As of April 2026, the NIS2 directive is moving into its concrete phase across Europe. Ireland missed the EU transposition deadline of 17 October 2024 and is currently bringing forward the National Cyber Security Bill 2024, the dedicated piece of legislation that will give NIS2 full effect in Irish law. For Irish SMEs, NIS2 is no longer a distant compliance topic: the National Cyber Security Centre (NCSC Ireland) already plays the role of competent authority and CSIRT, and the supply chain pressure on SMEs is already real. This article sets out the actual obligations, statutory deadlines, fines and a realistic compliance roadmap for an SME based in Dublin or anywhere in Ireland — with sources at every step.
KEY FIGURE
On 1 December 2025, NCSC Ireland and Munster Technological University (MTU) jointly published a national report on SME cyber resilience, alongside the 2025 National Cyber Risk Assessment. The report shows how underprepared many Irish SMEs remain for modern cyber threats and calls for clearer supply-chain expectations, mandatory cybersecurity in digital funding streams and stronger industry training. Source: gov.ie.
NIS2 in 2026: where does Ireland’s transposition stand?
The Directive (EU) 2022/2555, known as NIS2, entered into force on 16 January 2023 with a transposition deadline of 17 October 2024 — a deadline several Member States, including Ireland, did not meet. Ireland’s transposition vehicle is the National Cyber Security Bill 2024 (NCSB), the General Scheme of which was published by the Government on 30 August 2024. The Bill will replace the existing NIS1 framework set out in S.I. No. 360 of 2018.
The NCSB has been listed as a priority in the Government Legislation Programme for both Summer 2025 and Autumn 2025, and it is currently in the pre-legislative scrutiny phase. Until the Bill is enacted, the NIS2 obligations apply directly to entities through the directive’s effects, while NCSC Ireland acts as both competent authority and Computer Security Incident Response Team (CSIRT). Irish SMEs that meet the scope criteria should already be preparing — particularly those in supply chains of essential or important entities.

What changes between NIS1 and NIS2 in Ireland
- Significant expansion of regulated entities: NIS2 covers many more sectors and a much larger pool of organisations than the original NIS regime, including a broad range of medium-sized SMEs.
- The number of covered sectors rises from 6 to 18, now including B2B ICT services, waste management, manufacturing (including chemicals, food and industrial manufacturing), research, digital providers, and postal and courier services.
- Public bodies and certain local authorities fall within scope, depending on Ireland’s final transposition choices in the NCSB.
- Explicit accountability of management bodies (Article 20), including a mandatory training obligation and the possibility of personal liability under national transposition.
Is your Irish SME in scope of NIS2?
The NIS2 directive applies on the basis of three combined criteria: company size, sector of activity, and membership of a critical supply chain. It distinguishes two categories of regulated entities, with identical security obligations but different supervisory regimes and fine ceilings.
Essential entities
Threshold: more than 250 employees or annual turnover above €50 million or annual balance-sheet total above €43 million.
Sectors (Annex I): energy, transport, health, drinking water, waste water, digital infrastructure, public administration, space, banking, financial-market infrastructures, B2B managed ICT services.
Important entities
Threshold: between 50 and 249 employees, or annual turnover between €10 million and €50 million.
Sectors (Annex II): postal and courier services, waste management, manufacturing and distribution of chemicals, food production, manufacturing (medical devices, electronics, machinery, vehicles), digital providers (online marketplaces, search engines, social networks), research.
IMPORTANT
Even an SME with fewer than 50 employees can be drawn into NIS2 through the supply chain. Where you supply products or services to an essential or important entity, that entity must assess the cybersecurity of its providers (Article 21(2)(d)), which typically translates into contractual security clauses being passed down to you. In Ireland’s heavily regulated sectors — pharma, financial services, healthcare, public infrastructure — many SMEs are already seeing these clauses appear. Legal status alone is not enough: it is the analysis of your real exposure that determines your obligation level. NCSC Ireland’s NIS2 FAQ is the official starting point.
