13/02/2025
Podcast
EU

The NIS2 Directive represents a significant advancement in the European Union’s approach to cybersecurity. Building on the foundations of the original NIS Directive, NIS2 expands its scope to cover a broader range of sectors and entities, with the aim of better protecting critical infrastructure across the EU against cyber threats. The directive introduces stricter cybersecurity requirements, including enhanced measures for securing supply chains and detailed incident reporting obligations.

Last year, our Technology and Innovation Group created a three-part series, led by Vivian Spies, which has been collated into this podcast episode. This podcast will focus on new requirements, cybersecurity risk management and reporting, and liability and governance under NIS2.

Introduction

The NIS2 Directive represents a significant advancement in the European Union’s approach to cybersecurity. The Directive introduces stricter cybersecurity requirements, including enhanced measures for securing supply chains and detailed reporting obligations. Our Technology and Innovation Group created a three-part video series on the NIS2 Directive, the episodes of which have now been collated into this podcast. This podcast will focus on new requirements, cybersecurity risk management and reporting, and liability and governance under NIS2.

Vivian Spies

Hello, and welcome to the first in our video series on the Network and Information Security Directive or, as more commonly referred to, NIS2. In this video series, we will be discussing some areas of interest pertaining to NIS2. Now, it’s also a good time to note that on the 30th of August, the government did publish the scheme for the National Cyber Security Bill, which will eventually form the basis for the Irish transposing legislation. I’m joined here today by my colleague, Laura McFadden, from the Technology and Innovation Group. You’re very welcome here today, Laura.

Laura McFadden

Hi. Thanks, Vivian.

Vivian Spies

Can you start by giving us a bit of an overview of what NIS2 is?

Laura McFadden

Yeah, so NIS2 replaces the existing NIS Directive. Both are EU Directives, and they aim to achieve a high level of common cyber security across the EU, except that NIS2 is more comprehensive and it has a broader scope.

Vivian Spies

Thanks for that overview, and before we jump into the NIS2 requirements, can you maybe just outline for us why there was a need to replace NIS1 with NIS2 when there’s only a six-year gap between the two directives?

Laura McFadden

As I’m sure we all know, there’s been rapid technological developments and increased digitisation. With this rapid change comes an increased threat landscape. So NIS2 essentially aims to modernise the legal framework in order to be able to keep up with this change.

Vivian Spies

Thanks, Laura. I understand that the scope of NIS2 is much broader than that of NIS1. Why should organisations care about this?

Laura McFadden

Because of the broader scope, many entities may not have anticipated that they would fall within the scope of NIS2, and they might very well fall within that scope now. It’s really important to engage with NIS2 early on. For example, NIS2 includes new sectors such as B2B ICT Service Management, Manufacturing, and Research and some sectors which were already included under NIS1 have now been expanded under NIS2 as well.

Vivian Spies

That’s interesting. Can you maybe give us an example of such an expanded sector?

Laura McFadden

Definitely. A good example is the digital infrastructure sector. Under NIS, this only included IXPs, DNS service providers, and TLD name registries. Now, under NIS2, this sector has been expanded to include, amongst others, data centre service providers, electronic communications networks, and electronic communication services. This would include, for example, instant messaging apps, and that expansion alone would pull in dozens of entities under the scope of NIS2 now.

Vivian Spies

I see. Thanks, Laura. Tell me, how is it determined whether an entity will be classified as essential versus important?

Laura McFadden

Factors like sector, organisation size, and revenue will be taken into consideration. However, in some instances, entities will be considered essential regardless of those factors.

Vivian Spies

That’s interesting. It seems that just because an entity might not have previously been captured by the scope of NIS1 does not mean that they should assume that they also won’t be captured by the scope of NIS2. Tell me, what does this mean for organisations practically, and how will an organisation know that it’s actually been designated?

Laura McFadden

Unfortunately, we won’t know until the transposing legislation comes in, but preparation for NIS2 should certainly begin now, so organisations should assess whether or not they fall within the scope of NIS2, because there is a possibility that governments could require entities to self-assess and register, for example, on an online platform.

