NIS2 Directive: What Irish SMEs Need to Know
The NIS2 Directive is the European Union’s most significant cybersecurity legislation to date. If you run a business in Ireland — particularly one that touches essential or important services — this legislation affects you directly. And the deadlines are not as far away as they feel.
This guide cuts through the legal language and gives you a practical understanding of what NIS2 requires, who it applies to, what the penalties look like, and what you should be doing right now to prepare.
What is the NIS2 Directive?
NIS2 (the Network and Information Security Directive 2) is the EU’s updated framework for cybersecurity across member states. It replaces the original NIS Directive from 2016, which was widely criticised for being too narrow in scope and inconsistent in how different countries applied it.
The updated directive significantly expands which organisations fall under its requirements, introduces stricter security obligations, and creates a more standardised enforcement framework across the EU.
For Ireland specifically, NIS2 is being transposed into national law through the National Cyber Security Bill. The Department of Communications is leading this process, with the National Cyber Security Centre (NCSC) acting as the primary competent authority.
Who does NIS2 apply to?
This is where many Irish SMEs get caught off guard. The original NIS directive mostly affected large critical infrastructure operators — think energy companies, healthcare systems, transport networks. NIS2 dramatically broadens the scope.
Essential entities
These are organisations in sectors deemed critical to EU society and economy:
- Energy — electricity, oil, gas, hydrogen, district heating
- Transport — air, rail, water, road
- Banking and financial market infrastructure
- Healthcare — hospitals, labs, pharmaceutical manufacturing
- Drinking water supply and distribution
- Digital infrastructure — DNS providers, cloud computing, data centres, CDNs, trust service providers
- ICT service management — managed service providers (MSPs) and managed security service providers (MSSPs)
- Public administration
- Space — satellite operators and ground infrastructure
Important entities
These are organisations in sectors that, while not critical infrastructure, are still significant:
- Postal and courier services
- Waste management
- Chemical manufacturing and distribution
- Food production and distribution
- Manufacturing — medical devices, computers, electronics, machinery, motor vehicles
- Digital providers — online marketplaces, search engines, social networking platforms
- Research organisations
The size threshold
Here is the part that matters for SMEs: NIS2 generally applies to medium-sized enterprises and above. Under the EU definition, that means companies with:
- 50 or more employees, or
- Annual turnover exceeding EUR 10 million, or
- Annual balance sheet exceeding EUR 10 million
However, there are exceptions where smaller companies fall in scope regardless of size — particularly in digital infrastructure, DNS services, and trust service providers. If you are an MSP of any size, you are likely caught by the ICT service management provisions.
What does NIS2 actually require?
The directive mandates a risk-based approach to cybersecurity. In practical terms, that translates to several concrete obligations.
Risk management measures
You must implement appropriate and proportionate technical, operational, and organisational measures to manage cybersecurity risk. The directive specifically lists these areas:
- Risk analysis and information system security policies — documented, reviewed, and updated regularly
- Incident handling — detection, response, and recovery processes
- Business continuity and crisis management — including backup management and disaster recovery
- Supply chain security — assessing and managing risk from your suppliers and service providers
- Security in network and information systems acquisition, development, and maintenance — including vulnerability handling and disclosure
- Policies and procedures to assess the effectiveness of cybersecurity risk-management measures — essentially, you need to test and audit your security
- Basic cyber hygiene practices and cybersecurity training — for all staff, not just IT
- Policies and procedures regarding the use of cryptography and encryption
- Human resources security, access control policies, and asset management
- Use of multi-factor authentication (MFA), secured voice, video, and text communications, and secured emergency communication systems
Incident reporting
NIS2 introduces strict incident reporting timelines:
- 24 hours — early warning to the competent authority (NCSC in Ireland) after becoming aware of a significant incident
- 72 hours — formal incident notification with an initial assessment of severity, impact, and indicators of compromise
- 1 month — final report with detailed description, root cause analysis, mitigation measures, and cross-border impact assessment
A “significant incident” is one that causes or is capable of causing substantial disruption to services or financial loss, or that affects other organisations.
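The three reporting stages above, as an added example that is not part of the original article: a small Python helper that derives the deadlines from the moment the entity became aware of the incident, with the final-report clock running from the submission of the 72-hour notification (the directive's own framing), and flags stages that are overdue or were filed late. The function names and the constructed timestamps are assumptions.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional
import calendar

# NIS2 reporting stages as listed in the text above.
EARLY_WARNING = timedelta(hours=24)
NOTIFICATION = timedelta(hours=72)


def add_one_month(moment: datetime) -> datetime:
    """Add one calendar month, clamping to the last day of the target month
    (31 January + 1 month -> 28/29 February, not 2/3 March)."""
    year = moment.year + (moment.month // 12)
    month = moment.month % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return moment.replace(year=year, month=month, day=min(moment.day, last_day))


def reporting_deadlines(aware_at: datetime,
                        notification_sent_at: Optional[datetime] = None) -> Dict[str, datetime]:
    """Return the three NIS2 deadlines for a significant incident.

    aware_at: when the entity became aware of the incident (must be timezone-aware).
    notification_sent_at: when the 72-hour notification was actually submitted;
    the one-month final-report clock runs from that submission. If it is not
    known yet, assume the notification goes out exactly at its own deadline.
    """
    if aware_at.tzinfo is None:
        raise ValueError("aware_at must be timezone-aware; naive timestamps invite deadline disputes")
    early = aware_at + EARLY_WARNING
    notify = aware_at + NOTIFICATION
    final = add_one_month(notification_sent_at or notify)
    return {"early_warning": early, "incident_notification": notify, "final_report": final}


def late_stages(deadlines: Dict[str, datetime],
                submitted: Dict[str, datetime], now: datetime) -> List[str]:
    """Stages that are past due with nothing submitted, or were submitted after
    their deadline; both belong in the post-incident compliance record."""
    late = []
    for stage, due in deadlines.items():
        sent = submitted.get(stage)
        if (sent is None and now > due) or (sent is not None and sent > due):
            late.append(stage)
    return late


# Constructed sample: awareness late on 28 January 2024 (a leap year).
AWARE = datetime(2024, 1, 28, 12, 0, tzinfo=timezone.utc)
DEADLINES = reporting_deadlines(AWARE)
```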
Supply chain obligations
This is particularly relevant for SMEs. Even if your own company is below the size threshold, your clients may be in scope. NIS2 requires essential and important entities to assess and manage risk in their supply chains — which means they will start requiring cybersecurity assurances from their suppliers.
If you provide IT services, software, or any digital service to an in-scope organisation, expect to receive security questionnaires, audit requests, and contractual cybersecurity requirements.
What are the penalties?
NIS2 introduces meaningful financial penalties, differentiated by entity type:
- Essential entities: up to EUR 10 million or 2% of global annual turnover (whichever is higher)
- Important entities: up to EUR 7 million or 1.4% of global annual turnover (whichever is higher)
Beyond financial penalties, the directive also introduces personal accountability for management bodies. Senior management can be held personally liable for failure to comply with cybersecurity obligations. This includes potential temporary bans from holding management positions.
For Irish businesses, the exact penalty framework will be defined in the national transposition legislation, but it must meet the minimum thresholds set by the directive.
Timeline: Where are we now?
The NIS2 Directive entered into force on 16 January 2023, with member states given until 17 October 2024 to transpose it into national law. Ireland, like several other member states, has experienced delays in this transposition process.
However, the direction is clear: NIS2 compliance is coming, and the Irish government has signalled its commitment to the legislation. The National Cyber Security Bill will establish the legal framework, with the NCSC taking on expanded supervisory powers.
Waiting for the final national legislation before starting preparation is a mistake. The directive’s requirements are clear, and the technical measures you need to implement take time to deploy properly.
Management accountability: A new dimension
One of NIS2’s most consequential provisions is the introduction of personal accountability for management bodies. This goes beyond the typical corporate liability model.
Under NIS2, the management body of essential and important entities must:
- Approve the cybersecurity risk-management measures taken by the entity
- Oversee the implementation of those measures
- Undergo cybersecurity training themselves — not just sign off on training for staff, but personally participate
If the entity fails to comply with its obligations, members of the management body can be held personally liable. For essential entities, competent authorities can even temporarily prohibit individuals from exercising management functions.
This is a significant shift. In practice, it means that cybersecurity is no longer something a board can delegate entirely to the IT department. Directors and senior managers need to understand the organisation’s risk posture, the measures in place, and the gaps that remain. “I leave that to the IT team” is no longer an adequate response to a regulatory enquiry.
For Irish SMEs with smaller management teams, this actually simplifies things — there are fewer layers between the decision-maker and the implementation. But it also means the managing director or owner-manager is directly in the regulatory line of fire.
How NIS2 interacts with GDPR
Many Irish businesses are already familiar with GDPR, which governs personal data protection. NIS2 and GDPR overlap but are distinct.
GDPR focuses on the protection of personal data — ensuring it is collected, processed, and stored lawfully and securely. NIS2 focuses on the security of network and information systems more broadly — it covers all data and all systems, not just those handling personal data.
Where they intersect is in security measures. Many of the technical controls required by NIS2 (access control, encryption, incident detection, backup) also satisfy GDPR’s requirement for “appropriate technical and organisational measures” to protect personal data. If you are already GDPR-compliant, you have a head start on NIS2.
However, NIS2 adds requirements that GDPR does not cover, particularly around supply chain security, incident reporting timelines (stricter than GDPR’s 72-hour breach notification), and the explicit management accountability provisions. Treating NIS2 as “just more GDPR” would be a mistake.
How Irish SMEs should prepare now
Here is a practical preparation roadmap, ordered by priority.
1. Determine your scope
Work out whether your organisation falls directly under NIS2 as an essential or important entity. Even if you are below the size threshold, assess whether your clients or partners are in scope — their supply chain obligations will flow down to you.
2. Conduct a security baseline assessment
Before you can manage risk, you need to understand your current position. A security baseline assessment maps your existing controls against the NIS2 requirements and identifies gaps.
At Tarbh Tech, every client engagement starts with exactly this process. We deploy our Security Baseline — a standardised set of controls covering MFA, Conditional Access, device policies, email security, and backup — that addresses the majority of NIS2’s technical requirements from day one.
3. Implement foundational controls
The NIS2 requirements map closely to established security frameworks. Start with:
- Multi-factor authentication on all accounts
- Conditional Access policies to control when and where people can sign in
- Device management through Microsoft Intune or similar
- Email security — anti-phishing, anti-malware, Safe Links, Safe Attachments
- Backup and recovery with tested restore procedures
- Endpoint protection with centralised management
4. Build your incident response capability
You need documented procedures for detecting, reporting, and recovering from incidents. At minimum:
- An incident response plan that names roles, responsibilities, and escalation paths
- Monitoring and alerting that can detect significant incidents
- A communication template for the 24-hour early warning
- Tested backup restoration — not just “we have backups” but “we have verified we can restore from them”
5. Address supply chain risk
Document your critical suppliers and their cybersecurity posture. Start with your IT providers, cloud services, and any third party with access to your systems or data. Ask them about their security certifications, incident response capabilities, and data protection measures.
6. Train your people
NIS2 explicitly requires cybersecurity training for staff. This does not need to be technical — it needs to be practical: phishing awareness, password hygiene, recognising social engineering, and knowing how to report suspicious activity.
7. Document everything
NIS2 is about demonstrable compliance, not just having controls in place. Maintain records of your security policies, risk assessments, incident reports, training records, and audit results. When the NCSC comes asking, you need evidence.
The connection to Secure Score
If your organisation uses Microsoft 365, there is a tangible way to measure your security posture: Microsoft Secure Score. This metric scores your environment against Microsoft’s security recommendations on a percentage scale.
At Tarbh Tech, our Security Baseline brings client environments to a Secure Score of 77.7% on average — compared to the industry average of 50.6%. That 27-point gap represents real security controls: MFA enforcement, Conditional Access, device compliance, email filtering, and data protection policies.
These are not theoretical measures. They are precisely the kind of “appropriate and proportionate technical and organisational measures” that NIS2 requires. A strong Secure Score does not guarantee NIS2 compliance on its own, but it provides a measurable, auditable foundation that covers a significant portion of the directive’s technical requirements.
The bottom line
NIS2 is not a distant regulatory concern — it is an active compliance obligation that is being transposed into Irish law. The scope is broader than most SMEs expect, the penalties are meaningful, and management teams are personally accountable.
The good news is that the required measures are achievable. They align closely with modern security best practices that every business should have regardless of regulation. Starting now — with a security baseline assessment, foundational controls, and incident response planning — puts your organisation in a strong position well before enforcement begins.
The businesses that treat NIS2 as an opportunity to strengthen their security posture, rather than a compliance burden, will come out ahead.