Nóra Cashe explains the obligations, compliance, and acceptance and rejection procedures for employers outlined in the Work Life Balance and Miscellaneous Provisions Act 2023 Code of Practice The Code of Practice (the Code) for the right to request flexible and remote work has been released. Now that these two rights are in effect, employees can request these entitlements. So, do you know your obligations as an employer, and do you understand how to comply with the new legislation? What are the rights to request remote and flexible work? The right to request flexible working and the right to request remote working are the last two of five statutory parts to come into effect within the Work Life Balance and Miscellaneous Provisions Act 2023. While many of the same guidelines apply to these two entitlements, they are separate. ‘Flexible working’ is defined as the adjustment of an employee’s working hours or working patterns. This includes flexible working schedules, reduced working hours, or even remote working. The right to request flexible working only applies to parents and to those acting in loco parentis or guardians as defined by the Act. Meanwhile, ‘remote working’ is an arrangement between employer and employee in which the work is carried out at a location other than at the employer's place of operation. This is done without any change to the employee's ordinary working hours. What is the Code of Practice? Drafted by the Workplace Relations Commission (WRC), the Code provides practical guidance for businesses and their staff regarding flexible or remote work requests. It is separated into three sections. The first two sections are Flexible Working (FW) and Remote Working (RW), which lay out guidelines for employees and employers to follow when requesting or receiving requests for flexible or remote working arrangements. The last section consists of policies and templates. Here, employers can find templates to use for relevant documentation, such as a Work Life Balance Policy, a Flexible Working Request application, and a Remote Working Request application. Staying compliant The Code defines flexible and remote work and provides the details on who can apply and when. The Code also contains important timelines and procedures for employers and employees to follow when a request is made and the consequences for not doing so. Failure to follow the timelines and procedures and to keep records could result in an award of up to 20 weeks of remuneration and/or a costly fine/summary conviction. Additionally, the Code of Practice includes information on situations such as: the abuse of any new working arrangements; the need to modify new working arrangements; and the need for the employee or employer to terminate the new working arrangements. Acceptance or rejection procedures Employers are not obligated to accept requests for remote or flexible work but it’s important to remember that a response must be delivered to the employee in writing within four weeks of their request. The three responses an employer can give are: Extension: the employer may request up to four more weeks to consider its decision, which it must also do in writing. Refusal: the employer must lay out its reasoning in writing. Acceptance: the employer must produce a written document with the relevant details for the employee to sign. Overall, employers are advised to weigh their employees’ circumstances and rationale for these requests against their own business needs. In addition, the Code provides tangible questions that employers may ask themselves when deciding whether to approve or reject a request. Nóra Cashe is a Litigation Manager at Peninsula

The new EU Directive NIS2 requires meticulous compliance strategies to improve cybersecurity resilience, explains Puneet Kukreja The intense uptake of digital solutions and innovative technologies over the past four years has changed the way we socialise, work, shop, bank, and receive necessary services, such as health. As sectors and services increasingly become interconnected and interdependent, the cybersecurity threat landscape continues to grow in sophistication and focus. Safeguarding critical infrastructures and services is paramount to protecting society and economies from these actors. In response, EU lawmakers have introduced several interconnected EU-wide laws to improve the digital and operational resilience of the sectors and services we rely on most. The second Network and Information Systems Directive (Directive (EU) 2022/2555 (NIS2)) is one of these EU-wide laws. It comes into effect on 18 October 2024 and will have a compliance impact on many public and private sector organisations across 18 sectors, similar to that experienced under the GDPR. The regulatory supervision and enforcement measures under NIS2 bear similarities to the GDPR. However, direct accountability and liability for upper management and possible suspension of CEO duties brings this squarely into the board room. NIS2 is an evolution from its predecessor, NIS-D (Directive (EU) 2016/1148), extending the legislative scope to capture entities in several additional sectors and subsectors, including public bodies and a wider range of digital service providers, as well as covered entities’ information and communications technology (ICT) supply chains. NIS2 sets out the minimum powers of supervision and enforcement that Member State competent authorities must have. Administrative fines can be imposed on essential and important entities for breaches of obligations relating to cybersecurity risk management measures and incident notification. For ‘essential entities’, the maximum fine is at least €10,000,000 or at least 2 percent of the total worldwide annual turnover in the previous financial year, whichever is higher. For ‘important entities,’ these figures are €7,000,000 and 1.4 percent. Irish legislation must be enacted before 18 October 2024 to transpose NIS2. Consistent with its treatment of NIS-D, the transposing legislation will provide that breaches of certain provisions of the same will be a criminal offence. We expect that a person found guilty of any of these offences will be liable on conviction to a fine and/or imprisonment. It is vital that CEOs, CFOs, CIOs, CISOs and board members understand not only the financial, personal, and reputational consequences of non-compliance – which underscores the urgency of pursuing NIS2 compliance now – but also the role that NIS2 will play in safeguarding their organisation’s cybersecurity and operational resilience. Navigating NIS2 There are several steps an organisation can take to navigate the NIS2. 