NIS2 Ireland: Scope, Compliance Requirements & How Your Organisation Can Prepare
The original NIS1 Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 was introduced to strengthen cybersecurity across the EU. Due to the increasing threat of cyber attacks, this directive was replaced by the NIS2 Directive (EU) 2022/2555, which introduces stricter requirements and broadens its scope to enhance the resilience of critical infrastructures against cyber attacks.
Ireland did not meet the original deadline of 17 October 2024 for transposing the NIS2 Directive into national law. However, the draft legislation, hereinafter referred to as ‘the NIS2 Act’, is now available and outlines Ireland’s intended national implementation framework.
On this page, you will find everything you need to know about the impact of NIS2 on your organisation and how you can prepare for the upcoming regulatory obligations.
Is your organisation ready for stricter cybersecurity requirements?
To receive tailored guidance based on your situation, you can contact our experts.
The content of this page is subject to updates as Ireland progresses with the transposition of the NIS2 Directive.
Scope of the Irish NIS2 Act
The Irish NIS2 Act applies to public and private entities – both legal entities and natural persons – that are registered in Ireland and provide products and/or services within the EU. The Act outlines which organisations fall under its cybersecurity obligations, distinguishing between essential entities and important entities. This classification is based on three core criteria: the services provided, the size of the entity and the establishment in Ireland.
In principle, your organisation falls within the scope of the Irish NIS2 Act if:
- Your organisation provides services within a sector listed in Annex I or Annex II of the NIS2 Act;
- Your organisation exceeds the thresholds for medium-sized enterprises; and
- Your organisation is established in Ireland.
Criterion 1: Services provided
Annex I and Annex II of the Irish NIS2 Act define the sectors that fall within scope. It is therefore essential to analyse the services your organisation provides by (sub)sector. These sectors correspond to the categories defined in the European NIS2 Directive and are grouped into highly critical sectors and other critical sectors.
| Annex I: Highly critical sectors | Annex II: Other critical sectors |
|---|---|
| Energy (electricity, district heating and cooling, oil, gas, hydrogen) | Postal and courier services |
| Transport (air, rail, water, road) | Waste management |
| Banking | Manufacture, production and distribution of chemicals |
| Financial market infrastructures | Production, processing and distribution of food |
| Health | Manufacturing (medical and in vitro diagnostic devices; IT products, electronic and optical equipment; electrical equipment; machinery and tools n.e.c.; motor vehicles, trailers and semi-trailers; other transport equipment) |
| Drinking water | Digital providers |
| Waste water | Research |
| Digital infrastructure | |
| ICT service management (business-to-business) | |
| Public administration | |
| Space | |
If your organisation provides services included in the sectors above, it may fall within the scope of the Irish NIS2 Act.
Criterion 2: Company size
In addition to the services provided, the size of your organisation determines whether you fall under the obligations of the Irish NIS2 Act. Medium-sized and large entities are generally in scope. To determine whether your organisation qualifies as small, medium-sized or large, you can consult the classification overview: enterprise size criteria.
The Act also automatically applies to specific providers, regardless of size:
- Providers of public electronic communications networks or services
- Providers of trust services
- Top-level domain name registries (TLD registries)
- Domain name registration service providers (DNS providers)
The Act may additionally apply, regardless of size, when organisations:
- Provide services that are essential for critical societal or economic functions with no viable alternative providers
- Deliver services whose disruption would significantly impact public order, safety or public health
- Operate in contexts where incidents could trigger systemic or cross-border risks
- Are strategically or nationally important due to sectoral dependencies
Criterion 3: Established entity in Ireland
The Irish NIS2 Act applies primarily to entities established in Ireland. However, the following categories also fall within scope:
- Providers of public electronic communications networks or services offering services in Ireland
- DNS service providers, TLD registries, domain name registration service providers, cloud providers, data centres, content delivery networks, managed service providers, managed security service providers, online marketplaces, online search engines and social networking platforms whose main establishment or EU legal representative is located in Ireland
- Public authorities established under Irish law
In addition, a non-NIS2 organisation may still fall within scope if designated as essential or important by the national authority, or if it forms part of the supply chain of an NIS2 entity.
