident management processes under NIS2.
An important question facing organisations is: what requirements will entities classified as ‘essential’ have to meet, and how does this differ from ‘important entities’? The primary responsibilities for both will revolve around cybersecurity risk management, incident response and communications in particular:
Cybersecurity incident response and crisis management processes
Incident reporting
Vulnerability management and disclosure
Testing of cybersecurity controls
Data protection through techniques such as encryption
Essential entities will be subject to a more stringent regulatory regime for monitoring compliance, with the NCSC empowered to perform regular, targeted and ad hoc audits as well as issue information and documentation requests. Whereas essential entities are subject to an ex-ante (i.e. before the event) approach to supervision, an ex-post (i.e. after the event) regime will be enforced for important entities with a more limited scope for audits. Both entity classes will, however, be required to comply with the same requirements laid down by the competent authorities.
How resilient is our organisation to a cyber attack? Are we prepared to handle a cyber crisis and report accordingly? What threats do we face, and what vulnerabilities do we have in our digital estate? These are key questions for organisations as they prepare to comply with NIS2.
Businesses in all impacted sectors should adopt a proactive approach to NIS2 compliance, making the most of the valuable time before the requirements are enforced in full.
1. Understand your business’s regulatory landscape
First and foremost, organisations should understand whether they are in scope for NIS2. If so, businesses should be aware of whether they will be subject to ex-ante (essential entities) or ex-post (important entities) regulatory oversight. Beyond the scope of NIS2, identifying other potential regulations the organisation may have to comply with in the future, such as the Critical Entities Resilience Directive (CER) and the EU AI Act, can also benefit businesses in the long run.
2. Assess your ability to comply
Gaining insight into your organisation’s current conformance with NIS2 will help set a compliance baseline and guide efforts to close compliance gaps. A useful tool is a cybersecurity controls framework – mapping specific controls in operation within your business to each NIS2 clause can help inform you of areas where the organisation cannot meet its NIS2 obligations at present. Current state assessments should cover cybersecurity domains, from governance and reporting to technical data protection controls, assessing the operating effectiveness of in-place controls and identifying potential control gaps.
3. Proactively test incident response processes
Tabletop exercises and comprehensive crisis simulation activities are effective ways to periodically assess your business’s ability to respond to cyber incidents. All stakeholders, including senior executives and third parties, should understand their responsibilities during an incident to enable a rapid, secure recovery. Moreover, accountability for reporting to authorities and external stakeholders is critical for compliance – NIS2 sets out strict incident reporting requirements with tight deadlines. Active testing of your organisation’s ability to communicate effectively internally and externally during and following an incident is important, as is the efficient mitigation of the incident’s root cause.
4. Embed resilience testing
Authorities have shone a spotlight on cyber resilience. NIS2 sets a common foundation for organisations across the European Union in relation to their ability to withstand digital disruption. Public sector bodies should implement a resilience testing programme across their key digital platforms and services to validate to what extent operations can be maintained in adverse circumstances. Testing should be performed regularly with a risk-based approach to scope and frequency. At a minimum, failover testing is a must. Organisations should define recovery time objectives (RTOs) and recovery point objectives (RPOs) for their critical systems to set the minimum expectations of the business for recovering its key digital services.
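As an added illustration of how a resilience testing programme can be checked against defined RTOs and RPOs (this is example code written for this article, not a tool or method from the original text), the following Python script compares constructed failover test records with each system's objectives and flags systems that breached an objective, were never tested, or are overdue for their next test. The system names, objectives, test timings and the risk-tiered test cadence are all assumed sample values.

```python
"""Evaluate failover test results against RTO/RPO targets.

Added example, not code from the original article. All systems, objectives,
test results and the risk-tiered test cadence below are constructed sample
data and assumed policy choices.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class RecoveryObjective:
    system: str
    criticality: str   # assumed tiers: "critical", "high", "standard"
    rto: timedelta     # recovery time objective: max tolerable time to restore service
    rpo: timedelta     # recovery point objective: max tolerable data loss (backup age)


@dataclass(frozen=True)
class FailoverTest:
    system: str
    outage_started: datetime     # when the simulated failure was triggered
    service_restored: datetime   # when the service was verified usable again
    last_good_backup: datetime   # newest restorable backup taken before the outage


# Assumed risk-based cadence: how often each criticality tier must be exercised.
TEST_INTERVAL: Dict[str, timedelta] = {
    "critical": timedelta(days=90),
    "high": timedelta(days=180),
    "standard": timedelta(days=365),
}


def evaluate_test(test: FailoverTest, objective: RecoveryObjective) -> Dict[str, object]:
    """Measure achieved RTO/RPO from one test and compare with the objective."""
    achieved_rto = test.service_restored - test.outage_started
    achieved_rpo = test.outage_started - test.last_good_backup
    return {
        "achieved_rto": achieved_rto,
        "achieved_rpo": achieved_rpo,
        "rto_met": achieved_rto <= objective.rto,
        "rpo_met": achieved_rpo <= objective.rpo,
    }


def assess_programme(objectives: List[RecoveryObjective], tests: List[FailoverTest],
                     now: datetime) -> Dict[str, dict]:
    """Latest test outcome per system plus whether the next test is overdue."""
    latest: Dict[str, FailoverTest] = {}
    for t in tests:
        if t.system not in latest or t.outage_started > latest[t.system].outage_started:
            latest[t.system] = t
    report: Dict[str, dict] = {}
    for obj in objectives:
        entry = {"never_tested": obj.system not in latest, "test_overdue": True,
                 "rto_met": None, "rpo_met": None}
        if obj.system in latest:
            test = latest[obj.system]
            entry.update(evaluate_test(test, obj))
            entry["test_overdue"] = test.outage_started + TEST_INTERVAL[obj.criticality] <= now
        report[obj.system] = entry
    return report


def breaches(report: Dict[str, dict]) -> List[str]:
    """Systems that missed an objective or lack a valid, recent test."""
    return sorted(s for s, e in report.items()
                  if e["never_tested"] or e["test_overdue"]
                  or not e["rto_met"] or not e["rpo_met"])


# Constructed sample data: four critical services, three of which have been tested.
OBJECTIVES = [
    RecoveryObjective("citizen-portal", "critical", timedelta(hours=4), timedelta(hours=1)),
    RecoveryObjective("payments-gateway", "critical", timedelta(hours=2), timedelta(minutes=15)),
    RecoveryObjective("hr-system", "standard", timedelta(hours=24), timedelta(hours=12)),
    RecoveryObjective("gis-mapping", "high", timedelta(hours=8), timedelta(hours=4)),
]
TESTS = [
    FailoverTest("citizen-portal", datetime(2024, 2, 10, 9, 0),
                 datetime(2024, 2, 10, 15, 30), datetime(2024, 2, 10, 8, 30)),
    FailoverTest("payments-gateway", datetime(2024, 2, 12, 10, 0),
                 datetime(2024, 2, 12, 11, 20), datetime(2024, 2, 12, 9, 50)),
    FailoverTest("hr-system", datetime(2023, 1, 15, 8, 0),
                 datetime(2023, 1, 15, 14, 0), datetime(2023, 1, 14, 22, 0)),
]
NOW = datetime(2024, 3, 1, 12, 0)

if __name__ == "__main__":
    result = assess_programme(OBJECTIVES, TESTS, NOW)
    for system, entry in result.items():
        print(system, entry)
    print("Needs attention:", breaches(result))
```

In the sample, the citizen portal restored in 6.5 hours against a 4-hour RTO, the HR system's last test is over a year old, and the GIS service has never been tested; only the payments gateway passes. Recording the achieved figures, not just pass/fail, gives management the evidence a supervisory audit would ask for.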
5. Develop an end-to-end threat and vulnerability management programme
Going hand-in-hand with resilience testing, understanding your business’s open vulnerabilities in its digital systems will help drive effective cyber risk management. Exercises such as vulnerability scanning should be supplemented by manual penetration tests conducted by experienced cybersecurity professionals on key systems. Further, vulnerability testing should cover all areas relevant to cybersecurity, not just traditional IT systems. Operational technology (OT) can comprise a major part of a public sector body’s digital footprint and attack surface. Processes should be established to regularly test for vulnerabilities, with test outputs including remediation plans for closing identified weaknesses. The volume and criticality of open vulnerabilities should be communicated within the business to help instil cultural awareness and accountability for the organisation’s security.
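The following Python script is an added example (not code from the original article) of the tracking side of such a programme: it takes constructed scanner and penetration-test findings covering both IT and OT assets, assigns each a remediation deadline from a severity-based SLA, produces a prioritised remediation plan flagging overdue items, and summarises open and overdue findings per accountable business unit for internal reporting. The SLA table, asset names, owners and finding records are all assumed sample values.

```python
"""Remediation tracking for an end-to-end vulnerability management programme.

Added example, not code from the original article. The SLA table is an
assumed internal policy and every finding below is constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed remediation SLA per severity (an internal policy choice).
REMEDIATION_SLA: Dict[str, timedelta] = {
    "critical": timedelta(days=14),
    "high": timedelta(days=30),
    "medium": timedelta(days=90),
    "low": timedelta(days=180),
}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: str
    environment: str          # "IT" or "OT"
    owner: str                # business unit accountable for remediation
    severity: str
    discovered: date
    source: str               # "scanner" or "pentest"
    remediated: Optional[date] = None


def deadline(f: Finding) -> date:
    return f.discovered + REMEDIATION_SLA[f.severity]


def is_open(f: Finding) -> bool:
    return f.remediated is None


def is_overdue(f: Finding, today: date) -> bool:
    return is_open(f) and today > deadline(f)


def remediation_plan(findings: List[Finding], today: date) -> List[dict]:
    """Open findings ordered by severity, then deadline; negative days_remaining = overdue."""
    open_items = [f for f in findings if is_open(f)]
    open_items.sort(key=lambda f: (SEVERITY_RANK[f.severity], deadline(f)))
    return [{"finding_id": f.finding_id, "asset": f.asset, "environment": f.environment,
             "owner": f.owner, "severity": f.severity, "source": f.source,
             "deadline": deadline(f), "days_remaining": (deadline(f) - today).days,
             "overdue": is_overdue(f, today)}
            for f in open_items]


def summary_by_owner(findings: List[Finding], today: date) -> Dict[str, dict]:
    """Volume and criticality of open findings per business unit, for management reporting."""
    summary: Dict[str, dict] = {}
    for f in findings:
        if not is_open(f):
            continue
        s = summary.setdefault(f.owner, {"open": 0, "overdue": 0, "ot_open": 0,
                                         "by_severity": Counter()})
        s["open"] += 1
        s["by_severity"][f.severity] += 1
        if f.environment == "OT":
            s["ot_open"] += 1
        if is_overdue(f, today):
            s["overdue"] += 1
    return summary


# Constructed sample findings: one already remediated, two on OT assets.
TODAY = date(2024, 3, 1)
FINDINGS = [
    Finding("F-001", "web-portal-01", "IT", "Digital Services", "critical", date(2024, 2, 1), "scanner"),
    Finding("F-002", "plc-pumpstation-03", "OT", "Water Operations", "high", date(2024, 1, 10), "pentest"),
    Finding("F-003", "hr-db-01", "IT", "Corporate IT", "medium", date(2024, 1, 20), "scanner"),
    Finding("F-004", "web-portal-01", "IT", "Digital Services", "high", date(2024, 2, 20), "pentest"),
    Finding("F-005", "scada-hmi-02", "OT", "Water Operations", "critical", date(2024, 2, 25), "pentest"),
    Finding("F-006", "mail-gw-01", "IT", "Corporate IT", "low", date(2023, 11, 1), "scanner",
            remediated=date(2024, 1, 5)),
]

if __name__ == "__main__":
    for item in remediation_plan(FINDINGS, TODAY):
        flag = "OVERDUE" if item["overdue"] else f'{item["days_remaining"]}d left'
        print(f'{item["finding_id"]} {item["severity"]:8} {item["asset"]:20} {item["owner"]:18} {flag}')
    for owner, stats in summary_by_owner(FINDINGS, TODAY).items():
        print(owner, stats)
```

Running it lists the critical web-portal finding and the pump-station PLC finding as overdue, and the per-owner summary shows that all of Water Operations' open items sit on OT assets, which is the kind of figure the text suggests communicating within the business to build accountability.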
Regulatory compliance can be challenging. Public sector bodies facing resourcing constraints can find it difficult to dedicate adequate time to prepare for upcoming legislation. The coming months will be a critical period for organisations in becoming compliant in preparation for NIS2. Our experts are ready to help you navigate your business’s compliance journey.