The 10 Article 21 measures: the cybersecurity baseline for Irish SMEs in 2026
Article 21 of Directive (EU) 2022/2555 sets out ten minimum risk-management measures that every regulated entity — essential or important — must implement, in a manner proportionate to its size and exposure. These ten measures form the mandatory common trunk of NIS2 compliance.
1. Risk analysis and information security policies
Asset mapping, threat and vulnerability analysis, and a documented information security policy that is reviewed on a regular cycle.
2. Incident handling
Detection, response and post-incident review procedures. Incident handling is the operational counterpart of the notification obligation under Article 23.
3. Business continuity and crisis management
Business continuity, disaster recovery (DRP/BCP) and backup policies, plus crisis management. These measures must be tested regularly — not merely documented.
4. Supply-chain security
Security assessment of suppliers and providers, contractual clauses, and management of third-party access. This is one of the most significant additions of NIS2 compared to NIS1.
5. Security in the IT lifecycle
Security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and patching.
6. Effectiveness assessment
Policies and procedures to assess regularly the effectiveness of the cybersecurity risk-management measures: internal audits, penetration testing, configuration reviews.
7. Cyber hygiene and training
Basic cyber hygiene practices and ongoing cybersecurity training for all staff, including management. Awareness is no longer optional.
8. Cryptography and encryption
Policies and procedures for the use of cryptography and encryption — at rest and in transit — together with key management. Encryption is now a baseline expectation, not a premium feature.
9. HR security, access control, asset management
Joiners-movers-leavers processes, access management on the principle of least privilege, asset inventory and lifecycle management.
10. MFA and secured communications
Multi-factor or continuous authentication, secured voice, video and text communications, and secured emergency communication systems within the entity.
Reporting an incident under NIS2: the 24 hours / 72 hours / 1 month rule
Article 23 of the directive imposes a three-stage notification regime for significant incidents, with strict deadlines. An incident is considered “significant” where it causes a severe operational disruption, a substantial financial loss, or where it can cause considerable harm to other natural or legal persons.
24 HOURS
Early warning
Initial notification to the national CSIRT (in Ireland, NCSC Ireland), indicating whether the significant incident is suspected of being caused by unlawful or malicious acts and whether it could have a cross-border impact.
72 HOURS
Incident notification
Formal notification updating the early warning, with an initial assessment of severity, impact and — where available — indicators of compromise (IOCs).
1 MONTH
Final report
Detailed report including a full description of the incident, the type of threat, the root causes, the mitigation measures applied and planned, and any cross-border impact.
Failure to notify on time is itself a sanctionable breach, regardless of the severity of the underlying incident. In practice, an Irish SME must therefore be able to activate its notification procedure 24/7, including weekends and bank holidays. This operational discipline is one of the main cultural shifts NIS2 imposes on SME leadership teams.

Management accountability and fines
NIS2 marks a cultural shift: cybersecurity becomes an explicit responsibility of company management bodies. Two articles must be read together.
Article 20 — Governance and management training
The management bodies of essential and important entities must approve the cybersecurity risk-management measures, oversee their implementation, and may be held liable for breaches. They are also required to undergo regular training in order to gain sufficient knowledge to identify risks and to assess cybersecurity risk-management practices and their impact on the entity. The same training requirement is recommended for staff with similar responsibilities.
Article 34 — Administrative fines
The directive sets a minimum cap that Member States must enable for breaches of Articles 21 (risk-management measures) and 23 (notification obligations):
ESSENTIAL ENTITIES
Maximum administrative fine of at least €10 million or 2% of total worldwide annual turnover in the preceding financial year — whichever is higher.
IMPORTANT ENTITIES
Maximum administrative fine of at least €7 million or 1.4% of total worldwide annual turnover in the preceding financial year — whichever is higher.
Beyond fines, national authorities may also issue compliance orders, suspend certifications, or temporarily prohibit individuals from holding management functions. Where breaches are serious, members of management bodies can be held personally liable, in line with how each Member State — including Ireland through the NCSB — defines this in its transposition.
