The National Cyber Security Centre (NCSC) has published guidance aimed at helping organisations to comply with an EU directive on cyber-security.
Thousands of Irish organisations are expected to come under the directive’s scope once it is transposed into Irish law in the coming months.
Under the NIS2 Directive, ‘essential entities’ in sectors such as energy and transport will have to implement strict risk-management measures. The directive also defines a second category, ‘important entities’, covering sectors it treats as less critical, such as waste management and postal services; these are subject to a lighter supervisory regime but still have to implement the risk-management measures.
Both categories will have obligations to report certain cyber-incidents to the competent authority.
The NCSC describes the Risk Management Measures (RMMs) as “a detailed guide” setting out what essential and important organisations are expected to do under the directive to manage cyber-security risk.
The NCSC has also published Cyber Fundamentals (CyFun), a tiered framework containing practical controls to help organisations to meet their obligations.
The centre says that the draft RMMs include the minimum baseline of compliance and represent the ‘what’ organisations need to do for NIS2 compliance, while the CyFun scheme is an optional ‘how’ they may do it.
“A core challenge in this process has been determining how thousands of different businesses can demonstrate compliance with the directive’s broad security measure,” said Joseph Stephens (director of resilience, NCSC).
“We’ve worked hard to develop a framework that provides clear guidance, while remaining flexible enough to accommodate organisations of different sizes, sectors, and risk profiles,” he added.