Navigating the regulatory landscape in 2025

Author

Mary Donnelly, Security Consultant at Ergo

In 2025, your organisation will experience a substantial escalation in compliance challenges. On top of existing legislation, the landscape is morphing as it adapts to emerging compliance requirements driven by DORA, NIS2, PART-IS, the EU Artificial Intelligence Act, the Critical Entities Resilience Directive (CER) and so on.

Organisations must be adaptable, vigilant, and proactive in their compliance strategies to navigate the landscape. We at Ergo are happy to help you understand which regulations are compulsory versus which are best practice guidelines and how best to achieve compliance using industry-recognised frameworks.

DORA

The Digital Operational Resilience Act (DORA) is a regulation introduced by the European Union to enhance the digital operational resilience of the financial sector. It came into effect on 17th January 2025. DORA aims to ensure that financial institutions can withstand severe operational disruptions caused by cyber attacks or other incidents.

Key aspects of DORA include:

  • Risk Management: Information and Communication Technology (ICT) risk management
  • Incident Management: ICT-related incident management, classification and reporting
  • Testing: Digital operational resilience testing
  • Supply Chain: Management of ICT third-party risk (including the introduction of an oversight framework for critical ICT third-party service providers)
  • Information sharing: Information sharing arrangements.

Whilst most organisations will have a level of compliance activity against each of these areas, it’s important to note that, for digital operational resilience testing, traditional penetration tests are insufficient to meet the needs of DORA, which demands advanced Threat Led Penetration Testing (TLPT) in accordance with the TIBER-EU Framework.

NIS2 directive

The new Network and Information Systems directive, NIS2, represents a significant step forward in bolstering cyber security resilience across the EU. With its broader scope, risk-based approach and emphasis on supply chain security, the NIS2 directive acknowledges the evolving and disruptive threat landscape and its impact on the critical role of essential services and digital infrastructure. It also strengthens national regulatory oversight. Potential sanctions for infringements include stricter administrative fines and management liability which could be up to 1.4% of total annual worldwide turnover, or 7 million euro, or 2% of total annual worldwide turnover, or 10 million euro.

Source: itgovernance.co.uk

Because NIS2 is a European directive, Ireland must transpose the EU framework into our national laws. Unfortunately, Ireland missed the deadline of Oct 17th, 2024, as NIS2 is a complex piece of legislation which requires a complete overhaul of existing legislation. Ireland continues to work through the transposition requirements of the Directive, and it’s expected to be transposed later this year. In the meantime, the earlier version of NIS2 (NIS1) is still operational and continues to apply to already designated Operators of Essential Services (OESs) within the State.

NIS2 will effectively lay down measures that aim to achieve a high common level of cyber security across the European Union, with a view to improving the functioning of the internal market. It aims to strengthen cyber resilience by focusing on the following key objectives:

  • National strategies: Member States must create national cybersecurity strategies and set up authorities for cybersecurity, crisis management, contact points, and incident response teams (CSIRTs).
  • Risk management and reporting: Specified entities and critical entities under Directive (EU) 2022/2557 must follow cybersecurity risk management and reporting rules.
  • Information sharing: There are rules for sharing cybersecurity information.
  • Supervision and enforcement: Member States have obligations to supervise and enforce these rules.

PART-IS

PART-IS is a regulation introduced by the European Union Aviation Safety Agency (EASA) to enhance the cybersecurity and operational resilience of the aviation sector. The Irish Aviation Authority (IAA) are the supervisory authority in Ireland. The provisions of PART-IS will be applicable from October 16th 2025, for organisations in the scope of the delegated act and from February 22, 2026 for all other organisations under the implemented act.

Key aspects of PART-IS include:

  • Risk Management: Information Security Risk Management: Establishing rules for identifying and managing information security risks within aviation organisations and authorities.
  • Incident Management: Setting requirements for detecting information security events, identifying incidents and responding to and recovering from these incidents to ensure aviation safety.
  • Applicability: The regulation applies to various organisations, including approved design and production organisations, aerodrome operators and apron management service providers.

The goal of PART-IS is to create a cyber-resilient aviation system by safeguarding operations and aviation safety against emerging cyber threats.

