In May 2021, the Health Service Executive suffered a ransomware attack that crippled IT systems across Ireland. Patient appointments were cancelled. Critical services were disrupted for months. The recovery cost exceeded €100 million.[^1] Many Irish SMEs, especially those in Donegal and the North-West, assumed that attack had nothing to teach them — they were too small to be targeted. That assumption is wrong. Cybercriminals do not discriminate by size. They target vulnerability. And the CyFUN Govern function, the part most Irish businesses overlook because it feels like paperwork, is precisely the control that determines whether everything else works.
Effective governance is not a bureaucratic exercise. It is the difference between a security programme that functions under pressure and one that falls apart when an incident occurs. This 7-day quick start gives Irish business directors a concrete, actionable plan — one day's focused work per day — to implement CyFUN Govern before the end of the week.
Day 1: Asset Inventory — Know What You Protect
You cannot protect what you do not know you have. Begin by creating a comprehensive list of your digital assets: every laptop, desktop, server, and mobile device; every software application and cloud service your business uses; and every location where critical data is stored, including email accounts, shared drives, accounting systems, and customer databases.
A Donegal accountancy firm that received a business email compromise attack and transferred €18,000 to a criminal's account had never mapped its critical financial systems. Had it done so, the firm would have identified those systems as high-risk and implemented stronger controls around payment authorisation. The asset inventory is the foundation. Everything else builds on it.
Day 2: Risk Register — Understand Your Threats
Once you know what you have, you must understand what threatens it. A risk register is a structured list of potential cyber threats, assessed for likelihood and impact, with documented mitigation strategies. Keep it practical. Focus on the most probable and damaging risks: phishing attacks targeting staff email, ransomware encrypting critical files, business email compromise targeting financial transactions, and unauthorised access to client data.
A Sligo hotel that had its booking system encrypted by ransomware on a bank holiday weekend and paid €12,000 in Bitcoin had never formally assessed ransomware as a threat to its operations. That assessment would have mandated robust backups — and with tested backups, there would have been no payment and no data loss. The risk register is not a compliance document. It is a business decision tool.
Day 3: Policy Review — Set the Rules
Policies define how your business handles cybersecurity in practice. Review your existing policies — or acknowledge that you have none and create the minimum viable set. The essential policies for any Irish SME are an acceptable use policy covering what staff can and cannot do with company systems, a data protection policy aligned to GDPR requirements, a password and access management policy requiring MFA on all business accounts, and an incident reporting procedure telling staff what to do and who to contact if something goes wrong.
A Letterkenny GP practice was fined €15,000 by the Data Protection Commission after a former receptionist accessed patient records for six months post-employment. Their policies were not enforced and access was not revoked promptly.[^2] Policies are not just documents. They are operational directives that produce real consequences when they exist — and real consequences when they do not.
Does your board have a documented cybersecurity governance structure that would satisfy an NCSC Ireland inspector? Book a free 20-minute strategy call — we help Irish business directors build practical CyFUN governance without adding unnecessary bureaucracy.
Day 4: Supplier Review — Secure Your Supply Chain
Your cybersecurity is only as strong as your weakest link. For most Irish SMEs, that link is a third-party supplier — the IT provider who has remote access to your systems, the cloud service storing your customer data, the payment processor handling your financial transactions. Each supplier introduces potential risk that NIS2's Article 21 explicitly requires you to assess and manage.
The Health Research Board attack in Dublin in February 2026, where staff were told to unplug computers and go home while the NCSC Ireland investigated, serves as a reminder that supply chain attacks are a common initial access vector. Ask your critical suppliers how they protect your data, what their incident response procedures are, and whether they hold any cybersecurity certification. Document the answers. If you cannot get satisfactory answers, that is a risk to document in your risk register and manage accordingly.
Day 5: Roles and Responsibilities — Define Who Does What
Effective cybersecurity requires clear ownership. Who is accountable for data protection in your organisation? Who manages IT security? Who handles an incident when one occurs? Who reports to the board? Define these roles explicitly, document them, and ensure each named individual understands their responsibilities.
Under NIS2, Irish directors carry personal accountability for cybersecurity governance. The directive does not allow responsibility to be delegated to IT and forgotten. Many Irish SMEs lack a dedicated security professional — for them, a virtual CISO engagement provides the senior security leadership to define these roles, oversee implementation, and report to the board on the organisation's security posture. Leaving ownership undefined means critical tasks fall through the gaps.
Day 6: Board Briefing — Get Buy-in and Budget
Cybersecurity is a business risk, not an IT problem. Your board of directors must understand this distinction and be equipped to fulfil their governance obligations under NIS2. Prepare a concise briefing — one page of key risks, one page of current controls, one page of gaps and the cost to address them. Present your risk register. Use real numbers: the average ransomware incident for an Irish SME costs between €50,000 and €200,000 in direct and indirect costs. The controls that prevent most incidents cost a fraction of that.
A Cork manufacturing firm lost a €2.3 million contract after failing a client cybersecurity audit because the board had not approved investment in the required certification. Board-level understanding of cyber risk is not optional. It is a legal obligation under NIS2 and a commercial necessity for any business competing in a regulated supply chain.
Day 7: Self-Assessment — Measure and Improve
The final day is about reflection and establishing a rhythm of continuous improvement. Conduct an honest self-assessment of your CyFUN Govern implementation against the seven areas addressed this week. Identify what is complete, what is in progress, and what requires further work. Set a date one quarter from now for your next review. Assign each open item to a named owner with a deadline.
Cybersecurity is not a project with an end date. It is an ongoing operational discipline. The businesses that treat it as a quarterly management priority — reviewing the risk register, updating policies, testing backups, briefing the board — are the ones that avoid costly incidents. An Garda Síochána's Garda National Cyber Crime Bureau (GNCCB) publishes regular guidance on the threats facing Irish businesses.[^3] Make reviewing that guidance part of your quarterly governance rhythm.
Regular self-assessment against CyFUN Govern is the difference between a security programme that functions and one that fails when it matters most.
What Next: Three Priority Actions
First, complete your asset inventory and risk register by the end of this week. These are the foundation of everything else. Without them, your policies address hypothetical risks and your board briefing has no factual basis.
Second, schedule a board briefing on cybersecurity governance for this quarter. Use the output of your risk register and gap analysis. Frame it as a NIS2 compliance obligation and a commercial risk management issue. Request a budget decision on the top three gaps identified.
Third, contact Enterprise Ireland about the Cyber Security Review Grant. It covers 80% of an independent expert review at a net cost of €600 to your business, and the resulting report provides exactly the documented baseline that NIS2 requires.
[^1]: NCSC Ireland — Advice for Organisations
[^2]: Data Protection Commission Ireland
[^3]: An Garda Síochána — Cybercrime
Related Reading
- CyFUN, Cyber Essentials and Essential 8: A Complete Small Business Guide
- MFA Rollout Roadmap: From Essential 8 Maturity Level 1 to CyFUN Protect
- Mapping CyFUN, Cyber Essentials and Essential 8 to NIST CSF 2.0
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.