NIS2 and Hospitality: What Donegal and Sligo Hotels Must Do Before the Deadline.

Donegal and Sligo hotels face NIS2 cybersecurity obligations in 2025. Learn who is in scope, what controls are required, and the practical steps to take now.

When a four-star hotel on the Donegal coast discovered that its booking system had been accessed by an unauthorised third party last summer, the consequences unfolded quickly. Guest credit card details and passport scans were potentially exposed. The Data Protection Commission was notified. A forensic investigation ran for six weeks. The hotel's reputation, built over years of positive reviews and repeat business, absorbed a blow it is still recovering from. With the NIS2 Directive now being transposed into Irish law, that hotel — and many others in Sligo, Donegal, and across Ireland — would face regulatory action as well.

Why Hotels Are Now in the Frame

Most hotel owners assume that EU cybersecurity law applies to power grids and banks, not guest houses and resort properties. That assumption is outdated. NIS2 explicitly covers entities that provide services to the public at scale — and hotels, by their nature, process large volumes of personal and financial data, operate interconnected booking and payment systems, and serve both leisure and business travellers whose data is commercially valuable.

The NCSC Ireland, which is the lead national authority for NIS2 implementation, has confirmed that hospitality businesses meeting certain thresholds — typically more than 50 employees or annual revenue above €10 million — will fall within scope as important entities.[^1] Larger hotel groups and chains operating across multiple locations will likely be classified as essential entities with stricter obligations and higher potential fines.

Even hotels that fall below the direct scope thresholds face indirect pressure. If your hotel supplies accommodation or services to businesses that are themselves regulated under NIS2 — corporate clients, government agencies, healthcare organisations — those clients will increasingly require contractual assurances about your cybersecurity posture. Failing to provide them risks losing the contract.

Does your hotel know whether it qualifies as an important or essential entity under NIS2, and what controls you are required to have in place? Book a free 20-minute strategy call — we will help you scope your obligations and identify exactly where to focus your effort first.

The Five Areas You Must Address

NIS2 compliance for hotels is not a single checkbox exercise. It covers five interconnected areas that need to be assessed, documented, and maintained.

The first is payment card and financial data protection. Hotels process thousands of card transactions each month. NIS2 requires that payment systems be properly segmented from other operational networks, that data in transit and at rest is encrypted, and that access to payment processing infrastructure is restricted to authorised personnel only. This requirement works alongside existing PCI DSS obligations rather than replacing them.

The second area is guest personal data management. Hotels hold some of the most varied personal data of any business type — names, addresses, passport copies, dietary and accessibility needs, corporate billing information. NIS2 requires clear data retention policies, documented access controls, and tested breach notification procedures. The Data Protection Commission in Ireland has been explicit that health-adjacent data, such as dietary needs linked to medical conditions, requires particular care.[^2]

Third, network and Wi-Fi security. Hotel guest networks are a known attack vector. Criminals check in as guests and use the guest Wi-Fi to probe the property management system or the staff network. NIS2 requires full network segmentation: guest Wi-Fi must be completely separated from the systems that run reception, housekeeping, and back-office functions. Most Irish hotels are not there yet.

Fourth, staff training. Under NIS2, all staff who interact with digital systems — which in a hotel means virtually everyone from reception to accounts — must receive appropriate security awareness training. This includes recognising phishing emails, handling guest data correctly, and knowing who to contact if something seems wrong. Seasonal staff and temporary workers are included in this requirement, which is a particular challenge for the tourism sector.

Fifth, incident response planning. NIS2 requires a documented plan that covers how your hotel will detect, contain, and report a cyber incident. The reporting timeline is tight: an initial notification to the NCSC Ireland within 24 hours of discovery, with a full incident report within 72 hours. An Garda Síochána's National Cyber Crime Bureau should also be contacted where criminal activity is suspected.[^3] Most hotel operators have never tested whether they could meet those timelines.

What the Fines Look Like

Important entities under NIS2 face fines of up to €7 million or 1.4% of global annual turnover, whichever is higher. Essential entities face fines of up to €10 million or 2% of global turnover. Directors can be held personally liable for failures in cybersecurity governance — a provision that brings this firmly into the boardroom agenda, not just the IT department.

Beyond fines, the reputational cost of a disclosed breach is significant in an industry that lives and dies by reviews and word of mouth. Travellers who discover their data was mishandled do not return. Corporate clients who experience a breach through a hotel's systems take their business elsewhere and sometimes pursue civil claims.

The cost of one serious cyber incident in the hospitality sector consistently exceeds the annual cost of the controls that would have prevented it.

Three Steps to Take Before the Deadline

1. Determine your NIS2 scope status. Review your employee count and annual revenue against the NIS2 thresholds. If you are approaching or exceed those figures, treat yourself as in scope and act accordingly. Waiting for the regulator to confirm your status is not a safe strategy.

2. Segment your networks and enable MFA. These two technical controls address the most common attack paths in the hotel sector. Network segmentation isolates your operational systems from guest access. Multi-factor authentication on email, property management systems, and accounting software stops the majority of credential-based attacks. Both can be achieved in weeks, not months.

3. Draft and test your incident response plan. Write down who does what when a cyberattack is discovered. Practice the 24-hour notification process with your management team. Identify your IT support contact, your legal adviser, and your data protection officer's out-of-hours number. A plan that exists only in someone's head is not a plan.

The NCSC Ireland provides free guidance for hospitality businesses at every stage of this process. Starting there, before the compliance deadline arrives, is the right move.

Related Reading

[^1]: NCSC Ireland, NIS2 guidance for organisations: https://www.ncsc.gov.ie/advice-for-organisations/

[^2]: Data Protection Commission, guidance on personal data obligations: https://www.dataprotection.ie

[^3]: An Garda Síochána, National Cyber Crime Bureau cybercrime resources: https://www.garda.ie/en/crime/cyber-crime/

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.