NIS2 Compliance for Donegal Hospitality: What the New EU Cybersecurity Law Means for Your Business.

NIS2 may apply to your Donegal hotel, restaurant, or tourism business. Here is what in-scope hospitality businesses need to know, and a practical compliance roadmap.

When a Donegal hotel manager received an email from her property management system provider asking for confirmation of NIS2 compliance status, she assumed it was a mistake — surely NIS2 was for technology companies and critical infrastructure, not for a 60-room hotel on the Wild Atlantic Way. She called us to check. The answer was more complicated than she expected: whether her hotel was directly in scope depended on its size and the digital services it provided, but her PMS provider's question was not a mistake. Supply chain obligations under NIS2 mean that even businesses below the thresholds may face contractual requirements from larger, in-scope partners.

Most Donegal hospitality businesses have never heard of NIS2. Those that have generally assume it does not apply to them. This guide explains who is in scope, what compliance actually requires, and the practical steps that any hospitality business should take — whether or not they are formally in scope.

WHAT: Who in Hospitality Is in Scope for NIS2

NIS2 (Directive (EU) 2022/2555, the second Network and Information Security Directive) applies to entities that operate in one of the sectors listed in its Annexes and that meet a size threshold. Both conditions matter: size alone does not bring a business into scope, and neither does operating a booking website or guest Wi-Fi on its own.

The size threshold is the EU definition of a medium-sized enterprise: 50 or more employees, or annual turnover or balance sheet total above €10 million. Accommodation and food service are not themselves listed sectors; the Annex II "food" entry covers wholesale distribution and industrial production and processing, not restaurants or hotel kitchens, and the "digital providers" entry covers online marketplaces, search engines and social networking platforms, not a hotel's own booking page or payment terminal. A hotel, restaurant or tourism business that meets the size threshold is therefore directly in scope only if it separately operates a listed service (for example, if it runs an online marketplace for third-party accommodation). The NCSC Ireland's entity classification guidance is the authoritative source for determining specific scope.[^1]

Even businesses below those thresholds face a secondary route into NIS2's orbit. The directive extends obligations down the supply chain. If your hotel, restaurant, or tourism business supplies services to an entity that is itself in scope — a large hospitality group, a public sector client, a multinational food service company — that entity may require you to meet NIS2-equivalent standards as a contractual condition of doing business. This is not a choice: if your client requires it, you comply or lose the contract.

The practical implication for Donegal hospitality businesses is straightforward. Determine your direct scope status using the NCSC Ireland's published guidance. Then review your major supplier and client relationships to identify whether any indirect obligations apply. Both exercises take less than a day and give you a clear picture of where you stand.

Has one of your technology suppliers or enterprise clients asked about your NIS2 compliance status? Book a free 20-minute strategy call — we work with hospitality businesses across Donegal and can give you a clear picture within a single call.

WHAT NOW: The Five Practical Obligations

Whether or not your business is formally in scope, the core obligations NIS2 imposes are good practice for any hospitality business holding guest data, processing payment card information, or depending on digital systems for operations.

Risk management. Identify the cybersecurity risks to your operations — your booking system, payment processing, guest Wi-Fi, staff email, and point-of-sale systems. For each risk, assess the likelihood and potential impact. Document the assessment. A risk register does not need to be complex — a simple spreadsheet listing each system, the threats it faces, and the controls you have in place is a meaningful starting point.

Incident response planning. If your booking system goes down because of a ransomware attack at 4pm on a Friday evening in August, what do you do? Who do you call? How do you handle guest check-ins without the PMS? How do you notify guests whose data may have been accessed? An incident response plan for a hospitality business needs to address both the technical response and the operational continuity challenge. The Garda National Cyber Crime Bureau is the primary point of contact for reporting cyber crime, and the NCSC Ireland receives NIS2 incident notifications. For in-scope entities the directive sets fixed deadlines for a significant incident: an early warning within 24 hours of becoming aware of it, an incident notification within 72 hours, and a final report within one month.[^2] Even a business that is not in scope should write those contact details and timelines into its plan, because a large client may impose the same deadlines by contract.

Access control and MFA. Every staff account that accesses your booking system, payment platform, or email should have multi-factor authentication enabled. A compromised staff login (phished password, reused password, shared front-desk account) is among the most common entry points for attackers targeting hospitality businesses. Default credentials on hotel PMS systems, Wi-Fi routers, and point-of-sale terminals should be changed on installation; many remain on manufacturer defaults for years. Shared logins should be replaced with named accounts so that access can be removed when a seasonal worker leaves.

Data protection and GDPR alignment. Hospitality businesses hold significant volumes of personal data, including guest names, contact details, payment information, dietary requirements and disability accommodations. A personal data breach must be notified to the Data Protection Commission without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the people affected; where the risk to them is high, the affected guests must be informed as well. The DPC has consistently stated that hospitality businesses are among those most frequently reporting data breaches, and that inadequate technical controls are a common contributing factor.[^3]

Supply chain security. Review the security posture of every digital supplier that accesses your systems or holds your data — your PMS provider, your payment processor, your booking platform, your Wi-Fi provider. Ask them for evidence of their own security controls. If they cannot provide it, that is a risk you need to assess.

WHY IT MATTERS: The Business Reality for Donegal Hospitality

Donegal's tourism and hospitality sector depends on reputation. A data breach affecting guest records — published on a dark web forum or reported in the media — causes reputational damage that marketing cannot easily repair. The cost of a ransomware attack on a hotel's PMS during peak season, with bookings locked and check-in processes paralysed, can exceed the annual cost of every cybersecurity control combined.

The guest Wi-Fi network that most hotels provide as a standard amenity is a significant attack surface — both for attacks on the hotel's own systems through the Wi-Fi infrastructure, and for criminals who use hotel networks as a base for attacking other guests. Properly segmenting guest Wi-Fi from operational networks is a basic control that many properties have not implemented.
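One way to check that segmentation actually holds, as an added example written for this edit rather than code from the original page or from any vendor: a small Python script that evaluates a zone-based firewall rule set (first match wins, implicit deny at the end, the semantics of most firewall rule bases) against the flows a property must block and the flows it must keep working. The zone names, subnets, ports and host addresses below are constructed assumptions; a real property would substitute its own VLANs and export its actual rules.

```python
"""Segmentation policy check for a hotel network.

Added example, not from the original page. Zones, subnets, ports and sample
hosts are constructed for illustration and are not a real property's setup.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src: str             # zone name or "any"
    dst: str             # zone name or "any"
    port: Optional[int]  # None means any port
    action: str          # "allow" or "deny"


# Constructed example subnets (assumption: one VLAN per zone).
ZONES = {
    "guest": ip_network("10.10.0.0/16"),
    "front_desk": ip_network("10.20.0.0/24"),
    "pms": ip_network("10.30.0.0/24"),
    "pos": ip_network("10.40.0.0/24"),
    "mgmt": ip_network("10.99.0.0/24"),
    "internet": ip_network("0.0.0.0/0"),
}

# Constructed sample host per zone used to drive the checks.
SAMPLE_HOST = {
    "guest": "10.10.5.23",
    "front_desk": "10.20.0.12",
    "pms": "10.30.0.5",
    "pos": "10.40.0.7",
    "mgmt": "10.99.0.2",
    "internet": "203.0.113.10",
}


def zone_of(ip: str) -> Optional[str]:
    """Longest-prefix match of an address to a zone."""
    addr = ip_address(ip)
    best = None
    for name, net in ZONES.items():
        if addr in net and (best is None or net.prefixlen > ZONES[best].prefixlen):
            best = name
    return best


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> str:
    """First matching rule decides; anything unmatched is denied."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for r in rules:
        if r.src in (src, "any") and r.dst in (dst, "any") and r.port in (None, port):
            return r.action
    return "deny"


# The flat network many properties actually run: everything can reach everything.
FLAT = [Rule("any", "any", None, "allow")]

# A segmented policy: guests get the internet and nothing else; only the front
# desk talks to the PMS; POS only reaches its payment processor over 443.
SEGMENTED = [
    Rule("guest", "internet", None, "allow"),
    Rule("front_desk", "pms", 443, "allow"),
    Rule("front_desk", "internet", None, "allow"),
    Rule("pos", "internet", 443, "allow"),
    Rule("mgmt", "any", None, "allow"),
]

# Flows that must be blocked and flows that must keep working.
REQUIRED_DENY = [("guest", "pms", 443), ("guest", "pos", 443),
                 ("guest", "mgmt", 22), ("guest", "front_desk", 445)]
REQUIRED_ALLOW = [("guest", "internet", 443), ("front_desk", "pms", 443),
                  ("pos", "internet", 443)]


def check_policy(rules: List[Rule]) -> List[Tuple[str, str, int, str, str]]:
    """Return (src, dst, port, expected, actual) for every requirement the rules break."""
    violations = []
    for expected, flows in (("deny", REQUIRED_DENY), ("allow", REQUIRED_ALLOW)):
        for src, dst, port in flows:
            actual = evaluate(rules, SAMPLE_HOST[src], SAMPLE_HOST[dst], port)
            if actual != expected:
                violations.append((src, dst, port, expected, actual))
    return violations


if __name__ == "__main__":
    for name, rules in (("flat", FLAT), ("segmented", SEGMENTED),
                        ("segmented + catch-all allow", SEGMENTED + FLAT)):
        print(name, check_policy(rules))
```

The third case in the usage block is the one to watch for in practice: a "temporary" catch-all allow added at the bottom of an otherwise correct rule base silently reopens every guest-to-operations path, and only a check like this, run after every firewall change, will show it.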

The NCSC Ireland's published guidance on cybersecurity for businesses is directly applicable to the hospitality sector and costs nothing to access and implement. The controls it recommends — MFA, patching, access management, incident response planning — are the same controls that NIS2 formalises as legal obligations for in-scope entities.

A cyberattack during peak season is not an IT problem. It is an existential business event.

WHAT NEXT: Three Actions for Donegal Hospitality Businesses

1. Determine your NIS2 scope status this week. Use the NCSC Ireland's entity classification guidance. If you have 50 or more employees or turn over more than €10 million, you meet the size threshold; seek specific advice on whether any service you operate also falls within a listed sector, because that is what decides whether you are classified as an important entity.

2. Enable MFA on every staff account that accesses your booking system, payment platform, and email today. This is the single highest-impact control available for the lowest cost. If your PMS provider does not support MFA, raise it with them as a contractual requirement.

3. Document your incident response procedure for a PMS outage. Who is in charge? How do you contact guests? How do you process check-ins manually? What is the first call you make? A one-page procedure stored offline and known to your front desk manager is more valuable than a complex plan that nobody has read.

Related Reading

[^1]: NCSC Ireland — NIS2 entity classification and scope guidance: https://www.ncsc.gov.ie/advice-for-organisations/
[^2]: An Garda Síochána — Garda National Cyber Crime Bureau: https://www.garda.ie/en/crime/cyber-crime/
[^3]: Data Protection Commission Ireland — breach notification for hospitality and retail: https://www.dataprotection.ie

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.