Unpacking NIS2 and the importance of third-party risk management

04/10/24
Leonard McAuliffe

Partner, PwC Ireland (Republic of)

Navigating the NIS2 Directive

As the implementation deadline for the NIS2 Directive approaches on 17 October, organisations across the European Union are preparing to meet the new cybersecurity requirements. The NIS2 Directive, which supersedes the original NIS Directive, aims to enhance cybersecurity across the EU by addressing the evolving threat landscape and ensuring the resilience of essential services and digital infrastructure.

This directive is particularly relevant to essential and important entities, such as energy providers, healthcare institutions, transportation networks and digital service providers. By complying with NIS2, these organisations will be better equipped to protect against cyber threats, ensuring the continuity and security of vital services.

Key changes in the NIS2 Directive

The NIS2 Directive introduces several key changes and improvements over its predecessor. It broadens the scope of entities covered, including additional sectors such as cloud computing, digital providers, manufacturing and research. Organisations must now assess and manage risks more systematically and proactively.

NIS2 adopts a risk-based approach to cybersecurity, emphasising the importance of risk management, assessment and mitigation strategies. It also places a stronger emphasis on supply chain security, recognising the interconnected nature of modern digital ecosystems.

One of the most significant changes is the introduction of stricter incident reporting requirements. Organisations must report significant cybersecurity incidents to the relevant national authorities within a shorter time frame. Specifically, an early warning must be reported within 24 hours, followed by a full incident notification within 72 hours, and a final report within one month of the incident notification. Failure to comply can result in substantial fines and increased regulatory scrutiny.

Management accountability and compliance

Management accountability is central to NIS2: senior executives are responsible for ensuring compliance, and if cybersecurity measures are lacking they face the potential for regulatory fines as well as damage to the organisation’s brand and reputation.

Organisations are taking this seriously. According to PwC’s 2024 Global Digital Trust Insights Survey, 80% of senior executives plan to increase their cyber budget in 2024, with 50% of respondents in Ireland prioritising compliance with regulations and directives.

This, along with the introduction of stricter incident reporting requirements, underscores the need for robust cybersecurity measures, including third-party risk management (TPRM), to protect against evolving threats. Regulators, particularly within Europe, are increasingly scrutinising the security of third-party relationships. NIS2 will hold organisations accountable for managing third-party and fourth-party risks, driving a consistent approach to TPRM.

Key actions businesses can take today

  1. Strengthen vendor due diligence: Implement enhanced due diligence procedures to ensure all third-party vendors comply with NIS2 standards. This includes regular audits, compliance checks and continuous monitoring to mitigate potential risks.

  2. Enhance incident response plans: Develop and refine your incident response strategies to address potential cybersecurity threats from third parties. Ensure your plans align with NIS2 requirements and include clear communication, mitigation and recovery protocols.

  3. Follow the series: Stay updated with our monthly TPRM series for valuable insights.

We are here to help you

As the NIS2 deadline approaches, organisations must proactively ensure compliance and protect their critical infrastructure. Our TPRM service, supported by our new Managed Services Centre in Cork, offers the expertise and comprehensive solutions you need to navigate the complexities of NIS2, manage third-party risks and achieve regulatory compliance.

With our technology, efficient processes and industry expertise, you can reduce your organisation’s risk profile while navigating the complexities of DORA, NIS2 and AI integration. Contact us today to discuss your challenges in more detail and explore the solutions we can provide.
