Building a NIS2 Compliance Roadmap: A 12-Month Plan for Irish SMEs.

A practical 12-month NIS2 compliance roadmap for Irish SMEs. Three structured phases covering assessment, implementation, and continuous improvement.

When a Donegal food processing company received its first NIS2 applicability assessment from its industry body in late 2025, the managing director's first reaction was relief: surely the directive applied to large digital infrastructure companies, not a regional manufacturer with sixty employees. Three weeks and one specialist legal review later, the relief had been replaced by a different emotion. The company fell squarely within scope. It had twelve months to build a functioning compliance programme. It had no idea where to start.

That scenario is repeating across Ireland. The NIS2 Directive has significantly expanded the scope of EU cybersecurity regulation, capturing businesses across sectors — food production, transport, healthcare, digital services, and more — that previously had no formal cyber compliance obligations. Over 60 percent of cyberattacks now target SMEs, and NIS2 exists precisely because the weakest links in critical supply chains are often the smaller organisations. NCSC Ireland is the national authority responsible for implementation and enforcement, and its guidance makes clear that scope is determined by sector and function, not by how large or rural your business is.[^1]

WHAT: Understanding What NIS2 Actually Requires

NIS2 is not a technology standard. It is a risk management and governance framework. The directive requires organisations to implement proportionate technical and organisational measures to manage cybersecurity risk, to report significant incidents within defined timelines, to address supply chain security, to maintain business continuity capability, and to ensure senior management is accountable for cybersecurity governance. Directors can be held personally liable for inadequate compliance.

The specific obligations depend on whether your organisation is classified as essential or important under the directive. Essential entities face more stringent requirements and more active supervisory attention. Important entities have comparable obligations but a lighter supervisory regime. In both cases, the practical compliance requirement is similar: a documented, functioning security programme that is proportionate to your risk.

WHAT NOW: Three Phases Across Twelve Months

Phase 1 — Assessment and Planning (Months 1 to 3). The first three months are for understanding where you are and building the plan for where you need to be. Begin with a formal gap analysis: assess your current security controls against NIS2 requirements and identify what is missing, incomplete, or undocumented. This work should be done honestly, with external support if your internal team does not have the specialist knowledge. The output is a risk register and a remediation plan that sets realistic timelines and costs.

Month 2 focuses on policy review. Take your existing security policies — or draft them if they do not exist — and align them with NIS2 principles. This covers incident response procedure, access control policy, data protection practice, and business continuity planning. Engage legal counsel for the policy documentation stage to ensure your policies are enforceable and consistent with GDPR obligations enforced by the Data Protection Commission.[^3]

Month 3 is for project planning. Assign a named compliance lead — internal or a virtual CISO — with clear authority and budget. Build a project plan with monthly milestones and a named owner for each action. Secure senior management sign-off. Without visible leadership commitment, compliance projects stall at exactly the wrong moment.

Unsure whether your business falls within NIS2 scope, or where your biggest compliance gaps are? Book a free 20-minute strategy call — we work with Irish SMEs to build NIS2 compliance programmes that are proportionate to their real risk.

Phase 2 — Implementation and Remediation (Months 4 to 9). The middle six months are for building and deploying controls. Months 4 to 6 focus on technical hardening: MFA across all critical accounts, endpoint detection and response tools, network segmentation, and robust backup solutions with verified restoration capability. These are the controls that both reduce your real risk and demonstrate the technical baseline NIS2 expects.

Months 7 to 9 focus on process and people. Develop and test your incident response plan — including the specific notification procedures for reporting to NCSC Ireland within the 24-hour initial reporting window required by the directive. Implement supply chain security measures: vendor assessment processes, security clauses in contracts, and ongoing monitoring of critical third parties. An Garda Síochána's National Cyber Crime Bureau consistently identifies supply chain compromise as a primary attack vector against Irish organisations.[^2] Conduct mandatory security awareness training for all staff, including contractors and part-time employees.

Phase 3 — Testing, Review, and Continuous Improvement (Months 10 to 12). The final quarter validates everything built in Phases 1 and 2. Month 10 is for external penetration testing and vulnerability scanning — a controlled attempt to find what an attacker would find. The report from a professional external tester is both a gap-closure tool and evidence of good faith for regulators.

Month 11 is for documentation finalisation. Pull together your complete NIS2 documentation package: gap analysis report, risk register, policy set, incident response plan, training records, vendor assessment results, and test evidence. This package is what you would present to a regulator, an insurer, or a major client conducting due diligence.

Month 12 establishes continuous monitoring and the annual review cycle. Cybersecurity is not a project that finishes. Build quarterly security review meetings, automated patch compliance monitoring, and an annual risk reassessment into your operational calendar.

WHY IT MATTERS: The Consequences of Inaction

NIS2 penalties for in-scope entities that fail to implement adequate security measures can reach €10 million for essential entities. Beyond financial penalties, the Data Protection Commission has authority to investigate cybersecurity failures where personal data is involved, with fines of up to €20 million under GDPR.[^3] Director liability is explicit in NIS2 — senior management cannot delegate accountability and then claim ignorance when an incident occurs.

The commercial consequences often precede the regulatory ones. Large clients and public sector buyers are already requiring NIS2-aligned security programmes from their suppliers. Businesses that cannot demonstrate compliance are being removed from tender processes and preferred supplier lists. The reputational cost of a breach — with a client's data, in a local market — compounds the financial and regulatory consequences significantly.

NIS2 compliance done properly is not just about avoiding penalties. It is about building a business that clients, insurers, and regulators trust — which in competitive Irish markets is an increasingly tangible advantage.

WHAT NEXT: Three Immediate Steps

  1. Determine your scope this month. Consult NCSC Ireland's published guidance or take specialist legal advice to confirm whether your sector and size place you within NIS2 scope. Do not assume you are outside scope without verification.

  2. Designate a compliance lead today. A named person with authority and accountability is the single most important prerequisite for a successful compliance programme. Without ownership, nothing moves.

  3. Conduct an initial self-assessment against the five NIS2 core requirements: risk management, incident reporting, supply chain security, business continuity, and governance. Even a rough assessment — red, amber, green against each area — gives you the starting point for a structured plan.

[^1]: NCSC Ireland. Advice for Organisations. https://www.ncsc.gov.ie/advice-for-organisations/

[^2]: An Garda Síochána. Cyber Crime. https://www.garda.ie/en/crime/cyber-crime/

[^3]: Data Protection Commission. Guidance for Organisations. https://www.dataprotection.ie

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.