The next 12 months are shaping up to be a pivotal year for cybersecurity and how companies manage threats and risks to their business. Two substantial pieces of EU legislation are coming down the tracks.

The two pieces of legislation, the Network and Information Security Directive (NIS2) and the Digital Operational Resilience Act (DORA), take effect in October 2024 and January 2025 respectively, giving businesses just months to make their final preparations for compliance.

Moira Cronin, partner at PwC Risk and Regulation, said that the new rules cover a much larger remit than IT alone and have implications for other areas of the business.

PwC’s latest risk survey gives a detailed view of how Irish executives and boards feel about cybersecurity.

The global survey gauges how organisations across industries rate their exposure to cyber-attacks and their appetite for risk. Other countries and regions differ in their approach, while Irish respondents (60 took part) show an awareness of the risks at hand but a slowness to act on them.

Acute awareness, varying degrees of preparedness

According to the survey, 33 per cent of Irish respondents said that they are “extremely or highly exposed” to cyber risks – compared to 37 per cent globally.

However, just 25 per cent of respondents said that they plan to invest in upgrading critical systems this coming year to be more resilient against cyber-attacks.

“What the survey does show is that there’s a lag in Ireland compared to elsewhere in how people react to cybersecurity and how they plan for cybersecurity,” Neil Redmond, director at PwC Risk and Regulation, Cybersecurity & Privacy, said.

While organisations attempt to navigate the current state of play with cyber risks, they need to be mindful of a quickly changing regulatory environment that will introduce new rules.

It is amid this backdrop that companies need to pay attention to their obligations.

NIS2 fills the gaps

The Network and Information Security Directive (NIS2) is a heavily updated version of the original NIS directive, adopted in 2016 and transposed into national law in 2018, which introduced higher cybersecurity standards for operators of critical services and infrastructure. NIS2 brings more of these types of services, such as transportation, water services and health services, into scope.

The “essential entities” covered by NIS2 are those in sectors like energy, transport, health, banking and public administration while “important entities” cover waste management and postal services among others.

“An essential entity is something that the country as a whole requires to be effective 24/7,” Redmond explained.

Companies under the remit of NIS2 must carry out regular testing of their cybersecurity controls and demonstrate robust incident response, incident reporting and crisis management processes.

“The board needs to be aware and approve the adequacy of cybersecurity risk management measures in an organisation. They can’t just accept what they’re told, they have to challenge and understand why they’re taking an act,” Redmond said.

Neil Redmond: “The National Cyber Security Centre (NCSC) will be carrying out audits and inspections on a more regular basis.” Photo: Bryan Meade

Failure to meet these standards can result in hefty fines, with essential entities facing sanctions of up to €10 million or two per cent of global annual turnover, whichever is higher. Important entities can be fined up to €7 million or 1.4 per cent of global annual turnover, again whichever is higher.

This is all with a view to protecting nations’ critical services from cyber-attacks and preparing them for threats like ransomware.

One does not need to look too far back in history to find an example of ransomware upending critical services in Ireland, namely the 2021 cyber-attack on the HSE.

National authorities will have more power in their oversight of NIS2 to ensure compliance. In the case of Ireland, that is the National Cyber Security Centre (NCSC).

“It can ask you for information on a regular basis or an ad hoc basis, which is also new,” Redmond said.

Once the October deadline passes, the NCSC will greatly ramp up its enforcement of NIS2 compliance.

“At that point in time, the NCSC will be carrying out audits and inspections on a more regular basis than it has previously.”

DORA tightens focus on financial services

The Digital Operational Resilience Act (DORA) is the other piece of legislation that is fast approaching.

DORA comes into full effect in January 2025, again leaving companies with less than a year to reach compliance.

Unlike NIS2, DORA has a much tighter focus: it covers only the financial services sector and is designed to ensure that financial services organisations can withstand, respond to and recover from all types of ICT and cyber threats. Crucially, the regulation also governs the way regulated financial services firms deal with third-party ICT providers and outsourcing arrangements.

This is all aimed at tightening up the supply chain around financial services. While, for example, a bank may be well fortified against cyber threats, a third party providing services like cloud computing and data analytics to that bank may not be as secure. The whole system is only as strong as its weakest link.

“For the first time ever, it incorporates third parties. You have financial services organisations that outsource quite a number of [functions],” Cronin said. 

“Outsourcing has been huge in the last number of years. The scope of DORA is around your critical and important functions and that’s a very important definition and each organisation must define what those functions actually are.”

Companies that are trying to assess their DORA posture should start from the top and follow the chain to pinpoint every applicable ICT third-party provider.

“If you think about it from a claims processing perspective with an insurance company, they might outsource claims processing to company A and company A might outsource its IT system and that IT system might sit in a cloud,” she said.

