Kieran McCorry, Microsoft

Leaders in Ireland need to pay attention to changing EU cybersecurity legislation

A new report by Microsoft Ireland highlights organisations are vulnerable to cybercrime, finds Kieran McCorry
Kieran McCorry, Microsoft

29 March 2024

In recent months there have been a lot of discussions about new EU cybersecurity legislation, namely the Network and Information Systems 2 Directive (NIS2). NIS2 is the new European cyber security directive that will replace the existing NIS directive in October 2024. All European countries are currently transposing the NIS2 directive into law and organisations in Ireland are no different when it comes to compliance with these new requirements.

Even though NIS2 will impact more than 180,000 organisations across the EU, there is a startling lack of awareness of the upcoming legislative changes among leaders in Ireland, as is evidenced by our latest report Cyber Security Trends in Ireland. This is further exacerbated by the cyber security vulnerabilities that persist across Irish industry and by the absence of comprehensive defence strategies, also highlighted in our report following research among c-suite executives within organisations in Ireland.

While there’s been a commendable adoption of cybersecurity training, the true resilience demanded by the evolving threat landscape necessitates ongoing investments in technological solutions. Our report reveals that 46% of respondents have faced cyber incidents in the last three years, with 30% experiencing data breaches. Strikingly, only 14% reported incidents to regulatory bodies. The report revealed a significant gap exists in strategic processes, with just 44% performing risk assessments and 38% employing a multi-layered defence strategy – all of which will be legislated for in less than 10 months’ time for many organisations in Ireland. The study also points to a potential complacency, with 26% of organisations indicating a lack of IT security infrastructure investment planned for the coming year.




Despite its potential to strengthen cyber security postures, more than 70% of leaders in Ireland are either unaware or unprepared for compliance. Of those who are aware of NIS2, 20% feel they are currently compliant with the legislation and 20% believe they are not compliant. Sixty percent of all respondents are unsure if they are or not. Positively, 31% of organisations are planning to invest in their strategy to achieve compliance with NIS2 and 29% have a roadmap in place to achieve this.

That said, this lack of awareness extends to the majority being unsure about their organisations having investment or a roadmap for NIS2 compliance. The research also revealed that while organisations may have experienced a cyber incident (46%), not all (14%) felt they had to report it. However, under NIS2, organisations will have to report earlier and more often. It is imperative that Irish organisations are aware of, and planning for, this new legislation that will have a significant impact on their organisations, and potentially their customers’, cyber security policies and defences.

What is NIS2 Legislation?

The NIS2 directive mandates a baseline of minimum-security measures for digital service providers and operators of essential services, highlighting the urgency for organisations in Ireland to prepare for its implications. This includes organisations in the public and private sectors, across industries ranging from finance to transportation to healthcare.

Preparing for NIS2 will require companies to rethink the tools, processes, and skills that reinforce their cybersecurity. A key feature of NIS2 is the requirement to implement a benchmark of minimum cybersecurity measures including risk assessments, policies and procedures for cryptography, security procedures for employees with access to sensitive data, multi-factor authentication, and cyber security training. The legislation also includes an emphasis on the need for cyber security in supply chains and prioritises the relationship between companies and direct suppliers. Additionally, NIS2 aims to harmonise cybersecurity requirements and enforcement across EU member states, while directing companies to create a plan for handling security incidents and managing business operations during and after a security incident.

Preparing for NIS2 legislation

Any kind of successful transformation effort is about people and company culture as much as it is about technology. Optimising your cybersecurity – and preparing for NIS2 – is no exception. This is not just an issue relegated to the IT department or the cyber security team. Effective security requires teamwork – from workers on the factory floor to C-suite leadership. Skilling and education are important components of empowering your people. The majority (62%) of supply chain attacks are malware. And as most malware attacks rely on social engineering, you quickly see why people are so important. 

It is important to note that NIS2 will require businesses to have plans in place both for mitigating risk and managing incidents when they do happen. Pre-empting attacks requires understanding where vulnerabilities exist and implementing safeguards accordingly. 

For example, organisations can assess risks and comply with regulations using Microsoft 365 Compliance Manager and Microsoft Defender for Cloud. It is also possible to secure devices and networks against supply chain attacks using Microsoft Defender for Endpoint.

Microsoft’s recent strides in unifying incident experiences through Microsoft Sentinel and Microsoft Defender XDR mark another significant leap toward cohesive and efficient cybersecurity strategies. Meanwhile, from 1st of April, Microsoft Copilot for Security will be generally available in Ireland. The industry’s first generative AI solution will help security and IT professionals catch what others miss, move faster, and strengthen team expertise. Copilot is informed by large-scale data and threat intelligence, including more than 78 trillion security signals processed by Microsoft each day, and coupled with Large Language Models to deliver tailored insights and guide next steps. With Copilot, users can protect their environments at the speed and scale of AI and transform their security operations.

In conclusion, the forthcoming implementation of NIS2 demands urgent attention from leaders in Ireland. With mere months remaining until NIS2 becomes enforceable, strategic cybersecurity processes and resilience must become focal points of organisational agendas. Embracing these technologies and fostering a culture of vigilance and adaptability will be crucial for safeguarding organisations and their stakeholders in the face of escalating cyber threats.

Kieran McCorry is national technology officer with Microsoft Ireland

Back to Top ↑