Curated advice, guidance, learning and trends in cybersecurity and privacy, as chosen by our consultants.
NIS2 in the nick of time
The Irish Government has published the Heads of Bill for the NIS2 Directive (the Network and Information Security Directive EU 2022/2555, to give its full name). The National Cyber Security Bill 2024 is the legislative vehicle for transposing NIS2 into Irish law. The bill designates which regulators will be responsible for various critical sectors. For example, the Commission for the Regulation of Utilities (CRU) will become the ‘competent authority’ for the energy, drinking water and wastewater sectors. The Central Bank of Ireland will oversee both banking and financial markets.
The bill also puts the National Cyber Security Centre (NCSC) on a statutory basis, to become Ireland’s designated cyber crisis management authority. The NCSC will run the State’s Computer Security Incident Response Team (CSIRT). The Government website has a one-page explainer, along with a link to the full 181-page bill as a PDF. NIS2 brings many more organisations into its scope, some of which will need to comply if they want to keep doing business with regulated entities. We’ve published a 10-step blog to help get ready for the regulation.
Adieu ActiveX, hello hardening
Two major security updates are coming from Microsoft, aimed at closing longstanding vulnerabilities that cybercriminals exploit. Starting next month with the release of Office 2024, the software company will disable ActiveX by default. The change affects widely used apps including Word, Excel, PowerPoint, and Visio. From April 2025, the same change will apply to Microsoft 365 apps. The second update hardens the Windows Common Log File System (CLFS) logging service against exploitable bugs, and will arrive in future Windows 11 updates. Technical details of the changes are here.
These changes aim to address two of the biggest attack surfaces in the Windows ecosystem to date. TechRepublic described the move as Microsoft being “on the warpath against legacy Office features that are providing entry points for bad actors since 2018.” The news follows a strategic shift by the world’s biggest software company to make security its top priority. In August The Verge reported on an internal staff memo which put the issue in stark terms. “When faced with a tradeoff, the answer is clear and simple: security above all else,” it quoted Microsoft’s chief people officer Kathleen Hogan.
Data protection and privacy newsround: tech titans and regulators differ on AI
More developments emerged over the past month as privacy regulators look more closely at the implications of AI. In Ireland, the Data Protection Commission has opened an investigation into Google over using EU citizens’ personal data to train its AI tools. The Netherlands’ data protection authority fined the US company Clearview AI €30.5 million over what it alleges was an illegal database storing “unique biometric codes”. It has also warned about companies’ use of AI-powered chatbots. And the shots are coming from both sides. Already, Apple has held back some AI features in the new iPhone for EU customers, blaming regulations. Meta, which owns Facebook and Instagram, took a similar tactic, suspending ‘multimodal’ AI features because of what it called an “unpredictable” regulatory environment.
Closer to home, the Irish High Court dismissed proceedings against X after the company formerly known as Twitter agreed to suspend the processing of personal data to train its AI tool ‘Grok’. Consumer organisations had objected to the tool, alleging it was in breach of the GDPR.
To close off this segment with some good news, our own Dr Valerie Lyons has been shortlisted in the achievement category in the PICCASO Awards, which recognise individuals who have made a significant contribution to the field of privacy. The ceremony takes place in London on 12 November.