Strengthening Cybersecurity Across the EU

In today’s interconnected world, cyber threats are becoming increasingly sophisticated and pervasive. The European Union has recognised the urgent need for robust cybersecurity measures, resulting in the creation of the NIS2 Directive. This landmark legislation is designed to strengthen the digital infrastructure of member states, ensuring resilience against cyberattacks and promoting consistent standards across the EU. With its far-reaching impact, the NIS2 Directive represents a crucial step towards a secure and sustainable digital future.


What is the NIS2 Directive?

The NIS2 Directive, or Network and Information Systems Directive, builds on its predecessor, NIS1. It addresses gaps in Europe’s cybersecurity framework by focusing on improving the security of critical entities and their digital networks. Unlike NIS1, which mainly targeted essential service providers such as those in the energy and transport sectors, NIS2 expands its scope to cover industries like healthcare, banking, and digital infrastructure. Its key objectives include enhancing cyber resilience, standardising incident reporting, and fostering a coordinated EU-wide response to cyber threats.


Who Does the NIS2 Directive Apply To?

A major change under NIS2 is its broader applicability. The directive now includes medium and large enterprises operating in critical or significant sectors. This encompasses industries such as cloud computing, data centres, public administration, and waste management. Organisations are assessed based on their size, role, and the potential economic or societal impact of disruptions. Smaller organisations with high-risk profiles may also fall under its remit, reflecting the directive’s comprehensive approach to bolstering cybersecurity.

Key Requirements Under NIS2

Organisations subject to the NIS2 Directive must comply with stringent requirements, including:

  • Risk Management and Security Measures: Entities must implement robust protections tailored to their operations, including securing networks, supply chains, and sensitive data.
  • Incident Reporting: Significant cyber incidents must be reported to authorities within 24 to 72 hours.
  • Leadership Accountability: Senior management faces increased responsibilities, with potential liabilities for governance failures that result in breaches.

Implications for Organisations

Non-compliance with the NIS2 Directive can lead to severe penalties, including substantial fines and reputational harm. Organisations must take a proactive approach by aligning their practices with the directive’s mandates. This may involve overhauling outdated systems, improving monitoring capabilities, and fostering cross-departmental collaboration. The directive also emphasises the need for cybersecurity awareness at all levels, favouring proactive over reactive strategies.


Steps to Prepare for NIS2 Compliance

A structured approach is essential for preparing for NIS2 compliance. Key steps include:

1. Conduct a Risk Assessment: Identify vulnerabilities and gaps in your current cybersecurity framework.
2. Implement Technical and Organisational Measures: Secure networks with firewalls, encryption, and incident response plans. Regular audits are essential.
3. Train Employees: Promote a culture of cybersecurity awareness through regular training.
4. Seek Expert Guidance: Consulting with cybersecurity specialists can help address complex compliance requirements.

Key Measures Companies Must Implement

To meet the directive’s requirements, organisations should focus on the following:

  • Risk Management Frameworks:
    • Conduct comprehensive risk assessments to identify and mitigate vulnerabilities.
    • Regularly update cybersecurity strategies to address evolving threats.
  • Incident Detection and Response:
    • Use advanced threat detection tools like intrusion detection systems and SIEM platforms.
    • Develop and maintain an incident response plan with clear protocols.
  • Secure Supply Chain Practices:
    • Evaluate third-party vendors’ cybersecurity measures.
    • Include NIS2-aligned security standards in supplier contracts.
  • Data Protection and Encryption:
    • Use encryption for sensitive data at rest and in transit.
    • Implement strong access controls and multi-factor authentication.
  • Cybersecurity Training:
    • Train employees regularly to recognise threats such as phishing.
    • Foster organisation-wide awareness of cybersecurity best practices.
  • Governance and Accountability:
    • Assign specific cybersecurity responsibilities within the organisation.
    • Make cybersecurity a regular agenda item in leadership discussions.
  • Incident Reporting Mechanisms:
    • Establish efficient reporting channels for notifying authorities.
    • Test mechanisms with simulated breach exercises.
  • Ongoing Monitoring and Auditing:
    • Invest in tools to monitor network activity and detect anomalies.
    • Conduct periodic audits to ensure compliance and identify improvements.

Building a Resilient Digital Europe

The NIS2 Directive is a significant milestone in harmonising cybersecurity standards across the EU. By fostering collaboration, enhancing resilience, and holding organisations accountable, it seeks to create a more secure digital environment for all member states. Organisations that embrace its principles will not only achieve compliance but also strengthen their operational resilience against emerging cyber threats. Now is the time to act: engaging with the NIS2 requirements will help ensure your organisation is prepared for the future and contributes to a safer, more resilient digital Europe.


