Summary
The Irish Government has indicated that it will transpose the NIS2 Directive into law in Q4 2025, with penalties enforced from 2026. Around 4,000 Irish organisations must prepare to adopt strict cybersecurity risk management measures and report significant incidents. Two key guidance documents – Ireland’s NIS2 Risk Management Measures Draft Guidance and ENISA’s Technical Implementation Guidance – set out detailed requirements aligned with standards such as ISO 27001. The CyFun initiative offers practical support to help smaller organisations build baseline defences. Acting now to implement controls, engage boards and document evidence will be vital for compliance and resilience.
The NIS2 Directive is set to drive significant change for thousands of Irish organisations. The Irish Government has indicated that NIS2 will be transposed into Irish law in Q4 2025, with penalties enforced for non-compliance from 2026. This means time is running short for around 4,000 organisations expected to fall under its scope.
NIS2 applies to essential and important entities across sectors such as energy, healthcare, logistics, digital services, and many others. It requires these organisations to adopt strict cybersecurity risk management measures and report significant incidents promptly.
David McNamara, Founder of CommSec:
“This new guidance brings much-needed clarity and a north star for organisations navigating NIS2. Aligning your cyber security practices with internationally recognised frameworks like ISO 27001:2022 will take you 95% of the way towards compliance. The key is to act early, document your measures thoroughly and build a culture where security is everyone’s responsibility.”
Two new guidance documents have been published to help organisations prepare:
- The NIS2 Risk Management Measures (RMM) Draft Guidance issued by Ireland’s National Cyber Security Centre (NCSC) explains the specific controls you must implement. These Risk Management Measures cover 16 areas, including:
  - Board-level accountability and governance
  - Asset management
  - Access control
  - Incident detection and response
  - Supply chain security
  - Business continuity and disaster recovery
The RMM guidance is not just a checklist. It sets out expectations for a structured and evidence-based approach to managing cybersecurity risks. Each measure must be appropriate and proportionate to your organisation’s size, exposure, and impact on society if disrupted.
For example, management boards will be legally accountable for approving risk management frameworks and ensuring they are implemented in daily operations. Regular reviews, training, and continual improvement are also mandatory.
- The ENISA Technical Implementation Guidance supports organisations, especially those in digital infrastructure and ICT services. This document maps NIS2 requirements to recognised international standards and frameworks such as ISO/IEC 27001 and the NIST Cybersecurity Framework. It offers clear examples of how to demonstrate compliance and what evidence you may need to show regulators.
CyFun: A Practical Starting Point
In parallel, the CyFun (Cyber Fundamentals) initiative is helping smaller and medium-sized enterprises build baseline cyber defences. CyFun focuses on practical and achievable measures that align with NIS2 and other relevant regulations. This includes:
- Basic cyber hygiene practices
- Security awareness training
- Simple risk assessments and improvement plans
- Support to implement essential controls cost-effectively
While CyFun does not replace NIS2 compliance, it offers a structured path to improve maturity and prepare for the more demanding RMM obligations. For many organisations with limited resources, CyFun can be an important first step to build resilience and reduce exposure to penalties.
Why this matters
NIS2 raises the bar for cybersecurity governance. Once the transposing law is in force in late 2025, Irish organisations that fail to comply will face investigations and, from 2026, sanctions. Beyond compliance, adopting the RMM and CyFun principles will strengthen your resilience against ransomware, supply chain breaches, and other serious threats.
Get Started Now
If you are not sure whether NIS2 applies to your organisation, you should review the criteria in the Directive and use the NCSC’s online “Am I in Scope?” tool. For those in scope, it is essential to:
- Appoint internal owners for compliance and governance
- Review and plan the implementation of the Risk Management Measures
- Establish policies, procedures, and evidence trails
- Engage your board and management to secure commitment
If you would like support with readiness assessments or compliance planning, please get in touch with our team. We are here to help you safeguard your business.