To verify whether your organisation falls under the Irish NIS2 Act, you can use the online assessment tool provided by the National Cyber Security Centre (NCSC): NCSC NIS2 Scope Tool.
Would you like guidance on determining the correct NIS2 classification for your organisation? Contact our experts.
Obligations under the Irish NIS2 Act
Essential and important entities under the Irish NIS2 Act must comply with a series of cybersecurity obligations relating to registration, risk management measures, incident reporting and cooperation with authorities. The obligations outlined below apply once the NIS2 Directive has been fully transposed into Irish law.
1. Registration requirements
Organisations classified as essential or important under NIS2 will be required to register with the National Cyber Security Centre (NCSC). Although the NIS2 Directive has not yet been fully transposed into Irish law, a registration portal will be made available once the legislative process is complete.
Entities must submit at least the following details to the NCSC:
- Name of the organisation
- Address and complete contact details, including email and telephone numbers
- IP address ranges used by the organisation
- Sector and subsector to which the organisation belongs
- Overview of EU Member States in which in-scope services are provided
Any changes to the submitted information must be communicated within two weeks. Although the official registration portal is not yet operational, organisations can already perform an initial assessment via the NCSC’s self-assessment tool. This tool is indicative only and does not replace the formal registration procedure.
Entities were initially asked to submit the information by 17 January 2025. However, until the legislation is formally adopted and the portal is launched, entities do not need to take action. New deadlines and practical instructions will follow once the Irish NIS2 Act has been officially adopted.
2. Cybersecurity management measures
Essential and important entities must implement appropriate technical and organisational measures to ensure a high level of cybersecurity. These NIS2 risk management measures must be proportionate to the risks associated with the services provided and include, at a minimum:
- Policies for risk analysis and information system security
- Incident management processes
- Business continuity and crisis management (including backup and disaster recovery)
- Supply chain security measures
- Secure acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure
- Policies and procedures to assess the effectiveness of cybersecurity controls
- Cyber hygiene practices and cybersecurity training for staff
- Policies and procedures on cryptography and, where applicable, encryption
- Security measures related to personnel, access management and asset management
- Use of multi-factor authentication or continuous authentication, secure communication channels and secure emergency communication systems
In Implementing Regulation 2024/2690, the European Commission further specifies minimum cybersecurity requirements for providers such as DNS operators, TLD registries, cloud services, data centres, content delivery networks, managed service providers, managed security service providers, online marketplaces, search engines, social networking platforms and trust service providers.
3. Reporting obligations for significant incidents
Essential and important entities must notify the national CSIRT (CSIRT-IE) when a significant incident occurs. They must also notify service recipients if the incident affects service delivery in sectors listed in Annexes I and II of the Irish NIS2 Act.
An incident is considered significant if:
- it has caused or may cause severe operational disruption or financial loss for the entity; or
- it has affected or may affect other legal or natural persons, causing substantial material or non-material damage.
Incident notifications must be submitted to info@ncsc.gov.ie, or to incident@ncsc.gov.ie for government-related cyber incidents, according to the following procedure:
- Without delay and in any event within 24 hours: submit an early warning, including the probable cause and any cross-border impact.
- Without delay and in any event within 72 hours: submit an incident report containing updated information and an initial impact assessment.
- At the request of CSIRT-IE: submit an interim report.
- Within one month after the incident report: submit a final report including:
  - A detailed description of the incident and its consequences
  - The likely root cause or threat that led to the incident
  - Applied and ongoing mitigation measures
  - Any cross-border impact, if applicable
- If the incident is still ongoing after one month: submit a progress report, followed by a final report once the incident is resolved.
The criteria above are further specified in Implementing Regulation 2024/2690. These EU rules take precedence in case of inconsistencies with national guidance.
Additionally, all entities — including those not formally in scope — may voluntarily report incidents, threats or near misses to CSIRT-IE.
