NIS2 for Irish SMEs: Understanding Your New Cybersecurity Obligations
The world of cybersecurity is full of acronyms and jargon, and the latest one you might be hearing about is NIS2. This isn't just another piece of technical alphabet soup; it's a significant new European directive that will have a real-world impact on many Irish businesses, including Small and Medium-sized Enterprises (SMEs). If you're a business owner, it's crucial to understand what NIS2 is, whether it applies to you, and what you need to do to comply.
This article breaks down the NIS2 Directive in plain English, so you can understand your new obligations and take practical steps to protect your business.
The Problem: A Rising Tide of Cyber Threats
Cyberattacks are no longer a distant threat reserved for large corporations. Every business, regardless of size, is a potential target. From ransomware attacks that can grind your operations to a halt to data breaches that can destroy customer trust, the consequences of a cyber incident can be devastating. The EU has recognised this growing threat and has introduced the NIS2 Directive to bolster the cybersecurity resilience of essential services across the member states, including Ireland.
The Consequence: New Rules and Stricter Penalties
NIS2 expands the scope of the original NIS Directive, bringing many more businesses under its remit. The directive categorises businesses into two groups: 'Essential' and 'Important' entities. While large organisations in critical sectors like energy, transport, and healthcare are considered 'Essential', many other businesses, including a significant number of Irish SMEs, will be classified as 'Important'.
If your business is in scope, you will be legally required to implement a set of minimum cybersecurity measures and report significant incidents to the authorities.
Who is in Scope?
Determining whether your business falls under NIS2 can be complex, but the key factors are your size and your sector. Generally, if you are a medium-sized enterprise (fewer than 250 employees and a turnover of less than €50 million) operating in a critical sector, you are likely to be in scope. However, even smaller businesses can be included if they are considered to have a significant impact on the economy or society.
The 10 Minimum Cybersecurity Measures
NIS2 mandates that all in-scope businesses implement a baseline of cybersecurity measures. These are not just suggestions; they are legal requirements. The 10 minimum measures are:
- Risk assessments and security policies for information systems.
- Policies and procedures for evaluating the effectiveness of security measures.
- Policies and procedures for the use of cryptography and, when relevant, encryption.
- A plan for handling security incidents.
- Security in the procurement, development and operation of systems.
- Cybersecurity training and basic cyber hygiene practices.
- Security procedures for employees with access to sensitive or important data.
- A plan for managing business operations during and after a security incident.
- The use of multi-factor authentication.
- Supply-chain security, including the relationship between the company and its direct suppliers.
Reporting Obligations
One of the most significant changes introduced by NIS2 is the strict incident reporting timeline. If your business suffers a significant cyber incident, you must:
- Submit an initial notification to the National Cyber Security Centre (NCSC) within 24 hours of becoming aware of the incident.
- Provide a detailed report to the NCSC within 72 hours.
Penalties for Non-Compliance
The penalties for failing to comply with NIS2 are substantial. For 'Important' entities, fines can be up to €7 million or 1.4% of global turnover, whichever is higher. For 'Essential' entities, this rises to €10 million or 2% of global turnover.
The Solution: Proactive Cybersecurity and Expert Guidance
Navigating the complexities of NIS2 can be daunting, especially for SMEs with limited resources. This is where a virtual Chief Information Security Officer (vCISO) can be invaluable. A vCISO can provide the expert guidance and support you need to understand your obligations, implement the necessary security measures, and develop a robust cybersecurity strategy.
A vCISO can help you to:
- Determine if your business is in scope of NIS2.
- Conduct a thorough risk assessment to identify your vulnerabilities.
- Develop and implement the 10 minimum cybersecurity measures.
- Create an incident response plan to ensure you can meet the reporting deadlines.
- Provide ongoing support and guidance to help you maintain compliance.
What to do now: Your NIS2 Action Checklist
- Determine if you are in scope: Review the criteria for 'Essential' and 'Important' entities and assess whether your business is likely to be included.
- Conduct a gap analysis: Compare your current cybersecurity measures against the 10 minimum requirements of NIS2.
- Develop a roadmap to compliance: Create a plan to address any gaps you have identified.
- Seek expert advice: Consider engaging a vCISO to guide you through the process.