skip to main content

What is the NIS2 Directive, and what does it mean for Irish organisations?

Safeguarding your assets, your people and your customers | 5 minute read

NIS2 is the EU’s updated cybersecurity regime. In Ireland, it is still pending full implementation, so organisations should prepare now for scope, governance, risk management and incident reporting obligations.¹

Key takeaways

1. NIS2 is coming to Ireland. The National Cyber Security Bill is expected to transpose it into Irish law.¹
2. More organisations will fall within scope, with stronger senior-level accountability. NIS2 expands cybersecurity obligations across more sectors and places direct responsibility on senior management.¹ 
3. Organisations should prepare by focusing on governance, risk controls, incident reporting and evidence.³


What is the NIS2 Directive?

The NIS2 Directive’s primary goal is to strengthen and harmonise cybersecurity across the EU in response to increasing digital threats. In Ireland, NIS2 will be transposed through the National Cyber Security Bill, with the National Cyber Security Centre (NCSC) acting as the lead authority for oversight and enforcement.


4000+

Over 4,000 Irish organisations are expected to be affected by NIS2.²

Source: EY Law Ireland


€10mil

Fines of up to €10 million or 2% of global annual turnover are sanctions included in the NIS2 Directive.3

Source: National Cyber Security Centre

Originally introduced in 2016, the NIS framework set baseline rules for how organisations manage network and information security. NIS2 builds on that foundation by extending the rules to more sectors and giving regulators stronger powers to oversee cyber risk and incident handling.

In Ireland, the new regime is expected to take effect through the National Cyber Security Bill. That leaves organisations with a limited window to review their current arrangements and close any obvious gaps before the new requirements apply. 

For many organisations, this will involve both practical control improvements and clearer accountability at senior level.³

What is the NIS2 Directive?

NIS2 introduces a more in-depth cybersecurity framework across the EU. The key pillars include expanded scope, risk management measures, governance requirements, enforcement and penalties.¹

Expanded scope: More sectors and organisations are regulated. Organisations may be included if they operate in a listed sector, meet medium or large enterprise thresholds and are established in Ireland or provide services within the EU.²

NIS2 applies to organisations across a wide range of sectors, including energy, transport, healthcare, utilities, digital infrastructure, cloud providers, data centres, financial services and public administration.

Risk management measures: The NIS2 Directive introduces mandatory risk management measures and stricter incident reporting obligations, requiring organisations to actively manage cyber risks and notify authorities of serious incidents.³

Governance requirements: The NIS2 Directive places direct responsibility on senior management and introduces tougher enforcement, including significant financial penalties for non-compliance.³

Enforcement and penalties: If regulations are not met, essential entities can face fines of up to €10 million or 2% of global annual turnover, whichever is higher.³

Has NIS2 been implemented in Ireland?

As of 2026, NIS2 has not yet been fully implemented in Ireland, although progress has been made.¹

Ireland missed the original EU transposition deadline of October 2024 and remains in a transitional phase. Draft legislation, the National Cyber Security Bill, is progressing through the legislative process.

In the meantime, the existing NIS1 framework remains in place, but organisations are expected to prepare now for NIS2 compliance.

What does NIS2 mean for your organisation?

The NIS2 Directive places greater emphasis on understanding cyber risk, managing it proportionately, reporting significant incidents and ensuring senior management oversight. Organisations that want to avoid last-minute pressure should use this transitional period to put key structures in place.¹

How to prepare for the NIS2 Directive

1. Confirm whether your organisation is in scope

The first step is to assess whether your organisation falls within one of the sectors covered by the NIS2 Directive and whether it meets the relevant size or service criteria. In Ireland, it generally applies to public or private entities established in Ireland that operate in listed sectors, meet medium or large enterprise thresholds, and provide services or carry out activities within the EU.¹

2. Understand if you are an essential or important entity

Under the NIS2 Directive, organisations are grouped into two categories: essential and important. This affects how closely they will be monitored and what action may be taken if they do not meet the rules.³
Essential entities are usually checked more closely because they provide services that are critical to society or the economy. Important entities are still regulated, but they are generally reviewed after an issue or concern has been raised.³

Organisations should not wait to be told whether NIS2 applies to them. Each organisation should review its own activities, sector and size to understand whether it falls within the threshold.¹ ²

3. Put cybersecurity governance at board level

One of the most significant changes under the NIS2 Directive is the increased responsibility placed on senior management.¹

This means cyber risk should be treated as an organisational risk, not just a technical issue. Boards and senior leaders will need visibility over the organisation’s risk assessments, security controls, incident response planning, supply chain exposure and compliance status.

