# 🔐 The Evolution of Cybersecurity Governance Models
## Impact of GDPR and NIS2 on Multinational Organisations Operating in Ireland

**Module:** Security Frameworks and Compliance  
**Programme:** MSc / PGDip in Cybersecurity  
**CCT College Dublin**

---

### 📚 Learning Objectives

By the end of this lecture, you will be able to:

1. Understand and compare key cybersecurity governance models and frameworks
2. Analyse the impact of GDPR and NIS2 on Irish organisations
3. Evaluate how organisations adapt to regulatory requirements
4. Identify future trends in cybersecurity governance

---

## 🛠️ Setup: Install Required Libraries

Run this cell first to install all necessary packages.

In [None]:
# Install required packages
!pip install pandas matplotlib seaborn plotly networkx -q

import pandas as pd
import matplotlib.pyplot as plt
import seaborn as sns
import plotly.express as px
import plotly.graph_objects as go
from datetime import datetime, timedelta
import json
from IPython.display import display, HTML, Markdown
import warnings
warnings.filterwarnings('ignore')

print("✅ All libraries loaded successfully!")

---

# Part 1: Overview of Cybersecurity Governance Models

## What is Cybersecurity Governance?

**Cybersecurity governance** is the system by which an organisation directs and controls its cybersecurity activities. It encompasses:

- **Policies**: Rules and guidelines for security behaviour
- **Procedures**: Step-by-step processes for implementing security
- **Standards**: Specific technical requirements
- **Accountability**: Clear roles and responsibilities
- **Risk Management**: Identifying and mitigating threats

### Key Components of Governance Models

| Component | Description | Example |
|-----------|-------------|----------|
| Strategy | Long-term security vision | 5-year security roadmap |
| Risk Management | Identifying and prioritising threats | Risk registers |
| Compliance | Meeting legal/regulatory requirements | GDPR, NIS2 |
| Operations | Day-to-day security activities | Incident response |
| Metrics | Measuring security performance | KPIs, dashboards |

In [None]:
# Interactive: Governance Model Components Visualisation
# Importance and Implementation_Difficulty are illustrative lecture scores, not measured data.

governance_components = {
    'Component': ['Strategy', 'Risk Management', 'Compliance', 'Operations', 'Metrics', 'People'],
    'Importance': [95, 90, 88, 85, 75, 92],
    'Implementation_Difficulty': [70, 85, 80, 60, 65, 75],
    'Description': [
        'Long-term security vision and objectives',
        'Identifying and prioritising threats',
        'Meeting regulatory requirements',
        'Day-to-day security activities',
        'Measuring security performance',
        'Training and awareness programs'
    ]
}

df_governance = pd.DataFrame(governance_components)

fig = px.scatter(df_governance, 
                 x='Implementation_Difficulty', 
                 y='Importance',
                 text='Component',
                 size='Importance',
                 color='Component',
                 title='Governance Components: Importance vs Implementation Difficulty',
                 labels={'Implementation_Difficulty': 'Implementation Difficulty (%)',
                        'Importance': 'Importance (%)'})

fig.update_traces(textposition='top center')
fig.update_layout(showlegend=False, height=500)
fig.show()

## Major Cybersecurity Frameworks

### 1. NIST Cybersecurity Framework (CSF)

The **NIST CSF** is a voluntary framework developed by the US National Institute of Standards and Technology. It is widely adopted outside the US because it is technology-neutral, flexible and easy to map onto other standards such as ISO 27001 and the CIS Controls.

**Core Functions (CSF 1.1):**
1. **Identify** - Asset management, risk assessment
2. **Protect** - Access control, training, data security
3. **Detect** - Continuous monitoring, anomaly detection
4. **Respond** - Incident response, communications
5. **Recover** - Recovery planning, improvements

CSF 2.0 (February 2024) adds a sixth function, **Govern**, which pulls organisational context, risk management strategy, roles and responsibilities, policy, oversight and supply chain risk management out of Identify into their own function, and widens the intended audience from critical infrastructure to all organisations. The category counts used in the visualisation below are the CSF 1.1 figures (23 categories, 108 subcategories); CSF 2.0 has 22 categories and 106 subcategories.

In [None]:
# Interactive: NIST CSF Framework Visualisation
# Category counts are CSF 1.1 (23 categories, 108 subcategories).
# CSF 2.0 has six functions (adds GOVERN), 22 categories and 106 subcategories.

nist_functions = {
    'Function': ['IDENTIFY', 'PROTECT', 'DETECT', 'RESPOND', 'RECOVER'],
    'Categories': [6, 6, 3, 5, 3],
    'Description': [
        'Develop organisational understanding to manage cybersecurity risk',
        'Implement appropriate safeguards to ensure delivery of services',
        'Implement activities to identify occurrence of cybersecurity events',
        'Take action regarding detected cybersecurity incidents',
        'Maintain plans for resilience and restore capabilities'
    ],
    'Key_Activities': [
        'Asset Management, Risk Assessment, Governance',
        'Access Control, Training, Data Security, Maintenance',
        'Anomalies & Events, Continuous Monitoring, Detection Processes',
        'Response Planning, Communications, Analysis, Mitigation',
        'Recovery Planning, Improvements, Communications'
    ],
    'Color': ['#1f77b4', '#2ca02c', '#ff7f0e', '#d62728', '#9467bd']
}

df_nist = pd.DataFrame(nist_functions)

# Create a visual representation
import textwrap

fig, ax = plt.subplots(figsize=(14, 6))

# Create boxes for each function
for i, (func, color, desc) in enumerate(zip(df_nist['Function'], df_nist['Color'], df_nist['Description'])):
    rect = plt.Rectangle((i * 2.2, 0), 2, 1, facecolor=color, edgecolor='black', linewidth=2)
    ax.add_patch(rect)
    ax.text(i * 2.2 + 1, 0.5, func, ha='center', va='center', fontsize=12, fontweight='bold', color='white')
    # Wrap the description at word boundaries instead of slicing mid-word and truncating
    ax.text(i * 2.2 + 1, -0.3, textwrap.fill(desc, 28), ha='center', va='top', fontsize=8)

# Add arrows between functions
for i in range(4):
    ax.annotate('', xy=(i * 2.2 + 2.15, 0.5), xytext=(i * 2.2 + 2.05, 0.5),
                arrowprops=dict(arrowstyle='->', color='black', lw=2))

ax.set_xlim(-0.5, 11.5)
ax.set_ylim(-1, 1.5)
ax.set_aspect('equal')
ax.axis('off')
ax.set_title('NIST Cybersecurity Framework - Core Functions', fontsize=14, fontweight='bold', pad=20)

plt.tight_layout()
plt.show()

# Display detailed table
print("\n📋 NIST CSF Detailed Breakdown:")
display(df_nist[['Function', 'Categories', 'Key_Activities']])

### 2. ISO/IEC 27001

**ISO 27001** is the international standard for Information Security Management Systems (ISMS). It provides a systematic approach to managing sensitive company information.

**Key Features:**
- Certification available (third-party audit)
- Plan-Do-Check-Act (PDCA) cycle
- 93 controls across 4 themes (Annex A - 2022 version)
- Risk-based approach

### 3. COBIT (Control Objectives for Information Technologies)

**COBIT** is an IT governance framework developed by ISACA. It helps organisations develop, organise, and implement strategies around IT governance and management.

### 4. CIS Controls

The **CIS Controls** are a prioritised set of actions that collectively form a defence-in-depth set of best practices. Version 8 contains 18 controls with 153 safeguards.

In [None]:
# Interactive: Framework Comparison Tool
# Complexity and Industry_Adoption are illustrative lecture scores, not survey data.

frameworks = {
    'Framework': ['NIST CSF', 'ISO 27001', 'COBIT 2019', 'CIS Controls v8'],
    'Developer': ['NIST (US)', 'ISO/IEC', 'ISACA', 'CIS'],
    'Type': ['Voluntary', 'Certifiable', 'Governance', 'Technical'],
    'Focus': ['Risk Management', 'ISMS', 'IT Governance', 'Technical Controls'],
    'Best_For': ['General security programme', 'Compliance/certification', 'Aligning IT with business', 'Technical implementation'],
    'Controls_Count': ['108 subcategories (v1.1; 106 in 2.0)', '93 Annex A controls', '40 governance/management objectives', '153 safeguards'],
    'Cost': ['Free', 'Paid Standard + Certification', 'Membership/Purchase', 'Free'],
    'Complexity': [7, 9, 8, 6],
    'Industry_Adoption': [85, 78, 65, 72]
}

df_frameworks = pd.DataFrame(frameworks)

# Display comparison table
print("📊 Cybersecurity Framework Comparison")
print("=" * 80)
display(df_frameworks[['Framework', 'Developer', 'Type', 'Focus', 'Best_For', 'Cost']])

In [None]:
# Radar chart comparing frameworks

categories = ['Risk Focus', 'Technical Depth', 'Compliance', 'Flexibility', 'Implementation Ease', 'Industry Recognition']

# Illustrative scores out of 10 for each framework (lecture estimates, not survey data)
nist_scores = [9, 7, 7, 9, 7, 9]
iso_scores = [8, 6, 10, 6, 5, 10]
cobit_scores = [7, 5, 8, 7, 6, 7]
cis_scores = [6, 10, 6, 7, 8, 8]

fig = go.Figure()

fig.add_trace(go.Scatterpolar(r=nist_scores + [nist_scores[0]], theta=categories + [categories[0]], name='NIST CSF', fill='toself'))
fig.add_trace(go.Scatterpolar(r=iso_scores + [iso_scores[0]], theta=categories + [categories[0]], name='ISO 27001', fill='toself'))
fig.add_trace(go.Scatterpolar(r=cobit_scores + [cobit_scores[0]], theta=categories + [categories[0]], name='COBIT', fill='toself'))
fig.add_trace(go.Scatterpolar(r=cis_scores + [cis_scores[0]], theta=categories + [categories[0]], name='CIS Controls', fill='toself'))

fig.update_layout(
    polar=dict(radialaxis=dict(visible=True, range=[0, 10])),
    showlegend=True,
    title='Framework Comparison Radar Chart',
    height=500
)

fig.show()

---

# Part 2: GDPR - General Data Protection Regulation

## Overview

The **General Data Protection Regulation (GDPR)**, Regulation (EU) 2016/679, has applied since **25 May 2018**. It is one of the most comprehensive data protection laws in the world, and its territorial reach (Article 3) goes well beyond EU-established organisations: it applies to any organisation with an establishment in the EU, and to organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU, wherever the processing itself takes place.

### Key Principles (Article 5)

1. **Lawfulness, Fairness, and Transparency**
2. **Purpose Limitation**
3. **Data Minimisation**
4. **Accuracy**
5. **Storage Limitation**
6. **Integrity and Confidentiality**
7. **Accountability**

In [None]:
# Interactive: GDPR Principles Assessment Tool

class GDPRComplianceChecker:
    def __init__(self):
        self.principles = {
            'Lawfulness': {
                'questions': [
                    'Do you have a documented legal basis for processing?',
                    'Is processing fair and transparent to data subjects?',
                    'Have you documented your lawful basis in privacy notices?'
                ],
                'weight': 15
            },
            'Purpose Limitation': {
                'questions': [
                    'Are purposes for processing clearly specified?',
                    'Is data only used for stated purposes?',
                    'Do you have controls preventing purpose creep?'
                ],
                'weight': 15
            },
            'Data Minimisation': {
                'questions': [
                    'Do you only collect data that is necessary?',
                    'Have you reviewed data collection practices?',
                    'Are there processes to delete unnecessary data?'
                ],
                'weight': 15
            },
            'Accuracy': {
                'questions': [
                    'Are there processes to keep data accurate?',
                    'Can data subjects easily update their data?',
                    'Is inaccurate data corrected or deleted promptly?'
                ],
                'weight': 10
            },
            'Storage Limitation': {
                'questions': [
                    'Do you have data retention policies?',
                    'Is data deleted when no longer necessary?',
                    'Are retention periods documented and justified?'
                ],
                'weight': 15
            },
            'Integrity & Confidentiality': {
                'questions': [
                    'Is personal data encrypted at rest and in transit?',
                    'Are there access controls and authentication?',
                    'Do you conduct regular security assessments?'
                ],
                'weight': 15
            },
            'Accountability': {
                'questions': [
                    'Do you have a Data Protection Officer (if required)?',
                    'Are GDPR policies and procedures documented?',
                    'Can you demonstrate compliance if audited?'
                ],
                'weight': 15
            }
        }
    
    def assess(self, responses: dict) -> dict:
        """Assess GDPR compliance based on responses"""
        results = {}
        total_score = 0
        max_score = 0
        
        for principle, data in self.principles.items():
            if principle in responses:
                score = sum(responses[principle]) / len(data['questions']) * data['weight']
                results[principle] = {
                    'score': round(score, 1),
                    'max': data['weight'],
                    'percentage': round(score / data['weight'] * 100, 1)
                }
                total_score += score
                max_score += data['weight']
        
        results['overall'] = {
            'score': round(total_score, 1),
            'max': max_score,
            'percentage': round(total_score / max_score * 100, 1) if max_score > 0 else 0
        }
        
        return results

# Example assessment
checker = GDPRComplianceChecker()

# Sample responses (1 = Yes/Compliant, 0 = No/Non-compliant)
sample_responses = {
    'Lawfulness': [1, 1, 0],  # 2/3 compliant
    'Purpose Limitation': [1, 1, 1],  # 3/3 compliant
    'Data Minimisation': [1, 0, 0],  # 1/3 compliant
    'Accuracy': [1, 1, 1],  # 3/3 compliant
    'Storage Limitation': [0, 0, 1],  # 1/3 compliant
    'Integrity & Confidentiality': [1, 1, 1],  # 3/3 compliant
    'Accountability': [1, 1, 0]  # 2/3 compliant
}

results = checker.assess(sample_responses)

print("📋 GDPR Compliance Assessment Results")
print("=" * 50)
for principle, scores in results.items():
    if principle != 'overall':
        status = "✅" if scores['percentage'] >= 80 else "⚠️" if scores['percentage'] >= 50 else "❌"
        print(f"{status} {principle}: {scores['score']}/{scores['max']} ({scores['percentage']}%)")

print("\n" + "=" * 50)
overall = results['overall']
print(f"📊 OVERALL SCORE: {overall['score']}/{overall['max']} ({overall['percentage']}%)")

if overall['percentage'] >= 80:
    print("\n🎉 Good compliance posture!")
elif overall['percentage'] >= 50:
    print("\n⚠️ Moderate compliance - improvements needed")
else:
    print("\n❌ Significant compliance gaps - urgent attention required")

In [None]:
# Visualise GDPR compliance results

principles = [p for p in results.keys() if p != 'overall']
percentages = [results[p]['percentage'] for p in principles]

colors = ['#2ecc71' if p >= 80 else '#f39c12' if p >= 50 else '#e74c3c' for p in percentages]

fig = go.Figure(data=[
    go.Bar(
        x=principles,
        y=percentages,
        marker_color=colors,
        text=[f'{p}%' for p in percentages],
        textposition='outside'
    )
])

fig.add_hline(y=80, line_dash="dash", line_color="green", annotation_text="Target (80%)")
fig.add_hline(y=50, line_dash="dash", line_color="orange", annotation_text="Minimum (50%)")

fig.update_layout(
    title='GDPR Compliance by Principle',
    xaxis_title='GDPR Principle',
    yaxis_title='Compliance %',
    yaxis_range=[0, 110],
    height=500
)

fig.show()

## GDPR in Ireland: The Data Protection Commission (DPC)

Ireland's **Data Protection Commission (DPC)** is the lead supervisory authority for many of the world's largest technology companies due to their European headquarters being located in Ireland.

### Key DPC Statistics (2024, approximate)

| Metric | Value |
|--------|-------|
| Total fines issued since GDPR | €3+ billion |
| Major investigations concluded | 30+ |
| Staff employed | 200+ |
| Annual budget | €25+ million |

### Notable DPC Fines

- **Meta (Instagram)**: €405 million (2022) - Children's data
- **Meta (Facebook)**: €1.2 billion (2023) - Data transfers to the US
- **TikTok**: €345 million (2023) - Children's data
- **WhatsApp**: €225 million (2021) - Transparency
- **LinkedIn**: €310 million (2024) - Legal basis for targeted advertising

In [None]:
# DPC Enforcement Timeline Visualisation
# Headline administrative fines announced by the DPC, in EUR millions.
# Labels are kept unique because Plotly stacks bars that share a category value,
# which would silently add Meta's separate fines into one bar.

dpc_fines = {
    'Company': ['Twitter', 'WhatsApp', 'Meta (breach records)', 'Meta (scraping)', 'Instagram',
                'Meta (ad legal basis)', 'Meta (data transfers)', 'TikTok',
                'Meta (plaintext passwords)', 'LinkedIn'],
    'Fine_EUR_Millions': [0.45, 225, 17, 265, 405, 390, 1200, 345, 91, 310],
    'Year': [2020, 2021, 2022, 2022, 2022, 2023, 2023, 2023, 2024, 2024],
    'Violation': [
        'Late breach notification (Art. 33)',
        'Transparency obligations (Arts. 12-14)',
        'Breach notification record-keeping (Arts. 5(2), 24)',
        'Data scraping - data protection by design (Art. 25)',
        "Children's data protection",
        'Legal basis for behavioural advertising (Art. 6)',
        'Data transfers to the US (Chapter V)',
        "Children's data protection",
        'Passwords stored in plaintext (Art. 32)',
        'Legal basis for targeted advertising (Art. 6)'
    ]
}

df_fines = pd.DataFrame(dpc_fines)
df_fines = df_fines.sort_values('Fine_EUR_Millions', ascending=True)

fig = px.bar(df_fines, 
             y='Company', 
             x='Fine_EUR_Millions',
             color='Year',
             text='Fine_EUR_Millions',
             orientation='h',
             title='Major DPC GDPR Fines (Ireland)',
             labels={'Fine_EUR_Millions': 'Fine (€ Millions)', 'Company': ''},
             hover_data=['Violation'])

fig.update_traces(texttemplate='€%{text}M', textposition='outside')
fig.update_layout(height=500, xaxis_range=[0, 1400])
fig.show()

In [None]:
# GDPR Data Breach Notification Calculator

class BreachNotificationCalculator:
    """
    GDPR Article 33 & 34 - Data Breach Notification Requirements

    Art. 33(1): the controller notifies the supervisory authority without undue delay
    and, where feasible, within 72 hours of becoming aware, unless the breach is
    unlikely to result in a risk to the rights and freedoms of natural persons.
    A notification made after 72 hours must state the reasons for the delay.
    Art. 33(5): every breach is documented, whether or not it is notified.
    Art. 34(1): data subjects are informed without undue delay when the breach is
    likely to result in a HIGH risk. Art. 34(3) lifts that duty where the data were
    unintelligible to unauthorised persons (e.g. encrypted with an uncompromised key)
    or where later measures have removed the high risk.

    GDPR sets no numeric thresholds: record counts and data categories feed the risk
    rating, they do not decide notification on their own.
    """

    # Art. 9 special categories; their presence normally pushes the risk rating up
    SPECIAL_CATEGORIES = {'health', 'biometric', 'genetic', 'political', 'religious',
                          'philosophical', 'union', 'ethnic', 'sexual'}
    # Not special categories, but treated as high-impact data in EDPB breach guidance
    HIGH_IMPACT = {'financial', 'payment', 'password', 'credential', 'identity_document'}

    def __init__(self, breach_discovery_time: datetime):
        # The clock runs from "becoming aware", not from the intrusion itself
        self.discovery_time = breach_discovery_time
        # 72 calendar hours: weekends and public holidays count
        self.dpa_deadline = breach_discovery_time + timedelta(hours=72)

    def assess_notification_requirements(self,
                                         risk_to_rights: str,  # 'unlikely', 'likely', 'high'
                                         data_types: list,
                                         records_affected: int,
                                         data_unintelligible: bool = False) -> dict:
        """
        Apply the Art. 33 / Art. 34 tests to the assessed risk level
        """
        if risk_to_rights not in ('unlikely', 'likely', 'high'):
            raise ValueError("risk_to_rights must be 'unlikely', 'likely' or 'high'")

        types = {d.lower() for d in data_types}
        special = types & self.SPECIAL_CATEGORIES
        high_impact = types & self.HIGH_IMPACT

        assessment = {
            'discovery_time': self.discovery_time.strftime('%Y-%m-%d %H:%M'),
            'dpa_deadline': self.dpa_deadline.strftime('%Y-%m-%d %H:%M'),
            'time_remaining': str(self.dpa_deadline - datetime.now()),
            'notify_dpa': risk_to_rights != 'unlikely',       # Art. 33(1)
            'notify_individuals': risk_to_rights == 'high',   # Art. 34(1)
            'reasoning': []
        }

        if assessment['notify_dpa']:
            assessment['reasoning'].append(
                'Risk to rights and freedoms is not unlikely - notify the DPC within 72 hours of becoming aware (Art. 33); give reasons if later')
        else:
            assessment['reasoning'].append(
                'Breach rated unlikely to result in a risk - no DPC notification, but record it in the breach register (Art. 33(5))')

        # Data categories do not change the legal test, but they should trigger a re-check of the rating
        if special or high_impact:
            assessment['reasoning'].append(
                f"Sensitive data involved ({', '.join(sorted(special | high_impact))}), {records_affected:,} records - "
                "re-validate any 'unlikely' or 'likely' rating against EDPB breach notification guidance")

        if risk_to_rights == 'high':
            if data_unintelligible:
                assessment['notify_individuals'] = False
                assessment['reasoning'].append(
                    'Data were unintelligible to the attacker (e.g. encrypted, key not compromised) - Art. 34(3)(a) exempts individual communication; DPC notification still required')
            else:
                assessment['reasoning'].append(
                    'High risk to individuals - communicate the breach to affected data subjects without undue delay (Art. 34)')

        return assessment

# Example usage
print("🚨 GDPR Breach Notification Assessment Tool")
print("=" * 60)

# Simulate a breach discovered now
breach_time = datetime.now()
calculator = BreachNotificationCalculator(breach_time)

# Example breach scenario
assessment = calculator.assess_notification_requirements(
    risk_to_rights='high',
    data_types=['email', 'password', 'health'],
    records_affected=50000
)

print(f"\n📅 Breach Discovered: {assessment['discovery_time']}")
print(f"⏰ DPA Notification Deadline: {assessment['dpa_deadline']}")
print(f"⏳ Time Remaining: {assessment['time_remaining']}")
print(f"\n📋 Notification Requirements:")
print(f"   - Notify DPA (Data Protection Commission): {'✅ YES' if assessment['notify_dpa'] else '❌ NO'}")
print(f"   - Notify Affected Individuals: {'✅ YES' if assessment['notify_individuals'] else '❌ NO'}")
print(f"\n📝 Reasoning:")
for reason in assessment['reasoning']:
    print(f"   • {reason}")

---

# Part 3: NIS2 Directive

## Overview

The **Network and Information Security Directive 2 (NIS2)**, Directive (EU) 2022/2555, is the EU's updated cybersecurity legislation, replacing the original NIS Directive (EU) 2016/1148. Member states had until **17 October 2024** to transpose it into national law, and its provisions apply from 18 October 2024.

### Key Differences: NIS vs NIS2

| Aspect | NIS (2016) | NIS2 (2022) |
|--------|------------|-------------|
| Scope | 7 sectors of Operators of Essential Services, plus Digital Service Providers | 18 sectors (11 in Annex I, 7 in Annex II) |
| Entity Classification | OES identified one by one by each member state; DSPs | Essential and Important entities, in scope automatically by sector and size (the size-cap rule) |
| Incident Reporting | "Without undue delay", no fixed period | 24h early warning, 72h notification, final report within one month |
| Penalties | Member state discretion | Essential: up to €10M or 2% of global turnover; Important: up to €7M or 1.4% |
| Management Liability | Not addressed | Management bodies must approve and oversee the measures and can be held personally liable (Art. 20) |
| Supply Chain | Not addressed | Supply chain security is a mandatory measure (Art. 21(2)(d)) |

In [None]:
# NIS2 Sector Classification Tool

class NIS2Classifier:
    """
    Determines if an organisation falls under NIS2 and classifies it.

    Scope (Art. 2) combines the sector annexes with the size-cap rule: medium-sized
    and large enterprises under Recommendation 2003/361/EC. Art. 3 then splits
    in-scope entities into essential (large Annex I entities, plus a few entity
    types whatever their size) and important (the rest).
    """
    
    def __init__(self):
        # Sectors of high criticality (Annex I)
        self.essential_sectors = {
            'energy': ['electricity', 'oil', 'gas', 'hydrogen', 'district_heating'],
            'transport': ['air', 'rail', 'water', 'road'],
            'banking': ['credit_institutions'],
            'financial_market': ['trading_venues', 'central_counterparties'],
            'health': ['healthcare_providers', 'eu_laboratories', 'pharma_rd', 'medical_devices'],
            'drinking_water': ['water_supply'],
            'waste_water': ['waste_water_treatment'],
            'digital_infrastructure': ['internet_exchange', 'dns', 'tld', 'cloud', 'data_centre', 'cdn', 'trust_services', 'telecom'],
            'ict_service_management': ['managed_service_providers', 'managed_security_providers'],
            'public_administration': ['central_government', 'regional_government'],
            'space': ['space_operators']
        }
        
        # Other critical sectors (Annex II)
        self.important_sectors = {
            'postal': ['postal_services', 'courier_services'],
            'waste_management': ['waste_collection', 'waste_treatment'],
            'chemicals': ['chemical_manufacturing', 'chemical_distribution'],
            'food': ['food_production', 'food_processing', 'food_distribution'],
            'manufacturing': ['medical_devices', 'computers', 'electrical', 'machinery', 'motor_vehicles', 'transport_equipment'],
            'digital_providers': ['online_marketplaces', 'search_engines', 'social_networks'],
            'research': ['research_organisations']
        }

        # In scope regardless of size (Art. 2(2)(a) and (f))
        self.size_independent = {'dns', 'tld', 'trust_services', 'telecom', 'central_government'}
        # Essential whatever their size (Art. 3(1)(b), (e)). 'trust_services' here means
        # qualified trust service providers; non-qualified ones are important entities.
        self.always_essential = {'dns', 'tld', 'trust_services', 'central_government'}
        
        # Size thresholds (Recommendation 2003/361/EC): a class is reached by headcount,
        # or by exceeding BOTH the turnover and the balance-sheet ceiling
        self.size_thresholds = {
            'large': {'employees': 250, 'turnover': 50_000_000, 'balance_sheet': 43_000_000},
            'medium': {'employees': 50, 'turnover': 10_000_000, 'balance_sheet': 10_000_000}
        }

    def size_class(self, employees: int, turnover: float, balance_sheet: float = None) -> str:
        """
        Return 'large', 'medium' or 'small'. When the balance-sheet total is not
        supplied the turnover stands in for it, which is an approximation.
        """
        if balance_sheet is None:
            balance_sheet = turnover
        for size in ('large', 'medium'):
            t = self.size_thresholds[size]
            if employees >= t['employees'] or (turnover > t['turnover'] and balance_sheet > t['balance_sheet']):
                return size
        return 'small'
    
    def classify(self, sector: str, subsector: str, employees: int, turnover: float,
                 balance_sheet: float = None) -> dict:
        """
        Classify an organisation under NIS2
        """
        result = {
            'in_scope': False,
            'classification': None,
            'sector_type': None,
            'size_class': None,
            'requirements': [],
            'reporting_deadlines': {}
        }
        sector, subsector = sector.lower(), subsector.lower()
        
        # Sector test: Annex I first, then Annex II
        if subsector in self.essential_sectors.get(sector, []):
            result['in_scope'] = True
            result['sector_type'] = 'Essential (Annex I)'
        elif subsector in self.important_sectors.get(sector, []):
            result['in_scope'] = True
            result['sector_type'] = 'Important (Annex II)'
        
        if not result['in_scope']:
            result['classification'] = 'Out of scope'
            return result
        
        # Size-cap test
        size = self.size_class(employees, turnover, balance_sheet)
        result['size_class'] = size
        if size == 'small' and subsector not in self.size_independent:
            result['in_scope'] = False
            result['classification'] = 'Below size threshold (generally out of scope)'
            return result

        # Essential vs important (Art. 3): large Annex I entities, the always-essential
        # types, and public telecoms providers from medium size upwards (Art. 3(1)(c))
        annex_i_large = result['sector_type'] == 'Essential (Annex I)' and size == 'large'
        telecom_medium_plus = subsector == 'telecom' and size != 'small'
        if subsector in self.always_essential or annex_i_large or telecom_medium_plus:
            result['classification'] = 'Essential Entity'
        else:
            result['classification'] = 'Important Entity'
        
        # Obligations common to both classes (Arts. 20, 21, 23)
        result['requirements'] = [
            'Risk management measures (Art. 21)',
            'Incident reporting obligations (Art. 23)',
            'Supply chain security',
            'Business continuity management',
            'Encryption and access control policies',
            'Vulnerability handling and disclosure',
            'Cybersecurity training for management (Art. 20)',
            'Regular security assessments'
        ]
        
        if result['classification'] == 'Essential Entity':
            result['requirements'].extend([
                'Subject to proactive (ex ante) supervision, including regular audits (Art. 32)',
                'Penalty exposure up to €10M or 2% of global turnover (Art. 34)'
            ])
        else:
            result['requirements'].extend([
                'Subject to reactive (ex post) supervision on evidence of non-compliance (Art. 33)',
                'Penalty exposure up to €7M or 1.4% of global turnover (Art. 34)'
            ])
        
        # Reporting deadlines for significant incidents (Art. 23(4)), measured from becoming aware
        result['reporting_deadlines'] = {
            'early_warning': '24 hours',
            'incident_notification': '72 hours',
            'intermediate_report': 'Upon request of the CSIRT or competent authority',
            'final_report': '1 month after the 72-hour notification (if still ongoing: progress report then, final report 1 month after handling)'
        }
        
        return result

# Example classifications
classifier = NIS2Classifier()

examples = [
    {'sector': 'digital_infrastructure', 'subsector': 'cloud', 'employees': 500, 'turnover': 100000000},
    {'sector': 'health', 'subsector': 'healthcare_providers', 'employees': 150, 'turnover': 25000000},
    {'sector': 'food', 'subsector': 'food_production', 'employees': 300, 'turnover': 80000000},
    {'sector': 'digital_infrastructure', 'subsector': 'dns', 'employees': 12, 'turnover': 900000},
    {'sector': 'retail', 'subsector': 'clothing', 'employees': 1000, 'turnover': 500000000},
]

print("🏢 NIS2 Classification Examples")
print("=" * 70)

for ex in examples:
    result = classifier.classify(**ex)
    print(f"\n📍 {ex['sector'].title()} - {ex['subsector'].title()}")
    print(f"   Employees: {ex['employees']:,} | Turnover: €{ex['turnover']:,.0f}")
    print(f"   ➡️  In Scope: {'✅ YES' if result['in_scope'] else '❌ NO'}")
    print(f"   ➡️  Classification: {result['classification']}")
    if result['sector_type']:
        print(f"   ➡️  Sector Type: {result['sector_type']} | Size class: {result['size_class']}")

In [None]:
# NIS2 Incident Reporting Timeline Visualisation

import plotly.figure_factory as ff

# Define the NIS2 Art. 23(4) reporting timeline, measured from becoming aware.
# "One month" is a calendar month; 30 days is used here for the chart.
incident_time = datetime.now()
notification_due = incident_time + timedelta(hours=72)

timeline_data = [
    dict(Task="Early Warning", Start=incident_time, Finish=incident_time + timedelta(hours=24), Resource="Mandatory"),
    dict(Task="Incident Notification", Start=incident_time, Finish=notification_due, Resource="Mandatory"),
    dict(Task="Intermediate Report", Start=notification_due, Finish=notification_due + timedelta(days=30), Resource="Upon Request"),
    dict(Task="Final Report", Start=notification_due, Finish=notification_due + timedelta(days=30), Resource="Mandatory"),
]

df_timeline = pd.DataFrame(timeline_data)

colors = {'Mandatory': '#e74c3c', 'Upon Request': '#f39c12'}

fig = ff.create_gantt(df_timeline, 
                       colors=colors,
                       index_col='Resource',
                       show_colorbar=True,
                       group_tasks=True,
                       title='NIS2 Incident Reporting Timeline')

fig.update_layout(height=400)
fig.show()

print("\n📋 NIS2 Incident Reporting Requirements (Art. 23(4)):")
print("\n1️⃣  EARLY WARNING (24 hours)")
print("   • Notify the CSIRT or competent authority (in Ireland, CSIRT-IE)")
print("   • Indicate if incident is suspected to be caused by unlawful/malicious acts")
print("   • Indicate if incident could have cross-border impact")

print("\n2️⃣  INCIDENT NOTIFICATION (72 hours)")
print("   • Update to early warning")
print("   • Initial assessment of severity and impact")
print("   • Indicators of compromise (where available)")

print("\n3️⃣  INTERMEDIATE REPORT (upon request)")
print("   • Status updates on incident handling")
print("   • Requested by CSIRT/competent authority")

print("\n4️⃣  FINAL REPORT (1 month after the 72-hour notification)")
print("   • Detailed description of incident, including severity and impact")
print("   • Type of threat or root cause")
print("   • Mitigation measures applied and ongoing")
print("   • Cross-border impact (if applicable)")
print("   • If the incident is still ongoing: progress report now, final report within 1 month of handling (Art. 23(4)(e))")
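The GDPR and NIS2 clocks above both start from the same moment of becoming aware, so a multinational in Ireland that suffers one incident can owe the DPC an Article 33 notification and CSIRT-IE an Article 23 early warning and notification in parallel. The following is an added example and not code from the original notebook: a small obligation tracker that derives every deadline from a single timezone-aware awareness timestamp, treats "one month" as a calendar month rather than 30 days, and handles the Art. 23(4)(e) case where the incident is still ongoing when the final report falls due. The `IncidentFacts` record, the scenario values and the recipient names are assumptions made for this example.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class IncidentFacts:
    """Facts the incident commander has to hand. Constructed for this example."""
    aware_at: datetime                  # moment the entity 'became aware' (timezone-aware)
    personal_data_affected: bool        # GDPR Art. 33 only applies to personal data breaches
    gdpr_risk: str                      # 'unlikely', 'likely' or 'high' (Art. 33(1), Art. 34(1))
    nis2_in_scope: bool                 # essential or important entity under NIS2
    nis2_significant: bool              # passes the Art. 23(3) significance test
    resolved_at: Optional[datetime] = None  # None while handling is still ongoing


@dataclass
class Obligation:
    regime: str
    step: str
    recipient: str
    due: datetime
    note: str = ''


def plus_one_month(dt: datetime) -> datetime:
    """Calendar month, not 30 days: 31 Jan -> 28/29 Feb, 31 Oct -> 30 Nov."""
    year, month = (dt.year + 1, 1) if dt.month == 12 else (dt.year, dt.month + 1)
    return dt.replace(year=year, month=month,
                      day=min(dt.day, calendar.monthrange(year, month)[1]))


def reporting_obligations(f: IncidentFacts) -> List[Obligation]:
    """Every reporting deadline the incident triggers, earliest first."""
    if f.aware_at.tzinfo is None or (f.resolved_at is not None and f.resolved_at.tzinfo is None):
        raise ValueError("timestamps must be timezone-aware; the 24h/72h clocks are absolute")
    obs: List[Obligation] = []

    # GDPR Art. 33: 72 calendar hours from awareness unless the breach is unlikely to result in a risk
    if f.personal_data_affected and f.gdpr_risk in ('likely', 'high'):
        obs.append(Obligation('GDPR', 'Art. 33 breach notification', 'DPC',
                              f.aware_at + timedelta(hours=72),
                              'weekends count; a later notification must give reasons for the delay'))
    # GDPR Art. 34: data subjects, without undue delay, when the risk is high
    if f.personal_data_affected and f.gdpr_risk == 'high':
        obs.append(Obligation('GDPR', 'Art. 34 communication', 'affected data subjects',
                              f.aware_at, 'without undue delay; no fixed period, so listed at awareness'))

    # NIS2 Art. 23(4): early warning, notification, then final or progress report
    if f.nis2_in_scope and f.nis2_significant:
        notification_due = f.aware_at + timedelta(hours=72)
        obs.append(Obligation('NIS2', 'Art. 23(4)(a) early warning', 'CSIRT-IE',
                              f.aware_at + timedelta(hours=24)))
        obs.append(Obligation('NIS2', 'Art. 23(4)(b) incident notification', 'CSIRT-IE',
                              notification_due))
        final_due = plus_one_month(notification_due)
        if f.resolved_at is not None and f.resolved_at <= final_due:
            obs.append(Obligation('NIS2', 'Art. 23(4)(d) final report', 'CSIRT-IE', final_due))
        else:
            # Still ongoing at the final-report deadline: progress report now,
            # final report one month after handling (which needs a resolution time)
            obs.append(Obligation('NIS2', 'Art. 23(4)(e) progress report', 'CSIRT-IE', final_due,
                                  'incident still ongoing at the final-report deadline'))
            if f.resolved_at is not None:
                obs.append(Obligation('NIS2', 'Art. 23(4)(e) final report', 'CSIRT-IE',
                                      plus_one_month(f.resolved_at),
                                      'one month after handling of the incident'))
    return sorted(obs, key=lambda o: o.due)   # stable sort keeps GDPR before NIS2 on ties


def overdue(obs: List[Obligation], now: datetime) -> List[Obligation]:
    return [o for o in obs if o.due < now]


if __name__ == '__main__':
    # Constructed scenario: an Irish cloud provider (essential entity) loses a customer database
    facts = IncidentFacts(aware_at=datetime(2024, 10, 31, 9, 0, tzinfo=timezone.utc),
                          personal_data_affected=True, gdpr_risk='high',
                          nis2_in_scope=True, nis2_significant=True)
    for o in reporting_obligations(facts):
        print(f"{o.due:%Y-%m-%d %H:%M %Z}  {o.regime:4}  {o.step:36} -> {o.recipient}  {o.note}")
```

Note that the 31 October awareness time is chosen deliberately: 72 hours lands on 3 November, and a calendar month after that is 3 December, whereas a naive `timedelta(days=30)` would give a different date for any notification made late in a 31-day month.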

## NIS2 Implementation in Ireland

Ireland did not transpose NIS2 by the 17 October 2024 deadline. Transposition is being carried out through primary legislation, the **National Cyber Security Bill**, whose General Scheme was published by the Department of the Environment, Climate and Communications in 2024; in November 2024 the European Commission opened infringement proceedings against the member states, Ireland among them, that had not notified full transposition. Until the Bill is enacted, the NIS1 transposition, the European Union (Measures for a High Common Level of Security of Network and Information Systems) Regulations 2018 (S.I. No. 360 of 2018), remains the operative Irish law for OES and DSPs, so check the current status of the Bill before relying on any specific Irish provision.

### Key Irish Implementation Details (as proposed in the General Scheme)

- **National competent authority, single point of contact and national CSIRT**: the National Cyber Security Centre (NCSC), which already operates CSIRT-IE
- **Sector-specific lead competent authorities**: existing regulators for their own sectors, e.g. the Central Bank of Ireland for banking and financial market infrastructure and the Commission for Regulation of Utilities for energy and water, with the NCSC coordinating
- **Reporting route**: significant incidents are reported to CSIRT-IE, which acts as the NIS2 reporting channel alongside any sectoral obligations

In [None]:
# NIS2 Article 21 - Security Measures Checklist

nis2_security_measures = {
    'Risk Analysis & Information Security Policies': {
        'measures': [
            'Documented risk assessment methodology',
            'Regular risk assessments conducted',
            'Information security policy approved by management',
            'Policies reviewed and updated annually'
        ],
        'article': '21(2)(a)'
    },
    'Incident Handling': {
        'measures': [
            'Incident response plan documented',
            'Incident detection capabilities in place',
            'Incident classification and triage process',
            'Post-incident review process'
        ],
        'article': '21(2)(b)'
    },
    'Business Continuity & Crisis Management': {
        'measures': [
            'Business continuity plan documented',
            'Backup management and disaster recovery',
            'Crisis management procedures',
            'Regular testing of BC/DR plans'
        ],
        'article': '21(2)(c)'
    },
    'Supply Chain Security': {
        'measures': [
            'Supplier security assessment process',
            'Security requirements in contracts',
            'Monitoring of supplier security',
            'Supplier incident notification requirements'
        ],
        'article': '21(2)(d)'
    },
    'Network & Information Systems Security': {
        'measures': [
            'Secure acquisition and development',
            'Vulnerability management process',
            'Security in network and systems',
            'Secure configuration management'
        ],
        'article': '21(2)(e)'
    },
    'Security Measure Effectiveness': {
        'measures': [
            'Policies to assess cybersecurity measures',
            'Regular security assessments/audits',
            'Penetration testing programme',
            'Security metrics and KPIs'
        ],
        'article': '21(2)(f)'
    },
    'Cyber Hygiene & Training': {
        'measures': [
            'Basic cyber hygiene practices',
            'Regular cybersecurity training',
            'Management cybersecurity training',
            'Phishing awareness programme'
        ],
        'article': '21(2)(g)'
    },
    'Cryptography & Encryption': {
        'measures': [
            'Cryptography policy defined',
            'Encryption of data at rest',
            'Encryption of data in transit',
            'Key management procedures'
        ],
        'article': '21(2)(h)'
    },
    'HR Security & Access Control': {
        'measures': [
            'Human resources security policies',
            'Access control policy',
            'Asset management procedures',
            'Identity management and authentication'
        ],
        'article': '21(2)(i)'
    },
    'Multi-Factor Authentication': {
        'measures': [
            'MFA for administrative access',
            'MFA for remote access',
            'Secure communications systems',
            'Emergency communication systems'
        ],
        'article': '21(2)(j)'
    }
}

# Create an interactive checklist
print("📋 NIS2 Article 21 - Security Measures Compliance Checklist")
print("=" * 70)

total_measures = 0
for category, data in nis2_security_measures.items():
    print(f"\n🔹 {category} [{data['article']}]")
    for measure in data['measures']:
        print(f"   ☐ {measure}")
        total_measures += 1

print(f"\n{'=' * 70}")
print(f"📊 Total measures to assess: {total_measures}")

---

# Part 4: Organisational Adaptation and Challenges

## How Organisations Have Adapted

### Common Adaptation Strategies

1. **Governance Structure Changes**
   - Appointment of DPOs and CISOs
   - Board-level cybersecurity committees
   - Clear reporting lines to executive management

2. **Process Improvements**
   - Privacy by Design implementation
   - Enhanced incident response capabilities
   - Vendor risk management programmes

3. **Technology Investments**
   - Security Information and Event Management (SIEM)
   - Data Loss Prevention (DLP) tools
   - Identity and Access Management (IAM)

4. **Cultural Changes**
   - Security awareness training
   - Privacy culture development
   - Management accountability

In [None]:
# Compliance Maturity Assessment Tool

class ComplianceMaturityModel:
    """
    Assess organisational maturity across GDPR and NIS2 compliance domains
    Based on a 5-level maturity model:
    1 - Initial (ad hoc)
    2 - Developing (some processes)
    3 - Defined (documented processes)
    4 - Managed (measured and controlled)
    5 - Optimised (continuous improvement)
    """
    
    def __init__(self):
        self.domains = {
            'Governance & Leadership': {
                'description': 'Board oversight, policy framework, roles and responsibilities',
                'gdpr_relevance': 'High',
                'nis2_relevance': 'High'
            },
            'Risk Management': {
                'description': 'Risk identification, assessment, and treatment',
                'gdpr_relevance': 'High',
                'nis2_relevance': 'High'
            },
            'Data Protection': {
                'description': 'Personal data handling, privacy controls, DPIA',
                'gdpr_relevance': 'Critical',
                'nis2_relevance': 'Medium'
            },
            'Security Operations': {
                'description': 'Monitoring, detection, vulnerability management',
                'gdpr_relevance': 'Medium',
                'nis2_relevance': 'Critical'
            },
            'Incident Management': {
                'description': 'Detection, response, notification, recovery',
                'gdpr_relevance': 'High',
                'nis2_relevance': 'Critical'
            },
            'Supply Chain Security': {
                'description': 'Vendor assessment, contractual controls, monitoring',
                'gdpr_relevance': 'High',
                'nis2_relevance': 'High'
            },
            'Training & Awareness': {
                'description': 'Staff training, management awareness, culture',
                'gdpr_relevance': 'Medium',
                'nis2_relevance': 'High'
            },
            'Business Continuity': {
                'description': 'BC/DR planning, testing, crisis management',
                'gdpr_relevance': 'Medium',
                'nis2_relevance': 'Critical'
            }
        }
    
    def assess(self, scores: dict) -> dict:
        """Calculate maturity assessment results.

        `scores` maps domain name -> score on the 1-5 scale. Domains the model
        does not define are ignored, and the overall score averages only the
        domains that were actually assessed.
        """
        results = {}
        total = 0
        assessed = 0

        for domain, score in scores.items():
            if domain not in self.domains:
                continue
            if not 1 <= score <= 5:
                raise ValueError(f"Score for {domain!r} must be between 1 and 5, got {score}")
            results[domain] = {
                'score': score,
                'level': self._get_level_name(score),
                'gdpr_relevance': self.domains[domain]['gdpr_relevance'],
                'nis2_relevance': self.domains[domain]['nis2_relevance']
            }
            total += score
            assessed += 1

        if assessed == 0:
            raise ValueError("No recognised domains were scored")

        results['overall'] = {
            'score': round(total / assessed, 2),
            'level': self._get_level_name(total / assessed)
        }

        return results
    
    def _get_level_name(self, score):
        if score < 1.5:
            return '1 - Initial'
        elif score < 2.5:
            return '2 - Developing'
        elif score < 3.5:
            return '3 - Defined'
        elif score < 4.5:
            return '4 - Managed'
        else:
            return '5 - Optimised'

# Example assessment
model = ComplianceMaturityModel()

# Sample organisation scores (1-5 scale)
sample_scores = {
    'Governance & Leadership': 3.5,
    'Risk Management': 3.0,
    'Data Protection': 4.0,
    'Security Operations': 2.5,
    'Incident Management': 3.0,
    'Supply Chain Security': 2.0,
    'Training & Awareness': 3.5,
    'Business Continuity': 2.5
}

results = model.assess(sample_scores)

print("📊 Compliance Maturity Assessment Results")
print("=" * 70)
print(f"\n🎯 Overall Maturity: {results['overall']['score']}/5.0 - {results['overall']['level']}")
print("\n" + "-" * 70)

for domain, data in results.items():
    if domain != 'overall':
        emoji = "🟢" if data['score'] >= 4 else "🟡" if data['score'] >= 3 else "🟠" if data['score'] >= 2 else "🔴"
        print(f"{emoji} {domain}")
        print(f"   Score: {data['score']}/5 ({data['level']})")
        print(f"   GDPR Relevance: {data['gdpr_relevance']} | NIS2 Relevance: {data['nis2_relevance']}")

In [None]:
# Visualise maturity assessment

domains = [d for d in results.keys() if d != 'overall']
scores = [results[d]['score'] for d in domains]

# Create radar chart
fig = go.Figure()

fig.add_trace(go.Scatterpolar(
    r=scores + [scores[0]],
    theta=domains + [domains[0]],
    fill='toself',
    name='Current Maturity',
    line_color='#3498db'
))

# Add target level
target = [4] * len(domains)
fig.add_trace(go.Scatterpolar(
    r=target + [target[0]],
    theta=domains + [domains[0]],
    fill='toself',
    name='Target (Level 4)',
    line_color='#2ecc71',
    opacity=0.3
))

fig.update_layout(
    polar=dict(radialaxis=dict(visible=True, range=[0, 5])),
    showlegend=True,
    title='Compliance Maturity Assessment',
    height=600
)

fig.show()
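The assessment above averages every domain equally, although the domain table rates each one's relevance to GDPR and NIS2 differently. As an added example (not part of the original notebook), the function below weights each domain by its relevance to one regulation, returns a regulation-specific maturity score, and ranks the domains below target by weighted gap; the relevance weights (Critical=3, High=2, Medium=1) and the level-4 target taken from the radar chart are assumptions for illustration.

```python
# Added example (not the notebook's own tool): relevance-weighted maturity per regulation.
# Relevance ratings are copied from the ComplianceMaturityModel domain table above.
DOMAIN_RELEVANCE = {
    'Governance & Leadership': {'gdpr': 'High',     'nis2': 'High'},
    'Risk Management':         {'gdpr': 'High',     'nis2': 'High'},
    'Data Protection':         {'gdpr': 'Critical', 'nis2': 'Medium'},
    'Security Operations':     {'gdpr': 'Medium',   'nis2': 'Critical'},
    'Incident Management':     {'gdpr': 'High',     'nis2': 'Critical'},
    'Supply Chain Security':   {'gdpr': 'High',     'nis2': 'High'},
    'Training & Awareness':    {'gdpr': 'Medium',   'nis2': 'High'},
    'Business Continuity':     {'gdpr': 'Medium',   'nis2': 'Critical'},
}
RELEVANCE_WEIGHT = {'Critical': 3, 'High': 2, 'Medium': 1}  # assumed weights, for illustration
TARGET_LEVEL = 4  # the "Target (Level 4)" ring drawn in the radar chart

# Constructed input: the same sample scores used in the assessment above
SAMPLE_SCORES = {
    'Governance & Leadership': 3.5, 'Risk Management': 3.0, 'Data Protection': 4.0,
    'Security Operations': 2.5, 'Incident Management': 3.0, 'Supply Chain Security': 2.0,
    'Training & Awareness': 3.5, 'Business Continuity': 2.5,
}


def weighted_maturity(scores: dict, regulation: str, target: float = TARGET_LEVEL) -> dict:
    """Weighted mean maturity for 'gdpr' or 'nis2', plus the domains below target
    as (domain, score, weight, weighted_gap) tuples, largest weighted gap first."""
    if regulation not in ('gdpr', 'nis2'):
        raise ValueError("regulation must be 'gdpr' or 'nis2'")
    weighted_sum, weight_total, priorities = 0.0, 0, []
    for domain, score in scores.items():
        if domain not in DOMAIN_RELEVANCE:
            continue  # ignore domains the model does not define
        if not 1 <= score <= 5:
            raise ValueError(f"{domain}: score {score} is outside the 1-5 scale")
        weight = RELEVANCE_WEIGHT[DOMAIN_RELEVANCE[domain][regulation]]
        weighted_sum += weight * score
        weight_total += weight
        if score < target:
            priorities.append((domain, score, weight, round(weight * (target - score), 2)))
    if weight_total == 0:
        raise ValueError("no recognised domains were scored")
    weighted_score = weighted_sum / weight_total
    priorities.sort(key=lambda item: item[3], reverse=True)  # stable: ties keep input order
    return {
        'weighted_score': round(weighted_score, 2),
        'shortfall': round(max(target - weighted_score, 0.0), 2),
        'priorities': priorities,
    }


if __name__ == '__main__':
    for reg in ('gdpr', 'nis2'):
        result = weighted_maturity(SAMPLE_SCORES, reg)
        print(f"{reg.upper()}: weighted maturity {result['weighted_score']}/5, "
              f"shortfall to level {TARGET_LEVEL}: {result['shortfall']}")
        for domain, score, weight, gap in result['priorities'][:3]:
            print(f"   {domain}: score {score}, weight {weight}, weighted gap {gap}")
```

With the sample scores the NIS2-weighted figure (2.89) lands a full level below the GDPR-weighted one (3.11), because the weakest domains are exactly those NIS2 rates as critical.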

In [None]:
# Common Challenges Analysis

challenges_data = {
    'Challenge': [
        'Resource constraints (budget/staff)',
        'Keeping pace with regulatory changes',
        'Legacy system compatibility',
        'Supply chain complexity',
        'Cross-border data transfers',
        'Skills shortage',
        'Board/management engagement',
        'Incident detection capabilities',
        'Documentation and evidence',
        'Third-party risk management'
    ],
    'GDPR_Impact': [8, 7, 6, 9, 10, 7, 6, 5, 8, 9],
    'NIS2_Impact': [9, 9, 8, 10, 5, 9, 8, 10, 7, 10],
    'Frequency': [85, 78, 72, 68, 65, 82, 58, 75, 70, 77]
}

df_challenges = pd.DataFrame(challenges_data)
df_challenges['Combined_Impact'] = (df_challenges['GDPR_Impact'] + df_challenges['NIS2_Impact']) / 2
df_challenges = df_challenges.sort_values('Combined_Impact', ascending=True)

fig = go.Figure()

fig.add_trace(go.Bar(
    y=df_challenges['Challenge'],
    x=df_challenges['GDPR_Impact'],
    name='GDPR Impact',
    orientation='h',
    marker_color='#3498db'
))

fig.add_trace(go.Bar(
    y=df_challenges['Challenge'],
    x=df_challenges['NIS2_Impact'],
    name='NIS2 Impact',
    orientation='h',
    marker_color='#e74c3c'
))

fig.update_layout(
    barmode='group',
    title='Common Compliance Challenges: GDPR vs NIS2 Impact',
    xaxis_title='Impact Score (1-10)',
    height=500,
    legend=dict(x=0.7, y=0.1)
)

fig.show()

---

# Part 5: Future Directions

## Emerging Regulatory Landscape

### Key EU Regulations to Watch

| Regulation | Status | Key Impact |
|------------|--------|------------|
| **AI Act** | In force (Aug 2024) | AI system risk classification, prohibited practices |
| **Digital Operational Resilience Act (DORA)** | Applicable Jan 2025 | Financial services ICT risk management |
| **Cyber Resilience Act (CRA)** | Entering force 2024-2027 | Security requirements for products with digital elements |
| **Data Act** | Applicable Sept 2025 | Fair access to and use of data |
| **European Health Data Space (EHDS)** | Proposed | Health data sharing and secondary use |

### Emerging Threats and Governance Implications

1. **AI-Powered Attacks**: Sophisticated phishing, deepfakes, automated vulnerability exploitation
2. **Supply Chain Attacks**: Increased focus on third-party risk (see SolarWinds, Kaseya)
3. **Cloud Security**: Shared responsibility models, multi-cloud complexity
4. **Quantum Computing**: Post-quantum cryptography transition planning
5. **OT/IoT Security**: Convergence of IT and operational technology

In [None]:
# Regulatory Timeline Visualisation

regulations = [
    {'Regulation': 'GDPR', 'Start': '2018-05-25', 'Type': 'Data Protection', 'Status': 'In Force'},
    {'Regulation': 'NIS', 'Start': '2018-05-09', 'Type': 'Cybersecurity', 'Status': 'Replaced by NIS2'},
    {'Regulation': 'NIS2', 'Start': '2024-10-17', 'Type': 'Cybersecurity', 'Status': 'In Force'},
    {'Regulation': 'AI Act', 'Start': '2024-08-01', 'Type': 'AI Governance', 'Status': 'Phased Implementation'},
    {'Regulation': 'DORA', 'Start': '2025-01-17', 'Type': 'Financial Services', 'Status': 'Applicable'},
    {'Regulation': 'Cyber Resilience Act', 'Start': '2027-12-11', 'Type': 'Product Security', 'Status': 'Phased Implementation'},
    {'Regulation': 'Data Act', 'Start': '2025-09-12', 'Type': 'Data Sharing', 'Status': 'Applicable'},
]

df_regs = pd.DataFrame(regulations)
df_regs['Start'] = pd.to_datetime(df_regs['Start'])
# px.timeline needs a per-row end column, not a single scalar date
df_regs['End'] = pd.to_datetime('2028-01-01')
df_regs = df_regs.sort_values('Start')

fig = px.timeline(df_regs,
                  x_start='Start',
                  x_end='End',
                  y='Regulation',
                  color='Type',
                  title='EU Regulatory Timeline',
                  hover_data=['Status'])

fig.add_vline(x=datetime.now(), line_dash="dash", line_color="red", annotation_text="Today")
fig.update_layout(height=400)
fig.show()

In [None]:
# Future-Ready Governance Framework Assessment

future_readiness = {
    'Capability': [
        'AI Governance Framework',
        'Zero Trust Architecture',
        'Supply Chain Risk Management',
        'Cloud Security Posture Management',
        'Threat Intelligence Integration',
        'Automated Compliance Monitoring',
        'Post-Quantum Cryptography Planning',
        'OT/IoT Security Integration',
        'Privacy-Enhancing Technologies',
        'Cyber Insurance Strategy'
    ],
    'Current_Adoption': [25, 45, 55, 60, 50, 35, 10, 40, 30, 65],
    'Importance_2025': [85, 90, 95, 85, 80, 75, 40, 70, 60, 70],
    'Regulatory_Driver': [
        'AI Act',
        'NIS2, DORA',
        'NIS2, DORA, CRA',
        'NIS2, DORA',
        'NIS2',
        'GDPR, NIS2, DORA',
        'Future standards',
        'NIS2, CRA',
        'GDPR, AI Act',
        'Market-driven'
    ]
}

df_future = pd.DataFrame(future_readiness)
df_future['Gap'] = df_future['Importance_2025'] - df_future['Current_Adoption']
df_future = df_future.sort_values('Gap', ascending=False)

print("🔮 Future Governance Capabilities: Gap Analysis")
print("=" * 70)

for _, row in df_future.iterrows():
    priority = "🔴 HIGH" if row['Gap'] > 50 else "🟡 MEDIUM" if row['Gap'] > 30 else "🟢 LOW"
    print(f"\n{priority} PRIORITY: {row['Capability']}")
    print(f"   Current Adoption: {row['Current_Adoption']}%")
    print(f"   Importance 2025: {row['Importance_2025']}%")
    print(f"   Gap: {row['Gap']} percentage points")
    print(f"   Regulatory Driver: {row['Regulatory_Driver']}")

In [None]:
# Gap analysis visualisation

fig = go.Figure()

fig.add_trace(go.Bar(
    name='Current Adoption',
    x=df_future['Capability'],
    y=df_future['Current_Adoption'],
    marker_color='#3498db'
))

fig.add_trace(go.Bar(
    name='2025 Importance',
    x=df_future['Capability'],
    y=df_future['Importance_2025'],
    marker_color='#2ecc71'
))

fig.update_layout(
    barmode='group',
    title='Future Governance Capabilities: Current vs Required',
    xaxis_tickangle=-45,
    yaxis_title='Percentage (%)',
    height=500,
    legend=dict(x=0.7, y=0.95)
)

fig.show()

---

# Part 6: Practical Exercise

## Scenario: TechCorp Ireland Ltd

**Background:**
TechCorp Ireland Ltd is a multinational technology company with its European headquarters in Dublin. The company:

- Provides cloud computing services to enterprise customers across Europe
- Has 800 employees in Ireland, 5,000 globally
- Annual turnover: €200 million
- Processes personal data of 2 million EU customers
- Recently experienced a data breach affecting 50,000 records

**Your Task:**
Using the tools provided in this notebook, assess TechCorp's regulatory obligations and compliance status.

In [None]:
# Exercise: Classify TechCorp under NIS2

print("📝 Exercise 1: NIS2 Classification")
print("=" * 50)
print("\nClassify TechCorp Ireland Ltd under NIS2")
print("\nHints:")
print("- What sector does cloud computing fall under?")
print("- What is the employee count and turnover?")
print("- Is TechCorp an Essential or Important entity?")

# Students should run this:
techcorp_classification = classifier.classify(
    sector='digital_infrastructure',
    subsector='cloud',
    employees=800,
    turnover=200000000
)

print("\n✅ Classification Result:")
print(f"   In Scope: {techcorp_classification['in_scope']}")
print(f"   Classification: {techcorp_classification['classification']}")
print(f"   Sector Type: {techcorp_classification['sector_type']}")

print("\n📋 Key Requirements:")
for req in techcorp_classification['requirements'][:5]:
    print(f"   • {req}")

In [None]:
# Exercise: Assess the data breach scenario

print("📝 Exercise 2: Data Breach Notification Assessment")
print("=" * 50)
print("\nScenario: TechCorp discovered a breach at 09:00 today")
print("- Records affected: 50,000")
print("- Data types: email addresses, names, encrypted passwords")
print("- Risk assessment: High (credentials could be brute-forced)")

# Students should run this:
# Discovery at 09:00 today, with seconds and microseconds zeroed so the deadlines print cleanly
breach_time = datetime.now().replace(hour=9, minute=0, second=0, microsecond=0)
breach_calc = BreachNotificationCalculator(breach_time)

techcorp_breach = breach_calc.assess_notification_requirements(
    risk_to_rights='high',
    data_types=['email', 'names', 'passwords'],
    records_affected=50000
)

print("\n✅ Notification Assessment:")
print(f"   Discovery Time: {techcorp_breach['discovery_time']}")
print(f"   DPA Deadline: {techcorp_breach['dpa_deadline']}")
print(f"   Notify DPC: {'YES' if techcorp_breach['notify_dpa'] else 'NO'}")
print(f"   Notify Individuals: {'YES' if techcorp_breach['notify_individuals'] else 'NO'}")

print("\n📋 Reasoning:")
for reason in techcorp_breach['reasoning']:
    print(f"   • {reason}")

print("\n⚠️  Additionally under NIS2:")
print("   • Early Warning to NCSC due within: 24 hours")
print("   • Incident Notification due within: 72 hours")
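The exercise treats the GDPR clock and the NIS2 clock separately. As an added example (not part of the notebook and independent of the BreachNotificationCalculator defined earlier), the function below builds one deadline schedule from the discovery time using the periods the lecture cites: 72 hours to the DPA under GDPR Art. 33, and under NIS2 Art. 23 a 24-hour early warning, a 72-hour incident notification and a final report one month after that notification. Two assumptions are made: the Art. 34 communication to individuals ("without undue delay") is given the same 72-hour working target, and "one month" is approximated as 30 days.

```python
# Added example: a single GDPR + NIS2 notification schedule from the time of discovery.
# Periods come from the lecture (GDPR Art. 33, NIS2 Art. 23); the one-month final report
# is approximated as 30 days and the 72 h Art. 34 working target is an assumption.
from datetime import datetime, timedelta

GDPR_DPA_HOURS = 72           # Art. 33(1): where feasible, within 72 hours of becoming aware
NIS2_EARLY_WARNING_HOURS = 24
NIS2_NOTIFICATION_HOURS = 72
NIS2_FINAL_REPORT_DAYS = 30   # "one month" after the incident notification, approximated


def notification_timeline(discovered: datetime, *, personal_data: bool,
                          risk_to_rights: str, nis2_entity: bool) -> list:
    """Return the obligations the incident triggers, ordered by deadline.

    Each entry is (deadline, regime, obligation). `risk_to_rights` is 'none',
    'low' or 'high' as assessed under GDPR Art. 33/34.
    """
    if risk_to_rights not in ('none', 'low', 'high'):
        raise ValueError("risk_to_rights must be 'none', 'low' or 'high'")
    events = []
    if personal_data and risk_to_rights != 'none':
        # Art. 33: a breach unlikely to result in a risk need not be reported to the DPA
        events.append((discovered + timedelta(hours=GDPR_DPA_HOURS), 'GDPR',
                       'Notify the Data Protection Commission (Art. 33)'))
    if personal_data and risk_to_rights == 'high':
        # Art. 34: high-risk breaches are communicated to affected individuals without
        # undue delay; no fixed hour limit, so the DPA deadline is used as a working target
        events.append((discovered + timedelta(hours=GDPR_DPA_HOURS), 'GDPR',
                       'Communicate the breach to affected individuals (Art. 34)'))
    if nis2_entity:
        notification = discovered + timedelta(hours=NIS2_NOTIFICATION_HOURS)
        events.append((discovered + timedelta(hours=NIS2_EARLY_WARNING_HOURS), 'NIS2',
                       'Early warning to the CSIRT/NCSC (Art. 23)'))
        events.append((notification, 'NIS2', 'Incident notification to the CSIRT/NCSC (Art. 23)'))
        events.append((notification + timedelta(days=NIS2_FINAL_REPORT_DAYS), 'NIS2',
                       'Final report to the CSIRT/NCSC (Art. 23)'))
    events.sort(key=lambda e: e[0])
    return events


def overdue(events: list, now: datetime) -> list:
    """Obligations whose deadline has already passed at `now`."""
    return [e for e in events if e[0] < now]


if __name__ == '__main__':
    # Constructed input: the TechCorp scenario, discovered at 09:00 on a fixed date
    discovered = datetime(2025, 3, 3, 9, 0)
    plan = notification_timeline(discovered, personal_data=True,
                                 risk_to_rights='high', nis2_entity=True)
    for deadline, regime, obligation in plan:
        print(f"{deadline:%Y-%m-%d %H:%M}  {regime:<4} {obligation}")
    late = overdue(plan, datetime(2025, 3, 5, 12, 0))
    print(f"\nOverdue at 2025-03-05 12:00: {[o for _, _, o in late]}")
```

Run against the scenario, the first deadline to fall is the NIS2 early warning at 09:00 the next day, a full two days before the GDPR notification is due.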

---

# Summary and Key Takeaways

## Main Points

1. **Governance Models** provide the foundation for managing cybersecurity risk through policies, processes, and accountability structures

2. **GDPR** focuses on data protection and privacy rights, with significant enforcement through the Irish DPC

3. **NIS2** expands cybersecurity requirements across 18 sectors with stricter incident reporting and management accountability

4. **Organisational Adaptation** requires governance changes, process improvements, technology investments, and cultural shifts

5. **Future Directions** include new regulations (AI Act, DORA, CRA) and emerging threats requiring continuous governance evolution

## Ireland-Specific Considerations

- **DPC** is a leading global data protection authority
- **NCSC** is responsible for NIS2 implementation
- Many multinational tech companies are regulated from Ireland
- Strong intersection between GDPR and NIS2 requirements

---

## References for Further Reading

1. GDPR Full Text: https://gdpr-info.eu/
2. NIS2 Directive: EUR-Lex
3. Data Protection Commission: https://www.dataprotection.ie/
4. NCSC Ireland: https://www.ncsc.gov.ie/
5. NIST Cybersecurity Framework: https://www.nist.gov/cyberframework
6. ISO 27001: https://www.iso.org/isoiec-27001-information-security.html
7. ENISA NIS2 Resources: https://www.enisa.europa.eu/

---

## üìù Assignment Preparation Notes

Your research report should cover:

1. **Introduction (10%)**: Set the context - why cybersecurity governance matters for Irish organisations

2. **Overview of Governance Models (20%)**: Compare frameworks (NIST, ISO 27001, COBIT, CIS) and explain key components

3. **Impact of GDPR and NIS2 (20%)**: Analyse specific requirements and how they affect Irish organisations

4. **Evolution and Adaptation (20%)**: Use real examples of how organisations have adapted, challenges faced

5. **Future Directions (20%)**: Discuss emerging regulations, threats, and governance trends

6. **Organisation & Clarity (10%)**: Clear structure, proper citations (Harvard style), professional presentation

**Word Count**: 2500-3000 words

**Submission**: PDF or Word via Moodle by 15th December 2025

Good luck! 🍀