NIS2 Ireland: what you need to know about compliance and certification

NIS2 Ireland

The original NIS1 Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 was introduced to strengthen cybersecurity within the EU. Due to the increasing threat of cyber attacks, this directive was replaced by the NIS2 Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022, which imposes stricter requirements and has a broader scope to increase the resilience of critical infrastructures against cyber attacks.

The deadline of 17 October 2024 for transposing the NIS2 Directive into national law was not met by Ireland. However, the draft law, hereinafter referred to as ‘the NIS2 Act’, is available.

On this page, you will find everything you need to know about the impact of NIS2 on your organisation and how you can prepare for the new regulations.

The content of this page is subject to change and will be updated as necessary.

NIS2 entities

The Irish NIS2 Act is relevant for both legal entities and natural persons (collectively referred to as ‘entities’) that are registered in Ireland and that supply products and/or services in an EU country.

The NIS2 Act explicitly specifies which public and private entities are subject to the cybersecurity obligations. A distinction is made between essential entities and important entities. The categorisation of entities takes into account the services provided, the size of the entity and the location of the entity.

In principle, your entity is subject to the Irish NIS2 Act if:

  • Your organisation provides services within a sector listed in Annex I and Annex II of the NIS2 Act;
  • Your organisation exceeds the thresholds for medium-sized enterprises; and
  • Your organisation is established in Ireland.

Criterion 1: services provided

Annexes I and II of the Irish NIS2 Act describe the sectors that fall within its scope. It is therefore very important to thoroughly analyse the services you provide to third parties by (sub)sector. The sectors listed in the Irish NIS2 Act correspond to the European NIS2 Directive.

Annex I: Highly critical sectors

  • Energy
    • Electricity
    • District heating and cooling
    • Oil
    • Gas
    • Hydrogen
  • Transport
    • Air
    • Rail
    • Water
    • Road
  • Banking
  • Financial market infrastructures
  • Health
  • Drinking water
  • Waste water
  • Digital infrastructure
  • ICT service management (business-to-business)
  • Public administration
  • Space

Annex II: Other critical sectors

  • Postal and courier services
  • Waste management
  • Manufacture, production and distribution of chemicals
  • Production, processing and distribution of food
  • Manufacturing
    • Medical devices and in vitro diagnostic medical devices
    • Information technology products and electronic and optical products
    • Electrical equipment
    • Machinery, apparatus and tools n.e.c.
    • Motor vehicles, trailers and semi-trailers
    • Other transport equipment
  • Digital providers
  • Research

If your organisation provides a service from the above list, your organisation may fall within the scope of the NIS2 Act.

Criterion 2: company size

In addition to the services provided, the size of the entity is also important in determining whether your organisation falls within the scope of the Irish NIS2 Act. Click here to determine whether your organisation is a small, medium-sized or large enterprise. In principle, medium-sized and large enterprises must comply with the obligations under the NIS2 Act.

In addition, the law also applies to the following specific providers, regardless of the size of the entity. These are:

  • Providers of public electronic communications networks or services
  • Providers of trust services
  • Providers of top-level domain name registries (TLD registries)
  • Providers of domain name registries (DNS service providers)

Furthermore, the law also applies to entities, regardless of their size, if their activities are crucial to society or the economy. This is the case if:

  • They provide services that are essential for critical societal or economic functions and are not provided by other providers
  • A disruption of their services would have a significant impact on public order, safety or public health
  • An incident at them could cause systemic risks with cross-border consequences
  • They are of strategic or vital importance at national or regional level, for example due to dependencies in other sectors

Criterion 3: established entity in Ireland

In principle, the Irish NIS2 Act can only apply to entities established in Ireland. However, by way of exception, the following entities are subject to the Irish NIS2 Act:

  • Providers of public electronic communications networks or providers of public electronic communications services offering their services in Ireland;
  • DNS service providers, top-level domain name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, as well as online marketplace providers, online search engines or social networking service platforms, if they have their main establishment in Ireland or if they have their legal representative for the EU in Ireland in the case that they do not have an establishment within the EU;
  • Public authorities established by Ireland.

In addition to the three criteria above, when analysing the scope of the NIS2 Act, it should be taken into account that a non-NIS2 organisation may still be affected by the NIS2 Act because the national authority designates the entity as essential or important, or because the non-NIS2 organisation is part of the supply chain of an NIS2 organisation.

To determine whether your entity falls within the scope of the Irish NIS2 Act, you can use the NCSC’s online tool.

What does this mean for my company?

