
NIS2 is the European Union’s updated cybersecurity directive, replacing the original 2016 NIS Directive. Transposed into Irish law with the National Cyber Security Centre (NCSC) as the competent authority, it brings a much wider range of organisations into regulated cybersecurity scope—with meaningful obligations and significant penalties for non-compliance.

If you’re operating in one of the directive’s eighteen sectors and meet the size thresholds, you’re likely in scope whether or not you’ve been formally notified.

What NIS2 requires

NIS2 sets out obligations across four main areas:

Risk management measures

Article 21 specifies ten minimum cybersecurity risk management measures that in-scope entities must implement, including:

  • Risk analysis and information security policies
  • Incident handling procedures
  • Business continuity and crisis management
  • Supply chain security
  • Security in system acquisition, development, and maintenance
  • Effectiveness assessment of cybersecurity measures
  • Cyber hygiene and training
  • Cryptography and encryption policies
  • Human resources security and access control
  • Multi-factor authentication

The directive is deliberately technology-neutral—you decide appropriate controls based on your risk profile, size, and the cost of implementation.

Incident reporting

Significant incidents must be reported to the NCSC on a strict timeline:

  • Early warning within 24 hours of becoming aware of the incident
  • Incident notification within 72 hours, including an initial assessment
  • Final report within one month, covering root cause, mitigations, and impact

Management accountability

NIS2 makes board-level and executive management directly accountable for cybersecurity risk management. Managers must approve cybersecurity measures, oversee their implementation, and undertake regular training. Penalties can include temporary prohibition on managerial functions—a substantial personal risk.

Supply chain security

Entities must assess and manage cybersecurity risks across their supply chains, including direct suppliers and service providers. This has knock-on effects for organisations supplying entities in scope, even if they aren’t directly caught by the directive themselves.

Who’s in scope

NIS2 applies to “essential” and “important” entities across eighteen sectors:

Essential entities: energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure (cloud, DNS, data centres, trust services, public electronic communications), ICT service management (B2B), public administration, and space.

Important entities: postal and courier services, waste management, chemicals, food, manufacturing of medical devices, computers and electronics, electrical equipment, machinery, motor vehicles and transport equipment, digital providers (online marketplaces, search engines, social networking platforms), and research.

In most cases, only medium and large organisations (50+ employees or €10M+ turnover) are captured. Certain entity types are in scope regardless of size—including DNS providers, top-level domain registries, and some trust service and communications providers.

If you’re uncertain, we can assess scope quickly based on your sector, activities, and size.

Penalties and enforcement

For essential entities, administrative fines can reach €10 million or 2% of worldwide annual turnover, whichever is higher. For important entities, the cap is €7 million or 1.4%. Competent authorities can also suspend certifications or authorisations, and temporarily prohibit individuals from exercising managerial functions—a meaningful shift toward personal accountability.

How NIS2 relates to other frameworks

NIS2 doesn’t mandate any specific framework, but several established standards map closely to its requirements:

  • ISO 27001 — provides the risk management, access control, incident management, and supply chain security capabilities NIS2 expects. Many organisations use ISO 27001 as the backbone for demonstrating compliance.
  • ISO 22301 — supports the business continuity and crisis management requirements explicitly called out in Article 21.
  • GDPR — the personal data breach reporting regime complements NIS2’s incident reporting; many organisations align the two processes.

How we can help

Scope and applicability assessment

We’ll help you determine whether NIS2 applies to your organisation, and if so, whether you qualify as an essential or important entity. You’ll have a clear, documented position you can share with auditors, customers, and the NCSC.

Gap analysis against Article 21

We’ll assess your current cybersecurity posture against the ten minimum measures and other obligations, identifying what’s in place, what’s partially addressed, and what needs to be built. You’ll get a prioritised remediation roadmap.

Programme design and implementation

Working with your existing teams, we’ll help design and implement the policies, procedures, and controls to meet NIS2 obligations—ideally reusing or extending what you already have rather than building parallel structures.

Incident reporting readiness

We’ll help you establish the processes, decision criteria, and templates to meet the 24-hour, 72-hour, and one-month reporting timelines under pressure—including tabletop exercises so the first real incident isn’t where you test the process.

