.ie Domain Profile Report 2023

EU cyber regulations may overwhelm Ireland’s regulators and service providers

Ireland’s digital services companies are ill-prepared for the approaching tsunami of EU cyber regulations. These regulations include:

• Digital Services Act (DSA) and the Digital Markets Act (DMA), which apply to platforms and search engines, initially those with more than 45 million customers each
• Digital Operations Resilience Act (DORA) for the fintech sector
• EUID (digital wallets) and eIDAS, which are relevant for e-certificate providers
• NIS2 and the Critical Entities Directive (CER), which apply largely to important or critical infrastructure providers.

It has been estimated that the scope of NIS2 could encompass between 2,500 and 3,000 entities in Ireland. The scale and scope have the potential to overwhelm regulators in Ireland, and the companies in the 15 sectors with 8 new sectors soon to be regulated for the first time. With less than 10 months until the mandatory implementation date of October 2024, preparations for NIS2 will be intensive, expensive and resource-heavy.

In essence, NIS2 aims to protect critical organisations and infrastructure within the EU from cyber threats with the goal of achieving a high level of common security across the EU. To fulfil its objective, the NIS2 Directive focusses on organisations that operate in critical sectors, as they are essential for the proper functioning of society and, for this very reason, are often the primary target of cyber attacks. The ransomware attack which disabled Ireland’s health services in 2021 is just one example.

The cybersecurity measures included in the Directive are designed to help organisations to protect their data, systems and processes. Compliance will not merely prevent sanctions, but also guide organisations towards achieving a cybersecurity maturity that will shield them from cyber attacks, which could have devastating effects on the company and on its customers.
The objectives are laudable and essential, given the scale and impact of cyber-attacks, especially ransomware. Some of the main provisions of NIS2 include:

• 10 cybersecurity risk management measures required for essential and important entities to prevent or minimise the impact of cyber incidents (Article 21)
• New measures for registrars and registries to verify domain name registration data (Article 28)
• There will be enhanced corporate responsibilities for top management in relation to cybersecurity
• A harsher penalty regime will be introduced
• A stricter supervisory regime must be implemented to ensure compliance
• Stringent reporting requirements will be imposed for notification of incidents.

The international consultancy firm EY advises organisations which will be regulated by NIS2 to prioritise several practical steps in preparation for the upcoming requirements. For instance:

1. Perform an inventory or audit of its entire architecture and systems landscape
2. Implement a risk management framework ensuring that threats against its data are continuously identified, assessed, evaluated, and treated
3. Initiate crisis management activities to limit the impact and duration of a crisis
4. Define and establish business continuity and disaster recovery procedures to ensure that the organisation’s critical processes continue to operate during a disruption
5. Make sure top management is involved in the cybersecurity strategy of the organisation
6. Identify supply chain risks by including service providers in the risk assessments
7. Define a structured incident management process to deal with anticipated cybersecurity incidents.

These practical steps will not only guide an organisation towards NIS2 compliance, but also strengthen its cybersecurity position and build its resilience against the ever-increasing cybersecurity threat landscape.
