
Navigating NIS2: Requirements, Best Practices, and Practical Insights

On 5 March 2025, William Fry hosted an event titled “Navigating NIS2: Requirements, Best Practices, and Practical Insights”.

The event brought together industry experts to discuss the latest trends and challenges in the cybersecurity landscape, focusing on compliance with the new NIS2 directive. The panel was moderated by Susan Walsh and featured speakers Rachel Hayes, Partner in William Fry’s Technology Department; David Keddy, Cloud Security Technical Specialist at Microsoft; and Joseph Stephens, Director of Resilience at the National Cyber Security Centre of Ireland (NCSC).

Key Takeaways from the Panel Discussion

In preparation for the coming into force of NIS2, the panel speakers discussed various topics to inform the audience on key elements of NIS2. Covering compliance tips, the importance of supply chain security and the role of the NCSC, the panel broke down NIS2 and the steps organisations should take to address it.

NIS2 Readiness

Susan Walsh introduced the NIS2 directive, referencing its genesis as part of the EU’s Cybersecurity Strategy, and provided an overview of the sectors now in the directive’s scope. Rachel Hayes kickstarted the panel discussions by explaining how to assess NIS2 applicability to an organisation, taking into account the sector definitions under the legislation and an organisation’s size. Joseph Stephens advised that there is a helpful tool on the NCSC website to assist organisations in assessing NIS2 applicability.

Practical Compliance Tips

For in-scope entities, the panel speakers provided several practical tips for compliance:

  • Multi-Disciplinary Approach: David Keddy’s top practical tip is two-fold: develop plans to protect against a cyber breach and formulate plans for reporting a breach. He noted that this requires input from various organisational stakeholders, which Hayes and Stephens agreed is key for compliance with NIS2. Hayes stressed a bottom-up, top-down approach to cybersecurity. Keddy advised that to achieve this, management boards and ICT specialists will have to work together, with ICT needing to explain and translate complex ICT matters into risks and impacts that can be presented to board members. For more information on incident notification, see our article on incident notifications under NIS2 here.
  • Board Involvement: Hayes highlighted that NIS2 now catches anyone with management control of an in-scope organisation – making them responsible for the approval and oversight of the organisation’s cybersecurity risk management measures. She advised that board members must undergo training and ensure cybersecurity knowledge is disseminated throughout the organisation. Stephens agreed that the board should drive cybersecurity and compliance with NIS2. For more information on the role and obligations of the managing board under NIS2, please see our article here.
  • Leveraging Technology: Keddy acknowledged that while bad actors commonly exploit AI to perpetrate cyberattacks, it is also a key tool to bolster organisations against such threats. AI augments employee skillsets, increasing the number of people who can work in cybersecurity, and can also help organisations assess whether a cyber incident needs to be reported. Keddy also stressed the efficacy and importance of simple, well-established tools such as two-factor authentication in preventing cyber incidents, which many organisations have yet to implement despite their availability and maturity.
  • All-Hazards Approach: NIS2 requires an ‘all-hazards’ approach to managing cybersecurity risks. Stephens highlighted that two-thirds of cyber incidents are not malicious, resulting from a variety of factors such as severe weather events causing black-outs, misconfigurations and human error. To comply with NIS2, these incidents must also be reported to the NCSC to the extent they impact cybersecurity and constitute a ‘significant event’. The NCSC will work with the organisation to provide support and advice to help mitigate such risks in future.

Importance of Supply Chain Security

In addition to the key points discussed above, a theme that ran through the discussion was the role and importance of supply chain security. Stephens highlighted the importance of risk management in supply chain security, noting that organisations will need to have a framework to assess and monitor the security of their suppliers. He also stated that many ICT suppliers may be directly in the scope of NIS2, making the dialogue on cybersecurity and NIS2 compliance somewhat easier. Keddy noted that many suppliers may adhere to NIS2 as best practice, even where they are not in scope.

Stephens emphasised the importance of contractual arrangements with suppliers and of getting legal assistance at the contractual negotiation stage to address NIS2 requirements and obligations in supplier contracts. Organisations need contractual protections in the event of cyber incidents, whether the incident affects the organisation itself or its suppliers. These should address notification and assistance/information-sharing obligations. Supplier contracts should address cybersecurity standards and, where applicable, certifications and assurances. Stephens also advised that contracts should provide additional protections for critical supplier services, such as audit rights.

Role of the NCSC

Stephens provided valuable insight into the multifaceted role of the NCSC. In addition to its supervisory and enforcement role in certain sectors, the NCSC will be responsible for detecting and responding to cyber incidents, building national capacity (for example, by ensuring that organisations have the support they need) and supporting government and government departments. The NCSC also acts as the Computer Security Incident Response Team (CSIRT) under the legislation and as the single point of contact for cooperation with other Member States. Each sector will have designated competent authorities, with the NCSC acting as the lead competent authority in Ireland.

Status of NIS2 transposing legislation in Ireland: At the time of this publication, NIS2 is legally binding in the European Union (since 17 October 2024). However, NIS2 has yet to be transposed into Irish law, and Ireland is subject to infringement proceedings brought by the European Commission due to late transposition. The General Scheme for the National Cyber Security Bill 2024 (CSB) is the proposed draft legislation to transpose NIS2 into Irish law. The CSB is published on the Government’s priority legislation list. Please visit our website for relevant updates regarding the CSB.

Conclusion

For more information on NIS2, see William Fry’s NIS2 podcast series here; or access William Fry’s TechReg Connect software solution. You can also get in touch with Susan Walsh, Rachel Hayes, Leo Moore or your usual William Fry contact.