Useful Reference Material
A curated library of 57 authoritative sources referenced across the Pragmatic Security article library — official guidance, legislation, frameworks, research, and tools.
Every link on this page has been cited in our articles. These are the primary sources behind the advice we give Irish businesses.
Irish Government & Regulatory Bodies
Official guidance, advisories, and regulatory resources from Irish government agencies relevant to cybersecurity and data protection.
NCSC Ireland — Official Website
The National Cyber Security Centre (NCSC) is Ireland's primary government agency for cybersecurity. The website provides threat advisories, incident reporting, SME guidance, and the CyFUN framework documentation. Essential reading for any Irish business.
Official Guidance
NCSC Ireland — SME Cyber Security Guidance (2025)
A practical, free guide from the NCSC specifically for Irish small and medium businesses. Covers the most common threats, basic controls, and how to get started with CyFUN. Recommended as the first document any Irish SME owner should read.
Official Guidance
NCSC Ireland — CyFUN Framework
The official CyFUN framework page, including the selection tool, implementation guidance, and documentation for all three maturity levels (Basic, Important, Essential). The primary path for Irish organisations to demonstrate NIS2 compliance.
Official Guidance
NCSC Ireland — CyFUN Frequently Asked Questions
Official answers to the most common questions about CyFUN — who needs it, how it maps to NIS2, how to use the selection tool, and what the three maturity levels require. Useful for businesses beginning their CyFUN journey.
Official Guidance
NCSC Ireland — NIS2 Directive Guidance
The NCSC's official NIS2 guidance page, covering scope, obligations, the transposition timeline, and how to prepare. Includes links to the draft legislation and the risk management measures guidance.
Official Guidance
NCSC Ireland — NIS2 Draft Risk Management Measures Guidance
Detailed guidance on the specific risk management measures required under NIS2 Article 21. Covers all ten security domains and provides practical implementation guidance for Irish organisations.
Official Guidance
NCSC Ireland — NIS2 Guide for Organisations
A concise guide explaining NIS2 obligations, the scope criteria, the security measures required, and the incident reporting obligations. Designed for senior management and directors.
Official Guidance
NCSC Ireland — Cyber Security Baseline Standards
Ireland's national baseline cybersecurity standards, covering the minimum security controls expected of Irish organisations. Predates CyFUN but provides useful context for the evolution of Irish cybersecurity policy.
Official Guidance
NCSC Ireland — Microsoft 365 Secure Configuration Framework
Practical configuration guidance for securing Microsoft 365 environments, covering authentication, email security, data loss prevention, and admin controls. Directly applicable to the majority of Irish SMEs using Microsoft 365.
Official Guidance
NCSC Ireland — Threat Landscape
Regular threat intelligence publications from the NCSC covering the current cyber threat landscape in Ireland. Includes sector-specific threat assessments and advisories on active campaigns targeting Irish organisations.
Official Guidance
NCSC Ireland — Small Business Cyber Security Advice
A practical, accessible resource specifically for small businesses, covering the most common threats and the basic controls that provide the greatest protection. Plain English, no technical background required.
Official Guidance
NCSC Ireland — QR Code Phishing (Quishing) Guidance
A quick guide to QR code phishing (quishing) — how it works, how to recognise it, and how to protect your business. Particularly relevant as QR code attacks have increased significantly in 2025–2026.
Official Guidance
Data Protection Commission (DPC) — Official Website
Ireland's independent data protection supervisory authority. The website provides GDPR guidance, enforcement decisions, data breach notification procedures, and guidance on emerging issues including AI and generative AI.
Official Guidance
DPC — Data Breach Notification Guidance
Official guidance on when and how to notify the DPC of a personal data breach. Covers the 72-hour reporting obligation, the information required, and when affected individuals must also be notified.
