How has NIS2 developed in Ireland over the past 1-2 years?
Paula Hoffler:
Nobody knows about NIS2. GDPR came in, everybody knew about it. It was a law to end all laws. NIS2? Very few publications about it. If it wasn't for the NCSC, we would be in difficulty; if it wasn't for individual organizations like the Irish Computer Society or ADPO or other private organizations talking about NIS2, we'd know very little about it.
I think from a governance framework and from bringing it out to the masses, we need to talk about it more. It needs to be on discussion points. It even needs to be on the news. There's a new law coming, guys. You need to be aware of it. For me, that's the difficulty.
I think if we have an implementation date for it coming into Ireland, it might spur things on a little bit, but historically the press on it has been very bad.
What is the biggest challenge for companies to be NIS2-compliant on time?
Paula Hoffler:
I think the first thing is preparedness. Even with GDPR, businesses still don't know what they're doing, where their information is, where their infrastructure is, how they're managing their infrastructure.
So trying to get their head around that is a huge, huge issue. They're not ready. When you don't have processes and you haven't applied the GDPR fundamental process into your business or compliance or governance around GDPR, you're going to find NIS2 very difficult.
Vaibhav Malik:
Risk management is kind of the fulcrum of the NIS2 Directive, right? So you need to have strong risk management and controls in place. Article 21 speaks about that in detail as well. So having proper risk management, and ensuring that you have the metrics trackable and reportable to the board, is hugely important.
And also strengthening incident response is something which is a no-regret move. And everybody can implement it. Another one is also having steering groups for NIS2. A lot of times boards want to understand what's happening in terms of the progress that you're making on the NIS2 Directive. So these steering groups definitely help with that.
Is there more overlap or conflict between NIS2 and GDPR?
Paula Hoffler:
I don't think there's any conflict. I think they interplay really well.
They interplay, they work together a bit like we work with our security teams as DPOs. There's a significant amount of interplay. So if we look at supply-chain management or supply-chain oversight and look at the risk associated with that, as a DPO, we look at vendor risk and we run all those procedures anyway.
Records of processing activities will lead us into asset management and digital management, both physical and digital assets. So there's a huge amount of work with it, and not forgetting Article 32 of the GDPR, which is all about security, or Article 5 and Article 24, where we're looking at security too.
So for us, this is a natural progression. I think the benefit is the bringing together of the various different disciplines in an organization to work on NIS2. So I don't think there are conflicts, I think there's just positivity all the way through in this.
How can more traditional industries adapt to NIS2 measures?
Vaibhav Malik:
We work with a lot of companies that are in manufacturing and healthcare, and I suppose the problem there is that there's a bit of a divide between IT and OT.
Traditionally, IT security has worked on the principles of confidentiality, integrity, and availability, whereas OT has largely taken care of the availability aspects to keep the plant running, to keep the production line busy. So I suppose there's a lot of investment that needs to be done in the OT security side and how to govern that, but importantly, bridge the gap between IT security and OT security.
And we have seen that when boards and executives put some time and resources into creating some sort of working group between IT and OT to work together, that gives a lot of success, because ultimately it's the people who are going to solve this, not any fancy tools.
Also in the healthcare and manufacturing industries, we've seen countries like Australia implement the IEC 62443 standards. Although we don't have that in Ireland in the law, I suppose from an OT standpoint organizations can proactively look at implementing standards like IEC 62443, which will in any case help with defense in depth and give them a reasonable start to their security maturity.
How can experts prepare themselves for NIS2?
Paula Hoffler:
I suppose the one piece of advice would come with a selection of bullet points.
Engage with your peers. Get involved in networks, sign up to events, come to DataGuard events in Meta buildings, get into LinkedIn conversations, be aware of what's happening out there in the market. There are an awful lot of laws coming down from Europe, still coming down or already come down, that you mightn't be aware of.
Engage in social communication and social contact to really embrace and understand what's available. Don't remain siloed. Just because your business is in a certain industry doesn't mean these laws don't impact you somewhere.
You may be a vendor of somebody who's caught in NIS2. If they're in NIS2, you're in it too.
You need to have that awareness level. Engagement, conversation, and getting out there and talking to people makes all the difference.