NIS2 for Irish SMEs: Understanding Your New Cybersecurity Obligations.

NIS2 brings new cybersecurity obligations to Irish SMEs. Learn who is in scope, what the 10 minimum controls require, and how to prepare for compliance now.

When a Letterkenny accountancy firm received a letter from its largest client last year demanding confirmation of NIS2 compliance before contract renewal, the partners had no idea what NIS2 was. Within three months, they had completed a gap assessment, updated their supplier agreements, and enabled multi-factor authentication across all systems. It cost less than they feared and took less time than they expected. The firm that had never thought about EU cybersecurity law was, within a quarter, meaningfully more secure. Most Irish SMEs are not there yet, but they need to be.

What NIS2 Is and Why It Applies to You

The NIS2 Directive — the EU's Network and Information Security Directive 2 — is the updated European framework for cybersecurity across critical sectors and their supply chains. It replaced the original 2016 NIS Directive and dramatically expanded the range of organisations in scope. While energy companies and hospitals are the obvious examples, the directive's reach extends significantly further.

The NCSC Ireland, designated as the national authority for NIS2 implementation, has confirmed that the directive applies to medium-sized enterprises operating in specific sectors — and to smaller businesses that meet certain criticality criteria.[^1] If your business has more than 50 employees or annual revenue above €10 million and operates in areas including digital services, postal and courier services, food production, manufacturing, or public administration, you are likely in scope.

NIS2 divides covered organisations into two tiers: essential entities and important entities. Essential entities face stricter supervision and higher maximum fines. Important entities have somewhat lighter oversight but still carry significant legal obligations. Both tiers must implement the same core cybersecurity measures. The difference is largely in how the regulator monitors them and how hard it comes down when things go wrong.

Does your business know whether it falls within NIS2 scope, and what your minimum cybersecurity obligations are? Book a free 20-minute strategy call — we will tell you clearly where you stand and what to prioritise first.

The Ten Minimum Controls

NIS2 mandates a specific list of cybersecurity measures that every in-scope organisation must implement. These are not voluntary guidelines. They are legal requirements, and failure to have them in place is the basis for regulatory action.

The first is a documented risk assessment and written security policies. You must identify your critical systems, understand how they could be attacked, assess the likelihood and impact of different threats, and write down how you manage each risk. This does not need to be an elaborate document, but it does need to exist and be maintained.

Second, you need policies and procedures for evaluating whether your security measures are actually working. This means testing, reviewing, and updating your controls on a regular basis rather than setting them up once and forgetting about them.

Third, cryptography and encryption policies must be in place. Sensitive data — whether customer records, financial information, or internal communications — must be protected in transit and at rest using appropriate encryption standards.

Fourth, an incident response plan that is documented, tested, and ready to activate. This includes the ability to notify the NCSC Ireland within 24 hours of discovering a significant cyber incident, and to provide a detailed report within 72 hours. An Garda Síochána's National Cyber Crime Bureau should also be informed where criminal activity is suspected.[^2]

Fifth, security requirements must be built into how you procure, develop, and operate systems. Buying software or hardware that lacks basic security features, or deploying systems without security testing, creates liability.

Sixth, cybersecurity awareness training for all staff. Every employee who uses a digital system — laptop, smartphone, or cloud application — needs to understand the basics of safe use, including how to recognise a phishing email.

Seventh, documented procedures for handling sensitive data and controlling who has access to it. Access should be granted on the basis of need, not convenience.

Eighth, a business continuity plan covering what happens during and after a cyberattack. If your systems go down, how do you keep the business operating? If your data is encrypted by ransomware, how do you recover it?

Ninth, multi-factor authentication must be deployed on all systems that hold or process significant data. A username and password alone is not NIS2-compliant for critical systems.

Tenth, supply chain security. You must assess the cybersecurity practices of your suppliers and ensure that contractors and service providers with access to your systems meet a minimum security standard. The Data Protection Commission has made clear that supply chain liability extends upstream under both GDPR and NIS2.[^3]

What the Penalties Look Like

For important entities, fines can reach €7 million or 1.4% of global annual turnover, whichever is higher. For essential entities, the ceiling rises to €10 million or 2% of global turnover. Directors can be held personally liable for failures in cybersecurity governance. This is not theoretical. The European regulators who drafted NIS2 explicitly included director liability as a mechanism to drive board-level engagement with cybersecurity, not just IT team responsibility.

Beyond direct regulatory fines, a disclosed NIS2 breach triggers parallel GDPR notification requirements, potential civil claims from affected individuals, and — as the Letterkenny accountancy firm discovered in reverse — commercial consequences when clients or partners demand evidence of compliance that you cannot provide.

NIS2 compliance is not only a regulatory obligation — it is increasingly a commercial prerequisite for winning and keeping business contracts in Ireland and across the EU.

Where to Start

If you are uncertain whether NIS2 applies to your business, start by reviewing the NCSC Ireland guidance on essential and important entities. The NCSC publishes plain-English resources that help Irish businesses determine their scope status without needing to hire a lawyer first.

Once you understand your scope, the next step is a gap assessment against the ten minimum controls listed above. For most Irish SMEs, the largest gaps are in incident response procedures, supply chain security assessment, and formal risk documentation. These are not technically complex to address — they require structured thinking and documentation more than expensive technology.

If you need support to move through this process efficiently, a virtual CISO can provide the expertise of a senior security professional on a part-time basis. This model is particularly well-suited to Irish SMEs that need NIS2 governance capability without the cost of a full-time hire.

The compliance deadline is approaching. Starting now, with a clear scope assessment, is the most important first move.

Related Reading

[^1]: NCSC Ireland, NIS2 guidance for Irish organisations: https://www.ncsc.gov.ie/advice-for-organisations/

[^2]: An Garda Síochána, National Cyber Crime Bureau cybercrime resources: https://www.garda.ie/en/crime/cyber-crime/

[^3]: Data Protection Commission, guidance on GDPR and supply chain obligations: https://www.dataprotection.ie

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.