Becoming NIS2-compliant: a realistic action plan for an Irish SME
NIS2 compliance is not a one-off project: it is a structured journey combining an initial audit, technical uplift, documentation and ongoing governance. Here is the five-step plan we recommend to SMEs and mid-market organisations in Dublin and across Ireland.
- Run a NIS2 gap audit. Identify the gaps between your current setup and the 10 measures of Article 21. Map your critical assets, sensitive data flows, and the processes that cannot be interrupted.
- Prioritise by risk. Address critical vulnerabilities first (unpatched systems, accounts without MFA, missing offline backups), then build out the minimum technical baseline (EDR, encryption, access control).
- Document and formalise. Information security policy (ISP), incident response procedures, asset register, security clauses in supplier contracts. Documentation is auditable — it must exist and be kept current.
- Train at every level. Staff awareness on common attacks (phishing, social engineering), targeted governance training for management (Article 20 obligation), at least one tabletop crisis exercise per year.
- Monitor and improve continuously. Internal audits, penetration tests, annual review of the risk analysis, ISP updates. Compliance is something you demonstrate, and you demonstrate it over time, not once.
FROM THE FIELD
On the SME engagements we run at Ezohiko, taking a heterogeneous environment to NIS2 compliance generally takes 6 to 18 months, depending on the starting cyber maturity and the size of the estate. The three most common blockers are: an incomplete asset inventory, the absence of a tested backup (rather than merely a documented one), and the lack of a regular cybersecurity review at board level. An Irish SME that fixes these three points already covers close to half of the Article 21 requirements.
How Ezohiko supports Dublin SMEs on their NIS2 compliance journey
Ezohiko supports Irish SMEs and mid-market organisations end-to-end on NIS2 compliance, with no jargon and no empty promises. Our approach combines a gap audit, technical implementation and ongoing governance — sized to your business and budget. Three pillars structure that support.
Technical baseline — SafeIT
Deployment and management of firewall, EDR, MFA, encryption and monitoring, delivered as a shared service for SMEs and independent professionals. A technical baseline that maps directly onto measures 5, 8, 9 and 10 of Article 21.
Business continuity (DRP & BCP)
Implementation and real-world testing of your disaster recovery and business continuity plans, with committed recovery time objectives. Directly addresses measure 3 of Article 21.
Governance & Fractional IT Manager
Information Security Policy (ISP) drafting, security board preparation, NIS2 gap audit and management training — through our fractional IT manager engagement model. Addresses measures 1, 6 and 7 plus Article 20.
Frequently asked questions on NIS2 for Irish SMEs
What is the NIS2 directive and when does it take effect for Irish SMEs?
The NIS2 directive (Network and Information Security 2), formally Directive (EU) 2022/2555 of 14 December 2022, is an EU cybersecurity regulation that entered into force on 16 January 2023 with a transposition deadline of 17 October 2024. In Ireland, transposition is being delivered through the National Cyber Security Bill 2024 (NCSB), the General Scheme of which was published on 30 August 2024 by the Department of Justice, Home Affairs and Migration. As of 19 April 2026, the NCSB remains in pre-legislative scrutiny and is listed as a priority in the Government Legislation Programme. NCSC Ireland already operates as the competent authority and CSIRT for NIS2 matters in Ireland.
What is the difference between an essential entity and an important entity under NIS2?
Essential entities (Annex I of the directive) are larger organisations operating in highly critical sectors: energy, transport, health, water, digital infrastructure, banking, public administration. The size threshold is more than 250 employees or annual turnover above €50 million. Important entities (Annex II) are mid-sized organisations in broader critical sectors: postal services, waste management, manufacturing, chemicals, food, digital providers. Their size threshold is between 50 and 249 employees, or annual turnover between €10 million and €50 million. The technical security obligations are identical for both categories — only the supervisory regime and the fine ceilings differ.
