Key Contacts: Sean McElligott – Partner | Anne Bateman – Partner
The new NIS2 Directive (Network and Information Security Directive 2022/2555) imposes a baseline level of cyber security on public and private entities (midsize and above) operating in sectors that are critical for the economy and society, including:
- Energy;
- Transport;
- Health;
- Banking & Financial infrastructure;
- Drinking Water & Waste Water;
- Manufacturing;
- Digital infrastructure;
- ICT service management;
- Public administration.
In simple terms, it is about securing Europe Inc. and, by extension, Ireland Inc. from external and internal cyber-attacks.
Although cybersecurity requirements were first imposed in Europe in 2016 (under the precursor to NIS2), they were largely ignored as there was little or no enforcement of the legislation. In contrast, under NIS2, regulators now have wide-ranging and significant enforcement powers.
Ireland failed to enact the necessary legislation to transpose the NIS2 Directive by the deadline of 17 October 2024, but the first draft of the General Scheme for the National Cyber Security Bill 2024 (“the Bill”) has been published and it is a wake-up call for companies and senior managers operating in the prescribed sectors.
The Bill imposes wide-ranging cybersecurity obligations on public and private entities, but of particular interest are the new enforcement powers under which individuals in management and leadership positions may face personal consequences if their actions or negligence contribute to cybersecurity breaches or non-compliance with relevant regulations. In simple terms, the days of outsourcing responsibility for cybersecurity to the Chief Information Security Officer are gone – the C-suite runs the risk of being held personally accountable for breaches of the legislation. Specifically, the regulator will have the power to:
- Impose liability on the management board of companies that do not comply with the legislation;
- Impose liability on corporate officers (director, manager, secretary or other officers) for non-compliance by the company with the legislation;
- Restrict company CEOs, Directors and other senior managers from their positions where there has been non-compliance with the legislation;
- In certain circumstances, suspend a licence to operate a business in the State until there is compliance with the provisions of the legislation;
- Conduct “dawn raid” type inspections and apply to the District Court for search warrants.
For the avoidance of doubt, even if your organisation is not itself a regulated entity, it will almost certainly have contractual liability to upstream customers to whom it provides services – you will inevitably be faced with the prospect of having new terms inserted into all of your service contracts by your upstream customers.
Although last November’s election has delayed the implementation of the Bill, organisations need to start preparing now, with the immediate takeaways being:
- Assess whether your organisation is in scope for NIS2 – are you a regulated entity or in another company’s supply chain? In simple terms, if you are operating in one of the relevant sectors, there is a good chance that you are in scope – even if not directly in-scope, there is a high probability that you may be in the supply chain of a regulated entity.
- Conduct a legal and technical assessment and gap-analysis of your organisation’s existing cybersecurity risk management and incident reporting measures with a view to designing your roadmap to compliance.
- Assess your supply chains and your current contractual frameworks.
Finally, it is worth bearing in mind that in addition to the enforcement powers discussed above, the regulator has the power to impose financial penalties of up to €10m, or 2% of total worldwide annual turnover, for breaches of the legislation.