In February 2026, staff at the Health Research Board in Dublin were told to unplug their computers and go home. Systems were shut down and an active NCSC Ireland investigation began. The incident echoed the devastating HSE ransomware attack of May 2021, which cost over €100 million to recover from and disrupted patient services for months. These are not isolated failures of large institutions. They are evidence of a vulnerability pattern that runs through every sector of the Irish economy, including the SMEs that supply and support those institutions.
For Irish businesses facing NIS2 obligations, whether directly in scope or as part of a regulated supply chain, the question is not whether to act, but how. Two frameworks offer the clearest combined path: CyFUN, the Cyber Fundamentals Framework that NCSC Ireland has adopted for NIS2 (it was developed by the Centre for Cybersecurity Belgium, not in Ireland), and Australia's Essential 8. Neither alone is sufficient. Together, they cover NIS2's requirements more completely than either does on its own.
Why Your Current Approach Is Insufficient
The threat landscape facing Irish SMEs is brutal and getting worse. A Donegal accountancy firm transferred €18,000 after acting on a business email compromise (BEC) message that appeared to come from a long-standing client. It had no cyber insurance, and the funds were never recovered. In Sligo, a hotel's booking system was encrypted by ransomware over a bank holiday weekend. The owners paid €12,000 in Bitcoin, and the decryption key only partially worked.
These are not sophisticated nation-state attacks. They are routine criminal operations targeting businesses that have not implemented basic controls. NIS2's Article 21 responds to exactly this pattern — it demands an all-hazards approach to risk management focused on actual risk reduction, not checkbox compliance. A risk assessment that sits in a folder unread and controls that are documented but not implemented will not satisfy Irish regulators, and they will not stop an attack.
Is your cybersecurity posture aligned to NIS2's Article 21 requirements? Book a free 20-minute strategy call — we help Donegal and North-West businesses build a defensible, practical cyber baseline that satisfies both regulators and enterprise clients.
CyFUN: The Governance Layer
CyFUN, the Cyber Fundamentals Framework, was developed by the Centre for Cybersecurity Belgium and has been adopted by NCSC Ireland as the primary tool for Irish organisations to meet their NIS2 obligations.[^1] It is built on NIST Cybersecurity Framework 2.0 and organises security across six functions: Govern, Identify, Protect, Detect, Respond, and Recover.
Think of CyFUN as the governance blueprint. It defines what your organisation needs to address — risk management strategy, policy, incident handling, business continuity, supply chain security, staff training, and board oversight — and provides the documented structure that regulators will expect to see. Without CyFUN's governance layer, even technically strong organisations struggle to demonstrate the systematic, managed approach that NIS2 requires.
CyFUN's Govern function addresses NIS2 Article 21(2)(a), policies on risk analysis and information system security. Its Respond function covers incident handling (Article 21(2)(b)). Its Recover function covers business continuity and backup management (Article 21(2)(c)). Its Identify function supports supply chain risk assessment (Article 21(2)(d)). CyFUN also defines assurance levels (Small, Basic, Important and Essential), so an organisation can pick a scope proportionate to its size and risk rather than attempting every control at once. For Irish organisations, using CyFUN as the organising framework is the most direct path to demonstrating NIS2 compliance.
Essential 8: The Technical Controls
The Essential 8, developed by the Australian Cyber Security Centre, provides the practical technical layer that CyFUN's governance requires but does not specify.[^2] Its eight strategies — application control, patch applications, configure Microsoft Office macro settings, user application hardening, restrict administrative privileges, patch operating systems, multi-factor authentication, and regular backups — target the specific techniques most commonly used in successful attacks.
If CyFUN is the blueprint, the Essential 8 are the locks on the doors and the fire extinguishers. They are the tangible, testable controls that stop attackers and limit damage. Unlike the UK's Cyber Essentials scheme, which is a binary pass or fail, the Essential 8 uses maturity levels (0 through 3), allowing organisations to demonstrate progressive improvement. For most Irish SMEs, reaching Maturity Level 1 across all eight strategies provides substantial protection against the most common attack types. The ACSC's own guidance is to bring all eight strategies to the same maturity level before pushing any one of them higher, because attackers route around the weakest control rather than through the strongest.
The Essential 8 directly addresses several specific NIS2 Article 21 requirements. Patch Applications and Patch Operating Systems cover the vulnerability handling called for in Article 21(2)(e). MFA maps to Article 21(2)(j), which names multi-factor authentication explicitly, and supports the access control policies in Article 21(2)(i). Regular Backups cover the backup management named in Article 21(2)(c). Restrict Administrative Privileges and Application Control address system security. The technical precision of the Essential 8 fills the gaps left by governance-focused frameworks.
The Hybrid Model: Phased Implementation
The practical advantage of combining CyFUN and the Essential 8 is that it creates a phased, manageable implementation roadmap that Irish SMEs can follow without a dedicated security team.
In the first two months, focus on the foundation. Conduct a CyFUN initial risk assessment across the Identify function, and implement the four Essential 8 controls with the highest immediate impact: patching applications, patching operating systems, enabling MFA, and establishing backups that are restore-tested and kept where a compromised user or administrator account cannot delete or encrypt them. These four controls alone would have prevented the majority of the ransomware and credential-based attacks that An Garda Síochána's National Cyber Crime Bureau reported against Irish businesses in 2025.[^3]
In months three through six, harden and govern. Develop incident response and business continuity policies aligned to CyFUN's Respond and Recover functions, and implement the remaining Essential 8 controls — application control, user application hardening, restricting administrative privileges, and configuring macro settings. Document everything. The documentation is what distinguishes a genuine security posture from a paper exercise.
In months seven through twelve, mature and demonstrate. Refine policies, test them, and prepare for the supervision NIS2 establishes: the competent authority can carry out on-site inspections and security audits and demand evidence, proactively for essential entities and after an incident or an indication of non-compliance for important entities. NCSC Ireland expects evidence of a systematic approach, not a one-time snapshot. A Letterkenny GP practice that was fined €15,000 by the Data Protection Commission for inadequate access controls had controls on paper but not in practice. The hybrid model's maturity approach closes that gap.
The combined cost of a NIS2 enforcement action, a ransomware incident, and lost client contracts dwarfs the cost of implementing this framework. The question for Irish directors is not whether they can afford to build a hybrid cyber baseline — it is whether they can afford not to.
What Next: Three Actions for Irish SMEs
First, complete a CyFUN self-assessment before the end of this month. The NCSC Ireland provides free guidance. This structured assessment maps directly to NIS2 Article 21 and takes a day to complete honestly. The output tells you exactly which governance gaps need addressing before you move to technical controls.
Second, implement MFA, patching, and tested backups across your entire operation this quarter. These are four of the eight Essential 8 strategies (patching counts twice, once for applications and once for operating systems); they address the weaknesses most commonly exploited against Irish SMEs, and they are achievable without specialist skills. Configure automatic updates on all devices, enable MFA on all email, remote access and administrator accounts, and verify that your most recent backup can actually be restored: restore it into a scratch location rather than over the live system and compare the restored files against a record made at backup time. Document the test.
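The restore test asked for here and in the month one-to-two foundation step, as an added example that is not code from the Pragmatic Security page: a shell script that restores a backup into a scratch directory, checks every file against a SHA-256 manifest written at backup time, and appends the dated evidence line that "Document the test" calls for. The tar format, the manifest, the evidence log layout and the client files are all assumptions made for the example, not anything the page specifies; the sample data is constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the Pragmatic Security page): a backup restore test that
# leaves a dated evidence record. Assumptions, not taken from the page: backups are
# tar archives, a SHA-256 manifest is written at backup time, and the evidence log
# is a plain-text file kept for the auditor. The sample data below is constructed.
set -eu

# hash_file FILE: print the SHA-256 hex digest (sha256sum on Linux, shasum on macOS).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# make_backup SRC_DIR ARCHIVE MANIFEST
# Archive SRC_DIR and write "sha256  relative/path" for every file, so the restore
# test checks against a record made independently of the archive itself.
make_backup() {
    src="$1"; archive="$2"; manifest="$3"
    ( cd "$src" && find . -type f | sort | while IFS= read -r f; do
          printf '%s  %s\n' "$(hash_file "$f")" "${f#./}"
      done ) > "$manifest"
    tar -cf "$archive" -C "$src" .
}

# restore_test ARCHIVE MANIFEST EVIDENCE_LOG
# Restore into a scratch directory (never over production), verify that every file
# in the manifest is present with the expected hash, and append one dated line to
# EVIDENCE_LOG. Returns 0 on PASS, 1 on FAIL (unreadable archive, missing or
# altered files, or an empty manifest).
restore_test() {
    archive="$1"; manifest="$2"; evidence="$3"
    scratch="$(mktemp -d)"
    status=0; checked=0; mismatches=0
    if ! tar -xf "$archive" -C "$scratch" 2>/dev/null; then
        status=1
    else
        while IFS= read -r line; do
            expected="${line%%  *}"
            rel="${line#*  }"
            checked=$((checked + 1))
            if [ ! -f "$scratch/$rel" ] || [ "$(hash_file "$scratch/$rel")" != "$expected" ]; then
                mismatches=$((mismatches + 1))
            fi
        done < "$manifest"
        if [ "$checked" -eq 0 ] || [ "$mismatches" -gt 0 ]; then
            status=1
        fi
    fi
    rm -rf "$scratch"
    verdict=PASS; [ "$status" -eq 0 ] || verdict=FAIL
    printf '%s operator=%s archive=%s files_checked=%s mismatches=%s result=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "${USER:-unknown}" "$(basename "$archive")" \
        "$checked" "$mismatches" "$verdict" >> "$evidence"
    return "$status"
}

# demo: constructed client files, one intact archive and one corrupted copy.
# Returns 0 when the intact archive passes and the corrupted one fails.
demo() {
    work="$(mktemp -d)"
    mkdir -p "$work/live/clients"
    printf 'invoice 2025-001, 1200.00 EUR\n' > "$work/live/clients/invoice.txt"
    printf 'date,account,amount\n' > "$work/live/ledger.csv"
    make_backup "$work/live" "$work/nightly.tar" "$work/nightly.sha256"
    good=1; bad=1
    restore_test "$work/nightly.tar" "$work/nightly.sha256" "$work/evidence.log" && good=0
    head -c 100 "$work/nightly.tar" > "$work/corrupt.tar"   # truncated: not even one full header
    restore_test "$work/corrupt.tar" "$work/nightly.sha256" "$work/evidence.log" || bad=0
    cat "$work/evidence.log"
    rm -rf "$work"
    if [ "$good" -eq 0 ] && [ "$bad" -eq 0 ]; then return 0; else return 1; fi
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `./backup_restore_test.sh demo` to see one PASS line and one FAIL line in the evidence log. In production, call restore_test from the backup job against the newest archive and keep the evidence log beside the backup policy. The manifest has to be stored away from the archive (and away from the system being backed up), or an intruder who encrypts both leaves nothing to verify against; compressed or encrypted archives only change the extraction step.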
Third, appoint a named individual responsible for cyber governance in your organisation. Under NIS2, responsibility cannot be diffuse: Article 20 makes the management body responsible for approving and overseeing the risk-management measures and for undergoing training, and its members can be held liable for infringements. Your board needs someone who can report on your security posture, manage your risk register, and coordinate your incident response when something goes wrong. For most Irish SMEs, a vCISO engagement is the most cost-effective way to provide that capability without a full-time hire.
[^1]: NCSC Ireland — Advice for Organisations
[^2]: Data Protection Commission Ireland
[^3]: An Garda Síochána — Cybercrime
Related Reading
- NIS2 Fines and Penalties: The Numbers That Should Keep Every Irish Director Awake
- The 12-Month Cyber Governance Roadmap for a Donegal SME: From Zero to NIS2-Ready
- Director Liability in the Age of NIS2 and GDPR: A Briefing for Irish Company Directors
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.