Protecting your organisation against evolving cyber threats
As cyber threats become harder to spot and regulators demand proof of resilience, Len McAuliffe outlines the practical steps leaders should take today to protect their organisations
Global cyber threats are evolving rapidly, moving beyond technical risk to enterprise-wide dangers.
PwC’s 2026 Annual Threat Dynamics Report identifies a highly dynamic, interconnected and volatile cyber threat landscape, with attackers eroding trust through attacks on identities, systems, third parties and leadership.
For Irish organisations, reliance on global supply chains, outsourced services and cloud ecosystems means greater vulnerability than ever before.
In light of this, the Digital Operational Resilience Act (DORA) and the Network and Information Security Directive 2 (NIS2) are raising expectations for resilience, governance and accountability, making cyber risk both a security and compliance issue for organisations in the European Union.
What this means for regulation
Governing bodies in Ireland and the EU are responding to this risk landscape.
DORA and NIS2 place greater emphasis on governance, accountability and digital risk management, with organisations subject to legal and financial repercussions for failing to adequately safeguard their operations against systemic dependency, concentration risk and third-party disruption.
This means organisations, especially those defined as critical entities under NIS2, must be able to:
- demonstrate robust control of privilege and access management;
- identify their key dependencies; and
- demonstrate to regulators that they can rapidly and appropriately detect, protect against, respond to and report cyber incidents.
The standard is no longer simply to have policies and procedures in place. The expectation is that resilience can be evidenced, tested and sustained under pressure.
The threat is shifting from infrastructure to identity
The 2026 Annual Threat Dynamics Report shows that attackers have pivoted away from traditional attacks such as phishing links.
Advances in artificial intelligence (AI) have enabled threat actors to bypass technical controls by exploiting human behaviour, faking credentials and tricking identity systems.
Identity is now the front line of the cyber war. Resilience depends less on technical controls and more on an organisation’s ability to effectively verify and manage users and access privileges, and proactively identify and respond to suspicious behaviour.
This is especially relevant where businesses support remote work, depend on external service providers or operate across multiple jurisdictions.
Third party risk
Many businesses in Ireland depend on a complex and interconnected web of software providers, cloud vendors, developers, logistics partners and managed services.
This model delivers speed and flexibility, but it also extends the attack surface well beyond the organisation’s direct control.
The executive implication is straightforward: third-party risk is no longer solely a line item in the procurement process.
It is a critical resilience issue that can make or break operations, destroy consumer trust, impact revenue and expose an organisation to significant legal consequences.
This is especially true for financial services given DORA’s explicit obligations regarding third-party information and communication technology (ICT) risk, and NIS2, which requires subject entities to understand and manage dependencies in their supply chain effectively.
What organisations should prioritise now
As identity-led threats from third parties accelerate, Irish organisations must prioritise practical, evidence-backed resilience steps that satisfy DORA and NIS2 requirements.
Strengthen identity controls
Make identity a priority control area. Take the time to review privileged access, tighten employee joiner, mover and leaver processes, increase oversight of high-risk accounts and ensure suspicious access activity is monitored and investigated in a timely manner.
Embed governance in AI from the outset
Treat AI adoption as part of operational risk. Assign accountability and assess new risks before deployment. Ensure that IT processes test controls and that leadership updates policies and training to reflect how AI is being used inside the business.
Focus on critical third-party risk
Organisations need to identify critical core service suppliers and understand where dependencies are concentrated.
It is important that leadership reviews possible escalation paths in third-party supply chains and tests operational resilience against the unexpected loss of one or more key suppliers.
Rehearse cross-functional response
Organisations should organise practical exercises that involve leadership, legal, operations, communications and technology teams.
These exercises should test decisions, not just technical actions. Make sure escalation routes are clear and that teams know who is responsible for making the necessary decisions under pressure.
Measure what works in practice
Organisations must move beyond policy ownership alone. They must track how quickly access to systems is reviewed, incidents are escalated, suppliers are assessed and critical decisions are made.
What an organisation needs most is to ensure its risk controls work in real-world conditions.
Len McAuliffe is Partner, Cybersecurity & Forensics at PwC Ireland