4. Review cybersecurity risk management measures

The NIS2 Directive requires relevant organisations to take appropriate measures to manage cyber risks. In practice, this includes areas such as risk management policies, incident handling, business continuity, crisis management, supply chain security, cyber hygiene, staff training, access control, asset management and secure communications.

The NCSC has also published draft Risk Management Measures guidance and recommends that organisations use recognised cybersecurity frameworks, such as Cyber Fundamentals, to assess their preparedness.¹

5. Prepare for incident reporting

The NIS2 Directive introduces stricter reporting expectations for significant incidents.³

Organisations should ensure they have a clear internal process for identifying, escalating and documenting incidents. This should include defined responsibilities, decision-making procedures, evidence gathering, communications planning and engagement with the relevant competent authority or CSIRT once the Irish reporting framework is live.³

6. Keep evidence of compliance

Being prepared for the NIS2 Directive is not only about having controls in place. Organisations will also need to be able to demonstrate what they have done. Useful evidence may include risk assessments, cybersecurity policies, incident response plans and audit findings. ³

7. Monitor the Irish implementation timeline

As mentioned earlier, Ireland has not yet completed full implementation of the NIS2 Directive. The National Cyber Security Bill is the mechanism through which the Directive will be transposed into Irish law.
Until that legislation is enacted, the NCSC has stated that NIS2 registration and reporting portals will not go live, and existing NIS1 obligations continue to apply to organisations already designated under that framework.¹

Final takeaway

The introduction of the NIS2 Directive marks a major shift in how cybersecurity is regulated across the EU. For Irish organisations, the practical message is to prepare now: assess if you are affected, understand your classification, assign senior ownership, review your cyber risk management measures, strengthen incident response processes and keep clear evidence of the steps taken.¹

The NIS2 Directive is not just about preventing cyber incidents. It is about proving that cyber risk is being governed, managed and reported.

Follow our cyber series as we look at further mandates in cybersecurity including the EU Product Liability Directive and EU AI Act.

The introduction of the NIS2 Directive marks a major shift in how cybersecurity is regulated across the EU. For Irish organisations, the practical message is to prepare now: assess if you are affected, understand your classification, assign senior ownership, review your cyber risk management measures, strengthen incident response processes and keep clear evidence of the steps taken.

David Dalton
Senior Account Executive

Want to see how we can help?

No matter the industry you operate in, you will have some sort of reliance on technology for the effective day-to-day running of your business. That’s what makes cyber insurance so important; every company has some level of vulnerability that cyber criminals can exploit.


General disclaimer

This insights article is not intended to address any specific situation or to provide legal, regulatory, financial, or other advice. While care has been taken in the production of this article, NFP does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the article or any part of it and can accept no liability for any loss incurred in any way by any person who may rely on it. Any recipient shall be responsible for the use to which it puts this article. This article has been compiled using information available to us up to its date of publication.

Margin Investments Ltd t/a NFP, RideSure is authorised and regulated by the Central Bank of Ireland. Registered office: ReSure House, Steeple View Court, Church Road, Malahide, Dublin, K36Y673 and its directors are Aidan Brady, Ross Barron, Garry Fitzroy,  Registered in Ireland No: 288386.


NFP contributors

David Dalton
Senior Account Executive



https://www.nfpireland.ie/insights/articles/what-is-the-nis2-directive-and-what-does-it-mean-for-irish-organisations-in-2026/
2026 Copyright | All Right Reserved