Irish NCSC talks about road to NIS2 and lessons for businesses to learn.
NIS2 is about resilience and resilience is about knowing something, learning from it and doing something to improve next time.
Speaking at Irisscon in Dublin, Paul Stanley, head of engagement at Ireland’s National Cyber Security Centre (NCSC) said the concept of NIS2 came from the idea of defining essential services to determine those organisations that enable society to function, and determining those organisations that support essential services.
Regulatory Acts
Stanley detailed the various acts that led to the establishment of NIS2: the original NIS Directive of 2016, which aimed to enhance the cybersecurity of critical infrastructure; the 2019 Cyber Security Act, which established a framework for EU-wide cybersecurity certification schemes for ICT products, services and processes; the ECCC regulation; and the NIS2 directive itself.
Also due this year is the Cyber Resilience Act, which will mandate cybersecurity requirements for products with digital elements, and the Cyber Solidarity Act, which will create a European alert system for detecting and responding to threats.
Stanley said a lot of questions the NCSC receives relate to whether a business is in scope or not, and it has developed a part of its website to help businesses determine if they are affected by NIS2.
Speaking to SC UK, Stanley said the role of the Irish NCSC is to act as the National Competent Authority for government, "and some agencies that the government has," while it is delegating the National Competent Authority for the energy sector too.
"We're coordinating them, but they're going to be their own entity in themselves," he said. "So they will be doing the auditing and evaluating of the In their sector."
On other frameworks to align a business to and get certified against, Stanley said ISO27001 "is one you can pick as a standard to be measured against. If you are 90 percent of the way there, you will understand what NIS2 will require from you."
He also recommended looking at ISO27001, where there is more emphasis on understanding risks to data, and what can interrupt a business.
"One of the things we're trying to stress to organisations is you can't put your head in the sand and say, well, I didn't know that this regulation was there," he said.
Financial Penalties
“The most important part is that it is a regulation and there is a possibility of fines, and people who get fined are at the top of the organisation,” Stanley said. “Does everyone involved understand risk management, and is risk the right word?”
Stanley also said that a difference for the NCSC from NIS1 to NIS2 is that it has gone from being a point of contact for 70 Irish organisations, to around 4,000, and he said the NCSC’s goal “is to be a coordinator for National Competent Authorities, and act as a single point of contact.”
He likened its role as a regulator to being more about guidance than strict enforcement. He said: "It's hard when you're an organisation that on the one hand, we have to be friendly and be approachable and be a partner and on the other hand, we do have this tool too."
He said there is no intention for an auditor to see a business fail; auditors are looking for major non-conformities, for opportunities for improvement and for how a business can do things better, as the NCSC is going to be the single point of contact for the whole country.
Sharing Information
Stanley said one of the guidelines from the EU about NIS2 is to form groups to share information, and set up a ‘cyber core’ for different verticals to help them learn about threats relevant to them, and help with exercises to improve the maturity of systems.
He admitted there are “loads of vulnerabilities to try to mitigate” and threats come from outside the organisation, and you can train employees, conduct audits and produce evidence of that in the case of an investigation to affect the impact of a regulatory penalty.
He also said that the cyber core, which it will manage for the energy sector, will allow businesses to learn from each other about best practices and mistakes.
Written by Dan Raywood, Senior Editor, SC Media UK
Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.
Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.