NIS2 Compliance
Practical support for organisations preparing for the NIS2 Directive in Ireland.
NIS2 is the European Union’s updated cybersecurity directive, replacing the original 2016 NIS Directive. Although Ireland has not yet completed transposition into national law (the EU deadline of 17 October 2024 having passed), enforcement is expected to follow swiftly once enacted, with the National Cyber Security Centre (NCSC) anticipated to act as the competent authority. The directive brings a much wider range of organisations into regulated cybersecurity scope, with meaningful obligations and significant penalties for non compliance.
If you are operating in one of the directive’s eighteen sectors and meet the size thresholds, you are likely in scope under the incoming regime, and the time to begin preparation is well before formal notification.
What NIS2 requires
NIS2 sets out obligations across four main areas.
Risk management measures
Article 21(2) lists ten minimum cybersecurity risk management measures, lettered (a) to (j) in the directive, that in scope entities must implement.
- Policies on risk analysis and information system security.
- Incident handling.
- Business continuity (including backup management and disaster recovery) and crisis management.
- Supply chain security, including the security related aspects of relationships with direct suppliers and service providers.
- Security in the acquisition, development, and maintenance of network and information systems, including vulnerability handling and disclosure.
- Policies and procedures to assess the effectiveness of the cybersecurity risk management measures themselves.
- Basic cyber hygiene practices and cybersecurity training.
- Policies and procedures on the use of cryptography and, where appropriate, encryption.
- Human resources security, access control policies, and asset management.
- Multi factor or continuous authentication, secured voice, video and text communications, and secured emergency communication systems where appropriate.
The directive is deliberately technology neutral and takes an all hazards approach. You decide appropriate controls based on your risk profile and exposure, your size, the state of the art, and the cost of implementation, provided the resulting level of security is proportionate to the risk.
Incident reporting
Significant incidents, broadly those causing or capable of causing severe operational disruption or financial loss, or considerable damage to others, must be reported to the NCSC on the strict multi stage timeline set out in Article 23.
- Early warning within 24 hours of becoming aware of the incident, indicating whether it is suspected to be caused by unlawful or malicious acts and whether it could have cross border impact.
- Incident notification within 72 hours of becoming aware, updating the early warning and giving an initial assessment of severity and impact, together with any indicators of compromise.
- Final report within one month of the incident notification, covering root cause, severity and impact (including cross border impact), and mitigations applied or in progress. If the incident is still ongoing at that point, a progress report is due instead, with the final report following within one month of the incident being handled.
Intermediate status updates can also be requested at any point, so the process needs to work while the incident is still live.
Management accountability
NIS2 makes board level and executive management directly accountable for cybersecurity risk management. Under Article 20, management bodies must approve cybersecurity measures, oversee their implementation, undertake regular training, and can be held liable for breaches. For essential entities, penalties can include a temporary prohibition on the CEO or legal representative exercising managerial functions, a substantial personal risk.
Supply chain security
Entities must assess and manage cybersecurity risks across their supply chains, including direct suppliers and service providers. This has knock on effects for organisations supplying entities in scope, even if they are not directly caught by the directive themselves.
Who is in scope
NIS2 applies to “essential” and “important” entities across eighteen sectors, split between the sectors of high criticality in Annex I and the other critical sectors in Annex II. Which label applies depends on both sector and size.
Annex I (high criticality): energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure (cloud, DNS, data centres, trust services, public electronic communications), ICT service management (B2B), public administration, and space.
Annex II (other critical sectors): postal and courier services, waste management, chemicals, food, manufacturing of medical devices, computers and electronics, electrical equipment, machinery, motor vehicles and transport equipment, digital providers (online marketplaces, search engines, social networking platforms), and research.
In most cases only medium and large organisations (50+ employees, or annual turnover or balance sheet above €10M) are captured. Large entities in Annex I sectors are essential; medium entities in Annex I sectors, and entities of either size in Annex II sectors, are important. Certain entity types are in scope regardless of size, including DNS service providers, top level domain name registries, trust service providers, and public electronic communications providers, and member states can designate further entities, for example the sole provider of a service essential to society.
If you are uncertain, we can assess scope quickly based on your sector, activities, and size.
Penalties and enforcement
For essential entities, administrative fines can reach €10 million or 2% of total worldwide annual turnover, whichever is higher. For important entities the cap is €7 million or 1.4%. Competent authorities can also suspend certifications or authorisations and, for essential entities, temporarily prohibit the CEO or legal representative from exercising managerial functions, a meaningful shift toward personal accountability.
How NIS2 relates to other frameworks
NIS2 does not mandate any specific framework, but several established standards map closely to its requirements.
- ISO 27001 provides the risk management, access control, incident management, and supply chain security capabilities NIS2 expects. Many organisations use ISO 27001 as the backbone for demonstrating compliance.
- ISO 22301 supports the business continuity and crisis management requirements explicitly called out in Article 21.
- GDPR complements NIS2’s incident reporting through the personal data breach reporting regime (72 hours to the supervisory authority under Article 33). Many organisations align the two processes, since one incident can trigger both.
How we can help
Scope and applicability assessment
We help you determine whether NIS2 applies to your organisation, and if so, whether you qualify as an essential or important entity. You will have a clear, documented position you can share with auditors, customers, and the NCSC.
Gap analysis against Article 21
We assess your current cybersecurity posture against the ten minimum measures and other obligations, identifying what is in place, what is partially addressed, and what needs to be built. You will get a prioritised remediation roadmap.
Programme design and implementation
Working with your existing teams, we help design and implement the policies, procedures, and controls to meet NIS2 obligations. Ideally reusing or extending what you already have rather than building parallel structures.
Incident reporting readiness
We help you establish the processes, decision criteria, and templates to meet the 24 hour, 72 hour, and one month reporting timelines under pressure. That includes tabletop exercises so the first real incident is not where you test the process.
Management training and board briefings
NIS2 requires management accountability, including training. We deliver tailored board level briefings and ongoing cybersecurity training that meets the directive’s expectations while fitting your organisation’s governance rhythm.
Supply chain risk management
Building out a proportionate supply chain cybersecurity programme. Vendor due diligence, contractual requirements, and ongoing oversight, aligned with NIS2 expectations and your actual risk profile.
Integration with ISO 27001 or ISMS
If you have or are considering ISO 27001, we help integrate NIS2 obligations into your existing management system rather than running a separate compliance track.
What to expect
An initial scope assessment and gap analysis typically takes 3 to 6 weeks depending on organisation size and complexity. From there, remediation and programme implementation is scaled to your needs and starting position.
We work directly with your leadership, security, IT, legal, and business teams to make NIS2 a structured part of how you operate, not a parallel compliance overlay.
