Cybersecurity shake-up: How to prepare for EU’s NIS2 and DORA

22 Mar 2024


With new cybersecurity regulation fast approaching, Rob Hayes, MD for Cyber UK&I for Sia Partners, discusses how Irish businesses can prepare and the importance of knowing your digital ecosystem.

As cyberattackers continue to evolve their tactics and organisations become more digitised, it is becoming increasingly vital that businesses keep their cybersecurity in order.

The interconnected nature of many sectors – and businesses using the cloud – means a successful attack on one company can lead to the data of other customers being exposed. These are known as supply chain attacks, a concept that various cyber criminals have exploited in recent years.

To protect from the threat of cyberattacks, the EU is pushing forward new regulation to ensure all member states and organisations within them have the appropriate standard of cybersecurity. These are the NIS2 directive and DORA, the Digital Operational Resilience Act.

DORA will come into effect in January 2025 and will bring about various new criteria for organisations to follow – particularly those in the financial sector. The NIS2 Directive, meanwhile, will come into effect in October 2024 and will cover a wide range of critical sectors.

Rob Hayes, head of cyber consulting and MD for Cyber UK and Ireland with Sia Partners, explained the importance of these upcoming EU rules – and the impact they will have on Irish businesses.

“Since a regulation is uniformly applied across all EU countries, it ensures that the same rules are applicable everywhere within the internal market,” Hayes said. “This helps to create a consistent and predictable environment for individuals and businesses.

“DORA has exactly such an objective – to ensure that EU financial entities have a high level of operational resilience against digital threats. This includes banks, insurance companies and other financial institutions, with very few exceptions.”

“Both NIS2 and DORA place a strong emphasis on risk management. They require companies to proactively identify their vulnerabilities and take steps to address them. They also highlight the importance of supply chain security, meaning companies need to ensure that their vendors also have good cybersecurity practices.”

The impact on business

Hayes noted that the NIS2 Directive gives some wiggle room for EU member states in terms of how they implement it across their legal and administrative structures. But he predicts that the directive will “significantly impact Irish businesses” by raising cybersecurity standards.

“While complying with the directive requires effort and investment, the long-term benefits of a more robust cybersecurity posture can outweigh the initial costs,” Hayes said. “For those who are already compliant with NIS1, it will be a matter of adaptation.

“But for the new entities in scope, it will be a larger task of adoption. All of this is dependent on how Ireland has translated the directive into national law.”

The NIS2 Directive includes top management accountability for any non-compliance with cybersecurity obligations, as well as measures to protect supply chains and supplier relationships.

Hayes believes certain sectors such as energy, transportation and finance will have a “smoother transition” to complying with NIS2 as they were already subject to the rules of its predecessor.

“However, it’s important to note that even these sectors will need to adapt to the expanded scope of NIS2, which brings in new entities and introduces stricter requirements, including supply chain security measures,” he said.

In the case of DORA, Hayes said the focus of this act is on the financial sector but it will include ICT providers of all sizes.

“DORA is creating a new baseline, so raising the bar in the sector will have an impact on organisations not usually noticed at the national level,” Hayes said. “This will mean a significant change for ICT third-party providers, from AWS right down to niche operators and start-ups – with the smaller providers likely facing implementation challenges.”

How to prepare

For organisations of any size to prepare for these upcoming changes, Hayes believes collaboration is “essential” due to the current landscape of “interconnectivity and interdependencies”.

“The large organisations impacted really need to help the smaller organisations. In practical application, this is not about size, this is about criticality,” Hayes said. “Collaboration has to be among peers, but also with partners and vendors.

“Equally, resources are limited and compliance alone can be both expensive and time consuming to achieve and maintain. So, organisations must focus on what is both important to them and to the market. This can be achieved through identifying and documenting essential functions and processes.”

Hayes said businesses need to know their digital ecosystem and be able to “clearly identify people and their respective accountabilities across the organisation”.

“Reviewing the ICT risk management process within an organisation is also essential to improve threat detection capabilities, not simply limiting them to the classical cyber threat intelligence services,” he said.

This type of collaboration is important on the national scale too, according to Hayes, who believes countries like France and Germany are leading in terms of cyber resilience, while others like the Netherlands and Italy are “behind the curve”.

“From Ireland’s perspective, it is about who they can collaborate with internally and externally to accelerate progress,” Hayes said. “Collaboration is incredibly important, and each country has its own champions.

“Compared to larger EU economies, Ireland might have fewer resources dedicated to cybersecurity initiatives. This could also limit its ability to develop and enforce comprehensive regulations.”



Leigh Mc Gowran is a journalist with Silicon Republic