More information on reporting significant cyber incidents is available via the NCSC: NCSC Incident Reporting Guidance.
4. Obligations and responsibilities of management
Management bodies of essential and important entities bear full responsibility for ensuring compliance with the Irish NIS2 Act. Their obligations include:
- Approving cybersecurity risk management measures and monitoring their implementation
- Undertaking cybersecurity training to obtain the knowledge required to identify risks and assess security measures
- Ensuring continuous cybersecurity training for relevant personnel
Management bodies may be held liable for non-compliance with the NIS2 Act.
5. Cooperation with authorities
Essential and important entities must cooperate with Irish authorities, including the NCSC and CSIRT-IE. This cooperation includes sharing information on network and information system security, reporting incidents, and supporting inspections conducted by national authorities.
Would you like guidance on preparing your organisation for NIS2 compliance in Ireland? Contact an expert.
How can my organisation demonstrate compliance with the NIS2 legislation?
Essential and important entities under the Irish NIS2 Act must undergo regular, independent conformity assessments. Following a successful assessment performed by an accredited Conformity Assessment Body (CAB), the organisation may obtain a certificate which provides stakeholders with assurance that the entity complies with the NIS2 requirements.
The NCSC provides information on the frameworks that can be used in Ireland to demonstrate compliance, including the CyberFundamentals (CyFun) framework and ISO/IEC 27001.
CyberFundamentals (CyFun) label
The CyberFundamentals framework consists of practical measures designed to strengthen an organisation’s cybersecurity posture, reduce the likelihood of common cyberattacks and enhance overall cyber resilience. Entities are classified into one starter level (Small) and three assurance levels: Basic, Important and Essential. Each level contains a specific set of mandatory controls.
To obtain the CyFun label, an organisation must follow these steps:
- Determine the applicable CyFun assurance level by conducting a risk assessment. The CyFun Selection Tool can support this process.
- Complete a Self Assessment and implement any required corrective measures.
- Have the Self Assessment and implemented measures independently verified or certified by an accredited CAB.
- Apply for the CyFun label through the Safeonweb@Work portal.
ISO/IEC 27001 certification
ISO/IEC 27001 is the internationally recognised standard for information security and outlines the requirements for establishing, implementing, maintaining and continuously improving an Information Security Management System (ISMS). This certification is an effective way to demonstrate compliance with the Irish NIS2 Act.
To obtain ISO/IEC 27001 certification, an organisation must complete the following steps:
- Acquire the necessary knowledge regarding ISO/IEC 27001, for example through specialised training programmes.
- Implement an ISMS that meets all requirements of the standard.
- Perform internal audits to assess the effectiveness of the ISMS.
- Conduct a management review, address any nonconformities and document the organisation’s conclusion regarding conformity with the standard.
- Engage an accredited CAB to carry out the external certification audit.
Would you like more information about certification or the audit process? Schedule a meeting with an expert.
How to determine the best route to demonstrate NIS2 compliance
Depending on your organisation’s size, sector and strategic objectives, the most suitable conformity route may differ. The overview below provides a step-by-step method to help you determine the right approach.
1. Identify whether your organisation is classified as essential or important. Review the NIS2 entity criteria (sector, company size, establishment in Ireland).
2. Determine the maturity level of your current cybersecurity controls. Assess how well your organisation already aligns with NIS2 requirements.
3. Choose the conformity route that fits your objectives:
   - CyFun (CyberFundamentals): suitable for organisations seeking a practical, structured framework with a defined set of security controls.
   - ISO/IEC 27001: recommended for organisations requiring an internationally recognised standard and a long-term information security management system.
4. Prepare documentation and evidence for the selected assessment route. This includes risk assessments, procedures, implemented controls and audit results.
5. Schedule your conformity assessment with an accredited CAB. Independent verification is required to demonstrate compliance to stakeholders and authorities.
If you would like professional guidance in choosing the most suitable conformity assessment route, contact an expert.
