EU Cyber Regulations may overwhelm Ireland’s regulators and service providers
Ireland’s digital services companies are at risk of being ill-prepared for the approaching tsunami of EU regulations.
These regulations include the Digital Services Act (DSA) and the Digital Services Markets (DSM), which apply to platforms and search engines (initially those with more than 45 million customers each); the Digital Operations Resilience Act for the fintech sector; eIDAS, which is relevant for e-certificate providers; and NIS2 and the Critical Entities Directive (CER), which apply largely to critical infrastructure providers of the essential services that citizens rely on.
It has been estimated that the scope of NIS2 could encompass between 2,500 and 3,000 entities in Ireland. This scale has the potential to overwhelm regulators in Ireland, and the companies in the sectors soon to be regulated for the first time. With less than five months until the mandatory implementation date of October 2024, preparations for NIS2 will be intensive, expensive and resource heavy.
The cybersecurity measures included in the Directive are designed to help organisations to protect their data, systems and processes. Compliance will not merely prevent sanctions, but also guide organisations towards achieving a cybersecurity maturity that will shield them from cyberattacks, which could have devastating effects on the company and on its customers. The objectives are laudable and essential, given the scale and impact of cyberattacks, especially ransomware.
Among the main provisions of NIS2 are cybersecurity risk management measures, required of essential and important entities to prevent or minimise the impact of cyber incidents. There will also be increased corporate responsibilities for top management in relation to cybersecurity, as well as a harsher penalty regime. Furthermore, stringent reporting requirements will be imposed for the notification of incidents.
Practical steps to strengthen your cybersecurity position
Organisations should begin by performing an inventory or audit of their entire architecture and systems landscape, to establish a foundation for their risk management processes. This includes implementing a risk management framework that ensures continuous assessment, evaluation and treatment of threats against their data. Additionally, crisis management planning should be initiated to limit the impact and duration of any crisis that may arise.
To further enhance resilience, it is crucial to establish business continuity and disaster recovery procedures, ensuring critical processes can continue operating at an acceptable level during disruptions. Top management must be actively engaged in the cybersecurity strategy of the organisation to prioritise security initiatives. Supply chain risks should be addressed by involving suppliers and service providers in risk assessments.
Finally, a structured incident management process should be defined to document and classify cybersecurity incidents, ensuring a swift response. These integrated measures collectively strengthen the organisation’s cybersecurity readiness to address emerging threats and challenges.
.ie and NIS2
As the trusted national domain registry for over 330,000 domain names, .ie is already designated by the Government as an operator of essential services (OES) under NIS1, the predecessor directive to the imminent NIS2. Its ISO certification ensures that .ie is already compliant with the cybersecurity requirements of the new Directive. In addition, the company has long-established DNS abuse protocols with many national regulators to assist them in tackling issues with .ie domains that are alleged to engage in technical abuse or criminal activity.
The scope of NIS2 will apply to all top-level domains for the first time, including .com, .net and .org, and to all of the country code top-level domains (ccTLDs) across Europe. Accordingly, Ireland’s registrars and resellers that operate cross-border will need to comply with the NIS2 legislation applicable in all of those countries. For example, they will need to have a dedicated database of complete and accurate information on any registrant who signs up for a domain name. This also means that registries and registrars will need to have verification processes.
To date, there has been speculation that the National Cyber Security Centre will delegate regulatory authority to regulators in situ, essentially a “federated approach” to regulation, thereby placing much of the regulatory burden on existing regulators, such as ComReg. However, this has not been confirmed by the Government, and it is important and urgent that the intended regulator is identified and commences its work without undue delay.
Conclusion
At .ie we are committed to demonstrating leadership for our sector and providing good governance. This includes meeting all regulatory requirements, including NIS2. It is not an easy task for the channel, but .ie has a multi-stakeholder Policy Advisory Committee that ensures its technical and registration policies and procedures are consensus-driven and will help .ie navigate rough regulatory waters ahead.
On this matter, .ie will leverage its established relationships with government departments to advocate for its stakeholders with national policymakers. Through its international partnerships, the company will continue to liaise and coordinate with cross-border partners and Council for European National Top Level Domain Registries (CENTR) officials to advocate that the concerns of registrars, resellers and internet users are reflected in Europe’s implementing acts and in the national legislation.
W: weare.ie