When a Donegal construction firm received a letter from a large public sector client last year, the message was unambiguous: suppliers handling sensitive project data would be required to demonstrate NIS2-aligned security controls from January 2026. The firm had no documented security programme, no designated security lead, and no idea where to start. They had twelve months. That turned out to be exactly enough time.
Many Irish SMEs in Donegal, Sligo, and across the North-West are in the same position today. The NIS2 Directive has significantly broadened the scope of EU cybersecurity regulation, pulling in organisations that previously had no formal compliance obligations. Misunderstanding your scope — assuming you are too small, too rural, or too sector-specific to be affected — is the most common and most costly mistake. This roadmap is designed to take a typical Donegal SME from foundational security to NIS2-ready in twelve structured months.
WHAT: The NIS2 Baseline You Are Working Towards
NIS2 is not a single checkbox. It requires a functioning risk management process, documented security controls, tested incident response capability, supply chain oversight, and regular reporting to senior management. NCSC Ireland is the national authority responsible for NIS2 implementation and enforcement, and their published guidance sets out the specific obligations for different categories of organisation.[^1]
The good news is that NIS2 compliance and good general security practice are almost entirely the same thing. If you build a sensible, well-documented security programme, NIS2 alignment follows naturally. This roadmap treats NIS2 as the destination and good security practice as the path.
WHAT NOW: A Month-by-Month Plan
Months 1 and 2 — Know What You Have. Before you can protect your business, you need to understand it. Start with a digital asset inventory: every laptop, server, cloud account, application, and data set that matters to your operations. Then conduct a risk assessment — what threats are realistic, what would the impact be, and where are your biggest gaps. For a Donegal SME, this typically takes four to six weeks and costs between €1,500 and €3,000 if you engage external support. The output is a risk register that drives every decision for the next ten months.
Month 2 — Close the Obvious Gaps. Multi-factor authentication and systematic patch management are the two controls that, together, prevent the majority of successful attacks. Enable MFA across all email, cloud, and critical business accounts this month. Establish an automated patching schedule for operating systems and key applications. These two steps cost relatively little and eliminate most of your exposure to credential theft and vulnerability exploitation.
Is your Donegal business unsure where its biggest cyber risks actually sit? Book a free 20-minute strategy call — we will give you an honest, jargon-free picture of your current risk and what to prioritise first.
Month 3 — Build Your Safety Net. Test your backups this month — not just confirm they exist, but actually restore data from them. Many Irish SMEs discover at this point that their backups have been failing silently for months. Alongside backup testing, draft a simple incident response plan. It does not need to be a hundred-page document. It needs to answer four questions: who is in charge when something goes wrong, who do you call, what do you do in the first hour, and how do you communicate with clients and regulators. NCSC Ireland's incident reporting hotline is 1800 CYBER1.
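One way to make "actually restore data from them" a repeatable test, as an added example that is not part of the original article: restore the archive into scratch space and verify every file against a SHA-256 manifest recorded when the backup was taken, so a backup that has silently dropped a file fails the test instead of looking healthy. The sample files and archives are constructed in a temporary directory so the script runs offline.

```python
"""Backup restore test: restore an archive into scratch space and verify each
file against a SHA-256 manifest taken at backup time. Constructed example."""
import hashlib
import tarfile
import tempfile
from pathlib import Path

def build_manifest(source: Path) -> dict:
    """Relative path -> SHA-256 for each file; record this when the backup runs."""
    return {str(p.relative_to(source)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(source.rglob("*")) if p.is_file()}

def make_archive(source: Path, dest: Path) -> None:
    with tarfile.open(dest, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                tar.add(p, arcname=str(p.relative_to(source)))

def restore_and_verify(archive: Path, manifest: dict) -> dict:
    """Actually restore the archive, then compare every file with the manifest."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive) as tar:
                # the 'data' filter blocks path traversal (Python 3.12+ only)
                opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(scratch, **opts)
        except (tarfile.TarError, OSError) as exc:
            return {"archive": archive.name, "passed": False, "problems": [f"restore failed: {exc}"]}
        for rel, expected in manifest.items():
            restored = Path(scratch, rel)
            if not restored.is_file():
                problems.append(f"missing after restore: {rel}")
            elif hashlib.sha256(restored.read_bytes()).hexdigest() != expected:
                problems.append(f"content mismatch: {rel}")
    return {"archive": archive.name, "passed": not problems, "problems": problems}

def demo() -> tuple:
    """Constructed sample: one sound backup and one that silently dropped a file."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "data")
        src.mkdir()
        (src / "projects.csv").write_text("job,client\n17,County Council\n")
        (src / "notes.txt").write_text("tender deadline 2025-09-30\n")
        manifest = build_manifest(src)
        good, bad = Path(tmp, "good.tar.gz"), Path(tmp, "bad.tar.gz")
        make_archive(src, good)
        (src / "notes.txt").unlink()  # simulate a file the backup job missed
        make_archive(src, bad)
        return restore_and_verify(good, manifest), restore_and_verify(bad, manifest)
```

The returned record (pass/fail plus the list of problems) is the kind of evidence the quarterly review in months 10 to 12 should be keeping.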
Month 4 — Train Your Team. Your staff are your most important security control and your most common point of failure. This month, deliver mandatory security awareness training to all employees, including part-time staff and contractors. Cover phishing recognition, password hygiene, what to do if they suspect an incident, and your reporting procedure. Follow up with a simulated phishing exercise to measure baseline awareness. The Data Protection Commission has noted repeatedly that human error is a factor in the majority of GDPR breaches reported by Irish organisations.[^3]
Month 5 — Understand Your Regulatory Position. With foundational controls in place, this is the right moment to assess your formal NIS2 obligations. Not every Irish SME falls within scope. Scope depends on your sector, size, and whether you are considered essential or important infrastructure. Consult NCSC Ireland's published guidance or take legal advice if your position is unclear. If you are in scope, begin the registration process now rather than waiting for a deadline.
Month 6 — Review Your Insurance. Cyber insurance is not a substitute for good security, but it is a critical component of a complete risk management strategy. Review your existing policy or get new quotes. Understand specifically what your policy covers and, more importantly, what it excludes. Insurers increasingly require evidence of specific controls — MFA, tested backups, documented incident response — before they will pay out on a claim.
Months 7 to 9 — Secure Your Supply Chain. Supply chain attacks account for a growing share of the incidents investigated by An Garda Síochána's National Cyber Crime Bureau.[^2] These months are for assessing the security of your own suppliers and vendors. Identify which third parties have access to your systems or data. Send them a security questionnaire. Review their certifications. Incorporate security clauses into new contracts. This is also a NIS2 requirement for many in-scope organisations.
Months 10 to 12 — Embed and Report. The final quarter is about governance: making cybersecurity a permanent part of how your business is managed rather than a one-off project. Establish a quarterly security review meeting with senior management. Produce a simple dashboard showing your key metrics — patch compliance, training completion, backup test results, open incidents. Conduct an annual security audit, either internally or with external support, to identify what has changed and what needs updating.
WHY IT MATTERS: The Stakes Are Real
NIS2 penalties for non-compliance can reach €10 million for essential entities. Director liability is now a genuine concern — NIS2 makes senior management personally accountable for the adequacy of their organisation's security governance. The reputational cost of a breach that damages client data can be worse than the financial penalty. For businesses in Donegal that depend on long-term relationships with public sector clients or large enterprise customers, losing that trust is an existential risk.
The businesses that survive serious cyber incidents are not the ones with the most sophisticated technology. They are the ones that started building a programme before the incident happened.
WHAT NEXT: Three Actions This Month
Start your asset inventory this week. A simple spreadsheet listing every device, cloud account, and application is a meaningful beginning. Prioritise the systems that would stop the business if they went down.
Enable MFA on your email platform today. For Microsoft 365 or Google Workspace, this takes less than thirty minutes and immediately reduces your most common attack surface.
Book a structured conversation with a security adviser who understands the Irish regulatory environment. The roadmap above is a framework. Getting the right starting point for your specific business, sector, and risk profile is what turns a framework into a plan that works.
[^1]: NCSC Ireland. Advice for Organisations. https://www.ncsc.gov.ie/advice-for-organisations/
[^2]: An Garda Síochána. Cyber Crime. https://www.garda.ie/en/crime/cyber-crime/
[^3]: Data Protection Commission. Guidance for Organisations. https://www.dataprotection.ie
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.