1. Registration

In Ireland, organisations that fall under the NIS2 legislation as essential or important entities will have to register themselves. The NIS2 Directive has not yet been fully transposed into national law. Once this process has been completed, the National Cyber Security Centre (NCSC) will make an official registration portal available.

If your organisation is classified as an essential or important entity based on the criteria described in the chapter ‘NIS2 entities’, you must provide the following information to the NCSC:

  • Name of the organisation
  • Address and current contact details of the entity, including email addresses and telephone numbers
  • IP address ranges
  • Sector and subsector
  • Overview of EU Member States where services falling within the scope of the NIS2 Act are provided

Any changes to this information must be communicated within two weeks.

Although the registration portal is not yet available, the NCSC does offer an online self-assessment tool. This allows organisations to make an initial assessment of whether they fall within the scope of the NIS2 Act. This tool is purely informative and does not replace the official registration procedure.

Organisations were asked to submit the above information by 17 January 2025 at the latest. As the NIS2 Directive has not yet been transposed into national law and the registration portal is not yet operational, entities do not need to register for the time being. Once the legislation has been adopted, new deadlines and instructions will be published. The registration portal will only be available once the Directive has been officially transposed into Irish law.

2. Management measures

If your organisation is categorised as an essential or important entity, you are responsible for implementing appropriate technical and organisational measures to ensure the security of your network and information systems. These cybersecurity management measures include at least:

  • Policy for risk analysis and security of information systems
  • Incident management
  • Business continuity, such as backup management and disaster recovery, and crisis management
  • Supply chain security
  • Security in the acquisition, development and maintenance of network and information systems, including the response to and disclosure of vulnerabilities
  • Policies and procedures to assess the effectiveness of measures for managing cybersecurity risks
  • Cyber hygiene and training in the field of cybersecurity
  • Policies and procedures on cryptography and, where applicable, encryption
  • Security aspects regarding personnel, access policy and asset management
  • Use of multi-factor authentication or continuous authentication solutions, secure voice, video and text communication and secure emergency communication systems within the entity, where applicable.

In the implementing regulation 2024/2690, the European Commission has elaborated the above minimum cybersecurity measures for DNS service providers, top-level domain name registries, cloud computing service providers, data centre service providers, providers of content delivery networks, managed services providers, managed security services providers, online marketplaces, online search engines, social networking services platforms and trust service providers.

3. Reporting obligation of significant incidents

Essential and important entities are required to notify the national Computer Security Incident Response Team (CSIRT), i.e. CSIRT-IE, when a significant incident occurs. In addition, they must also notify the recipients of their services if the significant incident affects the provision of services relating to the (sub)sectors listed in Annexes I and II.

An incident is considered significant if:

  • it has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned;
  • it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.

The significant incident shall be reported by the essential and important entity by email to info@ncsc.gov.ie or to incident@ncsc.gov.ie in the event of a cyber security incident involving the government, in accordance with the following procedure:

  1. immediately, and in any event within 24 hours of becoming aware of the significant incident, the entity shall submit an early warning, stating the probable cause and any cross-border implications;
  2. immediately, and in any event within 72 hours of becoming aware of the significant incident, the entity shall communicate an incident report containing an information update and an initial assessment of the incident;
  3. at the request of the competent CSIRT, the entity shall submit an interim report;
  4. no later than one month after the incident report, the entity shall submit a final report stating:
    1. a detailed description of the incident, as well as its severity and consequences;
    2. the type of threat or root cause that is likely to have led to the incident;
    3. applied and ongoing risk mitigation measures;
    4. the cross-border consequences of the incident, if applicable;
  5. if the incident is still ongoing one month after the incident report, the entity must submit a progress report at that point and a final report within one month of the incident being resolved.

In Implementing Regulation 2024/2690, the European Commission has defined the criteria for a significant incident for DNS service providers, top-level domain name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, online marketplace providers, online search engines and social networking service platforms, and trust service providers. These special rules take precedence over national rules in case of inconsistencies.

Finally, all entities, regardless of whether they fall within the scope of the NIS2 Act, can voluntarily report (significant) incidents, cyber threats and near misses to the CSIRT-IE.

More information on reporting significant cyber incidents can be found here.

4. Obligations and responsibilities of management

The management bodies of essential and important entities are responsible for compliance with the NIS2 Act and must fulfil various obligations, including:

  • Approving cyber security management measures and monitoring compliance with them
  • Undertaking training to acquire sufficient knowledge and skills to identify risks and assess management measures and their impact on their services
  • Ensuring that the entity’s employees receive ongoing training in the field of cyber security

The management bodies are liable for non-compliance with the NIS2 Act.