The EU Artificial Intelligence Act

The EU Artificial Intelligence Act is a comprehensive legal framework introduced by the European Union to regulate artificial intelligence (AI) systems. It aims to ensure AI development and deployment are safe, transparent and respect individuals' fundamental rights. The Act came into force on August 1st, 2024.

Key aspects of the EU AI act include:

  • Risk-Based Approach: AI systems are categorised based on their risk levels. Minimal risk systems (e.g., spam filters) face no obligations, while high-risk systems (e.g., AI-based medical software) must comply with strict requirements.
  • Transparency Requirements: Certain AI systems, like chatbots, must inform users that they are interacting with a machine.
  • Human Oversight: High-risk AI systems must have human oversight to ensure safety and accountability.
  • Prohibited Practices: AI systems that pose unacceptable risk, such as those enabling social scoring by governments, are banned.
  • Uniform Framework: The Act provides a consistent regulatory framework across all EU member states, promoting innovation while protecting.

The Critical Entities Resilience Directive

In October 2024, the Irish government promulgated the EU Resilience of Critical Entities Regulations (CER) 2024 Special Instrument (SI) 559/2024. The regulations will apply to a wide range of critical entities across the banking sector, energy, transport and health services.

Key aspects of CER include:

  • National Strategy: A comprehensive framework for enhancing the resilience of critical entities, encompassing risk assessment, designation of entities as critical and measures to improve resilience.
  • Competent Authorities: The regulations designate sector-specific competent authorities who will be responsible for overseeing the implementation of the regulations and who will have the power to conduct inspections, enforce compliance, and issue guidance to critical entities.
  • Background Checks: The Regulations allow for the Minister to provide for circumstances in which a designated critical entity is to carry out background checks, including criminal record checks.
  • Incident Notification: Critical entities are required to notify the competent authorities of any incidents that could significantly disrupt their operations.
  • Cooperation with other member states: Cross-border sharing of information, conducting joint risk assessments and participating in advisory missions.
  • Overlap with DORA and NIS2: Any overlap with DORA and NIS2 appears to be dealt with by way of a broad carve-out for entities already within the scope of that legislation; time will tell how that will work in a practical sense.

ISO 27001 Framework

ISO 27001 is the world’s best-known standard for information security management systems (ISMS). ISO 27001 promotes a holistic approach to demonstrating information security through a framework that focuses on people, policies and technology. An information security management system implemented according to this standard is an excellent tool for risk management, cyber resilience and operational excellence, and the emphasis on continual improvement copes very well with the emergent nature of cyber risk.

Key aspects of ISO 27001 include:

  • Risk Management – a comprehensive risk management process which defines an organisation’s risk criteria and appetite. It quantitatively assesses information security risk across people, process and technology, to ensure that reviews yield consistent, valid and comparable results. Risk treatment is assessed in terms of acceptance, mitigation, sharing or ownership, and each risk is designated a risk owner. Alongside risk, ISO 27001 takes into account the control measures that an organisation has in place, mapping them to the risks themselves and allowing a comprehensive view of inherent and residual risk in your organisation.
  • Governance and operational excellence – ISO 27001 alignment demonstrates that your organisation is following information security best practice and provides an independent, objective assessment attesting that the information security measures in place are in line with industry standards.
  • Cyber Resilience – ISO 27001 has a systematic approach to risk management, secure development, supply chain security, incident response, backup and disaster recovery and lifecycle management which are all components of an effective cyber resiliency program.
  • Incident Management – Effective incident management is a critical element of an organisation’s operational resiliency. Its core objective is to quickly identify and remediate incidents in order to restore normal operations as fast as possible, while minimising the impact on business continuity and ensuring the protection of your organisation’s information security assets.
  • Continual Improvement – ISO 27001 advocates a culture of continual improvement. Changing landscapes are continually assessed for emerging risks, threats and opportunities for improvement that drive a proactive continuous improvement program maintaining a high degree of confidence in your security posture.

Ergo places great emphasis on innovation and quality. This commitment is reflected in our adherence to a range of esteemed accreditations and industry compliance standards, including ISO 27001.

If you need assistance with navigating the ever-changing regulatory landscape and implementing effective cybersecurity measures, please contact us. Our team of experts possesses extensive knowledge and expertise in technologies and can help you with:

  1. Cyber resilience and cyber recovery services
  2. Managed detection and response
  3. Penetration testing
  4. Cloud security
  5. Hybrid and multi cloud services

 
