Organisations have to contend with a variety of regulations covering cybersecurity. The NIS2 directive, which comes into force on October 18th, imposes a new set of cybersecurity obligations and introduces for the first time the concept of individual accountability, while the Digital Operational Resilience Act (DORA) requires financial institutions to follow rules on protection, detection, containment, recovery and repair capabilities against ICT-related incidents. These new regulations are, of course, in addition to GDPR rules on data breaches. What can organisations do to keep pace with this rising tide of regulation? We ask a range of experts.
Moira Cronin, partner, digital risk & regulation, PwC Ireland, and Neil Redmond, director of cybersecurity, NIS2 lead, PwC Ireland
Regulation tends to bring with it negative connotations as organisations deploy technology and stand up teams of people to ensure compliance. This can be costly and disruptive as businesses struggle to manage the headcount and balance the costs associated with the implementation of new regulations. It can also carry with it assumptions that it stifles innovation as resources are directed towards compliance initiatives rather than value-added activities.
While the cost of compliance is firmly on the minds of many, we are reminded that risk management is cheaper than crisis management and while there is a significant cost associated, we see the more mature organisations using regulation in a different light to bring value to the organisation rather than just being a cost.
We encourage organisations to embrace regulation not as a constraint but as an opportunity for organisations to differentiate themselves on the market, strengthening their operational resilience, identifying process improvement opportunities, enhancing strategic decision making, and driving transformation.
Vaibhav Malik, partner, cybersecurity and resilience, Deloitte
Irish organisations will require assistance in understanding the operational and business impacts of these regulations. Additionally, organisations will need guidance on implementing the necessary cybersecurity controls to adhere to the relevant regulations. It is critical for organisations to receive this advice from a reliable source in order to confidently navigate the complex regulatory landscape.
The security team will need to implement additional measures to mitigate risks, while the compliance departments will need to identify and report any unmet requirements to the security team.
The new regulations are increasingly indicating that ultimate accountability for cyber risk management rests with the board. Therefore, the board must continuously assess their effectiveness in addressing cybersecurity, both in terms of their own responsibility and their oversight of management’s activities. Future recruitment of chief information security officers (CISOs) as board directors may increase due to the growing significance of cybersecurity knowledge on boards.
Deirdre Ardagh, data protection officer and senior regulatory counsel, Three Ireland
NIS2 elevates the importance of cybersecurity to a board-level issue as it introduces individual accountability, meaning that senior management could be held personally responsible for cybersecurity failures. As such, organisations have an onus to ensure their senior management are adequately trained as well as appraised of all relevant risks.
Meeting these new regulatory requirements is necessitating substantial investments in technology, personnel and training. Smaller organisations, in particular, may struggle with the financial and human resource demands of implementing and maintaining compliance measures.
Leveraging external expertise, hiring specialised staff, investing in advanced cybersecurity technologies, and conducting ongoing training are all options to review where necessary.
Continuous monitoring and regular reporting to regulatory bodies demand a high level of diligence and can be administratively burdensome. Although compliance with an expanding array of regulations poses challenges, these rules are vital for maintaining robust security postures and ensuring overall operational resilience. Organisations need to view these regulations not as burdensome constraints but as frameworks that help safeguard their interests and those of their customers and other stakeholders.
Anthony Walsh, country director, Cato Networks
New regulations mandate businesses to strengthen cybersecurity measures, report incidents within 24 hours, and extend compliance across more sectors. Failure to adhere can lead to substantial fines and legal repercussions, underscoring the need for robust collaboration with national authorities and stakeholders. Keeping pace with regulations demands not just resources, but resilience.
The complexity of compliance, the evolving threat landscape, and the technical challenges of integration require continuous investment and adaptation. In a world where data is vast and threats are ever-changing, staying ahead is not just about meeting requirements – it’s about maintaining a proactive and dynamic approach to security.
Organisations can take several steps to keep pace with the rising tide of regulations, such as adopting a unified security approach by implementing a comprehensive cybersecurity framework that addresses multiple regulatory requirements simultaneously. Continuous monitoring and real-time threat detection are also essential, and organisations must utilise advanced monitoring tools to ensure continuous compliance and real-time threat detection.
David McNamara, founder of CommSec Cyber Security and vice-chairman of the business growth committee for Cyber Ireland
Staying on top of these new regulations will not be easy. The biggest challenge will be for smaller companies with limited IT resources. They are really struggling to cover all bases without any gaps. For larger organisations, shifting mindset will be the biggest challenge. It is not just an IT problem any more.