5. Cooperate with authorities

Essential and important entities must cooperate with the national authorities. This concerns the exchange of information on the security of network and information systems, reporting incidents, cooperation with the inspection service, etc.

How can I demonstrate that my company complies with the NIS2 legislation?

Essential and important entities must have a compliance audit carried out regularly. Based on an independent conformity assessment by an accredited Conformity Assessment Body (CAB), the entity can obtain a certificate demonstrating its compliance with the NIS2 Act to stakeholders.

The NCSC website provides information about specific frameworks that an entity can use, including the CyberFundamentals framework (CyFun) and ISO27001:

CyberFundamentals label

The CCB has developed a framework consisting of concrete measures aimed at better protecting data, reducing the risk of the most common cyberattacks and increasing the cyber resilience of an organisation.

Based on the severity of the threat to which an organisation is exposed, a distinction is made between the starter level Small and three security levels: Basic, Important and Essential. The CyFun Framework contains a set of management measures for each level.

In order to obtain the CyFun label, you must take the following steps:

  1. Determine the CyFun assurance level by performing a risk assessment. You can use the CyFun Selection Tool for this purpose.
  2. Complete a Self Assessment and implement corrective measures.
  3. Have the Self Assessment and the implemented measures verified or certified by a CAB.
  4. Apply for the CyFun label via the Safeonweb@work portal.

ISO/IEC 27001 certification

Another way to demonstrate compliance with NIS2 is the ISO/IEC 27001 certificate. ISO/IEC 27001 is the globally recognised standard for information security and describes the requirements for establishing, implementing, maintaining and continuously improving an Information Security Management System (ISMS).

To obtain ISO 27001 certification, the following steps must be taken:

  1. Acquire the necessary knowledge about ISO/IEC 27001, for example through training courses.
  2. Implement the ISO 27001 management system in your organisation in accordance with the standard requirements.
  3. Conduct internal audits.
  4. Have the management assess the results of the internal audit and take corrective measures if necessary. Record the conclusion about compliance with the requirements in the management review.
  5. Contact an accredited Conformity Assessment Body (CAB) to conduct an external audit.

If you would like more information about certification, you can make an appointment with an expert here.

Enforcement and sanctions

The competent authority carries out inspections to verify compliance with the requirements by cyber security entities. A distinction must be made between essential and important entities:

  • Essential entities are checked both proactively (ex-ante) and reactively (ex-post) and are required to undergo regular conformity assessments.
  • Important entities are in principle only checked reactively, after an incident or if there is a suspicion of non-compliance with the law.

The Irish NIS2 Act provides for specific penalties for entities that fail to comply with the legal provisions. These penalties vary according to the nature and seriousness of the infringement and are divided into administrative measures and administrative fines.

Possible administrative measures that may be imposed include issuing warnings, requiring the entity to take certain measures, appointing a supervisor to monitor compliance with the NIS2 Act, etc.

Administrative fines that may be imposed are also laid down by law and can amount to up to 10,000,000 euros or 2% of the total worldwide annual turnover of the essential entity and up to 7,000,000 euros or 1.4% of the total worldwide annual turnover of the important entity.

Timeline

17 October 2024: initial deadline for EU Member States to transpose the NIS2 Directive into national law

Important deadlines for cyber security entities will be added as more information becomes available.

Competent authorities

In Ireland, several competent authorities have been designated to be involved in the implementation of the NIS2 legislation.

The National Cyber Security Centre (NCSC) is the central authority in Ireland responsible for national cyber security and the implementation of the NIS2 Act. The NCSC focuses on securing government networks and critical national infrastructure. The Computer Security Incident Response Team (CSIRT-IE), which operates within the NCSC, is specifically responsible for responding to cyber incidents: it provides technical support in the event of security incidents, monitors cyber threats and shares relevant information with national and international partners.

In addition to the NCSC, sectoral authorities have also been designated:

  • Commission for the Regulation of Utilities (CRU): energy, drinking water and wastewater
  • Commission for Communications Regulation (ComReg): digital infrastructure, ICT services, space and digital providers
  • Central Bank of Ireland (CBI): banking and financial market infrastructures
  • Irish Aviation Authority (IAA): transport – aviation
  • Commission for Rail Regulation (CRR): transport – rail
  • Minister for Transport: transport – maritime
  • National Transport Authority (NTA): transport – road
  • Agencies under the remit of the Minister for Health: health

These authorities work together within a national forum of competent authorities and are responsible for supervision, enforcement and support within their respective sectors.