NIS 2 and DORA - Latest Updates
Cyber security obligations for companies in Ireland are complex, with new legal requirements set to affect Ireland’s economy by the end of this year. Our DEG team outline the latest developments.
Major new legal requirements will place specific cybersecurity obligations on companies across Ireland’s economy by the end of this year. While the existing Network and Information Security Directive has flown under the radar for many Irish companies, stiff penalties and enhanced obligations on directors should put its successor right at the top of the agenda.
By no later than 17 October 2024, Ireland is required to implement the second Network and Information Security Directive (EU) 2022/2555 (“NIS 2”). NIS 2 will repeal its predecessor, Directive (EU) 2016/1148 (“NIS 1”), which served as the first EU-wide piece of cybersecurity legislation.
Scope
Like the earlier legislation, NIS 2 is focused on enhancing cybersecurity preparedness within specific sectors of the economy and the key players within them that are deemed either ‘essential’ or ‘important’ to the economy of the State. Notably, this includes sectors such as transport, pharmaceutical and medical device manufacturing, food production and distribution, healthcare, network infrastructure, telecommunications, water supply, waste management, energy and postal services.
Banks, credit institutions, insurance undertakings and other regulated “financial entities” will fall within the scope of the companion legislation, the Digital Operational Resilience Act (“DORA”), which provides for similar but more extensive obligations.
Irish Implementation
The National Cyber Security Bill that will transpose NIS 2 into national law is listed on the Government Legislation Programme for Summer 2024 but we are yet to see a public draft. The National Cyber Security Centre (the “NCSC”) is expected to be Ireland’s competent authority for public body sectors, as well as taking a coordinating role across all sectors. While we are still waiting to see the Irish implementing legislation, sectoral regulators such as the Commission for the Regulation of Utilities (CRU) and the Commission for Communications Regulation (ComReg) are also expected to take on responsibility for supervising essential and important entities within their areas of competency.
Risk Management Measures
At the core of NIS 2 is the requirement for all in-scope entities to take “appropriate and proportional technical, operational and organisational measures” to manage the risks posed to the security of the systems they use for operations or for the provision of services (and to prevent or minimise the impact of incidents on those systems and services). This is explicitly subject to a proportionality test, based on the entity’s exposure to risk and the resources available to it, as well as the likelihood and severity of potential incidents.
There is also an indicative, non-exhaustive list of measures which should be put in place. This includes measures familiar to most organisations such as information security policies or business continuity / disaster recovery plans. However, the specifics of translating these policies into technical specifications are very much left up to the individual organisation to suit their risk profile and resources. NIS 2 also permits Member States to mandate that organisations follow particular EU cybersecurity certification schemes in order to meet these requirements, though it’s unclear if Ireland will take the opportunity to do so.
Increased Reporting Obligations
NIS 2 obliges ‘essential’ entities to report and engage with the designated authorities in relation to cybersecurity incidents and threats. Unlike its predecessor, NIS 2 introduces a three-stage mechanism for reporting security incidents to the authorities: an early warning within 24 hours, an intermediate notification within 72 hours, and a final report within one month.
Obligations on Senior Management
Perhaps motivated by the relatively low profile of NIS 1, NIS 2 obliges members of the management body (i.e., directors) to undertake specific cybersecurity-related training on a regular basis. In addition, senior management must approve cyber risk management measures and oversee the overall implementation of those measures to mitigate the entity’s cyber risk and respond to incidents if they arise. Non-compliance may result in fines and temporary suspensions; ultimately the specific form of these will be determined by the Irish implementing legislation once it is enacted.
Sanctions and Fines
NIS 2 affords Member States the discretion to set out rules on penalties in their domestic implementing legislation and mandates that Member States impose GDPR-like administrative fines for non-compliance. Such penalties must be “effective, proportionate and dissuasive”. The administrative fines envisaged by NIS 2 include fines for specific breaches of up to €10 million or 2% of total global turnover (whichever is higher). The NCSC has the authority to impose such penalties under NIS 2. From a management perspective, NIS 2 provides that senior management can be obliged to disclose the identity of the individual responsible for non-compliance.
DORA
DORA comprises Regulation (EU) 2022/2554 and Directive (EU) 2022/2556 and introduces targeted rules for a wide range of regulated financial entities on the following: information and communication technology (“ICT”) risk management; ICT-related incident management, classification and reporting; digital operational resilience testing; and management of ICT third-party risk (including the introduction of an oversight framework for critical ICT third-party service providers).
Article 4 of NIS 2 states that where sector-specific Union legal acts require essential or important entities to adopt cybersecurity risk-management measures or to notify significant incidents, the relevant obligations and provisions of NIS 2 shall not apply to such entities. DORA is an example of such a sector-specific Union legal act.
Much of the fine detail for in-scope financial entities under DORA is still being designed by the European Supervisory Authorities (“ESAs”) through regulatory technical standards (“RTS”) and relevant guidelines.
The first set of regulatory technical standards (“Phase 1”) was published and consulted on during 2023 and finalised by the ESAs before the deadline set down in DORA of 17 January 2024. The European Commission formally adopted them as Commission Delegated Regulations in February and March 2024, although they will not take legal effect until they are published in the EU Official Journal, which is likely to be on or about 17 January 2025, when DORA itself comes into force.
The second set of RTS and relevant guidelines (“Phase 2”) was published by the ESAs in draft form on 8 December 2023, with the public consultation on same closing on 4 March 2024. The Phase 2 documents are currently being finalised by the ESAs and must be submitted to the European Commission by 17 July 2024 at the latest. Thereafter the Phase 2 regulatory technical standards will be adopted by the European Commission but, as with Phase 1, will not enter into force until they are published in the EU Official Journal on or about 17 January 2025.
Unlike NIS 2, DORA has direct effect and does not need to be transposed into Irish law, so there will be no delay in implementation.
Looking Forward
The immediate step for anyone concerned about their organisation’s preparedness for NIS 2 is to take advice to assess whether they are an ‘essential’ or ‘important’ entity. Covered entities should take the opportunity now to review cyber hygiene practices and invest in improving internal cybersecurity protocols and policies.