SHAMROCK SECURITY · File No. SS·2026 / Dublin

Compliance // File 008

NIS2 Directive and Irish Businesses: What You Need to Do

By Shreesh · 14 April 2026 · Shamrock Security

The NIS2 Directive came into effect across the EU in October 2024, and Ireland is transposing it into national law. If you run a medium or large business in energy, transport, healthcare, digital infrastructure, or financial services, this applies to you. Most Irish businesses are not ready.

NIS2 is not like GDPR, where updating a privacy policy might get you by. This directive puts personal liability on senior management for non-compliance.

Who Is Covered

Essential entities include energy providers, healthcare organisations, transport operators, and digital infrastructure. Important entities cover postal services, food production, and manufacturing. The threshold is roughly fifty or more employees, or turnover above ten million euro.

What You Actually Need

You need a risk management framework, incident detection and response with mandatory reporting to the NCSC, supply chain security assessments, tested business continuity plans, and security awareness training for all staff, including board members.

Management Liability

NIS2 lets member states hold senior management personally liable. If your board has not had a cybersecurity briefing in the past twelve months, that needs to change. Ignorance is explicitly not a defence.

Getting Started

Run a gap analysis. Prioritise incident response and supply chain assessments. Budget for external expertise. Fines can reach ten million euro or two percent of global turnover for essential entities.