Does NIS2 apply to an Irish SME with fewer than 50 employees?
An SME with fewer than 50 employees is generally outside the direct scope of NIS2. However, it can be drawn in through the supply chain: where it provides products or services to an essential or important entity, that entity must assess the security of its providers under Article 21(2)(d), which usually flows down as contractual security clauses. In Ireland’s tightly regulated sectors (pharmaceuticals, financial services, healthcare, public infrastructure), many SME suppliers are already seeing such clauses appear. A case-by-case analysis is recommended, starting with the NCSC Ireland NIS2 FAQ.
What are the NIS2 incident notification deadlines?
Article 23 of the NIS2 directive imposes a three-step regime for significant incidents: an early warning within a maximum of 24 hours of becoming aware of the incident, a formal incident notification with an initial assessment within a maximum of 72 hours, and a detailed final report within one month. In Ireland, these notifications are sent to NCSC Ireland in its CSIRT capacity. Failure to notify in time is itself sanctionable, regardless of the underlying incident’s severity.
What are the penalties for non-compliance with NIS2?
Article 34 of the directive sets the minimum cap for administrative fines. For essential entities, fines can reach at least €10 million or 2% of total worldwide annual turnover in the preceding financial year, whichever is higher. For important entities, the cap is at least €7 million or 1.4% of total worldwide annual turnover. Beyond fines, authorities can issue compliance orders, suspend certifications, or temporarily ban individuals from holding management functions. Members of management bodies can also be held personally liable in cases of serious breach, depending on the final wording of the Irish transposition.
How long does NIS2 compliance take for an Irish SME?
The time to compliance depends heavily on the starting cyber maturity. Across our SME engagements, Ezohiko typically observes a 6 to 18 month range to cover the Article 21 requirements end-to-end, excluding ongoing governance. Organisations that already have a solid technical baseline (EDR, MFA, tested backups) move faster; those starting from a fragmented IT estate or without a current asset inventory need more upfront preparation. The transition window expected from the NCSB and from EU implementing acts gives Irish SMEs the room to build a realistic plan rather than a fire drill.
NIS2 versus GDPR: what is the difference for an Irish SME?
The GDPR (General Data Protection Regulation) protects personal data and applies to any organisation processing such data, regardless of size or sector. Enforcement in Ireland sits with the Data Protection Commission (DPC). NIS2, by contrast, imposes a cybersecurity framework on entities operating in essential and important sectors, focused on the resilience of network and information systems. Enforcement in Ireland sits with NCSC Ireland and the wider competent-authority framework that the NCSB will define. The two regimes are complementary: NIS2 imposes technical and organisational measures that also help protect personal data, while the GDPR imposes specific data-protection requirements (lawful basis, data minimisation, individuals’ rights) that NIS2 does not cover. A personal data breach caused by a cybersecurity incident can trigger both notification obligations: to NCSC Ireland under NIS2 (Article 23) and to the DPC under the GDPR (Article 33).
How does Ezohiko support Irish SMEs on NIS2 compliance?
Ezohiko offers end-to-end support for Dublin SMEs and mid-market organisations: NIS2 gap audit, risk assessment, deployment of the technical baseline (firewall, EDR, MFA, backup) through SafeIT, drafting of security policies and incident response procedures, training for staff and management, real-world DRP testing, and ongoing steering of the programme. Our fractional IT manager model brings this expertise at a cost that fits an SME’s budget, without the burden of a full-time hire. The objective is not to tick boxes: it is to build a cybersecurity setup that holds up over time, tested and documented.
Further reading: official sources and resources
Official texts
- Directive (EU) 2022/2555 on EUR-Lex — full text of the NIS2 directive
- General Scheme of the National Cyber Security Bill 2024 — gov.ie
- European Commission — NIS2 implementation in Ireland
Authorities and tools
- NCSC Ireland — NIS2 — competent authority and CSIRT
- NCSC Ireland — NIS2 FAQ
- Data Protection Commission (DPC) — GDPR regulator in Ireland