Official Guidance
DPC — Guidance on Generative AI
The DPC's guidance on the GDPR implications of using generative AI tools. Covers data minimisation, lawful basis, data processing agreements, and the specific risks of using consumer AI tools for work involving personal data.
Official Guidance
Central Bank of Ireland — Cyber Security and Resilience
The Central Bank's regulatory expectations for cybersecurity in the financial services sector. Covers DORA obligations, operational resilience requirements, and the Central Bank's supervisory approach to cyber risk.
Official Guidance
Central Bank of Ireland — Digital Operational Resilience Act (DORA)
The Central Bank's guidance on DORA implementation for Irish financial entities. Covers the five pillars of DORA (ICT risk management, incident reporting, resilience testing, third-party risk, and information sharing) and the supervisory timeline.
Official Guidance
An Garda Síochána — Cyber Crime
Garda guidance on reporting cybercrime in Ireland, including fraud, BEC attacks, ransomware, and online scams. Includes the contact details for the Garda National Cyber Crime Bureau (GNCCB) and advice on preserving evidence.
Official Guidance
Gov.ie — National Cyber Security Strategy
Ireland's national cybersecurity strategy, setting out the government's priorities for protecting Irish citizens and businesses from cyber threats. Provides context for the regulatory and policy environment Irish businesses operate in.
Official Guidance
EU Legislation & Regulation
Primary legislation and official guidance from EU institutions on cybersecurity, data protection, and digital regulation.
NIS2 Directive — Full Text (EUR-Lex)
The full text of the NIS2 Directive (Directive (EU) 2022/2555) on EUR-Lex. Essential reference for understanding the specific obligations, scope criteria, and enforcement provisions. Article 21 (security measures) and Article 23 (incident reporting) are the most relevant for most organisations.
Legislation
GDPR — Full Text (EUR-Lex)
The full text of the General Data Protection Regulation (GDPR). The primary reference for data protection obligations in Ireland and across the EU. Article 32 (security of processing) and Articles 33–34 (breach notification) are most relevant for cybersecurity purposes.
Legislation
EU AI Act — Full Text (EUR-Lex)
The full text of the EU Artificial Intelligence Act (Regulation (EU) 2024/1689). The world's first comprehensive AI regulation, classifying AI systems by risk level and imposing obligations proportionate to that risk. Relevant for businesses developing or deploying AI systems.
Legislation
ENISA — European Union Agency for Cybersecurity
ENISA is the EU's cybersecurity agency. Its website provides threat landscape reports, guidelines for NIS2 implementation, sector-specific security guidance, and resources for SMEs. The ENISA Threat Landscape report is published annually and is the authoritative source for EU-level threat intelligence.
Official Guidance
European Commission — NIS2 Directive Overview
The European Commission's overview of the NIS2 Directive, including the policy rationale, key changes from NIS1, and implementation guidance. Useful for understanding the broader EU cybersecurity policy context.
Official Guidance
European Commission — Cyber Resilience Act
The European Commission's overview of the Cyber Resilience Act, which introduces mandatory cybersecurity requirements for products with digital elements. Relevant for businesses that manufacture, import, or distribute connected products.
Official Guidance
NIS2 Directive — Article 21 Security Measures
A focused reference for NIS2 Article 21, which specifies the ten security domains that in-scope organisations must address. Useful for mapping your existing controls against the specific requirements.
Official Guidance
IAPP — NIS2 and Ireland's National Cyber Security Bill
An analysis by the International Association of Privacy Professionals of NIS2 transposition in Ireland and what management boards specifically need to know and do. Covers director liability, governance obligations, and the Irish legislative timeline.
News & Analysis
International Frameworks & Standards
Globally recognised cybersecurity frameworks and standards referenced throughout the Pragmatic Security content library.
NIST Cybersecurity Framework 2.0
The US National Institute of Standards and Technology's Cybersecurity Framework, version 2.0. The foundation on which CyFUN is built. Provides a common language for cybersecurity risk management across organisations of all sizes and sectors.
