Empowering Cybersecurity | The Impact of the EU NIS 2 Directive on Organisational Responsibility and Governance

29 November 2023

Discover the far-reaching impact of the EU NIS 2 Directive, effective October 18, 2024, on organisational cybersecurity. Uncover key provisions, enforcement strategies, and the role of Irish entities in achieving cyber compliance.

Eamon O'Donnell BL, author of "Empowering Cybersecurity"

Background

The European Union NIS 2 Directive will come into effect on the 18th of October 2024. The Directive gives national cyber authorities new powers, including making top level management responsible for cybersecurity.

In advance of the heads of the Bill, Eamonn O’Donnell BL delves into the directive’s profound implications, from top-level management responsibilities to the enforcement mechanisms that will shape the cybersecurity landscape.

Top Level Responsibility and Organisational Obligations

As a pan-European directive, NIS 2 mandates stringent cybersecurity policies for two main categories of organisations. The first is critical infrastructure entities, such as energy, transport and healthcare, known as 'Essential Entities' and defined in Annex 1 of the Directive. The second category, organisations engaged in digital service provision, is known as 'Important Entities'.

National critical service providers must implement a cybersecurity policy and ensure that their networks are secure. Entities are under an obligation to report any breaches in a timely manner. Article 20 of the Directive imposes a responsibility on management bodies and boards of organisations for the cybersecurity of the organisation. Article 21 of the Directive imposes liability on the management and board of essential entities.

This will bring the IT department from the basement into the boardroom, where the responsibility for cybersecurity now lies. Board members, including the CEO, should have enough knowledge to make decisions about the cybersecurity of the organisation; effective training is important in that respect.

Scope and Guidance for Irish Organisations

While the scope varies for each category, organisations providing digital services, irrespective of size, may fall within the Directive's purview. The European Commission provides guidelines to help organisations determine whether they are within the scope of the Directive.

In Ireland, the National Cyber Security Centre (NCSC) provides guidance and assistance to organisations in the State in implementing the requirements of the Directive. The NCSC has advised that up to four thousand organisations may come within the scope of the Directive.


Organisations within the scope of the Directive are under an obligation to implement an organisation-wide cybersecurity policy. The initial stage in implementing such a policy is identifying the risks to the organisation. The policy must then be rigorously evaluated on a consistent and continuing basis to keep pace with developments in the threat landscape. The policy requires certification by a competent body, and that certification must include ongoing threat management. The EU Agency for Network and Information Security (ENISA) provides information on the current threat landscape.

Enforcement and Penalties

Articles 31 to 37 set out the supervisory and enforcement framework, granting national authorities powers to ensure compliance. Within those parameters, Article 32 gives the authorities power to impose measures on critical entities that are effective, proportionate and dissuasive. These encompass on-site and off-site supervision, random checks and targeted security audits, including ethical hacking.

The NIS 2 penalty and enforcement provisions give national authorities a range of enforcement powers. These include the power to issue warnings for non-compliance, to issue binding instructions to organisations, and to require the implementation of risk management measures and of recommendations arising from audits.

The Directive will give the national authority powers to enforce the responsibility of management. Within essential entities, the Chief Executive Officer or the legal representative can be temporarily prohibited from performing their managerial duties.

In certain circumstances, NIS 2 provides for administrative fines of up to 2% of total worldwide annual turnover for essential entities, or at least ten million euro. For important entities, the administrative fine is in the order of 1.4% of annual turnover, or at least seven million euro.

European Union Cybersecurity

A suite of cyber- and digital-related EU legislation is in train. The Digital Operational Resilience Act (DORA), a regulation, is now in force and will apply in full from January 2025. It covers the financial sector, an industry that is already cyber-aware, and addresses ICT-related incidents.

The EU Cyber Resilience Act applies to appliances and goods that include digital software or connectivity. Its intention is to harmonise the cybersecurity requirements for such products so that they are resilient to risk.

The EU Cybersecurity Act relates to certification, establishing an EU-wide cybersecurity certification framework.


Conclusion

Security is a heightened concern for entities in the European Union, owing to the growing threat of cybercrime in tandem with a greater reliance on online systems. The EU NIS 2 Directive, together with the related EU Directives and their transposition into Irish law, marks a pivotal step towards unified and strengthened national cybersecurity.


The views expressed above are the author’s own and do not reflect the views of The Bar of Ireland.
