Summary
As Ireland moves closer to NIS2 transposition, organisations face significant new cyber security obligations. This article examines the expected timeline, governance requirements for directors, the role of the CyFun framework, supply chain security, AI-related risks, incident readiness, and the practical measures businesses should implement to achieve NIS2 compliance and strengthen resilience.
By David McNamara, Founder, CommSec | June 2026
I have been watching NIS2 take shape for several years. When the directive was first introduced at EU level, I welcomed it. Not because regulation is an end in itself, but because cybersecurity in Ireland needed an enforcement approach. Too many organisations were taking too many risks, knowingly or not, and without a clear regulatory floor, there was little pressure to change that.
There are strong indications that Ireland intends to transpose NIS2 before the end of its EU Council Presidency, which concludes in Q4 2026. Completing transposition under the Presidency would be a visible signal of Ireland’s commitment to the EU’s digital regulatory agenda. For the organisations we work with, it means Q3 2026 is the planning assumption they should be working to right now. This is when the legislation is pencilled in for transposition.
What strikes me most about where we are is the scale of what is about to change. NIS2 will bring thousands of Irish organisations into scope, compared to the few hundred that fell under the original NIS1 directive. This is not an incremental update. It is a fundamental expansion of who must take cybersecurity seriously, and how they must demonstrate it.
Ireland’s NIS2 Update: What Is Happening and When
Ireland was required to transpose NIS2 into national law by October 2024. The National Cyber Security Bill is currently in committee stage, and the EU Presidency context gives us good reason to expect it before the end of Q3 2026. When the Bill passes, the obligations land all at once. There is no phased implementation and no grace period, beyond a three-month window for self-registration with the NCSC.
What that means in practice is significant. Management bodies will be required to personally approve their organisation’s cybersecurity risk management measures and actively oversee their implementation. All fifteen risk management measures must be operational from day one: not in progress, not planned, but operational. Incident reporting capability must be live and tested, with a 24-hour early warning obligation and a 72-hour formal notification requirement following a significant incident. And from the moment the Bill is enacted, the NCSC has the power to conduct unannounced on-site inspections. There is no settling-in period.
One thing that does not get enough attention in this conversation is the resourcing reality facing most Irish organisations. The larger advisory firms are stretched. Their NIS2 capacity is largely committed to enterprise and multinational clients, and smaller organisations, many of whom fall into scope for the first time under NIS2, are finding it difficult to access the support they need at a price point that makes sense. That gap is real, and it is widening as the deadline approaches.
There is also a governance point that is worth being direct about. You can outsource implementation support. You can outsource your monitoring, your testing, your incident response capability. What you cannot outsource is the governance itself. The board remains accountable. The senior leadership team remains accountable. NIS2 is explicit on this, and no advisory engagement, however well structured, transfers that responsibility to a third party. The organisations that understand this early will build their compliance programmes around genuine internal ownership, supported by the right external partners, rather than treating it as something to be handed off entirely.
Recent research commissioned by .IE found that 45% of Ireland’s essential and important entities are not ready for NIS2. That figure is concerning on its own. What I find more alarming is that 47% of respondents said they had not fully mapped their supply chain for critical services. Supply chain exposure is one of the most significant gaps we encounter in practice, and it is one of the hardest to close quickly. You cannot manage a risk you have not yet mapped. And as AI-powered tools become more embedded in how organisations manage their security, a new question is emerging that few are asking yet: if your primary security tooling is AI-driven, what happens when it fails? Where is the resilience? Where is the failover? AI introduces capability, but it also introduces dependency, and NIS2’s incident reporting obligations do not pause because your tooling is unavailable.
Supporting Senior Leadership Through a Real Shift in Responsibility
I want to be clear about something before getting into the detail of director obligations. The boards and senior leadership teams I speak with are not disengaged from cybersecurity because they do not care. They are managing an enormous range of competing pressures. Global uncertainty, cost of living challenges, energy prices, geopolitical instability, and the day-to-day complexity of running a business in a difficult environment. Cybersecurity is one item on a very long list.
That is exactly why I believe NIS2, and the director obligations it introduces, is actually a helpful development for leaders in this position. Article 20 gives boards a formal framework for engaging with cybersecurity that they have not had before. It creates a clear structure: approve the risk management measures, oversee their implementation, receive regular reporting, and ensure that training is in place. That is not an unreasonable ask. It is the kind of governance structure that most directors already apply to financial and legal risk.
The intent here is not to burden directors with technical responsibility they are not equipped for. The intent is to ensure that cybersecurity receives the board-level attention it deserves, supported by people who understand it. That is where IT leaders and their security teams play a critical role, translating risk into business language, giving leadership the information they need to make sound decisions, and ensuring that governance is documented in a way that holds up to regulatory scrutiny.
At CommSec, a significant part of what we do in our GRC practice is support exactly this dynamic. We work alongside Information Security Officers and senior leadership teams to build the governance frameworks, reporting structures, and risk management processes that make NIS2 compliance achievable and sustainable. The goal is not compliance for its own sake. It is to help leadership teams feel genuinely confident in their security posture, not just on paper.
CyFun: A Framework That Actually Helps
One of the genuinely positive developments in Ireland’s NIS2 implementation is the CyFun framework. CyFun is Ireland’s designated national scheme for assessing cybersecurity maturity, built on the globally recognised NIST Cybersecurity Framework version 2.0. I believe it is a good thing, and I say that not as a compliance professional talking about frameworks in the abstract, but as someone who has watched Irish organisations struggle with the question of where to start.
CyFun gives organisations structure and clarity. It defines what good looks like, across 217 controls at the Essential level, and it creates a common language that regulated entities and their supply chains can use to assess and communicate their security posture. For an organisation trying to understand its own gaps, that structure is genuinely useful. For an organisation trying to assure itself that its suppliers are managing cyber risk appropriately, it provides a measurable standard to hold them to.