Official Guidance
NIST CSF 2.0 — Full Publication
The full NIST CSF 2.0 publication. Covers the six functions (Govern, Identify, Protect, Detect, Respond, Recover), the core categories and subcategories, and implementation guidance. Essential reference for organisations implementing CyFUN.
Official Guidance
UK NCSC — Cyber Essentials
The official UK government Cyber Essentials scheme, covering the five technical controls (firewalls, secure configuration, user access control, malware protection, patch management) and the certification process. Directly relevant to Irish businesses seeking Cyber Essentials certification.
Official Guidance
Australian Cyber Security Centre — Essential Eight
The ACSC's Essential Eight framework — eight mitigation strategies to protect against the most common cyber attack techniques. Widely referenced in Irish and European security contexts for its practical, measurable approach to ransomware resilience.
Official Guidance
ACSC — Essential Eight Maturity Model
Detailed guidance on the four maturity levels (0–3) of the Essential Eight framework. Explains what is required at each level for each of the eight strategies, enabling organisations to assess their current maturity and plan improvements.
Official Guidance
Research & Industry Reports
Key research publications, threat intelligence reports, and industry studies referenced in Pragmatic Security articles.
IBM Cost of a Data Breach Report 2024
IBM's annual global study on the financial impact of data breaches, based on analysis of real-world incidents. The 2024 report found the global average cost of a data breach reached $4.88 million. Provides sector-specific data and analysis of the factors that increase or reduce breach costs.
Research
Cyber Ireland — SME Cyber Resilience: State of the Sector 2025
A 2025 report on the state of cybersecurity among Irish SMEs, covering current security posture, awareness levels, investment patterns, and the most common vulnerabilities. Essential reading for understanding the Irish SME cybersecurity landscape.
Research
Cyber Ireland — Annual Report 2023
Cyber Ireland's annual report covering the state of the Irish cybersecurity industry, the threat landscape, and the key challenges facing Irish organisations. Provides useful context for the scale and nature of cyber threats in Ireland.
Research
Hiscox Cyber Readiness Report — Ireland
Hiscox's annual cyber readiness report includes Ireland-specific data on cyber attack frequency, financial impact, and the security controls that most effectively reduce risk. Particularly useful for understanding the insurance and risk management perspective.
Research
Travelers — Q2 2025 Cyber Threat Report
Travelers Insurance's quarterly cyber threat report covering the most active threat actors, attack techniques, and sectors targeted in Q2 2025. Useful for understanding current threat trends from an insurance perspective.
Research
RTÉ — 65% Would Not Return to Retailer After Data Breach
RTÉ reporting on research showing that 65% of Irish consumers would not return to a retailer following a data breach. Provides important context for the reputational and commercial impact of cyber incidents on Irish businesses.
News & Analysis
Silicon Republic — Cybersecurity in Ireland
Silicon Republic is Ireland's leading technology news publication. Its cybersecurity coverage provides regular updates on Irish cyber incidents, regulatory developments, and the broader technology landscape relevant to Irish businesses.
News & Analysis
Tech Central — Cyber Security in Late 2025
An analysis of the Irish cybersecurity landscape in late 2025, covering the key threats facing Irish SMEs and the regulatory pressures driving security investment. Provides useful context for the current environment.
News & Analysis
William Fry — NIS2 Enforcement and Supervision
Legal analysis from William Fry solicitors on NIS2 enforcement mechanisms, supervisory powers, and the personal liability provisions for directors. Authoritative legal perspective on the enforcement landscape.
News & Analysis
IAPP — Navigating NIS2 and the EU Cyber Resilience Act
IAPP analysis of the relationship between NIS2 and the Cyber Resilience Act, covering how the two regulations interact and what organisations need to do to comply with both. Particularly relevant for businesses that both use and produce digital products.
News & Analysis
Technical Reference & Tools
Technical documentation, tools, and resources for implementing specific security controls referenced in Pragmatic Security articles.
