Ireland's National Cyber Security Bill

Ireland's National Cyber Security Bill transposes NIS2 but adds domestic enforcement powers, personal director liability, and NCSC authority. Here's what Irish SMEs need to know.

Ireland's National Cyber Security Bill: What It Adds Beyond NIS2 and Why Irish SMEs Can't Wait

Ireland is late transposing NIS2. The EU deadline was October 2024, and the National Cyber Security Bill — the primary vehicle for bringing NIS2 into Irish law — is still making its way through the Oireachtas as of mid-2026. The European Commission has formally noted Ireland's delay, as it has for a number of other member states.

That legislative delay does not mean Irish businesses are off the hook. NIS2 itself is an EU directive, and the obligations it establishes are not new. Irish organisations in scope should already be taking steps. The bill's passage will not introduce new surprises for organisations paying attention; it will introduce enforcement teeth.

The Legislative Background

NIS2 (Directive 2022/2555) is the EU's updated Network and Information Security directive. It replaced the original NIS Directive and significantly expanded its scope, obligations, and enforcement provisions. Unlike a regulation, a directive requires member states to transpose its requirements into national law.

Ireland's transposition vehicle is the National Cyber Security Bill. The Bill was published and has progressed through the Oireachtas committee stage, but as of July 2026 has not yet passed into law. The timeline for enactment remains uncertain.

The practical consequence is that Ireland currently lacks the full statutory framework, enforcement powers, and penalty regime that NIS2 requires member states to establish. This creates an odd situation where the substantive obligations of NIS2 are in force under EU law, but the national enforcement and supervisory architecture is not yet fully operational.

What the Bill Adds Beyond NIS2

The National Cyber Security Bill does not simply copy-paste NIS2 text into Irish statute.

The NCSC as national authority

The National Cyber Security Centre (NCSC) is designated as Ireland's primary competent authority for NIS2 matters. Under the Bill, the NCSC gains formal statutory powers — including the ability to conduct audits, inspections, and investigations; to issue binding instructions; and to impose administrative financial penalties on non-compliant entities.

Before the Bill passes, the NCSC operates without this full statutory toolkit. Post-passage, that changes materially.

Sector-specific regulators

Ireland's approach allocates supervisory responsibility across sector-specific regulators for some of the 18 sectors NIS2 covers. The Central Bank of Ireland oversees financial entities. ComReg handles electronic communications. The Bill establishes the framework for how these bodies interact with the NCSC and exercise their own powers.

Broader scope

NIS2 dramatically expanded the range of sectors and entity types covered compared to its predecessor. The sectors include energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management, public administration, and space — plus "important" sectors including postal services, waste management, chemicals, food, manufacturing, digital providers, and research.

Critically, the threshold question is not just whether your sector appears on the list. It is whether your organisation meets the "medium-sized enterprise" threshold (50+ employees or €10m+ turnover). Organisations providing services to in-scope entities as ICT suppliers or managed service providers can be drawn in through supply chain provisions regardless of their own size.

Personal liability for senior management

The Bill includes provisions requiring that senior management of in-scope entities are accountable for the implementation and oversight of cybersecurity risk management measures. NIS2 Article 20 contains equivalent language, but the Bill gives it Irish statutory expression.

In practical terms, directors cannot treat cybersecurity as purely a technical matter delegated to IT. They must demonstrate active oversight — approving policies, receiving regular reporting, and participating in awareness training. Regulators can hold individual managers personally liable for breaches of these oversight obligations.

This does not mean directors face personal liability for every security incident. It means they face potential liability for failing to establish adequate governance and oversight. The distinction is important.

Why Waiting for the Bill Is a Mistake

NIS2 obligations are not contingent on the Bill. The directive is in effect. Irish entities in scope are already subject to its risk management and incident reporting requirements under EU law.

The Bill is coming. When it passes, regulators will not extend grace periods indefinitely for entities that have done nothing in the interim. Organisations that can demonstrate a compliance programme in progress will be in a substantially better position than those starting from zero on the day of enactment.

The underlying risks do not respect legislative timelines. The threat environment that NIS2 was designed to address — ransomware, supply chain attacks, critical infrastructure targeting — is active now.

What Irish SMEs Should Be Doing Now

Determine your scope. Are you a medium or large enterprise in a listed sector? Do you provide ICT services or critical dependencies to entities that are in scope? If yes to either, begin treating NIS2 obligations as applicable now.

Establish governance. Cybersecurity risk needs to be a standing agenda item at board or senior management level. Document that oversight — meeting minutes, risk register reviews, policy approvals.

Implement the core risk measures. NIS2 Article 21 specifies the minimum measures: risk analysis, incident handling, business continuity, supply chain security, network security, access control, cryptography, and multi-factor authentication. If you need a structure, NIS2 compliance guidance is available.

Prepare for incident reporting. NIS2 requires significant incident notification within 24 hours (initial warning) and 72 hours (fuller report). You need an incident response process that produces the required information within those windows.

Engage your supply chain. If you are in scope, your significant ICT suppliers may be too — and you may have contractual obligations to require security measures from them.

The National Cyber Security Bill will pass. When it does, enforcement in Ireland will have real teeth: administrative penalties of up to €10 million or 2% of global annual turnover for important entities, and up to €20 million or 2% for essential entities. A vCISO engagement can help you build a credible, proportionate compliance programme before those penalties become available to regulators.


James McGee is a CISA, CISSP, and CISM-certified security professional and founder of Pragmatic Security, an Irish vCISO advisory firm helping SMEs navigate cybersecurity and regulatory compliance.