Vivian Spies

That’s great. Thank you, Laura. Just before we close off, can you please remind us what the deadline is for transposition in Ireland?

Laura McFadden

17th of October, 2024.

Vivian Spies

That’s all we have time for today. Thank you for your time today, and thank you, Laura, and thank you, everyone, for watching. In our next video, we will be discussing risk management and reporting under NIS2.

Vivian Spies

Hello, and welcome to the next video in our series on the Network and Information Systems Directive, or as more commonly referred to, NIS2. In this video, we’ll be discussing risk management measures and the reporting regime under NIS2. I’m joined here today by my colleague, Fionn Henderson, from the Technology and Innovation Group. Fionn, you’re very welcome here today.

Fionn Henderson

Thank you, Vivian.

Vivian Spies

I understand that NIS2 is more prescriptive regarding cybersecurity risk management measures. Can you tell us a little bit more about this?

Fionn Henderson

Absolutely. Article 21 of NIS2 requires important and essential entities to take measures to manage the risks posed to the systems underpinning their services, as well as to prevent or minimise the impact of incidents on the provision of their services. These have to be based on an all-hazards approach that aims to protect not only the systems themselves, but also the physical environment.

Vivian Spies

I see. Thanks, Fionn. Tell me, is there a minimum standard for the kinds of measures that entities must implement to manage risk?

Fionn Henderson

Yes, of course. Article 21 of NIS2 contains several minimum measures that are required. These include having basic policies and procedures in place, introducing basic cyber hygiene practices, and implementing multi-factor authentication solutions.

Vivian Spies

That’s very informative. Thank you. Moving then on to the supply chain. Will NIS2 affect the way that entities deal with or contract with their suppliers?

Fionn Henderson

Sure, so the answer to this one is potentially. Entities must undertake due diligence on their supply chain. However, in respect of contracts with suppliers, they are merely encouraged to include risk management measures.

Vivian Spies

That’s interesting. Thanks, Fionn. It seems that the lift required for organisations to comply with and to implement the requirements of NIS2 would depend largely on whether they already have any of these measures in place, and certainly on identifying any of the measures on which they can build. So, moving on then, can you tell me a little bit more about the reporting regime under NIS2? Specifically, can you tell us how entities will know which incidents need to be reported?

Fionn Henderson

Only significant incidents need to be reported to CSIRT. Broadly, the assessment under NIS2 revolves around factors such as operational disruption, financial loss, as well as damage to others.

Vivian Spies

Can you tell me a little bit of what’s required under the reporting regime itself?

Fionn Henderson

Sure. So NIS2 does introduce an incident reporting process on the occurrence of significant events, and this takes place in four stages. First is the early warning, which is due within 24 hours of having become aware of the significant incident. After this is the incident notification, which takes place 72 hours after the fact. Next are the intermediate status reports, which must be provided only on request of the relevant authority, and so this may not always be applicable in practice. Finally, there is the submission of the final report, which is due within one month of the incident. However, where the incident is still ongoing, a progress report must be submitted instead.

Vivian Spies

Thanks, Fionn. Those are certainly some very tight timelines. Tell me, when it comes to reporting to recipients of services, customers rather than reporting to authorities, are there any instances where an entity must notify or report incidents to the recipients of their services?

Fionn Henderson

Of course. Entities must notify recipients where a significant incident or significant cyber threat takes place that is likely to adversely affect the provision of their services. Also, when it’s in the public interest, CSIRT can either inform the public of the incident or direct the entity to do so themselves.

Vivian Spies

Well, thanks for that, Fionn. It seems like NIS2 certainly is more prescriptive when it comes to both risk management measures and to reporting so tell me then, what can organisations do practically to prepare for all of this?

Fionn Henderson

Of course. So as a first step, organisations will almost certainly need to revisit their internal policies that are relevant to NIS2. So here we’re talking about their incident response policies as well as their IT security policies. Then, of course, it’s important that these organisations go ahead and implement the changes that are required, as well as provide appropriate training to staff.

