Is Ireland Prepared? EU cyber regulations threaten to overwhelm
The Challenge Posed by Incoming EU Regulations
Ireland’s digital services companies are at risk of being ill-prepared for the approaching tsunami of EU regulations.
These regulations include the Digital Services Act (DSA) and the Digital Services Markets (DSM), which apply to platforms and search engines (initially those with more than 45 million customers each); the Digital Operations Resilience Act for the fintech sector; eIDAS, which is relevant for e-certificate providers; and NIS2 and the Critical Entities Directive (CER), which apply largely to critical infrastructure providers of essential services on which citizens rely.
It has been estimated that the scope of NIS2 could encompass up to 2,500-3,000 entities in Ireland. This scale has the potential to overwhelm regulators in Ireland, and the companies in the sectors soon to be regulated for the first time.
With less than 5 months until the mandatory implementation date of October 2024, preparations for NIS2 will be intensive, expensive and resource-heavy.
The cyber security measures included in the Directive are designed to help organisations to protect their data, systems and processes. Compliance will not merely prevent sanctions, but also guide organisations towards achieving a cyber security maturity that will shield them from cyber-attacks, which could have devastating effects on the company and on its customers. The objectives are laudable and essential, given the scale and impact of cyber-attacks, especially ransomware.
Some of the main provisions of NIS2 include the need for cyber security risk management measures which are required for essential and important entities to prevent or minimise the impact of cyber incidents. There will also be increased corporate responsibilities for top management in relation to cyber security, as well as a harsher penalty regime.
Furthermore, stringent reporting requirements will be imposed for notification of incidents.
Practical Steps to Strengthen Your Cybersecurity Position
Organisations should begin by performing an inventory or audit of their entire architecture and systems landscape, to establish a foundation for their risk management processes. This includes implementing a risk management framework that ensures continuous assessment, evaluation, and treatment of threats against their data.
Additionally, crisis management planning should be initiated to limit the impact and duration of any crisis that may arise.
To further enhance resilience, it is crucial to establish business continuity and disaster recovery procedures, ensuring critical processes can continue operating at an acceptable level during disruptions. Top management must be actively engaged in the cybersecurity strategy of the organisation to prioritise security initiatives.
Supply chain risks should be addressed by involving suppliers and service providers in risk assessments.
Finally, a structured incident management process should be defined to document and classify cybersecurity incidents, ensuring a swift response. These integrated measures collectively strengthen the organisation’s cybersecurity readiness to address emerging threats and challenges.
.ie and NIS2
As the trusted national domain registry for over 330,000 domain names, .ie is already designated by the Irish government as an operator of essential services (OES) under NIS1, the predecessor Directive to the imminent NIS2. Its ISO certification ensures that .ie is already compliant with the cybersecurity requirements of the new Directive.
In addition, the company has long-established DNS abuse protocols with many national regulators to assist them in tackling issues with .ie domains that are alleged to engage in technical abuse or criminal activity.
The scope of NIS2 will apply to all top-level domains for the first time, including .com, .net and .org, and to all of the country-code top-level domains (ccTLDs) across Europe.
Accordingly, Ireland’s registrars and resellers that operate cross-border will need to comply with NIS2 legislation applicable in all of those countries.
For example, they will need to have a dedicated database of complete and accurate information on any registrant who signs up for a domain name. This also means that registries and registrars will need to have verification processes.
To date, there has been speculation that the National Cyber Security Centre will delegate regulatory authority to regulators in situ, essentially a “federated approach” to regulation, thereby placing much of the regulatory burden on existing regulators, such as ComReg.
However, this has not been confirmed by the government, and it is important and urgent that the intended regulator is identified and commences its work without undue delay.
Conclusion
At .ie we are committed to demonstrating leadership for our sector and providing good governance. This includes meeting all regulatory requirements, including NIS2. It is not an easy task for the channel, but .ie has a multi-stakeholder Policy Advisory Committee that ensures its technical and registration policies & procedures are consensus-driven and will help .ie navigate rough regulatory waters ahead.
On this matter, .ie will leverage its established relationships with government departments to advocate for its stakeholders with national policymakers.
Through its international partnerships, the company will continue to liaise and coordinate with cross-border partners and Council for European National Top Level Domain Registries (CENTR) officials to advocate that the concerns of registrars, resellers and internet users are reflected in Europe’s implementing acts and in the national legislation.