VISO Information Security Officer Megan Haybyrne introduces us to the NIS2 Directive, also known as the Network and Information Security Directive, which is legislation introduced by the European Union (EU) to enhance the security and resilience of critical infrastructure and digital services.
It aims to establish a common framework for managing cybersecurity risks and incidents across EU member states. The NIS2 Directive was formally adopted by the Parliament and then the Council in November 2022 and became enforceable as of 16 January 2023. Member States now have until 17 October 2024 to incorporate NIS2 components, strategies, and mandated reporting into their national laws.
Ireland continues to work through the transposition requirements of the Directive ahead of its due date. It is intended that a draft Heads of Bill will be brought before Cabinet ahead of year-end 2023. No updates on this yet.
Who does this apply to?
The NIS2 directive imposes several obligations on operators of essential services (OES) and digital service providers (DSPs). OES refers to organizations in sectors such as energy, transport, banking, and healthcare, while DSPs include online marketplaces, search engines, and cloud computing services. These entities are required to implement appropriate security measures, conduct risk assessments, and report significant cyber incidents to the relevant national authority.
Operators of Essential Services
Digital Service Providers
What is included in NIS2?
One of the key aspects of the NIS2 directive is the establishment of Computer Security Incident Response Teams (CSIRTs) at both national and EU levels. These CSIRTs play a crucial role in coordinating incident response, sharing information, and providing guidance to OES and DSPs. The directive also encourages cooperation and information sharing between member states to ensure a coordinated response to cyber threats.
Overall, the NIS2 directive serves as a comprehensive framework to protect critical infrastructure and digital services from cyber threats. By setting common standards and promoting cooperation, it aims to strengthen the overall security posture of the EU.
Risk analysis and information systems security policies
Incident handling (prevention, detection, and response)
Business continuity and crisis management
Supply chain security
Security in network and information systems
Policies and procedures for cybersecurity risk management measures
The use of cryptography and encryption
The companies and utilities that have been officially designated as Operators of Essential Services are now subject to a set of security requirements as set out in Regulation 17 of SI No. 360 of 2018. The National Cyber Security Centre Ireland has produced guidelines to assist OES in meeting these requirements.
The security guidelines consist of five themes which provide a high-level view of an organisation's management of cybersecurity risk. These are:
How can VISO help?
If you are unsure whether this applies to your business, or if you're unsure how to approach it, reach out to our team in VISO today and we can help steer you in the right direction! We can assist you in any way required and help ensure that your company is complying with all required legislation.