Vivian Spies

That’s very helpful. Thank you. Thank you very much, Fionn, for your time and for your insight today. Thank you to all of you for watching. That’s all we have time for today. Next week, we will be talking about enforcement and governance.

Vivian Spies

Hello, and welcome to the final video in our series on the Network and Information Systems Directive, or as more commonly referred to NIS2. In our first video, we looked at the differences between NIS2 and NIS1, and we also looked at the reporting obligations under NIS2. Today, we will be discussing governance and enforcement. I’m joined here today by my colleague, Lukas Mitterlechner in the Technology and Innovation Group. You’re very welcome here today, Lukas.

Lukas Mitterlechner

Thanks a lot.

Vivian Spies

Tell me, does NIS2 impose any specific governance requirements on entities?

Lukas Mitterlechner

Yes, it does. So senior leadership, like the Board of Directors, has the ultimate responsibility for the oversight and implementation of cybersecurity risk management practices.

Vivian Spies

What kinds of obligations would this include?

Lukas Mitterlechner

Sure. There are four main obligations on management bodies. They have to approve the adequacy of the cybersecurity risk management practices taken by the entity. They have to supervise the implementation of those measures. They have to follow training to gain sufficient knowledge and skills to identify risks and assess cybersecurity risk management practices and their impact on the services provided by that entity. They also have to provide similar training to their employees on a regular basis.

Vivian Spies

Thanks very much, Lukas, and can you go a little bit more into the potential consequences for leadership or board members where they fail to comply with those requirements?

Lukas Mitterlechner

Yeah, of course. Board members can be held liable for infringements by that entity of Article 21 of NIS2, which contains the requirement to have appropriate cybersecurity risk management measures in place. Legal representatives who also exercise a certain level of authority on behalf of the entity can be held personally liable. Also, in certain circumstances, a competent authority may temporarily prohibit or suspend an individual who discharges managerial responsibilities at the CEO or legal representative level from exercising a managerial function in that entity.

Vivian Spies

That’s very interesting. It seems that there could be potentially serious consequences professionally and personally for individuals who fail to comply with NIS2. Moving on, can you tell me a little bit more about the supervision and enforcement measures under NIS2?

Lukas Mitterlechner

Yeah, sure. The National Cyber Security Centre, or NCSC, is the national authority for enforcing NIS2 in Ireland. NIS2 also provides national authorities with minimum supervision and enforcement measures to be taken against non-compliance, which include things like administration and compliance.

Vivian Spies

Tell me, is there a difference in the enforcement measures applicable to important versus essential entities?

Lukas Mitterlechner

Yeah. That’s the main way that NIS2 differentiates in its application between essential and important entities, so the supervision and enforcement measures for essential entities are more comprehensive, and they include things like ad hoc audits and, in certain cases, being subject to having certifications and authorisations in relation to their services temporarily suspended.

Vivian Spies

I see, thank you. Then, of course, there are the administrative fines. Does NIS2 distinguish between essential versus important entities when it comes to the application of administrative fines?

Lukas Mitterlechner

Yes, again, it does differentiate between the two. For essential entities, they’re subject to a maximum fine of €10 million or 2% of the total worldwide turnover in the preceding financial year, whichever is higher. Then for important entities, those figures are €7 million and 1.4% respectively.

Vivian Spies

Thanks. Then one last question for today, when is the transposing legislation due in Ireland?

Lukas Mitterlechner

The date of transposition is the 17th of October, 2024.

Vivian Spies

That’s great. Thank you for your time today and for your insight.

Lukas Mitterlechner

My pleasure.

Vivian Spies

With that, we conclude our video series on NIS2. Thank you very much for watching.

Podcasts

The Arthur Cox podcast series ‘AC Audio’ is a collection of knowledge and insights across a range of practice areas within the firm.

Disclaimer: The contents of this podcast are to assist access to information and do not constitute legal or other advice. Specific advice should be sought in relation to specific cases. If you would like more information on this topic, please contact a member of our team or your usual Arthur Cox contact.