To help pharmacies navigate these new regulations, we have developed the NIS2 Handbook for Community Pharmacies, which builds upon the foundation set by the IPU Cyber Essentials Guide. Below is an overview of NIS2, what it requires, and how pharmacies can ensure compliance using the detailed steps and examples provided in the handbook.

Who does NIS2 apply to?

Healthcare providers classified as “essential” or “important” under the NIS2 Directive are those that meet the criteria of more than 50 employees or with annual revenue exceeding €10 million. If your business falls into this category, NIS2 brings additional requirements that go beyond basic cybersecurity best practices.

What is required under NIS2?

While the IPU Cyber Essentials Guide provides guidance on essential security practices like firewalls, secure configuration, and malware protection, NIS2 introduces further obligations in several key areas. The NIS2 Handbook for Community Pharmacies provides a practical roadmap to meet these requirements, including:

• Risk analysis and system security: Pharmacies must regularly assess risks to their IT systems. The handbook offers guidance on conducting audits, reviewing access rights, and identifying vulnerabilities, ensuring that systems are secure from both internal and external threats;
• Incident handling and reporting: In the event of a cybersecurity incident, pharmacies must have clear procedures in place. The handbook details how to create an Incident Response Plan and outlines steps for reporting significant incidents to regulators like the PSI, as required under NIS2;
• Business continuity and disaster recovery: Pharmacies must ensure that they can continue operating in the event of a cyberattack. The handbook provides examples of creating a Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP), including steps to test these plans regularly;
• Supply chain security: Pharmacies are also responsible for the cybersecurity practices of their suppliers. The handbook includes templates for Vendor Security Agreements, ensuring that third-party providers adhere to the same high standards as the pharmacy itself; and
• Employee training: Regular staff training on cybersecurity is mandatory under NIS2. The handbook outlines how to implement effective training programmes and includes examples of how to incorporate the Cyber Hygiene Checklist from the IPU Cyber Essentials Guide into daily practice.

Compliance with NIS2

One of the key aspects of NIS2 compliance is the ability to provide evidence of your cybersecurity measures. The NIS2 Handbook explains what this looks like in a community pharmacy setting, including:

• Risk assessments, documented security audits, and training logs;
• Incident reports that outline how cyberattacks were managed and mitigated; and
• Backup and disaster recovery tests, showing that pharmacies are prepared to continue operations during a disruption.

Regulatory bodies such as the PSI will likely oversee NIS2 compliance for pharmacies. Pharmacies should be prepared for audits, inspections, and ad hoc reviews to ensure they are meeting these obligations. The handbook provides step-by-step advice on how to document compliance effectively, from maintaining audit records to preparing for inspections.

The role of PSI as Regulator

It is expected that the PSI will serve as the regulatory authority for community pharmacies subject to NIS2. The PSI will have the power to enforce compliance, which could include audits, issuing warnings, and imposing penalties for non-compliance.

IPU support

The NIS2 Handbook for Community Pharmacies offers detailed guidance on how to engage with PSI in this regulatory role, including what documentation should be provided during an inspection and how to respond to requests for additional information.

Next steps

For pharmacies subject to NIS2, preparing for compliance starts now. The NIS2 Handbook for Community Pharmacies provides the tools and examples necessary to meet these new requirements and build on the best practices outlined in the IPU Cyber Essentials Guide.

For full background on the national steps and resources available to pharmacies, visit the National Cyber Security Centre’s dedicated NIS2 page at ncsc.gov.ie/nis2. This page offers further guidance on regulatory requirements and additional resources to help you ensure compliance.

By following the guidance in the handbook, pharmacies can ensure that they not only comply with NIS2 but also strengthen their overall cybersecurity posture, protecting patient data and maintaining the continuity of their services.

For more information and to access the full handbook, visit ipu.ie/cybersecruity.