Cybersecurity & Business Resilience

Why your organisation can’t afford to ignore new EU cybersecurity laws

New EU cybersecurity legislation starts to bite soon. Affected organisations must comply with it or face significant fines, so it is vital to prepare for its implementation.

In a matter of months, a new EU law starts to apply, and it will have a dramatic impact on Ireland's digital services sector. This is NIS2, the second Network and Information Security Directive (Directive (EU) 2022/2555), an extensive piece of legislation seeking to strengthen and harmonise cybersecurity across organisations in all EU member states.

Mandatory NIS2 compliance and potential fines

Member states must transpose NIS2 into national law by 17 October 2024, and compliance will be mandatory for organisations in a covered sector that meet the medium-sized-enterprise threshold (broadly, 50 or more staff, or annual turnover or balance sheet above €10 million), as well as certain entities that are in scope regardless of size. Those that don't reach the Directive's cyber risk management and incident reporting standards, among other requirements, could face potentially punitive fines. That's why Irish businesses should be asking themselves: will this new legislation apply to us? If it does, are we ready for it?

David Curtin, CEO of .ie — the trusted national registry for over 330,000 .ie domain names — is concerned that they might not be prepared. “NIS2 is an update of NIS1, the previous EU cybersecurity directive,” he explains. “While NIS1 only applied to around 100 Irish companies, approximately 3,000 Irish entities will have to comply with the new legislation, according to the NCSC.”

Broader scope and stricter enforcement

Another difference is that NIS1 covered only seven sectors (including healthcare, energy and transport), whereas NIS2 covers 18 sectors across its two annexes (adding, among others, manufacturing, digital providers and food production). "Plus, this time around, the supervisory regime will be strictly enforced, and failure to report breaches will be harshly punished," warns Curtin. For essential entities the maximum fine for violations is €10,000,000 or 2% of global annual turnover, whichever is higher; for important entities it is €7,000,000 or 1.4%, again whichever is higher.

The new legislation poses challenges from a regulatory enforcement standpoint, he admits. “To be able to do their jobs properly, regulators will need to be fully resourced with the right staff and facilities,” says Curtin. “This will take time, which is fast running out.”

Taking proactive steps to help prepare your business

Affected organisations must be ready for the 17 October 2024 transposition deadline. For its part, .ie's multi-stakeholder Policy Advisory Committee has been spreading the word about NIS2 and highlighting basic steps to support cyber-preparations. "Carry out a full audit of your systems landscape and assess your approach to risk management, crisis management and disaster recovery," says Curtin.

“Top managers have to get involved in this task — don’t delegate it. Also, evaluate your supply chains to ensure your providers are NIS2 compliant, and carry out an incident response ‘dry run,’ but don’t bury your head in the sand. Find out now if NIS2 applies to you.”