Network and Information Security Directive

26 May, 2022

Cyberattacks are increasing in number and scale, with some predictions suggesting that companies will suffer a ransomware attack every 11 seconds in 2022; up from every 40 seconds in 2016. As a result, businesses must invest more in cybersecurity, both for themselves and their customers.

In light of this heightened risk level, a new EU cybersecurity strategy has been adopted for 2020–2025. Among other things, it proposes a review of the existing Network and Information Security (NIS) Directive with a view to making Europe fit for the digital age and building a future-ready economy that works for the people.

So, what is the NIS2 Directive?

A close-up photo of the EU flag flying against a bright blue sky.

The objective of the revised NIS2 Directive is to achieve a high level of network and information system security within the EU through the following means:

1. Improved cybersecurity capabilities at national level

What will member states do to increase their national cybersecurity capabilities? Each member state will adopt a national strategy for the security of network and information systems, which will define the strategic objectives and appropriate policy and regulatory measures.

2. Increased EU-level cooperation

How will member states cooperate? The NIS2 Directive will establish a 'cooperation group' to support and facilitate strategic cooperation and the exchange of information among member states, and to develop trust and confidence. It will also establish a network of national cybersecurity incident response teams (CSIRTs) to promote swift and effective operational cooperation between member states.

3. Risk management and incident reporting obligations for operators of essential services and digital service providers

What are "operators of essential services" and what will they be required to do? Operators of essential services are private businesses or public entities with an important role for society and the economy. Under the NIS2 Directive, identified operators of essential services will have to take appropriate security measures and notify the relevant national authority of all serious incidents. Security measures include:

  • Preventing risks: technical and organisational measures that are appropriate and proportionate to the risk.
  • Ensuring the security of network and information systems: the measures should ensure a level of network and information system security appropriate to the risks.
  • Handling incidents: the measures should prevent and minimise the impact of incidents on the IT systems used to provide the services.

The five key actions to take now

1. Centralise cybersecurity governance

To prepare for the NIS2 Directive, a singular, centralised governance structure should be established for your firm's security. This will enable quick responses to compliance requests. Defined ownership of security controls is also important in understanding governance.

2. Perform awareness training

Although not yet published, the NIS2 Directive will likely remain largely unchanged from its predecessor. Providing awareness training to security staff will ease the transition when the Directive is eventually published.

3. Perform a security health check

A cybersecurity health check will provide an up-to-date picture of where your organisation stands. An audit can be the first step on the road to compliance, highlighting potential gaps and creating plans to remediate them.

4. Identify partners and suppliers who will be affected

Not everyone will be affected by the NIS2 Directive. Identifying which partners, clients and suppliers will fall under the remit of the Directive is a useful exercise. Doing so will give you an opportunity to prepare in the event that a change of approach is needed with certain stakeholders.

5. Contact your security partners

Contact your trusted cybersecurity advisers for the most up-to-date advice and guidance. Also, leverage what you already have by integrating the NIS2 Directive with existing compliance efforts or initiatives. And finally, build IT and cybersecurity international standards and frameworks into your regulatory compliance framework for easy implementation, testing and monitoring, and to ensure that maximum benefit is derived from existing IT and cybersecurity control programmes.

We are here to help you

The NIS2 Directive will affect organisations designated as operators of essential services and digital service providers within the European Union. As a result, it will directly impact the cybersecurity space in Ireland. PwC can help you understand the requirements that affect your organisation, and help you prepare for the future. Contact us today.

Contact us

Pat Moran

Partner, PwC Ireland (Republic of)

Tel: +353 86 380 3738

Leonard McAuliffe

Partner, PwC Ireland (Republic of)

Tel: +353 87 960 3463

Neil Redmond

Director, PwC Ireland (Republic of)

Tel: +353 87 970 7107

Follow PwC Ireland