Management training and board briefings

NIS2 requires management accountability, including training. We can deliver tailored board-level briefings and ongoing cybersecurity training that meets the directive’s expectations while fitting your organisation’s governance rhythm.

Supply chain risk management

We’ll help you build out a proportionate supply chain cybersecurity programme—vendor due diligence, contractual requirements, ongoing oversight—aligned with NIS2 expectations and your actual risk profile.

Integration with ISO 27001 or ISMS

If you have or are considering ISO 27001, we’ll help integrate NIS2 obligations into your existing management system rather than running a separate compliance track.

What to expect

An initial scope assessment and gap analysis typically takes 3-6 weeks depending on organisation size and complexity. From there, remediation and programme implementation are scaled to your needs and starting position.

We work directly with your leadership, security, IT, legal, and business teams to make NIS2 a structured part of how you operate—not a parallel compliance overlay.

Common questions

Are we in scope for NIS2?

NIS2 covers a much wider range of organisations than the original NIS Directive. You're likely in scope if you operate in one of 18 specified sectors (energy, transport, banking, health, digital infrastructure, digital providers, manufacturing, food, waste, postal services, public administration, and more) and meet the size thresholds—generally medium or large enterprises (50+ employees or €10M+ turnover), with some sectors captured at any size. We can assess scope quickly based on your sector and activities.

What's the difference between NIS and NIS2?

NIS2 (Directive (EU) 2022/2555) replaces the original 2016 NIS Directive. Key changes include a much broader sectoral scope, tiered classification into 'essential' and 'important' entities, stricter incident reporting timelines (24-hour early warning, 72-hour notification, one-month final report), explicit management accountability with personal liability, supply chain security requirements, and significantly higher fines.

When do we need to be compliant with NIS2 in Ireland?

Ireland has transposed NIS2 into national law, with the National Cyber Security Centre (NCSC) as the competent authority. Obligations are already in force for entities in scope. Enforcement is building out as organisations identify themselves and register with the NCSC. If you're likely in scope, the time to act is now rather than waiting for a formal notification.

What are the fines for NIS2 non-compliance?

Essential entities face fines up to €10 million or 2% of worldwide annual turnover, whichever is higher. Important entities face up to €7 million or 1.4%. Beyond fines, the directive allows suspension of authorisation or temporary bans on managerial functions—a notable shift that creates personal accountability at board and executive level.

How does NIS2 relate to ISO 27001?

ISO 27001 is not a direct NIS2 requirement, but it's an excellent framework for meeting NIS2's Article 21 risk management obligations. An ISO 27001 ISMS covers most of what NIS2 asks for—risk assessment, incident management, access controls, supply chain security, business continuity—with substantial overlap. Many organisations use ISO 27001 as the backbone for demonstrating NIS2 compliance.

What are the NIS2 security requirements?

Article 21 sets out ten minimum cybersecurity risk management measures: risk analysis and information security policies, incident handling, business continuity and crisis management, supply chain security, security in network and information systems acquisition and maintenance, effectiveness assessment, cyber hygiene and training, cryptography policies, HR security and access control, and multi-factor authentication. The directive is technology-neutral—you decide the appropriate controls for your risk profile.

Does NIS2 apply to small businesses?

Generally NIS2 applies to medium and large entities (50+ employees or €10M+ turnover) in the listed sectors. However, certain entity types are in scope regardless of size—including DNS providers, top-level domain registries, trust service providers, and providers of publicly available electronic communications services. Some small organisations are also captured if they are the sole provider of an essential service or their disruption could have significant public impact.

What do we need to report to the NCSC?

Significant incidents must be reported to the National Cyber Security Centre: an early warning within 24 hours of awareness, a formal incident notification within 72 hours including an initial assessment, and a final report within one month covering root cause, mitigations, and ongoing impact. 'Significant' has specific criteria around operational disruption, financial loss, and affected users—we can help you set up processes to make these calls reliably under pressure.

Ready to discuss your requirements?

Let's have a conversation about how we can help your organisation.