1. Legal analysis Assess whether NIS2 applies to your organisation or whether any of the statutory exemptions will apply. To the extent NIS2 applies, it will be necessary to understand its requirements, including any cross-border implications and the steps necessary to secure ICT supply chains. 2. Strategic planning of compliance navigation Identify cybersecurity risks and set clear targets to assist in allocating resources and creating strong governance for resilience and regulatory adherence. This will also ensure operational integrity and informed decision-making. 3. Technology procurement Align chosen technologies with organisation needs and regulatory requirements. 4. Implementation strategy Develop a robust plan covering technology integration, employee training, and monitoring mechanisms. 5. Technology implementation Explore partnerships with organisations experienced in technology transformation. This will help you enable the full lifecycle of capability from analysis to managed services. 6. Employee training and awareness Champion comprehensive training programmes to instil a culture of cybersecurity within the organisation. 7. Managed services for continuous compliance Explore partnerships with experienced service providers for ongoing monitoring and response capabilities. 8. Budgeting and resource allocation Collaborate on budgeting to align finance planning with strategic cybersecurity objectives. 9. Documentation and reporting Oversee the creation of comprehensive documentation, ensuring transparency and accountability. Your NIS2 journey Organisations will differ in their level of compliance or maturity across the key control areas that are required under NIS2. However, one thing is certain: all in-scope organisations should now consider the implications of NIS2 to ensure they have sufficient time to assess, design, and implement their compliance plans before the legislation comes into effect. Organisations operating in the sectors defined in NIS2 will need to assess whether they fall within its scope, the availability of any exemptions, their categorisation as ‘essential’ or ‘important’, their NIS2 obligations, and the impact of and interplay with other EU cybersecurity and operational resilience laws. NIS2 requires organisations to address cybersecurity risks in their own ICT supply chains. In practice, this will require a risk-based assessment of ICT supplier relationships, enhancing contracts and securing inspection and other rights to ensure supply chain security. Early supplier engagement will be essential. To the extent certain in-scope organisations are established and/or providing their services in more than one EU Member State, they may be subject to implementing laws in more than one jurisdiction or the EU Member State where their cybersecurity risk management decisions are predominately made. The NIS2 jurisdiction rules require careful consideration and may cause certain entities to rethink the geographic positioning of cybersecurity decision-making. To successfully achieve and sustain NIS2 compliance, an organisation must commit to continuous improvement as well as the adoption of proactive measures. Both are key in this evolving digital landscape. Beginning a compliance journey with a legal analysis of the new directive will ensure you start on the right path and your organisation not only avoids substantial financial penalties but also becomes more resilient to evolving cyber threats. Puneet Kukreja is Cyber Security Leader at EY

The EU Accessibility Act sets out to improve accessibility standards. Adela Buliman outlines what organisations need to consider before it comes into effect The European Accessibility Act (EAA) represents a significant step forward in making the European Union more accessible to all people, including people with disabilities. The legislation comes into effect on 28 June 2025. There are many industries in scope, including both the public and private sector. The EAA is extending the reach of the existing Public Sector Accessibility Regulations under the EU Web Accessibility Directive. Under current regulations, any organisation that is at least 50 percent funded by the state has to have a digitally accessible website, mobile app and digital documents, where relevant. The EAA is expanding this. Scope of legislation The EAA is much broader in scope than the public sector regulations. The products covered by the Act include: ATMs Ticket and travel check-in machines Self-service terminals Mobile phones Computers, terminals and operating systems E-reading devices The services covered include: Audio-visual media services Transportation services Banking services Electronic communications services E-books E-commerce The services covered are much broader than it may seem. For instance, when it comes to banking services, it is not just the digital assets that are in scope, but anything a user is required to interact with to use a service. So, a letter that the bank may send you with your card pin must have a digitally accessible alternative. As well as this, when you look at the definition of “e-commerce” under the legislation, it is not just for retail companies, it is any organisation that either sells a product or service on a website or advertises that product or service online. For example, the organisation may be in the insurance sector, but if it advertises its insurance plans online, it would be within the scope of this legislation too. Taking all this into account, there are very few organisations that are not in scope of this legislation. Regulators Surveillance authorities have been assigned to each in-scope industry. The Competition and Consumer Protection Commission (CCPC) is the regulator for each product that is in scope. For services, the following bodies are regulating: Industry Regulator Electronic Communications Commission for Communications Regulation Audiovisual media Coimisiún na Meán Air passenger transport Irish Aviation Authority Bus, rail and waterborne passenger transport National Transport Authority Consumer banking Central Bank of Ireland E-books and dedicated software and e-commerce Competition and Consumer Protection Commission (CPCC) Emergency communications Commission for Communications Regulation   Ramifications