What Does NIS2 Compliance Actually Cost for a 20-Person Irish Business?

What does NIS2 compliance actually cost for a 20-person Irish business? Three realistic scenarios from €15,000 to €100,000 with line-by-line breakdowns.

When a 22-person Sligo logistics company asked their IT provider what NIS2 compliance would cost them, the answer was "it depends." That is technically accurate and practically useless for a business owner trying to set a budget. The fear of undefined, potentially large costs is one of the primary reasons Irish SMEs delay NIS2 preparation, and delay is the most dangerous response: the Directive caps administrative fines for essential entities at €10 million or 2 percent of total worldwide annual turnover, whichever is higher, and for important entities at €7 million or 1.4 percent. This article cuts through the uncertainty with three realistic, line-by-line scenarios for a typical 20-person Irish business.

What NIS2 Actually Requires

NIS2 obligations (the risk management measures in Article 21 of the Directive) fall into several distinct categories that each carry cost implications. You need a risk assessment and a documented risk management programme. You need policies covering incident handling, business continuity, access control, and supply chain security. You need technical controls, at minimum MFA, endpoint protection, and tested backups, implemented and maintained. You need a tested incident response plan, including the ability to meet the Article 23 reporting timeline: an early warning to the national CSIRT within 24 hours of becoming aware of a significant incident, a fuller notification within 72 hours, and a final report within a month. You need staff training that is ongoing, not a one-time event. And under the governance provisions of Article 20, the management body must approve the risk management measures, oversee their implementation, and undergo training itself, which means named security accountability at a senior level.

The NCSC Ireland has published guidance on how these requirements map to practical security measures for organisations of different sizes.[^1] The good news for a 20-person business is that the required controls are not exotic — they overlap significantly with the security measures your business should already have in place regardless of NIS2. The compliance overhead is the documentation, governance, and testing layer on top of those controls.

Is your business in scope for NIS2, and if so, which obligations apply to your size and sector? Book a free 20-minute strategy call — we can tell you within one session what NIS2 means for your specific business and what a proportionate compliance programme would cost.

Three Realistic Budget Scenarios

The following scenarios are based on our experience working with Irish SMEs across Donegal, Sligo, and the wider North West on compliance and security programmes. These are estimates for planning purposes, not quotes.

Scenario 1: Minimum Viable Compliance — €15,000 to €25,000 per year. This scenario covers the baseline obligations for a business with some existing security controls that need to be documented and formalised. It includes a one-off gap assessment and roadmap (€2,000 to €4,000), template-based policy development (€1,500 to €3,000), basic technical controls including MFA and endpoint protection at around €15 to €25 per user per month (€3,600 to €6,000 annually for 20 users), online security awareness training with phishing simulations (€1,000 to €2,000), and a template-based incident response plan reviewed and adapted for the business (€1,000 to €2,500). Those line items sum to roughly €9,000 to €17,500 in the first year; the €15,000 to €25,000 headline leaves room for the implementation effort, backup tooling, and internal staff time that the line items do not capture. A light advisory vCISO engagement for governance and board reporting typically adds €1,500 per month (€18,000 annually), though some businesses start with a lower hourly commitment, taking the first-year total to roughly €28,000 to €43,000 with a basic vCISO retainer included.

Scenario 2: Solid Middle Ground — €30,000 to €50,000 per year. This is the most common approach for businesses that want to be genuinely compliant rather than nominally compliant. It includes a more thorough gap assessment (€3,000 to €5,000), customised policy development tailored to the business's specific risk profile (€3,000 to €6,000), better endpoint security at €25 to €40 per user per month (€6,000 to €9,600 annually for 20 users), more comprehensive training including in-person workshops alongside online content (€2,500 to €4,000), a custom incident response plan with a tabletop exercise (€2,500 to €5,000), basic managed security monitoring (€4,800 to €9,600 annually), and an annual penetration test (€5,000 to €8,000). These items sum to roughly €27,000 to €47,000; the ongoing vCISO retainer is on top of that, so a retainer at the Scenario 1 rate pushes a fully built-out Scenario 2 towards the top of the range or slightly beyond it. The Garda National Cyber Crime Bureau consistently notes that businesses with tested incident response plans and regular staff training sustain significantly less damage when incidents occur.[^2]

Scenario 3: Comprehensive — €60,000 to €100,000 per year. This scenario applies to businesses with complex regulatory requirements, sensitive data, or significant supply chain obligations. It includes a full security programme with managed SOC monitoring (€12,000 to €24,000 annually), bespoke policy development and legal review, comprehensive technical controls including privileged access management, annual penetration testing plus ad-hoc testing, a full vCISO fractional engagement with board-level reporting, and preparation for ISO 27001 or equivalent certification (€5,000 to €10,000). This is the level appropriate for businesses in regulated sectors — healthcare, financial services, critical infrastructure supply chains — or those seeking to pass stringent enterprise client due diligence processes.

What Drives Your Business to Which Scenario

Three factors determine where your business lands in this range. The first is your NIS2 scope category: essential entities face stricter supervision and higher fine caps than important entities, and size thresholds matter. The Directive's default threshold is the medium-sized enterprise (50 or more staff, or annual turnover or balance sheet above €10 million), so a 20-person business is usually caught only through a sector-specific exception, designation by the national authority, or the supply chain requirements of an in-scope customer. The second is your starting security maturity: a business that already has MFA deployed, backups tested, and basic policies in place needs far less upfront investment than one starting from scratch. The third is your regulatory environment: a business processing health data or operating in a sector with additional GDPR or sector-specific requirements will need more comprehensive documentation and controls.

GDPR's accountability principle, which the Data Protection Commission enforces in Ireland, means that being able to demonstrate that your security decisions and processes are documented is itself a requirement, separate from NIS2.[^3] A business that addresses both in a single programme is more efficient than one treating them as separate compliance exercises.

NIS2 is not primarily about spending more on security — it is about spending on the right things, in the right order, with the right documentation.

What to Do Next

Three actions any 20-person Irish business can take this month:

  1. Determine your scope. Use the NCSC Ireland's sector guidance to confirm whether your business falls within NIS2's essential or important entity categories, and which specific obligations apply. If you are uncertain, a one-hour advisory conversation clarifies this quickly.

  2. Run an honest gap assessment. Against the six core NIS2 requirement areas — risk management, incident handling, business continuity, supply chain security, access control, and staff training — assess which you have documented and which you are doing informally or not at all. Article 21(2) also names cryptography and encryption policies, security in the acquisition and development of systems (including vulnerability handling), and MFA and secured communications, so check those too if they are not already covered by your technical controls. That gap list is your starting budget justification.

  3. Build a phased plan. A first-year investment focused on documentation, governance, and the highest-impact technical controls will achieve meaningful NIS2 progress at the lower end of Scenario 1. The subsequent years add testing, monitoring depth, and supply chain programme maturity. Spread sensibly over three years, NIS2 compliance is achievable for most Irish SMEs without catastrophic budget impact.

References

[^1]: NCSC Ireland — Advice for Organisations: https://www.ncsc.gov.ie/advice-for-organisations/
[^2]: An Garda Síochána — Cyber Crime: https://www.garda.ie/en/crime/cyber-crime/
[^3]: Data Protection Commission: https://www.dataprotection.ie

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.