That supply chain dimension is worth dwelling on. One of the most significant changes NIS2 introduces is the expectation that regulated entities take responsibility for the cyber risk their suppliers represent. CyFun gives both parties a framework to work within. And I would go further: every forward-thinking SME and SMB in Ireland, whether or not they fall directly into NIS2 scope, should be working towards CyFun alignment. It is increasingly the benchmark that larger regulated customers will expect their suppliers to meet. Getting ahead of that expectation is good business, not just good compliance.
The AI Dimension: A Growing Risk on Both Sides
No update on the Irish cyber landscape in 2026 would be complete without addressing artificial intelligence. The rise of AI has changed the threat environment in ways that make robust detection and governance more important than ever.
On the threat side, the tools available to malicious actors have improved substantially. AI-powered phishing campaigns can now generate highly personalised, contextually convincing messages at scale, far beyond what was possible even two years ago. AI is being used to automate the discovery of vulnerabilities, to accelerate lateral movement within compromised networks, and to make attacks harder to detect by mimicking normal user behaviour. The organisations most at risk are those with weak visibility into their environments, because the attacks are designed to evade exactly the kinds of passive defences that many Irish organisations still rely on.
On the governance side, AI usage within organisations is creating new risks that boards and senior teams are only beginning to grapple with. Employees using AI tools, whether sanctioned or not, may be inadvertently exposing sensitive data, processing personal information through third-party systems, or creating shadow processes that sit outside any security or compliance framework. NIS2 does not yet specifically address AI governance, but the risk management measures it requires are broad enough to encompass it. Organisations that are building their NIS2 compliance programmes now should be incorporating AI governance into that work from the outset, not treating it as a separate exercise to be addressed later.
Incident Readiness: Detection Must Come Before Everything Else
Of all the obligations embedded in NIS2, incident response is the one that exposes organisations most immediately. The 24-hour early warning and 72-hour notification requirements are not aspirational targets. They are legal deadlines. And meeting them requires detection capability first, not just response plans.
“Most organisations have an incident response plan. Very few have the detection capability to trigger it in time. Under NIS2, you cannot report what you cannot see. The question boards need to ask is not whether they have a plan, but whether they will know an incident has happened within hours, not days or weeks.”
— David McNamara, Founder, CommSec
There is a practical sequencing problem in how many organisations approach NIS2 compliance. They begin with policies, then procedures, then technical controls, and treat monitoring and detection as something to layer in later. Monitoring should be one of the first priorities and can be done in conjunction with the policies, processes and technical controls.
Detection is not a component you add after the other controls are in place. It is the foundation that makes every other control measurable and meaningful. Without detection capability, you cannot confirm your access controls are functioning as intended. You cannot verify that your patch management programme is closing the vulnerabilities it should. You cannot know whether your incident response plan reflects the reality of your environment, because you have never had real observed activity to test it against. You are building a compliance programme on assumption rather than evidence.
The 24-hour early warning requirement means an organisation must be capable of identifying a significant incident, assessing its severity, and notifying the competent authority, all within a single working day. That is not achievable without continuous, 24/7 monitoring. A business-hours security function will not meet that standard. Detection is not the last step in a compliance programme. It is the first. Every other control flows from it.
How CommSec Supports Organisations Through NIS2
At CommSec, we have been supporting Irish organisations with NIS2 readiness for the past two years. We work with IT managers, security teams, and senior leadership across sectors including financial services, credit unions, healthcare, energy, and logistics. Our role is to make the journey practical and manageable, not to present compliance as an insurmountable challenge.
Our NIS2 engagements typically begin with a structured gap assessment using the CyFun framework and the NCSC’s Risk Management Measures guidance. This gives organisations a clear picture of where they stand, what is missing, and what needs to be prioritised before enactment. From there, we support remediation across the full range of NIS2 requirements.
For organisations that need ongoing security leadership, our virtual CISO service embeds an experienced security executive into the leadership team on a flexible, retained basis. Our vCISOs work at board and C-suite level, translating technical risk into business language and ensuring that governance structures are in place and properly documented. For detection and monitoring, our 24/7 Managed SOC and MDR services provide the continuous visibility that NIS2’s incident reporting obligations demand. We also support data protection obligations through our DPO as a Service, and deliver NIS2 and DORA training programmes specifically designed for senior management and board-level audiences.
For organisations in the supply chain of regulated entities, we offer proportionate assessments that establish a credible, documented security posture aligned to CyFun. This gives both the organisation and its regulated customers the assurance they need.
If your organisation is in scope for NIS2 and you are not yet certain where you stand, the most useful thing you can do right now is understand your gaps. We offer a free initial consultation, and our team is available to help you build a practical roadmap before the Bill is enacted.
A Final Thought
NIS2 has been a long time coming. I genuinely believe it will make Irish organisations more resilient, not just more compliant. The frameworks are sound. The oversight is appropriate. And the emphasis on detection, governance, and board engagement reflects how mature cybersecurity programmes actually work.
The organisations that will be best positioned when transposition lands are those that have treated this as an opportunity to build something real, not just a compliance exercise to be closed off. Governance without visibility is a statement of intent. Governance backed by 24/7 detection and a clear risk management framework is a defensible position.
The window to prepare is open. Given the EU Presidency timeline, it will not be open for much longer. If you are ready to take the next step, CommSec are here to help.
—
David McNamara is Founder of CommSec, an Irish cybersecurity company operating since 2013. CommSec supports Irish organisations with NIS2 readiness, Managed SOC, MDR, CISO as a Service, and GRC advisory services.
To book a free NIS2 consultation, visit commsec.ie/nis2 or call +353 1 536 7320.