We are talking about a major shift here – responsibility for cybersecurity is moving from the IT department straight into the boardroom. It is a whole new ball game. While the new regulations may seem burdensome, they are crucial in today’s rapidly evolving threat landscape.
The new rules coming into effect in 2024 and 2025, particularly for critical sectors like national security and finance (DORA), are essential.
These will bring more than 4,000 entities into scope, significantly improving Ireland Inc’s security posture. The SME sector lacks specific regulations or standards, which is a concern. There is a serious need for a standard that SMEs can adhere to and afford that will be recognised in Ireland.
Puneet Kukreja, head of cyber, EY Ireland
The regulatory environment, while challenging, is an essential aspect of contemporary business practice. Cybersecurity regulations drive organisations to implement crucial safeguards, foster accountability and maintain robustness in the face of constantly changing threats. By perceiving these regulations as a strategic priority rather than an obstacle, organisations can not only comply but also bolster their security stance and secure a competitive advantage.
By adhering to regulatory standards and implementing robust cybersecurity practices, organisations protect sensitive data, maintain customer trust and enhance their security. Simultaneously, effective risk management ensures resilience against evolving threats and regulatory landscapes, while strong cyber defence acts as a barrier against malicious elements, safeguarding organisations, infrastructure, and people from financial and personal harm.
There will be a lot of challenges ahead, but there is also a lot of help and goodwill out there in the broader community. It can seem like a slow and thankless process but building on these core cyber foundations will allow an organisation to create a resilient digital landscape, crucial for today’s interconnected world.
Áine Clarke, Ibec digital & AI affairs executive
Obligated businesses will need to be more structured and deliberate in how their cybersecurity is organised. Many businesses will already have most of the policies and processes required by DORA or NIS2 in place, but it is a matter of organising them in ways that meet the new requirements, identifying gaps, and setting out compliance plans to show regulators that you are taking the necessary steps to comply.
Experience with GDPR will prove useful, particularly when looking at requirements to report significant cyber incidents, as GDPR set a precedent for handling data breaches and establishing processes for internal and external reporting.
Cybersecurity must be seen as both an economic imperative and opportunity. Ireland plays an important role internationally as a regulatory hub, as lead regulator on behalf of all EU citizens in the data protection, cybersecurity and online content space. Ireland will have an equally big role to play under NIS2, as supervisor to digital infrastructure and digital providers on a pan-European basis. In advance of Budget 2025, Ibec is emphasising the importance of further investment in national cybersecurity capacities; ensuring regulators are adequately resourced; and developing our cybersecurity industry.
Jackie Hennessy, partner, risk consulting, KPMG in Ireland
Over the past year, organisations have been navigating DORA, deciphering its implications, and should be well advanced in their preparations by now. Most organisations are now moving from preparation to implementation, but of course, there will be some who have fallen behind on their compliance journey through lack of in-house resources with capacity and the right expertise and skill set. It is imperative that firms act now to assess how DORA would apply to their business, what organisational and technical changes would be required as a result, and the level of investment needed to ensure compliance.
Regulations like DORA are simply essential for ensuring the security and resilience of critical ICT systems in financial entities. While they can sometimes be burdensome, they help mitigate risks and protect the broader financial system from potential disruptions. Ultimately, these regulations aim to create a more stable and secure environment for all stakeholders.
Baolin Liang, public relations manager, Huawei Ireland
For many SMEs, becoming compliant with the requirements of impending cybersecurity regulations may seem a major challenge, and indeed understanding whether your business is in scope or out of scope is a task in and of itself. One way to demonstrate to a regulator that the SME organisation is taking appropriate steps to comply with NIS2 is to use existing cybersecurity risk-based frameworks and standards. For Irish SMEs, the most common standard to consider would be the ISO 27001:2022 Information Security Standard. One of the main challenges for small businesses is to implement effective and affordable security measures that can protect their systems and data from cyberattacks.
A main part of this challenge is that many SME owners and management may not have a thorough understanding of what needs to be done to improve the cybersecurity posture of their organisation. Huawei worked with BH Consulting to produce Navigating NIS2: the Guide for Irish SMEs. This guide is designed to empower Irish SMEs with essential knowledge to become NIS2 compliant in an increasingly complex cybersecurity landscape.