Preparing for NIS2 compliance

A new EU directive expands the scope of information security, bringing more businesses under the regulatory microscope

Joe Brady, chief information officer and head of security services at eir evo

First adopted in 2016, the NIS (Network and Information Systems) directive required organisations in finance, energy, transportation, healthcare, digital infrastructure and water to implement well-defined incident response procedures and risk-based technical security measures.

Of course, since then the digitalisation of society has only grown – and with it, so has the risk. Indeed, according to Fortinet’s 2023 Global Ransomware Report, some 50 per cent of organisations surveyed fell victim to ransomware in 2022. Little wonder, then, that information security regulations are being tightened.

This year, the EU's updated NIS2 directive, a comprehensive new set of requirements, is due to take effect in Irish law.

Joe Brady, chief information officer and head of security services at eir evo said that NIS2 is an increasingly common conversation with organisations of all sizes.

“It’s definitely one of the hot topics, and a lot of organisations are unsure about how much of it applies to them or what they need to do,” he said.

Irish organisations can be forgiven for feeling a little confused about whether or not NIS2 applies to them, as the final form of the legislation has yet to be seen.

“It’s a European directive, and it has to be written into Irish law by October. In the majority of countries that has already been transcribed into legislation, but in Ireland it has not,” he said.

What is clear is that NIS2 intentionally has a broader scope, applying to organisations across a much wider range of sectors. In addition, it has stricter requirements and raises the prospect of punitive measures, such as fines and personal liability for directors, in a fashion similar to the GDPR.

“For companies that were in the scope of NIS, ensuring compliance with NIS2 is an incremental thing. The real concern is among people who were not in the scope of NIS but now will be,” Brady said.

Over the last twelve months, eir evo has been engaging across different sectors from utility companies to government departments to help them meet the requirements in time. Despite being used to regulation, these larger organisations have to move in a careful and considered fashion.

eir itself has been working hard to ensure compliance, he said.

“Within the wider eir group there has been a significant programme of work over the last twelve months,” he said.

Key to compliance is a clear set of procedures that define what should, and will, be done in the event of a breach or attempted intrusion.

eir evo performs gap analysis for clients, helping discover weaknesses that need to be addressed.

“Typical gaps are not necessarily bad security; they may just be related to formalising reporting requirements or similar,” Brady said.

Though NIS2, like any regulation, is a burden, it is ultimately something that should be welcomed.

“It’s so easy to just get caught up in the day-to-day operations of your business and not give it the attention it deserves. Then something like this comes along, so you do a gap analysis. You may find problems, but you get them solved,” Brady said.

“The onus is on organisations to be compliant, and eir evo can absolutely support here. We work with organisations from large utilities and central government down to smaller, tighter outfits, and we provide a whole suite of security services, from monitoring to endpoint detection and response, and, most importantly, preparing them to take action in the event of a security incident,” he said.

For details: visit eirevo.ie