“It’s up to organisations to get a very broad view of where their data is sitting, where their risks essentially are.”

Compliance with these rules will introduce a great deal more complexity and costs for financial services firms operating in Europe. Furthermore, the change in the state of play could force many companies to renegotiate contracts with third parties, another costly endeavour.

However, according to Cronin, it is unlikely that banks and other firms will completely cut off their outsourcing practices and move more functions in-house. There will always be some sort of outsourcing.

“I think in a lot of boardrooms and for clients that we spoke to, the thoughts of reversing what they’ve done from an outsourcing perspective is almost unimaginable but it’s definitely been mentioned as something that organisations are taking into account,” she said.

There’s broad awareness among the larger companies about DORA, she added, but there may still be blind spots among smaller and mid-size service providers that have yet to grasp the obligations ahead of them.

Moira Cronin: “It’s very important that you get ahead of this and you start preparing your organisation for it.” Photo: Bryan Meade

Beyond identifying the chain, and much like NIS2, DORA requires companies to put strong cybersecurity testing and incident reporting processes in place.

Chief among these requirements is digital operational resilience testing, in which firms test their ICT systems for flaws and vulnerabilities. Under DORA, systems and applications that support critical or important functions must be tested at least once a year.

Furthermore, a process called threat-led penetration testing, or TLPT, must be carried out at least every three years. It is far more advanced than routine testing: an intelligence-led red-team exercise that mimics the tactics of real attackers against live production systems supporting the firm’s critical or important functions. It must be performed by suitably qualified and certified testers, and the competent authority attests that the test has been completed.

“That’s one of the areas that we focus in on with clients because we know it’s new to them and it’s probably something that they haven’t done before,” Cronin said.

“It’s very important that you get ahead of this and you start preparing your organisation for it.”

Cronin said PwC is working with clients on preparing for DORA, running workshops on the different provisions of the legislation and compiling gap analyses that set out what each company needs to fix ahead of January 2025.

Even if a company thinks that they are ahead of the game on DORA, they may need to think twice.

“If you are an organisation that has complied with all of the cross-industry guidance and everything that has come out of the European supervisory authorities and the Central Bank of Ireland (CBI) in the last number of years, you still will not be compliant with DORA,” she said. 

“It is a whole new bar and I think a lot of organisations struggle with that at the very start. They’ve invested so much in the last 10 years in cybersecurity and now all of a sudden, there’s a new bar to reach.”

No room for complacency

Cybersecurity has been a buzzword over the last decade, Redmond explained, with more attention and regulation than ever before.

“It’s been 10 years of cybersecurity as a buzzword,” he said. “I think what the European Union, the Irish government and the CBI see is that companies may not necessarily appreciate how cybersecurity supports the economy or supports their businesses. So trying to encourage companies to be compliant with the likes of NIS2 and DORA gives an impetus to go back to their own boards and stakeholders and explain [its importance].”

Redmond recently spent 12 months working with a client to help them be prepared for NIS2.

“In our experience some companies don’t have the level of maturity that would be required to meet the obligations under the new legislation. We work with these companies to develop a whole programme to enable them to sustain an audit, show all the documentation to NCSC and to the regulatory authorities,” said Redmond. “This helps them understand how a threat can impact them, how to respond to a threat and how it can harm their business.”


Companies can’t rest on their laurels as the very nature of cybersecurity means that threats are ever-evolving. Once a company has settled into complying with NIS2 and DORA, they must stay alert and proactive regarding new threats that could enter the fray.

Nowhere is this more relevant than in the field of artificial intelligence. While the hype around AI has ballooned over the last year, and companies have raced to explore ways of exploiting the technology to improve their bottom lines, it brings with it a new generation of risk.

PwC’s Risk survey reveals that just 28 per cent of Irish respondents see Generative AI as an opportunity, compared to 60 per cent globally.

The new EU AI Act, due for final publication later this month, not only covers Generative AI but also the broader elements of AI.

“A lot of organisations are using AI and they don’t actually know that it is in fact AI so there is a body of work required to ensure those elements are governed and controlled appropriately, even in advance of investing further in Generative AI,” Cronin added. “This is all back to understanding your end-to-end processes, where your data is sitting and what risks you are exposed to.”

The arrival of regulations, whether it’s NIS2 and DORA or the EU’s AI Act, creates greater responsibilities for boards to fully understand how their data is being processed and technology is being used at their companies. Gone are the days when a board could plead ignorance about what management teams or the IT department are doing.

“I think transparency is key and knowledge is power. You have to really understand what’s going on in your organisation,” Cronin said.

This article is partner content and has been produced in association with PwC.