Originally introduced in 2016, the NIS framework set baseline rules for how organisations manage network and information security. NIS2 builds on that foundation by extending the rules to more sectors and giving regulators stronger powers to oversee cyber risk and incident handling.
In Ireland, the new regime is expected to take effect through the National Cyber Security Bill. That leaves organisations with a limited window to review their current arrangements and close any obvious gaps before the new requirements apply.
For many organisations, this will involve both practical control improvements and clearer accountability at senior level.³
What is the NIS2 Directive?
NIS2 introduces a more in-depth cybersecurity framework across the EU. The key pillars include expanded scope, risk management measures, governance requirements, enforcement and penalties.¹
Expanded scope: More sectors and organisations are regulated. Organisations may be included if they operate in a listed sector, meet medium or large enterprise thresholds and are established in Ireland or provide services within the EU.²
NIS2 applies to organisations across a wide range of sectors, including energy, transport, healthcare, utilities, digital infrastructure, cloud providers, data centres, financial services and public administration.
Risk management measures: The NIS2 Directive introduces mandatory risk management measures and stricter incident reporting obligations, requiring organisations to actively manage cyber risks and notify authorities of serious incidents.³
Governance requirements: The NIS2 Directive places direct responsibility on senior management and introduces tougher enforcement, including significant financial penalties for non-compliance.³
Enforcement and penalties: If regulations are not met, essential entities can face fines of up to €10 million or 2% of global annual turnover, whichever is higher.³
Has NIS2 been implemented in Ireland?
As of 2026, NIS2 has not yet been fully implemented in Ireland, although progress has been made.¹
Ireland missed the original EU transposition deadline of October 2024 and remains in a transitional phase. Draft legislation, the National Cyber Security Bill, is progressing through the legislative process.
In the meantime, the existing NIS1 framework remains in place, but organisations are expected to prepare now for NIS2 compliance.
What does NIS2 mean for your organisation?
The NIS2 Directive places greater emphasis on understanding cyber risk, managing it proportionately, reporting significant incidents and ensuring senior management oversight. Organisations that want to avoid last-minute pressure should use this transitional period to put key structures in place.¹
How to prepare for the NIS2 Directive
1. Confirm whether your organisation is in scope
The first step is to assess whether your organisation falls within one of the sectors covered by the NIS2 Directive and whether it meets the relevant size or service criteria. In Ireland, it generally applies to public or private entities established in Ireland that operate in listed sectors, meet medium or large enterprise thresholds, and provide services or carry out activities within the EU.¹
2. Understand if you are an essential or important entity
Under the NIS2 Directive, organisations are grouped into two categories: essential and important. This affects how closely they will be monitored and what action may be taken if they do not meet the rules.³
Essential entities are usually checked more closely because they provide services that are critical to society or the economy. Important entities are still regulated, but they are generally reviewed after an issue or concern has been raised.³
Organisations should not wait to be told whether NIS2 applies to them. Each organisation should review its own activities, sector and size to understand whether it falls within the threshold.¹ ²
3. Put cybersecurity governance at board level
One of the most significant changes under the NIS2 Directive is the increased responsibility placed on senior management.¹
This means cyber risk should be treated as an organisational risk, not just a technical issue. Boards and senior leaders will need visibility over the organisation’s risk assessments, security controls, incident response planning, supply chain exposure and compliance status.
4. Review cybersecurity risk management measures
The NIS2 Directive requires relevant organisations to take appropriate measures to manage cyber risks. In practice, this includes areas such as risk management policies, incident handling, business continuity, crisis management, supply chain security, cyber hygiene, staff training, access control, asset management and secure communications.
The NCSC has also published draft Risk Management Measures guidance and recommends that organisations use recognised cybersecurity frameworks, such as Cyber Fundamentals, to assess their preparedness.¹
5. Prepare for incident reporting
The NIS2 Directive introduces stricter reporting expectations for significant incidents.³
Organisations should ensure they have a clear internal process for identifying, escalating and documenting incidents. This should include defined responsibilities, decision-making procedures, evidence gathering, communications planning and engagement with the relevant competent authority or CSIRT once the Irish reporting framework is live.³
6. Keep evidence of compliance
Being prepared for the NIS2 Directive is not only about having controls in place. Organisations will also need to be able to demonstrate what they have done. Useful evidence may include risk assessments, cybersecurity policies, incident response plans and audit findings. ³
7. Monitor the Irish implementation timeline
As mentioned earlier, Ireland has not yet completed full implementation of the NIS2 Directive. The National Cyber Security Bill is the mechanism through which the Directive will be transposed into Irish law.
Until that legislation is enacted, the NCSC has stated that NIS2 registration and reporting portals will not go live, and existing NIS1 obligations continue to apply to organisations already designated under that framework.¹
Final takeaway
The introduction of the NIS2 Directive marks a major shift in how cybersecurity is regulated across the EU. For Irish organisations, the practical message is to prepare now: assess if you are affected, understand your classification, assign senior ownership, review your cyber risk management measures, strengthen incident response processes and keep clear evidence of the steps taken.¹
The NIS2 Directive is not just about preventing cyber incidents. It is about proving that cyber risk is being governed, managed and reported.
Follow our cyber series as we look at further mandates in cybersecurity including the EU Product Liability Directive and EU AI Act.