Known unknowns: The lack of guidance on NIS2 in Ireland

The Network and Information Systems Directive 2 (NIS2) marks a critical point in the European Union’s cybersecurity framework. Its objective is to enhance the resilience and security of network and information systems across member states.

As Ireland’s national country code top-level domain (ccTLD Manager), we at .ie recognise the profound implications of this directive for the wider business community. It effectively marks “the end of self-regulation” for many sectors. However, the successful implementation of the law could be at risk because of the lack of comprehensive and sector-specific guidance from the Government. The state of play for NIS2’s transposition in Ireland is one of uncertainty and unanswered questions.

Understanding the NIS2 Directive

NIS2 seeks to address the evolving landscape of cybersecurity threats by expanding the scope of the original NIS Directive, enhancing security requirements, and promoting greater harmonisation across the EU.

Its objectives include improving the resilience of critical infrastructure, enhancing incident response capabilities, and fostering cooperation among EU member states. The directive extends its reach to a broad range of sectors, such as energy, transport, banking, health, and digital infrastructure.

NIS2 is an EU directive – meaning that while it was adopted in 2022 by the Council of the European Union, it has to be transposed into national law in each member state. In Ireland, this directive will be transposed through the first National Cyber Security Bill. The deadline is 17 October 2024.

Current state of guidance

The public guidance that the Government has provided on NIS2 has been broad and does not speak to any of the sector-specific requirements found in the NIS2 Directive. For example, from the domain name industry perspective, there is no public actionable guidance on how registrars and registries should verify personal data of individuals trying to register domain names (a new NIS2 requirement).

Ireland’s national competent authority for NIS2, the National Cyber Security Centre (NCSC) held its inaugural national conference in June 2024. At this conference, NCSC representatives announced that they would not proactively identify or notify entities that they are within scope of NIS2, and that it would be up to entities to self-identify as an “important” or “essential” entity through an online portal. These entities will be subject to more compliance obligations, and face hefty penalties for non-compliance.

And yet, at the time of writing, the affected sectors have not formally heard what the Government’s approach to compliance monitoring will be. There is no guidance on what templates or reporting processes entities will be subject to; whether there will be a transition period; and whether there will be supports available to implement cybersecurity risk measures.

This laissez-faire approach does not ensure that appropriate security measures will be in place and creates a risk that many essential or important entities will be unknowingly non-compliant – especially for smaller companies that do not have the resources for a compliance or legal team. The Government must make efforts to identify and notify which entities are to be listed as essential or important under the law.

Lasting uncertainty

A big source of uncertainty, and one that makes it very difficult to engage stakeholders and warn them of the upcoming regulatory obligations, is that the Bill to transpose NIS2 has been seriously delayed. The NCSC website notes that a draft of the Bill was expected to be released by end of 2023. At the time of writing, well into late-July 2024, there is still no publicly released draft of the Bill.

The absence of clear, actionable guidance and any legislative progress creates a challenging environment for businesses striving to align their cybersecurity practices with NIS2. Without concrete instructions, it is difficult for organisations to develop comprehensive compliance strategies, particularly in areas such as risk management, incident reporting, and supply chain security. This uncertainty is especially burdensome for SMEs that may lack the resources to navigate these complexities without detailed guidance.

NIS2 mandates a risk-based approach to cybersecurity, but without clear guidelines, assessing and mitigating risks becomes a formidable task. Businesses will be left to navigate this critical area without adequate support, undermining the directive’s primary goal of enhancing security across the board.

The need for detailed, actionable guidance

At .ie, we have a strong interest in ensuring the security and stability of Ireland’s internet infrastructure. Unfortunately, the Government’s guidance on NIS2 transposition remains at a high level, providing limited detail on the specific measures and protocols required for compliance.

It is imperative that the Government provides detailed, actionable and sector-specific guidance on NIS2’s requirements. This includes clarifying if the NIST Cyber Security Framework will be mandated as a Cyber Security Baseline Standard. Clarifications such as these will be an accelerant to entities’ NIS2 compliance actions. The Government should also offer support and resources targeted at SMEs, which often lack the expertise and financial resources to navigate complex regulatory requirements. Comprehensive training programmes, workshops, tailored guidance documents, and financial support can help SMEs enhance their cybersecurity capabilities. By offering clear and comprehensive guidelines, policymakers can help ensure the resilience and security of Ireland’s digital infrastructure.

W: weare.ie