NIS2 applies to medium and large organisations in 18 critical and important sectors — and it also catches smaller businesses through supply chain obligations: if your clients are in scope, they must assess your security posture. NIS2 compliance requires appropriate risk-management measures, mandatory incident reporting to the NCSC (24 hours / 72 hours / 30 days), supply chain security, and personal accountability for directors.
NIS2 (the Network and Information Security Directive 2) is now Irish law and is the most significant cybersecurity regulation to affect Irish businesses since GDPR. It replaced the original NIS Directive and dramatically expanded the scope — covering more sectors, imposing stricter requirements, and introducing personal liability for directors. In Ireland, the NCSC (National Cyber Security Centre) is the competent authority responsible for enforcement.
This hub brings together 69 expert articles covering everything from scope and fines to step-by-step compliance checklists and sector-specific guides.
What Is NIS2?
The Network and Information Security Directive 2 (NIS2) is an EU regulation that establishes a common level of cybersecurity across all member states. It replaced the original NIS Directive and dramatically expanded the scope — covering more sectors, imposing stricter requirements, and introducing personal liability for directors. In Ireland, the NCSC (National Cyber Security Centre) is the competent authority responsible for enforcement.
The Key Pillars of NIS2
Governance & Accountability
Directors and senior management are personally accountable for cybersecurity. Boards must approve risk-management measures and oversee their implementation. Ignorance is no longer a defence.
Risk Management Measures
Organisations must adopt appropriate and proportionate technical, operational, and organisational measures to manage cybersecurity risks — including policies on risk analysis, incident handling, and business continuity.
Incident Reporting
Significant incidents must be reported to the NCSC within 24 hours (early warning), 72 hours (full notification), and 30 days (final report). The clock starts when you become aware of the incident.
Supply Chain Security
You are responsible for the security of your supply chain. NIS2 requires organisations to assess and manage risks from ICT suppliers, service providers, and third-party dependencies.
Fines & Enforcement
Essential entities face fines up to €10 million or 2% of global turnover. Important entities face up to €7 million or 1.4% of turnover. Directors can be held personally liable and temporarily suspended.
Registration & Self-Assessment
In-scope organisations must self-register with the NCSC. Ireland's transposition requires entities to identify themselves and submit registration details. The NCSC can also designate entities directly.
Key Deadlines & Numbers
| Figure | What it means |
|---|---|
| 24 hrs | Early warning to NCSC |
| 72 hrs | Full incident notification |
| €10M | Maximum fine (essential) |
| 18 | Sectors now in scope |
Frequently Asked Questions
What is NIS2 and when did it become Irish law?
NIS2 (the Network and Information Security Directive 2) is an EU-wide cybersecurity regulation that replaced the original NIS Directive. It was transposed into Irish law and applies to a significantly broader range of organisations than its predecessor. The directive establishes minimum cybersecurity standards, mandatory incident reporting, and personal accountability for directors.
Does NIS2 apply to my business?
NIS2 applies to medium and large organisations in 18 critical and important sectors — including energy, transport, health, digital infrastructure, ICT service management, public administration, and food production. However, it also catches smaller businesses through supply chain obligations: if your clients are in scope, they must assess your security posture. Use our free NIS2 Scope Check tool to find out in 3 minutes.
What are the fines for non-compliance?
Essential entities face fines of up to €10 million or 2% of global annual turnover (whichever is higher). Important entities face up to €7 million or 1.4% of turnover. Beyond fines, the NCSC can issue binding instructions, order audits, and — critically — temporarily suspend directors from management functions.
What is the difference between an Essential and an Important entity?
Essential entities are in the most critical sectors (energy, transport, health, drinking water, digital infrastructure, banking, financial market infrastructure, space, and public administration). Important entities cover sectors like postal services, waste management, food, manufacturing, digital providers, and research. Essential entities face stricter supervision and higher fines.
How quickly must I report a cyber incident under NIS2?
There are three mandatory deadlines: an early warning to the NCSC within 24 hours of becoming aware of a significant incident, a full incident notification within 72 hours, and a final report within one month. Failure to report on time is itself a compliance violation that can trigger enforcement action.
Can directors be held personally liable?
Yes. NIS2 explicitly makes senior management accountable for cybersecurity risk management. Directors who fail to approve and oversee appropriate measures can face personal sanctions, including temporary suspension from management roles. This is a significant change from previous regulations.
How does NIS2 relate to GDPR?
They are complementary. GDPR protects personal data; NIS2 protects network and information systems. A single cyber incident can trigger obligations under both. The key difference: GDPR is enforced by the DPC, while NIS2 is enforced by the NCSC. You need to satisfy both, but many controls (encryption, access management, incident response) serve both purposes.
What is the best framework to use for NIS2 compliance?
Ireland's NCSC recommends CyFUN (Cyber Fundamentals) as the starting framework for Irish businesses. It maps directly to NIS2 requirements and is designed for organisations that do not have a dedicated security team. The UK's Cyber Essentials and Australia's Essential 8 are also excellent practical frameworks that align well with NIS2. See our CyFUN hub for detailed guidance.
How much does NIS2 compliance cost for an SME?
Costs vary significantly based on your current maturity. A micro-enterprise starting from scratch might spend €5,000–€15,000 on initial compliance measures. A medium-sized business with existing IT infrastructure typically invests €15,000–€50,000. A vCISO engagement — which provides ongoing governance and compliance management — starts from €1,500 per month. The cost of non-compliance (fines, reputational damage, business disruption) is invariably higher.
Where do I start with NIS2 compliance?
Start with three things: (1) Determine if you are in scope using our free NIS2 Scope Check, (2) Read the NIS2 Compliance Checklist for Irish SMEs to understand the full picture, and (3) Book a free 20-minute call with us to get an honest assessment of where you stand and what to prioritise first.