Enforcement and sanctions under the Irish NIS2 Act
Under the Irish NIS2 Act, the competent authority carries out inspections to verify whether in-scope entities comply with the applicable requirements. A distinction is made between essential entities and important entities, as the intensity of supervision differs per category.
- Essential entities are monitored both proactively (ex-ante) and reactively (ex-post) and are required to undergo regular conformity assessments.
- Important entities are, in principle, supervised reactively only, for example after an incident or where there are indications of non-compliance with the law.
If an inspection reveals non-compliance, the competent authority may impose enforcement actions. The Irish NIS2 Act provides for specific penalties that vary according to the nature, impact and seriousness of the infringement and are divided into administrative measures and administrative fines.
Administrative measures
Administrative measures are corrective actions aimed at restoring compliance and reducing cyber risk. Possible measures that may be imposed include, among others:
- Issuing formal warnings to the entity;
- Requiring the entity to implement specific technical or organisational measures within a defined timeframe;
- Appointing a supervisor or monitoring officer to oversee compliance with the NIS2 Act;
- Temporarily suspending certain authorisations, certificates or licences where justified.
Administrative fines
In addition to administrative measures, the competent authority may impose administrative fines. These fines are laid down in law and can be substantial, reflecting the importance of NIS2 compliance for critical and important services.
Depending on the category of the entity and the seriousness of the infringement, fines can amount to:
- Up to EUR 10,000,000 or 2% of the total worldwide annual turnover of an essential entity, whichever is higher;
- Up to EUR 7,000,000 or 1.4% of the total worldwide annual turnover of an important entity, whichever is higher.
These sanctions underline the importance of a structured NIS2 compliance strategy and a demonstrably effective cybersecurity management system. If you would like guidance in preparing your organisation for NIS2 enforcement and avoiding sanctions, contact an expert.
Timeline: key dates for NIS2 in Ireland
The initial deadline of 17 October 2024 for EU Member States to transpose the NIS2 Directive into national law was not met by Ireland. The Irish NIS2 Act is currently in draft form and will enter into force once the legislative process is completed. As soon as the Act is adopted, the Irish National Cyber Security Centre (NCSC) will publish the official deadlines and compliance requirements.
What we know so far:
- 17 October 2024 – Original EU deadline for transposition of the NIS2 Directive into national law.
- Draft NIS2 Act published – The draft legislation is available, but not yet in force.
- Upcoming deadlines – Once the Act is adopted, deadlines for registration, reporting and conformity assessments will be communicated by the NCSC.
Because timelines may significantly impact your compliance planning, this section will be updated as soon as official dates are released by the Irish government or the NCSC.
Would you like to prepare your organisation in advance for the expected NIS2 obligations? Contact an expert for guidance.
Competent authorities
Under the Irish NIS2 Act, several national and sectoral authorities have been designated to supervise, enforce and support the implementation of cybersecurity requirements. The National Cyber Security Centre (NCSC) acts as the central coordinating body, supported by sector-specific regulators responsible for monitoring essential and important entities within their domain.
The overview below provides clarity on the competent authorities in Ireland and their responsibilities under the NIS2 framework.
| Authority | Responsibilities |
|---|---|
| National Cyber Security Centre (NCSC) | Central authority responsible for national cyber security, coordination of NIS2 implementation, securing government networks and overseeing critical national infrastructure. |
| CSIRT-IE (Computer Security Incident Response Team) | Responds to cybersecurity incidents, monitors threats, provides technical support and shares threat intelligence with national and international partners. |
| Commission for the Regulation of Utilities (CRU) | Competent authority for the energy, drinking water and wastewater sectors. |
| Commission for Communications Regulation (ComReg) | Supervises digital infrastructure, ICT service providers, the space sector and digital service providers. |
| Central Bank of Ireland (CBI) | Responsible for supervision under NIS2 in the banking sector and financial market infrastructures. |
| Irish Aviation Authority (IAA) | Competent authority for aviation transport entities falling under NIS2. |
| Commission for Railway Regulation (CRR) | Supervisory authority responsible for rail transport. |
| Minister for Transport | Responsible for maritime transport and related NIS2 supervision. |
| National Transport Authority (NTA) | Supervises NIS2 obligations for entities involved in road transport. |
| Health-sector agencies (under the Minister for Health) | Competent authorities for healthcare organisations within the scope of the NIS2 Act. |
Together, these authorities form Ireland’s national framework for NIS2 supervision, enforcement and sector-specific guidance.
