When a Sligo-based energy services contractor received a supplier security questionnaire from a major utility client in early 2026, the questions were not about certificates on the wall — they asked about DDoS protection, web application firewalls, encryption in transit, and documented incident response procedures. The contractor had none of these formally in place. The contract review was paused until they could demonstrate adequate controls. Within three weeks they had implemented Cloudflare's free plan and documented what it covered. The client accepted it as a reasonable starting point.
That story illustrates something practical about NIS2: compliance is not always about expensive enterprise tools. For many Irish SMEs, the baseline technical controls the directive requires are already accessible for free. Understanding where Cloudflare fits — and where it does not — is the starting point.
What NIS2 Requires
NIS2 is the EU's updated Network and Information Security Directive, which came into force across member states in late 2024. It applies to businesses in critical and important sectors — energy, transport, healthcare, financial services, digital infrastructure, and supply chain providers to regulated entities. In Ireland, NCSC Ireland is the competent authority responsible for implementation and enforcement.[^1]
For businesses in scope, NIS2 requires measurable controls across several areas: risk management and identification of critical assets; incident detection and a documented response plan; business continuity and system recovery capabilities; supply chain security due diligence; use of cryptography and encryption; access control and least privilege; and security monitoring with regular assessments.
The penalties for material non-compliance reach €10 million or 2% of global annual turnover for important entities, and €20 million or 4% for essential entities. More immediately, regulated clients and procurement bodies are already using NIS2 scope as a baseline for supplier assessments — as the Sligo contractor discovered.
Where Cloudflare Contributes to NIS2 Requirements
Cloudflare is not a NIS2 compliance platform. No single tool is. But it directly addresses several of the technical measures the directive requires, particularly for the network and application layers.
DDoS protection is a core NIS2 availability requirement. Businesses must be able to demonstrate that their critical systems can withstand distributed denial of service attacks. Cloudflare's free plan includes automatic DDoS mitigation across all connected domains, absorbing volumetric attacks through its global network. For a Donegal water utility, a healthcare booking platform, or a digital services company supplying regulated clients, this matters. Without DDoS protection, a relatively unsophisticated attack can take your services offline for hours — a reportable incident under NIS2.
The Web Application Firewall included on Cloudflare's free tier addresses NIS2's access control and threat monitoring requirements. WAF rules filter malicious traffic before it reaches your server, blocking SQL injection attempts, cross-site scripting, and automated scanning. This is not a full security operations centre, but it is a documented, active layer of protection that you can point to in a compliance assessment.
Encryption in transit is directly addressed by Cloudflare's automatic SSL and TLS certificates. NIS2 requires use of cryptography to protect data, particularly personal data in transit. Cloudflare makes HTTPS the default for all connected domains at no cost. For Irish healthcare providers or financial services firms, this removes one of the most common technical audit findings at zero cost.
Cloudflare's analytics dashboard provides logs of traffic, blocked threats, and security events. This contributes to NIS2's monitoring requirement, though it should be supplemented with server-side logging and, for higher-risk organisations, a security information and event management platform.
What Cloudflare Does Not Cover
Being honest about gaps is as important as describing what works. Cloudflare addresses the perimeter — the network and application layer facing the public internet. NIS2 requires much more than perimeter security.
You still need an incident response plan — a documented procedure for how your organisation detects, contains, and reports security incidents. NCSC Ireland requires early notification of significant incidents, and your plan must specify who does what, when they do it, and who they notify. An Garda Síochána's National Cyber Crime Bureau is the law enforcement contact for criminal cyber incidents.[^2]
You still need supply chain risk management — an assessment of whether your critical suppliers have adequate security controls. Cloudflare is one of those suppliers, and its DPA and security documentation are part of your evidence base, but you also need to assess other vendors.
You still need access control policies — who can access which systems, whether MFA is enforced, whether privileged access is logged. Cloudflare contributes nothing to internal access management.
And you still need to conduct regular security assessments. The Data Protection Commission expects ongoing demonstrable effort, not a one-time setup.[^3] For NIS2-regulated organisations, documented reviews are expected at least annually.
Three Steps to Take This Week
These are not the full scope of NIS2 compliance, but they are the baseline steps that make immediate use of Cloudflare's free capabilities.
Add your domain to Cloudflare and enable the WAF and DDoS protection on the free plan. Verify that HTTPS is enforced across all your web properties. Document the date you activated each control in a simple compliance log.
Download Cloudflare's Data Processing Agreement and retain it with your compliance records. This evidences that one of your key network providers has a GDPR and NIS2-aligned data handling agreement in place — a requirement auditors will look for.
Review NCSC Ireland's organisational guidance and identify which of your internal processes — incident response, access control, patching — are not yet documented. Cloudflare addresses the network layer. The policies and procedures for people and processes are yours to write.
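One way to carry out the "verify that HTTPS is enforced" check from the first step and produce dated rows for the compliance log, as an added example that is not part of the original article. The hostnames, the `cf-ray` value and the function names are constructed for illustration; the check assumes a Cloudflare-proxied response carries a `cf-ray` header or `server: cloudflare`.

```python
import datetime
import http.client
from urllib.parse import urlsplit

# Constructed sample responses to a plain-HTTP request: (status, lower-cased headers).
SAMPLES = {
    "example.ie": (301, {"location": "https://example.ie/", "server": "cloudflare",
                         "cf-ray": "0000000000000000-DUB"}),
    "legacy.example.ie": (200, {"server": "nginx"}),
}

def fetch_plain_http(host, timeout=5):
    """Live check: HEAD http://host/ on port 80 without following redirects."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()

def _bare(name):
    """Treat example.ie and www.example.ie as the same site."""
    name = (name or "").lower()
    return name[4:] if name.startswith("www.") else name

def assess(host, status, headers):
    """Decide whether the response shows HTTPS enforcement and Cloudflare proxying."""
    target = urlsplit(headers.get("location", ""))
    enforced = (status in (301, 302, 303, 307, 308)
                and target.scheme == "https"
                and _bare(target.hostname) == _bare(host))
    proxied = "cf-ray" in headers or headers.get("server", "").lower() == "cloudflare"
    return {"https_enforced": enforced, "via_cloudflare": proxied}

def log_rows(host, result, checked_on):
    """One compliance-log row per control: (date, host, control, PASS/FAIL)."""
    return [(checked_on.isoformat(), host, control, "PASS" if ok else "FAIL")
            for control, ok in result.items()]

if __name__ == "__main__":
    today = datetime.date.today()
    for host, (status, headers) in SAMPLES.items():  # use fetch_plain_http(host) for a live run
        for row in log_rows(host, assess(host, status, headers), today):
            print(",".join(row))
```

A host that answers plain HTTP with a 200, or redirects to a different site, is logged as FAIL and needs attention before the control is recorded as active.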
For Donegal and Sligo businesses in scope for NIS2, or supplying to businesses that are, this is not a future problem. Procurement-driven compliance checks are already under way. Getting the baseline technical controls in place now, and being able to document them, is what distinguishes a business that passes supplier review from one that does not.
[^1]: NCSC Ireland — Guidance for organisations on NIS2 and cybersecurity requirements: https://www.ncsc.gov.ie/advice-for-organisations/
[^2]: An Garda Síochána — Cybercrime Bureau and incident reporting: https://www.garda.ie/en/crime/cyber-crime/
[^3]: Data Protection Commission Ireland — Organisational compliance guidance: https://www.dataprotection.ie
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.