Who does NIS2 apply to in Ireland?

NIS2 applies to essential and important entities, including energy, health, transport, water, digital infrastructure, public administration, food, waste, and some SMEs that act as critical suppliers.

What is the NIS2 reporting requirement?

Under NIS2, organisations must notify the national authority of a significant cybersecurity incident within 24 hours of detection and provide a detailed report within 72 hours.

How long does it take to get NIS2 ready?

With focused effort, many Irish organisations can achieve baseline NIS2 readiness in 90 days by mapping assets, enabling multi-factor authentication, segmenting networks, and preparing an incident response plan.

What are the main NIS2 requirements?

Key requirements include governance at board level, documented risk management, multi-factor authentication, offline backups, 24-hour breach reporting, supply chain security, and regular staff training.

Does NIS2 affect Irish SMEs?

Yes. While not all SMEs are in direct scope, those supplying essential or important entities may need to prove equivalent compliance. This affects IT providers, manufacturers, and critical service contractors.

Cybersecurity

NIS2 Readiness for Irish Organisations: Scope, Gaps, and a 90-Day Action Plan

Q: What are the penalties for non-compliance with NIS2?

Irish organisations that fail to comply with NIS2 can face fines up to €10 million or 2% of annual global turnover, along with reputational damage and regulatory enforcement.

September 5, 2025

Why NIS2 Matters for Ireland

The NIS2 Directive is now live across the EU, including Ireland. It sets mandatory cybersecurity requirements for “essential” and “important” entities — from local councils and hospitals to transport operators, energy firms, and some SMEs.

Failure to comply can result in fines up to €10 million or 2% of annual global turnover. For Irish organisations, 2026 is the time to act. This article explains who falls under NIS2, the gaps most organisations face, and a vendor-neutral 90-day action plan.

1. Who Is in Scope Under NIS2?

NIS2 applies to two main groups:

Essential entities: Energy, transport, health, water, digital infrastructure, public administration.
Important entities: Food, waste, manufacturing, postal, social care, and some digital service providers.

Even SMEs may be in scope if they are critical suppliers to essential entities.

2. The Biggest Gaps for Irish Organisations

Most Irish councils, hospitals, and SMEs share the same challenges:

Limited visibility: No full inventory of IT/OT assets.
Weak access control: Single logins, shared accounts, and lack of MFA.
Supplier risk: Vendors not vetted for security compliance.
Incident readiness: No clear plan for 24-hour breach reporting.
Board awareness: Cybersecurity not discussed at executive level.

3. NIS2 Requirements in Plain English

NIS2 requires organisations to implement:

Governance: Cybersecurity must be addressed at board level.
Risk management: Documented policies and regular vulnerability scans.
Incident reporting: Notify authorities within 24 hours of detection.
Business continuity: Offline backups, disaster recovery, and crisis response.
Supply chain security: Ensure contractors meet equivalent standards.

4. A 90-Day Action Plan for NIS2 Readiness

Day 1–30: Assess & Map

Identify if you are in scope.
Map all IT and OT assets.
Run a quick gap analysis against NIS2 requirements.

Day 31–60: Secure & Segment

Enable multi-factor authentication (MFA).
Segment networks (staff, IoT, guest).
Apply vendor patches and update policies.

Day 61–90: Plan & Prove

Draft an incident response plan.
Test backups and recovery.
Train staff on phishing and reporting.
Prepare evidence for compliance audit.

5. Benefits Beyond Compliance

Reduced risk of ransomware and data loss.
Stronger supplier relationships through shared standards.
Improved resilience during outages or crises.
Better reputation with citizens, patients, and customers.

Case Example

A regional council in Ireland ran a 90-day NIS2 programme. By enabling MFA, segmenting networks, and training staff, it reduced phishing-related incidents by 70% and met compliance reporting timelines.

Conclusion: Don’t Wait

NIS2 isn’t optional — and regulators in Ireland will begin enforcement in 2026. Organisations that act now with a simple 90-day plan will not only avoid fines but also strengthen trust, resilience, and long-term security.

Microtel helps Irish organisations with vendor-neutral NIS2 readiness assessments, ensuring you meet requirements without unnecessary cost or complexity.

References

European Union Agency for Cybersecurity. (2023). NIS2 Directive implementation guidance. ENISA. https://www.enisa.europa.eu/publications

European Commission. (2023). Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union. Official Journal of the European Union. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022L2555

Hiller, J. S., & Russell, R. S. (2020). Privacy and security in the era of digital government: Managing risks and promoting trust. Government Information Quarterly, 37(1), 101411. https://doi.org/10.1016/j.giq.2019.101411

Share this post :

RJ Henderson

RJ Henderson is a senior technology consultant and solutions architect with over 30 years of experience spanning Cloud Computing, Artificial Intelligence, Engineering, Networking, and Project Management. RJ combines deep technical insight with practical project-delivery expertise, ensuring every solution meets business goals, compliance standards, and long-term scalability.