vCISO Responsibilities Under NIS2: What the Regulation Actually Requires

NIS2 places direct accountability on management for cybersecurity. Learn how a vCISO helps Irish SMEs meet NIS2 Articles 20 and 21 obligations without a full-time CISO.

When a Sligo-based food manufacturer received its first supplier security questionnaire from a major retailer in early 2026, the questions were not about firewalls or antivirus software. They asked whether the management body had approved a documented cybersecurity risk management programme, whether there was a named security lead, and whether incident response procedures had been tested. The firm's IT provider handled the technical infrastructure competently, but nobody in the business could answer those governance questions. The questionnaire was a direct reflection of NIS2 obligations — and the firm had assumed those were a large-company concern. They were not.

Why NIS2 Changes the Accountability Question

The NIS2 Directive — currently being transposed into Irish law — is a significant expansion of the original EU network and information security rules. It extends obligations to a much broader range of sectors, including manufacturing, food production, digital services, waste management, and portions of the supply chains serving critical infrastructure. For many Irish SMEs, what previously felt like an enterprise concern has become a direct legal obligation.

The most significant change for business leaders is the explicit personal accountability placed on management bodies under NIS2. This is not a technical compliance exercise that can be delegated entirely to an IT department. The directive requires that management understand, approve, and oversee cybersecurity risk management measures — and that they have sufficient training to do so. The NCSC Ireland has been involved in the transposition process and has published guidance specifically for senior management on what these obligations mean in practice.[^1]

Does your board currently receive cybersecurity briefings, and could they demonstrate they understand your security posture if asked by a regulator? Book a free 20-minute strategy call — we help Irish leadership teams understand and document their NIS2 accountability without turning it into an enterprise compliance project.

What Articles 20 and 21 Actually Require

Article 20 of NIS2 — the governance article — states that management bodies must approve cybersecurity risk management measures and oversee their implementation. Individual members of those bodies can be held personally liable for serious failures. This is a material change from previous frameworks where cybersecurity accountability sat primarily with IT.

Article 21 defines the specific measures that in-scope organisations must have in place. These include documented policies on risk analysis and information system security, procedures for incident handling and reporting, business continuity and crisis management capability, supply chain security assessments, appropriate use of multi-factor authentication and encryption, and regular testing of security measures. For a business in Letterkenny or Donegal operating in one of the affected sectors, these are not aspirational recommendations — they are legal requirements with enforcement consequences. Fines for important entities can reach €7 million or 1.4 percent of global annual turnover, whichever is higher.

What a vCISO Provides in This Context

The vCISO role is particularly well suited to the NIS2 compliance challenge for Irish SMEs. A full-time CISO would address these requirements, but at a cost that is disproportionate for most businesses in scope — a senior security leader in Ireland commands €100,000 or more per year before employment costs. A vCISO provides strategic security leadership on a fractional basis, at a fraction of that cost, and can deliver exactly what NIS2 requires at a management level.

In practical terms, a vCISO supporting NIS2 compliance would develop and maintain the documented policies required under Article 21, conduct the risk assessments management needs to approve, establish and test incident response procedures, brief the board or senior management on their obligations and the current risk posture, liaise with the NCSC Ireland in the event of a significant incident, and prepare the organisation for supervisory inspection or supplier due diligence.

Critically, a vCISO does not remove management's personal accountability. The directive is explicit that management bodies must actively approve — not simply be informed of — security measures. A vCISO produces the analysis, the recommendations, and the documentation, but the board's role is to engage with that material, ask questions, and formally approve the risk management approach. This creates a genuine governance record rather than a paper exercise.

The Data Protection Commission also expects organisations processing personal data to maintain security governance that aligns with GDPR's accountability principle — a requirement that overlaps significantly with NIS2 and that a vCISO can address in a unified programme.[^3]

The Boundary Between vCISO and IT Provider

One confusion that arises repeatedly in Irish SMEs is the difference between what a vCISO does and what an IT support provider or managed services provider does. The IT provider manages infrastructure: servers, networks, devices, patching, helpdesk support. Their lens is operational. A vCISO manages strategy: risk, governance, compliance, policy, and management accountability. Their lens is business risk.

Both roles are necessary. An Garda Síochána's National Cyber Crime Bureau consistently notes that the businesses most vulnerable to attack are those that have IT support but no security strategy — they have the operational layer but not the governance layer that NIS2 now makes mandatory.[^2] A vCISO works alongside the IT provider, not instead of them, ensuring that the technical environment is governed by a documented risk posture rather than evolving ad hoc.

NIS2 does not ask who manages your IT. It asks who in management is accountable for your security decisions — and whether they can prove it.

What to Do Next

Three actions help Irish SMEs in NIS2 scope move from awareness to compliance:

  1. Determine whether you are in scope. NIS2 applies to medium and large entities in defined sectors, but also to smaller entities in certain critical roles. Your sector, size, and supply chain position all affect whether the obligations apply. The NCSC Ireland has published sector guidance to help with this determination.

  2. Appoint a named security lead. Whether that is an internal resource, a vCISO, or a managed security provider, NIS2 expects a named accountable person. Identify that person, define their remit in writing, and ensure management has formally acknowledged their role.

  3. Schedule a management briefing. NIS2 requires management to have sufficient knowledge to assess cybersecurity risk. A two-hour briefing session, tailored to your business and sector, gives leadership the grounding they need to fulfil their governance responsibilities and creates an audit trail of their engagement.

Related Reading

[^1]: NCSC Ireland — Advice for Organisations: https://www.ncsc.gov.ie/advice-for-organisations/

[^2]: An Garda Síochána — Cyber Crime: https://www.garda.ie/en/crime/cyber-crime/

[^3]: Data Protection Commission: https://www.dataprotection.ie

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.