Cloudflare — DMARC, DKIM, and SPF Explained
A clear, comprehensive explanation of the three email authentication protocols — SPF, DKIM, and DMARC — how they work together, and how to implement them. Essential reading for any business looking to prevent email spoofing and BEC attacks.
Official Guidance
Valimail — DMARC, DKIM, SPF Explained
An alternative explanation of email authentication protocols with practical implementation guidance. Useful as a second reference alongside the Cloudflare resource.
Official Guidance
MXToolbox — Email Security Testing
A free online tool for testing your email security configuration — checking SPF, DKIM, and DMARC records, testing blacklists, and diagnosing email delivery issues. Useful for verifying that your email authentication is correctly configured.
Tool
Microsoft Learn — Zero Trust Guidance for SMBs
Microsoft's practical zero trust implementation guidance for small and medium businesses, covering identity, devices, applications, and data. Directly applicable to businesses using Microsoft 365.
Official Guidance
Microsoft Learn — Essential Eight Backups
Microsoft's guidance on implementing the Essential Eight backup strategy using Microsoft technologies. Covers backup configuration, testing, and the specific requirements for immutable backups.
Official Guidance
Acronis — Incremental vs Differential Backups
A clear explanation of the different backup types — full, incremental, and differential — with guidance on choosing the right approach for your business. Useful context for implementing the 3-2-1-1-0 backup strategy.
Official Guidance
SentinelOne — Best EDR Solutions for Small Business
An overview of endpoint detection and response (EDR) solutions suitable for small businesses, covering features, pricing, and deployment considerations. Useful for businesses evaluating EDR tools.
Official Guidance
Palo Alto Networks — EDR vs Antivirus
A clear explanation of the difference between traditional antivirus and modern EDR, covering detection methods, response capabilities, and why EDR provides significantly better protection against modern threats.
Official Guidance
NIST — Getting Started with the Cybersecurity Framework
NIST's introductory resource for the five (now six) CSF functions, with explanations and examples for each. A useful starting point for organisations new to the framework.
Official Guidance
Irish Business & Sector Resources
Resources from Irish business organisations, sector bodies, and media relevant to cybersecurity for Irish SMEs.
Cyber Ireland — Publications
Cyber Ireland is the national cybersecurity cluster organisation for Ireland. Its publications page includes research reports, industry surveys, and policy submissions on Irish cybersecurity. A useful resource for understanding the Irish cybersecurity ecosystem.
Research
Cyber Ireland — Reducing Cyber Security Risks for Irish SMEs in 2025 and Beyond
Cyber Ireland's practical guidance for Irish SMEs on reducing cyber risk in 2025 and beyond. Covers the key threats, the most effective controls, and the resources available to Irish businesses.
Official Guidance
ThinkBusiness — Irish SMEs and Cyber Threats
ThinkBusiness analysis of the cyber threats facing Irish SMEs, with a focus on email-based attacks. Provides useful Irish-specific context and statistics.
News & Analysis
CCPC — Consumer Protection and Cyber Scams
The Competition and Consumer Protection Commission (CCPC) provides guidance on consumer protection, including warnings about online scams and fraud targeting Irish consumers and businesses. Relevant for businesses handling consumer transactions.
Official Guidance
Fit.ie — Cyber Threats Costing Irish Businesses
An analysis of the financial impact of cyber threats on Irish businesses and the cost-effective solutions that SMEs are adopting. Provides useful Irish-specific financial context.
News & Analysis
Business Post — AI Cyber Threat Levels
Business Post analysis of the rising AI-powered cyber threat landscape and the controls that can contain it. Provides Irish business media perspective on the AI security challenge.
News & Analysis
Need Help Interpreting Any of These?
Official guidance and legislation can be dense. If you have read something here and are unsure what it means for your business, book a free 20-minute call. We will give you a plain-English answer.