Ireland is a connector for sub-sea cables, transmitting the majority of data between two continents underwater where legislation and policing is murky. For this reason alone Ireland is of geo-political significance. Crucially, Ireland is exposed, with its critical infrastructure and markets being optimal targets for criminal or politically motivated attacks.
Over the past two to three years the European Union has taken major steps to respond to the growing governance challenges for business, industry and finance arising from cyber-crime or warfare. Much of the new legislation places burdens on the private sector, particularly in the areas of critical or vital infrastructure for member states, specifically now placing obligations on the banking and insurance sectors. Along with the General Data Protection Regulation (GDPR) these new laws are aimed at protecting a variety of interests operating in the internal market.
We already have the Network and Information Security Directive 2016/1148 (NIS Directive) which addresses binding operating procedures for critical infrastructure operators and responses to cyber events, and adopts relevant strategies and designates member states with a role in policing the protection of said infrastructure. Additionally, there is the EU Cybersecurity Act 20191 which sets up a cybersecurity certification framework for information and communications technology (ICT) products and services.
This summer, political agreement was reached between the EU Commission, Parliament and Council on the further strengthening of cybersecurity at an EU level through the Network and Information Security Directive 2 (NIS2 Directive).
Much of the new legislation places burdens on the private sector, particularly in the areas of critical or vital infrastructure for member states, specifically now placing obligations on the banking and insurance sectors.
The NIS2 Directive will set minimum standards for cybersecurity risk management measures and reporting obligations and information sharing on sectors covered by it. The list of sectors coming within its remit have been increased, and it provides for remedies and sanctions to ensure enforcement.
Under the NIS Directive, member states determined which entities would qualify as operators of essential services. The NIS2 Directive significantly erodes this discretion, expands the number of sectors covered (from 19 to 35), and introduces a size-cap to bring all medium-sized and large entities within its scope. These are entities having at least 50 employees and a minimum turnover of €10 million per year. Sectors include: health; data centre service providers; energy; banking; manufactures of pharmaceutical products; public administration; and waste management.
The NIS2 Directive strengthens available sanctions for non-compliance or failure to cooperate. Companies may be subject to administrative fines for certain breaches of up to €10 million or 2% of worldwide turnover (whichever is higher) with direct obligations on top-management for non-compliance, which could result in fines and a temporary ban from discharging managerial functions. Formal adoption of NIS2 by EU Institutions is expected by the end of Q4 2022, with implementation at a national level by member states by H2 2024.
Additional requirements will arise for risk management frameworks in the financial sector through the European Commission’s Digital Operational Resilience Act (DORA), which will overlap with the NIS2 Directive and will have a similar implementation date in H2 2024. DORA focuses on a digital finance package, and the regulation of crypto-assets together with digital operational resilience. DORA lays down uniform requirements for ICT risk management, reporting, operational resilience, information and intelligence sharing, measures for sound management of ICT risk, outsourcing arrangements, and oversight and cooperation between enforcement entities. DORA is relevant for financial services undertakings and the insurance sector running from credit institutions to investment firms, and rating agencies to fund managers.
Additional requirements will arise for risk management frameworks in the financial sector through the European Commission’s Digital Operational Resilience Act (DORA), which will overlap with the NIS2 Directive and will have a similar implementation date in H2 2024.
In practice, businesses and state agencies will need to foster strong relations with the policing authorities, the National Cyber Security Centre, and processing banks. It is important that in conjunction with their lawyers they implement rapid response and risk management plans, operational resilience plans, undertake staff vetting and training, and ensure IT security is operating at legislative standards or beyond. A key focus will be on ensuring that all outsourcing arrangements are operating at the requisite standards and that risk is allocated with oversights in place.
While there will be costs incurred in the implementation of these measures, the aims of these regulations collectively are to achieve a high common level of cybersecurity across the EU, making all digitally held data and digital services more secure and improving resilience and incident response capacities. Even with all of these systems and controls in place, cyber-criminals will continue their efforts. When a cyber-attack occurs businesses that have incident response plans and respond quickly with legal action in the courts significantly reduce the harm and impact to them and their customers. The courts can provide various remedies in the form of quick and effective injunctions that work well with bright and dark web monitoring. These orders provide for the effective taking down of damaging information quickly, and for tracing of data within and outside the jurisdiction. The right responses build trust, and when compliant with the new legislation will avoid much of the treble hit of loss, fines and reputational harm.