EU regulations are bringing significant challenges for many Irish businesses
Pro
John Rustage, e92plus
In association with e92plus
Despite the NIS2 directive entering force in January 2023, many organisations across the EU – and Ireland in particular – are still failing to meet its requirements. A recent ENISA‑based report highlights key national infrastructure sectors (including public bodies and healthcare) lagging behind. NIS2 will be introduced to Irish law soon, and the consequences of non-compliance are significant – not just fines of up to €10 million or 2% of turnover, but also personal liability for boards and senior management.
Plus, while it’s important to remember in the drive to meet compliance standards that the complexities of enforcing a robust cybersecurity posture has increased, reports estimate that around 4,000-6,000 entities in sectors now newly in scope haven’t yet closed fundamental security gaps like MFA, incident handling or supply chain risk registers – the essentials are still often not in place.
Compliance matters, and so do MSPs
Managed service providers (MSPs) and managed security service providers (MSSPs) are also themselves in scope under NIS2: by providing IT services or digital infrastructure support, they become “essential or important entities”. They are an essential part of the supply chain of their customers (and supply chain risk management is now a critical standard), plus are increasingly targets for the cyber criminals as well.
How VARs and MSPs can help customers comply
- Gap assessments grounded in simple frameworks: use lightweight frameworks – such as the CyFun (Cyber Fundamentals) framework from the National Cyber Security Centre – to map controls the NIS2 articles such as incident handling, asset and access controls, supply‑chain security, training, MFA, etc.. For small businesses, frameworks provide a great starting point, and partners can provide a valuable service to ensure their customers focus on what’s important.
- Supply chain mapping: working with customers to understand their exposure through third parties and suppliers in their digital and physical supply chain, which can achieve compliance but also help those organisations help improve their own security.
- Incident response and awareness training: still a hugely under-estimated part of ensuring good security posture, staff training (from phishing simulations to in-person workshops to tools for reporting suspicious emails or activity) can complement incident response plans, where in the event of an attack or breach, the whole organisation needs to be ready and prepared. This doesn’t just include business continuity and restoration of services from IT, but obligations to notify authorities or communication to customers and suppliers.
- Ongoing monitoring and continuous improvement: compliance isn’t a one off. Continual monitoring of apps, networks and devices for vulnerabilities, patching needs and asset tracking can help ensure organisations are compliant. For partners, it’s an opportunity to building strong relationships and closer engagement, and a more proactive approach can reduce response times and the chance of missing potential issues.
- Board‑level accountability support: cyber security is still often misunderstood or under estimated at board level, from budget allocation to prioritisation, so VARs and MSPs can help translate compliance or technical requirements to simple business language, and provide guidance on how to stay compliant, giving examples and case studies from across their other customers.
NIS2 brings significant challenges for many Irish businesses, with more in scope and more demanding requirements. It also, however, represents a significant opportunity for VARs and MSPs to provide more services, expand their portfolio and become even more important partners for their customers.