Is the NIS2 Directive already transposed into Irish law?
No. Ireland did not meet the transposition deadline of 17 October 2024. However, a draft version of the NIS2 Act is available. Once the Act is fully adopted, the Irish authorities will formalise procedures, deadlines and supervisory mechanisms.
Does my organisation fall within the scope of the Irish NIS2 Act?
Your organisation may fall within scope if it:
- provides services listed in Annex I or Annex II of the Act;
- meets the thresholds for medium-sized or large enterprises; and
- is established in Ireland.
In addition, certain providers — such as trust service providers, DNS service providers, TLD registries and public electronic communications providers — fall within scope regardless of their size.
How can I check whether my organisation is considered an essential or important entity?
Classification depends on the services you provide, company size and establishment in Ireland. The National Cyber Security Centre (NCSC) offers an online self-assessment tool that helps organisations make an initial determination. Final classifications will be confirmed by the competent authority after the Act enters into force.
Do I already need to register my organisation under NIS2 in Ireland?
Not yet. The official registration portal has not been launched because the Irish NIS2 Act has not been fully transposed. Organisations were initially asked to submit information by 17 January 2025, but this obligation is suspended until legislation is finalised. New deadlines will be communicated once the Act enters into force.
What information will organisations need to provide during NIS2 registration?
Essential and important entities will be required to provide:
- organisation name and address;
- contact details;
- IP address ranges;
- sector and subsector classification;
- countries where NIS2-relevant services are provided.
Any changes must be reported within two weeks.
What cybersecurity measures must essential and important entities implement?
Entities must implement a minimum set of technical and organisational measures, including:
- risk analysis and information-system security;
- incident management;
- business continuity and disaster recovery;
- supply chain security;
- secure development and vulnerability management;
- staff security and access control;
- cyber hygiene and training;
- encryption policies;
- (continuous) authentication and secure communications where appropriate.
These requirements are elaborated in EU Implementing Regulation 2024/2690.
How should significant incidents be reported in Ireland?
Significant incidents must be reported to CSIRT-IE by email:
- info@ncsc.gov.ie
- incident@ncsc.gov.ie (for incidents involving government)
The required reporting timeline is:
- Within 24 hours: early warning with probable cause and cross-border implications;
- Within 72 hours: incident report with an initial assessment;
- Interim report: upon request of the competent CSIRT;
- Within one month: final report with a detailed analysis and applied mitigation measures.
If the incident is still ongoing after one month, a progress report is required.
What penalties apply for non-compliance with the Irish NIS2 Act?
The Irish NIS2 Act provides for administrative measures and administrative fines:
- Essential entities: up to €10,000,000 or 2% of total worldwide annual turnover;
- Important entities: up to €7,000,000 or 1.4% of total worldwide annual turnover.
Administrative measures may include warnings or the appointment of a supervisor to oversee compliance.
Does NIS2 impose obligations on management bodies in Ireland?
Yes. Management bodies must:
- approve cybersecurity management measures;
- monitor compliance and overall effectiveness;
- undertake training to gain sufficient cybersecurity knowledge and skills;
- ensure continuous cybersecurity training for employees.
Management may be held liable for non-compliance.
What are the recommended next steps for organisations preparing for NIS2?
Organisations are advised to:
- determine whether they fall within the NIS2 scope;
- perform a cybersecurity gap analysis against NIS2 requirements;
- prepare incident reporting procedures;
- review supply chain dependencies;
- assess readiness for frameworks such as CyFun or ISO/IEC 27001;
- prepare for mandatory registration once the portal is launched.