for non-compliance It is important to note the consequences of non-compliance with the EAA: A fine (€5,000) or imprisonment of up to six months or both; A fine of up to €60,000 or imprisonment of up to 18 months or both; or Litigation The one that poses the most risk to organisations is litigation. Under the EAA, users will be allowed to litigate against companies that they feel are discriminating against them. Next steps for organisations When it comes to getting ready for the legislation, there are three steps that we recommend: Auditing An audit is a great way to start your journey. An audit will provide you with an issue log of items that need to be fixed to be accessible and compliant. Upskilling Upskilling your own staff is an important second step in preparing for the EAA. When you receive audit results, there will be a large amount of repetition in the types of issues found, highlighting a knowledge gap that you can fill by training staff. Embedding The last step is embedding accessibility into your company culture. It can be up to 30 times more expensive to retroactively make something accessible. Embedding the accessibility into your procurement process, design process, sprints, etc., allows you to keep costs low and create a long-term accessibility plan. Adela Buliman is the Head of Accessibility at Vially and sits on the European Committee for Standardisations, in particular committees relating to the European Accessibility Act and Public Sector Accessibility Regulations

Managing cyber security and other technology-related risks is becoming an increasingly complex business. Sara McCallister explains why. With a growing need for technology assurance—from cyber security and transformation programmes to the use of AI, cloud services and third parties—what do internal audit and technology risk professionals need to know to protect organisations today? Cyber security Cyber security continues to be a critical business risk for organisations in Ireland and globally. While data loss and service disruption continue to be two biggest risks associated with a cyber-attack, ransomware attacks are also significant. According to a 2023 Sophos report, 66 percent of organisations globally have been hit by a ransomware attack in the last year. Cybercriminals succeeded in encrypting data in just over three-quarters (76%) of these attacks. Third-party management To manage service continuity risks, information privacy and security, organisations need an effective framework of third party controls. IT and technology teams are among the most active users of third-party products, such as tools, software-as-a-service (SaaS) solutions and the direct outsourcing of business activities. This gives organisations access to a much wider range of skills and greater flexibility to scale up or down with demand. Outsourcing the responsibility for these services doesn't outsource the associated risks, however. Organisations need to expand their range of assurance activities to cover third-party providers. Generative AI The risks associated with generative AI are critical due to its widespread adoption. Concerns include the potential for biased outputs, security vulnerabilities and misuse of generated content for malicious purposes. Deep fakes, misinformation and ethical dilemmas also pose challenges. As generative AI becomes integral to different sectors, understanding and mitigating these risks is essential to maintaining trust, safeguarding privacy and ensuring responsible deployment. Timely attention to these concerns is crucial in preventing unintended consequences, protecting against malicious uses and establishing robust frameworks for the ethical and secure implementation of generative AI. Transformation programmes Organisations are adopting and experimenting with leaner and faster approaches to delivering transformation. Many are dealing with the challenge of legacy IT, outdated infrastructure and applications that are still in use and prevent more modern practices, exposing them to availability risks and cyber security vulnerabilities. Cloud assurance In recent years, the use of cloud solutions has increased rapidly. Organisations use cloud solutions to host their critical systems, such as enterprise resource planning (ERP) and customer-facing applications, or sensitive data, such as personal or intellectual property. The proposed changes to the UK Corporate Governance Code (the Code) have heightened the focus on organisations’ financial and IT control frameworks ahead of the 2025 deadline. This would include controls in cloud environments. Organisations still face challenges around cloud controls and assurance, inconsistent approaches across assurance teams, cloud concentration risks and lock-in with vendors. There is also a shortage of cloud-risk specialists who can help organisations to determine whether practices are aligned with recommendations from the Cloud Security Alliance and cloud service providers. Identity and access management One of the foundational pillars of securing your organisation's data is ensuring you are adequately managing access to this information. This includes authenticating access, authorising access based on genuine business needs and monitoring and reviewing access to data. Organisations need robust frameworks in place to manage access to their information and reduce the risk of inappropriate or unauthorised access, which could cause significant loss. Technology resilience In a technology-dependent world, it is often critical that an organisation's IT infrastructure and applications are resilient and continue to operate at acceptable levels during unexpected events or when elements of its technology environment are compromised. Data management and quality The risks associated with data management and quality are paramount as they directly impact decision-making, business operations and regulatory compliance. Robust data management mitigates cyber security risks, safeguarding sensitive information from breaches. Compliance with data protection regulations, such as GDPR, hinges on accurate data handling. Addressing these risks ensures organisations can trust their data, supporting decision-making, maintaining customer trust and complying with legal requirements in a data-driven business landscape. Sara McCallister is Partner, Business Risk Operations, Grant Thornton

