Tabletop Exercises for Irish SME Boards

NIS2 requires tested incident response plans. A tabletop exercise is the practical way to test them. Here's the format, what scenarios work best, and how to run one for your Irish SME board.

Tabletop Exercises for Irish SME Boards: What They Are and Why NIS2 Effectively Requires Them

Most Irish SMEs that have an incident response plan wrote it, filed it, and never looked at it again. That plan will fail the moment it matters most — not because it was badly written, but because it was never tested under anything resembling realistic pressure.

A tabletop exercise fixes that. It is a facilitated discussion-based simulation: you walk a group of decision-makers through a cyber incident scenario, in real time, and ask them to make the decisions they would need to make if it were happening now. No systems are touched. No live traffic is affected. The only thing that gets stress-tested is the plan and the people.

Done properly, a two-hour tabletop exercise will tell you more about your incident response readiness than any policy document review.

Why NIS2 Specifically Requires Tested Plans

Under NIS2 — which came into force across EU member states including Ireland — a written incident response plan is a baseline expectation, not a differentiator. What NIS2 actually demands, under Article 21's risk management measures, is that organisations implement measures that have been tested and reviewed.

When the National Cyber Security Centre or a competent authority asks how your organisation manages cyber incidents, "we have a document" is not an adequate answer. "We ran an exercise in Q2, identified three gaps, and closed two of them with a third in progress" is.

If you are in NIS2 scope — or adjacent to entities that are — understanding the full compliance picture is worth your time before you have to explain your posture to a regulator rather than a consultant.

What a Typical Two-Hour Tabletop Looks Like

A well-run tabletop exercise has four phases.

Scenario injection (15 minutes). The facilitator presents the scenario as if it is unfolding now. Not a lecture about what ransomware is. "It is 7:45am on a Monday. Your IT manager has just called to say that half the shared drives are showing encrypted file extensions and a ransom note has appeared on the screen in the main office. What do you do right now?"

Discussion phase (60–75 minutes). The facilitator walks the group through a sequence of decision points. Who do you call first? Do you shut down systems — and who has the authority to make that call? When do you notify your customers? What are your obligations to report to the NCSC? Who talks to the media if this gets out? When does legal counsel come in? The discussion is deliberately open-ended. The facilitator is not looking for right answers; they are surfacing the gaps, the assumptions, and the disagreements.

Gap identification (20 minutes). What did the exercise reveal? Where did the group disagree about who was responsible? What information was needed that nobody had? Which steps in the written plan turned out to be unrealistic? These are documented in real time.

Action list (15 minutes). Each gap gets assigned an owner and a target date. This is what makes the exercise useful rather than just interesting.

Three Scenarios That Fit Irish SMEs

Ransomware. The highest-frequency serious incident type for Irish SMEs. The scenario should force a decision about whether to pay (and who decides), how long the business can operate without IT systems, and what the NIS2 reporting window looks like when you are also trying to recover your data. The HSE attack in 2021 is a reference point most Irish executives understand at a gut level.

Business email compromise. A scenario where a finance team member has already transferred €35,000 to a fraudulent account before anyone noticed. Can the transfer be recalled? When do you tell the bank? Who tells the board? Is this reportable under NIS2? What do you tell the client whose payment was involved?

Data breach notification. Personal data — customer records, employee files — has been accessed by an unauthorised party. The GDPR clock is running: 72 hours to notify the Data Protection Commission if the breach is reportable. Who makes that assessment? Where is the DPC notification process documented? Do you know your DPO's phone number right now?

Who Needs to Be in the Room

A tabletop exercise with only IT staff is a technical discussion, not a business one. The point is to stress-test the decision-making layer, which means you need decision-makers.

At minimum: the CEO or MD, the Finance Director or CFO, the IT lead or IT manager, and someone with a legal or compliance function. The exercise should feel slightly uncomfortable for the non-technical attendees. That discomfort is informative: it shows where the organisation relies on one person having the answers rather than having a clear documented process.

What You Get Out of It

After a well-facilitated tabletop exercise, you should leave with a short list of specific, actionable gaps. Common findings for Irish SMEs:

  • No documented process for contacting the NCSC — the team did not know the reporting portal existed
  • Ambiguity about who can authorise a system shutdown during business hours
  • Ransom payment decision not clearly assigned — a genuine board-level disagreement that needs to be resolved in policy before it needs to be resolved under pressure
  • No offsite copy of key contact details — if email is down, nobody knows the external IT vendor's emergency number

These are fixable problems. They are far less fixable when you discover them at 2am during an actual incident.

How Often to Run One

Once a year is a reasonable baseline. Run one more frequently if you have had a significant change — new IT systems, a merger, key personnel changes, or an actual incident. NIS2 entities should treat annual exercises as a minimum.

Scenarios should rotate so the exercise tests different parts of the plan each time. A ransomware tabletop this year and a BEC scenario next year will give you better coverage than running the same scenario repeatedly.


Pragmatic Security facilitates tabletop exercises for Irish SME boards and leadership teams. If you want to test your incident response posture before the next incident rather than during it, get in touch.


James McGee is a CISA, CISSP, and CISM-certified security professional and founder of Pragmatic Security, an Irish vCISO advisory firm helping SMEs navigate cybersecurity and regulatory compliance.