Tomorrow (17 April) marks the beginning of a six-month countdown until the directive on measures for a high common level of cybersecurity across the Union (the so-called “NIS2” directive) is required to be adopted by EU member states.
By 18 October 2024, Ireland is required to implement measures including the establishment of a regulatory framework that can levy fines on relevant organisations of up to €10 million or 2% of the company's global turnover for non-compliance, as well as powers including the ability to temporarily prohibit the highest level of an organisation (Board, Senior Management or Chief Executive Officer) from exercising their managerial functions.
Grant Thornton Ireland believes the groundbreaking legislation will have a dramatic impact on cybersecurity in Ireland, in some cases beyond the impact the introduction of GDPR had on data protection.
NIS2 is intended to radically enhance the cybersecurity capacities of the key elements of the private and public sectors, as well as the EU as a whole.
The Directive:
- Expands the sectors impacted from seven to eighteen including health, digital infrastructure, public administration, ICT providers, waste management, food production and processing and research.
- Introduces new cybersecurity risk and incident management requirements.
- Intensifies regulatory oversight including proactive supervision and enforcement.
- Strengthens penalties for failing to comply with the requirements.
- Introduces accountability on top management for non-compliance with the cybersecurity obligations.
- Enforces strict reporting requirements in the event of a cybersecurity incident.
- Ensures co-ordination between EU member states and that cybersecurity requirements and sanction regimes are harmonised.
The directive aims to ensure that impacted organisations, from healthcare to transport, have the highest levels of cyber defences in place to protect against sophisticated cybersecurity threats amidst a rising tide of increasingly complex hacking attempts by criminal groups. The cybersecurity attack on the HSE during COVID illustrates just how real the threat is.
Recent research by Grant Thornton Ireland revealed that over half of businesses in Ireland experienced a cyber-attack in the past year, with nearly a fifth (18.6%) of companies surveyed not having a cybersecurity policy in place.
The Grant Thornton Ireland Economic Cost of Cybercrime report also established that the total economic cost of cybercrime equated to €9.6 billion in 2020, a figure which has only risen since then. These figures illustrate the critical need for robust cybersecurity measures, with organisations affected by NIS2 now under pressure to have adequate protections in place to comply.
The introduction of NIS2 is a strategic objective by the EU to reduce the incidence and impact of cyberattacks, ultimately benefiting businesses and the public. Its implementation comes at a crucial time with a range of new challenges emerging on the cybersecurity threat landscape as a result of artificial intelligence and the digital transformation of society.
As a result, Grant Thornton Ireland’s Cyber team has seen increasing demand from clients to defend against attacks and meet their regulatory obligations.
Commenting on the impending deadline, Mike Harris, Grant Thornton Ireland Partner – Cyber Security, said:
“NIS2 will have a transformative effect on cybersecurity in many cases below that GDPR has had on data privacy, but organisations are sleeping at the wheel in their preparation to comply with low levels of awareness about its requirements and ramifications.
The risk of cyberattacks has multiplied in recent years driven by the rise of hybrid working and the increase in the number of devices workers use, ultimately giving hackers more opportunities to target an organisation’s most critical data.
Similarly, the type of hacking attempts has also rapidly evolved, including criminal gangs using AI to clone colleagues’ voices to breach cyber defences. As a result, there has never been more of a critical moment for organisations to ensure that they have robust protections in place.”