Beyond a digital resume, your LinkedIn profile reflects your priorities, connections, values and unique professional brand, writes Donal Whelan In recent years, LinkedIn has become a vital career-enhancing tool for all career professionals looking to network and seek out new opportunities. According to LinkedIn, over 75 percent of people who have changed jobs have used the platform to inform their career decision. Furthermore, social professional networks are the number one source for quality hires. Given these statistics, treating LinkedIn as another social media platform is insufficient when managing your career. Here are four things your LinkedIn profile says about you and how you can leverage each of these elements to improve your career presence. 1. Establishes your priorities How you present yourself in your LinkedIn headline and summary, and the way in which you list your current and previous experience gives employers valuable clues on your priorities. The way you highlight your professional duties and accomplishments offers recruiters the opportunity to estimate how you would set priorities in a new position. Every decision you make and every sentence you write should be made with this consideration in mind. Highlight the aspects you would like to pursue further, and employers will notice. 2.  Highlights proof of performance LinkedIn goes beyond static resumes, which is the social aspect of the platform. Your past co-workers and supervisors can leave recommendations on each of your prior work experiences or endorse your individual professional skills. Recruiters will look for this type of information when assessing if you’re right for a role. We are psychologically inclined to believe social proof, treating it as independent, third-party confirmation of potentially biased claims. A statement of success in your current position is significantly more valuable if your current supervisor confirms your accomplishments in a single sentence or two. 3. Spotlights your values Influencers you have decided to follow and past posts you have written on LinkedIn are all ways of expressing your personality, perspective, and values. These elements of your profile inform other users of what you care about and can shape the personality you want to portray to a potential employer. It’s essential to demonstrate professionalism to ensure your profile expresses interest in the career you wish to pursue. 4. Showcases your professional brand It goes without saying that your profile is your professional brand and you are attempting to give the best impression of yourself. But your profile also shows how much you allow your current role to influence your brand. For instance, some users create their profile solely around their current job, while others make their profiles all about their career path. Every branding decision is a choice, and you get to choose which works best for your career journey. More than a CV Your LinkedIn profile is much more than just a digitised version of your resume or CV. It is an opportunity to present yourself to employers in the best light possible. Recruiters are always on the lookout for talent, so it is important you continue to update your profile to optimise your chances of advancing in your career and making new professional connections. Donal Whelan is Managing Director of Lincoln Recruitment Specialists

Reforms to High Income Child Benefit Charge and National Insurance in the UK’s Budget aim to provide relief to struggling families amidst the cost-of-living crisis, writes Lee Melling UK Chancellor of the Exchequer Jeremy Hunt’s recent Budget announcement could have an impact on families struggling financially amid the cost-of-living crisis. Some reforms could provide relief and reshape the landscape of financial stability for households. High Income Child Benefit Charge The recent announcement regarding changes to the High Income Child Benefit Charge (HICBC) in the UK's Budget is poised to substantially impact financially struggling families, offering relief amid the ongoing cost-of-living challenges. Despite the rise in wages attributed to inflation, the perceived inequity of HICBC across various household types and income levels has been a concern. The Chancellor's reform decision, transitioning HICBC from an individual to a household system by April 2026, helps address this issue. Under the current system, if one parent earns more than £50,000, child benefit starts to reduce, and those who earn £60,000 receive no child benefit at all. This means two parents earning £50,000 a year or less would each receive child benefit in full, but a household with one working parent or a single-income household earning more than £50,000 would see the benefit cut. The change creates a fairer system and takes into consideration that people’s wages have risen in line with inflation. Furthermore, the decision to increase the threshold—especially at a time when many employees have had their salary adjustments in line with inflation—ensures more families retain more of the Child Benefit they receive. It also assures those worried about pay increases affecting their Child Benefit entitlement. National Insurance Amid record-high energy bills, rising food costs and mortgage payments, the reduction of the National Insurance by 2p can help ease the financial burden during a period of stretched budgets.   Nevertheless, while these measures offer some relief, additional measures are still required to provide support for households grappling with the escalating cost-of-living. Despite assurances of a decline in inflation, Chancellor Hunt’s cautious approach in this latest Budget might leave many feeling disappointed that the changes haven’t gone far enough.  As people navigate the adjustments to their finances in response to these changes, it is crucial to recognise the potential stress and anxiety associated with such transitions. Acknowledging the scale of the situation and seeking assistance, whether through understanding the broad cost-of-living crisis or knowing that others share similar experiences, can help manage the stress associated with an individual’s financial situation.  For those concerned about their financial situation, reaching out for help is important. Equipping oneself with a range of tools and seeking advice can go a long way towards supporting your everyday financial health. Lee Melling is a Financial Wellbeing expert at Caba, the occupational charity supporting The Institute of Chartered Accountants in England and Wales