Contact us today to learn how we can assist you in achieving NIS2 compliance.



The General Data Protection Regulation enacted by the European Union is scheduled to go into effect on May 25. The effect of this regulatory framework will differ across European jurisdictions; in the United Kingdom, for example, companies will only have to follow GDPR guidelines until Brexit is formalised. As for Ireland and other EU member states, the GDPR leaves a degree of flexibility in how it is applied.
The Seanad opted to adopt some of the flexibility offered by the GDPR when it passed the Irish Data Protection Bill earlier this year. This new law is filled with complexities for government and public entities, but the situation is not as strict for private companies.
Article 37 of the new law directs certain companies to appoint a data protection officer; specifically, business enterprises that collect, store and process large amounts of sensitive data will be expected to appoint a DPO. Examples of sensitive digital information include health records and data that can reveal the political or religious inclinations of Irish or European citizens. With this in mind, it is safe to assume that certain barristers’ and solicitors’ offices will have to abide by this article; moreover, private hospitals, insurance offices, and psychologists may have to do so as well. Banks and private funds can also expect to be subject to GDPR compliance.
Larger business enterprises in Ireland have more at stake under the new laws, but small companies should not believe that they will be impervious to the expensive penalties that can be imposed under GDPR. The reality of personal information stored in digital records these days is that it must be protected, and not just because of GDPR. If anything, the enactment of the Irish Data Protection Bill should prompt company owners to look at how their office network is protected.
Any company that has been managing its own server on premises should strongly consider migrating its data infrastructure to the cloud. The security advantage in this regard is that cloud technology has become very competitive, which means that providers are mindful about offering secure and GDPR-compliant options. There is more than compliance to consider when choosing cloud solutions; the ability to automate the data backup process and the ease of recovery should also be factored in.
In the end, GDPR may become a wake-up call for Irish companies that have neglected the overall security of their office networks and the integrity of their data.



The 2018 update of the Oxford English Dictionary will include ransomware as a new entry, and this announcement just happens to coincide with a new zero-day exploit that bypasses security measures of popular cloud computing services such as Office 365 and Google Drive.
“Shurl0ckr” is the name of the new ransomware strain detected on February 7 by the Bitglass Threat Research Team. Out of 67 antivirus software suites, only five identified Shurl0ckr as a threat.
Ransomware attacks are very much on the minds of Irish information security specialists. In May 2017, IT administrators at the Health Service Executive moved quickly to protect its vast network from the WannaCry ransomware attack that greatly impacted the operations of the NHS in the United Kingdom. At the time, the HSE operated 2,350 servers and more than 25,000 clients, many of them running Windows XP. Technicians rushed to install emergency patches and update antivirus software on all machines; three instances of WannaCry were initially detected but later dismissed when found to be vestiges of a previous infection by different malware.
In the end, the HSE was not targeted by the hackers behind the WannaCry ransomware; however, an internal assessment published in January 2018 indicated that the Executive lacks a defined strategy for business continuity in case of future attacks. The HSE is certainly not alone in this predicament; in June 2017, Irish broadcasting giant Kantar Media was dealt an embarrassing blow as its servers came under a ransomware attack at a time when the company was negotiating an important merger.
Ransomware attacks are particularly devastating because of how they work: once a system is infected, malicious code proceeds to encrypt all data it can find, with the exception of the system files it needs to display a ransom demand. The demand typically directs victims to transfer cryptocurrency or enter a bank card number in exchange for a key that removes the encryption and restores access to the files. The Garda Cyber Crime Bureau tells business owners not to pay these ransom demands; however, paying is often the only way to recover sensitive data that has no other copy. In America, more than $206 million in ransomware payments were made in the first quarter of 2016 alone; in the most critical cases, business owners have had to bite the bullet and reformat their hard drives or reset their servers and start over, thereby losing crucial company information.
While keeping antivirus software and operating systems up to date can certainly help to protect against ransomware, the best strategy will always be to install and maintain a solid data backup system that adheres to business continuity guidelines. In case of a severe ransomware attack, servers or clients can then be completely restored without having to meet any ransom demands. Comprehensive data backup strategies will completely workstations; another option is to mirror virtual workstations in the cloud so that they can be booted from just about anywhere in Ireland or even abroad.
Proper data backup systems are also crucial for disaster recovery planning, and they may be a matter of compliance for businesses operating in certain sectors. Business owners who install reliable backup solutions for their company networks will always have the peace of mind of knowing that a ransomware attack need not cost them their data.

